plaso.preprocessors package

Submodules

plaso.preprocessors.interface module
This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin
Bases: object
The artifact preprocessor plugin interface.
The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.
ARTIFACT_DEFINITION_NAME = None

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
File artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
File entry artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin
File system artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(knowledge_base, artifact_definition, searcher, file_system)
Collects values using a file artifact definition.
Parameters:
- knowledge_base (KnowledgeBase) – to fill with preprocessing information.
- artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
- searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
- file_system (dfvfs.FileSystem) – file system to be preprocessed.
Raises: PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin
Windows Registry key artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(knowledge_base, artifact_definition, searcher)
Collects values using a Windows Registry value artifact definition.
Parameters:
- knowledge_base (KnowledgeBase) – to fill with preprocessing information.
- artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
- searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
Raises: PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
Windows Registry value artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module
This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux distribution plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux hostname plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux issue file plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux standard base (LSB) release plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux systemd operating system release plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
Linux time zone plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux user accounts plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module
The preprocessors sub module logger.

plaso.preprocessors.macos module
This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS hostname plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS keyboard layout plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS system version information plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
MacOS time zone plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
MacOS user accounts plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
Plist file artifact preprocessor plugin interface.
Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module
The preprocess plugins manager.

class plaso.preprocessors.manager.PreprocessPluginsManager
Bases: object
Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system)
Collects values from Windows Registry values.
Parameters:
- artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
- knowledge_base (KnowledgeBase) – to fill with preprocessing information.
- searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
- file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)
Collects values from Windows Registry values.
Parameters:
- artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
- knowledge_base (KnowledgeBase) – to fill with preprocessing information.
- searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)
Deregisters a preprocess plugin class.
Parameters: plugin_class (type) – preprocess plugin class.
Raises:
- KeyError – if plugin class is not set for the corresponding name.
- TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()
Retrieves the names of the registered artifact definitions.
Returns: registered artifact definitions names.
Return type: list[str]

classmethod RegisterPlugin(plugin_class)
Registers a preprocess plugin class.
Parameters: plugin_class (type) – preprocess plugin class.
Raises:
- KeyError – if plugin class is already set for the corresponding name.
- TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)
Registers preprocess plugin classes.
Parameters: plugin_classes (list[type]) – preprocess plugin classes.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, knowledge_base)
Runs the preprocessing plugins.
Parameters:
- artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
- file_system (dfvfs.FileSystem) – file system to be preprocessed.
- mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
- knowledge_base (KnowledgeBase) – to fill with preprocessing information.
classmethod

plaso.preprocessors.windows module
This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsCodepagePlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows codepage plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsHostnamePlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows hostname plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin
Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFiles% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'

class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin
Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFilesX86% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'

class plaso.preprocessors.windows.WindowsSystemProductPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system product information plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsProductName'

class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin
Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %SystemRoot% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'

class plaso.preprocessors.windows.WindowsSystemVersionPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system version information plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'

class plaso.preprocessors.windows.WindowsTimeZonePlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows time zone plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'

class plaso.preprocessors.windows.WindowsUserAccountsPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows user account plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'

class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin
Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %WinDir% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'

Module contents
Preprocessor.