Virustotal analysis plugin
Notes on how to use the virustotal analysis plugin.
Getting an API key
The virustotal analysis plugin uses the public Virustotal API, and requires an API key to operate. The process for obtaining an API key is here.
Running the analysis plugin
First run log2timeline to hash files and extract events:
log2timeline.py --storage-file timeline.plaso image.raw
Note that hashing must be turned on for the virustotal plugin to work correctly. This is default setting for log2timeline.py.
Next run psort to tag events:
psort.py --analysis virustotal --virustotal-api-key $API_KEY -o null timeline.plaso
If a file processed by Plaso is present in virustotal and has been detected as
malicious by one more detection engines, it will be tagged with
virustotal_detections_$NUMBER_OF_DETECTIONS
. If the file is in Virustotal,
but it hasn’t been fully analyzed yet, it will be tagged with
virustotal_analysis_pending
. If the file is in Virustotal, but has not been
detected as malicious, it will be tagged with virustotal_no_detections
. If
the file isn’t in Virustotal, it will be tagged as virustotal_not_present
.
The last step would be to export a timeline with the tags:
psort.py -o dynamic --fields datetime,timestamp_desc,source,source_long,message,parser,tag -w timeline.csv timeline.plaso