plugins.common package¶

Submodules¶

plugins.common.RVT_browsers module¶

class plugins.common.RVT_browsers.Edge(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generate Internet Explorer 10+ / Microsoft Edge web browsing or cookies history

convert_date_format(string_date)¶

get_ids()¶

parse_export()¶

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_browsers.InternetExplorer(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generate Internet Explorer web browsing history

run(path)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_browsers.Safari(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generate Safari web browsing history, cookies and downloads

cookies(path)¶

downloads(path)¶

history_plist(path)¶

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.common.RVT_browsers.convert_absolute(mac_absolute_time)¶: Convert mac absolute time (seconds from 1/1/2001) to human readable

plugins.common.RVT_characterization module¶

class plugins.common.RVT_characterization.CharacterizeDisk(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extract summary info about disk and Windows partitions.

Regripper output files and the timeline, must had been previously generated. If the image has been obtained by a cloning machine, logs should be provided as well

:param : ripplugins (str): path to json containing the list of plugins executed by ‘autorip’ job

characterize_Windows()¶: Characterize Windows partitions from registry files and timeline.

get_image_information(disk)¶: Get partition tables and number of vss. If cloning logs are provided, model ans serial number are obtained

make_ntuser_timeline()¶: Get user creation date from the birth time of NTUSER.dat

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path=None)¶: The output dictionaries with disk information are expected to be sent to a mako template

plugins.common.RVT_characterization.human_readable_size(num)¶

plugins.common.RVT_disk module¶

Manages images

class plugins.common.RVT_disk.AFFImage(imagefile, imagetype, params)¶

Bases: plugins.common.RVT_disk.BaseImage

Manages an AFF4 image

umount(unzip_path=None)¶: Unmounts all partitions

class plugins.common.RVT_disk.BaseImage(imagefile, imagetype, params)¶

Bases: object

A base class for images. Also, manages raw (dd) images

exists()¶: Returns True if the disk was found in the morgue.

getPartitionNumber()¶: Return the number of partitions in disk

mmls()¶: Read partitions from the image

mount(partitions=None, vss=False, unzip_path=None)¶

Mounts partitions of disk :param partition: partition to be mounted (mounts all available partitions by default) :type partition: str

Returns: False in case of error
Return type: bool

myflag(option, default=False)¶: A convenience method for self.config.getboolean(self.section, option, False)

umount(unzip_path=None)¶: Unmounts all partitions

class plugins.common.RVT_disk.DummyImage(imagefile, imagetype, params)¶

Bases: plugins.common.RVT_disk.BaseImage

mmls()¶: Read partitions from the image

mount(partitions='', vss=False, unzip_path=None)¶

Mounts partitions of disk :param partition: partition to be mounted (mounts all available partitions by default) :type partition: str

Returns: False in case of error
Return type: bool

umount(unzip_path=None)¶: Unmounts all partitions

class plugins.common.RVT_disk.EncaseImage(imagefile, imagetype, params)¶

Bases: plugins.common.RVT_disk.BaseImage

Manages an EncaseImage image

umount(unzip_path=None)¶: Unmounts all partitions

class plugins.common.RVT_disk.ZipImage(imagefile, imagetype, params)¶

Bases: plugins.common.RVT_disk.BaseImage

Manages a ZIP file: its contents are unzipped into a single partition

mmls()¶: Read partitions from the image

mount(unzip_path=None, partitions='', vss=False)¶: Extracts contents of zip imagefile to unzip_path

umount(unzip_path=None)¶: Unmounts all partitions

plugins.common.RVT_disk.getSourceImage(myconfig)¶

plugins.common.RVT_files module¶

class plugins.common.RVT_files.ExtractPathTerms(*args, **kwargs)¶

Bases: base.job.BaseModule

Set new configuration options with user and partition obtained from a file path

get_partition_from_path(path)¶

get_user_from_path(path)¶

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_files.Files(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generates a list with all the allocated files in a disk, by visiting them.

run(path=None)¶: The path is ignored.

class plugins.common.RVT_files.FilterAllocFiles(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Reads alloc_files and sends to from_module the filenames that match an expression.

