Recipes

Introduction

Recipes are a way to create pre-defined configurations for what Jobs/Tasks to run and how to run them along with various parameters that Tasks can use to change their runtime behavior for a given processing request. They can contain a number of “global” variables that affect the overall processing and also have per-Task variables that are specific to each Task.

Using Recipes

Recipes can be specified by name when sending a processing request to Turbinia. The name of the recipe is the filename that contains the recipe, which should work with or without specifying the .yaml extension.

turbiniactl --recipe triage googleclouddisk -d diskname-to-process

Note: This currently requires that the RECIPE_FILE_DIR configuration variable is set in the config file that you are using and is pointing to a valid directory containing the recipe files. Alternately you can also specify a recipe file directly by referencing the file path:

turbiniactl --recipe_path ./recipes/triage.yaml googleclouddisk -d diskname-to-process

Writing new Recipes

Recipes are .yaml files that are read and validated by the client and passed to the server along with the processing request data. There are no required sections and they can contain a globals section and zero or more Task sections. Each Task section must contain a task: key that references the relevant Task that the section applies to. Other keys in either the globals or Task sections must match the pre-defined keys for those sections. Here is a snapshot of the pre-defined variables allowed in the globals section along with the defaults:

    'debug_tasks': False,
    'jobs_allowlist': [],
    'jobs_denylist': [],
    'yara_rules': '',
    'filter_patterns': [],
    'sketch_id': None

These generally correlate with similarly named command line flags. The current full list can be found here - Line 36. Each Task specifies the available recipe keys in a TASK_CONFIG attribute for the Task object (e.g. here is the TASK_CONFIG for the Plaso Task - Line 141).

Here is a real sample of the all Recipe including the description in a comment:

# This recipe will run all Jobs with all configuration options turned on for in
# depth "kitchen-sink" processing of everything (e.g. all VSS stores and all
# partitions).  This may take a long time to complete.

globals:
  jobs_allowlist:
    - BinaryExtractorJob
    - BulkExtractorJob
    - FileSystemTimelineJob
    - FsstatJob
    - GrepJob
    - HindsightJob
    - HTTPAccessLogExtractionJob
    - HTTPAccessLogAnalysisJob
    - JenkinsAnalysisJob
    - JupyterExtractionJob
    - JupyterAnalysisJob
    - LinuxAccountAnalysisJob
    - PartitionEnumerationJob
    - PlasoJob
    - PsortJob
    - RedisAnalysisJob
    - RedisExtractionJob
    - SSHDAnalysisJob
    - SSHDExtractionJob
    - StringsJob
    - TomcatExtractionJob
    - TomcatAnalysisJob
    - WindowsAccountAnalysisJob

plaso_base:
  task: 'PlasoParserTask'
  status_view: 'none'
  hashers: 'all'
  partition: 'all'
  vss_stores: 'all'

For adding additional configuration options to a given Task, please see the recipes configuration section in the developing new Tasks documentation.