plaso.preprocessors package

Submodules

plaso.preprocessors.generic module

Operating system independent (generic) preprocessor plugins.

class plaso.preprocessors.generic.DetermineOperatingSystemPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

Plugin to determine the operating system.

Collect(mediator, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters:
  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises:

PreProcessFail – if the preprocessing fails.

__init__()[source]

Initializes a plugin to determine the operating system.

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]

Bases: ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(mediator, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters:
  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]

Bases: object

The knowledge base preprocessor plugin interface.

The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

abstract Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]

Bases: ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(mediator, artifact_definition, searcher)[source]

Collects values using a Windows Registry value artifact definition.

Parameters:
  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

Linux preprocessor plugins.

class plaso.preprocessors.linux.LinuxDistributionPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

MacOS preprocessor plugins.

class plaso.preprocessors.macos.MacOSHostnamePlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]

Bases: FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.FileSystemWinRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: WinRegistryFileReader

A file system-based Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters:
  • path (str) – path of the Windows Registry file.

  • ascii_codepage (Optional[str]) – ASCII string codepage.

Returns:

Windows Registry file or None.

Return type:

WinRegistryFile

__init__(file_system, mount_point, environment_variables=None)[source]

Initializes a Windows Registry file reader object.

Parameters:
  • file_system (dfvfs.FileSystem) – file system.

  • mount_point (dfvfs.PathSpec) – mount point path specification.

  • environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.

class plaso.preprocessors.manager.PreprocessPluginsManager[source]

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)[source]

Collects values from the file system.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromKnowledgeBase(mediator)[source]

Collects values from the knowledge base.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

classmethod CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)[source]

Collects values from Windows Registry values.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is not set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()[source]

Retrieves the names of the registered artifact definitions.

Returns:

registered artifact definition names.

Return type:

list[str]

classmethod RegisterPlugin(plugin_class)[source]

Registers a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is already set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)[source]

Registers preprocess plugin classes.

Parameters:

plugin_classes (list[type]) – preprocess plugin classes.

Raises:

KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, mediator)[source]

Runs the preprocessing plugins.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

  • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

plaso.preprocessors.mediator module

The preprocess mediator.

class plaso.preprocessors.mediator.PreprocessMediator(storage_writer)[source]

Bases: object

Preprocess mediator.

code_page

code page.

Type:

str

hostname

hostname.

Type:

HostnameArtifact

language

language.

Type:

str

time_zone

time zone.

Type:

datetime.tzinfo

AddArtifact(artifact_attribute_container)[source]

Adds a pre-processing artifact attribute container.

Parameters:

artifact_attribute_container (ArtifactAttributeContainer) – artifact attribute container.

AddEnvironmentVariable(environment_variable_artifact)[source]

Adds an environment variable.

Parameters:

environment_variable_artifact (EnvironmentVariableArtifact) – environment variable artifact.

Raises:

KeyError – if the environment variable already exists.

AddHostname(hostname_artifact)[source]

Adds a hostname.

Parameters:

hostname_artifact (HostnameArtifact) – hostname artifact.

AddTimeZoneInformation(time_zone_artifact)[source]

Adds a time zone defined by the operating system.

Parameters:

time_zone_artifact (TimeZoneArtifact) – time zone artifact.

Raises:

KeyError – if the time zone already exists.

AddUserAccount(user_account)[source]

Adds a user account.

Parameters:

user_account (UserAccountArtifact) – user account artifact.

Raises:

KeyError – if the user account already exists.

AddWindowsEventLogProvider(windows_eventlog_provider)[source]

Adds a Windows EventLog provider.

Parameters:

windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows EventLog provider.

Raises:

KeyError – if the Windows EventLog provider already exists.

GetEnvironmentVariable(name)[source]

Retrieves an environment variable.

Parameters:

name (str) – name of the environment variable.

Returns:

environment variable artifact or None if there was no value set for the given name.

Return type:

EnvironmentVariableArtifact

GetEnvironmentVariables()[source]

Retrieves the environment variables.

Returns:

environment variable artifacts.

Return type:

list[EnvironmentVariableArtifact]

GetValue(identifier)[source]

Retrieves a value by identifier.

Parameters:

identifier (str) – case-insensitive unique identifier for the value.

Returns:

value or None if not available.

Return type:

object

GetValues()[source]

Retrieves the values.

Returns:

values.

Return type:

list[tuple[str, object]]

ProducePreprocessingWarning(plugin_name, message)[source]

Produces a preprocessing warning.

Parameters:
  • plugin_name (str) – name of the preprocess plugin.

  • message (str) – message of the warning.

Reset()[source]

Resets the values stored in the mediator.

SetCodePage(code_page)[source]

Sets the code page.

Parameters:

code_page (str) – code page.

Raises:

ValueError – if the code page is not supported.

SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters:

file_entry (dfvfs.FileEntry) – file entry.

SetLanguage(language)[source]

Sets the language.

Parameters:

language (str) – language.

Raises:

ValueError – if the language is not supported.

SetTimeZone(time_zone)[source]

Sets the time zone.

Parameters:

time_zone (str) – time zone.

Raises:

ValueError – if the time zone is not supported.

SetValue(identifier, value)[source]

Sets a value by identifier.

Parameters:
  • identifier (str) – case-insensitive unique identifier for the value.

  • value (object) – value.

Raises:

TypeError – if the identifier is not a string type.

__init__(storage_writer)[source]

Initializes a preprocess mediator.

Parameters:

storage_writer (StorageWriter) – storage writer, to store preprocessing information in.

plaso.preprocessors.windows module

Windows preprocessor plugins.

class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The allusersdata knowledge base value plugin.

The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The allusersprofile knowledge base value plugin.

The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions.

It is derived from %ProgramData% for versions of Windows (Vista and later) that do not define %AllUsersProfile%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin[source]

Bases: WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %AllUsersProfile% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'

class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper

The Windows available time zones plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'

class plaso.preprocessors.windows.WindowsCodePagePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows code page plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin.

class plaso.preprocessors.windows.WindowsEventLogPublishersPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows EventLog publishers plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEventLogPublishers'

class plaso.preprocessors.windows.WindowsEventLogSourcesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows EventLog sources plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEventLogSources'

class plaso.preprocessors.windows.WindowsHostnamePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsLanguagePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows language plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsLanguage'

class plaso.preprocessors.windows.WindowsMountedDevicesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper

The Windows mounted devices plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsMountedDevices'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

Windows profile path environment variable artifact preprocessor plugin.

class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin[source]

Bases: WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramData% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'

class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The programdata knowledge base value plugin.

The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.

It is derived from %AllUsersProfile% for versions of Windows prior to Vista that do not define %ProgramData%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]

Bases: WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'

class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin[source]

Bases: WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFilesX86% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'

class plaso.preprocessors.windows.WindowsServicesAndDriversPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows service (and driver) configurations plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsServices'

class plaso.preprocessors.windows.WindowsSystemProductPlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system product information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsProductName'

class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin[source]

Bases: WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %SystemRoot% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'

class plaso.preprocessors.windows.WindowsSystemVersionPlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system version information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'

class plaso.preprocessors.windows.WindowsTimeZonePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows time zone plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'

class plaso.preprocessors.windows.WindowsUserAccountsPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows user account plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'

class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin[source]

Bases: WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %WinDir% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'

Module contents

Preprocessor.