plaso.analyzers package

Submodules

plaso.analyzers.hashing_analyzer module

The hashing analyzer implementation.

class plaso.analyzers.hashing_analyzer.HashingAnalyzer

Bases: plaso.analyzers.interface.BaseAnalyzer

This class contains code for calculating file hashes of input files.

Analyze(data)

Updates the internal state of the analyzer, processing a block of data.

Repeated calls are equivalent to a single call with the concatenation of all the arguments.

Parameters: data (bytes) – block of data from the data stream.

DESCRIPTION = u'Calculates hashes of file content.'

GetResults()

Retrieves the hashing results.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = True

NAME = u'hashing'

PROCESSING_STATUS_HINT = u'hashing'

Reset()

Resets the internal state of the analyzer.

SetHasherNames(hasher_names_string)

Sets the hashers that should be enabled.

Parameters: hasher_names_string (str) – comma separated names of hashers to enable.
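
The incremental contract documented for HashingAnalyzer (block-wise Analyze calls equal one call on the concatenation, and Reset clears state between files) can be checked with the following added example. It is a stand-alone sketch built on hashlib, not Plaso's own code: the class SketchHashingAnalyzer and the helper hash_in_blocks are hypothetical names, and results are returned as (name, hex digest) pairs standing in for AnalyzerResult.

```python
import hashlib


class SketchHashingAnalyzer:
    """Stand-alone sketch of the documented interface; not Plaso's class."""

    NAME = 'hashing'
    INCREMENTAL_ANALYZER = True

    def __init__(self):
        self._hasher_names = []
        self._hashers = {}

    def SetHasherNames(self, hasher_names_string):
        """Enables hashers from a comma separated string of names."""
        names = [n.strip().lower() for n in hasher_names_string.split(',')]
        self._hasher_names = [n for n in names if n]
        self.Reset()

    def Analyze(self, data):
        """Feeds one block of the data stream to every enabled hasher."""
        for hasher in self._hashers.values():
            hasher.update(data)

    def GetResults(self):
        """Returns (hasher name, hex digest) pairs (AnalyzerResult stand-in)."""
        return [(name, h.hexdigest()) for name, h in self._hashers.items()]

    def Reset(self):
        """Discards accumulated state so the next file starts clean."""
        self._hashers = {n: hashlib.new(n) for n in self._hasher_names}


def hash_in_blocks(analyzer, data, block_size):
    """Resets the analyzer, then feeds data in block_size pieces."""
    analyzer.Reset()
    for offset in range(0, len(data), block_size):
        analyzer.Analyze(data[offset:offset + block_size])
    return analyzer.GetResults()


# Constructed sample input, not real evidence.
SAMPLE = b'constructed sample evidence bytes ' * 1000

if __name__ == '__main__':
    analyzer = SketchHashingAnalyzer()
    analyzer.SetHasherNames('sha1, sha256')
    whole = hash_in_blocks(analyzer, SAMPLE, len(SAMPLE))
    chunked = hash_in_blocks(analyzer, SAMPLE, 4096)
    print(whole == chunked, whole)
```

Calling Analyze on a second file without Reset yields the digest of both files concatenated, which is why a reused analyzer instance must be reset before each new data stream.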

plaso.analyzers.interface module

Definitions to provide a whole-file processing framework.

class plaso.analyzers.interface.BaseAnalyzer

Bases: object

Class that provides the interface for whole-file analysis.

Analyze(data)

Analyzes a block of data, updating the state of the analyzer.

Parameters: data (bytes) – block of data to process.

DESCRIPTION = u''

GetResults()

Retrieves the results of the analysis.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = False

NAME = u'base_analyzer'

PROCESSING_STATUS_HINT = u'analyzing'

Reset()

Resets the internal state of the analyzer.

SIZE_LIMIT = 33554432

plaso.analyzers.logger module

The analyzers submodule logger.

plaso.analyzers.manager module

This file contains a class for managing digest analyzers for Plaso.

class plaso.analyzers.manager.AnalyzersManager

Bases: object

Class that implements the analyzers manager.

classmethod DeregisterAnalyzer(analyzer_class)

Deregisters an analyzer class.

The analyzer classes are identified based on their lower case name.

Parameters: analyzer_class (type) – class object of the analyzer.
Raises: KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstance(analyzer_name)

Retrieves an instance of a specific analyzer.

Parameters: analyzer_name (str) – name of the analyzer to retrieve.
Returns: analyzer instance.
Return type: BaseAnalyzer
Raises: KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstances(analyzer_names)

Retrieves instances for all the specified analyzers.

Parameters: analyzer_names (list[str]) – names of the analyzers to retrieve.
Returns: analyzer instances.
Return type: list[BaseAnalyzer]

classmethod GetAnalyzerNames()

Retrieves the names of all loaded analyzers.

Returns: analyzer names.
Return type: list[str]

classmethod GetAnalyzers()

Retrieves the registered analyzers.

Yields: tuple containing:
    str: the uniquely identifying name of the analyzer.
    type: the analyzer class.

classmethod GetAnalyzersInformation()

Retrieves the analyzers information.

Returns: tuples containing:
    str: analyzer name.
    str: analyzer description.
Return type: list[tuple]

classmethod RegisterAnalyzer(analyzer_class)

Registers an analyzer class.

The analyzer classes are identified by their lower case name.

Parameters: analyzer_class (type) – the analyzer class to register.
Raises: KeyError – if analyzer class is already set for the corresponding name.

plaso.analyzers.yara_analyzer module

Analyzer that matches Yara rules.

class plaso.analyzers.yara_analyzer.YaraAnalyzer

Bases: plaso.analyzers.interface.BaseAnalyzer

Analyzer that matches Yara rules.

Analyze(data)

Analyzes a block of data, attempting to match Yara rules to it.

Parameters: data (bytes) – a block of data.

DESCRIPTION = u'Matches Yara rules over input data.'

GetResults()

Retrieves results of the most recent analysis.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = False

NAME = u'yara'

PROCESSING_STATUS_HINT = u'yara scan'

Reset()

Resets the internal state of the analyzer.

SetRules(rules_string)

Sets the rules that the Yara analyzer will use.

Parameters: rules_string (str) – Yara rule definitions.

Module contents

This file imports Python modules that register analyzers.