Plaso is a Python-based engine that can automatically create timelines from various files found on typical computer systems. It can extract timestamps from file system metadata, log files, registry files, browser history, email archives, and many other sources, and can also filter and analyse the extracted events using various plugins and modules.


Designed for digital forensics analysts who need to examine large amounts of data and quickly find relevant evidence, Plaso helps them correlate events from multiple sources and identify anomalies or suspicious activity.

The latest version of Plaso (20230226) includes bug fixes and improvements for parsing various files from Windows 11, MacOS Monterey, and Chrome 99. It also fixes some issues with processing large or encrypted volumes and compressed EWF files.

Some of the main changes are:

  • Added support for parsing Windows 11 Registry files

  • Added support for parsing MacOS Monterey log files

  • Added support for parsing Chrome 99 history files

  • Fixed an issue with processing NTFS volumes larger than 2 TB

  • Fixed an issue with processing encrypted APFS volumes

  • Fixed an issue with processing compressed EWF files

For guidance on how to use Plaso, check out the Users’ Guide. The easiest way to install Plaso is with Docker, as suggested by the developers.

However, if you prefer a different method, you can follow the instructions for MacOS, Ubuntu or Fedora.