plaso.cli package

Subpackages

• plaso.cli.helpers package
  • Submodules
  • plaso.cli.helpers.analysis_plugins module
    • AnalysisPluginsArgumentsHelper
      • AnalysisPluginsArgumentsHelper.AddArguments()
      • AnalysisPluginsArgumentsHelper.DESCRIPTION
      • AnalysisPluginsArgumentsHelper.NAME
      • AnalysisPluginsArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.archives module
    • ArchivesArgumentsHelper
      • ArchivesArgumentsHelper.AddArguments()
      • ArchivesArgumentsHelper.DESCRIPTION
      • ArchivesArgumentsHelper.NAME
      • ArchivesArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.artifact_definitions module
    • ArtifactDefinitionsArgumentsHelper
      • ArtifactDefinitionsArgumentsHelper.AddArguments()
      • ArtifactDefinitionsArgumentsHelper.DESCRIPTION
      • ArtifactDefinitionsArgumentsHelper.NAME
      • ArtifactDefinitionsArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.artifact_filters module
    • ArtifactFiltersArgumentsHelper
      • ArtifactFiltersArgumentsHelper.AddArguments()
      • ArtifactFiltersArgumentsHelper.DESCRIPTION
      • ArtifactFiltersArgumentsHelper.NAME
      • ArtifactFiltersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.bloom_analysis module
    • BloomAnalysisArgumentsHelper
      • BloomAnalysisArgumentsHelper.AddArguments()
      • BloomAnalysisArgumentsHelper.CATEGORY
      • BloomAnalysisArgumentsHelper.DESCRIPTION
      • BloomAnalysisArgumentsHelper.NAME
      • BloomAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.codepage module
    • CodepageArgumentsHelper
      • CodepageArgumentsHelper.AddArguments()
      • CodepageArgumentsHelper.DESCRIPTION
      • CodepageArgumentsHelper.NAME
      • CodepageArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.data_location module
    • DataLocationArgumentsHelper
      • DataLocationArgumentsHelper.AddArguments()
      • DataLocationArgumentsHelper.DESCRIPTION
      • DataLocationArgumentsHelper.NAME
      • DataLocationArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.date_filters module
    • DateFiltersArgumentsHelper
      • DateFiltersArgumentsHelper.AddArguments()
      • DateFiltersArgumentsHelper.DESCRIPTION
      • DateFiltersArgumentsHelper.NAME
      • DateFiltersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.dynamic_output module
    • DynamicOutputArgumentsHelper
      • DynamicOutputArgumentsHelper.AddArguments()
      • DynamicOutputArgumentsHelper.CATEGORY
      • DynamicOutputArgumentsHelper.DESCRIPTION
      • DynamicOutputArgumentsHelper.NAME
      • DynamicOutputArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.event_filters module
    • EventFiltersArgumentsHelper
      • EventFiltersArgumentsHelper.AddArguments()
      • EventFiltersArgumentsHelper.DESCRIPTION
      • EventFiltersArgumentsHelper.NAME
      • EventFiltersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.extraction module
    • ExtractionArgumentsHelper
      • ExtractionArgumentsHelper.AddArguments()
      • ExtractionArgumentsHelper.DESCRIPTION
      • ExtractionArgumentsHelper.NAME
      • ExtractionArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.filter_file module
    • FilterFileArgumentsHelper
      • FilterFileArgumentsHelper.AddArguments()
      • FilterFileArgumentsHelper.DESCRIPTION
