plaso.analyzers package

Subpackages

• plaso.analyzers.hashers package
  • Submodules
  • plaso.analyzers.hashers.entropy module
  • plaso.analyzers.hashers.interface module
  • plaso.analyzers.hashers.manager module
  • plaso.analyzers.hashers.md5 module
  • plaso.analyzers.hashers.sha1 module
  • plaso.analyzers.hashers.sha256 module
  • Module contents

Submodules

plaso.analyzers.hashing_analyzer module

The hashing analyzer implementation.

class plaso.analyzers.hashing_analyzer.HashingAnalyzer

Bases: plaso.analyzers.interface.BaseAnalyzer

This class contains code for calculating file hashes of input files.

In Plaso, hashers are classes that map arbitrarily sized file content to a fixed size value. See: https://en.wikipedia.org/wiki/Hash_function

Analyze(data)

Updates the internal state of the analyzer, processing a block of data.

Repeated calls are equivalent to a single call with the concatenation of all the arguments.

Parameters

data (bytes) – block of data from the data stream.

DESCRIPTION = 'Calculates hashes of file content.'

GetResults()

Retrieves the hashing results.

Returns

results.

Return type

list[AnalyzerResult]

INCREMENTAL_ANALYZER = True

NAME = 'hashing'

PROCESSING_STATUS_HINT = 'hashing'

Reset()

Resets the internal state of the analyzer.

SetHasherNames(hasher_names_string)

Sets the hashers that should be enabled.

Parameters

hasher_names_string (str) – comma separated names of hashers to enable.

plaso.analyzers.interface module

Definitions to provide a whole-file processing framework.

class plaso.analyzers.interface.BaseAnalyzer

Bases: object

Class that provides the interface for whole-file analysis.

Analyze(data)

Analyzes a block of data, updating the state of the analyzer

Parameters

data (bytes) – block of data to process.

DESCRIPTION = ''

GetResults()

Retrieves the results of the analysis.

Returns

results.

Return type

list[AnalyzerResult]

INCREMENTAL_ANALYZER = False

NAME = 'base_analyzer'

PROCESSING_STATUS_HINT = 'analyzing'

Reset()

Resets the internal state of the analyzer.

SIZE_LIMIT = 33554432

plaso.analyzers.logger module

The analyzers sub module logger.

plaso.analyzers.manager module

This file contains a class for managing digest analyzers for Plaso.

class plaso.analyzers.manager.AnalyzersManager

Bases: object

Class that implements the analyzers manager.

classmethod DeregisterAnalyzer(analyzer_class)

Deregisters a analyzer class.

The analyzer classes are identified based on their lower case name.

Parameters

analyzer_class (type) – class object of the analyzer.

Raises

KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstance(analyzer_name)

Retrieves an instance of a specific analyzer.

Parameters

analyzer_name (str) – name of the analyzer to retrieve.

Returns

analyzer instance.

Return type

BaseAnalyzer

Raises

KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstances(analyzer_names)

Retrieves instances for all the specified analyzers.

Parameters

analyzer_names (list[str]) – names of the analyzers to retrieve.

Returns

analyzer instances.

Return type

list[BaseAnalyzer]

classmethod GetAnalyzerNames()

Retrieves the names of all loaded analyzers.

Returns

of analyzer names.

Return type

list[str]

classmethod GetAnalyzers()

Retrieves the registered analyzers.

Yields

tuple –

containing:

str: the uniquely identifying name of the analyzer type: the analyzer class.

classmethod GetAnalyzersInformation()

Retrieves the analyzers information.

Returns

containing:

str: analyzer name. str: analyzer description.

Return type

list[tuple]

classmethod RegisterAnalyzer(analyzer_class)

Registers a analyzer class.

The analyzer classes are identified by their lower case name.

Parameters

analyzer_class (type) – the analyzer class to register.

Raises

KeyError – if analyzer class is already set for the corresponding name.

plaso.analyzers.yara_analyzer module

Analyzer that matches Yara rules.

class plaso.analyzers.yara_analyzer.YaraAnalyzer

Bases: plaso.analyzers.interface.BaseAnalyzer

Analyzer that matches Yara rules.

Analyze(data)

Analyzes a block of data, attempting to match Yara rules to it.

Parameters

data (bytes) – a block of data.

DESCRIPTION = 'Matches Yara rules over input data.'

GetResults()

Retrieves results of the most recent analysis.

Returns

results.

Return type

list[AnalyzerResult]

INCREMENTAL_ANALYZER = False

NAME = 'yara'

PROCESSING_STATUS_HINT = 'yara scan'

Reset()

Resets the internal state of the analyzer.

SetRules(rules_string)

Sets the rules that the Yara analyzer will use.

Parameters

rules_string (str) – Yara rule definitions

Module contents

This file imports Python modules that register analyzers.