plistrc package

Subpackages

Submodules

plistrc.decoders module

Property list decoders.

class plistrc.decoders.NSKeyedArchiverDecoder[source]

Bases: object

Decoder for NSKeyedArchiver encoded plists.

Also see:

https://developer.apple.com/documentation/foundation/nskeyedarchiver

Decode(root_item)[source]

Decodes a NSKeyedArchiver encoded plist.

Parameters:

root_item (object) – root object of the NSKeyedArchiver encoded plist.

Returns:

root object of the decoded plist.

Return type:

dict[str, object]

Raises:

RuntimeError – if the plist cannot be decoded.

IsEncoded(root_item)[source]

Determines if a plist is NSKeyedArchiver encoded.

Parameters:

root_item (object) – root object of the NSKeyedArchiver encoded plist.

Returns:

True if NSKeyedArchiver encoded, False otherwise.

Return type:

bool

plistrc.resources module

Property list resources.

class plistrc.resources.PropertyDefinition[source]

Bases: object

Property definition.

key_path

key path of the property.

Type:

str

name

name of the property.

Type:

str

schema

schema of the property.

Type:

list[PropertyDefinition]

value_type

value type of the property.

Type:

str

__init__()[source]

Initializes a property definition.

class plistrc.resources.PropertyListDefinition[source]

Bases: object

Property list definition.

artifact_definition

name of the corresponding Digital Forensics Artifact definition.

Type:

str

property_list_identifier

identifier of the property list.

Type:

str

__init__()[source]

Initializes a property list definition.

plistrc.schema_extractor module

Property list file schema extractor.

class plistrc.schema_extractor.PropertyListSchemaExtractor(artifact_definitions, mediator=None)[source]

Bases: object

Property list file schema extractor.

ExtractSchemas(path, options=None)[source]

Extracts property list schemas from the path.

Parameters:

  • path (str) – path of a property list file or storage media image containing property list files.

  • options (Optional[dfvfs.VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the dfVFS VolumeScannerOptions class.

Yields:

tuple[str, dict[str, str]]

known property list type identifier or the

name of the property list file if not known and schema.

FormatSchema(schema, output_format)[source]

Formats a schema into the output format.

Parameters:
Returns:

formatted schema.

Return type:

str

Raises:

RuntimeError – if a query could not be parsed.

GetDisplayPath(path_segments, data_stream_name=None)[source]

Retrieves a path to display.

Parameters:

  • path_segments (list[str]) – path segments of the full path of the file entry.

  • data_stream_name (Optional[str]) – name of the data stream.

Returns:

path to display.

Return type:

str

__init__(artifact_definitions, mediator=None)[source]

Initializes a property list file schema extractor.

Parameters:

  • artifact_definitions (str) – path to a single artifact definitions YAML file or a directory of definitions YAML files.

  • mediator (Optional[dfvfs.VolumeScannerMediator]) – a volume scanner mediator.

plistrc.yaml_definitions_file module

YAML-based property list definitions file.

class plistrc.yaml_definitions_file.YAMLPropertyListDefinitionsFile[source]

Bases: object

YAML-based property list definitions file.

A YAML-based property list definitions file contains one or more property list definitions. A property list definition consists of:

artifact_definition: MacOSAirportPreferencesPlistFile property_list_identifier: com.apple.airport.preferences.plist

Where: * artifact_definition, name of the corresponding Digital Forensics Artifact

definition.

  • property_list_identifier, identifier of the property list.

ReadFromFile(path)[source]

Reads the event formatters from a YAML file.

Parameters:

path (str) – path to a formatters file.

Yields:

PropertyListDefinition – property list definition.

Module contents

Property List resources (plistrc).