plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Plist parser plugin for MacOS Airport plist files.

class plaso.parsers.plist_plugins.airport.MacOSAirportEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS airport event data.

last_connected_time

last date and time MacOS Airport connected to the Wi-Fi network.

Type:: dfdatetime.DateTimeValues

security_type

Wi-Fi security type.

Type:: str

ssid

Wi-Fi SSID.

Type:: str

DATA_TYPE = 'macos:airport:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.airport.MacOSAirportPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Airport plist files.

DATA_FORMAT = 'Airport plist file'

NAME = 'airport'

PLIST_KEYS = frozenset({'RememberedNetworks'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.apple_account module

Plist parser plugin for Apple Account plist files.

Fields within the plist key: com.apple.coreservices.appleidauthenticationinfo: Accounts: account name. FirstName: first name associated with the account. LastName: last (or family) name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated.

class plaso.parsers.plist_plugins.apple_account.AppleAccountEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple account event data.

account_name

name of the account.

Type:: str

creation_time

date and time the Apple account was created (configured) on the system.

Type:: dfdatetime.DateTimeValues

first_name

first name.

Type:: str

last_connected_time

last date and time the system successfully connected to the Apple account.

Type:: dfdatetime.DateTimeValues

last_name

last (or family) name.

Type:: str

validation_time

date and time the Apple account was validated.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:apple_account:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.apple_account.AppleAccountPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple Account plist files.

DATA_FORMAT = 'Apple account information plist file'

NAME = 'apple_id'

PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})

plaso.parsers.plist_plugins.bluetooth module

Plist parser plugin for MacOS Bluetooth plist files.

Fields within the plist key: com.apple.bluetooth.plist

LastInquiryUpdate:: Device connected via Bluetooth discovery. Updated when a device is detected in discovery mode. E.g. Bluetooth headphone power on. Pairing is not required for a device to be discovered and cached.
LastNameUpdate:: When the human name was last set. Usually done only once during initial setup.
LastServicesUpdate:: Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.

class plaso.parsers.plist_plugins.bluetooth.MacOSBluetoothEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS Bluetooth event data.

device_identifier

identifier of the device.

Type:: str

device_name

name of the device.

Type:: str

inquiry_time

date and time of the most recent inquiry (connection during discovery mode) of a Bluetooth device.

Type:: dfdatetime.DateTimeValues

is_paired

True if the device has been paired.

Type:: bool

name_update_time

date and time of the most recent update of the human name.

Type:: dfdatetime.DateTimeValues

services_update_time

date and time of the most recent poll of a Bluetooth device.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:bluetooth:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.bluetooth.MacOSBluetoothPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS Bluetooth plist files.

DATA_FORMAT = 'MacOS Bluetooth plist file'

NAME = 'macos_bluetooth'

PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.default module

Default plist parser plugin.

class plaso.parsers.plist_plugins.default.DefaultPlugin[source]

Bases: PlistPlugin

Default plist parser plugin.

DATA_FORMAT = 'plist file'

NAME = 'plist_default'

plaso.parsers.plist_plugins.install_history module

Plist parser plugin for MacOS install history plist files.

class plaso.parsers.plist_plugins.install_history.MacOSInstallHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS install history event data.

identifiers

identifiers of the installed package.

Type:: list[str]

name

display name of the installed package.

Type:: str

process_name

name of the process that installed the package.

Type:: str

version

display version of the installed package.

Type:: str

written_time

entry written date and time.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:install_history:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.install_history.MacOSInstallHistoryPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS install history plist files.

DATA_FORMAT = 'MacOS installation history plist file'

NAME = 'macos_install_history'

PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.interface module

Interface for plist parser plugins.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.NSKeyedArchiverDecoder[source]

Bases: object

Decoder for NSKeyedArchiver encoded plists.

Also see:: https://developer.apple.com/documentation/foundation/nskeyedarchiver

Decode(root_item)[source]

Decodes a NSKeyedArchiver encoded plist.

Parameters:: root_item (object) – root object of the NSKeyedArchiver encoded plist.
Returns:: root object of the decoded plist.
Return type:: dict[str, object]
Raises:: RuntimeError – if the plist cannot be decoded.

IsEncoded(root_item)[source]

Determines if a plist is NSKeyedArchiver encoded.

Parameters:: root_item (object) – root object of the NSKeyedArchiver encoded plist.
Returns:: True if NSKeyedArchiver encoded, False otherwise.
Return type:: bool

class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename)[source]

Bases: object

The plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters:: filename_lower_case (str) – filename of the plist in lower case.
Returns:: True if the filename matches the filter.
Return type:: bool

__init__(filename)[source]

Initializes a plist path filter.

