Contents Menu Expand Light mode Dark mode Auto light/dark, in light mode Auto light/dark, in dark mode Skip to content
Dissect 3.21 documentation
Light Logo Dark Logo
  • Home

Basics

  • Install
  • Tutorial
  • Querying
  • Shell
  • Mount
  • Acquire
  • RDump

In-Depth

  • Tools
    • acquire
    • target-query
    • target-shell
    • target-fs
    • target-reg
    • target-dump
    • target-dd
    • target-mount
    • target-info
    • rdump
  • Projects
    • acquire
    • dissect.apfs
    • dissect.archive
    • dissect.btrfs
    • dissect.cim
    • dissect.clfs
    • dissect.cstruct
    • dissect.database
    • dissect.etl
    • dissect.eventlog
    • dissect.evidence
    • dissect.executable
    • dissect.extfs
    • dissect.fat
    • dissect.ffs
    • dissect.fve
    • dissect.hypervisor
    • dissect.jffs
    • dissect.ntfs
    • dissect.ole
    • dissect.regf
    • dissect.shellitem
    • dissect.squashfs
    • dissect.target
    • dissect.thumbcache
    • dissect.util
    • dissect.vmfs
    • dissect.volume
    • dissect.xfs
    • flow.record
  • Usage
    • Introduction
    • First steps
      • Next steps as an Incident Handler
      • Next steps as a Security Analyst
    • Use-cases
    • Disk encryption (FVE)
  • Plugin Reference
    • 7zip
    • account_policy
    • acquire
    • acquire.handles
    • acquire.hashes
    • activitiescache
    • activity
    • adpolicy
    • alternateshell
    • amcache
    • amcache.applaunches
    • amcache.application_files
    • amcache.applications
    • amcache.device_containers
    • amcache.drivers
    • amcache.files
    • amcache.general
    • amcache.programs
    • amcache.shortcuts
    • amcache_install
    • anydesk
    • anydesk.filetransfer
    • anydesk.logs
    • apache
    • apache.access
    • apache.error
    • apache.hosts
    • apache.logs
    • appinit
    • applications
    • appxdebugkeys
    • apt
    • apt.logs
    • atop
    • audit
    • auditpol
    • authlog
    • bam
    • bashhistory
    • bootshell
    • brave
    • brave.cookies
    • brave.downloads
    • brave.extensions
    • brave.history
    • brave.passwords
    • browser
    • browser.cookies
    • browser.downloads
    • browser.extensions
    • browser.history
    • browser.passwords
    • btmp
    • caddy
    • caddy.access
    • caddy.logs
    • cam
    • cam.history
    • cam.registry
    • capability_binaries
    • catroot
    • catroot.catdb
    • catroot.files
    • chat
    • chat.history
    • chrome
    • chrome.cookies
    • chrome.downloads
    • chrome.extensions
    • chrome.history
    • chrome.passwords
    • chromium
    • chromium.cookies
    • chromium.downloads
    • chromium.extensions
    • chromium.history
    • chromium.passwords
    • cim
    • cim.consumerbindings
    • cit
    • cit.cit
    • cit.dp
    • cit.modules
    • cit.puu
    • cit.telemetry
    • citrix
    • citrix.access
    • citrix.error
    • citrix.hosts
    • citrix.logs
    • clfs
    • clsid
    • clsid.machine
    • clsid.user
    • cmdline
    • codepage
    • commandhistory
    • commandprocautorun
    • config_tree
    • container
    • container.containers
    • container.images
    • container.logs
    • cpanel
    • cpanel.lastlogin
    • credhist
    • cronjobs
    • datetime
    • defender
    • defender.evtx
    • defender.exclusions
    • defender.mplog
    • defender.quarantine
    • defender.recover
    • docker
    • docker.containers
    • docker.images
    • docker.logs
    • domain
    • domain_sid
    • dpapi
    • dpapi.keyprovider
    • dpapi.keyprovider.credhist
    • dpapi.keyprovider.credhist.keys
    • dpapi.keyprovider.defaultpassword
    • dpapi.keyprovider.defaultpassword.lsa
    • dpapi.keyprovider.defaultpassword.lsa.keys
    • dpapi.keyprovider.defaultpassword.winlogon
    • dpapi.keyprovider.defaultpassword.winlogon.keys
    • dpapi.keyprovider.empty
    • dpapi.keyprovider.empty.keys
    • dpapi.keyprovider.keychain
    • dpapi.keyprovider.keychain.keys
    • dpapi.keyprovider.keys
    • dpkg
    • dpkg.log
    • dpkg.status
    • edge
    • edge.cookies
    • edge.downloads
    • edge.extensions
    • edge.history
    • edge.passwords
    • editor
    • editor.extensions
    • editor.history
    • editor.tabs
    • envfile
    • environ
    • environment_variables
    • etc
    • etc.etc
    • etl
    • etl.boot
    • etl.etl
    • etl.shutdown
    • everything
    • everything.locate
    • evt
    • evtx
    • example
    • example_namespace
    • example_namespace.example_record
    • example_none
    • example_record
    • example_user_registry_record
    • example_yield
    • exchange
    • exchange.transport_agents
    • filerenameop
    • firefox
    • firefox.cookies
    • firefox.downloads
    • firefox.extensions
    • firefox.history
    • firefox.passwords
    • firewall
    • firewall.logs
    • firewall.rules
    • gnulocate
    • gnulocate.locate
    • icat
    • iexplore
    • iexplore.downloads
    • iexplore.history
    • iis
    • iis.access
    • iis.logs
    • install_date
    • iptables
    • jumplist
    • jumplist.automatic_destination
    • jumplist.custom_destination
    • keyboard
    • knowndlls
    • language
    • lastlog
    • license
    • lnk
    • loaders
    • locate
    • locate.locate
    • lsa
    • lsa.secrets
    • lsmod
    • machine_sid
    • mcafee
    • mcafee.msc
    • messages
    • mft
    • mft.body
    • mft.records
    • mft.timeline
    • mft_timeline
    • mlocate
    • mlocate.locate
    • mru
    • mru.acmru
    • mru.lastvisited
    • mru.msoffice
    • mru.mstsc
    • mru.networkdrive
    • mru.opensave
    • mru.recentdocs
    • mru.run
    • msn
    • msn.history
    • msoffice
    • msoffice.native
    • msoffice.startup
    • msoffice.web
    • mssql
    • mssql.errorlog
    • muicache
    • ndis
    • netstat
    • network
    • network.dhcp
    • network.dns
    • network.gateways
    • network.interfaces
    • network.ips
    • network.macs
    • network_history
    • nginx
