plaso.preprocessors package

Submodules

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(knowledge_base, artifact_definition, searcher, file_system)

Collects values using a file artifact definition.

Parameters:
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.
Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(knowledge_base, artifact_definition, searcher)

Collects values using a Windows Registry value artifact definition.

Parameters:
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
Raises:

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux distribution plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux hostname plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux issue file plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux standard base (LSB) release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux systemd operating system release plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

Linux time zone plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

The Linux user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module

The preprocessors submodule logger.

plaso.preprocessors.macos module

This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS hostname plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS keyboard layout plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin

Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

MacOS system version information plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS time zone plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

MacOS user accounts plugin.

ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin

Plist file artifact preprocessor plugin interface.

Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.PreprocessPluginsManager

Bases: object

Preprocess plugins manager.

classmethod CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system)

Collects values from the file system.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.

classmethod CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)

Collects values from Windows Registry values.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.
  • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

classmethod DeregisterPlugin(plugin_class)

Deregisters a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is not set for the corresponding name.
  • TypeError – if the source type of the plugin class is not supported.

classmethod GetNames()

Retrieves the names of the registered artifact definitions.

Returns: registered artifact definition names.
Return type: list[str]

classmethod RegisterPlugin(plugin_class)

Registers a preprocess plugin class.

Parameters:

plugin_class (type) – preprocess plugin class.

Raises:
  • KeyError – if plugin class is already set for the corresponding name.
  • TypeError – if the source type of the plugin class is not supported.

classmethod RegisterPlugins(plugin_classes)

Registers preprocess plugin classes.

Parameters: plugin_classes (list[type]) – preprocess plugin classes.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod RunPlugins(artifacts_registry, file_system, mount_point, knowledge_base)

Runs the preprocessing plugins.

Parameters:
  • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
  • file_system (dfvfs.FileSystem) – file system to be preprocessed.
  • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
  • knowledge_base (KnowledgeBase) – to fill with preprocessing information.

plaso.preprocessors.windows module

This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsCodepagePlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows codepage plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsHostnamePlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows hostname plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFiles% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'

class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin

Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin

The Windows %ProgramFilesX86% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'

class plaso.preprocessors.windows.WindowsSystemProductPlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system product information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsProductName'

class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %SystemRoot% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'

class plaso.preprocessors.windows.WindowsSystemVersionPlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows system version information plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'

class plaso.preprocessors.windows.WindowsTimeZonePlugin

Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin

The Windows time zone plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'

class plaso.preprocessors.windows.WindowsUserAccountsPlugin

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

The Windows user account plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'

class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin

Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin

The Windows %WinDir% environment variable plugin.

ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'

Module contents

Preprocessor.