Parsing UAC output
Using Plaso
Plaso is a Python-based backend engine that powers log2timeline - a tool designed to extract timestamps and forensic artifacts from a computer system to facilitate timeline analysis. It generates what is commonly referred to as a "Super Timeline."
If you haven’t seen it already, there's a great YouTube video by Richard Davis of 13cubed that introduces the concept effectively.
For more details about Plaso, refer to the official documentation page.
Plaso in a Docker container
Obtaining the Plaso Docker image
docker pull log2timeline/plaso
Parsing a UAC output file using Plaso
To start the extraction with log2timeline, ensure the UAC output file is available on the host system. Since containers are isolated, you’ll need to mount the host directory containing the file into the container.
For example, if your UAC output file is stored at:
/data/uac-testvm-linux-20220204120054.tar.gz
...and you want to generate the Plaso storage file as:
/data/uac-testvm-linux-20220204120054.plaso
You can run:
docker run -v /data:/data log2timeline/plaso:latest log2timeline --storage-file /data/uac-testvm-linux-20220204120054.plaso /data/uac-testvm-linux-20220204120054.tar.gz
This ensures that both the input and output files are accessible from the host filesystem.
Run analysis with psort
The .plaso file created by log2timeline is a structured event database. You can convert it to CSV format using psort, making it compatible with timeline analysis tools such as Eric Zimmerman's Timeline Explorer.
Run:
docker run -v /data:/data log2timeline/plaso:latest psort.py -o l2tcsv /data/uac-testvm-linux-20220204120054.plaso -w /data/uac-testvm-linux-20220204120054.csv
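The two Docker invocations above, wrapped into one script as an added example (this is not part of the UAC documentation or the Plaso project). It derives the .plaso and .csv names from the archive path, mounts the archive's directory at the same path inside the container, records a SHA-256 of the archive beside the outputs so the timeline can be tied back to the exact evidence file, and only then runs log2timeline and psort. It assumes the log2timeline/plaso image has already been pulled and that Docker is available on the host; the `--rm` flag and the PLASO_IMAGE variable are additions of this example.

```shell
#!/bin/sh
# Added example: UAC archive -> Plaso storage file -> l2tcsv timeline, via Docker.
# Not the project's own code. Assumes the log2timeline/plaso image is present.
set -eu

PLASO_IMAGE="${PLASO_IMAGE:-log2timeline/plaso:latest}"

# Strip the UAC archive extension (.tar.gz or .zip) to get the output basename.
uac_basename() {
    case "$1" in
        *.tar.gz) printf '%s\n' "${1%.tar.gz}" ;;
        *.zip)    printf '%s\n' "${1%.zip}" ;;
        *)        printf 'unsupported archive extension: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Build the log2timeline command. The host directory holding the archive is
# mounted at the same path inside the container so input and output paths match.
l2t_cmd() {
    archive="$1"
    dir=$(dirname "$archive")
    base=$(uac_basename "$archive")
    printf 'docker run --rm -v %s:%s %s log2timeline --storage-file %s.plaso %s\n' \
        "$dir" "$dir" "$PLASO_IMAGE" "$base" "$archive"
}

# Build the psort command that exports the storage file in l2tcsv format.
psort_cmd() {
    archive="$1"
    dir=$(dirname "$archive")
    base=$(uac_basename "$archive")
    printf 'docker run --rm -v %s:%s %s psort.py -o l2tcsv %s.plaso -w %s.csv\n' \
        "$dir" "$dir" "$PLASO_IMAGE" "$base" "$base"
}

# Run both stages. The archive hash is written first so the resulting timeline
# can later be matched to the evidence file it was generated from.
uac_to_timeline() {
    archive="$1"
    [ -f "$archive" ] || { printf 'archive not found: %s\n' "$archive" >&2; return 1; }
    base=$(uac_basename "$archive")
    sha256sum "$archive" > "$base.sha256"
    sh -c "$(l2t_cmd "$archive")"
    sh -c "$(psort_cmd "$archive")"
}

# Usage, uncomment to run on a real collection:
# uac_to_timeline /data/uac-testvm-linux-20220204120054.tar.gz
```

Because the archive's directory is mounted at the same path inside the container, the paths you pass on the host are the ones log2timeline and psort see, which avoids the common mistake of pointing at a host path the container cannot reach.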
Using Magnet AXIOM
Magnet AXIOM can be used to parse forensic artifacts from UAC output files.
Bodyfile custom artifact
Before analyzing a UAC output file in AXIOM, it’s strongly recommended that you download and install the Bodyfile custom artifact. This custom parser reads the bodyfile.txt generated by UAC and enhances timeline extraction.
You can download it from my AXIOM Custom Artifacts repository.
Parsing UAC output file in Magnet AXIOM
- Under EVIDENCE SOURCES, load the UAC output file (.tar.gz or .zip) as a Linux or macOS disk image.
- In ARTIFACT DETAILS, click CUSTOMIZE COMPUTER ARTIFACTS and ensure the Bodyfile custom artifact is selected under the CUSTOM ARTIFACTS category.
- In PARSE AND CARVE ARTIFACTS, select Parse and carve selected artifacts.
Using Cyber Triage
You can also analyze UAC output using Cyber Triage. For more details, refer to their blog post:
Collecting Linux DFIR Artifacts with UAC