    • nginx.access
    • nginx.error
    • nginx.hosts
    • nginx.logs
    • notifications
    • notifications.appdb
    • notifications.wpndatabase
    • ntversion
    • nullsessionpipes
    • openssh
    • openssh.authorized_keys
    • openssh.known_hosts
    • openssh.private_keys
    • openssh.public_keys
    • opensshd
    • opensshd.config
    • openvpn
    • openvpn.config
    • osinfo
    • packagemanager
    • packagemanager.logs
    • passwords
    • path_extensions
    • pathenvironment
    • pfro
    • plocate
    • plocate.locate
    • plugins
    • podman
    • podman.containers
    • podman.images
    • podman.logs
    • powershell_history
    • prefetch
    • proc
    • processes
    • productkey
    • putty
    • putty.known_hosts
    • putty.sessions
    • qfind
    • rdpcache
    • rdpcache.paths
    • rdpcache.recover
    • recentfilecache
    • recently_used
    • recyclebin
    • regf
    • registry
    • remoteaccess
    • remoteaccess.filetransfer
    • remoteaccess.logs
    • runkeys
    • rustdesk
    • rustdesk.logs
    • sam
    • schedlgu
    • scrape
    • scraped_evt
    • scraped_evtx
    • search
    • securelog
    • services
    • sessionmanager
    • sevenzip
    • shellbags
    • shimcache
    • sid
    • snap
    • snaps
    • sockets
    • sockets.packet
    • sockets.raw
    • sockets.tcp
    • sockets.udp
    • sockets.unix
    • sophos
    • sophos.hitmanlogs
    • sophos.sophoshomelogs
    • splashtop
    • splashtop.filetransfer
    • splashtop.logs
    • sru
    • sru.application
    • sru.application_timeline
    • sru.energy_estimator
    • sru.energy_usage
    • sru.energy_usage_lt
    • sru.network_connectivity
    • sru.network_data
    • sru.push_notification
    • sru.sdp_cpu_provider
    • sru.sdp_network_provider
    • sru.sdp_physical_disk_provider
    • sru.sdp_volume_provider
    • sru.vfu
    • ssh
    • ssh.authorized_keys
    • ssh.config
    • ssh.known_hosts
    • ssh.private_keys
    • ssh.public_keys
    • ssh.sessions
    • startupinfo
    • suid_binaries
    • symantec
    • symantec.firewall
    • symantec.logs
    • syscache
    • syslog
    • sysmodules
    • tasks
    • teamviewer
    • teamviewer.logs
    • thumbcache
    • thumbcache.iconcache
    • thumbcache.thumbcache
    • timezone
    • trash
    • trendmicro
    • trendmicro.wffirewall
    • trendmicro.wflogs
    • trusteddocs
    • ual
    • ual.client_access
    • ual.domains_seen
    • ual.role_access
    • ual.system_identities
    • ual.virtual_machines
    • usb
    • user_details
    • userassist
    • usnjrnl
    • utmp
    • velociraptor
    • velociraptor.results
    • vmlist
    • vmware
    • vmware.clipboard
    • vmware.config
    • vmware.draganddrop
    • walkfs
    • webserver
    • webserver.access
    • webserver.error
    • webserver.hosts
    • webserver.logs
    • wer
    • wget
    • wget.hsts
    • windowsnotepad
    • windowsnotepad.extensions
    • windowsnotepad.history
    • windowsnotepad.tabs
    • winrar
    • winsocknamespaceprovider
    • wireguard
    • wireguard.config
    • wtmp
    • wua_history
    • yara
    • yum
    • yum.logs
    • zypper
    • zypper.logs
  • Architecture
  • Advanced
    • Python API
    • Targets
    • Loaders
    • Containers
    • Volumes
    • Filesystems
    • Plugins
    • Record Descriptors
  • API Reference
    • acquire.acquire
      • acquire.acquire.dynamic
        • acquire.acquire.dynamic.windows
          • acquire.acquire.dynamic.windows.collect
          • acquire.acquire.dynamic.windows.exceptions
          • acquire.acquire.dynamic.windows.handles
          • acquire.acquire.dynamic.windows.named_objects
          • acquire.acquire.dynamic.windows.ntdll
          • acquire.acquire.dynamic.windows.types
      • acquire.acquire.gui
        • acquire.acquire.gui.base
        • acquire.acquire.gui.win32
      • acquire.acquire.outputs
        • acquire.acquire.outputs.base
        • acquire.acquire.outputs.dir
        • acquire.acquire.outputs.tar
        • acquire.acquire.outputs.zip
      • acquire.acquire.tools
        • acquire.acquire.tools.decrypter
      • acquire.acquire.uploaders
        • acquire.acquire.uploaders.minio
        • acquire.acquire.uploaders.plugin
        • acquire.acquire.uploaders.plugin_registry
      • acquire.acquire.acquire
      • acquire.acquire.collector
      • acquire.acquire.crypt
      • acquire.acquire.esxi
      • acquire.acquire.hashes
      • acquire.acquire.log
      • acquire.acquire.utils
      • acquire.acquire.volatilestream
    • dissect.apfs
      • dissect.apfs.objects
        • dissect.apfs.objects.base
        • dissect.apfs.objects.btree
        • dissect.apfs.objects.btree_node
        • dissect.apfs.objects.checkpoint_map
        • dissect.apfs.objects.efi_jumpstart
        • dissect.apfs.objects.er_recovery_block
        • dissect.apfs.objects.er_state
        • dissect.apfs.objects.fs
        • dissect.apfs.objects.gbitmap
        • dissect.apfs.objects.gbitmap_block
        • dissect.apfs.objects.integrity_meta
        • dissect.apfs.objects.keybag
        • dissect.apfs.objects.nx_fusion_wbc
        • dissect.apfs.objects.nx_fusion_wbc_list
        • dissect.apfs.objects.nx_reap_list
        • dissect.apfs.objects.nx_reaper
        • dissect.apfs.objects.nx_superblock
        • dissect.apfs.objects.omap
        • dissect.apfs.objects.snap_meta_ext
        • dissect.apfs.objects.spaceman
        • dissect.apfs.objects.spaceman_bitmap
        • dissect.apfs.objects.spaceman_cab
        • dissect.apfs.objects.spaceman_cib
      • dissect.apfs.apfs
      • dissect.apfs.c_apfs
      • dissect.apfs.cursor
      • dissect.apfs.exception
      • dissect.apfs.stream
      • dissect.apfs.util
    • dissect.archive
      • dissect.archive.tools
        • dissect.archive.tools.backup
      • dissect.archive.c_vbk
      • dissect.archive.c_vma
      • dissect.archive.c_wim
      • dissect.archive.exceptions
      • dissect.archive.vbk
      • dissect.archive.vma