Configuration:

regex: the regex expression to match
file_category: if present, ignore regex and read extensions from this file_category.
vss: use virtual shadow instead of the current system (only Window images)

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path=None)¶: The path is ignored

class plugins.common.RVT_files.GetFiles(config, vss=False)¶

Bases: object

This class provides method to interact with the list of all allocated files in the filesystem (alloc_files.txt)

files()¶: Yield all of allocated file paths

get_alloc_txt_files()¶: Return a list of all alloc_files-txt files present in the output directory for the source

search(regex)¶: Return a list of allocated files matching ‘regex’.

class plugins.common.RVT_files.SendAllocFiles(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

The module sends to from_module the path to all files inside alloc_files.

run(path=None)¶: The path is ignored

plugins.common.RVT_filesystem module¶

class plugins.common.RVT_filesystem.FileSystem(*args, disk=None, **kwargs)¶

Bases: base.job.BaseModule

This class provides a set of methods to extract general information about filesystems in every partition.

The available methods create auxiliar files in json format. Once generated, they allow a fast access to information describing filesystem relations regarding:

Inodes and path association

Inodes and blocks

Inodes status

Use the ‘load…’ methods to retrieve (or generate) the specific dictionaries. It also provides some methods to extract inodes or clusters.

:param : outdir (str): path to auxiliar output where all files generated by this modules are stored

cluster_allocation_status(partition, cluster)¶

Gets cluster allocation status

Parameters

partition (str) – partition name
cluster (str) – cluster number

Returns

Allocated or Not Allocated

Return type

str

cluster_extract(partition, cluster)¶

Extraxt cluster content

Parameters

partition (str) – partition name
cluster (str) – cluster number

Returns

binary text from a cluster

Return type

str

create_inode_list_with_ffind(partition=None, device=None, deleted=False)¶: Associate inode with paths using ffind. CAUTION: This method is VERY slow. Use self.inode_path instead

get_inode_from_path(filename, partition, vss=False)¶

Find inode associated to a filename inside a partition filesystem

:param : filename (str): filename to search inode :param : partition (str): Partition name where getting inode (examples: p05 or v1p04) :param : vss (bool): True if it’s an vss

get_macb(file_list, vss=False)¶

Retrieve timestamp information (MACB times) for a list of files

:param : file_list (list): list of filenames paths relative to casedir (example: 112233-01-1/mnt/p02/Users/myuser/Documents/mydoc.txt) :param : vss (bool): If True, look at vss partitions

Returns: dict: every key (filename) contains a list of four strings representing times

icat(inode, partition, output_filename=None, attribute='', vss=False)¶

Write or return inode contents. If output_filename is set the content is written to that file and returns nothing.: Otherwise the content is returned. Be careful with large files.

:param : partition (str): Partition name where getting content (examples: p05 or v1p04) :param : inode (int): inode number :param : output_filename (string): file where inode’s content may be written :param : attribute (string): optional inode attribute (related with ADS) :param : vss (bool): True if it is an volume snapshot

inode_block(**kwargs)¶: Relates inodes with blocks for every partition. Generates two reciprocal JSON files: inode -> block; block -> inode. block_from_inode: Keys are inodes (strings, not integers). Values are a list of blocks inode_from_block: Keys are blocks. Values are a list of inodes

inode_from_cluster(partition, cluster, inode_from_block=None)¶

Use ifind (very slow) or a previously created file to get a list of inodes associated to a cluster (block)

Parameters

partition (str) – partition name
cluster (str) – cluster number
inode_from_block (dict) – associates a list of inodes with a block. Use it if provided

Returns

list of inodes associated to a cluster

Return type

list

inode_path(deleted=False, vss=None)¶

Relates inodes with paths for every partition using sleuthkit fls command. Generates two reciprocal JSON files: inode -> path; path -> inode. path_from_inode: Keys are inodes (strings, not integers). Values are a list of paths inode_from_path: Keys are paths. Values are inodes Deleted files are treated apart since the associated inode may no longer contain the data Caution: Embedded data streams are not referenced.

Parameters

deleted (bool) – If True, show only deleted files
vss (str) – If True, retrieve Volume Shadows Snapshots inode path relations

inode_status(**kwargs)¶: Save files showing allocated status of every inode in a partition

load_block_from_inode(config=None, partition=None, vss=None, deleted=None)¶: Return dictionary relating each inode in the partition with its data blocks. Keys are strings, not integers

load_inode_from_block(config=None, partition=None, vss=None, deleted=None)¶: Return dictionary relating each block with a list of inodes

load_inode_from_path(config=None, partition=None, vss=None, deleted=None)¶: Return dictionary relating each path with an inode

load_inode_status(config=None, partition=None, vss=None, deleted=None)¶: Return dictionary telling the allocation status for every inode in a partition

load_path_from_inode(config=None, partition=None, vss=None, deleted=None)¶: Return dictionary relating each inode in the partition with filenames. Keys are strings, not integers

run(path='')¶: Generate the main files describing filesystem relations. It is advisable to generate them separately when needed, since they are slow to run

save_inode_path_files(path_from_inode, inode_from_path, partition, deleted=False)¶: Save path_from_inode and inode_from_path results to JSON files.

