plaso.preprocessors package

Submodules

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None
class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(mediator, artifact_definition, searcher, file_system)[source]

Collects values using a file system artifact definition.

Parameters
  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]

Bases: object

The knowledge base preprocessor plugin interface.

The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

abstract Collect(mediator)[source]

Collects values from the knowledge base.

Parameters

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(mediator, artifact_definition, searcher)[source]

Collects values using a Windows Registry key or value artifact definition.

Parameters
  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

Raises

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'
class plaso.preprocessors.linux.LinuxHostnamePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'
class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'
class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'
class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'
class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'
class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'
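The plugins above are thin: each names an artifact definition and leaves the file handling to the shared base class, so the real work is turning the file content into knowledge base values. The following is an added example, not plaso's LinuxUserAccountsPlugin, showing what a 'LinuxPasswdFile' plugin has to cope with in a real /etc/passwd: comment and blank lines, GECOS sub-fields, a truncated entry and a duplicate username. The UserAccount and Mediator classes and the sample data are constructed stand-ins; the duplicate check mirrors the documented behaviour of PreprocessMediator.AddUserAccount (KeyError if the user account already exists).

```python
"""Parse /etc/passwd content into user account records, as a file artifact
preprocessor for 'LinuxPasswdFile' has to.

Added example, not plaso's LinuxUserAccountsPlugin. UserAccount, Mediator and
the sample passwd data are constructed stand-ins; the duplicate check follows
the documented behaviour of PreprocessMediator.AddUserAccount (KeyError if the
user account already exists).
"""
from dataclasses import dataclass

# Constructed sample: comment and blank lines, a GECOS field with sub-fields,
# a truncated line and a duplicate username, all of which real images contain.
SAMPLE_PASSWD = b"""# system accounts
root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/zsh
broken:x:1001
alice:x:1002:1002:Second Alice:/home/alice2:/bin/sh
"""


class PreProcessFail(Exception):
    """A line could not be parsed into a user account."""


@dataclass(frozen=True)
class UserAccount:
    username: str
    identifier: str
    group_identifier: str
    full_name: str
    user_directory: str
    shell: str


class Mediator:
    """Stand-in for PreprocessMediator: rejects a second account with the same username."""

    def __init__(self):
        self.user_accounts = {}
        self.warnings = []

    def AddUserAccount(self, user_account):
        if user_account.username in self.user_accounts:
            raise KeyError(f'user account already exists: {user_account.username}')
        self.user_accounts[user_account.username] = user_account

    def ProducePreprocessingWarning(self, plugin_name, message):
        self.warnings.append((plugin_name, message))


def ParsePasswdLine(line):
    """Splits one passwd entry; the password field is skipped (hashes live in /etc/shadow)."""
    fields = line.split(':')
    if len(fields) != 7:
        raise PreProcessFail(f'expected 7 fields, got {len(fields)}')
    username, _, uid, gid, gecos, home, shell = fields
    if not (username and uid.isdigit() and gid.isdigit()):
        raise PreProcessFail('missing username or non-numeric uid/gid')
    # Only the first GECOS sub-field is the full name; the rest are room/phone fields.
    return UserAccount(username, uid, gid, gecos.split(',')[0], home, shell)


def CollectUserAccounts(mediator, data, plugin_name='LinuxPasswdFile'):
    """Feeds every parsable entry to the mediator; bad lines and duplicates become warnings."""
    for number, line in enumerate(data.decode('utf-8', errors='replace').splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            mediator.AddUserAccount(ParsePasswdLine(line))
        except (PreProcessFail, KeyError) as exception:
            mediator.ProducePreprocessingWarning(plugin_name, f'line {number}: {exception}')
    return mediator
```

A malformed or duplicated entry is recorded as a preprocessing warning with its line number rather than aborting the run, so the remaining accounts still reach the knowledge base and the analyst can see which lines were skipped.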

plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'
class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'
class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'
class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'
class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'
class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.FileSystemWinRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: dfwinreg.interface.

A file system-based Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters
  • path (str) – path of the Windows Registry file.

  • ascii_codepage (Optional[str]) – ASCII string codepage.

Returns

Windows Registry file or None.

Return type

WinRegistryFile

class plaso.preprocessors.manager.PreprocessPluginsManager[source]

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)[source]

Collects values from the file system.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromKnowledgeBase(mediator)[source]

Collects values from knowledge base values.

Parameters

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

classmethod CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)[source]

Collects values from Windows Registry values.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a preprocess plugin class.

Parameters

plugin_class (type) – preprocess plugin class.

Raises
  • KeyError – if plugin class is not set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()[source]

Retrieves the names of the registered artifact definitions.

Returns

registered artifact definitions names.

Return type

list[str]

classmethod RegisterPlugin(plugin_class)[source]

Registers a preprocess plugin class.

Parameters

plugin_class (type) – preprocess plugin class.

Raises
  • KeyError – if plugin class is already set for the corresponding name.

  • TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)[source]

Registers preprocess plugin classes.

Parameters

plugin_classes (list[type]) – preprocess plugin classes.

Raises

KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, mediator)[source]

Runs the preprocessing plugins.

Parameters
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.

  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

  • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.

  • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
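The manager methods above describe a contract (plugins keyed by artifact definition name, KeyError on a duplicate registration, TypeError for an unsupported plugin type, a warning rather than an abort when one plugin cannot collect) without showing it in motion. The following is an added, self-contained model of that contract, not plaso's own manager: the method names follow the documentation, but the plugin base class, the artifact registry (a dict of name to definition), the glob searcher, the in-memory file system and the mediator are simplified stand-ins constructed for this example.

```python
"""Model of the preprocess plugin manager's registration and dispatch contract.

Added illustration, not plaso code: method names mirror the documented manager,
but the plugin base, artifact registry, searcher, file system and mediator are
simplified stand-ins constructed for this example.
"""
import fnmatch


class PreProcessFail(Exception):
    """A plugin could not complete its preprocessing step."""


class FileSystemArtifactPreprocessorPlugin:
    """Plugin driven by the artifact definition named in ARTIFACT_DEFINITION_NAME."""
    ARTIFACT_DEFINITION_NAME = None

    def Collect(self, mediator, artifact_definition, searcher, file_system):
        raise NotImplementedError


class PreprocessPluginsManager:
    """Keys file system artifact plugins by their artifact definition name."""
    _file_system_plugins = {}

    @classmethod
    def _GetArtifactName(cls, plugin_class):
        if not issubclass(plugin_class, FileSystemArtifactPreprocessorPlugin):
            raise TypeError(f'unsupported plugin source type: {plugin_class.__name__}')
        return plugin_class.ARTIFACT_DEFINITION_NAME

    @classmethod
    def RegisterPlugin(cls, plugin_class):
        name = cls._GetArtifactName(plugin_class)
        if name in cls._file_system_plugins:
            raise KeyError(f'plugin already registered for: {name}')
        cls._file_system_plugins[name] = plugin_class

    @classmethod
    def DeregisterPlugin(cls, plugin_class):
        name = cls._GetArtifactName(plugin_class)
        if name not in cls._file_system_plugins:
            raise KeyError(f'no plugin registered for: {name}')
        del cls._file_system_plugins[name]

    @classmethod
    def GetNames(cls):
        return sorted(cls._file_system_plugins)

    @classmethod
    def CollectFromFileSystem(cls, artifacts_registry, mediator, searcher, file_system):
        # A missing definition or a PreProcessFail becomes a warning; other plugins still run.
        for name, plugin_class in cls._file_system_plugins.items():
            definition = artifacts_registry.get(name)
            if definition is None:
                mediator.ProducePreprocessingWarning(name, 'artifact definition not found')
                continue
            try:
                plugin_class().Collect(mediator, definition, searcher, file_system)
            except PreProcessFail as exception:
                mediator.ProducePreprocessingWarning(name, str(exception))


class Mediator:
    """Stand-in for PreprocessMediator: a knowledge base dict plus collected warnings."""

    def __init__(self):
        self.knowledge_base = {}
        self.warnings = []

    def ProducePreprocessingWarning(self, plugin_name, message):
        self.warnings.append((plugin_name, message))


class HostnamePlugin(FileSystemArtifactPreprocessorPlugin):
    """Stores the first non-empty line of the first path the searcher resolves."""
    ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

    def Collect(self, mediator, artifact_definition, searcher, file_system):
        for pattern in artifact_definition['paths']:
            for path in searcher(pattern, file_system):
                lines = file_system[path].decode('utf-8', errors='replace').splitlines()
                if lines and lines[0].strip():
                    mediator.knowledge_base['hostname'] = lines[0].strip()
                    return
        raise PreProcessFail('no usable hostname file in the image')


class IssueFilePlugin(FileSystemArtifactPreprocessorPlugin):
    ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'  # deliberately absent from the demo registry


def GlobSearcher(pattern, file_system):
    """Constructed searcher: glob-matches an artifact path against the fake file system."""
    return sorted(path for path in file_system if fnmatch.fnmatch(path, pattern))


def RunDemo():
    """Registers two plugins, preprocesses a constructed image and returns the mediator."""
    PreprocessPluginsManager._file_system_plugins.clear()
    PreprocessPluginsManager.RegisterPlugin(HostnamePlugin)
    PreprocessPluginsManager.RegisterPlugin(IssueFilePlugin)
    artifacts_registry = {'LinuxHostnameFile': {'paths': ['/etc/hostname']}}
    file_system = {'/etc/hostname': b'forensic-ws01\n', '/etc/issue': b'Debian GNU/Linux 12\n'}
    mediator = Mediator()
    PreprocessPluginsManager.CollectFromFileSystem(
        artifacts_registry, mediator, GlobSearcher, file_system)
    return mediator
```

The point of routing every failure through ProducePreprocessingWarning is that a single missing or unreadable artifact (here the absent 'LinuxIssueFile' definition) does not stop the other plugins from populating the knowledge base, while the warning still leaves a record that the analyst can review.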

plaso.preprocessors.mediator module

The preprocess mediator.

class plaso.preprocessors.mediator.PreprocessMediator(storage_writer, knowledge_base)[source]

Bases: object

Preprocess mediator.

AddTimeZoneInformation(time_zone_artifact)[source]

Adds a time zone defined by the operating system.

Parameters

time_zone_artifact (TimeZoneArtifact) – time zone artifact.

Raises

KeyError – if the time zone already exists.

AddUserAccount(user_account)[source]

Adds a user account.

Parameters

user_account (UserAccountArtifact) – user account artifact.

Raises

KeyError – if the user account already exists.

AddWindowsEventLogProvider(windows_eventlog_provider)[source]

Adds a Windows Event Log provider.

Parameters

windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows Event Log provider.

Raises

KeyError – if the Windows Event Log provider already exists.

ProducePreprocessingWarning(plugin_name, message)[source]

Produces a preprocessing warning.

Parameters
  • plugin_name (str) – name of the preprocess plugin.

  • message (str) – message of the warning.

SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters

file_entry (dfvfs.FileEntry) – file entry.

property knowledge_base

knowledge base.

Type

KnowledgeBase

plaso.preprocessors.windows module

This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The allusersappdata knowledge base value plugin.

The allusersappdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The allusersprofile knowledge base value plugin.

The allusersprofile value is needed for the expansion of %%environ_allusersprofile%% in artifact definitions.

On Windows Vista and later, which do not define %AllUsersProfile%, it is derived from %ProgramData%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %AllUsersProfile% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'
class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

The Windows available time zones plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'
class plaso.preprocessors.windows.WindowsCodepagePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows codepage plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'
class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsEventLogProvidersPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows Event Log providers plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEventLogProviders'
class plaso.preprocessors.windows.WindowsHostnamePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'
class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramData% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'
class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin[source]

Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

The programdata knowledge base value plugin.

The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.

On versions of Windows prior to Vista, which do not define %ProgramData%, it is derived from %AllUsersProfile%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

Raises

PreProcessFail – if the preprocessing fails.
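The two knowledge base plugins above (allusersprofile derived from %ProgramData% on Vista and later, programdata derived from %AllUsersProfile% before Vista) exist so that %%environ_*%% placeholders in artifact paths can be expanded regardless of which variables the image actually defines. The following is an added example, not plaso's knowledge base plugin code, showing the fallback and the expansion together, including what happens to a path whose variable has no fallback. Copying the value across is this example's reading of "derived", %%environ_allusersprofile%% is the assumed placeholder name for the allusersprofile value, and the collected variables and artifact paths are constructed sample data.

```python
"""Fill in environment values the image did not define, then expand them in
artifact paths.

Added example, not plaso's knowledge base plugins. The two fallbacks follow the
documented derivations (programdata from allusersprofile on pre-Vista images,
allusersprofile from programdata on Vista and later); copying the value across
is this example's reading of "derived", and %%environ_allusersprofile%% is the
assumed placeholder name. Sample values and paths are constructed.
"""
import re

_ENVIRON_VARIABLE = re.compile(r'%%environ_([a-z0-9_]+)%%')

# Constructed: what registry-backed environment variable plugins might have
# collected from a Vista-or-later image and from a pre-Vista image.
VISTA_PLUS = {'SystemRoot': r'C:\Windows', 'ProgramData': r'C:\ProgramData'}
PRE_VISTA = {'SystemRoot': r'C:\WINDOWS',
             'AllUsersProfile': r'C:\Documents and Settings\All Users'}

ARTIFACT_PATHS = [
    r'%%environ_systemroot%%\System32\winevt\Logs\*.evtx',
    r'%%environ_programdata%%\Microsoft\Windows\Start Menu\Programs\StartUp\*',
    r'%%environ_allusersprofile%%\Application Data\*',
    r'%%environ_allusersappdata%%\Microsoft\*',  # no fallback defined in this example
]


def DeriveEnvironmentVariables(collected):
    """Lower-cases names (placeholders use lower case) and adds the two documented fallbacks."""
    variables = {name.lower(): value for name, value in collected.items()}
    if 'programdata' not in variables and 'allusersprofile' in variables:
        variables['programdata'] = variables['allusersprofile']      # pre-Vista
    if 'allusersprofile' not in variables and 'programdata' in variables:
        variables['allusersprofile'] = variables['programdata']      # Vista and later
    return variables


def ExpandArtifactPath(path, variables):
    """Returns the expanded path and the placeholder names that could not be resolved."""
    unresolved = []

    def _Replace(match):
        name = match.group(1)
        if name in variables:
            return variables[name]   # returned literally, backslashes are not re-interpreted
        unresolved.append(name)
        return match.group(0)

    return _ENVIRON_VARIABLE.sub(_Replace, path), unresolved


def ExpandAll(collected, paths=ARTIFACT_PATHS):
    """Maps each fully expanded path to its result; paths with unresolved names are reported apart."""
    variables = DeriveEnvironmentVariables(collected)
    expanded, unresolved = {}, {}
    for path in paths:
        result, missing = ExpandArtifactPath(path, variables)
        if missing:
            unresolved[path] = missing
        else:
            expanded[path] = result
    return expanded, unresolved
```

A path left in the unresolved map cannot be collected from the image at all, which is why a missing derivation shows up downstream as artifacts that silently yield nothing; checking the knowledge base for the expected environment values after preprocessing is a cheap way to catch that.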

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'
class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFilesX86% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'
class plaso.preprocessors.windows.WindowsSystemProductPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system product information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsProductName'
class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %SystemRoot% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'
class plaso.preprocessors.windows.WindowsSystemVersionPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system version information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'
class plaso.preprocessors.windows.WindowsTimeZonePlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows time zone plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'
class plaso.preprocessors.windows.WindowsUserAccountsPlugin[source]

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows user account plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'
class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin[source]

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %WinDir% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'

Module contents

Preprocessor.