plaso.preprocessors package

Submodules

plaso.preprocessors.generic module

Operating system independent (generic) preprocessor plugins.

class plaso.preprocessors.generic.DetermineOperatingSystemPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

Plugin to determine the operating system.

Collect(mediator, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises:

PreProcessFail – if the preprocessing fails.

__init__()[source]: Initializes a plugin to determine the operating system.

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]

Bases: ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(mediator, artifact_definition, searcher, file_system)[source]

Collects values using a file artifact definition.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises:

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]

Bases: object

The knowledge base preprocessor plugin interface.

The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

abstract Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
Raises:: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]

Bases: ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(mediator, artifact_definition, searcher)[source]

Collects values using a Windows Registry value artifact definition.

Parameters:

mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

Linux preprocessor plugins.

class plaso.preprocessors.linux.LinuxDistributionPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin[source]

Bases: FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

MacOS preprocessor plugins.

class plaso.preprocessors.macos.MacOSHostnamePlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin[source]

Bases: PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin[source]

Bases: FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin[source]

Bases: FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.FileSystemWinRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: WinRegistryFileReader

A file system-based Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters:

path (str) – path of the Windows Registry file.
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns:

Windows Registry file or None.

Return type:

WinRegistryFile

__init__(file_system, mount_point, environment_variables=None)[source]

Initializes a Windows Registry file reader object.

Parameters:

file_system (dfvfs.FileSystem) – file system.
mount_point (dfvfs.PathSpec) – mount point path specification.
environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.

class plaso.preprocessors.manager.PreprocessPluginsManager[source]

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)[source]

Collects values from Windows Registry values.

Parameters:

artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromKnowledgeBase(mediator)[source]

Collects values from knowledge base values.

Parameters:: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

classmethod CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)[source]

Collects values from Windows Registry values.

Parameters:

artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)[source]

Deregisters an preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:

KeyError – if plugin class is not set for the corresponding name.
TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()[source]

Retrieves the names of the registered artifact definitions.

Returns:: registered artifact definitions names.
Return type:: list[str]

classmethod RegisterPlugin(plugin_class)[source]

Registers an preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:

KeyError – if plugin class is already set for the corresponding name.
TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)[source]

Registers preprocess plugin classes.

Parameters:: plugin_classes (list[type]) – preprocess plugin classes.
Raises:: KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, mediator)[source]

Runs the preprocessing plugins.

Parameters:

artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
file_system (dfvfs.FileSystem) – file system to be preprocessed.
mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

plaso.preprocessors.mediator module

The preprocess mediator.

class plaso.preprocessors.mediator.PreprocessMediator(storage_writer)[source]

Bases: object

Preprocess mediator.

code_page

code page.

Type:: str

hostname

hostname.

Type:: HostnameArtifact

language

language.

Type:: str

time_zone

time zone.

Type:: datetime.tzinfo

AddArtifact(artifact_attribute_container)[source]

Adds a pre-processing artifact attribute container.

Parameters:: artifact_attribute_container (ArtifactAttributeContainer) – artifact attribute container.

AddEnvironmentVariable(environment_variable_artifact)[source]

Adds an environment variable.

Parameters:: environment_variable_artifact (EnvironmentVariableArtifact) – environment variable artifact.
Raises:: KeyError – if the environment variable already exists.

AddHostname(hostname_artifact)[source]

Adds a hostname.

Parameters:: hostname_artifact (HostnameArtifact) – hostname artifact.

AddTimeZoneInformation(time_zone_artifact)[source]

Adds a time zone defined by the operating system.

Parameters:: time_zone_artifact (TimeZoneArtifact) – time zone artifact.
Raises:: KeyError – if the time zone already exists.

AddUserAccount(user_account)[source]

Adds an user account.

Parameters:: user_account (UserAccountArtifact) – user account artifact.
Raises:: KeyError – if the user account already exists.

AddWindowsEventLogProvider(windows_eventlog_provider)[source]

Adds a Windows EventLog provider.

Parameters:: windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows EventLog provider.
Raises:: KeyError – if the Windows EventLog provider already exists.

GetEnvironmentVariable(name)[source]

Retrieves an environment variable.

Parameters:

name (str) – name of the environment variable.

Returns:

environment variable artifact or None: if there was no value set for the given name.

Return type:

EnvironmentVariableArtifact

GetEnvironmentVariables()[source]

Retrieves the environment variables.

Returns:: environment variable artifacts.
Return type:: list[EnvironmentVariableArtifact]

GetValue(identifier)[source]

Retrieves a value by identifier.

Parameters:: identifier (str) – case insensitive unique identifier for the value.
Returns:: value or None if not available.
Return type:: object

GetValues()[source]

Retrieves the values.

Returns:: values.
Return type:: list[tuple[str, object]]

ProducePreprocessingWarning(plugin_name, message)[source]

Produces a preprocessing warning.

Parameters:

plugin_name (str) – name of the preprocess plugin.
message (str) – message of the warning.

Reset()[source]: Resets the values stored in the mediator.

SetCodePage(code_page)[source]

Sets the code page.

Parameters:: code_page (str) – code_page.
Raises:: ValueError – if the code page is not supported.

SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters:: file_entry (dfvfs.FileEntry) – file entry.

SetLanguage(language)[source]

Sets the language.

Parameters:: language (str) – language.
Raises:: ValueError – if the language is not supported.

SetTimeZone(time_zone)[source]

Sets the time zone.

Parameters:: time_zone (str) – time zone.
Raises:: ValueError – if the time zone is not supported.

SetValue(identifier, value)[source]

Sets a value by identifier.

Parameters:

identifier (str) – case insensitive unique identifier for the value.
value (object) – value.

Raises:

TypeError – if the identifier is not a string type.

__init__(storage_writer)[source]

Initializes a preprocess mediator.

Parameters:: storage_writer (StorageWriter) – storage writer, to store preprocessing information in.

plaso.preprocessors.windows module

Windows preprocessor plugins.

class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The allusersdata knowledge base value plugin.

The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
Raises:: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The allusersprofile knowledge base value plugin.

The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions.

It is derived from %ProgramData% for versions of Windows, Vista and later, that do not define %AllUsersProfile%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
Raises:: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin[source]

Bases: WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %AllUsersProfile% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'

class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper

The Windows available time zones plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'

class plaso.preprocessors.windows.WindowsCodePagePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows code page plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin.

class plaso.preprocessors.windows.WindowsEventLogPublishersPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows EventLog publishers plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEventLogPublishers'

class plaso.preprocessors.windows.WindowsEventLogSourcesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows EventLog sources plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEventLogSources'

class plaso.preprocessors.windows.WindowsHostnamePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsLanguagePlugin[source]

Bases: WindowsRegistryValueArtifactPreprocessorPlugin

The Windows language plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsLanguage'

class plaso.preprocessors.windows.WindowsMountedDevicesPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin, DtFabricHelper

The Windows mounted devices plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsMountedDevices'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin[source]

Bases: WindowsRegistryKeyArtifactPreprocessorPlugin

Windows profile path environment variable artifact preprocessor plugin.

class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin[source]

Bases: WindowsProfilePathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramData% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'

class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin[source]

Bases: KnowledgeBasePreprocessorPlugin

The programdata knowledge base value plugin.

The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.

It is derived from %AllUsersProfile% for versions of Windows prior to Vista that do not define %ProgramData%.

Collect(mediator)[source]

Collects values from the knowledge base.

Parameters:: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage.
Raises:: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin[source]

Bases: WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.