Parameters:: filename (str) – expected file name of the plist.

class plaso.parsers.plist_plugins.interface.PlistPlugin[source]

Bases: BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

PLIST_PATH_FILTERS

plist path filters that should match for the plugin to process the plist.

Type:: set[PlistPathFilter]

PLIST_KEY

keys holding values that are necessary for processing.

Type:: set[str]

Please note, PLIST_KEY is case sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing.

For example if a Plist file contains the following keys, {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being keys critical to processing define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

CheckRequiredFormat(top_level)[source]

Check if the plist has the minimal structure required by the plugin.

Parameters:: top_level (dict[str, object]) – plist top-level item.
Returns:: True if this is the correct plugin, False otherwise.
Return type:: bool

NAME = 'plist_plugin'

PLIST_KEYS = frozenset({})

PLIST_PATH_FILTERS = frozenset({})

Process(parser_mediator, top_level=None, **kwargs)[source]

Extracts events from a plist file.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
top_level (Optional[dict[str, object]]) – plist top-level item.

class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename)[source]

Bases: PlistPathFilter

The prefix plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters:: filename_lower_case (str) – filename of the plist in lower case.
Returns:: True if the filename matches the filter.
Return type:: bool

plaso.parsers.plist_plugins.ios_carplay module

Plist parser plugin for Apple iOS Car Play application plist files.

The plist contains history of opened applications in the Car Play application.

class plaso.parsers.plist_plugins.ios_carplay.IOSCarPlayHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS Car Play application history event data.

application_identifier

application identifier.

Type:: str

last_run_time

application last run date and time.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'ios:carplay:history:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ios_carplay.IOSCarPlayPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple iOS Car Play application plist files.

DATA_FORMAT = 'Apple iOS Car Play application plist file'

NAME = 'ios_carplay'

PLIST_KEYS = frozenset({'CARRecentAppHistory'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ios_identityservices module

Plist parser plugin for iOS identity services status cache files.

class plaso.parsers.plist_plugins.ios_identityservices.IOSIdstatusacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS identity services status cache event data.

apple_identifier

type and value of the identifier.

Type:: str

lookup_time

date and time of the lookup.

Type:: dfdatetime.DateTimeValues

process_name

Type:: str

DATA_TYPE = 'ios:idstatuscache:lookup'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ios_identityservices.IOSIdstatusachePlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for identity services status cache files.

Identity services status cache plist files are typically named: com.apple.identityservices.idstatuscache.plist

DATA_FORMAT = 'Idstatuscache plist file'

NAME = 'ios_identityservices'

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ios_mobilebackup module

Plist parser plugin for Apple iOS Mobile Backup plist files.

The plist contains history of opened applications in the Mobile Backup.

class plaso.parsers.plist_plugins.ios_mobilebackup.IOSMobileBackupEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS Mobile Backup event data.

account_enabled_time

date and time the mobile backup account was enabled.

Type:: dfdatetime.DateTimeValues

backup_state

backup state.

Type:: int

backup_state_time

date and time if the backup state.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'ios:mobile_backup:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ios_mobilebackup.IOSMobileBackupPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple iOS Mobile Backup plist files.

DATA_FORMAT = 'Apple iOS Mobile Backup plist file'

NAME = 'ios_mobile_backup'

PLIST_KEYS = frozenset({'AccountEnabledDate', 'BackupStateInfo'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

class plaso.parsers.plist_plugins.ios_mobilebackup.IOSMobileBackupStateEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS Mobile Backup state event data.

backup_time

date and time of the backup.

Type:: dfdatetime.DateTimeValues

description

localized description of the backup state.

Type:: str

DATA_TYPE = 'ios:mobile_backup:state'

__init__()[source]: Initializes event data.

plaso.parsers.plist_plugins.ios_siminfo module

Plist parser plugin for Apple iOS SIM information plist files.

class plaso.parsers.plist_plugins.ios_siminfo.IOSSIMInfoEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS SIM information event data.

cell_broadcast_version

Cell broadcast version.

Type:: str

eap_aka_enabled

value to indicate EAP-AKA is enabled.

Type:: bool

label_identifier

label identifier.

Type:: str

last_used_time

date and time the SIM was last used.

Type:: dfdatetime.DateTimeValues

phone_number

phone number.

Type:: str

sim_type

type of SIM

Type:: str

DATA_TYPE = 'ios:sim:info'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ios_siminfo.IOSSIMInfoPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple iOS SIM information plist files.