      • dissect.archive.wim
      • dissect.archive.xva
    • dissect.btrfs
      • dissect.btrfs.btrfs
      • dissect.btrfs.c_btrfs
      • dissect.btrfs.exceptions
      • dissect.btrfs.stream
      • dissect.btrfs.tree
    • dissect.cim
      • dissect.cim.c_cim
      • dissect.cim.cim
      • dissect.cim.classes
      • dissect.cim.exceptions
      • dissect.cim.index
      • dissect.cim.mappings
      • dissect.cim.objects
      • dissect.cim.utils
    • dissect.clfs
      • dissect.clfs.blf
      • dissect.clfs.c_clfs
      • dissect.clfs.container
      • dissect.clfs.exceptions
    • dissect.cramfs
      • dissect.cramfs.c_cramfs
      • dissect.cramfs.cramfs
      • dissect.cramfs.exception
    • dissect.cstruct
      • dissect.cstruct.tools
        • dissect.cstruct.tools.stubgen
      • dissect.cstruct.types
        • dissect.cstruct.types.base
        • dissect.cstruct.types.char
        • dissect.cstruct.types.enum
        • dissect.cstruct.types.flag
        • dissect.cstruct.types.int
        • dissect.cstruct.types.leb128
        • dissect.cstruct.types.packed
        • dissect.cstruct.types.pointer
        • dissect.cstruct.types.structure
        • dissect.cstruct.types.void
        • dissect.cstruct.types.wchar
      • dissect.cstruct.bitbuffer
      • dissect.cstruct.compiler
      • dissect.cstruct.cstruct
      • dissect.cstruct.exceptions
      • dissect.cstruct.expression
      • dissect.cstruct.parser
      • dissect.cstruct.utils
    • dissect.database
      • dissect.database.bsd
        • dissect.database.bsd.tools
          • dissect.database.bsd.tools.c_rpm
          • dissect.database.bsd.tools.rpm
        • dissect.database.bsd.c_db
        • dissect.database.bsd.db
      • dissect.database.ese
        • dissect.database.ese.tools
          • dissect.database.ese.tools.certlog
          • dissect.database.ese.tools.impacket
          • dissect.database.ese.tools.sru
          • dissect.database.ese.tools.ual
        • dissect.database.ese.btree
        • dissect.database.ese.c_ese
        • dissect.database.ese.compression
        • dissect.database.ese.cursor
        • dissect.database.ese.ese
        • dissect.database.ese.exception
        • dissect.database.ese.index
        • dissect.database.ese.lcmapstring
        • dissect.database.ese.page
        • dissect.database.ese.record
        • dissect.database.ese.sorting_table
        • dissect.database.ese.table
        • dissect.database.ese.util
      • dissect.database.sqlite3
        • dissect.database.sqlite3.c_sqlite3
        • dissect.database.sqlite3.exception
        • dissect.database.sqlite3.sqlite3
        • dissect.database.sqlite3.util
      • dissect.database.exception
    • dissect.etl
      • dissect.etl.headers
        • dissect.etl.headers.event
        • dissect.etl.headers.headers
        • dissect.etl.headers.logfile
        • dissect.etl.headers.system
        • dissect.etl.headers.utils
      • dissect.etl.manifests
      • dissect.etl.c_etl
      • dissect.etl.etl
      • dissect.etl.exceptions
      • dissect.etl.manifest
      • dissect.etl.utils
    • dissect.eventlog
      • dissect.eventlog.bxml
      • dissect.eventlog.evt
      • dissect.eventlog.evtx
      • dissect.eventlog.exceptions
      • dissect.eventlog.utils
      • dissect.eventlog.wevt
      • dissect.eventlog.wevt_object
      • dissect.eventlog.wevtutil
    • dissect.evidence
      • dissect.evidence.asdf
        • dissect.evidence.asdf.asdf
        • dissect.evidence.asdf.streams
      • dissect.evidence.tools
        • dissect.evidence.tools.asdf
          • dissect.evidence.tools.asdf.dd
          • dissect.evidence.tools.asdf.meta
          • dissect.evidence.tools.asdf.repair
          • dissect.evidence.tools.asdf.verify
      • dissect.evidence.ad1
      • dissect.evidence.aff4
      • dissect.evidence.ewf
      • dissect.evidence.exceptions
    • dissect.executable
      • dissect.executable.elf
        • dissect.executable.elf.c_elf
        • dissect.executable.elf.elf
      • dissect.executable.macho
      • dissect.executable.pe
        • dissect.executable.pe.directory
          • dissect.executable.pe.directory.base
          • dissect.executable.pe.directory.basereloc
          • dissect.executable.pe.directory.bound_import
          • dissect.executable.pe.directory.com_descriptor
          • dissect.executable.pe.directory.debug
          • dissect.executable.pe.directory.delay_import
          • dissect.executable.pe.directory.exception
          • dissect.executable.pe.directory.export
          • dissect.executable.pe.directory.iat
          • dissect.executable.pe.directory.imports
          • dissect.executable.pe.directory.load_config
          • dissect.executable.pe.directory.resource
          • dissect.executable.pe.directory.security
          • dissect.executable.pe.directory.tls
        • dissect.executable.pe.c_pe
        • dissect.executable.pe.locale_id
        • dissect.executable.pe.pe
      • dissect.executable.exception
    • dissect.extfs
      • dissect.extfs.c_ext
      • dissect.extfs.c_jdb2
      • dissect.extfs.exceptions
      • dissect.extfs.extfs
      • dissect.extfs.journal
    • dissect.fat
      • dissect.fat.c_exfat
      • dissect.fat.c_fat
      • dissect.fat.exceptions
      • dissect.fat.exfat
      • dissect.fat.fat
    • dissect.ffs
      • dissect.ffs.c_ffs
      • dissect.ffs.exceptions
      • dissect.ffs.ffs
    • dissect.fve
      • dissect.fve.bde
        • dissect.fve.bde.bde
        • dissect.fve.bde.c_bde
        • dissect.fve.bde.eow
        • dissect.fve.bde.information
        • dissect.fve.bde.key
      • dissect.fve.crypto
        • dissect.fve.crypto.argon2
        • dissect.fve.crypto.base
        • dissect.fve.crypto.dmcrypt
        • dissect.fve.crypto.elephant
        • dissect.fve.crypto.util
      • dissect.fve.luks
        • dissect.fve.luks.af
        • dissect.fve.luks.c_luks
        • dissect.fve.luks.luks
        • dissect.fve.luks.metadata
