plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Plist parser plugin for Airport plist files.

class plaso.parsers.plist_plugins.airport.AirportPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Airport plist files.

DATA_FORMAT = 'Airport plist file'

NAME = 'airport'

PLIST_KEYS = frozenset({'RememberedNetworks'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.appleaccount module

Plist parser plugin for Apple Account plist files.

class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Apple Account plist files.

Further details about fields within the key:

Accounts: account name. FirstName: first name associated with the account. LastName: family name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated.

DATA_FORMAT = 'Apple account information plist file'

NAME = 'apple_id'

PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})

plaso.parsers.plist_plugins.bluetooth module

Plist parser plugin for Bluetooth plist files.

class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Bluetooth plist files.

Additional details about the fields.

LastInquiryUpdate:

Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode. E.g. BT headphone power on. Pairing is not required for a device to be discovered and cached.

LastNameUpdate:

When the human name was last set. Usually done only once during initial setup.

LastServicesUpdate:

Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.

DATA_FORMAT = 'Bluetooth plist file'

NAME = 'macosx_bluetooth'

PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.default module

Default plist parser plugin.

class plaso.parsers.plist_plugins.default.DefaultPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Default plist parser plugin.

DATA_FORMAT = 'plist file'

NAME = 'plist_default'

plaso.parsers.plist_plugins.install_history module

Plist parser plugin for MacOS install history plist files.

class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS install history plist files.

DATA_FORMAT = 'MacOS installation history plist file'

NAME = 'macosx_install_history'

PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.interface module

Interface for plist parser plugins.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename)

Bases: object

The plist path filter.

Match(filename_lower_case)

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters

filename_lower_case (str) – filename of the plist in lower case.

Returns

True if the filename matches the filter.

Return type

bool

class plaso.parsers.plist_plugins.interface.PlistPlugin

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

PLIST_PATH_FILTERS

plist path filters that should match for the plugin to process the plist.

Type

set[PlistPathFilter]

PLIST_KEY

keys holding values that are necessary for processing.

Type

set[str]

Please note, PLIST_KEY is case sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing.

For example if a Plist file contains the following keys, {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being keys critical to processing define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

NAME = 'plist_plugin'

PLIST_KEYS = frozenset({'any'})

PLIST_PATH_FILTERS = frozenset({})

Process(parser_mediator, top_level=None, **kwargs)

Extracts events from a plist file.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

• top_level (Optional[dict[str, object]]) – plist top-level item.

class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename)

Bases: plaso.parsers.plist_plugins.interface.PlistPathFilter

The prefix plist path filter.

Match(filename_lower_case)

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters

filename_lower_case (str) – filename of the plist in lower case.

Returns

True if the filename matches the filter.

Return type

bool

plaso.parsers.plist_plugins.ipod module

Plist parser plugin for iPod, iPad and iPhone storage plist files.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData

Bases: plaso.containers.events.EventData

iPod plist event data.

device_id

unique identifier of the iPod device.

Type

str

DATA_TYPE = 'ipod:device:entry'

class plaso.parsers.plist_plugins.ipod.IPodPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for iPod, iPad and iPhone storage plist files.

DATA_FORMAT = 'iPod, iPad and iPhone plist file'

NAME = 'ipod_device'

PLIST_KEYS = frozenset({'Devices'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.launchd module

Plist parser plugin for launchd plist files.

class plaso.parsers.plist_plugins.launchd.LaunchdPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for launchd plist files.

Further details about fields within the key:

Label:

the required key for uniquely identifying the launchd service.

Program:

absolute path to the executable. required in the absence of the ProgramArguments key.

ProgramArguments:

command-line flags for the executable. required in the absence of the Program key.

UserName:

the job run as the specified user.

GroupName:

the job run as the specified group.

DATA_FORMAT = 'Launchd plist file'

NAME = 'launchd_plist'

PLIST_KEYS = frozenset({'GroupName', 'Label', 'Program', 'ProgramArguments', 'UserName'})

plaso.parsers.plist_plugins.macuser module

Plist parser plugin for MacOS user plist files.

class plaso.parsers.plist_plugins.macuser.MacUserPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS user plist files.

Further details about the extracted fields.

name:

string with the system user.

uid:

user ID.

passwordpolicyoptions:

XML Plist structures with the timestamp.

passwordLastSetTime:

last time the password was changed.

lastLoginTimestamp:

last time the user was authenticated depending on the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (Cocoa zero time representation). If this happens, the event is not yield.

failedLoginTimestamp:

last time the user passwd was incorrectly(*).

failedLoginCount:

times of incorrect passwords.

DATA_FORMAT = 'MacOS user plist file'

NAME = 'macuser'

PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})

plaso.parsers.plist_plugins.safari module

Plist parser plugin for Safari history plist files.

class plaso.parsers.plist_plugins.safari.SafariHistoryEventData

Bases: plaso.containers.events.EventData

Safari history event data.

display_title

display title of the webpage visited.

Type

str

title

title of the webpage visited.

Type

str

url

URL visited.

Type

str

visit_count

number of times the website was visited.

Type

int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type

bool

DATA_TYPE = 'safari:history:visit'

class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Safari history plist files.

DATA_FORMAT = 'Safari history plist file'

NAME = 'safari_history'

PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.softwareupdate module

Plist parser plugin for MacOS software update plist files.

class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS software update plist files.

Further details about the extracted fields:

LastFullSuccessfulDate:

timestamp when MacOS was full update.

LastSuccessfulDate:

timestamp when MacOS was partially update.

DATA_FORMAT = 'MacOS software update plist file'

NAME = 'macos_software_update'

PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight module

Plist parser plugin for Spotlight searched terms plist files.

class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Spotlight searched terms plist files.

Further information about extracted fields:

name of the item:

search term.

PATH:

path of the program associated to the term.

LAST_USED:

last time when it was executed.

DISPLAY_NAME:

the display name of the program associated.

DATA_FORMAT = 'Spotlight plist file'

NAME = 'spotlight'

PLIST_KEYS = frozenset({'UserShortcuts'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_volume module

Plist parser plugin for Spotlight volume configuration plist files.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Spotlight volume configuration plist files.

DATA_FORMAT = 'Spotlight volume configuration plist file'

NAME = 'spotlight_volume'

PLIST_KEYS = frozenset({'Stores'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.timemachine module

Plist parser plugin for TimeMachine plist files.

class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Plist parser plugin for TimeMachine plist files.

Further details about the extracted fields:

DestinationID:

remote UUID hard disk where the backup is done.

BackupAlias:

structure that contains the extra information from the destinationID.

SnapshotDates:

list of the backup dates.

DATA_FORMAT = 'TimeMachine plist file'

NAME = 'time_machine'

PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'})

PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

Module contents

Imports for the plist parser plugins.