Many Velociraptor artifacts rely on specialized parsing of file formats. This page outlines all the plugins and functions designed to allow the client to parse information for various files.
Simple file formats may be parsed using regular expressions and other generic rules. However some specialized file formats have dedicated parsers. These dedicated parsers are exported into VQL plugins so their results may be used in further queries.
| Plugin/Function | Type | Description |
|---|---|---|
| grok | Function | Parse a string using a Grok expression |
| olevba | Plugin | Extracts VBA Macros from Office documents |
| parse_auditd | Plugin | Parse log files generated by auditd |
| parse_binary | Function | Parse a binary file into a data structure using a profile |
| parse_csv | Plugin | Parses events from a CSV file |
| parse_ese | Plugin | Opens an ESE file and dump a table |
| parse_ese_catalog | Plugin | Opens an ESE file and dump the schema |
| parse_evtx | Plugin | Parses events from an EVTX file |
| parse_float | Function | Convert a string to a float |
| parse_json | Function | Parse a JSON string into an object |
| parse_json_array | Function | Parse a JSON string into an array |
| parse_json_array | Plugin | Parses events from a line oriented json file |
| parse_jsonl | Plugin | Parses a line oriented json file |
| parse_lines | Plugin | Parse a file separated into lines |
| parse_mft | Plugin | Scan the $MFT from an NTFS volume |
| parse_ntfs | Function | Parse specific inodes from an NTFS image file or the raw device |
| parse_ntfs_i30 | Plugin | Scan the $I30 stream from an NTFS MFT entry |
| parse_ntfs_ranges | Plugin | Show the run ranges for an NTFS stream |
| parse_pe | Function | Parse a PE file |
| parse_pkcs7 | Function | Parse a DER encoded pkcs7 string into an object |
| parse_records_with_regex | Plugin | Parses a file with a set of regexp and yields matches as records |
| parse_recyclebin | Plugin | Parses a $I file found in the $Recycle |
| parse_string_with_regex | Function | Parse a string with a set of regex and extract fields |
| parse_usn | Plugin | Parse the USN journal from a device, image file or USN file |
| parse_x509 | Function | Parse a DER encoded x509 string into an object |
| parse_xml | Function | Parse an XML document into a dict like object |
| parse_yaml | Function | Parse yaml into an object |
| plist | Function | Parse plist file |
| plist | Plugin | Parses a plist file |
| prefetch | Plugin | Parses a prefetch file |
| regex_replace | Function | Search and replace a string with a regexp |
| rot13 | Function | Apply rot13 deobfuscation to the string |
| split_records | Plugin | Parses files by splitting lines into records |
| sqlite | Plugin | Opens an SQLite file and run a query against it |
| starl | Function | Compile a starlark code block - returns a module usable in VQL |
| xor | Function | Apply xor to the string and key |