plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Airport plist plugin.

class plaso.parsers.plist_plugins.airport.AirportPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist plugin that extracts WiFi information.

DESCRIPTION = u'Parser for Airport plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Airport entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'airport'
PLIST_KEYS = frozenset([u'RememberedNetworks'])
PLIST_PATH = u'com.apple.airport.preferences.plist'

plaso.parsers.plist_plugins.appleaccount module

Apple Account plist plugin.

class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the apple account information.

Further details about fields within the key:
Accounts: account name. FirstName: first name associated with the account. LastName: family name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated.
DESCRIPTION = u'Parser for Apple account information plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Apple Account entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'apple_id'
PLIST_KEYS = frozenset([u'AuthCertificates', u'Accounts', u'AccessorVersions'])
PLIST_PATH = u'com.apple.coreservices.appleidauthenticationinfo'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Check if it is a valid Apple account plist file name.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.

plaso.parsers.plist_plugins.bluetooth module

Bluetooth plist plugin.

class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract interesting Bluetooth related keys.

Additional details about the fields.

LastInquiryUpdate:
Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode. E.g. BT headphone power on. Pairing is not required for a device to be discovered and cached.
LastNameUpdate:
When the human name was last set. Usually done only once during initial setup.
LastServicesUpdate:
Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu.
DESCRIPTION = u'Parser for Bluetooth plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant BT entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'macosx_bluetooth'
PLIST_KEYS = frozenset([u'DeviceCache', u'PairedDevices'])
PLIST_PATH = u'com.apple.bluetooth.plist'

plaso.parsers.plist_plugins.default module

This file contains a default plist plugin in Plaso.

class plaso.parsers.plist_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract keys with timestamps as values from plists.

DESCRIPTION = u'Parser for plist files.'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Simple method to exact date values from a Plist.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (dict[str, object]) – plist top-level key.
NAME = u'plist_default'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Overwrite the default Process function so it always triggers.

Process() checks if the current plist being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongPlistPlugin.

The purpose of the default plugin is to always trigger on any given plist file, thus it needs to overwrite the default behavior of comparing PATH and KEY.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.

plaso.parsers.plist_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format Registry plugins.

class plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format plist parser plugin defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed
size

4

units

bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32
  • name: y data_type: int32
  • name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

GetEntries(parser_mediator, top_level=None, match=None, **unused_kwargs)[source]

Extracts event objects from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define PLIST_PATH = ‘com.apple.bluetooth’ and PLIST_KEYS = frozenset([‘DeviceCache’]). IMPORTANT: this interface requires exact names and is case sensitive. A unit test based on a real world file is expected for each plist plugin.

When a file with this key is encountered during processing self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}’…}]} and needs to implement logic here to extract values, format, and produce the data as a event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/ key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’ time = Date this artifact was created in number of micro seconds

(usec) since January 1, 1970, 00:00:00 UTC.

desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (Optional[dict[str, object]]) – plist top-level key.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.

plaso.parsers.plist_plugins.install_history module

Install history plist plugin.

class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plist plugin that extracts the installation history.

DESCRIPTION = u'Parser for installation history plist files.'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)[source]

Extracts relevant install history entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (dict[str, object]) – plist top-level key.
NAME = u'macosx_install_history'
PLIST_KEYS = frozenset([u'date', u'displayVersion', u'packageIdentifiers', u'displayName', u'processName'])
PLIST_PATH = u'InstallHistory.plist'

plaso.parsers.plist_plugins.interface module

Plist_interface contains basic interface for plist plugins within Plaso.

Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser.

class plaso.parsers.plist_plugins.interface.PlistPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a plugin.

Attributes: PLIST_PATH - string of the filename the plugin is designed to process. PLIST_KEY - list of keys holding values that are necessary for processing.

Please note, PLIST_KEY is cAse sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing or WrongPlistPlugin is raised.

For example if a Plist file contains the following keys, {‘foo’: 1, ‘bar’: 2, ‘opt’: 3} with ‘foo’ and ‘bar’ being keys critical to processing define PLIST_KEY as [‘foo’, ‘bar’]. If ‘opt’ is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.

Methods: GetEntries() - extract and format info from keys and yields event.PlistEvent.

