ZFS/ZDB Plaso Parsers

NOTE: Source code for the ZFS/ZDB Parsers is now hosted on GitHub

ZFS ZDB Plaso Parsers v. 1.0.1 - released 24 July
First public release; minor fixes and major documentation improvements.

These parsers process output from the ZFS Debugger (ZDB) to generate events for the Plaso super-timeline software from internal ZFS objects and metadata. They are based on my research into ZFS Timeline Forensics (see the main research page for details).

My article "Adding ZFS Events to a Super-Timeline" on the development and use of these parsers was published in Digital Forensics Magazine, Issue 20, August 2014.

The readme.txt includes the changelog, installation and usage instructions, etc.

-- Dylan Leigh