Plaso / log2timeline
A forensic framework for generating super timelines by aggregating and normalizing events from multiple evidence sources.
Plaso, short for log2timeline, is an open source digital forensics framework developed by Joachim Metz for creating detailed super timelines from a wide range of forensic artifacts. It is designed to extract, normalize, and correlate timestamped events across operating systems, applications, and logs into a single chronological view.
Plaso is widely used by DFIR teams, incident responders, and forensic investigators to reconstruct system and user activity at scale.
What Plaso Does
Plaso processes disk images, directories, and collected artifacts to extract timestamped events from file systems, logs, browser data, registry hives, application databases, and more. These events are normalized into a common format and stored for later analysis, filtering, and correlation.
By consolidating thousands or millions of events into a single timeline, Plaso enables investigators to identify attack sequences, user behavior, persistence actions, and gaps in evidence.
Key Features of Plaso
Multi-Artifact Event Extraction
Parses events from file systems, logs, registries, browsers, and applications.
Super Timeline Generation
Aggregates events from multiple sources into a unified chronological view.
Cross-Platform Support
Supports Windows, Linux, and macOS artifacts.
Pluggable Parser Architecture
Uses modular parsers to support a wide and growing range of artifacts.
Event Normalization
Standardizes timestamps and fields across disparate data sources.
High-Volume Data Handling
Designed to process very large datasets efficiently.
Flexible Storage and Output
Stores results in Plaso storage files and supports export to CSV and other formats.
Integration with Analysis Tools
Commonly paired with Timeline Explorer, Timesketch, and other DFIR platforms.
Command Line Automation
Well suited for scripted and repeatable forensic workflows.
Advanced Use Cases
Incident Response
Reconstruct attacker actions across systems and artifacts during investigations.
Malware and Ransomware Analysis
Correlate execution, persistence, encryption, and cleanup events.
Insider Threat Investigations
Analyze long-term user behavior and access patterns.
Timeline Validation
Identify inconsistencies, gaps, or anomalies across evidence sources.
Legal and Forensic Investigations
Produce defensible timelines suitable for expert analysis and reporting.
Latest Updates (as of 2026)
Recent development and maintenance highlights include:
Continued expansion of supported artifact parsers
Improved performance and memory handling
Enhanced support for modern Windows, Linux, and macOS artifacts
Ongoing maintenance and community contributions
Continued adoption in enterprise and law enforcement investigations
Plaso remains actively maintained and is considered a standard tool for large-scale timeline generation.
Why It Matters
Modern investigations generate overwhelming volumes of timestamped data. Plaso enables investigators to bring order to this complexity by consolidating events into a single, analyzable timeline.
For DFIR professionals, it provides the foundation for understanding what happened, when it happened, and how actions across systems relate to one another.
Requirements and Platform Support
Plaso runs on:
Windows
Linux
macOS
It requires:
Python 3
Disk images, directories, or collected forensic artifacts
Official site and documentation:
https://plaso.readthedocs.io/