GetEntries(parser_mediator, top_level=None, match=None, **unused_kwargs)[source]

Extracts event objects from the values of entries within a plist.

This is the main method that a plist plugin needs to implement.

The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as self.matched{‘KEY’: ‘value’}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.

For example if you want to note the timestamps of when devices were LastInquiryUpdated you would need to examine the bluetooth config file called ‘com.apple.bluetooth’ and need to look at devices under the key ‘DeviceCache’. To do this the plugin needs to define PLIST_PATH = ‘com.apple.bluetooth’ and PLIST_KEYS = frozenset([‘DeviceCache’]). IMPORTANT: this interface requires exact names and is case sensitive. A unit test based on a real world file is expected for each plist plugin.

When a file with this key is encountered during processing self.matched is populated and the plugin’s GetEntries() is called. The plugin would have self.matched = {‘DeviceCache’: [{‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}, ‘DE:AD:BE:EF:01’: {‘LastInquiryUpdate’: DateTime_Object}’…}]} and needs to implement logic here to extract values, format, and produce the data as a event.PlistEvent.

The attributes for a PlistEvent should include the following:

root = Root key this event was extracted from. E.g. DeviceCache/ key = Key the value resided in. E.g. ‘DE:AD:BE:EF:01’ time = Date this artifact was created in number of micro seconds

(usec) since January 1, 1970, 00:00:00 UTC.

desc = Short description. E.g. ‘Device LastInquiryUpdated’

See plist/bluetooth.py for the implemented example plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • top_level (Optional[dict[str, object]]) – plist top-level key.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'plist_plugin'
PLIST_KEYS = frozenset([u'any'])
PLIST_PATH = u'any'
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Determine if this is the correct plugin; if so proceed with processing.

Process() checks if the current plist being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongPlistPlugin.

This function also extracts the required keys as defined in self.PLIST_KEYS from the plist and stores the result in self.match[key] and calls self.GetEntries() which holds the processing logic implemented by the plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.
Raises:
  • WrongPlistPlugin – If this plugin is not able to process the given file.
  • ValueError – If top_level or plist_name are not set.
URLS = []
plaso.parsers.plist_plugins.interface.RecurseKey(recur_item, depth=15, key_path=u'')[source]

Flattens nested dictionaries and lists by yielding it’s values.

The hierarchy of a plist file is a series of nested dictionaries and lists. This is a helper function helps plugins navigate the structure without having to reimplement their own recursive methods.

This method implements an overridable depth limit to prevent processing extremely deeply nested plists. If the limit is reached a debug message is logged indicating which key processing stopped on.

Example Input Plist:
recur_item = { DeviceRoot: { DeviceMAC1: [Value1, Value2, Value3],
DeviceMAC2: [Value1, Value2, Value3]}}
Example Output:
(‘’, DeviceRoot, {DeviceMACs…}) (DeviceRoot, DeviceMAC1, [Value1, Value2, Value3]) (DeviceRoot, DeviceMAC2, [Value1, Value2, Value3])
Parameters:
  • recur_item – An object to be checked for additional nested items.
  • depth – Optional integer indication the current recursion depth. This value is used to ensure we stop at the maximum recursion depth.
  • key_path – Optional path of the current working key.
Yields:

A tuple of the key path, key, and value from a plist.

plaso.parsers.plist_plugins.ipod module

This file contains a plist plugin for the iPod/iPhone storage plist.

class plaso.parsers.plist_plugins.ipod.IPodPlistEventData[source]

Bases: plaso.containers.events.EventData

iPod plist event data.

device_id

str – unique identifier of the iPod device.

DATA_TYPE = u'ipod:device:entry'
class plaso.parsers.plist_plugins.ipod.IPodPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plugin to extract iPod/iPad/iPhone device information.

DESCRIPTION = u'Parser for iPod, iPad and iPhone plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extract device information from the iPod plist.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'ipod_device'
PLIST_KEYS = frozenset([u'Devices'])
PLIST_PATH = u'com.apple.iPod.plist'

plaso.parsers.plist_plugins.macuser module

This file contains the MacOS user plist plugin.

class plaso.parsers.plist_plugins.macuser.MacUserPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract timestamp Mac user information.

