Unique domains visited analysis plugin

Notes on how to use the unique_domains_visited analysis plugin.

Running the analysis plugin

First run log2timeline to extract events:

log2timeline.py --storage-file timeline.plaso image.raw

Note that the unique domains visited analysis plugin analyzes URLS in web history data such as events with data type:

  • chrome:history:file_downloaded

  • chrome:history:page_visited

  • firefox:downloads:download

  • firefox:places:page_visited

  • macosx:lsquarantine

  • msiecf:redirected

  • msiecf:url

  • msie:webcache:container

  • opera:history

  • safari:history:visit

Next run psort to determine the unique domains visited:

psort.py --analysis unique_domains_visited -o null timeline.plaso

This will extract information of unique domains which will be stored in the analysis report.