      • dissect.fve.tools
        • dissect.fve.tools.dd
      • dissect.fve.exception
    • dissect.hypervisor
      • dissect.hypervisor.descriptor
        • dissect.hypervisor.descriptor.c_hyperv
        • dissect.hypervisor.descriptor.hyperv
        • dissect.hypervisor.descriptor.ovf
        • dissect.hypervisor.descriptor.pvs
        • dissect.hypervisor.descriptor.vbox
        • dissect.hypervisor.descriptor.vmx
      • dissect.hypervisor.disk
        • dissect.hypervisor.disk.asif
        • dissect.hypervisor.disk.c_asif
        • dissect.hypervisor.disk.c_hdd
        • dissect.hypervisor.disk.c_qcow2
        • dissect.hypervisor.disk.c_vdi
        • dissect.hypervisor.disk.c_vhd
        • dissect.hypervisor.disk.c_vhdx
        • dissect.hypervisor.disk.c_vmdk
        • dissect.hypervisor.disk.hdd
        • dissect.hypervisor.disk.qcow2
        • dissect.hypervisor.disk.vdi
        • dissect.hypervisor.disk.vhd
        • dissect.hypervisor.disk.vhdx
        • dissect.hypervisor.disk.vmdk
      • dissect.hypervisor.tools
        • dissect.hypervisor.tools.envelope
        • dissect.hypervisor.tools.vmtar
      • dissect.hypervisor.util
        • dissect.hypervisor.util.envelope
        • dissect.hypervisor.util.vmtar
      • dissect.hypervisor.exceptions
    • dissect.jffs
      • dissect.jffs.c_jffs2
      • dissect.jffs.exceptions
      • dissect.jffs.jffs2
    • dissect.ntfs
      • dissect.ntfs.attr
      • dissect.ntfs.c_ntfs
      • dissect.ntfs.exceptions
      • dissect.ntfs.index
      • dissect.ntfs.mft
      • dissect.ntfs.ntfs
      • dissect.ntfs.secure
      • dissect.ntfs.stream
      • dissect.ntfs.usnjrnl
      • dissect.ntfs.util
    • dissect.ole
      • dissect.ole.c_ole
      • dissect.ole.exceptions
      • dissect.ole.ole
    • dissect.qnxfs
      • dissect.qnxfs.c_qnx4
      • dissect.qnxfs.c_qnx6
      • dissect.qnxfs.exceptions
      • dissect.qnxfs.qnx4
      • dissect.qnxfs.qnx6
      • dissect.qnxfs.qnxfs
    • dissect.regf
      • dissect.regf.c_regf
      • dissect.regf.exceptions
      • dissect.regf.regf
    • dissect.shellitem
      • dissect.shellitem.lnk
        • dissect.shellitem.lnk.c_lnk
        • dissect.shellitem.lnk.lnk
      • dissect.shellitem.tools
        • dissect.shellitem.tools.lnk
    • dissect.squashfs
      • dissect.squashfs.c_squashfs
      • dissect.squashfs.compression
      • dissect.squashfs.exceptions
      • dissect.squashfs.squashfs
    • dissect.target
      • dissect.target.containers
        • dissect.target.containers.asdf
        • dissect.target.containers.asif
        • dissect.target.containers.ewf
        • dissect.target.containers.fortifw
        • dissect.target.containers.hdd
        • dissect.target.containers.hds
        • dissect.target.containers.qcow2
        • dissect.target.containers.raw
        • dissect.target.containers.split
        • dissect.target.containers.vdi
        • dissect.target.containers.vhd
        • dissect.target.containers.vhdx
        • dissect.target.containers.vmdk
      • dissect.target.filesystems
        • dissect.target.filesystems.ad1
        • dissect.target.filesystems.btrfs
        • dissect.target.filesystems.cb
        • dissect.target.filesystems.config
        • dissect.target.filesystems.cpio
        • dissect.target.filesystems.cramfs
        • dissect.target.filesystems.dir
        • dissect.target.filesystems.exfat
        • dissect.target.filesystems.extfs
        • dissect.target.filesystems.fat
        • dissect.target.filesystems.ffs
        • dissect.target.filesystems.itunes
        • dissect.target.filesystems.jffs
        • dissect.target.filesystems.nfs
        • dissect.target.filesystems.ntfs
        • dissect.target.filesystems.overlay
        • dissect.target.filesystems.qnxfs
        • dissect.target.filesystems.smb
        • dissect.target.filesystems.squashfs
        • dissect.target.filesystems.tar
        • dissect.target.filesystems.vbk
        • dissect.target.filesystems.vmfs
        • dissect.target.filesystems.vmtar
        • dissect.target.filesystems.xfs
        • dissect.target.filesystems.zip
      • dissect.target.helpers
        • dissect.target.helpers.compat
          • dissect.target.helpers.compat.path_310
          • dissect.target.helpers.compat.path_311
          • dissect.target.helpers.compat.path_312
          • dissect.target.helpers.compat.path_313
          • dissect.target.helpers.compat.path_common
        • dissect.target.helpers.nfs
          • dissect.target.helpers.nfs.client
            • dissect.target.helpers.nfs.client.mount
            • dissect.target.helpers.nfs.client.nfs
          • dissect.target.helpers.nfs.nfs3
          • dissect.target.helpers.nfs.serializer
        • dissect.target.helpers.regex
          • dissect.target.helpers.regex.ipaddress
        • dissect.target.helpers.sunrpc
          • dissect.target.helpers.sunrpc.client
          • dissect.target.helpers.sunrpc.serializer
          • dissect.target.helpers.sunrpc.sunrpc
        • dissect.target.helpers.cache
        • dissect.target.helpers.config
        • dissect.target.helpers.configutil
        • dissect.target.helpers.cyber
        • dissect.target.helpers.descriptor_extensions
        • dissect.target.helpers.docs
        • dissect.target.helpers.fsutil
        • dissect.target.helpers.hashutil
        • dissect.target.helpers.keychain
        • dissect.target.helpers.lazy
        • dissect.target.helpers.loaderutil
        • dissect.target.helpers.localeutil
        • dissect.target.helpers.logging
        • dissect.target.helpers.mount
        • dissect.target.helpers.mui
        • dissect.target.helpers.network
        • dissect.target.helpers.polypath
        • dissect.target.helpers.protobuf
        • dissect.target.helpers.record
        • dissect.target.helpers.record_modifier
        • dissect.target.helpers.regutil
        • dissect.target.helpers.scrape
        • dissect.target.helpers.shell_application_ids