DATA_FORMAT = 'iOS SIM Info plist file'

NAME = 'ios_siminfo'

PLIST_KEYS = frozenset({'PersonalWallet', 'PersonalitySlots', 'pw_ver'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ios_wifi_known_networks module

Plist parser plugin for Apple iOS WiFi Known Networks plist files.

The plist contains information about WiFi networks the device has connected to.

class plaso.parsers.plist_plugins.ios_wifi_known_networks.IOSWiFiKnownNetworksEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS WiFi Known Networks event data.

added_time

date the network was added.

Type:: dfdatetime.DateTimeValues

bssid

BSSID of the WiFi network.

Type:: str

channel

Channel used by the WiFi network.

Type:: int

last_associated_time

date the network was last associated.

Type:: dfdatetime.DateTimeValues

ssid

SSID of the WiFi network.

Type:: str

DATA_TYPE = 'ios:wifi:known_networks:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ios_wifi_known_networks.IOSWiFiKnownNetworksPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple iOS WiFi Known Networks plist files.

DATA_FORMAT = 'Apple iOS WiFi Known Networks plist file'

NAME = 'ios_wifi_known_networks'

PLIST_KEYS = frozenset({})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ipod module

Plist parser plugin for iPod, iPad and iPhone storage plist files.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iPod plist event data.

device_class

device class.

Type:: str

device_identifier

identifier of the device.

Type:: str

family_identifier

identifier of the device family.

Type:: str

firmware_version

firmware version.

Type:: str

imei

IMEI (International Mobile Equipment Identity).

Type:: str

last_connected_time

last date and time the iPod, iPad or iPhone storage (device) was connected.

Type:: dfdatetime.DateTimeValues

serial_number

serial number.

Type:: str

use_count

number of times the device was used.

Type:: str

DATA_TYPE = 'ipod:device:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.ipod.IPodPlugin[source]

Bases: PlistPlugin

Plist parser plugin for iPod, iPad and iPhone storage plist files.

DATA_FORMAT = 'iPod, iPad and iPhone plist file'

NAME = 'ipod_device'

PLIST_KEYS = frozenset({'Devices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.launchd module

Plist parser plugin for MacOS launchd plist files.

class plaso.parsers.plist_plugins.launchd.MacOSLaunchdEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS launchd event data.

name

name.

Type:: str

group_name

name of the group.

Type:: str

program

program and arguments.

Type:: str

user_name

name of the user.

Type:: str

DATA_TYPE = 'macos:launchd:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.launchd.MacOSLaunchdPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS launchd plist files.

Further details about fields within the key:

Label:: the required key for uniquely identifying the launchd service.
Program:: absolute path to the executable. required in the absence of the ProgramArguments key.
ProgramArguments:: command-line flags for the executable. required in the absence of the Program key.
UserName:: the job run as the specified user.
GroupName:: the job run as the specified group.

CheckRequiredFormat(top_level)[source]

Check if the plist has the minimal structure required by the plugin.

Parameters:: top_level (dict[str, object]) – plist top-level item.
Returns:: True if this is the correct plugin, False otherwise.
Return type:: bool

DATA_FORMAT = 'Launchd plist file'

NAME = 'launchd_plist'

PLIST_KEYS = frozenset({'Label'})

plaso.parsers.plist_plugins.macos_background_items module

Plist parser plugin for Mac OS background items plist files.

class plaso.parsers.plist_plugins.macos_background_items.MacOSBackgroundItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Mac OS background item event data.

name

name.

Type:: str

target_creation_time

date and time the target was created.

Type:: dfdatetime.DateTimeValues

target_path

path of the target.

Type:: str

volume_creation_time

date and time the (target) volume was created.

Type:: dfdatetime.DateTimeValues

volume_flags

volume flags.

Type:: int

volume_mount_point

location the volume is mounted on the file system.

Type:: str

volume_name

name of the volume containing the target.

Type:: str

DATA_TYPE = 'macos:background_items:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_background_items.MacOSBackgroundItemsPlistPlugin[source]

Bases: PlistPlugin, DtFabricHelper

Plist parser plugin for Mac OS background items.

DATA_FORMAT = 'Mac OS backgrounditems.btm or BackgroundItems-v[3-9].btm plist file'

NAME = 'macos_background_items_plist'

PLIST_KEYS = frozenset({'$objects'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>, <plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})

__init__()[source]: Initializes a plist parser plugin for Mac OS background items.

plaso.parsers.plist_plugins.macos_login_items module

Plist parser plugin for Mac OS login items plist files.

class plaso.parsers.plist_plugins.macos_login_items.MacOSLoginItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Mac OS login item event data.

hidden

whether this login item is hidden.