      • FilterFileArgumentsHelper.NAME
      • FilterFileArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.hashers module
    • HashersArgumentsHelper
      • HashersArgumentsHelper.AddArguments()
      • HashersArgumentsHelper.DESCRIPTION
      • HashersArgumentsHelper.NAME
      • HashersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.interface module
    • ArgumentsHelper
      • ArgumentsHelper.AddArguments()
      • ArgumentsHelper.CATEGORY
      • ArgumentsHelper.DESCRIPTION
      • ArgumentsHelper.NAME
      • ArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.language module
    • LanguageArgumentsHelper
      • LanguageArgumentsHelper.AddArguments()
      • LanguageArgumentsHelper.DESCRIPTION
      • LanguageArgumentsHelper.NAME
      • LanguageArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.manager module
    • ArgumentHelperManager
      • ArgumentHelperManager.AddCommandLineArguments()
      • ArgumentHelperManager.DeregisterHelper()
      • ArgumentHelperManager.ParseOptions()
      • ArgumentHelperManager.RegisterHelper()
      • ArgumentHelperManager.RegisterHelpers()
  • plaso.cli.helpers.nsrlsvr_analysis module
    • NsrlsvrAnalysisArgumentsHelper
      • NsrlsvrAnalysisArgumentsHelper.AddArguments()
      • NsrlsvrAnalysisArgumentsHelper.CATEGORY
      • NsrlsvrAnalysisArgumentsHelper.DESCRIPTION
      • NsrlsvrAnalysisArgumentsHelper.NAME
      • NsrlsvrAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.opensearch_output module
    • OpenSearchOutputArgumentsHelper
      • OpenSearchOutputArgumentsHelper.AddArguments()
      • OpenSearchOutputArgumentsHelper.CATEGORY
      • OpenSearchOutputArgumentsHelper.DESCRIPTION
      • OpenSearchOutputArgumentsHelper.NAME
      • OpenSearchOutputArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.opensearch_ts_output module
    • OpenSearchTimesketchOutputArgumentsHelper
      • OpenSearchTimesketchOutputArgumentsHelper.AddArguments()
      • OpenSearchTimesketchOutputArgumentsHelper.CATEGORY
      • OpenSearchTimesketchOutputArgumentsHelper.DESCRIPTION
      • OpenSearchTimesketchOutputArgumentsHelper.NAME
      • OpenSearchTimesketchOutputArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.output_modules module
    • OutputModulesArgumentsHelper
      • OutputModulesArgumentsHelper.AddArguments()
      • OutputModulesArgumentsHelper.DESCRIPTION
      • OutputModulesArgumentsHelper.NAME
      • OutputModulesArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.parsers module
    • ParsersArgumentsHelper
      • ParsersArgumentsHelper.AddArguments()
      • ParsersArgumentsHelper.DESCRIPTION
      • ParsersArgumentsHelper.NAME
      • ParsersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.process_resources module
    • ProcessResourcesArgumentsHelper
      • ProcessResourcesArgumentsHelper.AddArguments()
      • ProcessResourcesArgumentsHelper.DESCRIPTION
      • ProcessResourcesArgumentsHelper.NAME
      • ProcessResourcesArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.profiling module
    • ProfilingArgumentsHelper
      • ProfilingArgumentsHelper.AddArguments()
      • ProfilingArgumentsHelper.DEFAULT_PROFILING_SAMPLE_RATE
      • ProfilingArgumentsHelper.DESCRIPTION
      • ProfilingArgumentsHelper.NAME
      • ProfilingArgumentsHelper.PROFILERS_INFORMATION
      • ProfilingArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.sessionize_analysis module
    • SessionizeAnalysisArgumentsHelper
      • SessionizeAnalysisArgumentsHelper.AddArguments()
      • SessionizeAnalysisArgumentsHelper.CATEGORY
      • SessionizeAnalysisArgumentsHelper.DESCRIPTION
      • SessionizeAnalysisArgumentsHelper.NAME
      • SessionizeAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.status_view module
    • StatusViewArgumentsHelper
      • StatusViewArgumentsHelper.AddArguments()
      • StatusViewArgumentsHelper.DESCRIPTION
      • StatusViewArgumentsHelper.NAME
      • StatusViewArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.storage_format module
    • StorageFormatArgumentsHelper
      • StorageFormatArgumentsHelper.AddArguments()
      • StorageFormatArgumentsHelper.DESCRIPTION
      • StorageFormatArgumentsHelper.NAME
      • StorageFormatArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.tagging_analysis module
    • TaggingAnalysisArgumentsHelper
      • TaggingAnalysisArgumentsHelper.AddArguments()
      • TaggingAnalysisArgumentsHelper.CATEGORY
      • TaggingAnalysisArgumentsHelper.DESCRIPTION
      • TaggingAnalysisArgumentsHelper.NAME
      • TaggingAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.temporary_directory module
    • TemporaryDirectoryArgumentsHelper
      • TemporaryDirectoryArgumentsHelper.AddArguments()
      • TemporaryDirectoryArgumentsHelper.DESCRIPTION
      • TemporaryDirectoryArgumentsHelper.NAME
      • TemporaryDirectoryArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.vfs_backend module
    • VFSBackEndArgumentsHelper
      • VFSBackEndArgumentsHelper.AddArguments()
      • VFSBackEndArgumentsHelper.DESCRIPTION
      • VFSBackEndArgumentsHelper.NAME
      • VFSBackEndArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.viper_analysis module
    • ViperAnalysisArgumentsHelper
      • ViperAnalysisArgumentsHelper.AddArguments()
      • ViperAnalysisArgumentsHelper.CATEGORY
      • ViperAnalysisArgumentsHelper.DESCRIPTION
      • ViperAnalysisArgumentsHelper.NAME
      • ViperAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.virustotal_analysis module
    • VirusTotalAnalysisArgumentsHelper
      • VirusTotalAnalysisArgumentsHelper.AddArguments()
      • VirusTotalAnalysisArgumentsHelper.CATEGORY
      • VirusTotalAnalysisArgumentsHelper.DESCRIPTION
      • VirusTotalAnalysisArgumentsHelper.NAME
      • VirusTotalAnalysisArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.workers module
    • WorkersArgumentsHelper
      • WorkersArgumentsHelper.AddArguments()
      • WorkersArgumentsHelper.DESCRIPTION
      • WorkersArgumentsHelper.NAME
      • WorkersArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.xlsx_output module
    • XLSXOutputArgumentsHelper
      • XLSXOutputArgumentsHelper.AddArguments()
      • XLSXOutputArgumentsHelper.CATEGORY
      • XLSXOutputArgumentsHelper.DESCRIPTION
      • XLSXOutputArgumentsHelper.NAME
      • XLSXOutputArgumentsHelper.ParseOptions()
  • plaso.cli.helpers.yara_rules module
    • YaraRulesArgumentsHelper
      • YaraRulesArgumentsHelper.AddArguments()
      • YaraRulesArgumentsHelper.DESCRIPTION
      • YaraRulesArgumentsHelper.NAME
      • YaraRulesArgumentsHelper.ParseOptions()
  • Module contents

