dissect.target.plugins.os.windows.clfs

Module Contents

Classes

ClfsPlugin

CLFS Plugin.

Attributes

ClfsRecord

dissect.target.plugins.os.windows.clfs.ClfsRecord

class dissect.target.plugins.os.windows.clfs.ClfsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

CLFS Plugin.

Dissect plugin for parsing the Base Log Files of a Microsoft Windows system.

Most of these records are actually parsed in-memory, this is the first iteration to parse the files present on disk. This should be improved in the near future when the memory implementation for dissect is working.

BLF_PATH = 'sysvol/windows/system32/config/'

check_compatible() → bool

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

clfs() → Iterator[ClfsRecord]

Parse the containers associated with a valid BLF file.

Containers are used to store the transactional logs in the form of records.

Sources:

• https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system