plugins.external package¶

Subpackages¶

Submodules¶

plugins.external.amcache module¶

class plugins.external.amcache.ExecutionEntry(path, sha1, size, file_description, source_key_timestamp, created_timestamp, modified_timestamp, modified_timestamp2, linker_timestamp, product, company, pe_sizeofimage, version_number, version, language, header_hash, pe_checksum, id, switchbackcontext)¶

Bases: tuple

property company¶

Alias for field number 10

property created_timestamp¶

Alias for field number 5

property file_description¶

Alias for field number 3

property header_hash¶

Alias for field number 15

property id¶

Alias for field number 17

property language¶

Alias for field number 14

property linker_timestamp¶

Alias for field number 8

property modified_timestamp¶

Alias for field number 6

property modified_timestamp2¶

Alias for field number 7

property path¶

Alias for field number 0

property pe_checksum¶

Alias for field number 16

property pe_sizeofimage¶

Alias for field number 11

property product¶

Alias for field number 9

property sha1¶

Alias for field number 1

property size¶

Alias for field number 2

property source_key_timestamp¶

Alias for field number 4

property switchbackcontext¶

Alias for field number 18

property version¶

Alias for field number 13

property version_number¶

Alias for field number 12

class plugins.external.amcache.Field(name, getter)¶

Bases: tuple

property getter¶

Alias for field number 1

property name¶

Alias for field number 0

exception plugins.external.amcache.NotAnAmcacheHive¶

Bases: Exception

class plugins.external.amcache.TimelineEntry(timestamp, type, entry)¶

Bases: tuple

property entry¶

Alias for field number 2

property timestamp¶

Alias for field number 0

property type¶

Alias for field number 1

plugins.external.amcache.main(argv=None)¶

plugins.external.amcache.make_unix_timestamp_value_getter(value_name)¶

return a function that fetches the value from the registry key

as a UNIX timestamp.

plugins.external.amcache.make_value_getter(value_name)¶

return a function that fetches the value from the registry key

plugins.external.amcache.make_windows_timestamp_value_getter(value_name)¶

return a function that fetches the value from the registry key

as a Windows timestamp.

plugins.external.amcache.parse_execution_entries(registry)¶

plugins.external.amcache.parse_execution_entry(key)¶

plugins.external.amcache.parse_unix_timestamp(qword)¶

plugins.external.amcache.parse_windows_timestamp(qword)¶

plugins.external.jobparser module¶

class plugins.external.jobparser.Job(data)¶

Bases: object

RunDate = None¶

Variable length section http://msdn.microsoft.com/en-us/library/cc248287%28v=prot.10%29.aspx

class plugins.external.jobparser.JobDate(data, scheduled=False)¶

Bases: object

class plugins.external.jobparser.UUID(data)¶

Bases: object

plugins.external.jobparser.main()¶

plugins.external.jobparser.usage()¶