Type:: bool

name

name.

Type:: str

target_creation_time

date and time the target was created.

Type:: dfdatetime.DateTimeValues

target_path

path of the target.

Type:: str

volume_creation_time

date and time the (target) volume was created.

Type:: dfdatetime.DateTimeValues

volume_flags

volume flags.

Type:: int

volume_mount_point

location the volume is mounted on the file system.

Type:: str

volume_name

name of the volume containing the target.

Type:: str

DATA_TYPE = 'macos:login_items:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_login_items.MacOSLoginItemsPlistPlugin[source]

Bases: PlistPlugin, DtFabricHelper

Plist parser plugin for Mac OS login items.

DATA_FORMAT = 'Mac OS com.apple.loginitems.plist file'

NAME = 'macos_login_items_plist'

PLIST_KEYS = frozenset({'SessionItems'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.macos_login_window module

Plist parser plugin for Mac OS login window plist files.

class plaso.parsers.plist_plugins.macos_login_window.MacOSLoginWindowEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Mac OS login window event data.

Also see: * https://developer.apple.com/documentation/devicemanagement/loginwindow * https://developer.apple.com/documentation/devicemanagement/

loginwindowscripts

login_hook

path of the script to run during login.

Type:: str

logout_hook

path of the script to run during logout.

Type:: str

DATA_TYPE = 'macos:login_window:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_login_window.MacOSLoginWindowManagedLoginItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Mac OS login window managed login item event data.

Also see: * https://developer.apple.com/documentation/devicemanagement/

loginitemsmanageditems/loginitem

is_hidden

True if the item should is not shown in the “Users & Groups” items list.

Type:: bool

path

URL or path of the location of the item.

Type:: str

DATA_TYPE = 'macos:login_window:managed_login_item'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_login_window.MacOSLoginWindowPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Mac OS login window plist files.

DATA_FORMAT = 'Mac OS login window plist file'

NAME = 'macos_login_window_plist'

PLIST_KEYS = frozenset({})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>, <plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.macos_startup_item module

Plist parser plugin for Mac OS startup item plist files.

class plaso.parsers.plist_plugins.macos_startup_item.MacOSStartupItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Mac OS startup item event data.

description

description of the startup item.

Type:: str

order_preference

startup order preference.

Type:: str

provides

names of services provided by the startup item.

Type:: list[str]

requires

services required prior to this startup item.

Type:: list[str]

uses

services that should be started before this startup item.

Type:: list[str]

DATA_TYPE = 'macos:startup_item:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_startup_item.MacOSStartupItemPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Mac OS startup item plist files.

DATA_FORMAT = 'Mac OS startup item plist file'

NAME = 'macos_startup_item_plist'

PLIST_KEYS = frozenset({})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.macos_user module

Plist parser plugin for MacOS user plist files.

Fields within the plist key:

name: username. uid: user identifier (UID). passwordpolicyoptions: XML Plist structures with the timestamp. passwordLastSetTime: last time the password was changed. lastLoginTimestamp: last time the user was authenticated depending on

the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (Cocoa zero time representation).

failedLoginTimestamp: last time the login attempt failed. failedLoginCount: number of failed loging attempts.

class plaso.parsers.plist_plugins.macos_user.MacOSUserEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS user event data.

fullname

full name.

Type:: str

home_directory

path of the home directory.

Type:: str

last_login_attempt_time

date and time of the last (failed) login attempt.

Type:: dfdatetime.DateTimeValues

last_login_time

date and time of the last login.

Type:: dfdatetime.DateTimeValues

last_password_set_time

date and time of the last password set.

Type:: dfdatetime.DateTimeValues

number_of_failed_login_attempts

number of failed login attempts.

Type:: str

password_hash

password hash.

Type:: str

user_identifier

user identifier.

Type:: str

username

username.

Type:: str

DATA_TYPE = 'macos:user:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.macos_user.MacOSUserPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS user plist files.

DATA_FORMAT = 'MacOS user plist file'

NAME = 'macuser'

PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})

plaso.parsers.plist_plugins.safari_downloads module

Plist parser plugin for Safari Downloads.plist files.

class plaso.parsers.plist_plugins.safari_downloads.SafariDownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari download event data.

end_time

date and time the download was finished.

Type:: dfdatetime.DateTimeValues

full_path

full path where the file was downloaded to.

Type:: str

received_bytes

number of bytes received while downloading.

Type:: int

remove_on_completion

remove the download when completed (done).

