plaso.preprocessors package
Submodules
plaso.preprocessors.generic module
Operating system independent (generic) preprocessor plugins.
- class plaso.preprocessors.generic.DetermineOperatingSystemPlugin[source]
Bases:
FileSystemArtifactPreprocessorPlugin
Plugin to determine the operating system.
- Collect(mediator, artifact_definition, searcher, file_system)[source]
Collects values using a file artifact definition.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.
- Raises:
PreProcessFail – if the preprocessing fails.
plaso.preprocessors.interface module
This file contains classes used for preprocessing in plaso.
- class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]
Bases:
object
The artifact preprocessor plugin interface.
The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.
- ARTIFACT_DEFINITION_NAME = None
- class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]
Bases:
FileEntryArtifactPreprocessorPlugin
File artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.
- class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]
Bases:
FileSystemArtifactPreprocessorPlugin
File entry artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.
- class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]
Bases:
ArtifactPreprocessorPlugin
File system artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.
- Collect(mediator, artifact_definition, searcher, file_system)[source]
Collects values using a file artifact definition.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.
- Raises:
PreProcessFail – if the preprocessing fails.
- class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]
Bases:
object
The knowledge base preprocessor plugin interface.
The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.
- abstract Collect(mediator)[source]
Collects values from the knowledge base.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
- Raises:
PreProcessFail – if the preprocessing fails.
- class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]
Bases:
ArtifactPreprocessorPlugin
Windows Registry key artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.
- Collect(mediator, artifact_definition, searcher)[source]
Collects values using a Windows Registry value artifact definition.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
- Raises:
PreProcessFail – if the Windows Registry key or value cannot be read.
- class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
Windows Registry value artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.
plaso.preprocessors.linux module
Linux preprocessor plugins.
- class plaso.preprocessors.linux.LinuxDistributionPlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux distribution plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'
- class plaso.preprocessors.linux.LinuxHostnamePlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux hostname plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'
- class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux issue file plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'
- class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux standard base (LSB) release plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'
- class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux systemd operating system release plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'
- class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]
Bases:
FileEntryArtifactPreprocessorPlugin
Linux time zone plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'
- class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]
Bases:
FileArtifactPreprocessorPlugin
The Linux user accounts plugin.
- ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'
plaso.preprocessors.logger module
The preprocessors sub module logger.
plaso.preprocessors.macos module
MacOS preprocessor plugins.
- class plaso.preprocessors.macos.MacOSHostnamePlugin[source]
Bases:
PlistFileArtifactPreprocessorPlugin
MacOS hostname plugin.
- ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'
- class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]
Bases:
PlistFileArtifactPreprocessorPlugin
MacOS keyboard layout plugin.
- ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'
- class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]
Bases:
PlistFileArtifactPreprocessorPlugin
MacOS system version information plugin.
- ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'
- class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]
Bases:
FileEntryArtifactPreprocessorPlugin
MacOS time zone plugin.
- ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'
- class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]
Bases:
FileEntryArtifactPreprocessorPlugin
MacOS user accounts plugin.
- ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'
- class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]
Bases:
FileArtifactPreprocessorPlugin
Plist file artifact preprocessor plugin interface.
Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.
plaso.preprocessors.manager module
The preprocess plugins manager.
- class plaso.preprocessors.manager.FileSystemWinRegistryFileReader(*args: Any, **kwargs: Any)[source]
Bases:
WinRegistryFileReader
A file system-based Windows Registry file reader.
- Open(path, ascii_codepage='cp1252')[source]
Opens the Windows Registry file specified by the path.
- Parameters:
path (str) – path of the Windows Registry file.
ascii_codepage (Optional[str]) – ASCII string codepage.
- Returns:
Windows Registry file or None.
- Return type:
WinRegistryFile
- __init__(file_system, mount_point, environment_variables=None)[source]
Initializes a Windows Registry file reader object.
- Parameters:
file_system (dfvfs.FileSystem) – file system.
mount_point (dfvfs.PathSpec) – mount point path specification.
environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
- class plaso.preprocessors.manager.PreprocessPluginsManager[source]
Bases:
object
Preprocess plugins manager.
