
Plaso / log2timeline Supertimeline Forensics

Generate forensic supertimelines from disk images, log archives, and other data sources with Plaso, then work the resulting multi-hundred-thousand-event timelines directly inside Argus case workflows.

Category: Forensics
Last Updated: May 26, 2026

Overview


Plaso (log2timeline) is the open-source supertimeline framework widely used in digital forensics and incident response. It extracts the timestamps embedded in a data source (file system metadata, registry hives, browser history, system and application logs, and dozens of other artefact types) and merges them into a single chronological timeline. Argus drives Plaso through an authenticated integration so that examiners can request timeline generation, track the processing job, and review the parsed events without leaving their case.

This removes the need to run a standalone Plaso instance, manually export its CSV or JSON output, and re-import that output into a separate case management system. Timelines arrive structured, searchable, and linked to the investigation, with classification-level filtering and an immutable audit trail that supports chain-of-custody requirements in legal proceedings.

Key Features

  • Automated supertimeline generation: Request a Plaso timeline for a data source by referencing its content hash, a case reference, the parser list to apply, and a time range. The source is sent to a remote Plaso processing service, the job is polled to completion, and the parsed events are returned and recorded against the case, with no manual export or re-import.

  • Multi-hundred-thousand-event handling: Plaso routinely produces timelines containing hundreds of thousands of events from a single disk image. Each timeline record captures the total event count so examiners can immediately gauge the scale of the dataset before drilling in.

  • Selectable parser sets: The parser list applied to a source is captured on every timeline, so examiners can target specific artefact families (file system metadata, registry hives, browser history, event logs, and others) and keep a clear record of exactly which parsers produced a given result.

  • Time-range scoping: Each timeline records the start and end of the period it covers, letting examiners constrain processing to the window relevant to the investigation and document the bounds of the analysis.

  • Paginated, organisation-scoped timeline list: Retrieve timelines for the authenticated organisation as a paginated, clearance-filtered list. Every record carries its case reference, source hash, event count, parser list, time range, status, and classification level.

  • Aggregate case statistics: A statistics view reports the total number of timelines, the count that have completed processing, and the combined event total across the organisation, giving forensic leads an at-a-glance picture of timeline workload and coverage.

  • Classification-level filtering: Timelines carry a secrecy level. Results from classified investigations are visible only to cleared personnel, and clearance filtering is applied to every list returned. All access attempts are logged regardless of outcome.

  • Immutable audit trail: Each timeline submission emits an interop ingest audit entry with a defined source standard identifier, the authenticated user, the organisation scope, and a timestamp, providing the data lineage record that forensic evidence chains depend on.

Use Cases

Enterprise Incident Response

After a confirmed intrusion, examiners need a chronological view of attacker activity across compromised hosts. They request Plaso supertimelines for each acquired disk image, and the parsed events (file creation, log entries, registry changes, browser activity) land directly in the case. Analysts pivot through the merged timeline to reconstruct the attack sequence without juggling standalone Plaso output files.

Classified and Cleared-Environment Investigations

Timelines from classified investigations are recorded at the appropriate secrecy level. Clearance filtering ensures these timelines are visible only to cleared personnel, so a single platform can hold both routine and restricted casework while keeping restricted material out of reach of uncleared analysts.

Log Archive Triage

Beyond disk images, examiners submit log archives and other artefact collections for timeline generation. Plaso normalises the many timestamp formats across those logs into one ordered sequence, accelerating triage of large, heterogeneous log sets during the early phase of an investigation.

Every timeline is linked to a case reference, recorded against the data source by its content hash, and accompanied by an immutable audit entry. This combination of source hashing, case linkage, classification control, and tamper-evident audit records supports chain-of-custody requirements where evidence provenance must be demonstrable in legal or regulatory proceedings.

Integration

Plaso timeline operations are exposed over GraphQL. A write operation accepts a data source hash, a case reference, a parser list, a time range, and a secrecy level; it persists the resulting timeline metadata and returns the timeline identifier, case reference, and event count. Read operations return a paginated, clearance-filtered list of timelines for your organisation and the aggregate statistics view.

Behind the GraphQL layer, a paired REST client submits sources to a remote Plaso processing service, polls job status until processing finishes, and retrieves the parsed timeline events. Customers therefore plug in their own Plaso processing service endpoint and let Argus orchestrate the round trip, with results normalised into the platform's timeline model so they behave consistently with every other forensic data type.
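The round trip above (hash-referenced source, submit, bounded polling, result recorded with an audit entry) and the clearance filtering described under Key Features can be sketched end to end. The following is an added example, not Argus platform code: the names TimelineRecord, PlasoJobClient, SECRECY_LEVELS, run_timeline, clearance_filter and timeline_stats are assumptions chosen to mirror the fields the page lists, PlasoJobClient is an offline stand-in for the remote Plaso processing service, SHA-256 is assumed as the content hash, and every sample value is constructed.

```python
"""Illustrative orchestration of the Plaso round trip this page describes.

Added example, not Argus platform code. The names TimelineRecord, PlasoJobClient,
SECRECY_LEVELS, run_timeline and clearance_filter are assumptions chosen to mirror
the fields the page lists; PlasoJobClient is an offline stand-in for the remote
Plaso processing service, and all sample values are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed ordering of secrecy levels, lowest to highest (the page defines none).
SECRECY_LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]

# Constructed bytes standing in for an acquired disk image.
SAMPLE_SOURCE = b"constructed sample image bytes for the example"


def source_hash(data: bytes) -> str:
    """Content hash by which a data source is referenced (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class TimelineRecord:
    """Per-timeline metadata matching the fields the page lists on every record."""
    timeline_id: str
    case_ref: str
    source_hash: str
    parsers: list
    time_range: tuple          # (start, end) as ISO 8601 strings
    secrecy_level: str
    status: str = "queued"
    event_count: int = 0


class PlasoJobClient:
    """Offline stand-in for the REST client: reports 'processing' a fixed number
    of times, then 'completed' with a constructed event count."""

    def __init__(self, polls_until_done: int, event_count: int):
        self._remaining = polls_until_done
        self._event_count = event_count

    def submit(self, hash_hex: str, parsers: list, time_range: tuple) -> str:
        return "job-" + hash_hex[:12]

    def status(self, job_id: str) -> dict:
        if self._remaining > 0:
            self._remaining -= 1
            return {"state": "processing"}
        return {"state": "completed", "event_count": self._event_count}


def _audit(audit: list, event: str, user: str, org: str, **fields) -> None:
    """Append an audit entry; in the real platform this log is immutable."""
    entry = {"event": event, "user": user, "org": org,
             "at": datetime.now(timezone.utc).isoformat()}
    entry.update(fields)
    audit.append(entry)


def run_timeline(client, record, data, user, org, audit, max_polls=10):
    """Verify the source hash, submit the job, poll to completion, record the result."""
    if source_hash(data) != record.source_hash:
        raise ValueError("source bytes do not match the recorded content hash")
    job_id = client.submit(record.source_hash, record.parsers, record.time_range)
    record.status = "processing"
    for _ in range(max_polls):
        job = client.status(job_id)
        if job["state"] == "completed":
            record.status = "completed"
            record.event_count = job["event_count"]
            break
    else:
        record.status = "timed_out"       # bounded polling: never spin forever
    _audit(audit, "interop.ingest", user, org, source_standard="plaso",
           source_hash=record.source_hash, timeline_id=record.timeline_id,
           status=record.status, event_count=record.event_count)
    return record


def clearance_filter(records, user, user_clearance, org, audit):
    """Return only timelines at or below the user's clearance; log every attempt."""
    allowed = []
    for rec in records:
        granted = (SECRECY_LEVELS.index(rec.secrecy_level)
                   <= SECRECY_LEVELS.index(user_clearance))
        _audit(audit, "timeline.read", user, org, timeline_id=rec.timeline_id,
               outcome="granted" if granted else "denied")
        if granted:
            allowed.append(rec)
    return allowed


def timeline_stats(records):
    """Aggregate view: total timelines, completed count, combined event total."""
    return {"total": len(records),
            "completed": sum(1 for r in records if r.status == "completed"),
            "events": sum(r.event_count for r in records)}
```

Two design points worth keeping when wiring up a real client: the hash check runs before anything is sent, so a timeline can never be recorded against bytes that differ from the evidence the hash names, and the poll loop is bounded and records a terminal status either way, so a stalled remote job still leaves an audit entry rather than an open-ended request.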

All operations require authenticated, organisation-scoped access and are bound to your tenant. The platform integrates Plaso alongside the Autopsy, DFIR-ORC, and GRR Rapid Response forensics capabilities, so a single investigation can combine disk analysis, agentless artefact collection, fleet-wide hunts, and supertimeline generation in one workflow. Webhook notifications can be configured to signal when timeline processing completes, allowing downstream automation to begin correlation or reporting as soon as events are recorded.

Open Standards

  • Plaso / log2timeline: The timeline engine itself is the open-source Plaso (log2timeline) supertimeline framework from the log2timeline project; Argus drives it and consumes its parsed timeline events natively.
  • The Sleuth Kit: Plaso's file system parsers build on The Sleuth Kit, the open-source forensic library for reading disk images and file system structures, which underpins the file system timestamps surfaced in each timeline.
  • ISO/IEC 27037:2012 (Guidelines for identification, collection, acquisition and preservation of digital evidence): The source submission and event ingestion workflow aligns with ISO/IEC 27037 guidance on handling digital evidence in a forensically sound manner.
  • OAuth 2.0 / OpenID Connect: Every GraphQL operation is protected by OAuth 2.0 bearer tokens with OIDC identity assertions, ensuring authenticated, organisation-scoped access to timelines and statistics.

Security & Compliance

Every timeline submission is recorded in the platform's immutable audit log with a defined source standard identifier, the authenticated user, the organisation scope, the data source hash, the event count, and a timestamp. Access to timeline records is enforced against the secrecy level of each timeline; clearance filtering is applied to every list returned, and attempts by users without the required clearance are denied and logged. Referencing each data source by its content hash gives a stable, verifiable link between a timeline and the evidence it was generated from, reinforcing the chain-of-custody record that forensic and legal workflows rely on.

Last Reviewed: 2026-05-26 / Last Updated: 2026-05-26
