plaso.parsers.bencode_plugins package

Submodules

plaso.parsers.bencode_plugins.interface module

bencode_interface contains basic interface for bencode plugins within Plaso.

Bencoded files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types.

BencodePlugin defines the attributes necessary for registration, discovery and operation of plugins for bencoded files which will be used by BencodeParser.

class plaso.parsers.bencode_plugins.interface.BencodePlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

This is an abstract class from which plugins should be based.

BENCODE_KEYS = frozenset({'any'})
GetEntries(parser_mediator, data=None, **kwargs)[source]

Extracts event object from the values of entries within a bencoded file.

This is the main method that a bencode plugin needs to implement.

The contents of the bencode keys defined in BENCODE_KEYS can be made available to the plugin as both a matched{‘KEY’: ‘value’} and as the entire bencoded data dictionary. The plugin should implement logic to parse the most relevant data set into a useful event for incorporation into the Plaso timeline.

The attributes for a BencodeEvent should include the following:

root = Root key this event was extracted from. key = Key the value resided in. time = Date this artifact was created in micro seconds (usec) from

January 1, 1970 00:00:00 UTC.

desc = Short description.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode'
Process(parser_mediator, data, **kwargs)[source]

Determine if this is the correct plugin; if so proceed with processing.

Process() checks if the current bencode file being processed is a match for a plugin by comparing the PATH and KEY requirements defined by a plugin. If both match processing continues; else raise WrongBencodePlugin.

This function also extracts the required keys as defined in self.BENCODE_KEYS from the file and stores the result in match[key] and calls self.GetEntries() which holds the processing logic implemented by the plugin.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (dict[str, object]) – bencode data values.
Raises:
  • WrongBencodePlugin – If this plugin is not able to process the given file.
  • ValueError – If top level is not set.
URLS = []

plaso.parsers.bencode_plugins.transmission module

Bencode parser plugin for Transmission BitTorrent files.

class plaso.parsers.bencode_plugins.transmission.TransmissionEventData[source]

Bases: plaso.containers.events.EventData

Transmission BitTorrent event data.

destination

str – downloaded file name within .torrent file

seedtime

int – number of seconds client seeded torrent

DATA_TYPE = 'p2p:bittorrent:transmission'
class plaso.parsers.bencode_plugins.transmission.TransmissionPlugin[source]

Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin

Parse Transmission BitTorrent activity file for current torrents.

BENCODE_KEYS = frozenset({'added-date', 'seeding-time-seconds', 'destination', 'activity-date', 'done-date'})
DESCRIPTION = 'Parser for Transmission bencoded files.'
GetEntries(parser_mediator, data=None, **unused_kwargs)[source]

Extract data from Transmission’s resume folder files.

This is the main parsing engine for the parser. It determines if the selected file is the proper file to parse and extracts current running torrents.

Transmission stores an individual Bencoded file for each active download in a folder named resume under the user’s application data folder.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode_transmission'

plaso.parsers.bencode_plugins.utorrent module

Bencode parser plugin for uTorrent files.

class plaso.parsers.bencode_plugins.utorrent.UTorrentEventData[source]

Bases: plaso.containers.events.EventData

uTorrent event data.

caption

str – official name of package

path

str – Torrent download location

seedtime

int – number of seconds client seeded torrent

DATA_TYPE = 'p2p:bittorrent:utorrent'
class plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin[source]

Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin

Plugin to extract uTorrent active torrent events.

BENCODE_KEYS = frozenset({'.fileguard'})
DESCRIPTION = 'Parser for uTorrent bencoded files.'
GetEntries(parser_mediator, data=None, **unused_kwargs)[source]

Extracts uTorrent active torrents.

This is the main parsing engine for the plugin. It determines if the selected file is the proper file to parse and extracts current running torrents.

interface.Process() checks for the given BENCODE_KEYS set, ensures that it matches, and then passes the bencoded data to this function for parsing. This plugin then parses the entire set of bencoded data to extract the variable file-name keys to retrieve their values.

uTorrent creates a file, resume.dat, and a backup, resume.dat.old, to for all active torrents. This is typically stored in the user’s application data folder.

These files, at a minimum, contain a ‘.fileguard’ key and a dictionary with a key name for a particular download with a ‘.torrent’ file extension.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • data (Optional[dict[str, object]]) – bencode data values.
NAME = 'bencode_utorrent'

Module contents

Imports for the bencode parser.