Submodules

plaso.cli.analysis_tool module

Shared functionality for an analysis CLI tool.

class plaso.cli.analysis_tool.AnalysisTool(input_reader=None, output_writer=None)

Bases: CLITool, AnalysisPluginOptions, ProfilingOptions, StorageFileOptions

Analysis CLI tool.

list_analysis_plugins

True if information about the analysis plugins should be shown.

Type:

bool

__init__(input_reader=None, output_writer=None)

Initializes the CLI tool object.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.extraction_tool module

Shared functionality for an extraction CLI tool.

class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)

Bases: StorageMediaTool, HashersOptions, ProfilingOptions, StorageFileOptions

Extraction CLI tool.

list_language_tags

True if the language tags should be listed.

Type:

bool

list_time_zones

True if the time zones should be listed.

Type:

bool

AddExtractionOptions(argument_group)

Adds the extraction options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddPerformanceOptions(argument_group)

Adds the performance options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddProcessingOptions(argument_group)

Adds the processing options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

ExtractEventsFromSources()

Processes the sources and extracts events.

Raises:

• BadConfigOption – if the storage file path is invalid, or the storage format not supported, or there was a failure to writing to the storage.

• IOError – if the extraction engine could not write to the storage.

• OSError – if the extraction engine could not write to the storage.

• SourceScannerError – if the source scanner could not find a supported file system.

• UserAbort – if the user initiated an abort.

ListArchiveTypes()

Lists information about supported archive types.

ListLanguageTags()

Lists the language tags.

ListParsersAndPlugins()

Lists information about the available parsers and plugins.

__init__(input_reader=None, output_writer=None)

Initializes an CLI tool.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.image_export_tool module

The image export CLI tool.

class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)

Bases: StorageMediaTool

Class that implements the image export CLI tool.

has_filters

True if filters have been specified via the options.

Type:

bool

list_signature_identifiers

True if information about the signature identifiers should be shown.

Type:

bool

AddFilterOptions(argument_group)

Adds the filter options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'

EPILOG = 'And that is how you export files, plaso style.'

ListSignatureIdentifiers()

Lists the signature identifier.

Raises:

BadConfigOption – if the data location is invalid.

NAME = 'image_export'

ParseArguments(arguments)

Parses the command line arguments.

Parameters:

arguments (list[str]) – command line arguments.

Returns:

True if the arguments were successfully parsed.

Return type:

bool

ParseOptions(options)

Parses the options and initializes the front-end.

Parameters:

options (argparse.Namespace) – command line arguments.

Raises:

BadConfigOption – if the options are invalid.

PrintFilterCollection()

Prints the filter collection.

ProcessSource()

Processes the source.

Raises:

• SourceScannerError – if the source scanner could not find a supported file system.

• UserAbort – if the user initiated an abort.

__init__(input_reader=None, output_writer=None)

Initializes the CLI tool object.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.log2timeline_tool module

The log2timeline CLI tool.

class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)

Bases: ExtractionTool

Log2timeline CLI tool.

dependencies_check

True if the availability and versions of dependencies should be checked.

Type:

bool

list_archive_types

True if the archive types should be listed.

Type:

bool

list_hashers

True if the hashers should be listed.

Type:

bool

list_parsers_and_plugins

True if the parsers and plugins should be listed.

Type:

bool

list_profilers

True if the profilers should be listed.

Type:

bool

show_info

True if information about hashers, parsers, plugins, etc. should be shown.

Type:

bool

AddStorageOptions(argument_group)

Adds the storage options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n    https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'

EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n    log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n    log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'

NAME = 'log2timeline'

ParseArguments(arguments)

Parses the command line arguments.

Parameters:

arguments (list[str]) – command line arguments.

Returns:

True if the arguments were successfully parsed.

Return type:

bool

ParseOptions(options)

Parses the options.

Parameters:

options (argparse.Namespace) – command line arguments.

Raises:

BadConfigOption – if the options are invalid.

ShowInfo()

Shows information about available hashers, parsers, plugins, etc.

__init__(input_reader=None, output_writer=None)

Initializes a log2timeline CLI tool.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.logger module

The cli sub module logger.

plaso.cli.pinfo_tool module

The pinfo CLI tool.

class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)

Bases: CLITool, StorageFileOptions

Pinfo CLI tool.

compare_storage_information

True if the tool is used to compare stores.

Type:

bool

generate_report

True if a predefined report type should be generated.

Type:

bool

list_reports

True if the report types should be listed.

Type:

bool

list_sections

True if the section types should be listed.

Type:

bool

CompareStores()

Compares the contents of two stores.

Returns:

True if the content of the stores is identical.

Return type:

bool

Raises:

BadConfigOption – if the storage file format is not supported.

DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'

GenerateReport()

Generates a report.

Raises:

BadConfigOption – if the storage file format is not supported.

ListReports()

Lists information about the available report types.

ListSections()

Lists information about the available sections.

NAME = 'pinfo'

ParseArguments(arguments)

Parses the command line arguments.

Parameters:

arguments (list[str]) – command line arguments.

Returns:

True if the arguments were successfully parsed.

