Plaso architecture
Let's take a look at the Plaso architecture. Plaso has a few core components, each of which performs an independent role:
Preprocessing
Collection
Worker
Storage
Let's look at them in more detail.
Preprocessing
This stage covers the tasks that must be done prior to all other processing. For example, before mounting the image and determining which OS is installed on the disk, it collects some information which will be used in the next stage.
The preprocessing stage should collect the following:
The version of the OS
The hostname
Time zone information
Default applications, such as the default browser, and so on
All users and their paths
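The following sketch shows what gathering these facts can look like for a mounted Linux image. It is an added example, not Plaso's own code: the function names, the file locations read (etc/os-release, etc/hostname, etc/timezone, etc/localtime, etc/passwd) and the sample data are assumptions for illustration, and default applications are left out.

```python
import os
import tempfile

def read_text(root, rel):
    """Return the text of root/rel, or "" when the file is missing."""
    try:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""

def preprocess(mount_point):
    """Collect host facts from a mounted Linux image (hypothetical helper)."""
    facts = {"os_version": None, "hostname": None, "time_zone": None, "users": {}}
    for line in read_text(mount_point, "etc/os-release").splitlines():
        key, _, value = line.partition("=")
        if key == "PRETTY_NAME":
            facts["os_version"] = value.strip().strip('"')
    facts["hostname"] = read_text(mount_point, "etc/hostname").strip() or None
    # Debian-style images store the zone name in etc/timezone; otherwise
    # derive it from the etc/localtime symlink target without following it.
    zone = read_text(mount_point, "etc/timezone").strip()
    if not zone:
        try:
            target = os.readlink(os.path.join(mount_point, "etc/localtime"))
            zone = target.partition("zoneinfo/")[2]
        except OSError:
            zone = ""
    facts["time_zone"] = zone or None
    # passwd format: name:password:uid:gid:gecos:home:shell
    for line in read_text(mount_point, "etc/passwd").splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            facts["users"][fields[0]] = fields[5]
    return facts

def demo():
    """Run preprocess() over a constructed etc/ tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        samples = {
            "os-release": 'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\n',
            "hostname": "ws-042\n",
            "passwd": "root:x:0:0:root:/root:/bin/bash\n"
                      "alice:x:1000:1000::/home/alice:/bin/bash\n",
        }
        for name, text in samples.items():
            with open(os.path.join(root, "etc", name), "w", encoding="utf-8") as f:
                f.write(text)
        os.symlink("/usr/share/zoneinfo/Europe/Berlin",
                   os.path.join(root, "etc", "localtime"))
        return preprocess(root)
```

The time zone recovered here is what later stages need in order to interpret local-time timestamps from the image consistently.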
Collection
In the collection stage, the process goes over the image, directory, or mount point, and finds all the files that the tool can process.
Collection can be divided into three different scenarios:
In the simplest case, the collection process recursively goes through either a mount point or an image file and collects every file discovered.
During...