plaso.cli package

Subpackages

• plaso.cli.helpers package
  • Submodules
  • plaso.cli.helpers.analysis_plugins module
  • plaso.cli.helpers.artifact_definitions module
  • plaso.cli.helpers.artifact_filters module
  • plaso.cli.helpers.data_location module
  • plaso.cli.helpers.date_filters module
  • plaso.cli.helpers.dynamic_output module
  • plaso.cli.helpers.elastic_output module
  • plaso.cli.helpers.elastic_ts_output module
  • plaso.cli.helpers.event_filters module
  • plaso.cli.helpers.extraction module
  • plaso.cli.helpers.filter_file module
  • plaso.cli.helpers.hashers module
  • plaso.cli.helpers.interface module
  • plaso.cli.helpers.language module
  • plaso.cli.helpers.manager module
  • plaso.cli.helpers.nsrlsvr_analysis module
  • plaso.cli.helpers.output_modules module
  • plaso.cli.helpers.parsers module
  • plaso.cli.helpers.process_resources module
  • plaso.cli.helpers.profiling module
  • plaso.cli.helpers.sessionize_analysis module
  • plaso.cli.helpers.status_view module
  • plaso.cli.helpers.storage_format module
  • plaso.cli.helpers.tagging_analysis module
  • plaso.cli.helpers.temporary_directory module
  • plaso.cli.helpers.text_prepend module
  • plaso.cli.helpers.vfs_backend module
  • plaso.cli.helpers.viper_analysis module
  • plaso.cli.helpers.virustotal_analysis module
  • plaso.cli.helpers.windows_services_analysis module
  • plaso.cli.helpers.workers module
  • plaso.cli.helpers.xlsx_output module
  • plaso.cli.helpers.yara_rules module
  • Module contents

Submodules

plaso.cli.analysis_tool module

Shared functionality for an analysis CLI tool.

class plaso.cli.analysis_tool.AnalysisTool(input_reader=None, output_writer=None)

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Analysis CLI tool.

list_analysis_plugins

True if information about the analysis plugins should be shown.

Type

bool

plaso.cli.extraction_tool module

Shared functionality for an extraction CLI tool.

class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)

Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Extraction CLI tool.

list_time_zones

True if the time zones should be listed.

Type

bool

AddPerformanceOptions(argument_group)

Adds the performance options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddProcessingOptions(argument_group)

Adds the processing options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddTimeZoneOption(argument_group)

Adds the time zone option to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

ExtractEventsFromSources()

Processes the sources and extracts events.

Raises

• BadConfigOption – if the storage file path is invalid, or the storage format not supported, or there was a failure to writing to the storage.

• IOError – if the extraction engine could not write to the storage.

• OSError – if the extraction engine could not write to the storage.

• SourceScannerError – if the source scanner could not find a supported file system.

• UserAbort – if the user initiated an abort.

ListParsersAndPlugins()

Lists information about the available parsers and plugins.

plaso.cli.image_export_tool module

The image export CLI tool.

class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)

Bases: plaso.cli.storage_media_tool.StorageMediaTool

Class that implements the image export CLI tool.

has_filters

True if filters have been specified via the options.

Type

bool

list_signature_identifiers

True if information about the signature identifiers should be shown.

Type

bool

AddFilterOptions(argument_group)

Adds the filter options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'

EPILOG = 'And that is how you export files, plaso style.'

ListSignatureIdentifiers()

Lists the signature identifier.

Raises

BadConfigOption – if the data location is invalid.

NAME = 'image_export'

ParseArguments(arguments)

Parses the command line arguments.

Parameters

arguments (list[str]) – command line arguments.

Returns

True if the arguments were successfully parsed.

Return type

bool

ParseOptions(options)

Parses the options and initializes the front-end.

Parameters

options (argparse.Namespace) – command line arguments.

Raises

BadConfigOption – if the options are invalid.

PrintFilterCollection()

Prints the filter collection.

ProcessSources()

Processes the sources.

Raises

• SourceScannerError – if the source scanner could not find a supported file system.

• UserAbort – if the user initiated an abort.

plaso.cli.log2timeline_tool module

The log2timeline CLI tool.

class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)

Bases: plaso.cli.extraction_tool.ExtractionTool

Log2timeline CLI tool.

dependencies_check

True if the availability and versions of dependencies should be checked.

Type

bool

list_hashers

True if the hashers should be listed.

Type

bool

list_parsers_and_plugins

True if the parsers and plugins should be listed.

Type

bool

list_profilers

True if the profilers should be listed.

Type

bool

show_info

True if information about hashers, parsers, plugins, etc. should be shown.

Type

bool

AddLegacyStorageOptions(argument_parser)

Adds the legacy storage options to the argument group.