- classmethod CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)[source]
Collects values from the file system.
- Parameters:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.
- classmethod CollectFromKnowledgeBase(mediator)[source]
Collects values from knowledge base values.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
- classmethod CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)[source]
Collects values from Windows Registry values.
- Parameters:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
- classmethod DeregisterPlugin(plugin_class)[source]
Deregisters a preprocess plugin class.
- Parameters:
plugin_class (type) – preprocess plugin class.
- Raises:
KeyError – if plugin class is not set for the corresponding name.
TypeError – if the source type of the plugin class is not supported.
- classmethod GetNames()[source]
Retrieves the names of the registered artifact definitions.
- Returns:
registered artifact definitions names.
- Return type:
list[str]
- classmethod RegisterPlugin(plugin_class)[source]
Registers a preprocess plugin class.
- Parameters:
plugin_class (type) – preprocess plugin class.
- Raises:
KeyError – if plugin class is already set for the corresponding name.
TypeError – if the source type of the plugin class is not supported.
- classmethod RegisterPlugins(plugin_classes)[source]
Registers preprocess plugin classes.
- Parameters:
plugin_classes (list[type]) – preprocess plugin classes.
- Raises:
KeyError – if plugin class is already set for the corresponding name.
- classmethod RunPlugins(artifacts_registry, file_system, mount_point, mediator)[source]
Runs the preprocessing plugins.
- Parameters:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
file_system (dfvfs.FileSystem) – file system to be preprocessed.
mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
plaso.preprocessors.mediator module
The preprocess mediator.
- class plaso.preprocessors.mediator.PreprocessMediator(storage_writer)[source]
Bases:
object
Preprocess mediator.
- code_page
code page.
- Type:
str
- hostname
hostname.
- Type:
- language
language.
- Type:
str
- time_zone
time zone.
- Type:
datetime.tzinfo
- AddArtifact(artifact_attribute_container)[source]
Adds a pre-processing artifact attribute container.
- Parameters:
artifact_attribute_container (ArtifactAttributeContainer) – artifact attribute container.
- AddEnvironmentVariable(environment_variable_artifact)[source]
Adds an environment variable.
- Parameters:
environment_variable_artifact (EnvironmentVariableArtifact) – environment variable artifact.
- Raises:
KeyError – if the environment variable already exists.
- AddHostname(hostname_artifact)[source]
Adds a hostname.
- Parameters:
hostname_artifact (HostnameArtifact) – hostname artifact.
- AddTimeZoneInformation(time_zone_artifact)[source]
Adds a time zone defined by the operating system.
- Parameters:
time_zone_artifact (TimeZoneArtifact) – time zone artifact.
- Raises:
KeyError – if the time zone already exists.
- AddUserAccount(user_account)[source]
Adds a user account.
- Parameters:
user_account (UserAccountArtifact) – user account artifact.
- Raises:
KeyError – if the user account already exists.
- AddWindowsEventLogProvider(windows_eventlog_provider)[source]
Adds a Windows EventLog provider.
- Parameters:
windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows EventLog provider.
- Raises:
KeyError – if the Windows EventLog provider already exists.
- GetEnvironmentVariable(name)[source]
Retrieves an environment variable.
- Parameters:
name (str) – name of the environment variable.
- Returns:
environment variable artifact or None if there was no value set for the given name.
- Return type:
- GetEnvironmentVariables()[source]
Retrieves the environment variables.
- Returns:
environment variable artifacts.
- Return type:
- GetValue(identifier)[source]
Retrieves a value by identifier.
- Parameters:
identifier (str) – case insensitive unique identifier for the value.
- Returns:
value or None if not available.
- Return type:
object
- ProducePreprocessingWarning(plugin_name, message)[source]
Produces a preprocessing warning.
- Parameters:
plugin_name (str) – name of the preprocess plugin.
message (str) – message of the warning.
- SetCodePage(code_page)[source]
Sets the code page.