Return type:

bool

ParseOptions(options)

Parses the options.

Parameters:

options (argparse.Namespace) – command line arguments.

Raises:

BadConfigOption – if the options are invalid.

PrintStorageInformation()

Prints the storage information.

Raises:

BadConfigOption – if the storage file format is not supported.

__init__(input_reader=None, output_writer=None)

Initializes the CLI tool object.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.psort_tool module

The psort CLI tool.

class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)

Bases: AnalysisTool, OutputModuleOptions

Psort CLI tool.

list_analysis_plugins

True if information about the analysis plugins should be shown.

Type:

bool

list_language_tags

True if the language tags should be listed.

Type:

bool

list_output_modules

True if information about the output modules should be shown.

Type:

bool

list_profilers

True if the profilers should be listed.

Type:

bool

AddProcessingOptions(argument_group)

Adds processing options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = 'Application to read, filter and process output from a Plaso storage file.'

ListLanguageTags()

Lists the language tags.

NAME = 'psort'

ParseArguments(arguments)

Parses the command line arguments.

Parameters:

arguments (list[str]) – command line arguments.

Returns:

True if the arguments were successfully parsed.

Return type:

bool

ParseOptions(options)

Parses the options.

Parameters:

options (argparse.Namespace) – command line arguments.

Raises:

BadConfigOption – if the options are invalid.

ProcessStorage()

Processes a Plaso storage file.

Raises:

• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.

• RuntimeError – if a non-recoverable situation is encountered.

__init__(input_reader=None, output_writer=None)

Initializes the CLI tool object.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.psteal_tool module

The psteal CLI tool.

class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)

Bases: ExtractionTool, OutputModuleOptions, StorageFileOptions

Psteal CLI tool.

Psteal extract events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behavior of the log2timeline.pl.

The tool currently doesn’t support any of the log2timeline or psort tools’ flags.

dependencies_check

True if the availability and versions of dependencies should be checked.

Type:

bool

list_archive_types

True if the archive types should be listed.

Type:

bool

list_hashers

True if the hashers should be listed.

Type:

bool

list_output_modules

True if information about the output modules should be shown.

Type:

bool

list_parsers_and_plugins

True if the parsers and plugins should be listed.

Type:

bool

AddStorageOptions(argument_group)

Adds the storage options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n    https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'

EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n    psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'

NAME = 'psteal'

ParseArguments(arguments)

Parses the command line arguments.

Parameters:

arguments (list[str]) – command line arguments.

Returns:

True if the arguments were successfully parsed.

Return type:

bool

ParseOptions(options)

Parses tool specific options.

Parameters:

options (argparse.Namespace) – command line arguments.

Raises:

BadConfigOption – if the options are invalid.

ProcessStorage()

Processes a Plaso storage file.

Raises:

• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.

• RuntimeError – if a non-recoverable situation is encountered.

__init__(input_reader=None, output_writer=None)

Initializes the CLI tool object.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

plaso.cli.status_view module

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)

Bases: object

Processing status view.

GetAnalysisStatusUpdateCallback()

Retrieves the analysis status update callback function.

Returns:

status update callback function or None if not available.

Return type:

function

GetExtractionStatusUpdateCallback()

Retrieves the extraction status update callback function.

Returns:

status update callback function or None if not available.

Return type:

function

MODE_FILE = 'file'

MODE_LINEAR = 'linear'

MODE_WINDOW = 'window'

PrintExtractionStatusHeader(processing_status)

Prints the extraction status header.

Parameters:

processing_status (ProcessingStatus) – processing status.

PrintExtractionSummary(processing_status, number_of_extraction_warnings)

Prints a summary of the extraction.

Parameters:

• processing_status (ProcessingStatus) – processing status.

• number_of_extraction_warnings (int) – number of extraction warnings.

SetMode(mode)

Sets the mode.

Parameters:

mode (str) – status view mode.

SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)

Sets the source information.

Parameters:

• source_path (str) – path of the source.

