plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Plist parser plugin for Airport plist files.

class plaso.parsers.plist_plugins.airport.AirportPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Airport plist files.

DATA_FORMAT = 'Airport plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Airport entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'airport'
PLIST_KEYS = frozenset({'RememberedNetworks'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.appleaccount module

Plist parser plugin for Apple Account plist files.

class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Apple Account plist files.

Further details about fields within the key:

Accounts: account name. FirstName: first name associated with the account. LastName: family name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated.

DATA_FORMAT = 'Apple account information plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Apple Account entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'apple_id'
PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})

plaso.parsers.plist_plugins.bluetooth module

Plist parser plugin for Bluetooth plist files.

class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Bluetooth plist files.

Additional details about the fields.

LastInquiryUpdate:

Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode. E.g. BT headphone power on. Pairing is not required for a device to be discovered and cached.

LastNameUpdate:

When the human name was last set. Usually done only once during initial setup.

LastServicesUpdate:

Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.

DATA_FORMAT = 'Bluetooth plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant BT entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'macosx_bluetooth'
PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.default module

Default plist parser plugin.

class plaso.parsers.plist_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Default plist parser plugin.

DATA_FORMAT = 'plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Extracts events from the values of entries within a plist.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

NAME = 'plist_default'

plaso.parsers.plist_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format plist parser plugins.

class plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format plist parser plugin defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size

4

units

bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

  • name: y data_type: int32

  • name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

abstract GetEntries(parser_mediator, match=None, top_level=None, **unused_kwargs)[source]

Extracts event objects from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define:

PLIST_PATH_FILTERS = frozenset([

interface.PlistPathFilter(‘com.apple.bluetooth’)])

PLIST_KEYS = frozenset([‘DeviceCache’]).

When a file with this key is encountered during processing self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}’…}]} and needs to implement logic here to extract values, format, and produce the data as a event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/ key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’ time = Date this artifact was created in number of micro seconds

(usec) since January 1, 1970, 00:00:00 UTC.

desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

plaso.parsers.plist_plugins.install_history module

Plist parser plugin for MacOS install history plist files.

class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS install history plist files.

DATA_FORMAT = 'MacOS installation history plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Extracts relevant install history entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

NAME = 'macosx_install_history'
PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.interface module

Interface for plist parser plugins.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename)[source]

Bases: object

The plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters

filename_lower_case (str) – filename of the plist in lower case.

Returns

True if the filename matches the filter.

Return type

bool

class plaso.parsers.plist_plugins.interface.PlistPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

PLIST_PATH_FILTERS

plist path filters that should match for the plugin to process the plist.

Type

set[PlistPathFilter]

PLIST_KEY

keys holding values that are necessary for processing.

Type

set[str]

Please note, PLIST_KEY is case sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing.

For example if a Plist file contains the following keys, {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being keys critical to processing define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

Methods: GetEntries() - extract and format info from keys and yields event.PlistEvent.

abstract GetEntries(parser_mediator, match=None, top_level=None, **unused_kwargs)[source]

Extracts events from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define:

PLIST_PATH_FILTERS = frozenset([

interface.PlistPathFilter(‘com.apple.bluetooth’)])

PLIST_KEYS = frozenset([‘DeviceCache’]).

When a file with this key is encountered during processing self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}’…}]} and needs to implement logic here to extract values, format, and produce the data as a event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/ key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’ time = Date this artifact was created in number of micro seconds

(usec) since January 1, 1970, 00:00:00 UTC.

desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

NAME = 'plist_plugin'
PLIST_KEYS = frozenset({'any'})
PLIST_PATH_FILTERS = frozenset({})
Process(parser_mediator, top_level=None, **kwargs)[source]

Determine if this is the correct plugin; if so proceed with processing.

Process() checks if the current plist being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin.

This function also extracts the required keys as defined in self.PLIST_KEYS from the plist and stores the result in self.match[key] and calls self.GetEntries() which holds the processing logic implemented by the plugin.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

URLS = []
class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename)[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPathFilter

The prefix plist path filter.

Match(filename_lower_case)[source]

Determines if a plist filename matches the filter.

Note that this method does a case insensitive comparison.

Parameters

filename_lower_case (str) – filename of the plist in lower case.

Returns

True if the filename matches the filter.

