plaso.cli package

Subpackages

Submodules

plaso.cli.extraction_tool module

The extraction CLI tool.

class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Extraction CLI tool.

AddPerformanceOptions(argument_group)[source]

Adds the performance options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddProcessingOptions(argument_group)[source]

Adds the processing options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.

plaso.cli.image_export_tool module

The image export CLI tool.

class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.storage_media_tool.StorageMediaTool

Class that implements the image export CLI tool.

has_filters

bool – True if filters have been specified via the options.

list_signature_identifiers

bool – True if information about the signature identifiers should be shown.

AddFilterOptions(argument_group)[source]

Adds the filter options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'
EPILOG = 'And that is how you export files, plaso style.'
ListSignatureIdentifiers()[source]

Lists the signature identifier.

Raises:BadConfigOption – if the data location is invalid.
NAME = 'image_export'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options and initializes the front-end.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
PrintFilterCollection()[source]

Prints the filter collection.

ProcessSources()[source]

Processes the sources.

Raises:
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.

plaso.cli.log2timeline_tool module

The log2timeline CLI tool.

class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.extraction_tool.ExtractionTool

Log2timeline CLI tool.

dependencies_check

bool – True if the availability and versions of dependencies should be checked.

list_hashers

bool – True if the hashers should be listed.

list_parsers_and_plugins

bool – True if the parsers and plugins should be listed.

list_profilers

bool – True if the profilers should be listed.

show_info

bool – True if information about hashers, parsers, plugins, etc. should be shown.

DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n log2timeline.py -o 63 --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'
ExtractEventsFromSources()[source]

Processes the sources and extracts events.

Raises:
  • BadConfigOption – if the storage file path is invalid or the storage format not supported.
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.
NAME = 'log2timeline'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
ShowInfo()[source]

Shows information about available hashers, parsers, plugins, etc.

plaso.cli.logger module

The cli sub module logger.

plaso.cli.pinfo_tool module

The pinfo CLI tool.

class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions

Pinfo CLI tool.

CompareStores()[source]

Compares the contents of two stores.

Returns:True if the content of the stores is identical.
Return type:bool
DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'
NAME = 'pinfo'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
PrintStorageInformation()[source]

Prints the storage information.

plaso.cli.psort_tool module

The psort CLI tool.

class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

Psort CLI tool.

list_analysis_plugins

bool – True if information about the analysis plugins should be shown.

list_language_identifiers

bool – True if information about the language identifiers should be shown.

list_output_modules

bool – True if information about the output modules should be shown.

list_profilers

bool – True if the profilers should be listed.

AddProcessingOptions(argument_group)[source]

Adds processing options to the argument group

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'
NAME = 'psort'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses the options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.
ProcessStorage()[source]

Processes a plaso storage file.

Raises:
  • BadConfigOption – when a configuration parameter fails validation.
  • RuntimeError – if a non-recoverable situation is encountered.

plaso.cli.psteal_tool module

The psteal CLI tool.

class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.StorageFileOptions

Psteal CLI tool.

Psteal extract events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behaviour of the log2timeline.pl. The tool currently doesn’t support any of the log2timeline or psort tools’ flags.

dependencies_check

bool – True if the availability and versions of dependencies should be checked.

list_hashers

bool – True if the hashers should be listed.

list_language_identifiers

bool – True if information about the language identifiers should be shown.

list_output_modules

bool – True if information about the output modules should be shown.

list_parsers_and_plugins

bool – True if the parsers and plugins should be listed.

AnalyzeEvents()[source]

Analyzes events from a plaso storage file and generate a report.

Raises:
  • BadConfigOption – when a configuration parameter fails validation.
  • RuntimeError – if a non-recoverable situation is encountered.
DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'
ExtractEventsFromSources()[source]

Processes the sources and extract events.

This is a stripped down copy of tools/log2timeline.py that doesn’t support the full set of flags. The defaults for these are hard coded in the constructor of this class.

Raises:
  • BadConfigOption – if the storage format is not supported.
  • SourceScannerError – if the source scanner could not find a supported file system.
  • UserAbort – if the user initiated an abort.
NAME = 'psteal'
ParseArguments()[source]

Parses the command line arguments.

Returns:True if the arguments were successfully parsed.
Return type:bool
ParseOptions(options)[source]

Parses tool specific options.

Parameters:options (argparse.Namespace) – command line arguments.
Raises:BadConfigOption – if the options are invalid.

plaso.cli.status_view module

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)[source]

Bases: object

Processing status view.

GetAnalysisStatusUpdateCallback()[source]

Retrieves the analysis status update callback function.

Returns:status update callback function or None.
Return type:function
GetExtractionStatusUpdateCallback()[source]

Retrieves the extraction status update callback function.

Returns:status update callback function or None.
Return type:function
MODE_LINEAR = 'linear'
MODE_WINDOW = 'window'
PrintExtractionStatusHeader(processing_status)[source]

Prints the extraction status header.

Parameters:processing_status (ProcessingStatus) – processing status.
PrintExtractionSummary(processing_status)[source]

Prints a summary of the extraction.

Parameters:processing_status (ProcessingStatus) – processing status.
SetMode(mode)[source]

Sets the mode.

Parameters:mode (str) – status view mode.
SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)[source]

Sets the source information.

Parameters:
  • source_path (str) – path of the source.
  • source_type (str) – source type.
  • artifact_filters (Optional[str]) – names of artifact defintions to use as filters.
  • filter_file (Optional[str]) – filter file.
SetStorageFileInformation(storage_file_path)[source]

Sets the storage file information.

Parameters:storage_file_path (str) – path to the storage file.

plaso.cli.storage_media_tool module

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)[source]

Bases: plaso.cli.tools.CLITool

Class that implements a storage media CLI tool.