        • dissect.target.helpers.shell_folder_ids
        • dissect.target.helpers.utils
      • dissect.target.loaders
        • dissect.target.loaders.ab
        • dissect.target.loaders.acquire
        • dissect.target.loaders.asdf
        • dissect.target.loaders.cb
        • dissect.target.loaders.cellebrite
        • dissect.target.loaders.containerimage
        • dissect.target.loaders.cyber
        • dissect.target.loaders.dir
        • dissect.target.loaders.direct
        • dissect.target.loaders.hyperv
        • dissect.target.loaders.itunes
        • dissect.target.loaders.kape
        • dissect.target.loaders.libvirt
        • dissect.target.loaders.local
        • dissect.target.loaders.log
        • dissect.target.loaders.mqtt
        • dissect.target.loaders.multiraw
        • dissect.target.loaders.ova
        • dissect.target.loaders.overlay
        • dissect.target.loaders.overlay2
        • dissect.target.loaders.ovf
        • dissect.target.loaders.phobos
        • dissect.target.loaders.profile
        • dissect.target.loaders.proxmox
        • dissect.target.loaders.pvm
        • dissect.target.loaders.pvs
        • dissect.target.loaders.raw
        • dissect.target.loaders.remote
        • dissect.target.loaders.res
        • dissect.target.loaders.smb
        • dissect.target.loaders.tanium
        • dissect.target.loaders.tar
        • dissect.target.loaders.target
        • dissect.target.loaders.uac
        • dissect.target.loaders.utm
        • dissect.target.loaders.vb
        • dissect.target.loaders.vbk
        • dissect.target.loaders.vbox
        • dissect.target.loaders.velociraptor
        • dissect.target.loaders.vma
        • dissect.target.loaders.vmwarevm
        • dissect.target.loaders.vmx
        • dissect.target.loaders.xva
        • dissect.target.loaders.zip
      • dissect.target.plugins
        • dissect.target.plugins.apps
          • dissect.target.plugins.apps.av
            • dissect.target.plugins.apps.av.mcafee
            • dissect.target.plugins.apps.av.sophos
            • dissect.target.plugins.apps.av.symantec
            • dissect.target.plugins.apps.av.trendmicro
          • dissect.target.plugins.apps.browser
            • dissect.target.plugins.apps.browser.brave
            • dissect.target.plugins.apps.browser.browser
            • dissect.target.plugins.apps.browser.chrome
            • dissect.target.plugins.apps.browser.chromium
            • dissect.target.plugins.apps.browser.edge
            • dissect.target.plugins.apps.browser.firefox
            • dissect.target.plugins.apps.browser.iexplore
          • dissect.target.plugins.apps.chat
            • dissect.target.plugins.apps.chat.chat
            • dissect.target.plugins.apps.chat.msn
          • dissect.target.plugins.apps.container
            • dissect.target.plugins.apps.container.container
            • dissect.target.plugins.apps.container.docker
            • dissect.target.plugins.apps.container.podman
          • dissect.target.plugins.apps.editor
            • dissect.target.plugins.apps.editor.editor
            • dissect.target.plugins.apps.editor.windowsnotepad
          • dissect.target.plugins.apps.edr
            • dissect.target.plugins.apps.edr.acquire
            • dissect.target.plugins.apps.edr.velociraptor
          • dissect.target.plugins.apps.other
            • dissect.target.plugins.apps.other.env
          • dissect.target.plugins.apps.productivity
            • dissect.target.plugins.apps.productivity.msoffice
            • dissect.target.plugins.apps.productivity.sevenzip
            • dissect.target.plugins.apps.productivity.winrar
          • dissect.target.plugins.apps.remoteaccess
            • dissect.target.plugins.apps.remoteaccess.anydesk
            • dissect.target.plugins.apps.remoteaccess.remoteaccess
            • dissect.target.plugins.apps.remoteaccess.rustdesk
            • dissect.target.plugins.apps.remoteaccess.splashtop
            • dissect.target.plugins.apps.remoteaccess.teamviewer
          • dissect.target.plugins.apps.shell
            • dissect.target.plugins.apps.shell.powershell
            • dissect.target.plugins.apps.shell.wget
          • dissect.target.plugins.apps.ssh
            • dissect.target.plugins.apps.ssh.openssh
            • dissect.target.plugins.apps.ssh.opensshd
            • dissect.target.plugins.apps.ssh.putty
            • dissect.target.plugins.apps.ssh.ssh
          • dissect.target.plugins.apps.virtualization
            • dissect.target.plugins.apps.virtualization.vmware_workstation
          • dissect.target.plugins.apps.vpn
            • dissect.target.plugins.apps.vpn.openvpn
            • dissect.target.plugins.apps.vpn.wireguard
          • dissect.target.plugins.apps.webhosting
            • dissect.target.plugins.apps.webhosting.cpanel
          • dissect.target.plugins.apps.webserver
            • dissect.target.plugins.apps.webserver.apache
            • dissect.target.plugins.apps.webserver.caddy
            • dissect.target.plugins.apps.webserver.citrix
            • dissect.target.plugins.apps.webserver.iis
            • dissect.target.plugins.apps.webserver.nginx
            • dissect.target.plugins.apps.webserver.webserver
        • dissect.target.plugins.child
          • dissect.target.plugins.child.colima
          • dissect.target.plugins.child.docker
          • dissect.target.plugins.child.esxi
          • dissect.target.plugins.child.hyperv
          • dissect.target.plugins.child.lima
          • dissect.target.plugins.child.parallels
          • dissect.target.plugins.child.podman
          • dissect.target.plugins.child.proxmox
          • dissect.target.plugins.child.qemu
          • dissect.target.plugins.child.virtualbox
          • dissect.target.plugins.child.virtuozzo
          • dissect.target.plugins.child.vmware_workstation
          • dissect.target.plugins.child.wsl
        • dissect.target.plugins.filesystem
          • dissect.target.plugins.filesystem.ntfs