plugins.common.RVT_gmail_mailbox module¶

class plugins.common.RVT_gmail_mailbox.Gmail(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

extract_from_cspan(infile, of)¶

extract_from_gmail(infile, of)¶

generate_search_file()¶: Generates needed searches files if it doesn’t exists

run(path='')¶: Main function to generate inbox files based on string searches

plugins.common.RVT_gmail_mailbox.check_make_search_file(fname, webmail, kw)¶

plugins.common.RVT_gmail_mailbox.sanitize_text(texto)¶

Sanitize text :param texto: text to sanitize :type texto: str

Returns: text replacing some chars
Return type: str

plugins.common.RVT_mails module¶

class plugins.common.RVT_mails.CharacterizeMails(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

static init_dict(m)¶

process_mails(infile)¶: Main function to extract general statistics from all mails in a mailbox

run(path='')¶

Characterize mailbox. Writes a summary file.

Parameters: path (str) – path to mailbox.csv

Configuration:

outdir (str): Output directory
summary_file (str): path to output summary_file
n (int or str): number of most common instances to show for each category

Yields: Dictionaries of individual mail accounts information, such as number of appearences or time ranges

summary(out_summary, n=30)¶

Creates summary file, including most common email accounts and correspondence.

Parameters

out_summary (str) – path to output file
n (int or str) – number of most common instances to show for each category

class plugins.common.RVT_mails.FilterMails(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

filter_fields(row, variables, conditions, values, pre_function=None, operator='and')¶

Return True if conditions applied to variables pass.

Parameters

variables (-) – variables to compare
conditions (-) – comparsion function. Ex: [‘__gt’__, ‘__eq__’]
values (-) – values to compare against
operator (-) – ‘and’ or ‘or’

run(path='')¶

Parse some properties and filter a list of emails, yielding only the ones satisfying the specified conditions. Filters must be specified in configuration files under the section ‘filter_mails’. If the section is empty or does not exists, all mails will be returned.

Each filter must specify a list of field names (variables) to compare against (values) with the comparsion operators (conditions). Optionally a function (pre_function) may be specified to apply before the comparsion. The key (operator) determines if every item in the list must be linked with an ‘and’ or ‘or’ operator.

Configuration example: select recieved mails with delivery_time between ‘2006-2-6’ and ‘2007-1-2’ where the number of recipients is bigger or equal than 5

[filter_mails] filter1: {‘operator’: ‘and’,

‘variables’: [‘send_or_received’, ‘delivery_time’, ‘delivery_time’], ‘conditions’: [‘__eq__’, ‘__ge__’, ‘__le__’], ‘values’: [‘R’, ‘2006-2-6’, ‘2007-1-2’]}

filter2: {‘operator’: ‘or’,
‘pre_function’: [‘len’, ‘len’], ‘variables’: [‘to_mails’, ‘cc_mails’], ‘conditions’: [‘__ge__’, ‘__ge__’], ‘values’: [‘5’, ‘5’]}

plugins.common.RVT_mount module¶

class plugins.common.RVT_mount.Mount(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Mount all partitions in a disk and then run from_module.

Configuration:

partitions (str): comma separated list of partitions to mount (ex: p03,p05,v1p05). All non vss partitions by default
recovery_keys (str): comma separated list of recovery keys for encrypted partition
ntfs_args (str): specific options for mounting an NTFS partition.
fat32_args (str): specific options for mounting a FAT32 partition.
ext4_args (str): specific options for mounting an EXT4 partition.
hfs_args (str): specific options for mounting an HFS partition.
vss (bool): mount regular (False) or Volume Shadow Snapshots (True) partitions

run(path=None)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_mount.UMount(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Run from_module and then umount all partitions in a disk.

run(path=None)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.common.RVT_partition module¶

class plugins.common.RVT_partition.Partition(imagefile, size, filesystem, osects, partition, sectorsize, myconfig, bn='', voln='')¶

Bases: object

Stores relevant information about a partition. Allows to mount the partiton

bindfs_mount()¶

check_bitlocker()¶: Check if partitions is encrypted with bitlocker

fvde_mount()¶

get_vss_number_stores()¶: Describes VSS found in the partition

load_partition()¶: Load partition variables from JSON file. Avoids running mmls every time

mount()¶: Main mounting method for partitions. Calls specific function depending on Filesystem type

mount_APFS()¶

mount_HFS(imagefile='', mountpath='', offset=True)¶

mount_NTFS(imagefile=None, mountpath=None, offset=True)¶

mount NTFS partition

Confiugration section:

ntfs_args: arguments for mount. offset and sizelimit will be automatically appended to these arguments. This parameter will be managed as a format string. The current group id will be passed as an option gid.