Parameters

argument_parser (argparse.ArgumentParser) – argparse argument parser.

AddStorageOptions(argument_group)

Adds the storage options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n    https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'

EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n    log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n    log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'

NAME = 'log2timeline'

ParseArguments(arguments)

Parses the command line arguments.

Parameters

arguments (list[str]) – command line arguments.

Returns

True if the arguments were successfully parsed.

Return type

bool

ParseOptions(options)

Parses the options.

Parameters

options (argparse.Namespace) – command line arguments.

Raises

BadConfigOption – if the options are invalid.

ShowInfo()

Shows information about available hashers, parsers, plugins, etc.

plaso.cli.logger module

The cli sub module logger.

plaso.cli.pinfo_tool module

The pinfo CLI tool.

class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions

Pinfo CLI tool.

compare_storage_information

True if the tool is used to compare stores.

Type

bool

generate_report

True if a predefined report type should be generated.

Type

bool

list_reports

True if the report types should be listed.

Type

bool

list_sections

True if the section types should be listed.

Type

bool

CompareStores()

Compares the contents of two stores.

Returns

True if the content of the stores is identical.

Return type

bool

Raises

BadConfigOption – if the storage file format is not supported.

DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'

GenerateReport()

Generates a report.

Raises

BadConfigOption – if the storage file format is not supported.

ListReports()

Lists information about the available report types.

ListSections()

Lists information about the available sections.

NAME = 'pinfo'

ParseArguments(arguments)

Parses the command line arguments.

Parameters

arguments (list[str]) – command line arguments.

Returns

True if the arguments were successfully parsed.

Return type

bool

ParseOptions(options)

Parses the options.

Parameters

options (argparse.Namespace) – command line arguments.

Raises

BadConfigOption – if the options are invalid.

PrintStorageInformation()

Prints the storage information.

Raises

BadConfigOption – if the storage file format is not supported.

plaso.cli.psort_tool module

The psort CLI tool.

class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)

Bases: plaso.cli.analysis_tool.AnalysisTool, plaso.cli.tool_options.OutputModuleOptions

Psort CLI tool.

list_analysis_plugins

True if information about the analysis plugins should be shown.

Type

bool

list_language_identifiers

True if information about the language identifiers should be shown.

Type

bool

list_output_modules

True if information about the output modules should be shown.

Type

bool

list_profilers

True if the profilers should be listed.

Type

bool

AddProcessingOptions(argument_group)

Adds processing options to the argument group

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'

NAME = 'psort'

ParseArguments(arguments)

Parses the command line arguments.

Parameters

arguments (list[str]) – command line arguments.

Returns

True if the arguments were successfully parsed.

Return type

bool

ParseOptions(options)

Parses the options.

Parameters

options (argparse.Namespace) – command line arguments.

Raises

BadConfigOption – if the options are invalid.

ProcessStorage()

Processes a plaso storage file.

Raises

• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.

• RuntimeError – if a non-recoverable situation is encountered.

plaso.cli.psteal_tool module

The psteal CLI tool.

class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)

Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.StorageFileOptions

Psteal CLI tool.

Psteal extract events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behavior of the log2timeline.pl.

The tool currently doesn’t support any of the log2timeline or psort tools’ flags.

dependencies_check

True if the availability and versions of dependencies should be checked.

Type

bool

list_hashers

True if the hashers should be listed.

Type

bool

list_language_identifiers

True if information about the language identifiers should be shown.

Type

bool

list_output_modules

True if information about the output modules should be shown.

Type

bool

list_parsers_and_plugins

True if the parsers and plugins should be listed.

Type

bool

AddStorageOptions(argument_group)

Adds the storage options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AnalyzeEvents()

Analyzes events from a plaso storage file and generate a report.

Raises

• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.

• RuntimeError – if a non-recoverable situation is encountered.

DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n    https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'

EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n    psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'

NAME = 'psteal'

ParseArguments(arguments)

Parses the command line arguments.

Parameters

arguments (list[str]) – command line arguments.

Returns

True if the arguments were successfully parsed.

Return type

bool

ParseOptions(options)

Parses tool specific options.

Parameters

options (argparse.Namespace) – command line arguments.

Raises

BadConfigOption – if the options are invalid.

plaso.cli.status_view module

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)

Bases: object

Processing status view.

GetAnalysisStatusUpdateCallback()

Retrieves the analysis status update callback function.

Returns

status update callback function or None if not available.

Return type

function

GetExtractionStatusUpdateCallback()

Retrieves the extraction status update callback function.

Returns

status update callback function or None if not available.