• source_type (str) – source type.

• artifact_filters (Optional[list[str]]) – names of artifact definitions to use as filters.

• filter_file (Optional[str]) – filter file.

SetStatusFile(path)

Sets the status file.

Parameters:

path (str) – path of the status file.

SetStorageFileInformation(storage_file_path)

Sets the storage file information.

Parameters:

storage_file_path (str) – path to the storage file.

__init__(output_writer, tool_name)

Initializes a status view.

Parameters:

• output_writer (OutputWriter) – output writer.

• tool_name (str) – name of the tool.

plaso.cli.storage_media_tool module

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)

Bases: CLITool

CLI tool that supports a storage media device or image as input.

AddCredentialOptions(argument_group)

Adds the credential options to the argument group.

The credential options are use to unlock encrypted volumes.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddStorageMediaImageOptions(argument_group)

Adds the storage media image options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddVSSProcessingOptions(argument_group)

Adds the VSS processing options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

ScanSource(source_path)

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters:

source_path (str) – path to the source.

Raises:

SourceScannerError – if the format of or within the source is not supported.

__init__(input_reader=None, output_writer=None)

Initializes a CLI tool that supports storage media as input.

Parameters:

• input_reader (Optional[InputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[OutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

class plaso.cli.storage_media_tool.StorageMediaToolMediator(*args: Any, **kwargs: Any)

Bases: CLIVolumeScannerMediator

Mediator between the storage media tool and user input.

ParseVolumeIdentifiersString(volume_identifiers_string, prefix='v')

Parses a user specified volume identifiers string.

Parameters:

• volume_identifiers_string (str) – user specified volume identifiers. A range of volumes can be defined as: “3..5”. Multiple volumes can be defined as: “1,3,5” (a list of comma separated values). Ranges and lists can also be combined as: “1,3..5”. The first volume is 1. All volumes can be defined as: “all”.

• prefix (Optional[str]) – volume identifier prefix.

Returns:

volume identifiers with prefix or the string “all”.

Return type:

list[str]

Raises:

ValueError – if the volume identifiers string is invalid.

PromptUserForVSSCurrentVolume()

Prompts the user if the current volume with VSS should be processed.

Returns:

True if the current volume with VSS should be processed.

Return type:

bool

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScanner(*args: Any, **kwargs: Any)

Bases: VolumeScanner

Volume scanner used by the storage media tool.

ScanSource(source_path, options, base_path_specs)

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters:

• source_path (str) – path to the source.

• options (VolumeScannerOptions) – volume scanner options.

• base_path_specs (list[PathSpec]) – file system base path specifications.

Returns:

source scanner context.

Return type:

dfvfs.SourceScannerContext

Raises:

dfvfs.ScannerError – if the format of or within the source is not supported.

__init__(mediator=None)

Initializes a volume scanner.

Parameters:

mediator (Optional[VolumeScannerMediator]) – a volume scanner mediator.

property source_type

type of source.

Type:

str

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScannerOptions(*args: Any, **kwargs: Any)

Bases: VolumeScannerOptions

Volume scanner options used by the storage media tool.

snapshots_only

True if the current volume of a volume with snapshots should be ignored.

Type:

bool

__init__()

Initializes volume scanner options.

plaso.cli.time_slices module

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)

Bases: object

Time slice.

The time slice is used to provide a context of events around an event of interest.

duration

duration of the time slice in minutes.

Type:

int

event_timestamp

event timestamp of the time slice or None.

Type:

int

__init__(event_timestamp, duration=5)

Initializes the time slice.

Parameters:

• event_timestamp (int) – event timestamp of the time slice or None.

• duration (Optional[int]) – duration of the time slice in minutes. The default is 5, which represent 2.5 minutes before and 2.5 minutes after the event timestamp.

property end_timestamp

slice end timestamp or None.

Type:

int

property start_timestamp

slice start timestamp or None.