            • dissect.target.plugins.filesystem.ntfs.mft
            • dissect.target.plugins.filesystem.ntfs.mft_timeline
            • dissect.target.plugins.filesystem.ntfs.usnjrnl
            • dissect.target.plugins.filesystem.ntfs.utils
          • dissect.target.plugins.filesystem.unix
            • dissect.target.plugins.filesystem.unix.capability
            • dissect.target.plugins.filesystem.unix.suid
          • dissect.target.plugins.filesystem.icat
          • dissect.target.plugins.filesystem.resolver
          • dissect.target.plugins.filesystem.walkfs
          • dissect.target.plugins.filesystem.yara
        • dissect.target.plugins.general
          • dissect.target.plugins.general.config
          • dissect.target.plugins.general.example
          • dissect.target.plugins.general.loaders
          • dissect.target.plugins.general.osinfo
          • dissect.target.plugins.general.plugins
          • dissect.target.plugins.general.users
        • dissect.target.plugins.os
          • dissect.target.plugins.os.default
            • dissect.target.plugins.os.default._os
            • dissect.target.plugins.os.default.datetime
            • dissect.target.plugins.os.default.locale
            • dissect.target.plugins.os.default.network
          • dissect.target.plugins.os.unix
            • dissect.target.plugins.os.unix.bsd
              • dissect.target.plugins.os.unix.bsd.citrix
                • dissect.target.plugins.os.unix.bsd.citrix._os
                • dissect.target.plugins.os.unix.bsd.citrix.history
              • dissect.target.plugins.os.unix.bsd.darwin
                • dissect.target.plugins.os.unix.bsd.darwin.ios
                  • dissect.target.plugins.os.unix.bsd.darwin.ios._os
                  • dissect.target.plugins.os.unix.bsd.darwin.ios.applications
                  • dissect.target.plugins.os.unix.bsd.darwin.ios.generic
                  • dissect.target.plugins.os.unix.bsd.darwin.ios.locale
                • dissect.target.plugins.os.unix.bsd.darwin.macos
                  • dissect.target.plugins.os.unix.bsd.darwin.macos._os
                  • dissect.target.plugins.os.unix.bsd.darwin.macos.network
                  • dissect.target.plugins.os.unix.bsd.darwin.macos.user
                • dissect.target.plugins.os.unix.bsd.darwin._os
              • dissect.target.plugins.os.unix.bsd.freebsd
                • dissect.target.plugins.os.unix.bsd.freebsd._os
              • dissect.target.plugins.os.unix.bsd.openbsd
                • dissect.target.plugins.os.unix.bsd.openbsd._os
              • dissect.target.plugins.os.unix.bsd._os
            • dissect.target.plugins.os.unix.esxi
              • dissect.target.plugins.os.unix.esxi._os
            • dissect.target.plugins.os.unix.etc
              • dissect.target.plugins.os.unix.etc.etc
            • dissect.target.plugins.os.unix.linux
              • dissect.target.plugins.os.unix.linux.android
                • dissect.target.plugins.os.unix.linux.android._os
              • dissect.target.plugins.os.unix.linux.debian
                • dissect.target.plugins.os.unix.linux.debian.proxmox
                  • dissect.target.plugins.os.unix.linux.debian.proxmox._os
                  • dissect.target.plugins.os.unix.linux.debian.proxmox.vm
                • dissect.target.plugins.os.unix.linux.debian.vyos
                  • dissect.target.plugins.os.unix.linux.debian.vyos._os
                • dissect.target.plugins.os.unix.linux.debian._os
                • dissect.target.plugins.os.unix.linux.debian.apt
                • dissect.target.plugins.os.unix.linux.debian.dpkg
                • dissect.target.plugins.os.unix.linux.debian.snap
              • dissect.target.plugins.os.unix.linux.fortios
                • dissect.target.plugins.os.unix.linux.fortios._os
                • dissect.target.plugins.os.unix.linux.fortios.generic
                • dissect.target.plugins.os.unix.linux.fortios.locale
              • dissect.target.plugins.os.unix.linux.redhat
                • dissect.target.plugins.os.unix.linux.redhat._os
                • dissect.target.plugins.os.unix.linux.redhat.yum
              • dissect.target.plugins.os.unix.linux.suse
                • dissect.target.plugins.os.unix.linux.suse._os
                • dissect.target.plugins.os.unix.linux.suse.zypper
              • dissect.target.plugins.os.unix.linux._os
              • dissect.target.plugins.os.unix.linux.cmdline
              • dissect.target.plugins.os.unix.linux.environ
              • dissect.target.plugins.os.unix.linux.iptables
              • dissect.target.plugins.os.unix.linux.modules
              • dissect.target.plugins.os.unix.linux.netstat
              • dissect.target.plugins.os.unix.linux.network
              • dissect.target.plugins.os.unix.linux.network_managers
              • dissect.target.plugins.os.unix.linux.proc
              • dissect.target.plugins.os.unix.linux.processes
              • dissect.target.plugins.os.unix.linux.recentlyused
              • dissect.target.plugins.os.unix.linux.services
              • dissect.target.plugins.os.unix.linux.sockets
            • dissect.target.plugins.os.unix.locate
              • dissect.target.plugins.os.unix.locate.gnulocate
              • dissect.target.plugins.os.unix.locate.locate
              • dissect.target.plugins.os.unix.locate.mlocate
              • dissect.target.plugins.os.unix.locate.plocate
            • dissect.target.plugins.os.unix.log
              • dissect.target.plugins.os.unix.log.atop
              • dissect.target.plugins.os.unix.log.audit
              • dissect.target.plugins.os.unix.log.auth
              • dissect.target.plugins.os.unix.log.helpers
              • dissect.target.plugins.os.unix.log.journal
              • dissect.target.plugins.os.unix.log.lastlog
              • dissect.target.plugins.os.unix.log.messages
              • dissect.target.plugins.os.unix.log.utmp
            • dissect.target.plugins.os.unix._os