Further details about the extracted fields.
name:
string with the system user.
uid:
user ID.
passwordpolicyoptions:
XML Plist structures with the timestamp.
passwordLastSetTime:
last time the password was changed.
lastLoginTimestamp:
last time the user was authenticated depending on the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (COCAO zero time representation). If this happens, the event is not yield.
failedLoginTimestamp:
last time the user passwd was incorrectly(*).
failedLoginCount:
times of incorrect passwords.
DESCRIPTION = u'Parser for MacOS user plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant user timestamp entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'macuser'
PLIST_KEYS = frozenset([u'passwordpolicyoptions', u'home', u'ShadowHashData', u'name', u'uid'])
Process(parser_mediator, plist_name, top_level, **kwargs)[source]

Check if it is a valid MacOS system account plist file name.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • plist_name (str) – name of the plist.
  • top_level (dict[str, object]) – plist top-level key.

plaso.parsers.plist_plugins.safari module

This file contains a default plist plugin in Plaso.

class plaso.parsers.plist_plugins.safari.SafariHistoryEventData[source]

Bases: plaso.containers.events.EventData

Safari history event data.

display_title

str – display title of the webpage visited.

title

str – title of the webpage visited.

url

str – URL visited.

visit_count

int – number of times the website was visited.

was_http_non_get

bool – True if the webpage was visited using a non-GET HTTP request.

DATA_TYPE = u'safari:history:visit'
class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Plugin to extract Safari history timestamps.

DESCRIPTION = u'Parser for Safari history plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts Safari history items.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'safari_history'
PLIST_KEYS = frozenset([u'WebHistoryFileVersion', u'WebHistoryDates'])
PLIST_PATH = u'History.plist'

plaso.parsers.plist_plugins.softwareupdate module

Software update plist plugin.

class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the MacOS update status.

Further details about the extracted fields:
LastFullSuccessfulDate:
timestamp when MacOS was full update.
LastSuccessfulDate:
timestamp when MacOS was partially update.
DESCRIPTION = u'Parser for MacOS software update plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant MacOS update entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'maxos_software_update'
PLIST_KEYS = frozenset([u'LastUpdatesAvailable', u'LastRecommendedUpdatesAvailable', u'RecommendedUpdates', u'LastFullSuccessfulDate', u'LastAttemptSystemVersion', u'LastSuccessfulDate'])
PLIST_PATH = u'com.apple.SoftwareUpdate.plist'

plaso.parsers.plist_plugins.spotlight module

Spotlight searched terms plist plugin.

class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract information from Spotlight plist file.

Further information about extracted fields:
name of the item:
search term.
PATH:
path of the program associated to the term.
LAST_USED:
last time when it was executed.
DISPLAY_NAME:
the display name of the program associated.
DESCRIPTION = u'Parser for Spotlight plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Spotlight entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'spotlight'
PLIST_KEYS = frozenset([u'UserShortcuts'])
PLIST_PATH = u'com.apple.spotlight.plist'

plaso.parsers.plist_plugins.spotlight_volume module

Spotlight Volume Configuration plist plugin.

class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin[source]

Bases: plaso.parsers.plist_plugins.interface.PlistPlugin

Basic plugin to extract the Spotlight Volume Configuration.

DESCRIPTION = u'Parser for Spotlight volume configuration plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant Volume Configuration Spotlight entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'spotlight_volume'
PLIST_KEYS = frozenset([u'Stores'])
PLIST_PATH = u'VolumeConfiguration.plist'

plaso.parsers.plist_plugins.timemachine module

TimeMachine plist plugin.

class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin[source]

Bases: plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin

Basic plugin to extract time machine hard disk and the backups.

Further details about the extracted fields:
DestinationID:
remote UUID hard disk where the backup is done.
BackupAlias:
structure that contains the extra information from the destinationID.
SnapshotDates:
list of the backup dates.
DESCRIPTION = u'Parser for TimeMachine plist files.'
GetEntries(parser_mediator, match=None, **unused_kwargs)[source]

Extracts relevant TimeMachine entries.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • (Optional[dict[str (match) – object]]): keys extracted from PLIST_KEYS.
NAME = u'time_machine'
PLIST_KEYS = frozenset([u'RootVolumeUUID', u'Destinations'])
PLIST_PATH = u'com.apple.TimeMachine.plist'

Module contents

Imports for the plist parser.