Return type

bool

plaso.parsers.plist_plugins.ipod module

Plist parser plugin for iPod, iPad and iPhone storage plist files.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData[source]

Bases: plaso.containers.events.EventData

iPod plist event data.

device_id

unique identifier of the iPod device.

Type

str

DATA_TYPE = 'ipod:device:entry'
class plaso.parsers.plist_plugins.ipod.IPodPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for iPod, iPad and iPhone storage plist files.

DATA_FORMAT = 'iPod, iPad and iPhone plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extract device information from the iPod plist.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'ipod_device'
PLIST_KEYS = frozenset({'Devices'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.launchd module

Plist parser plugin for launchd plist files.

class plaso.parsers.plist_plugins.launchd.LaunchdPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for launchd plist files.

Further details about fields within the key:
Label:

the required key for uniquely identifying the launchd service.

Program:

absolute path to the executable. required in the absence of the ProgramArguments key.

ProgramArguments:

command-line flags for the executable. required in the absence of the Program key.

UserName:

the job run as the specified user.

GroupName:

the job run as the specified group.

DATA_FORMAT = 'Launchd plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Extracts launchd information from the plist.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • top_level (Optional[dict[str, object]]) – plist top-level item.

NAME = 'launchd_plist'
PLIST_KEYS = frozenset({'GroupName', 'Label', 'Program', 'ProgramArguments', 'UserName'})

plaso.parsers.plist_plugins.macuser module

Plist parser plugin for MacOS user plist files.

class plaso.parsers.plist_plugins.macuser.MacUserPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS user plist files.

Further details about the extracted fields.
name:

string with the system user.

uid:

user ID.

passwordpolicyoptions:

XML Plist structures with the timestamp.

passwordLastSetTime:

last time the password was changed.

lastLoginTimestamp:

last time the user was authenticated depending on the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (Cocoa zero time representation). If this happens, the event is not yield.

failedLoginTimestamp:

last time the user passwd was incorrectly(*).

failedLoginCount:

times of incorrect passwords.

DATA_FORMAT = 'MacOS user plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant user timestamp entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'macuser'
PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})

plaso.parsers.plist_plugins.safari module

Plist parser plugin for Safari history plist files.

class plaso.parsers.plist_plugins.safari.SafariHistoryEventData[source]

Bases: plaso.containers.events.EventData

Safari history event data.

display_title

display title of the webpage visited.

Type

str

title

title of the webpage visited.

Type

str

url

URL visited.

Type

str

visit_count

number of times the website was visited.

Type

int

was_http_non_get

True if the webpage was visited using a non-GET HTTP request.

Type

bool

DATA_TYPE = 'safari:history:visit'
class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Safari history plist files.

DATA_FORMAT = 'Safari history plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts Safari history items.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'safari_history'
PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.softwareupdate module

Plist parser plugin for MacOS software update plist files.

class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for MacOS software update plist files.

Further details about the extracted fields:
LastFullSuccessfulDate:

timestamp when MacOS was full update.

LastSuccessfulDate:

timestamp when MacOS was partially update.

DATA_FORMAT = 'MacOS software update plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant MacOS update entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'macos_software_update'
PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight module

Plist parser plugin for Spotlight searched terms plist files.

class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Spotlight searched terms plist files.

Further information about extracted fields:
name of the item:

search term.

PATH:

path of the program associated to the term.

LAST_USED:

last time when it was executed.

DISPLAY_NAME:

the display name of the program associated.

DATA_FORMAT = 'Spotlight plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Spotlight entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'spotlight'
PLIST_KEYS = frozenset({'UserShortcuts'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.spotlight_volume module

Plist parser plugin for Spotlight volume configuration plist files.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist parser plugin for Spotlight volume configuration plist files.

DATA_FORMAT = 'Spotlight volume configuration plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Volume Configuration Spotlight entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'spotlight_volume'
PLIST_KEYS = frozenset({'Stores'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

plaso.parsers.plist_plugins.timemachine module

Plist parser plugin for TimeMachine plist files.

class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin[source]

Bases: plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin

Plist parser plugin for TimeMachine plist files.

Further details about the extracted fields:
DestinationID:

remote UUID hard disk where the backup is done.

BackupAlias:

structure that contains the extra information from the destinationID.

SnapshotDates:

list of the backup dates.

DATA_FORMAT = 'TimeMachine plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant TimeMachine entries.

Parameters

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

NAME = 'time_machine'
PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})

Module contents

Imports for the plist parser plugins.