Return type

function

MODE_LINEAR = 'linear'

MODE_WINDOW = 'window'

PrintExtractionStatusHeader(processing_status)

Prints the extraction status header.

Parameters

processing_status (ProcessingStatus) – processing status.

PrintExtractionSummary(processing_status)

Prints a summary of the extraction.

Parameters

processing_status (ProcessingStatus) – processing status.

SetMode(mode)

Sets the mode.

Parameters

mode (str) – status view mode.

SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)

Sets the source information.

Parameters

• source_path (str) – path of the source.

• source_type (str) – source type.

• artifact_filters (Optional[list[str]]) – names of artifact definitions to use as filters.

• filter_file (Optional[str]) – filter file.

SetStorageFileInformation(storage_file_path)

Sets the storage file information.

Parameters

storage_file_path (str) – path to the storage file.

plaso.cli.storage_media_tool module

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)

Bases: plaso.cli.tools.CLITool

CLI tool that supports a storage media device or image as input.

AddCredentialOptions(argument_group)

Adds the credential options to the argument group.

The credential options are use to unlock encrypted volumes.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddStorageMediaImageOptions(argument_group)

Adds the storage media image options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddVSSProcessingOptions(argument_group)

Adds the VSS processing options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

ScanSource(source_path)

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters

source_path (str) – path to the source.

Raises

SourceScannerError – if the format of or within the source is not supported.

class plaso.cli.storage_media_tool.StorageMediaToolMediator(*args: Any, **kwargs: Any)

Bases: dfvfs.helpers.command_line.

Mediator between the storage media tool and user input.

ParseVolumeIdentifiersString(volume_identifiers_string, prefix='v')

Parses a user specified volume identifiers string.

Parameters

• volume_identifiers_string (str) – user specified volume identifiers. A range of volumes can be defined as: “3..5”. Multiple volumes can be defined as: “1,3,5” (a list of comma separated values). Ranges and lists can also be combined as: “1,3..5”. The first volume is 1. All volumes can be defined as: “all”.

• prefix (Optional[str]) – volume identifier prefix.

Returns

volume identifiers with prefix or the string “all”.

Return type

list[str]

Raises

ValueError – if the volume identifiers string is invalid.

PromptUserForVSSCurrentVolume()

Prompts the user if the current volume with VSS should be processed.

Returns

True if the current volume with VSS should be processed.

Return type

bool

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScanner(*args: Any, **kwargs: Any)

Bases: dfvfs.helpers.volume_scanner.

Volume scanner used by the storage media tool.

ScanSource(source_path, options, base_path_specs)

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters

• source_path (str) – path to the source.

• options (VolumeScannerOptions) – volume scanner options.

• base_path_specs (list[PathSpec]) – file system base path specifications.

Returns

source scanner context.

Return type

dfvfs.SourceScannerContext

Raises

dfvfs.ScannerError – if the format of or within the source is not supported.

property source_type

type of source.

Type

str

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScannerOptions(*args: Any, **kwargs: Any)

Bases: dfvfs.helpers.volume_scanner.

Volume scanner options used by the storage media tool.

snapshots_only

True if the current volume of a volume with snapshots should be ignored.

Type

bool

plaso.cli.time_slices module

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)

Bases: object

Time slice.

The time slice is used to provide a context of events around an event of interest.

duration

duration of the time slice in minutes.

Type

int

event_timestamp

event timestamp of the time slice or None.

Type

int

property end_timestamp

slice end timestamp or None.

Type

int

property start_timestamp

slice start timestamp or None.

Type

int

plaso.cli.tool_options module

The CLI tool options mix-ins.

class plaso.cli.tool_options.AnalysisPluginOptions

Bases: object

Analysis plugin options mix-in.

ListAnalysisPlugins()

Lists the analysis modules.

class plaso.cli.tool_options.HashersOptions

Bases: object

Hashers options mix-in.

ListHashers()

Lists information about the available hashers.

class plaso.cli.tool_options.OutputModuleOptions

Bases: object

Output module options mix-in.

list_time_zones

True if the time zones should be listed.

Type

bool

AddOutputOptions(argument_group)

Adds the output options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

ListLanguageIdentifiers()

Lists the language identifiers.

ListOutputModules()

Lists the output modules.

class plaso.cli.tool_options.ProfilingOptions

Bases: object

Profiling options mix-in.

ListProfilers()

Lists information about the available profilers.

class plaso.cli.tool_options.StorageFileOptions

Bases: object

Storage file options mix-in.

AddStorageOptions(argument_parser)

Adds the storage options to the argument group.

Parameters

argument_parser (argparse.ArgumentParser) – argparse argument parser.

plaso.cli.tools module

The command line interface (CLI) tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')

Bases: object

Command line interface input reader interface.

abstract Read()

Reads a string from the input.

