Many Velociraptor artifacts rely on parsing of file and data formats.
Velociraptor has dedicated parsers for some specialized file and data
formats. In addition we have flexible generic parsers, such as grok and
other regex-based parsers for text formats, and parse_binary which
provides completely customizable parsing of binary file formats.
| Plugin/Function | Type | Description |
|---|---|---|
| carve_usn | Plugin | Carve for the USN journal entries from a device |
| commandline_split | Function | Split a commandline into separate components following the windows |
| grok | Function | Parse a string using a Grok expression |
| leveldb | Plugin | Enumerate all items in a level db database |
| olevba | Plugin | Extracts VBA Macros from Office documents |
| parse_auditd | Plugin | Parse log files generated by auditd |
| parse_binary | Function | Parse a binary file into a data structure using a profile |
| parse_csv | Plugin | Parses events from a CSV file |
| parse_ese | Plugin | Opens an ESE file and dump a table |
| parse_ese_catalog | Plugin | Opens an ESE file and dump the schema |
| parse_evtx | Plugin | Parses events from an EVTX file |
| parse_float | Function | Convert a string to a float |
| parse_journald | Plugin | Parse a journald file |
| parse_json | Function | Parse a JSON string into an object |
| parse_json_array | Function | Parse a JSON string into an array |
| parse_json_array | Plugin | Parses events from a line oriented json file |
| parse_jsonl | Plugin | Parses a line oriented json file |
| parse_lines | Plugin | Parse a file separated into lines |
| parse_mft | Plugin | Scan the $MFT from an NTFS volume |
| parse_ntfs | Function | Parse specific inodes from an NTFS image file or the raw device |
| parse_ntfs_i30 | Plugin | Scan the $I30 stream from an NTFS MFT entry |
| parse_ntfs_ranges | Plugin | Show the run ranges for an NTFS stream |
| parse_pe | Function | Parse a PE file |
| parse_pkcs7 | Function | Parse a DER encoded pkcs7 string into an object |
| parse_records_with_regex | Plugin | Parses a file with a set of regexp and yields matches as records |
| parse_recyclebin | Plugin | Parses a $I file found in the $Recycle |
| parse_string_with_regex | Function | Parse a string with a set of regex and extract fields |
| parse_usn | Plugin | Parse the USN journal from a device, image file or USN file |
| parse_x509 | Function | Parse a DER encoded x509 string into an object |
| parse_xml | Function | Parse an XML document into a dict like object |
| parse_yaml | Function | Parse yaml into an object |
| path_split | Function | Split a path into components |
| pathspec | Function | Create a structured path spec to pass to certain accessors |
| plist | Plugin | Parses a plist file |
| prefetch | Plugin | Parses a prefetch file |
| regex_replace | Function | Search and replace a string with a regexp |
| relpath | Function | Return the relative path of |
| split_records | Plugin | Parses files by splitting lines into records |
| sqlite | Plugin | Opens an SQLite file and run a query against it |
| starl | Function | Compile a starlark code block - returns a module usable in VQL |
| yara | Plugin | Scan files using yara rules |
| yara_lint | Function | Clean a set of yara rules |