Welcome to the Plaso documentation!¶

Plaso (Plaso Langar Að Safna Öllu) is a computer forensic tool for timeline generation and analysis.

Plaso’s documentation is split into several parts:

The project’s code is available from https://github.com/log2timeline/plaso

Plaso is licensed under the Apache license version 2.

Contents:

User documentation¶

User’s Guide¶

How to get started¶

First determine which version of plaso is must suitable to your needs, for more information see Releases and roadmap

Installing the packaged release¶

To install the packaged release see:

If you run into problems installing, check out the installation troubleshooting guide

Before we start¶

Please report all discovered bugs on the issue tracker.

To follow announcements from the plaso team or send in generic inquiries or discuss the tool:

subscribe to the log2timeline-discuss mailing list.
join the plaso channel part of the open-source-dfir Slack community, more information can be found here.

I know the good old Perl version¶

If you are one of those people that liked the old perl version of log2timeline but really would like to switch use all the nifty features of the Python version. Fear not, here is a guide to help you migrate.

The tools¶

Though plaso initially was created in mind to replace the Perl version of log2timeline, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases. Fear not plaso is not a developers only project it also includes several command line tools, each with its specific purpose. Currently these are:

Note that each tool can be invoked with the -h or --help command line flag to display basic usage and command line option information.

image_export¶

image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.

log2timeline¶

log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.

The plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.

pinfo¶

pinfo is a command line tool to provide information about the contents of a plaso storage file.

preg¶

preg is a command line tool to analyze Windows Registry files. It allows you to plaso’s Windows Registry plugins on individual Windows Registry files and interactively analyze the results. For more information see: Using preg

psort¶

psort is a command line tool to post-process plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.

Creating a timeline¶

Using psteal¶

The quickest way to generate a timeline with Plaso is using the “psteal” frontend. A command line like so: psteal.py --source ~/cases/greendale/registrar.dd -o l2tcsv -w /tmp/registrar.csv will produce a csv file containing all the events from an image, with some sensible defaults.

Troubleshooting¶

This page contains instructions that can be used to assist you in debugging potential issues with the plaso and its dependencies.

Quick list¶

Check the commit history and issue tracker if the bug has already been fixed;
If you are running the development release make sure plaso and dependencies are up to date, see: Developers Guide
If you are experiencing an issue that cannot directly be attributed to some broken code e.g. the test are getting killed, check your system logs it might be a problem with resources available to plaso;
Try to isolate the error, see below.

If everything fails create a new issue on the issue tracker. Please provide as much detailed information as possible, keep in mind that:

we cannot fix errors based on vague descriptions;
we cannot look into your thoughts or on your systems;
we cannot easily isolate errors if you keep changing your test environment.

Hence please provide us with the following details:

What steps will reproduce the problem?
- What output did you expect?
- What do you see instead?
The output of log2timeline.py --troubles, which provide:
- The Python version including operating system and architecture
- The path to plaso/log2timeline
- The version of plaso/log2timeline
- Information about dependencies
Are you processing a storage media image, if so which format, a directory or on an individual file?
Were you able to isolate the error to a specific file? Is it possible to share the file with the developer?
Any additional information that could be of use e.g. build logs, error logs, debug logs, etc.

Note that the github issue tracker uses markdown and thus please escape blocks of error output accordingly.

Also see the sections below on how to troubleshoot issues of a specific nature.

Isolating errors¶

The most important part of troubleshooting is isolating the error.

Can you run the tests successfully?

$ python run_tests.py
...
----------------------------------------------------------------------
Ran 585 tests in 66.530s

OK

If an error occurs when processing a storage media image try to run with the storage image media file and/or the file system directly mounted. Mounting the storage image media file will bypass libraries (modules) supporting the storage image media format. Running source_analyzer.py can help pinpointing the issue, e.g.

PYTHONPATH=. python examples/source_analyzer.py --no-auto-recurse

Try:

logging to a log file log2timeline.py --log-file=log2timeline.log ...;
running in debug mode log2timeline.py --debug ...;
running in single process mode this will bypass any issues with multi processing log2timeline.py --single-process ...;
mounting the file system as well to bypass libraries (modules) supporting the file system, e.g. the SleuthKit and pytsk;
running in single process and debug mode, see section below.

Producing debug logs¶

To produce debugging logs, run log2timeline like so: log2timeline.py --log-file=log2timeline_problem.log.gz --debug. This will create multiple, gzip-compressed log files. There will be one called log2timeline_problem.log.gz containing logs from the main log2timeline process, and one log file for each worker process.

Note that the .gz file suffix is important, as it triggers Plaso to compress the log output. In an uncompressed form, the logs are very large. The compressed logs can be reviewed with unzip tools like zless and zgrep.

Import errors¶

It sometimes happen that the tests fail with an import error e.g.

