plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Plist parser plugin for MacOS Airport plist files.

class plaso.parsers.plist_plugins.airport.MacOSAirportEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS airport event data.

last_connected_time

last date and time MacOS Airport connected to the Wi-Fi network.

Type: dfdatetime.DateTimeValues

security_type

Wi-Fi security type.

Type: str

ssid

Wi-Fi SSID.

Type: str

DATA_TYPE = 'macos:airport:entry'

class plaso.parsers.plist_plugins.airport.MacOSAirportPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Airport plist files.

DATA_FORMAT = 'Airport plist file'

NAME = 'airport'

PLIST_KEYS = frozenset({'RememberedNetworks'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.apple_account module

Plist parser plugin for Apple Account plist files.

Fields within the plist key: com.apple.coreservices.appleidauthenticationinfo: Accounts: account name. FirstName: first name associated with the account. LastName: last (or family) name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated.

class plaso.parsers.plist_plugins.apple_account.AppleAccountEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple account event data.

account_name

name of the account.

Type: str

creation_time

date and time the Apple account was created (configured) on the system.

Type: dfdatetime.DateTimeValues

first_name

first name.

Type: str

last_connected_time

last date and time the system successfully connected to the Apple account.

Type: dfdatetime.DateTimeValues

last_name

last (or family) name.

Type: str

validation_time

date and time the Apple account was validated.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:apple_account:entry'

class plaso.parsers.plist_plugins.apple_account.AppleAccountPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple Account plist files.

DATA_FORMAT = 'Apple account information plist file'

NAME = 'apple_id'

PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})

plaso.parsers.plist_plugins.bluetooth module

Plist parser plugin for MacOS Bluetooth plist files.

Fields within the plist key: com.apple.bluetooth.plist

LastInquiryUpdate:: Device connected via Bluetooth discovery. Updated when a device is detected in discovery mode. E.g. Bluetooth headphone power on. Pairing is not required for a device to be discovered and cached.
LastNameUpdate:: When the human name was last set. Usually done only once during initial setup.
LastServicesUpdate:: Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.

class plaso.parsers.plist_plugins.bluetooth.MacOSBluetoothEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS Bluetooth event data.

device_identifier

identifier of the device.

Type: str

device_name

name of the device.

Type: str

inquiry_time

date and time of the most recent inquiry (connection during discovery mode) of a Bluetooth device.

Type: dfdatetime.DateTimeValues

is_paired

True if the device has been paired.

Type: bool

name_update_time

date and time of the most recent update of the human name.

Type: dfdatetime.DateTimeValues

services_update_time

date and time of the most recent poll of a Bluetooth device.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:bluetooth:entry'

class plaso.parsers.plist_plugins.bluetooth.MacOSBluetoothPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS Bluetooth plist files.

DATA_FORMAT = 'MacOS Bluetooth plist file'

NAME = 'macos_bluetooth'

PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.default module

Default plist parser plugin.

class plaso.parsers.plist_plugins.default.DefaultPlugin[source]

Bases: PlistPlugin

Default plist parser plugin.

DATA_FORMAT = 'plist file'

NAME = 'plist_default'

plaso.parsers.plist_plugins.install_history module

Plist parser plugin for MacOS install history plist files.

class plaso.parsers.plist_plugins.install_history.MacOSInstallHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS install history event data.

identifiers

identifiers of the installed package.

Type: list[str]

name

display name of the installed package.

Type: str

process_name

name of the process that installed the package.

Type: str

version

display version of the installed package.

Type: str

written_time

entry written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:install_history:entry'

class plaso.parsers.plist_plugins.install_history.MacOSInstallHistoryPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS install history plist files.

DATA_FORMAT = 'MacOS installation history plist file'

NAME = 'macos_install_history'

PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.interface module

Interface for plist parser plugins.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename)[source]

Bases: object

The plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters: filename_lower_case (str) – filename of the plist in lower case.
Returns: True if the filename matches the filter.
Return type: bool

class plaso.parsers.plist_plugins.interface.PlistPlugin[source]

Bases: BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

PLIST_PATH_FILTERS

plist path filters that should match for the plugin to process the plist.

Type: set[PlistPathFilter]

PLIST_KEY

keys holding values that are necessary for processing.

Type: set[str]

Please note, PLIST_KEY is case sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing.

For example if a Plist file contains the following keys, {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being keys critical to processing define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

NAME = 'plist_plugin'

PLIST_KEYS = frozenset({'any'})

PLIST_PATH_FILTERS = frozenset({})

Process(parser_mediator, top_level=None, **kwargs)[source]

Extracts events from a plist file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
top_level (Optional[dict[str, object]]) – plist top-level item.

class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename)[source]

Bases: PlistPathFilter

The prefix plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters: filename_lower_case (str) – filename of the plist in lower case.
Returns: True if the filename matches the filter.
Return type: bool

plaso.parsers.plist_plugins.ios_carplay module

Plist parser plugin for Apple iOS Car Play application plist files.