Returns

input.

Return type

str

class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')

Bases: object

Command line interface output writer interface.

abstract Write(string)

Writes a string to the output.

Parameters

string (str) – output.

class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)

Bases: object

Command line interface tool.

preferred_encoding

preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.

Type

str

show_troubleshooting

True if troubleshooting information should be shown.

Type

bool

AddBasicOptions(argument_group)

Adds the basic options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddInformationalOptions(argument_group)

Adds the informational options to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

AddLogFileOptions(argument_group)

Adds the log file option to the argument group.

Parameters

argument_group (argparse._ArgumentGroup) – argparse argument group.

CheckOutDated()

Checks if the version of plaso is outdated and warns the user.

GetCommandLineArguments()

Retrieves the command line arguments.

Returns

command line arguments.

Return type

str

GetVersionInformation()

Retrieves the version information.

Returns

version information.

Return type

str

ListTimeZones()

Lists the timezones.

NAME = ''

ParseNumericOption(options, name, base=10, default_value=None)

Parses a numeric option.

If the option is not set the default value is returned.

Parameters

• options (argparse.Namespace) – command line arguments.

• name (str) – name of the numeric option.

• base (Optional[int]) – base of the numeric value.

• default_value (Optional[object]) – default value.

Returns

numeric value.

Return type

int

Raises

BadConfigOption – if the options are invalid.

ParseStringOption(options, argument_name, default_value=None)

Parses a string command line argument.

Parameters

• options (argparse.Namespace) – command line arguments.

• argument_name (str) – name of the command line argument.

• default_value (Optional[object]) – default value of the command line argument.

Returns

command line argument value. If the command line argument is

not set the default value will be returned.

Return type

object

Raises

BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

PrintSeparatorLine()

Prints a separator line.

property data_location

path of the data files.

Type

str

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')

Bases: plaso.cli.tools.CLIInputReader

File object command line interface input reader.

This input reader relies on the file-like object having a readline method.

Read()

Reads a string from the input.

Returns

input.

Return type

str

class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')

Bases: plaso.cli.tools.CLIOutputWriter

File object command line interface output writer.

This output writer relies on the file-like object having a write method.

Write(string)

Writes a string to the output.

Parameters

string (str) – output.

class plaso.cli.tools.StdinInputReader(encoding='utf-8')

Bases: plaso.cli.tools.FileObjectInputReader

Stdin command line interface input reader.

Read()

Reads a string from the input.

Returns

input.

Return type

str

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')

Bases: plaso.cli.tools.FileObjectOutputWriter

Stdout command line interface output writer.

Write(string)

Writes a string to the output.

Parameters

string (str) – output.

plaso.cli.views module

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None, title_level=3)

Bases: object

Table view interface.

AddRow(values)

Adds a row of values.

Parameters

values (list[object]) – values.

Raises

ValueError – if the number of values is out of bounds.

abstract Write(output_writer)

Writes the table to the output writer.

Parameters

output_writer (OutputWriter) – output writer.

class plaso.cli.views.CLITableView(column_names=None, title=None, title_level=3)

Bases: plaso.cli.views.BaseTableView

Command line table view.

Note that currently this table view does not support more than 2 columns.

AddRow(values)

Adds a row of values.

Parameters

values (list[object]) – values.

Raises

ValueError – if the number of values is out of bounds.

Write(output_writer)

Writes the table to the output writer.

Parameters

output_writer (OutputWriter) – output writer.

Raises

RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.

class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)

Bases: plaso.cli.views.BaseTableView

Command line tabular table view interface.

AddRow(values)

Adds a row of values.

Parameters

values (list[object]) – values.

Raises

ValueError – if the number of values is out of bounds.

Write(output_writer)

Writes the table to the output writer.

Parameters

output_writer (OutputWriter) – output writer.

class plaso.cli.views.MarkdownTableView(column_names=None, title=None, title_level=3)

Bases: plaso.cli.views.BaseTableView

Markdown table view.

Write(output_writer)

Writes the table to the output writer.

Parameters

output_writer (OutputWriter) – output writer.

class plaso.cli.views.ViewsFactory

Bases: object

Views factory.

FORMAT_TYPE_CLI = 'cli'

FORMAT_TYPE_MARKDOWN = 'markdown'

classmethod GetTableView(format_type, column_names=None, title=None, title_level=3)

Retrieves a table view.

Parameters

• format_type (str) – table view format type.

• column_names (Optional[list[str]]) – column names.

• title (Optional[str]) – title.

• title_level (Optional[int]) – title heading level.

Returns

table view.

Return type

BaseTableView

Raises

ValueError – if the format type is not supported.

Module contents