dissect.target.plugins.os.windows.log.evt

Module Contents

Classes

WindowsEventlogsMixin

EvtPlugin

Base class for plugins.

Attributes

dissect.target.plugins.os.windows.log.evt.re_illegal_characters
dissect.target.plugins.os.windows.log.evt.EvtRecordDescriptor
dissect.target.plugins.os.windows.log.evt.EVT_GLOB = '*.evt'
class dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin
EVENTLOG_REGISTRY_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog'
LOGS_DIR_PATH
get_logs(filename_glob='*') -> List[pathlib.Path]
get_logs_from_dir(logs_dir: str, filename_glob: str = '*') -> List[pathlib.Path]
get_logs_from_registry(filename_glob: str = '*') -> List[pathlib.Path]
check_compatible() -> None
class dissect.target.plugins.os.windows.log.evt.EvtPlugin(target: dissect.target.Target)

Bases: WindowsEventlogsMixin, dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes:

  • __exported__

  • __output__

  • __record__

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

LOGS_DIR_PATH = 'sysvol/windows/system32/config'
NEEDLE = b'LfLe'
CHUNK_SIZE = 65536
evt(log_file_glob: str = EVT_GLOB, logs_dir: str | None = None) -> Generator[flow.record.Record, None, None]

Parse Windows Eventlog files (*.evt).

Yields dynamically created records based on the fields in the event. Each record contains at least the following fields:

  • hostname (string): The target hostname.

  • domain (string): The target domain.

  • ts (datetime): The TimeCreated_SystemTime field of the event.

  • Provider_Name (string): The Provider_Name field of the event.

  • EventID (int): The EventID of the event.

scraped_evt() -> Generator[flow.record.Record, None, None]

Yields EVT log file records scraped from target disks.
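Both evt() and scraped_evt() depend on the same property of the legacy EVT format: every EVENTLOGRECORD opens with a Length DWORD, followed by the b'LfLe' signature that the NEEDLE constant holds, and closes with a copy of that Length. The scraper therefore finds candidate records by searching for the needle and keeps only hits whose structure checks out. The following is an added example, not code from dissect.target: it parses the documented Windows EVENTLOGRECORD layout, builds a small constructed image (file header, one record, some slack containing a stray needle, a second record with a SID and insertion strings) and scrapes it. Field names mirror the style of the plugin's records but the exact set is this example's own, ts is taken from the record's TimeGenerated field, and the hostname, event data and SID are invented. It scans an in-memory buffer rather than reading a disk in CHUNK_SIZE pieces, and the file header, which also carries "LfLe", is shown being rejected by the length check.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone

NEEDLE = b"LfLe"   # signature that follows the Length DWORD of every record (and of the file header)
# EVENTLOGRECORD fixed part, 56 bytes: Length, Reserved("LfLe"), RecordNumber, TimeGenerated,
# TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
RECORD_HDR = struct.Struct("<I4sIIIIHHHHIIIIII")
MIN_RECORD_LEN = RECORD_HDR.size + 4   # fixed header plus the trailing Length DWORD


def _utf16z(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset just past the terminator)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf: bytes, offset: int) -> dict | None:
    """Parse the EVENTLOGRECORD at buf[offset:]; return None unless it passes the structural checks."""
    if offset < 0 or offset + RECORD_HDR.size > len(buf):
        return None
    (length, sig, recnum, t_gen, t_writ, event_id, etype, nstrings, category, _flags, _closing,
     str_off, sid_len, sid_off, data_len, data_off) = RECORD_HDR.unpack_from(buf, offset)
    # Rejects the 48-byte file header (it also carries "LfLe") and stray needle hits in slack space.
    if sig != NEEDLE or length < MIN_RECORD_LEN or offset + length > len(buf):
        return None
    if struct.unpack_from("<I", buf, offset + length - 4)[0] != length:
        return None   # closing Length must match the opening one
    if max(str_off, sid_off + sid_len, data_off + data_len) > length:
        return None   # embedded offsets must stay inside the record
    rec = buf[offset:offset + length]
    source, pos = _utf16z(rec, RECORD_HDR.size)   # SourceName then Computername follow the fixed header
    computer, _ = _utf16z(rec, pos)
    strings, pos = [], str_off
    for _ in range(nstrings):
        text, pos = _utf16z(rec, pos)
        strings.append(text)
    return {
        "RecordNumber": recnum,
        "ts": datetime.fromtimestamp(t_gen, tz=timezone.utc),        # TimeGenerated, 32-bit Unix epoch
        "TimeWritten": datetime.fromtimestamp(t_writ, tz=timezone.utc),
        "EventID": event_id,
        "EventCode": event_id & 0xFFFF,   # the number Event Viewer shows; upper bits carry severity/facility
        "EventType": etype,
        "EventCategory": category,
        "SourceName": source,
        "Computername": computer,
        "SID": rec[sid_off:sid_off + sid_len],
        "Strings": strings,
        "Data": rec[data_off:data_off + data_len],
    }


def scrape_records(image: bytes) -> list[dict]:
    """Find every NEEDLE in a raw byte image and keep the hits that parse as valid records."""
    records, pos = [], 0
    while (hit := image.find(NEEDLE, pos)) != -1:
        rec = parse_record(image, hit - 4)   # the Length DWORD sits 4 bytes before the signature
        if rec is not None:
            records.append(rec)
        pos = hit + 1
    return records


# Constructed sample input (not a real log); the builders exist only to make the demo self-contained.
def build_record(recnum: int, ts: int, event_id: int, event_type: int, source: str, computer: str,
                 strings: tuple[str, ...] = (), sid: bytes = b"", data: bytes = b"") -> bytes:
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)                   # SID is DWORD-aligned
    sid_off = RECORD_HDR.size + len(body)
    body += sid
    str_off = RECORD_HDR.size + len(body)
    for text in strings:
        body += text.encode("utf-16-le") + b"\x00\x00"
    data_off = RECORD_HDR.size + len(body)
    body += data
    body += b"\x00" * (-len(body) % 4)                   # pad so the closing Length is DWORD-aligned
    length = RECORD_HDR.size + len(body) + 4
    hdr = RECORD_HDR.pack(length, NEEDLE, recnum, ts, ts, event_id, event_type, len(strings),
                          0, 0, 0, str_off, len(sid), sid_off, len(data), data_off)
    return hdr + body + struct.pack("<I", length)


def build_file_header() -> bytes:
    """ELF_LOGFILE_HEADER: 48 bytes that also contain "LfLe", the classic false positive for a needle scan."""
    return struct.pack("<I4s" + "I" * 10, 0x30, NEEDLE, 1, 1, 0x30, 0x30, 1, 1, 0x80000, 0, 0, 0x30)


SAMPLE_IMAGE = (
    build_file_header()
    + build_record(1, 1700000000, 6005, 4, "EventLog", "WORKSTATION")
    + b"\x00" * 13 + b"slack LfLe slack"                # stray needle in unallocated space, no record behind it
    + build_record(2, 1700000060, 0x40000210, 8, "Security", "WORKSTATION",
                   strings=("Administrator", "WORKSTATION", "(0x0,0x3E7)", "2"),
                   sid=bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0]))   # S-1-5-18, LocalSystem
)
```

Running scrape_records(SAMPLE_IMAGE) yields two records: the file header is dropped because its 48-byte length is below the minimum record size, and the needle in the slack bytes is dropped because the bytes before it do not form a Length that closes the record. The same three checks (minimum length, matching closing Length, offsets inside the record) are what keep a disk-wide scrape from flooding the output with garbage, and they are cheap enough to apply to every hit.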