The plist contains history of opened applications in the Car Play application.

class plaso.parsers.plist_plugins.ios_carplay.IOSCarPlayHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple iOS Car Play application history event data.

application_identifier

application identifier.

Type: str

last_run_time

application last run date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'ios:carplay:history:entry'

class plaso.parsers.plist_plugins.ios_carplay.IOSCarPlayPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Apple iOS Car Play application plist files.

DATA_FORMAT = 'Apple iOS Car Play application plist file'

NAME = 'ios_carplay'

PLIST_KEYS = frozenset({'CARRecentAppHistory'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ios_identityservices module

Plist parser plugin for iOS identity services status cache files.

class plaso.parsers.plist_plugins.ios_identityservices.IOSIdstatusacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS identity services status cache event data.

apple_identifier

type and value of the identifier.

Type: str

lookup_time

date and time of the lookup.

Type: dfdatetime.DateTimeValues

process_name

Type: str

DATA_TYPE = 'ios:idstatuscache:lookup'

class plaso.parsers.plist_plugins.ios_identityservices.IOSIdstatusachePlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for identity services status cache files.

Identity services status cache plist files are typically named: com.apple.identityservices.idstatuscache.plist

DATA_FORMAT = 'Idstatuscache plist file'

NAME = 'ios_identityservices'

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.ipod module

Plist parser plugin for iPod, iPad and iPhone storage plist files.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iPod plist event data.

device_class

device class.

Type: str

device_identifier

identifier of the device.

Type: str

family_identifier

identifier of the device family.

Type: str

firmware_version

firmware version.

Type: str

imei

IMEI (International Mobile Equipment Identity).

Type: str

last_connected_time

last date and time the iPod, iPad or iPhone storage (device) was connected.

Type: dfdatetime.DateTimeValues

serial_number

serial number.

Type: str

use_count

number of times the device was used.

Type: str

DATA_TYPE = 'ipod:device:entry'

class plaso.parsers.plist_plugins.ipod.IPodPlugin[source]

Bases: PlistPlugin

Plist parser plugin for iPod, iPad and iPhone storage plist files.

DATA_FORMAT = 'iPod, iPad and iPhone plist file'

NAME = 'ipod_device'

PLIST_KEYS = frozenset({'Devices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.launchd module

Plist parser plugin for MacOS launchd plist files.

class plaso.parsers.plist_plugins.launchd.MacOSLaunchdEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS launchd event data.

name

name.

Type: str

group_name

name of the group.

Type: str

program

program and arguments.

Type: str

user_name

name of the user.

Type: str

DATA_TYPE = 'macos:launchd:entry'

class plaso.parsers.plist_plugins.launchd.MacOSLaunchdPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS launchd plist files.

Further details about fields within the key:

Label:: the required key for uniquely identifying the launchd service.
Program:: absolute path to the executable. required in the absence of the ProgramArguments key.
ProgramArguments:: command-line flags for the executable. required in the absence of the Program key.
UserName:: the job run as the specified user.
GroupName:: the job run as the specified group.

DATA_FORMAT = 'Launchd plist file'

NAME = 'launchd_plist'

PLIST_KEYS = frozenset({'GroupName', 'Label', 'Program', 'ProgramArguments', 'UserName'})

plaso.parsers.plist_plugins.macos_user module

Plist parser plugin for MacOS user plist files.

Fields within the plist key:

name: username. uid: user identifier (UID). passwordpolicyoptions: XML Plist structures with the timestamp. passwordLastSetTime: last time the password was changed. lastLoginTimestamp: last time the user was authenticated depending on

the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (Cocoa zero time representation).

failedLoginTimestamp: last time the login attempt failed. failedLoginCount: number of failed loging attempts.

class plaso.parsers.plist_plugins.macos_user.MacOSUserEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS user event data.

fullname

full name.

Type: str

home_directory

path of the home directory.

Type: str

last_login_attempt_time

date and time of the last (failed) login attempt.

Type: dfdatetime.DateTimeValues

last_login_time

date and time of the last login.

Type: dfdatetime.DateTimeValues

last_password_set_time

date and time of the last password set.

Type: dfdatetime.DateTimeValues

number_of_failed_login_attempts

number of failed login attempts.

Type: str

password_hash

password hash.

Type: str

user_identifier

user identifier.

Type: str

username

username.

Type: str

DATA_TYPE = 'macos:user:entry'

class plaso.parsers.plist_plugins.macos_user.MacOSUserPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS user plist files.

DATA_FORMAT = 'MacOS user plist file'

NAME = 'macuser'

PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})

plaso.parsers.plist_plugins.safari_downloads module

Plist parser plugin for Safari Downloads.plist files.

class plaso.parsers.plist_plugins.safari_downloads.SafariDownloadEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari download event data.

end_time

date and time the download was finished.