Parameters

imagefile (str) – imagefile path (used for auxiliary mount point). If None, use self.imagefile.
mountpath (str) – mount the image on this path. If None, use source/mnt/pXX.
offset (bool) – Used to ignore disk offset (used for auxiliary mount point)

mount_bitlocker()¶

mount_ext()¶

mount_fat(imagefile=None, mountpath=None, offset=True)¶

myflag(option, default=False)¶: A convenience method for self.config.getboolean(self.section, option, False)

refreshMountedImages()¶: Updates information about loop devices mounted.

save_partition()¶: Write partition variables in a JSON file

umount()¶: Unmounts all partitions

umountPartition(path)¶: Umount path

vss_mount()¶

plugins.common.RVT_search module¶

class plugins.common.RVT_search.OutSearch(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

run(keyfile='')¶: Searche contents of regex in output dir except in strings, searches and parser folders

class plugins.common.RVT_search.ReportSearch(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generates reports from keywords files Parameter:

path (str): filename with keywords to seek

Configuration:

keyfile: filename with keywords in case path is not specified
search_dir: output directory for StringSearch generated files

report_search_kw(keyword, regex)¶

Creates a pdf file from ‘all_kw’ file, using LaTex.

Parameters

keyword (str) – keyword name
regex (str) – regular expression associated to keyword

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_search.SearchAccounts(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

control_digits(account)¶: Auxiliary function

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

remove_separators(texto)¶: Auxiliary function to remove chars

run(path='')¶: Search credit card accounts in strings

validate(account, banks)¶

Returns an account in a normalized format :param account: string number to normalize :type account: str :param banks: dict that relates account with bank :type banks: dict

Returns: account in a normalized format or empty string if is not a valid account number
Return type: string

class plugins.common.RVT_search.SearchEmailAddresses(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

run(path='')¶: Generates a list with number of times an email address apears in strings

class plugins.common.RVT_search.StringSearch(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Find strings that matches regular expression. There are three different output files types:

hits_somekeyword: For every hit in the search of ‘somekeyword’ in strings, show:
Partition;Offset;Block;Status;String

blocks_somekeyword: All blocks (clusters) associated with a hit for a partition.
It is an intermediate file, only for perfoming purposes

all_somekeyword: Displays every block where somekeyword has been found, along with the next information:
Partition;Block;Inode;InodeStatus;PossibleFilename

Parameter:

path (str): filename with keywords to seek (same as keyfile in configuration)

Configuration:

keyfile: default filename with keywords in case path is not specified
outdir: path to directory where generated match files will be stored
strings_dir: path to directory where string files are generated.

Warning: if a keyword is found between two consecutive blocks, result won’t be shown.

all_info(kw_blocks, kw='')¶

Yields partition, block, inode, status, file and block content for each block where there is a match for ‘kw’

Parameters

kw_blocks (dict) – mapping between partition and blocks with a hit for a keyword
kw (str) – keyword name

get_blocks(kw, regex)¶: Updates variable self.blocks, that stores set of blocks for kw and partition, creating new ‘block’ and ‘hits’ files

get_cluster()¶: Generates report files containing information about the block where a hit is found, along with the contents of the block itself.

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

save_blocks_file(blocks, kw)¶

search_strings(kw, regex)¶

Generates a string search and yields hits. Also stores blocks where there’s a match for the keyword ‘kw’.

