beagle.datasources.memory package

Submodules

beagle.datasources.memory.windows_rekall module
class beagle.datasources.memory.windows_rekall.WindowsMemory(memory_image: str)

    Bases: beagle.datasources.base_datasource.DataSource

    Yields events from a raw memory file by leveraging Rekall plugins.
    This DataSource converts the outputs of the plugins to the schema provided by GenericTransformer.

    Parameters: memory_image (str) – File path to the memory image.
    category = 'Windows Memory'
    events() → Generator[dict, None, None]

        Generator which must yield each event from the datasource as a dictionary, one by one. Once the generator is exhausted, this signals that the datasource is exhausted.

        Returns: Generator over all events from this datasource.
        Return type: Generator[dict, None, None]
    handles() → Generator[dict, None, None]

        Converts the output of the Rekall handles plugin to a series of events which represent accessing registry keys or files.

        Yields: Generator[dict, None, None] – One file or registry key access event at a time.
    metadata() → dict

        Returns the metadata object for this data source.

        Returns: A metadata dictionary to store with the graph.
        Return type: dict
    name = 'Windows Memory'
    pslist() → Generator[dict, None, None]

        Converts the output of Rekall's pslist plugin to a series of dictionaries that represent a process getting launched.

        Returns: Yields one process launch event at a time.
        Return type: Generator[dict, None, None]
    transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]
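As an added illustration (not Beagle's or Rekall's own code), the conversion that pslist() and handles() describe, run over constructed, simplified plugin rows: a pid index built from pslist so that handle events can name the owning process, file and registry-key handles turned into access events, and other object types or handles belonging to processes absent from pslist skipped. Field names such as event_type and process_image, and the row column names, are assumptions, not GenericTransformer's schema or Rekall's real output format.

```python
from typing import Dict, Generator, Iterable, List

# Constructed sample rows shaped like Rekall's pslist and handles plugin output.
# Column names are simplified assumptions for this illustration, not Beagle's or Rekall's real format.
SAMPLE_PSLIST: List[Dict] = [
    {"name": "explorer.exe", "pid": 1234, "ppid": 900, "create_time": "2019-05-01T12:00:00"},
    {"name": "cmd.exe", "pid": 2048, "ppid": 1234, "create_time": "2019-05-01T12:00:05"},
]
SAMPLE_HANDLES: List[Dict] = [
    {"pid": 2048, "obj_type": "File", "details": r"\Device\HarddiskVolume1\Users\bob\notes.txt"},
    {"pid": 2048, "obj_type": "Key", "details": r"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 2048, "obj_type": "Mutant", "details": "some_mutex"},  # neither file nor key: dropped
    {"pid": 4444, "obj_type": "File", "details": r"\Device\HarddiskVolume1\Temp\x.dat"},  # pid not in pslist
]

def process_index(pslist_rows: Iterable[Dict]) -> Dict[int, Dict]:
    """Map pid -> pslist row so later events can name the process that owns a handle."""
    return {row["pid"]: row for row in pslist_rows}

def pslist_events(index: Dict[int, Dict]) -> Generator[Dict, None, None]:
    """One process-launch event per process; the parent image is filled in when the parent is known."""
    for row in index.values():
        parent = index.get(row["ppid"])
        yield {
            "event_type": "process",
            "process_image": row["name"],
            "process_id": row["pid"],
            "parent_process_id": row["ppid"],
            "parent_process_image": parent["name"] if parent else None,
            "timestamp": row["create_time"],
        }

def handle_events(handle_rows: Iterable[Dict], index: Dict[int, Dict]) -> Generator[Dict, None, None]:
    """File and registry-key access events; other object types and handles of unknown pids are skipped."""
    kinds = {"File": ("file", "path"), "Key": ("registry", "key")}
    for row in handle_rows:
        if row["obj_type"] not in kinds or row["pid"] not in index:
            continue
        event_type, field = kinds[row["obj_type"]]
        yield {"event_type": event_type, "process_id": row["pid"],
               "process_image": index[row["pid"]]["name"], field: row["details"]}

def events(pslist_rows: Iterable[Dict] = SAMPLE_PSLIST,
           handle_rows: Iterable[Dict] = SAMPLE_HANDLES) -> Generator[Dict, None, None]:
    """Chain the converted plugin outputs as a datasource's events() would: processes first, then handles."""
    index = process_index(pslist_rows)
    yield from pslist_events(index)
    yield from handle_events(handle_rows, index)
```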