Type: dfdatetime.DateTimeValues

full_path

full path where the file was downloaded to.

Type: str

received_bytes

number of bytes received while downloading.

Type: int

remove_on_completion

remove the download when completed (done).

Type: bool

start_time

date and time the download was started.

Type: dfdatetime.DateTimeValues

total_bytes

total number of bytes to download.

Type: int

url

URL of the downloaded file.

Type: str

DATA_TYPE = 'safari:downloads:entry'

class plaso.parsers.plist_plugins.safari_downloads.SafariDownloadsPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Safari Downloads.plist files.

DATA_FORMAT = 'Safari Downloads plist file'

NAME = 'safari_downloads'

PLIST_KEYS = frozenset({'DownloadHistory'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.safari_history module

Plist parser plugin for Safari history plist files.

class plaso.parsers.plist_plugins.safari_history.SafariHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari history event data.

display_title

display title of the webpage visited.

Type: str

last_visited_time

date and time the URL was last visited.

Type: dfdatetime.DateTimeValues

title

title of the webpage visited.

Type: str

url

URL visited.

Type: str

visit_count

number of times the website was visited.

Type: int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type: bool

DATA_TYPE = 'safari:history:visit'

class plaso.parsers.plist_plugins.safari_history.SafariHistoryPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Safari history plist files.

DATA_FORMAT = 'Safari history plist file'

NAME = 'safari_history'

PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.software_update module

Plist parser plugin for MacOS software update plist files.

class plaso.parsers.plist_plugins.software_update.MacOSSoftwareUpdateEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS software update event data.

full_update_time

date and time of last full MacOS software update.

Type: dfdatetime.DateTimeValues

recommended_updates

recommended updates.

Type: list[str]

system_version

operating system version.

Type: str

update_time

date and time of last MacOS software update.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'macos:software_updata:entry'

class plaso.parsers.plist_plugins.software_update.MacOSSoftwareUpdatePlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for MacOS software update plist files.

Further details about the extracted fields:

LastFullSuccessfulDate:: timestamp when MacOS was full update.
LastSuccessfulDate:: timestamp when MacOS was partially update.

DATA_FORMAT = 'MacOS software update plist file'

NAME = 'macos_software_update'

PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_searched_terms module

Plist parser plugin for Spotlight searched terms plist files.

Fields within the plist key: com.apple.spotlight.plist, where the name of the key contains the search term.

DISPLAY_NAME: the display name of the program associated. LAST_USED: last time when it was executed. PATH: path of the program associated to the term.

class plaso.parsers.plist_plugins.spotlight_searched_terms.SpotlightSearchedTermsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Spotlight searched terms event data.

display_name

display name.

Type: str

last_used_time

last date and time the search term was last used.

Type: dfdatetime.DateTimeValues

path

path.

Type: str

search_term

search term.

Type: str

DATA_TYPE = 'spotlight_searched_terms:entry'

class plaso.parsers.plist_plugins.spotlight_searched_terms.SpotlightSearchedTermsPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Spotlight searched terms plist files.

DATA_FORMAT = 'Spotlight searched terms plist file'

NAME = 'spotlight'

PLIST_KEYS = frozenset({'UserShortcuts'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_volume module

Plist parser plugin for Spotlight volume configuration plist files.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumeConfigurationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Spotlight volume configuration event data.

creation_time

volume creation date and time.

Type: dfdatetime.DateTimeValues

partial_path

part of the path.

Type: str

volume_identifier

identifier of the volume.

Type: str

DATA_TYPE = 'spotlight_volume_configuration:store'

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumeConfigurationPlistPlugin[source]

Bases: PlistPlugin

Plist parser plugin for Spotlight volume configuration plist files.

DATA_FORMAT = 'Spotlight volume configuration plist file'

NAME = 'spotlight_volume'

PLIST_KEYS = frozenset({'Stores'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.time_machine module

Plist parser plugin for MacOS TimeMachine plist files.

class plaso.parsers.plist_plugins.time_machine.MacOSTimeMachineBackupEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS TimeMachine backup event data.

backup_alias

alias of the backup.

Type: str

destination_identifier

identifier of the destination volume.

Type: str

snapshot_times

dates and times of the creation of backup snaphots.

Type: list[dfdatetime.DateTimeValues]

DATA_TYPE = 'macos:time_machine:backup'

class plaso.parsers.plist_plugins.time_machine.MacOSTimeMachinePlistPlugin[source]

Bases: PlistPlugin, DtFabricHelper

Plist parser plugin for MacOS TimeMachine plist files.

Further details about the extracted fields:

DestinationID:: remote UUID hard disk where the backup is done.
BackupAlias:: structure that contains the extra information from the destinationID.
SnapshotDates:: list of the backup dates.

DATA_FORMAT = 'MacOS TimeMachine plist file'

NAME = 'time_machine'

PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

Module contents

Imports for the plist parser plugins.