dissect.target.plugins.os.windows.log.evt

Module Contents

Classes

WindowsEventlogsMixin
EvtPlugin	Base class for plugins.

Attributes

re_illegal_characters
EvtRecordDescriptor
EVT_GLOB

dissect.target.plugins.os.windows.log.evt.re_illegal_characters

dissect.target.plugins.os.windows.log.evt.EvtRecordDescriptor

dissect.target.plugins.os.windows.log.evt.EVT_GLOB = '*.evt'

class dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin

EVENTLOG_REGISTRY_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog'

LOGS_DIR_PATH

get_logs(filename_glob='*') → List[pathlib.Path]

get_logs_from_dir(logs_dir: str, filename_glob: str = '*') → List[pathlib.Path]

get_logs_from_registry(filename_glob: str = '*') → List[pathlib.Path]

check_compatible()

class dissect.target.plugins.os.windows.log.evt.EvtPlugin(target: dissect.target.Target)

Bases: WindowsEventlogsMixin, dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

• __namespace__

• __record_descriptors__

With the following three being assigned in register():

• __plugin__

• __functions__

• __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

• __exported__

• __output__: Set with the export() decorator.

• __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally. args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

LOGS_DIR_PATH = 'sysvol/windows/system32/config'

NEEDLE = b'LfLe'

CHUNK_SIZE = 65536

evt(log_file_glob: str = EVT_GLOB, logs_dir: Optional[str] = None) → Generator[flow.record.Record, None, None]

Parse Windows Eventlog files (*.evt).

Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The TimeCreated_SystemTime field of the event. Provider_Name (string): The Provider_Name field of the event. EventID (int): The EventID of the event.

scraped_evt() → Generator[flow.record.Record, None, None]

Yields EVT log file records scraped from target disks