            • dissect.target.plugins.os.unix.applications
            • dissect.target.plugins.os.unix.cronjobs
            • dissect.target.plugins.os.unix.datetime
            • dissect.target.plugins.os.unix.generic
            • dissect.target.plugins.os.unix.history
            • dissect.target.plugins.os.unix.locale
            • dissect.target.plugins.os.unix.packagemanager
            • dissect.target.plugins.os.unix.shadow
            • dissect.target.plugins.os.unix.trash
          • dissect.target.plugins.os.windows
            • dissect.target.plugins.os.windows.credential
              • dissect.target.plugins.os.windows.credential.credhist
              • dissect.target.plugins.os.windows.credential.lsa
              • dissect.target.plugins.os.windows.credential.sam
            • dissect.target.plugins.os.windows.defender
              • dissect.target.plugins.os.windows.defender.mplog
              • dissect.target.plugins.os.windows.defender.quarantine
            • dissect.target.plugins.os.windows.dpapi
              • dissect.target.plugins.os.windows.dpapi.keyprovider
                • dissect.target.plugins.os.windows.dpapi.keyprovider.defaultpassword
                  • dissect.target.plugins.os.windows.dpapi.keyprovider.defaultpassword.defaultpassword
                  • dissect.target.plugins.os.windows.dpapi.keyprovider.defaultpassword.lsa
                  • dissect.target.plugins.os.windows.dpapi.keyprovider.defaultpassword.winlogon
                • dissect.target.plugins.os.windows.dpapi.keyprovider.credhist
                • dissect.target.plugins.os.windows.dpapi.keyprovider.empty
                • dissect.target.plugins.os.windows.dpapi.keyprovider.keychain
                • dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider
              • dissect.target.plugins.os.windows.dpapi.blob
              • dissect.target.plugins.os.windows.dpapi.crypto
              • dissect.target.plugins.os.windows.dpapi.dpapi
              • dissect.target.plugins.os.windows.dpapi.master_key
            • dissect.target.plugins.os.windows.everything
              • dissect.target.plugins.os.windows.everything.parser
            • dissect.target.plugins.os.windows.exchange
              • dissect.target.plugins.os.windows.exchange.exchange
            • dissect.target.plugins.os.windows.log
              • dissect.target.plugins.os.windows.log.amcache
              • dissect.target.plugins.os.windows.log.etl
              • dissect.target.plugins.os.windows.log.evt
              • dissect.target.plugins.os.windows.log.evtx
              • dissect.target.plugins.os.windows.log.mssql
              • dissect.target.plugins.os.windows.log.pfro
              • dissect.target.plugins.os.windows.log.schedlgu
            • dissect.target.plugins.os.windows.regf
              • dissect.target.plugins.os.windows.regf.applications
              • dissect.target.plugins.os.windows.regf.appxdebugkeys
              • dissect.target.plugins.os.windows.regf.auditpol
              • dissect.target.plugins.os.windows.regf.bam
              • dissect.target.plugins.os.windows.regf.cit
              • dissect.target.plugins.os.windows.regf.clsid
              • dissect.target.plugins.os.windows.regf.mru
              • dissect.target.plugins.os.windows.regf.muicache
              • dissect.target.plugins.os.windows.regf.nethist
              • dissect.target.plugins.os.windows.regf.recentfilecache
              • dissect.target.plugins.os.windows.regf.regf
              • dissect.target.plugins.os.windows.regf.runkeys
              • dissect.target.plugins.os.windows.regf.shellbags
              • dissect.target.plugins.os.windows.regf.shimcache
              • dissect.target.plugins.os.windows.regf.trusteddocs
              • dissect.target.plugins.os.windows.regf.usb
              • dissect.target.plugins.os.windows.regf.userassist
            • dissect.target.plugins.os.windows.tasks
              • dissect.target.plugins.os.windows.tasks.job
              • dissect.target.plugins.os.windows.tasks.records
              • dissect.target.plugins.os.windows.tasks.xml
            • dissect.target.plugins.os.windows._os
            • dissect.target.plugins.os.windows.activitiescache
            • dissect.target.plugins.os.windows.adpolicy
            • dissect.target.plugins.os.windows.amcache
            • dissect.target.plugins.os.windows.cam
            • dissect.target.plugins.os.windows.catroot
            • dissect.target.plugins.os.windows.cim
            • dissect.target.plugins.os.windows.clfs
            • dissect.target.plugins.os.windows.datetime
            • dissect.target.plugins.os.windows.env
            • dissect.target.plugins.os.windows.firewall
            • dissect.target.plugins.os.windows.generic
            • dissect.target.plugins.os.windows.jumplist
            • dissect.target.plugins.os.windows.lnk
            • dissect.target.plugins.os.windows.locale
            • dissect.target.plugins.os.windows.network
            • dissect.target.plugins.os.windows.notifications
            • dissect.target.plugins.os.windows.prefetch
            • dissect.target.plugins.os.windows.productkey
            • dissect.target.plugins.os.windows.rdpcache
            • dissect.target.plugins.os.windows.recyclebin
            • dissect.target.plugins.os.windows.registry
            • dissect.target.plugins.os.windows.search
            • dissect.target.plugins.os.windows.services
            • dissect.target.plugins.os.windows.sru
            • dissect.target.plugins.os.windows.startupinfo
            • dissect.target.plugins.os.windows.syscache
            • dissect.target.plugins.os.windows.thumbcache
            • dissect.target.plugins.os.windows.ual
            • dissect.target.plugins.os.windows.wer
            • dissect.target.plugins.os.windows.wua_history
        • dissect.target.plugins.scrape
          • dissect.target.plugins.scrape.qfind
          • dissect.target.plugins.scrape.scrape
      • dissect.target.tools
