dissect.target.plugins.os.windows.syscache

Module Contents

Classes

SyscachePlugin

Plugin to parse Syscache.hve.

Attributes

SyscacheRecord

dissect.target.plugins.os.windows.syscache.SyscacheRecord

class dissect.target.plugins.os.windows.syscache.SyscachePlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to parse Syscache.hve.

hive

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

syscache() → collections.abc.Iterator[SyscacheRecord]

Parse the objects in the ObjectTable from the Syscache.hve file.

References

• https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/