| Command | Description |
|---|
| log2timeline.py <Kape Triage location> --archives none --skip_compressed_streams --hashers none --parsers win7_slow -z UTC --storage_file <destination file>.plaso | Convert the Windows Kape Triage collection located at <Kape Triage location> to a .plaso timeline <destination file> |
| log2timeline.py <UAC collection>/bodyfile/bodyfile.txt --storage_file <destination file>.plaso | Convert the UAC collection bodyfile located at <UAC collection>/bodyfile/bodyfile.txt to a .plaso timeline <destination file>, SHOULD BE IMMEDIATELY FOLLOWED BY NEXT COMMAND |
| log2timeline.py <UAC collection>/\[root\]/ -z UTC --storage_file <destination file>.plaso | Add the UAC collection root loacted at <UAC collection>/\[root]\/ to the <destination file> from the above command |
| psort.py --dynamic_time --output_time_zone UTC -o dynamic --analysis tagging --tagging-file /usr/share/plaso/<tag file> -w <destination file>.csv <plaso file>.plaso | Sort contents of <plaso file> and create the .csv file <destination file>. For <tag file>, use tag_windows.txt for Windows systems and tag_linux.txt for Linux systems |