plaso.cli package
Subpackages
- plaso.cli.helpers package
  - Submodules
    - plaso.cli.helpers.analysis_plugins module
    - plaso.cli.helpers.artifact_definitions module
    - plaso.cli.helpers.artifact_filters module
    - plaso.cli.helpers.data_location module
    - plaso.cli.helpers.database_config module
    - plaso.cli.helpers.date_filters module
    - plaso.cli.helpers.dynamic_output module
    - plaso.cli.helpers.elastic_output module
    - plaso.cli.helpers.event_filters module
    - plaso.cli.helpers.extraction module
    - plaso.cli.helpers.filter_file module
    - plaso.cli.helpers.hashers module
    - plaso.cli.helpers.interface module
    - plaso.cli.helpers.language module
    - plaso.cli.helpers.manager module
    - plaso.cli.helpers.mysql_4n6time_output module
    - plaso.cli.helpers.nsrlsvr_analysis module
    - plaso.cli.helpers.output_modules module
    - plaso.cli.helpers.parsers module
    - plaso.cli.helpers.process_resources module
    - plaso.cli.helpers.profiling module
    - plaso.cli.helpers.server_config module
    - plaso.cli.helpers.sessionize_analysis module
    - plaso.cli.helpers.shared_4n6time_output module
    - plaso.cli.helpers.sqlite_4n6time_output module
    - plaso.cli.helpers.status_view module
    - plaso.cli.helpers.storage_file module
    - plaso.cli.helpers.storage_format module
    - plaso.cli.helpers.tagging_analysis module
    - plaso.cli.helpers.temporary_directory module
    - plaso.cli.helpers.text_prepend module
    - plaso.cli.helpers.timesketch_output module
    - plaso.cli.helpers.viper_analysis module
    - plaso.cli.helpers.virustotal_analysis module
    - plaso.cli.helpers.windows_services_analysis module
    - plaso.cli.helpers.workers module
    - plaso.cli.helpers.xlsx_output module
    - plaso.cli.helpers.yara_rules module
    - plaso.cli.helpers.zeromq module
  - Module contents
Submodules
plaso.cli.extraction_tool module
The extraction CLI tool.
- class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions
  Extraction CLI tool.
plaso.cli.image_export_tool module
The image export CLI tool.
- class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.storage_media_tool.StorageMediaTool
  Class that implements the image export CLI tool.
  - has_filters
    bool – True if filters have been specified via the options.
  - list_signature_identifiers
    bool – True if information about the signature identifiers should be shown.
  - AddFilterOptions(argument_group)
    Adds the filter options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'
  - EPILOG = 'And that is how you export files, plaso style.'
  - ListSignatureIdentifiers()
    Lists the signature identifiers.
    Raises: BadConfigOption – if the data location is invalid.
  - NAME = 'image_export'
  - ParseArguments()
    Parses the command line arguments.
    Returns: True if the arguments were successfully parsed. Return type: bool
plaso.cli.log2timeline_tool module
The log2timeline CLI tool.
- class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.extraction_tool.ExtractionTool
  Log2timeline CLI tool.
  - dependencies_check
    bool – True if the availability and versions of dependencies should be checked.
  - list_hashers
    bool – True if the hashers should be listed.
  - list_parsers_and_plugins
    bool – True if the parsers and plugins should be listed.
  - list_profilers
    bool – True if the profilers should be listed.
  - show_info
    bool – True if information about hashers, parsers, plugins, etc. should be shown.
  - DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
  - EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n log2timeline.py -o 63 --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'
  - ExtractEventsFromSources()
    Processes the sources and extracts events.
    Raises:
    - BadConfigOption – if the storage file path is invalid or the storage format is not supported.
    - SourceScannerError – if the source scanner could not find a supported file system.
    - UserAbort – if the user initiated an abort.
  - NAME = 'log2timeline'
  - ParseArguments()
    Parses the command line arguments.
    Returns: True if the arguments were successfully parsed. Return type: bool
plaso.cli.logger module
The cli sub module logger.
plaso.cli.pinfo_tool module
The pinfo CLI tool.
- class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions
  Pinfo CLI tool.
  - CompareStores()
    Compares the contents of two stores.
    Returns: True if the content of the stores is identical. Return type: bool
  - DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'
  - NAME = 'pinfo'
  - ParseArguments()
    Parses the command line arguments.
    Returns: True if the arguments were successfully parsed. Return type: bool
plaso.cli.psort_tool module
The psort CLI tool.
- class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions
  Psort CLI tool.
  - list_analysis_plugins
    bool – True if information about the analysis plugins should be shown.
  - list_language_identifiers
    bool – True if information about the language identifiers should be shown.
  - list_output_modules
    bool – True if information about the output modules should be shown.
  - list_profilers
    bool – True if the profilers should be listed.
  - AddProcessingOptions(argument_group)
    Adds the processing options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'
  - NAME = 'psort'
  - ParseArguments()
    Parses the command line arguments.
    Returns: True if the arguments were successfully parsed. Return type: bool
plaso.cli.psteal_tool module
The psteal CLI tool.
- class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ParsersOptions, plaso.cli.tool_options.StorageFileOptions
  Psteal CLI tool.
  Psteal extracts events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behaviour of log2timeline.pl. The tool currently doesn't support any of the log2timeline or psort tools' flags.
  - dependencies_check
    bool – True if the availability and versions of dependencies should be checked.
  - list_hashers
    bool – True if the hashers should be listed.
  - list_language_identifiers
    bool – True if information about the language identifiers should be shown.
  - list_output_modules
    bool – True if information about the output modules should be shown.
  - list_parsers_and_plugins
    bool – True if the parsers and plugins should be listed.
  - AnalyzeEvents()
    Analyzes events from a plaso storage file and generates a report.
    Raises:
    - BadConfigOption – when a configuration parameter fails validation.
    - RuntimeError – if a non-recoverable situation is encountered.
  - DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n https://github.com/log2timeline/plaso/wiki/Using-log2timeline\n'
  - EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'
  - ExtractEventsFromSources()
    Processes the sources and extracts events.
    This is a stripped down copy of tools/log2timeline.py that doesn't support the full set of flags. The defaults for these are hard coded in the constructor of this class.
    Raises:
    - BadConfigOption – if the storage format is not supported.
    - SourceScannerError – if the source scanner could not find a supported file system.
    - UserAbort – if the user initiated an abort.
  - NAME = 'psteal'
plaso.cli.status_view module
The status view.
- class plaso.cli.status_view.StatusView(output_writer, tool_name)
  Bases: object
  Processing status view.
  - GetAnalysisStatusUpdateCallback()
    Retrieves the analysis status update callback function.
    Returns: status update callback function or None. Return type: function
  - GetExtractionStatusUpdateCallback()
    Retrieves the extraction status update callback function.
    Returns: status update callback function or None. Return type: function
  - MODE_LINEAR = 'linear'
  - MODE_WINDOW = 'window'
  - PrintExtractionStatusHeader(processing_status)
    Prints the extraction status header.
    Parameters: processing_status (ProcessingStatus) – processing status.
  - PrintExtractionSummary(processing_status)
    Prints a summary of the extraction.
    Parameters: processing_status (ProcessingStatus) – processing status.
  - SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)
    Sets the source information.
    Parameters:
    - source_path (str) – path of the source.
    - source_type (str) – source type.
    - artifact_filters (Optional[str]) – names of artifact definitions to use as filters.
    - filter_file (Optional[str]) – filter file.
plaso.cli.storage_media_tool module
The storage media CLI tool.
- class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)
  Bases: plaso.cli.tools.CLITool
  Class that implements a storage media CLI tool.
  - AddCredentialOptions(argument_group)
    Adds the credential options to the argument group.
    The credential options are used to unlock encrypted volumes.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - AddStorageMediaImageOptions(argument_group)
    Adds the storage media image options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - AddVSSProcessingOptions(argument_group)
    Adds the VSS processing options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - ScanSource(source_path)
    Scans the source path for volume and file systems.
    This function sets the internal source path specification and source type values.
    Parameters: source_path (str) – path to the source.
    Returns: source scanner context. Return type: dfvfs.SourceScannerContext
    Raises: SourceScannerError – if the format of or within the source is not supported.
plaso.cli.time_slices module
The time slice.
- class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)
  Bases: object
  Time slice.
  The time slice is used to provide a context of events around an event of interest.
  - duration
    int – duration of the time slice in minutes.
  - event_timestamp
    int – event timestamp of the time slice or None.
  - end_timestamp
    int – slice end timestamp or None.
  - start_timestamp
    int – slice start timestamp or None.
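The slice described above, worked through as an added example. This is not plaso's own code: it is a stand-alone re-creation of the documented attributes, applied to a constructed, unsorted event list to pull out the events that surround an event of interest. It assumes timestamps are integers in microseconds since the POSIX epoch (plaso's convention, not stated on this page), that the window is symmetric and inclusive on both ends, and that a slice whose event_timestamp is None selects every event; the EventsAround helper and the sample events are inventions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MICROSECONDS_PER_MINUTE = 60 * 1000000


def timestamp_at(hour, minute, second):
  """Returns microseconds since the POSIX epoch for a time on 2019-01-01 UTC.

  Helper for building the constructed sample timeline below.
  """
  moment = datetime(2019, 1, 1, hour, minute, second, tzinfo=timezone.utc)
  return int(moment.timestamp()) * 1000000


# Constructed sample timeline (not real case data), deliberately unsorted.
EVENTS: List[Tuple[int, str]] = [
    (timestamp_at(12, 4, 59), 'outbound connection to 203.0.113.7:443'),
    (timestamp_at(11, 52, 0), 'interactive logon'),
    (timestamp_at(12, 0, 0), 'suspicious process started'),
    (timestamp_at(12, 5, 1), 'scheduled task created'),
    (timestamp_at(11, 56, 30), 'service installed'),
    (timestamp_at(12, 5, 0), 'file written to C:\\Windows\\Temp'),
]


@dataclass(frozen=True)
class TimeSlice(object):
  """Time slice: `duration` minutes on either side of an event of interest.

  Attributes:
    event_timestamp (int): event timestamp in microseconds, or None.
    duration (int): duration of the slice in minutes, applied on each side.
  """
  event_timestamp: Optional[int]
  duration: int = 5

  def __post_init__(self):
    if self.duration <= 0:
      raise ValueError('duration must be a positive number of minutes')

  @property
  def start_timestamp(self) -> Optional[int]:
    """int: slice start timestamp or None."""
    if self.event_timestamp is None:
      return None
    return self.event_timestamp - self.duration * MICROSECONDS_PER_MINUTE

  @property
  def end_timestamp(self) -> Optional[int]:
    """int: slice end timestamp or None."""
    if self.event_timestamp is None:
      return None
    return self.event_timestamp + self.duration * MICROSECONDS_PER_MINUTE

  def Contains(self, timestamp: int) -> bool:
    """Returns True if the timestamp falls inside the inclusive slice.

    A slice without an event timestamp selects everything (assumption made
    for this example).
    """
    if self.event_timestamp is None:
      return True
    return self.start_timestamp <= timestamp <= self.end_timestamp


def EventsAround(event_timestamp, duration=5, events=EVENTS):
  """Returns the messages of the events inside the slice, oldest first."""
  time_slice = TimeSlice(event_timestamp, duration)
  selected = [event for event in events if time_slice.Contains(event[0])]
  return [message for _, message in sorted(selected)]


if __name__ == '__main__':
  for message in EventsAround(timestamp_at(12, 0, 0)):
    print(message)
```

With the default five minute duration the slice around 12:00:00 keeps the service installation at 11:56:30 and the file write at exactly 12:05:00, and drops the logon eight minutes earlier and the scheduled task one second past the end; widen the duration when the activity you are tracing (a lateral movement, a persistence install) is spread out, and narrow it to isolate one process.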
plaso.cli.tool_options module
The CLI tool options mix-ins.
- class plaso.cli.tool_options.AnalysisPluginOptions
  Bases: object
  Analysis plugin options mix-in.
- class plaso.cli.tool_options.OutputModuleOptions
  Bases: object
  Output module options mix-in.
plaso.cli.tools module
The CLI tools classes.
- class plaso.cli.tools.CLIInputReader(encoding='utf-8')
  Bases: object
  CLI input reader interface.
- class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')
  Bases: object
  CLI output writer interface.
- class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)
  Bases: object
  CLI tool.
  - list_timezones
    bool – True if the time zones should be listed.
  - preferred_encoding
    str – preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.
  - AddBasicOptions(argument_group)
    Adds the basic options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - AddInformationalOptions(argument_group)
    Adds the informational options to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - AddLogFileOptions(argument_group)
    Adds the log file option to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - AddTimeZoneOption(argument_group)
    Adds the time zone option to the argument group.
    Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.
  - GetCommandLineArguments()
    Retrieves the command line arguments.
    Returns: command line arguments. Return type: str
  - NAME = ''
  - ParseNumericOption(options, name, base=10, default_value=None)
    Parses a numeric option.
    If the option is not set the default value is returned.
    Parameters:
    - options (argparse.Namespace) – command line arguments.
    - name (str) – name of the numeric option.
    - base (Optional[int]) – base of the numeric value.
    - default_value (Optional[object]) – default value.
    Returns: numeric value. Return type: int
    Raises: BadConfigOption – if the options are invalid.
  - ParseStringOption(options, argument_name, default_value=None)
    Parses a string command line argument.
    Parameters:
    - options (argparse.Namespace) – command line arguments.
    - argument_name (str) – name of the command line argument.
    - default_value (Optional[object]) – default value of the command line argument.
    Returns: command line argument value; if the command line argument is not set the default value is returned. Return type: object
    Raises: BadConfigOption – if the command line argument value cannot be converted to a Unicode string.
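The two option parsers above are where a plaso tool turns untrusted argv into typed configuration, so it is worth seeing the contract in working code. The block below is an added example and not plaso's implementation: it re-creates the documented behaviour of ParseNumericOption and ParseStringOption (unset option gives the default, anything that does not parse raises BadConfigOption) and runs it over a constructed argv. The option names --workers, --volume-offset and --storage-file, the `minimum` bound, the `encoding` parameter and the BadConfigOption stand-in class are assumptions made for this example.

```python
import argparse
from typing import Any, Dict, List


class BadConfigOption(Exception):
  """Stand-in for plaso's BadConfigOption: a command line option is invalid."""


def ParseNumericOption(options, name, base=10, default_value=None, minimum=None):
  """Parses a numeric option.

  If the option is not set the default value is returned. `base` follows
  int(): 10 for decimal, 16 for hexadecimal, 0 to accept a 0x/0o/0b prefix.
  `minimum` is an addition made for this example.

  Raises:
    BadConfigOption: if the value is not a number in the given base or is
        below the minimum.
  """
  value = getattr(options, name, None)
  if value is None:
    return default_value
  try:
    numeric_value = value if isinstance(value, int) else int(value, base)
  except (TypeError, ValueError):
    raise BadConfigOption(
        'Unsupported numeric value: {0!s} for option: {1:s}'.format(value, name))
  if minimum is not None and numeric_value < minimum:
    raise BadConfigOption(
        'Value: {0:d} of option: {1:s} is below the minimum: {2:d}'.format(
            numeric_value, name, minimum))
  return numeric_value


def ParseStringOption(options, argument_name, default_value=None, encoding='utf-8'):
  """Parses a string command line argument.

  Byte strings are decoded with `encoding`; anything that cannot be converted
  to a Unicode string is rejected rather than passed on to the tool.

  Raises:
    BadConfigOption: if the value cannot be converted to a Unicode string.
  """
  value = getattr(options, argument_name, None)
  if value is None:
    return default_value
  if isinstance(value, bytes):
    try:
      return value.decode(encoding)
    except UnicodeDecodeError:
      raise BadConfigOption(
          'Unable to decode option: {0:s} as {1:s}'.format(argument_name, encoding))
  if not isinstance(value, str):
    raise BadConfigOption(
        'Unsupported value type: {0:s} for option: {1:s}'.format(
            type(value).__name__, argument_name))
  return value


def BuildArgumentParser():
  """Builds a parser with three hypothetical options used by this example."""
  parser = argparse.ArgumentParser(add_help=False)
  parser.add_argument('--workers', dest='workers', default=None, metavar='N')
  parser.add_argument(
      '--volume-offset', dest='volume_offset', default=None, metavar='OFFSET')
  parser.add_argument(
      '--storage-file', dest='storage_file', default=None, metavar='PATH')
  return parser


def ParseArguments(argv: List[str]) -> Dict[str, Any]:
  """Parses argv and returns the validated option values."""
  options = BuildArgumentParser().parse_args(argv)
  return {
      'workers': ParseNumericOption(
          options, 'workers', default_value=0, minimum=0),
      'volume_offset': ParseNumericOption(
          options, 'volume_offset', base=0, minimum=0),
      'storage_file': ParseStringOption(options, 'storage_file'),
  }


if __name__ == '__main__':
  print(ParseArguments(
      ['--workers', '4', '--volume-offset', '0x7e00', '--storage-file', 'case.plaso']))
```

One caveat when copying this pattern: Python's int() accepts surrounding whitespace and underscore separators ('4_000'), and base 0 rejects leading zeros ('063'); if the tool needs a stricter grammar, check the string against a regular expression before calling int().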
- class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')
  Bases: plaso.cli.tools.CLIInputReader
  File-like object input reader.
  This input reader relies on the file-like object having a readline method.
- class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')
  Bases: plaso.cli.tools.CLIOutputWriter
  File-like object output writer.
  This output writer relies on the file-like object having a write method.
- class plaso.cli.tools.StdinInputReader(encoding='utf-8')
  Bases: plaso.cli.tools.FileObjectInputReader
  Stdin input reader.
- class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')
  Bases: plaso.cli.tools.FileObjectOutputWriter
  Stdout output writer.
plaso.cli.views module
View classes.
- class plaso.cli.views.BaseTableView(column_names=None, title=None)
  Bases: object
  Table view interface.
- class plaso.cli.views.CLITableView(column_names=None, title=None)
  Bases: plaso.cli.views.BaseTableView
  Command line table view.
  Note that currently this table view does not support more than 2 columns.
- class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)
  Bases: plaso.cli.views.BaseTableView
  Command line tabular table view interface.
- class plaso.cli.views.MarkdownTableView(column_names=None, title=None)
  Bases: plaso.cli.views.BaseTableView
  Markdown table view.
- class plaso.cli.views.ViewsFactory
  Bases: object
  Views factory.
  - FORMAT_TYPE_CLI = 'cli'
  - FORMAT_TYPE_MARKDOWN = 'markdown'
  - classmethod GetTableView(format_type, column_names=None, title=None)
    Retrieves a table view.
    Parameters:
    - format_type (str) – table view format type.
    - column_names (Optional[list[str]]) – column names.
    - title (Optional[str]) – title.
    Returns: table view.
    Raises: ValueError – if the format type is not supported.
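The view hierarchy and factory above, worked through as an added example. This is not plaso's own code: it is a minimal stand-alone re-creation of BaseTableView, the two-column CLITableView, MarkdownTableView and ViewsFactory.GetTableView (including the ValueError for an unsupported format type), with a Render() method returning a string so the output can be checked. Render(), the AddRow() method, the control-character sanitising of cells and the escaping of pipes in Markdown cells are assumptions made for this example, as are the sample rows; plaso's views write through an output writer and may lay the table out differently, and CLITabularTableView with its column_sizes is not reproduced. The sanitising is there because the strings a forensic tool tabulates (file names, parser output) come from the evidence, and an ANSI escape or a stray pipe in one of them should not be able to rewrite the analyst's terminal or break the rendered table.

```python
from typing import List, Sequence


def _SanitizeCell(text: str) -> str:
  """Replaces non-printable characters (such as the ESC that starts an ANSI
  sequence) with '?' so evidence-derived strings cannot drive the terminal.
  Addition made for this example."""
  return ''.join(
      character if character.isprintable() else '?' for character in text)


class BaseTableView(object):
  """Table view interface."""

  def __init__(self, column_names=None, title=None):
    self._column_names = [_SanitizeCell(name) for name in column_names or []]
    self._rows: List[List[str]] = []
    self._title = _SanitizeCell(title) if title else None

  def AddRow(self, values: Sequence[object]):
    """Adds a row; the number of values must match the column names."""
    if not values:
      raise ValueError('A row needs at least one value')
    if self._column_names and len(values) != len(self._column_names):
      raise ValueError('Row has {0:d} values but the view has {1:d} columns'.format(
          len(values), len(self._column_names)))
    self._rows.append([_SanitizeCell(str(value)) for value in values])

  def Render(self) -> str:
    """Renders the table; implemented by the concrete views."""
    raise NotImplementedError()


class CLITableView(BaseTableView):
  """Command line table view; does not support more than 2 columns."""

  def __init__(self, column_names=None, title=None):
    super().__init__(column_names=column_names, title=title)
    if len(self._column_names) > 2:
      raise ValueError('CLITableView does not support more than 2 columns')

  def AddRow(self, values):
    if len(values) > 2:
      raise ValueError('CLITableView does not support more than 2 columns')
    super().AddRow(values)

  def Render(self):
    lines = [self._title] if self._title else []
    entries = ([self._column_names] if self._column_names else []) + self._rows
    width = max((len(entry[0]) for entry in entries), default=0)
    for index, entry in enumerate(entries):
      line = entry[0].ljust(width)
      if len(entry) > 1:
        line = '{0:s} : {1:s}'.format(line, entry[1])
      lines.append(line.rstrip())
      if index == 0 and self._column_names:
        lines.append('-' * len(lines[-1]))  # underline the header row
    return '\n'.join(lines) + '\n'


class MarkdownTableView(BaseTableView):
  """Markdown table view."""

  def Render(self):
    lines = []
    if self._title:
      lines.extend(['### {0:s}'.format(self._title), ''])
    if self._column_names:
      lines.append(self._FormatRow(self._column_names))
      lines.append(self._FormatRow(['---'] * len(self._column_names)))
    lines.extend(self._FormatRow(row) for row in self._rows)
    return '\n'.join(lines) + '\n'

  @staticmethod
  def _FormatRow(cells):
    # A literal '|' inside a cell would start a new column; escape it.
    escaped = [cell.replace('|', '\\|') for cell in cells]
    return '| {0:s} |'.format(' | '.join(escaped))


class ViewsFactory(object):
  """Views factory."""
  FORMAT_TYPE_CLI = 'cli'
  FORMAT_TYPE_MARKDOWN = 'markdown'

  _VIEW_CLASSES = {
      FORMAT_TYPE_CLI: CLITableView,
      FORMAT_TYPE_MARKDOWN: MarkdownTableView}

  @classmethod
  def GetTableView(cls, format_type, column_names=None, title=None):
    """Retrieves a table view; raises ValueError for an unsupported type."""
    view_class = cls._VIEW_CLASSES.get(format_type)
    if not view_class:
      raise ValueError('Unsupported format type: {0!s}'.format(format_type))
    return view_class(column_names=column_names, title=title)


# Constructed sample rows (the description text is made up for this example);
# the second row carries a pipe and an ANSI escape to exercise the escaping.
SAMPLE_ROWS = [
    ('sqlite', 'Parser for SQLite database files'),
    ('evil\x1b[31m|name', 'cell with a pipe and an escape'),
]


def RenderSampleTable(format_type: str) -> str:
  """Renders the sample rows as a parsers table in the requested format."""
  table_view = ViewsFactory.GetTableView(
      format_type, column_names=['Name', 'Description'], title='Parsers')
  for row in SAMPLE_ROWS:
    table_view.AddRow(row)
  return table_view.Render()


if __name__ == '__main__':
  print(RenderSampleTable(ViewsFactory.FORMAT_TYPE_CLI))
  print(RenderSampleTable(ViewsFactory.FORMAT_TYPE_MARKDOWN))
```

Registering the concrete classes in a dictionary keyed by the FORMAT_TYPE_* constants keeps GetTableView a single lookup, and makes the unsupported-type ValueError fall out naturally instead of needing an if/elif chain that silently returns None for a typo.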