AddCredentialOptions(argument_group)[source]

Adds the credential options to the argument group.

The credential options are use to unlock encrypted volumes.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddStorageMediaImageOptions(argument_group)[source]

Adds the storage media image options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddVSSProcessingOptions(argument_group)[source]

Adds the VSS processing options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
ScanSource(source_path)[source]

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters:source_path (str) – path to the source.
Returns:source scanner context.
Return type:dfvfs.SourceScannerContext
Raises:SourceScannerError – if the format of or within the source is not supported.

plaso.cli.time_slices module

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)[source]

Bases: object

Time slice.

The time slice is used to provide a context of events around an event of interest.

duration

int – duration of the time slice in minutes.

event_timestamp

int – event timestamp of the time slice or None.

end_timestamp

int – slice end timestamp or None.

start_timestamp

int – slice start timestamp or None.

plaso.cli.tool_options module

The CLI tool options mix-ins.

class plaso.cli.tool_options.AnalysisPluginOptions[source]

Bases: object

Analysis plugin options mix-in.

ListAnalysisPlugins()[source]

Lists the analysis modules.

class plaso.cli.tool_options.HashersOptions[source]

Bases: object

Hashers options mix-in.

ListHashers()[source]

Lists information about the available hashers.

class plaso.cli.tool_options.OutputModuleOptions[source]

Bases: object

Output module options mix-in.

ListLanguageIdentifiers()[source]

Lists the language identifiers.

ListOutputModules()[source]

Lists the output modules.

class plaso.cli.tool_options.ParsersOptions[source]

Bases: object

Parsers options mix-in.

ListParsersAndPlugins()[source]

Lists information about the available parsers and plugins.

class plaso.cli.tool_options.ProfilingOptions[source]

Bases: object

Profiling options mix-in.

ListProfilers()[source]

Lists information about the available profilers.

class plaso.cli.tool_options.StorageFileOptions[source]

Bases: object

Storage file options mix-in.

plaso.cli.tools module

The CLI tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')[source]

Bases: object

CLI input reader interface.

Read()[source]

Reads a string from the input.

Returns:input.
Return type:str
class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')[source]

Bases: object

CLI output writer interface.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.
class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)[source]

Bases: object

CLI tool.

list_timezones

bool – True if the time zones should be listed.

preferred_encoding

str – preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.

AddBasicOptions(argument_group)[source]

Adds the basic options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddInformationalOptions(argument_group)[source]

Adds the informational options to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddLogFileOptions(argument_group)[source]

Adds the log file option to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
AddTimeZoneOption(argument_group)[source]

Adds the time zone option to the argument group.

Parameters:argument_group (argparse._ArgumentGroup) – argparse argument group.
GetCommandLineArguments()[source]

Retrieves the command line arguments.

Returns:command line arguments.
Return type:str
ListTimeZones()[source]

Lists the timezones.

NAME = ''
ParseNumericOption(options, name, base=10, default_value=None)[source]

Parses a numeric option.

If the option is not set the default value is returned.

Parameters:
  • options (argparse.Namespace) – command line arguments.
  • name (str) – name of the numeric option.
  • base (Optional[int]) – base of the numeric value.
  • default_value (Optional[object]) – default value.
Returns:

numeric value.

Return type:

int

Raises:

BadConfigOption – if the options are invalid.

ParseStringOption(options, argument_name, default_value=None)[source]

Parses a string command line argument.

Parameters:
  • options (argparse.Namespace) – command line arguments.
  • argument_name (str) – name of the command line argument.
  • default_value (Optional[object]) – default value of the command line argument.
Returns:

command line argument value. If the command line argument is

not set the default value will be returned.

Return type:

object

Raises:

BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

PrintSeparatorLine()[source]

Prints a separator line.

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')[source]

Bases: plaso.cli.tools.CLIInputReader

File-like object input reader.

This input reader relies on the file-like object having a readline method.

Read()[source]

Reads a string from the input.

Returns:input.
Return type:str
class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')[source]

Bases: plaso.cli.tools.CLIOutputWriter

File-like object output writer.

This output writer relies on the file-like object having a write method.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.
class plaso.cli.tools.StdinInputReader(encoding='utf-8')[source]

Bases: plaso.cli.tools.FileObjectInputReader

Stdin input reader.

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')[source]

Bases: plaso.cli.tools.FileObjectOutputWriter

Stdout output writer.

Write(string)[source]

Writes a string to the output.

Parameters:string (str) – output.

plaso.cli.views module

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None)[source]

Bases: object

Table view interface.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.CLITableView(column_names=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Command line table view.

Note that currently this table view does not support more than 2 columns.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
Raises:RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.
class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Command line tabular table view interface.

AddRow(values)[source]

Adds a row of values.

Parameters:values (list[object]) – values.
Raises:ValueError – if the number of values is out of bounds.
Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.MarkdownTableView(column_names=None, title=None)[source]

Bases: plaso.cli.views.BaseTableView

Markdown table view.

Write(output_writer)[source]

Writes the table to the output writer.

Parameters:output_writer (OutputWriter) – output writer.
class plaso.cli.views.ViewsFactory[source]

Bases: object

Views factory.

FORMAT_TYPE_CLI = 'cli'
FORMAT_TYPE_MARKDOWN = 'markdown'
classmethod GetTableView(format_type, column_names=None, title=None)[source]

Retrieves a table view.

Parameters:
  • format_type (str) – table view format type.
  • column_names (Optional[list[str]]) – column names.
  • title (Optional[str]) – title.
Returns:

table view.

Return type:

BaseTableView

Raises:

ValueError – if the format type is not supported.

Module contents