Plaso for Windows Part 2
Some of you may remember part 1 from back in 2023. I was recently using Autopsy and once again bemoaning the 2018 version it's packaged with and how slow Plaso is. I decided to give this another shot, and this time initial results look VERY good. You can find the build documentation and binaries here.
The test in this site's feature image was a very small Alpine Linux disk image (233 MB VMDK, 1 GB raw). It took 43 minutes to process with the official release under WSL vs under 2 minutes with the Windows binary build. Both runs were on the same stock Windows 11 VM with nothing else running at the same time, so they had access to the same resources and there was nothing unfair about the test. I've had similar results on my main workstation, but I didn't want other background processes to skew the numbers.
Some of you might notice that the total task counts differ and worry that the output from the two runs is different. Don't worry: after running both storage files through their respective psort builds, the total number of events is not only the same, the output is a byte-for-byte match. The only thing I did was run the Windows CSV through dos2unix to account for the different line endings between Linux and Windows.


This was a very small image, but as I said, I have seen similar results on my main workstation. A larger Ubuntu image took 7 hours (!) to process with WSL vs 40 minutes on Windows. A Windows 11 image took a bit over 3 hours in WSL, but just 18 minutes on Windows. I'm going to run some more head-to-head tests and post results here and on the GitHub repo soonish, so check back.
I did notice that some final output didn't match perfectly. In one case there were line-ordering differences, and some names in the "Parser" field had changed. I have yet to find a case where the meaningful output (the Timestamp and Message fields) differs.
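The comparison described in the two paragraphs above (normalize line endings, ignore row order, ignore the Parser column, then check that the event count and the remaining fields match) as an added example. This is my own code, not the post's or the Plaso project's: it assumes psort's dynamic CSV output with a header row and a column named parser, the two embedded CSV snippets are constructed stand-ins for real exports, and the function names are my own.

```python
import csv
import io
from collections import Counter

# Constructed sample output standing in for two psort CSV exports (dynamic
# output format: datetime, timestamp_desc, source, source_long, message,
# parser, display_name, tag). These are NOT rows from the post's own runs.
# "Linux" side: LF line endings, one row order.
LINUX_CSV = (
    "datetime,timestamp_desc,source,source_long,message,parser,display_name,tag\n"
    "2024-01-02T03:04:05.000000+00:00,Content Modification Time,FILE,File stat,"
    "/etc/passwd Type: file,filestat,OS:/etc/passwd,-\n"
    "2024-01-02T03:04:06.000000+00:00,Content Modification Time,LOG,Log File,"
    '"User login, session opened",syslog,OS:/var/log/messages,-\n'
)
# "Windows" side: CRLF line endings, rows in a different order, and the
# parser column spelled differently on one row (a constructed stand-in for
# the renamed "Parser" values mentioned in the post).
WINDOWS_CSV = (
    "datetime,timestamp_desc,source,source_long,message,parser,display_name,tag\r\n"
    "2024-01-02T03:04:06.000000+00:00,Content Modification Time,LOG,Log File,"
    '"User login, session opened",syslog_renamed,OS:/var/log/messages,-\r\n'
    "2024-01-02T03:04:05.000000+00:00,Content Modification Time,FILE,File stat,"
    "/etc/passwd Type: file,filestat,OS:/etc/passwd,-\r\n"
)


def normalize_rows(csv_text, ignore_fields=("parser",)):
    """Parse psort CSV text into a multiset of rows.

    Line endings are normalised (the dos2unix step), row order is discarded
    by counting rows instead of keeping a list, and any column named in
    ignore_fields is dropped from the comparison key.
    """
    text = csv_text.replace("\r\n", "\n")
    # newline="" lets the csv module handle quoted fields that span lines.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    rows = Counter()
    for row in reader:
        key = tuple(sorted((f, v) for f, v in row.items() if f not in ignore_fields))
        rows[key] += 1
    return rows


def compare_psort_csv(a_text, b_text, ignore_fields=("parser",)):
    """Compare two psort CSV exports regardless of line endings and row order.

    Returns the event count on each side and the rows that appear in one
    export but not the other (after dropping ignore_fields).
    """
    a = normalize_rows(a_text, ignore_fields)
    b = normalize_rows(b_text, ignore_fields)
    return {
        "total_a": sum(a.values()),
        "total_b": sum(b.values()),
        "only_in_a": [dict(k) for k in (a - b).elements()],
        "only_in_b": [dict(k) for k in (b - a).elements()],
        "match": not (a - b) and not (b - a),
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Real use: python compare.py linux.csv windows.csv
        with open(sys.argv[1], encoding="utf-8") as fa, open(sys.argv[2], encoding="utf-8") as fb:
            result = compare_psort_csv(fa.read(), fb.read())
    else:
        result = compare_psort_csv(LINUX_CSV, WINDOWS_CSV)
    print(f"events: {result['total_a']} vs {result['total_b']}, match={result['match']}")
    for side in ("only_in_a", "only_in_b"):
        for row in result[side]:
            print(side, row["datetime"], row["message"])
```

Run with no arguments it compares the two embedded snippets and reports a match; pass it two exported CSV paths to compare a real pair of runs. Pass ignore_fields=() if you want the Parser column included, in which case the renamed parser rows show up on both sides.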
The old Plaso built into Autopsy, 20180818, took around 6 minutes to process that Alpine image. So the new build is still roughly three times faster, and likely has newer parsers.
What's changed?
It's been nearly 3 years: Python has gone from 3.11 to 3.14, PyInstaller has had a major version bump, and l2tbinaries is no longer distributing MSIs, but rather .whl builds. Most importantly, I actually took the time to look through an older version of Plaso and figure out where things needed to go during the build process; you can see the results of that in this commit: https://github.com/BeanBagKing/WinPlaso/commit/ef30dc420eb5ba05d9a56330697c26d9c40082c5.
The main .py files (e.g. log2timeline.py) had moved from tools to plaso\scripts. Most of the formatters and artifacts now want to be found under _internal\. There was a missing pycreg dependency that needed to be added, and a few other odds and ends. I ran into and fixed some of this back in the old post around Step 7, but by that point I was kind of over it and was really hoping it would be enough to get someone else started.
What's next?
I really don't want to be the maintainer of this. For one thing, I am not an expert in Plaso and certainly not a developer; anything I need to fix is trial and error, looking at log messages, and there may very well be other dependencies I didn't notice. For another, I don't have the recognition to be hosting random binaries that people will use in production. I'm really hoping either Plaso or Autopsy will take up the challenge.
Lastly, this needs testing. If you're interested in this at all, I encourage you to build your own copy, run it and the official release side by side, and try to find differences. Whatever the result, even if it's a success, report it in the GitHub issues. I ask for success reports because if all I hear is crickets, that doesn't tell me whether it's working or whether nobody is using it.