        • dissect.target.tools.utils
          • dissect.target.tools.utils.cli
          • dissect.target.tools.utils.fs
          • dissect.target.tools.utils.logging
          • dissect.target.tools.utils.report
        • dissect.target.tools.build_pluginlist
        • dissect.target.tools.dd
        • dissect.target.tools.diff
        • dissect.target.tools.dump
        • dissect.target.tools.fs
        • dissect.target.tools.info
        • dissect.target.tools.mount
        • dissect.target.tools.qfind
        • dissect.target.tools.query
        • dissect.target.tools.reg
        • dissect.target.tools.shell
        • dissect.target.tools.yara
      • dissect.target.volumes
        • dissect.target.volumes.bde
        • dissect.target.volumes.ddf
        • dissect.target.volumes.disk
        • dissect.target.volumes.luks
        • dissect.target.volumes.lvm
        • dissect.target.volumes.md
        • dissect.target.volumes.vmfs
      • dissect.target.container
      • dissect.target.exceptions
      • dissect.target.filesystem
      • dissect.target.loader
      • dissect.target.plugin
      • dissect.target.target
      • dissect.target.volume
    • dissect.thumbcache
      • dissect.thumbcache.tools
        • dissect.thumbcache.tools.extract_images
        • dissect.thumbcache.tools.extract_with_index
        • dissect.thumbcache.tools.utils
      • dissect.thumbcache.c_thumbcache
      • dissect.thumbcache.exceptions
      • dissect.thumbcache.index
      • dissect.thumbcache.thumbcache
      • dissect.thumbcache.thumbcache_file
      • dissect.thumbcache.util
    • dissect.util
      • dissect.util.compression
        • dissect.util.compression.lz4
        • dissect.util.compression.lzbitmap
        • dissect.util.compression.lzfse
        • dissect.util.compression.lznt1
        • dissect.util.compression.lzo
        • dissect.util.compression.lzvn
        • dissect.util.compression.lzxpress
        • dissect.util.compression.lzxpress_huffman
        • dissect.util.compression.sevenbit
        • dissect.util.compression.xz
      • dissect.util.encoding
        • dissect.util.encoding.surrogateescape
      • dissect.util.hash
        • dissect.util.hash.crc32
        • dissect.util.hash.crc32c
        • dissect.util.hash.jenkins
      • dissect.util.tools
        • dissect.util.tools.dump_nskeyedarchiver
      • dissect.util.cpio
      • dissect.util.exceptions
      • dissect.util.ldap
      • dissect.util.plist
      • dissect.util.sid
      • dissect.util.stream
      • dissect.util.ts
      • dissect.util.xmemoryview
    • dissect.vmfs
      • dissect.vmfs.address
      • dissect.vmfs.c_lvm
      • dissect.vmfs.c_vmfs
      • dissect.vmfs.descriptor
      • dissect.vmfs.exception
      • dissect.vmfs.lvm
      • dissect.vmfs.resource
      • dissect.vmfs.util
      • dissect.vmfs.vmfs
    • dissect.volume
      • dissect.volume.ddf
        • dissect.volume.ddf.c_ddf
        • dissect.volume.ddf.ddf
      • dissect.volume.disk
        • dissect.volume.disk.schemes
          • dissect.volume.disk.schemes.apm
          • dissect.volume.disk.schemes.bsd
          • dissect.volume.disk.schemes.gpt
          • dissect.volume.disk.schemes.mbr
        • dissect.volume.disk.disk
        • dissect.volume.disk.partition
      • dissect.volume.dm
        • dissect.volume.dm.btree
        • dissect.volume.dm.c_dm
        • dissect.volume.dm.thin
      • dissect.volume.lvm
        • dissect.volume.lvm.c_lvm2
        • dissect.volume.lvm.lvm2
        • dissect.volume.lvm.metadata
        • dissect.volume.lvm.physical
      • dissect.volume.md
        • dissect.volume.md.c_md
        • dissect.volume.md.md
      • dissect.volume.raid
        • dissect.volume.raid.raid
        • dissect.volume.raid.stream
      • dissect.volume.vinum
        • dissect.volume.vinum.c_vinum
        • dissect.volume.vinum.config
        • dissect.volume.vinum.vinum
      • dissect.volume.exceptions
      • dissect.volume.ldm
      • dissect.volume.vss
    • dissect.xfs
      • dissect.xfs.c_xfs
      • dissect.xfs.exceptions
      • dissect.xfs.xfs
    • flow.record
      • flow.record.adapter
        • flow.record.adapter.archive
        • flow.record.adapter.avro
        • flow.record.adapter.broker
        • flow.record.adapter.csvfile
        • flow.record.adapter.duckdb
        • flow.record.adapter.elastic
        • flow.record.adapter.jsonfile
        • flow.record.adapter.line
        • flow.record.adapter.mongo
        • flow.record.adapter.split
        • flow.record.adapter.splunk
        • flow.record.adapter.sqlite
        • flow.record.adapter.stream
        • flow.record.adapter.text
        • flow.record.adapter.xlsx
      • flow.record.fieldtypes
        • flow.record.fieldtypes.net
          • flow.record.fieldtypes.net.ip
          • flow.record.fieldtypes.net.ipv4
          • flow.record.fieldtypes.net.tcp
          • flow.record.fieldtypes.net.udp
        • flow.record.fieldtypes.credential
      • flow.record.tools
        • flow.record.tools.geoip
        • flow.record.tools.rdump
      • flow.record.base
      • flow.record.context
      • flow.record.exceptions
      • flow.record.jsonpacker
      • flow.record.packer
      • flow.record.selector
      • flow.record.stream
      • flow.record.utils
      • flow.record.whitelist

Contributing

  • Developing for Dissect
  • Style guide
  • Tooling
  • License

Resources

  • Dissect in Action
  • Talks and Conferences
  • Try in your browser
  • GitHub
  • PyPI
Back to top
View this page

dissect.target.plugins.apps.ssh¶

Submodules¶

  • dissect.target.plugins.apps.ssh.openssh
  • dissect.target.plugins.apps.ssh.opensshd
  • dissect.target.plugins.apps.ssh.putty
  • dissect.target.plugins.apps.ssh.ssh
Next
dissect.target.plugins.apps.ssh.openssh
Previous
dissect.target.plugins.apps.shell.wget
Copyright © 2023, Fox-IT part of NCC Group
Made with Sphinx and @pradyunsg's Furo
On this page
  • dissect.target.plugins.apps.ssh
    • Submodules