Type:: bool

start_time

date and time the download was started.

Type:: dfdatetime.DateTimeValues

total_bytes

total number of bytes to download.

Type:: int

url

URL of the downloaded file.

Type:: str

DATA_TYPE = 'safari:downloads:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.safari_downloads.SafariDownloadsPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Safari Downloads.plist files.

DATA_FORMAT = 'Safari Downloads plist file'

NAME = 'safari_downloads'

PLIST_KEYS = frozenset({'DownloadHistory'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.safari_history module

Plist parser plugin for Safari history plist files.

class plaso.parsers.plist_plugins.safari_history.SafariHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari history event data.

display_title

display title of the webpage visited.

Type:: str

last_visited_time

date and time the URL was last visited.

Type:: dfdatetime.DateTimeValues

title

title of the webpage visited.

Type:: str

url

URL visited.

Type:: str

visit_count

number of times the website was visited.

Type:: int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type:: bool

DATA_TYPE = 'safari:history:visit'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.safari_history.SafariHistoryPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Safari history plist files.

DATA_FORMAT = 'Safari history plist file'

NAME = 'safari_history'

PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.software_update module

Plist parser plugin for MacOS software update plist files.

class plaso.parsers.plist_plugins.software_update.MacOSSoftwareUpdateEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS software update event data.

full_update_time

date and time of last full MacOS software update.

Type:: dfdatetime.DateTimeValues

recommended_updates

recommended updates.

Type:: list[str]

system_version

operating system version.

Type:: str

update_time

date and time of last MacOS software update.

Type:: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:software_updata:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.software_update.MacOSSoftwareUpdatePlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS software update plist files.

Further details about the extracted fields:

LastFullSuccessfulDate:: timestamp when MacOS was full update.
LastSuccessfulDate:: timestamp when MacOS was partially update.

DATA_FORMAT = 'MacOS software update plist file'

NAME = 'macos_software_update'

PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_searched_terms module

Plist parser plugin for Spotlight searched terms plist files.

Fields within the plist key: com.apple.spotlight.plist, where the name of the key contains the search term.

DISPLAY_NAME: the display name of the program associated. LAST_USED: last time when it was executed. PATH: path of the program associated to the term.

class plaso.parsers.plist_plugins.spotlight_searched_terms.SpotlightSearchedTermsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Spotlight searched terms event data.

display_name

display name.

Type:: str

last_used_time

last date and time the search term was last used.

Type:: dfdatetime.DateTimeValues

path

path.

Type:: str

search_term

search term.

Type:: str

DATA_TYPE = 'spotlight_searched_terms:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.spotlight_searched_terms.SpotlightSearchedTermsPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Spotlight searched terms plist files.

DATA_FORMAT = 'Spotlight searched terms plist file'

NAME = 'spotlight'

PLIST_KEYS = frozenset({'UserShortcuts'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_volume module

Plist parser plugin for Spotlight volume configuration plist files.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumeConfigurationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Spotlight volume configuration event data.

creation_time

volume creation date and time.

Type:: dfdatetime.DateTimeValues

partial_path

part of the path.

Type:: str

volume_identifier

identifier of the volume.

Type:: str

DATA_TYPE = 'spotlight_volume_configuration:store'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumeConfigurationPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Spotlight volume configuration plist files.

DATA_FORMAT = 'Spotlight volume configuration plist file'

NAME = 'spotlight_volume'

PLIST_KEYS = frozenset({'Stores'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.time_machine module

Plist parser plugin for MacOS TimeMachine plist files.

class plaso.parsers.plist_plugins.time_machine.MacOSTimeMachineBackupEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS TimeMachine backup event data.

backup_alias

alias of the backup.

Type:: str

destination_identifier

identifier of the destination volume.

Type:: str

snapshot_times

dates and times of the creation of backup snaphots.

Type:: list[dfdatetime.DateTimeValues]

DATA_TYPE = 'macos:time_machine:backup'

__init__()[source]: Initializes event data.

class plaso.parsers.plist_plugins.time_machine.MacOSTimeMachinePlistPlugin[source]

Bases: PlistPlugin, DtFabricHelper

Plist parser plugin for MacOS TimeMachine plist files.

Further details about the extracted fields:

DestinationID:: remote UUID hard disk where the backup is done.
BackupAlias:: structure that contains the extra information from the destinationID.
SnapshotDates:: list of the backup dates.

DATA_FORMAT = 'MacOS TimeMachine plist file'

NAME = 'time_machine'

PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

__init__()[source]: Initializes a plist parser plugin.

Module contents

Imports for the plist parser plugins.