- Parameters:
code_page (str) – code page.
- Raises:
ValueError – if the code page is not supported.
- SetFileEntry(file_entry)[source]
Sets the active file entry.
- Parameters:
file_entry (dfvfs.FileEntry) – file entry.
- SetLanguage(language)[source]
Sets the language.
- Parameters:
language (str) – language.
- Raises:
ValueError – if the language is not supported.
- SetTimeZone(time_zone)[source]
Sets the time zone.
- Parameters:
time_zone (str) – time zone.
- Raises:
ValueError – if the time zone is not supported.
- SetValue(identifier, value)[source]
Sets a value by identifier.
- Parameters:
identifier (str) – case insensitive unique identifier for the value.
value (object) – value.
- Raises:
TypeError – if the identifier is not a string type.
- __init__(storage_writer)[source]
Initializes a preprocess mediator.
- Parameters:
storage_writer (StorageWriter) – storage writer, to store preprocessing information in.
plaso.preprocessors.windows module
Windows preprocessor plugins.
- class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin[source]
Bases:
KnowledgeBasePreprocessorPlugin
The allusersdata knowledge base value plugin.
The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.
- Collect(mediator)[source]
Collects values from the knowledge base.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
- Raises:
PreProcessFail – if the preprocessing fails.
- class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin[source]
Bases:
KnowledgeBasePreprocessorPlugin
The allusersprofile knowledge base value plugin.
The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions.
It is derived from %ProgramData% for versions of Windows (Vista and later) that do not define %AllUsersProfile%.
- Collect(mediator)[source]
Collects values from the knowledge base.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
- Raises:
PreProcessFail – if the preprocessing fails.
- class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin[source]
Bases:
WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %AllUsersProfile% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'
- class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper
The Windows available time zones plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'
- class plaso.preprocessors.windows.WindowsCodePagePlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows code page plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'
- class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
Windows environment variable artifact preprocessor plugin.
- class plaso.preprocessors.windows.WindowsEventLogPublishersPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows EventLog publishers plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEventLogPublishers'
- class plaso.preprocessors.windows.WindowsEventLogSourcesPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows EventLog sources plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEventLogSources'
- class plaso.preprocessors.windows.WindowsHostnamePlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows hostname plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'
- class plaso.preprocessors.windows.WindowsLanguagePlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows language plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsLanguage'
- class plaso.preprocessors.windows.WindowsMountedDevicesPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper
The Windows mounted devices plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsMountedDevices'
- class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]
Bases:
FileSystemArtifactPreprocessorPlugin
Windows path environment variable plugin interface.
- class plaso.preprocessors.windows.WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
Windows profile path environment variable artifact preprocessor plugin.
- class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin[source]
Bases:
WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramData% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'
- class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin[source]
Bases:
KnowledgeBasePreprocessorPlugin
The programdata knowledge base value plugin.
The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.
It is derived from %AllUsersProfile% for versions of Windows prior to Vista that do not define %ProgramData%.
- Collect(mediator)[source]
Collects values from the knowledge base.
- Parameters:
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
- Raises:
PreProcessFail – if the preprocessing fails.
- class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]
Bases:
WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFiles% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'
- class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin[source]
Bases:
WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFilesX86% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'
- class plaso.preprocessors.windows.WindowsServicesAndDriversPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows service (and driver) configurations plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsServices'
- class plaso.preprocessors.windows.WindowsSystemProductPlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system product information plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsProductName'
- class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin[source]
Bases:
WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %SystemRoot% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'
- class plaso.preprocessors.windows.WindowsSystemVersionPlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system version information plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'
- class plaso.preprocessors.windows.WindowsTimeZonePlugin[source]
Bases:
WindowsRegistryValueArtifactPreprocessorPlugin
The Windows time zone plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'
- class plaso.preprocessors.windows.WindowsUserAccountsPlugin[source]
Bases:
WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows user account plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'
- class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin[source]
Bases:
WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %WinDir% environment variable plugin.
- ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'
Module contents
Preprocessor.