How to write an analysis plugin

Daniel White edited this page Nov 28, 2018 · 3 revisions

Deprecation warning

:warning: The Plaso Github wiki is now deprecated

:warning: Content was migrated to ReadTheDocs

:warning: The information below is likely to be out of date.

:warning: To update the current documentation, send a pull request that changes a file in the docs subdirectory of the Plaso source tree.

Create file and class

  • Plugin file in plaso/analysis/
    • Create an empty subclass of plaso.analysis.interface.AnalysisPlugin
    • Register it with the analysis plugin manager by calling AnalysisPluginManager.RegisterPlugin
  • Test file in tests/analysis/
    • Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase

Write minimal tests

  • Write a test that loads your plugin
  • It will fail initially, but running the test while you're developing your plugin gives you a quick way to see if your code is doing what you expect.

Develop plugin

  • Implement your subclass of plaso.analysis.interface.AnalysisPlugin
  • You'll need to define/override:
    • NAME
    • ExamineEvent()
    • CompileReport()
  • You may also want to override:
    • URLS
    • ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.

Expand tests

  • Add additional tests that test your plugin

Register classes

  • Edit plaso/analysis/ to import your plugin in the correct alphabetical order.
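
A skeleton covering the steps above, as an added example rather than Plaso's own code: the two stand-in classes replace plaso.analysis.interface.AnalysisPlugin and AnalysisPluginManager so the sketch runs without Plaso installed. The plugin name, the (mediator, event) arguments, the plain-text report and the RunSample helper are assumptions; check them against the current interface module, since this page may be out of date.

```python
import collections


class AnalysisPlugin(object):
  """Stand-in for the Plaso base class; only the attributes used here."""
  NAME = 'analysis_plugin'
  URLS = []
  ENABLE_IN_EXTRACTION = False


class AnalysisPluginManager(object):
  """Stand-in for the plugin manager: maps lower-cased NAME to plugin class."""
  _plugin_classes = {}

  @classmethod
  def RegisterPlugin(cls, plugin_class):
    name = plugin_class.NAME.lower()
    if name in cls._plugin_classes:
      raise KeyError('Plugin class already set for name: {0:s}.'.format(name))
    cls._plugin_classes[name] = plugin_class


class DataTypeCountPlugin(AnalysisPlugin):
  """Hypothetical plugin: counts examined events per data_type."""
  NAME = 'data_type_count'
  ENABLE_IN_EXTRACTION = True  # Needs only one event at a time.

  def __init__(self):
    super(DataTypeCountPlugin, self).__init__()
    self._counter = collections.Counter()

  def ExamineEvent(self, mediator, event):
    # Called once per event; tolerate events without the attribute.
    self._counter[getattr(event, 'data_type', 'UNKNOWN')] += 1

  def CompileReport(self, mediator):
    # Called after the last event; returns plain text in this sketch.
    return '\n'.join(
        '{0:s}: {1:d}'.format(*item) for item in sorted(self._counter.items()))


AnalysisPluginManager.RegisterPlugin(DataTypeCountPlugin)


def RunSample():
  """Feeds constructed sample events to the registered plugin."""
  Event = collections.namedtuple('Event', ['data_type'])
  plugin = AnalysisPluginManager._plugin_classes['data_type_count']()
  for data_type in ('windows:evtx:record', 'fs:stat', 'windows:evtx:record'):
    plugin.ExamineEvent(None, Event(data_type))
  return plugin.CompileReport(None)
```

A minimal test in tests/analysis/ can follow the same shape as RunSample: load the plugin, feed it a few known events, and assert on the compiled report.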

Code review/submit
