beagle.datasources.memory package

Submodules

beagle.datasources.memory.windows_rekall module

class beagle.datasources.memory.windows_rekall.WindowsMemory(memory_image: str)

Bases: beagle.datasources.base_datasource.DataSource

Yields events from a raw memory file by leveraging Rekall plugins.

This DataSource converts the outputs of the plugins to the schema provided by GenericTransformer.

Parameters: memory_image (str) – File path to the memory image.
category = 'Windows Memory'
connscan() → Generator[dict, None, None]
events() → Generator[dict, None, None]

Generator which yields each event from the datasource one by one, as a dictionary. Once the generator is exhausted, the datasource is exhausted.

Returns: Generator over all events from this datasource.
Return type: Generator[dict, None, None]
handles() → Generator[dict, None, None]

Converts the output of the Rekall handles plugin to a series of events, each representing a process accessing a file or a registry key.

Yields: Generator[dict, None, None] – One file or registry key access event at a time.
metadata() → dict

Returns the metadata object for this data source.

Returns: A metadata dictionary to store with the graph.
Return type: dict
name = 'Windows Memory'
pslist() → Generator[dict, None, None]

Converts the output of Rekall's pslist plugin to a series of dictionaries, each representing a process being launched.

Returns: Yields one process launch event at a time.
Return type: Generator[dict, None, None]
transformers = [<class 'beagle.transformers.generic_transformer.GenericTransformer'>]
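The following is an added, self-contained illustration of the DataSource contract documented above; it is not code from beagle or Rekall. It keeps the same surface as WindowsMemory (name, category, metadata(), events(), pslist(), handles()) but reads constructed sample rows instead of running plugins against a memory image, so it executes without either package installed. The pslist/handles column names, the event dictionary keys and the timestamp format are assumptions made for the illustration, not the schema GenericTransformer actually consumes.

```python
"""Stand-in mirroring the WindowsMemory DataSource contract over constructed rows.

Added illustration, not beagle's own code. The row column names, the event
dictionary keys and the datetime format below are assumptions.
"""
from datetime import datetime, timezone
from typing import Dict, Generator, List, Optional

# Constructed rows in the shape of Rekall's pslist output (column names assumed).
SAMPLE_PSLIST: List[Dict] = [
    {"pid": 4, "ppid": 0, "name": "System", "path": "",
     "create_time": "2019-01-01T10:00:00"},
    {"pid": 624, "ppid": 4, "name": "smss.exe", "path": r"\SystemRoot\System32\smss.exe",
     "create_time": "2019-01-01T10:00:02"},
    {"pid": 1432, "ppid": 624, "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe",
     "create_time": "2019-01-01T10:00:03"},
    {"pid": 2100, "ppid": 1432, "name": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "create_time": "2019-01-01T10:05:30"},
]

# Constructed rows in the shape of Rekall's handles output (column names assumed):
# one row per open handle with the owning pid, the kernel object type and its name.
SAMPLE_HANDLES: List[Dict] = [
    {"pid": 2100, "type": "File", "name": r"\Device\HarddiskVolume1\Users\bob\Downloads\invoice.js"},
    {"pid": 2100, "type": "Key", "name": r"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 2100, "type": "Mutant", "name": r"\BaseNamedObjects\ShimCacheMutex"},  # neither file nor key
    {"pid": 624, "type": "File", "name": ""},                                      # unnamed handle
]


def _to_epoch(iso_ts: str) -> int:
    """Convert an ISO-8601 timestamp (assumed UTC) to integer epoch seconds."""
    return int(datetime.fromisoformat(iso_ts).replace(tzinfo=timezone.utc).timestamp())


class SampleWindowsMemory:
    """Same attribute/method surface as WindowsMemory, fed by constructed rows."""

    name = "Windows Memory"
    category = "Windows Memory"

    def __init__(self, memory_image: str,
                 pslist_rows: Optional[List[Dict]] = None,
                 handle_rows: Optional[List[Dict]] = None) -> None:
        self.memory_image = memory_image
        # In the real DataSource these rows come from running the Rekall
        # plugins against memory_image; here they are injected.
        self._pslist_rows = SAMPLE_PSLIST if pslist_rows is None else pslist_rows
        self._handle_rows = SAMPLE_HANDLES if handle_rows is None else handle_rows
        self._by_pid = {row["pid"]: row for row in self._pslist_rows}

    def metadata(self) -> Dict:
        """Metadata stored alongside the graph built from this source."""
        return {"source": self.name, "image": self.memory_image,
                "plugins": ["pslist", "handles"]}

    def pslist(self) -> Generator[Dict, None, None]:
        """One process-launch event per pslist row, parent resolved through ppid."""
        for row in self._pslist_rows:
            parent = self._by_pid.get(row["ppid"], {})
            yield {
                "event_type": "process",
                "event_time": _to_epoch(row["create_time"]),
                "process_id": row["pid"],
                "process_image": row["name"],
                "process_image_path": row["path"],
                "parent_process_id": row["ppid"],
                "parent_process_image": parent.get("name", ""),
                "parent_process_image_path": parent.get("path", ""),
            }

    def handles(self) -> Generator[Dict, None, None]:
        """One file or registry access event per named File/Key handle.

        Other object types (Mutant, Event, ...) and unnamed handles are skipped.
        """
        kinds = {"File": ("file", "file_path"), "Key": ("registry", "registry_path")}
        for row in self._handle_rows:
            if row["type"] not in kinds or not row["name"]:
                continue
            event_type, path_key = kinds[row["type"]]
            owner = self._by_pid.get(row["pid"], {})
            yield {
                "event_type": event_type,
                "process_id": row["pid"],
                "process_image": owner.get("name", ""),
                "process_image_path": owner.get("path", ""),
                path_key: row["name"],
            }

    def events(self) -> Generator[Dict, None, None]:
        """Drain each plugin converter in turn; exhaustion means the source is done."""
        yield from self.pslist()
        yield from self.handles()


def collect_events(memory_image: str) -> List[Dict]:
    """Run the sample source end to end and return every event it yields."""
    return list(SampleWindowsMemory(memory_image).events())


if __name__ == "__main__":
    for event in collect_events("memory.raw"):
        print(event)
```

Resolving the parent through the pid map is the step that matters for graph construction: without the parent's image name and path, the process node cannot be linked to its launcher, which is precisely the edge a memory-only source has to reconstruct from pslist alone.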

Module contents