Parameters

kw (str) – keyword name
regex (str) – regular expression associated to keyword

Yields

Dictionaries containing partition, block, offset and string match

plugins.common.RVT_search.getSearchItems(key_file, is_file=True)¶

Get keywords and names for searching :param key_file: File name with keywords :type key_file: str :param is_file: get data from a file or from an string :type is_file: boolean

Returns: dictionary with keynames and keywords to search
Return type: key_dict (dict)

plugins.common.RVT_search.searchCountRegex(regex, string_path, grep='grep', logger=<module 'logging' from '/usr/lib/python3.7/logging/__init__.py'>)¶

Return number of times a hit appears

Parameters: regex (str) – regular expression to seek
Returns: dict with number of times a hit appears
Return type: dict

plugins.common.RVT_skype module¶

class plugins.common.RVT_skype.GenericLevelDB(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parse any leveldb. Since it is general, all specific fields are not parsed

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_skype.ParseLevelDB(path=None, outdir=None, user='', partition='', prefix='')¶

Bases: object

Base class for parsing leveldb. Methods ‘get_types_table’, ‘get_target_type’ and ‘filter_special_keys’ must be implemented

static decode_value(b)¶: Try to decode a bytearray

filter_special_keys(k, v)¶: Some keys may be parsed or decoded in a special way.

get_leveldb_pairs(lvl_db_path)¶: Generator of key-value pairs for all leveldb files inside a folder.

get_target_type(out, tipe)¶: Append data to table when out contains the required identifier.

get_types_table()¶

Creates the table relating types of entries with fields

Example: self.table = {

‘messages’: {‘identifier’: ‘originalarrivaltime’,
‘fields’: [‘originalarrivaltime’, ‘creator’, ‘conversationId’, ‘content’], ‘sort’: ‘originalarrivaltime’},

‘calls’: {‘identifier’: ‘callDirection’,
‘fields’: [‘startTime’, ‘connectTime’, ‘endTime’, ‘callDuration’, ‘originator’, ‘target’], ‘sort’: None},

parse_db(entry)¶: Main function for parsing leveldb

run()¶: Main function to execute

write_tables()¶: Write csv files containing information for each of defined tables.

class plugins.common.RVT_skype.ParseSkypeLevelDB(path=None, outdir=None, user='', partition='', prefix='')¶

Bases: plugins.common.RVT_skype.ParseLevelDB

filter_special_keys(k, v)¶: Some keys may be parsed or decoded in a special way.

get_target_type(out, typ)¶: Append data to table when out contains the required identifier.

get_types_table()¶

Creates the table relating types of entries with fields

Example: self.table = {

‘messages’: {‘identifier’: ‘originalarrivaltime’,
‘fields’: [‘originalarrivaltime’, ‘creator’, ‘conversationId’, ‘content’], ‘sort’: ‘originalarrivaltime’},

‘calls’: {‘identifier’: ‘callDirection’,
‘fields’: [‘startTime’, ‘connectTime’, ‘endTime’, ‘callDuration’, ‘originator’, ‘target’], ‘sort’: None},

class plugins.common.RVT_skype.ParseTeamsLevelDB(path=None, outdir=None, user='', partition='', prefix='')¶

Bases: plugins.common.RVT_skype.ParseLevelDB

filter_special_keys(k, v)¶: Some keys may be parsed or decoded in a special way.

get_target_type(out, typ)¶: Append data to table when out contains the required identifier.

get_types_table()¶

Creates the table relating types of entries with fields

Example: self.table = {

‘messages’: {‘identifier’: ‘originalarrivaltime’,
‘fields’: [‘originalarrivaltime’, ‘creator’, ‘conversationId’, ‘content’], ‘sort’: ‘originalarrivaltime’},

‘calls’: {‘identifier’: ‘callDirection’,
‘fields’: [‘startTime’, ‘connectTime’, ‘endTime’, ‘callDuration’, ‘originator’, ‘target’], ‘sort’: None},

class plugins.common.RVT_skype.Skype(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parse Skype databases leveldb

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.common.RVT_skype.Teams(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parse Teams databases leveldb

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.common.RVT_skype.comparator(a, b)¶: Dummy string comparator for sorting leveldb keys in case the standard leveldb.BytewiseComparator is not allowed.

plugins.common.RVT_string module¶

class plugins.common.RVT_string.StringGenerate(*args, disk=None, **kwargs)¶

Bases: base.job.BaseModule

generate_strings()¶: Generates strings of disk partitions

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.common.RVT_timelines module¶

class plugins.common.RVT_timelines.Timelines(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Generates timeline and body files for a disk and its VSS (if set)

Configuration:

vss: If True, generate timelines and body files for the VSS, not the main disk (only useful on Windows systems)
fls: Path to the fls app (TSK)
apfs_fls: Path to a fls app with APFS support (TSK>?)
mactime: Path to the mactime app (TSK)

run(path=None)¶: The path is ignored, and the source image is used.

plugins.common.case_solve module¶

class plugins.common.case_solve.Case_Solve(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Mount all partitions in a disk and then run from_module.

print(txt)¶

run(path=None)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.