plaso.preprocessors package

Submodules

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(knowledge_base, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]

Bases: object

The knowledge base preprocessor plugin interface.

The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

abstract Collect(knowledge_base)[source]

Collects values from the knowledge base.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(knowledge_base, artifact_definition, searcher)[source]

Collects values using a Windows Registry value artifact definition.

Parameters
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

Raises

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.PreprocessPluginsManager[source]

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system)[source]

Collects values from the file system.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromKnowledgeBase(knowledge_base)[source]

Collects values from knowledge base values.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.

classmethod CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)[source]

Collects values from Windows Registry values.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a preprocess plugin class.

Parameters

plugin_class (type) – preprocess plugin class.

Raises
  • KeyError – if plugin class is not set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()[source]

Retrieves the names of the registered artifact definitions.

Returns

registered artifact definitions names.

Return type

list[str]

classmethod RegisterPlugin(plugin_class)[source]

Registers a preprocess plugin class.

Parameters

plugin_class (type) – preprocess plugin class.

Raises
  • KeyError – if plugin class is already set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)[source]

Registers preprocess plugin classes.

Parameters

plugin_classes (list[type]) – preprocess plugin classes.

Raises

KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, knowledge_base)[source]

Runs the preprocessing plugins.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

  • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.

  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

plaso.preprocessors.windows module

This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The allusersdata knowledge base value plugin.

The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.

Collect(knowledge_base)[source]

Collects values from the knowledge base.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The allusersprofile knowledge base value plugin.

The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions.

It is derived from %ProgramData% for versions of Windows (Vista and later) that do not define %AllUsersProfile%.

Collect(knowledge_base)[source]

Collects values from the knowledge base.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %AllUsersProfile% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'

class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows available time zones plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'

class plaso.preprocessors.windows.WindowsCodepagePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows codepage plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsHostnamePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramData% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'

class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The programdata knowledge base value plugin.

The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.

It is derived from %AllUsersProfile% for versions of Windows prior to Vista that do not define %ProgramData%.

Collect(knowledge_base)[source]

Collects values from the knowledge base.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.

Raises

PreProcessFail – if the preprocessing fails.
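
A minimal model of the two knowledge base fallbacks described above (programdata derived from %AllUsersProfile% on pre-Vista images, allusersprofile derived from %ProgramData% on later ones), added here as an illustration and not plaso's own code. ToyKnowledgeBase, derive_fallbacks, expand_path, resolve, the %%environ_allusersprofile%% placeholder spelling and all sample paths are constructed for this example.

```python
import re


class ToyKnowledgeBase:
    """Simplified stand-in for a knowledge base (not plaso's KnowledgeBase)."""

    def __init__(self):
        self._environment = {}

    def get(self, name):
        # Windows environment variable names are case-insensitive.
        return self._environment.get(name.upper())

    def set(self, name, value):
        self._environment[name.upper()] = value


def derive_fallbacks(kb):
    """Fills in whichever of programdata / allusersprofile is missing."""
    programdata = kb.get('programdata')
    allusersprofile = kb.get('allusersprofile')
    if programdata is None and allusersprofile is not None:
        kb.set('programdata', allusersprofile)   # image predates Vista
    elif allusersprofile is None and programdata is not None:
        kb.set('allusersprofile', programdata)   # Vista or later image


_PLACEHOLDER = re.compile(r'%%environ_([a-z0-9_]+)%%', re.IGNORECASE)


def expand_path(kb, path):
    """Expands %%environ_<name>%% placeholders; raises if one is unknown."""
    def _replace(match):
        value = kb.get(match.group(1))
        if value is None:
            # Failing loudly avoids silently skipping an artifact location.
            raise KeyError('unresolved placeholder: ' + match.group(0))
        return value
    # A function replacement is inserted literally, so the backslashes in
    # Windows paths are not treated as regular expression escapes.
    return _PLACEHOLDER.sub(_replace, path)


def resolve(environment, path):
    """Loads constructed variables, applies fallbacks, expands the path."""
    kb = ToyKnowledgeBase()
    for name, value in environment.items():
        kb.set(name, value)
    derive_fallbacks(kb)
    return expand_path(kb, path)
```
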

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'

class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFilesX86% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'

class plaso.preprocessors.windows.WindowsSystemProductPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system product information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsProductName'

class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %SystemRoot% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'

class plaso.preprocessors.windows.WindowsSystemVersionPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system version information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'

class plaso.preprocessors.windows.WindowsTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows time zone plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'

class plaso.preprocessors.windows.WindowsUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows user account plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'

class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %WinDir% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'

Module contents

Preprocessor.