Type:

int

plaso.cli.tool_options module

The CLI tool options mix-ins.

class plaso.cli.tool_options.AnalysisPluginOptions

Bases: object

Analysis plugin options mix-in.

ListAnalysisPlugins()

Lists the analysis modules.

class plaso.cli.tool_options.HashersOptions

Bases: object

Hashers options mix-in.

ListHashers()

Lists information about the available hashers.

__init__()

Initializes hasher options.

class plaso.cli.tool_options.OutputModuleOptions

Bases: object

Output module options mix-in.

list_time_zones

True if the time zones should be listed.

Type:

bool

AddOutputOptions(argument_group)

Adds the output options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

ListOutputModules()

Lists the output modules.

__init__()

Initializes output module options.

class plaso.cli.tool_options.ProfilingOptions

Bases: object

Profiling options mix-in.

ListProfilers()

Lists information about the available profilers.

__init__()

Initializes profiling options.

class plaso.cli.tool_options.StorageFileOptions

Bases: object

Storage file options mix-in.

AddStorageOptions(argument_parser)

Adds the storage options to the argument group.

Parameters:

argument_parser (argparse.ArgumentParser) – argparse argument parser.

plaso.cli.tools module

The command line interface (CLI) tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')

Bases: object

Command line interface input reader interface.

abstractmethod Read()

Reads a string from the input.

Returns:

input.

Return type:

str

__init__(encoding='utf-8')

Initializes an input reader.

Parameters:

encoding (Optional[str]) – input encoding.

class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')

Bases: object

Command line interface output writer interface.

abstractmethod Write(string)

Writes a string to the output.

Parameters:

string (str) – output.

__init__(encoding='utf-8')

Initializes an output writer.

Parameters:

encoding (Optional[str]) – output encoding.

class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)

Bases: object

Command line interface tool.

preferred_encoding

preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.

Type:

str

show_troubleshooting

True if troubleshooting information should be shown.

Type:

bool

AddBasicOptions(argument_group)

Adds the basic options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddInformationalOptions(argument_group)

Adds the informational options to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddLogFileOptions(argument_group)

Adds the log file option to the argument group.

Parameters:

argument_group (argparse._ArgumentGroup) – argparse argument group.

CheckOutDated()

Checks if the version of plaso is outdated and warns the user.

GetCommandLineArguments()

Retrieves the command line arguments.

Returns:

command line arguments.

Return type:

str

GetVersionInformation()

Retrieves the version information.

Returns:

version information.

Return type:

str

ListTimeZones()

Lists the time zones.

NAME = ''

ParseNumericOption(options, name, base=10, default_value=None)

Parses a numeric option.

If the option is not set the default value is returned.

Parameters:

• options (argparse.Namespace) – command line arguments.

• name (str) – name of the numeric option.

• base (Optional[int]) – base of the numeric value.

• default_value (Optional[object]) – default value.

Returns:

numeric value.

Return type:

int

Raises:

BadConfigOption – if the options are invalid.

ParseStringOption(options, argument_name, default_value=None)

Parses a string command line argument.

Parameters:

• options (argparse.Namespace) – command line arguments.

• argument_name (str) – name of the command line argument.

• default_value (Optional[object]) – default value of the command line argument.

Returns:

command line argument value. If the command line argument is

not set the default value will be returned.

Return type:

object

Raises:

BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

PrintSeparatorLine()

Prints a separator line.

__init__(input_reader=None, output_writer=None)

Initializes a command line interface tool.

Parameters:

• input_reader (Optional[CLIInputReader]) – input reader, where None indicates that the stdin input reader should be used.

• output_writer (Optional[CLIOutputWriter]) – output writer, where None indicates that the stdout output writer should be used.

property data_location

path of the data files.

Type:

str

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')

Bases: CLIInputReader

File object command line interface input reader.

This input reader relies on the file-like object having a readline method.

Read()

Reads a string from the input.

Returns:

input.

Return type:

str

__init__(file_object, encoding='utf-8')

Initializes a file object command line interface input reader.

Parameters:

• file_object (file) – file-like object to read from.

• encoding (Optional[str]) – input encoding.

class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')

Bases: CLIOutputWriter

File object command line interface output writer.

This output writer relies on the file-like object having a write method.

Write(string)

Writes a string to the output.

Parameters:

string (str) – output.

__init__(file_object, encoding='utf-8')

Initializes a file object command line interface output writer.

Parameters:

• file_object (file) – file-like object to read from.

• encoding (Optional[str]) – output encoding.

class plaso.cli.tools.StdinInputReader(encoding='utf-8')

Bases: FileObjectInputReader

Stdin command line interface input reader.

Read()

Reads a string from the input.

Returns:

input.

Return type:

str

__init__(encoding='utf-8')

Initializes an stdin input reader.

Parameters:

encoding (Optional[str]) – input encoding.

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')

Bases: FileObjectOutputWriter

Stdout command line interface output writer.

Write(string)

Writes a string to the output.

Parameters:

string (str) – output.

__init__(encoding='utf-8')

Initializes a stdout output writer.

Parameters:

encoding (Optional[str]) – output encoding.

plaso.cli.views module

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None, title_level=3)

Bases: object

Table view interface.

AddRow(values)

Adds a row of values.

Parameters:

values (list[object]) – values.

Raises:

ValueError – if the number of values is out of bounds.

abstractmethod Write(output_writer)

Writes the table to the output writer.

Parameters:

output_writer (OutputWriter) – output writer.

__init__(column_names=None, title=None, title_level=3)

Initializes a table view.

Parameters:

• column_names (Optional[list[str]]) – column names.

• title (Optional[str]) – title.

• title_level (Optional[int]) – title heading level.

class plaso.cli.views.CLITableView(column_names=None, title=None, title_level=3)

Bases: BaseTableView

Command line table view.

Note that currently this table view does not support more than 2 columns.

AddRow(values)

Adds a row of values.

Parameters:

values (list[object]) – values.

Raises:

ValueError – if the number of values is out of bounds.

Write(output_writer)

Writes the table to the output writer.

Parameters:

output_writer (OutputWriter) – output writer.

Raises:

RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.

__init__(column_names=None, title=None, title_level=3)

Initializes a command line table view.

Parameters:

• column_names (Optional[list[str]]) – column names.

• title (Optional[str]) – title.

• title_level (Optional[int]) – title heading level.

class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)

Bases: BaseTableView

Command line tabular table view interface.

AddRow(values)

Adds a row of values.

Parameters:

values (list[object]) – values.

Raises:

ValueError – if the number of values is out of bounds.

Write(output_writer)

Writes the table to the output writer.

Parameters:

output_writer (OutputWriter) – output writer.

__init__(column_names=None, column_sizes=None, title=None)

Initializes a command line table view.

Parameters:

• column_names (Optional[list[str]]) – column names.

• column_sizes (Optional[list[int]]) – minimum column sizes, in number of characters. If a column name or row value is larger than the minimum column size the column will be enlarged. Note that the minimum columns size will be rounded up to the number of spaces of the next tab.

• title (Optional[str]) – title.

class plaso.cli.views.MarkdownTableView(column_names=None, title=None, title_level=3)

Bases: BaseTableView

Markdown table view.

Write(output_writer)

Writes the table to the output writer.

Parameters:

output_writer (OutputWriter) – output writer.

class plaso.cli.views.ViewsFactory

Bases: object

Views factory.

FORMAT_TYPE_CLI = 'cli'

FORMAT_TYPE_MARKDOWN = 'markdown'

classmethod GetTableView(format_type, column_names=None, title=None, title_level=3)

Retrieves a table view.

Parameters:

• format_type (str) – table view format type.

• column_names (Optional[list[str]]) – column names.

• title (Optional[str]) – title.

• title_level (Optional[int]) – title heading level.

Returns:

table view.

Return type:

BaseTableView

Raises:

ValueError – if the format type is not supported.

Module contents