ImportError: Failed to import test module:
plaso.parsers.winreg_plugins.shutdown_test
Traceback (most recent call last):
  File "/usr/lib64/python2.7/unittest/loader.py", line 254, in _find_tests
    module = self._get_module_from_name(name)
  File "/usr/lib64/python2.7/unittest/loader.py", line 232, in
_get_module_from_name
    __import__(name)
  File "./plaso/parsers/__init__.py", line 4, in <module>
    from plaso.parsers import asl
ImportError: cannot import name asl

This does not necessarily mean that the code cannot find the asl module. The import error can mask an underlying issue. Try running the following commands in a Python shell:

$ python
import sys
sys.path.insert(0, u'.')
import plaso

It also sometimes means that you have multiple versions of plaso installed on your system and Python tries to import for the wrong one.

Crashes, hangs and tracebacks¶

In the context of plaso crashes and tracebacks have different meanings:

crash; an error that causes an abrupt termination of the program you were running e.g. a segfault (SIGSEGV)
traceback; the back trace of an error that was caught by an exception handler that can cause a termination of the program you were running

A worker segfault-ing¶

Since plaso relies on several compiled dependencies it is possible that a worker segfault (SIGSEGV).

As part of the 1.3 pre-release bug hunting a SIGSEGV signal handler was added however this process turned out, as expected, unreliable. However it added an interesting side effect that is very useful for debugging. If the SIGSEGV signal handler is enable the worker process typically remains in the “running” state but stops producing event object. What happens under the hood is that the SIGSEGV signal is caught but the worker is unable to cleanly terminate. Because of this “frozen” state of the worker it is very easy to attach a debugger e.g. gdb python -p PID.

A kill -11 PID however seems to be cleanly handled by the SIGSEGV signal handler and puts the worker into “error” status.

A worker gives a killed status¶

This typically indicates that the worker was killed (SIGKILL) likely by an external process e.g the Out Of Memory (OOM) killer.

Your system logs might indicate why the worker was killed.

Which processes are running¶

The following command help you determine which plaso processes are running on your system:

Linux:

top -p `ps -ef | grep log2timeline.py | grep python | awk '{ print $2 }' | tr '\n' ',' | sed 's/,$//'`

Mac OS X:

ps aux | grep log2timeline.py | grep python | awk '{print $2}' | tr '\n' ',' | sed 's/,$//'

Analyzing crashes with single process and debug mode¶

In single process and debug mode log2timeline.py --debug --single-process ... log2timeline will run a Python debug shell (pdb) when an uncaught Python exception is raised.

Use u to go up one level and d to go down one level .

Print the attributes of the current object you are looking for.

!self.__dict__

Print the current argument stack to see what arguments are available to you.

args

Note that inside pdb you can run any Python commands including loading new libraries e.g. for troubleshooting. You can prepend commands with an exclamation mark (!) to indicate that you want to run a Python command as an opposed to a debug shell one.

Analyzing crashes with gdb¶

Once you have isolated the file that causes the crash and you cannot share the file you can generate a back trace that can help us fix the error.

First make sure you have the debug symbols installed.

Then run the plaso as a single process with gdb:

gdb --ex r --args log2timeline.py --single-process -d /tmp/test.dump /tmp/file_that_crashes_the_tool

To generate a back trace:

bt

Note that often the first 10 lines of the back trace are sufficient information.

An alternative approach is to attach a debugger to it once the program is running:

gdb python -p PID

Where PID is the process identifier of the program. Once the debugger is attached continue running:

Wait until the crash occurs and generate a back trace.

Also see: DebuggingWithGdb, gdb Support

High memory usage¶

Plaso consists of various components. It can happen that one of these components uses a lot of memory or even leaks memory. In these cases it is important to isolate the error, see before, to track down what the possible culprit is. Also see: Profiling memory usage

Also see¶

Collection Filters¶

When you know beforehand which files are relevant for your analysis and which files not, you can use collection filters to instruct Plaso to only collect events from these files. This is also referred to as targeted collection.

Plaso supports the following methods of targeted collection:

Using Forensic Artifacts definitions
Using filter files

Note that at the moment the different collection filters cannot be used simultaneously.

Using Forensic Artifacts definitions¶

Forensic Artifacts definitions provide a more analyst centric approach to collection filters.

For example based on the definition:

name: WindowsEventLogSystem
doc: System Windows Event Log.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\System32\winevt\Logs\SysEvent.evt']
    separator: '\'
conditions: [os_major_version < 6]
labels: [Logs]
supported_os: [Windows]
urls: ['http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)']

‘WindowsEventLogSystem’ refers to the path ‘%SystemRoot%\System32\winevt\Logs\SysEvent.evt’.

To use:

log2timeline.py --artifact-filters WindowsEventLogSystem name.plaso source.raw

Note that for convenience the Forensic Artifacts definition names can also be stored in a file.

Using filter files¶

Due a limitations in the original text-based filter file format the YAML-based filter format was introduced. We recommend using the YAML-based format.

A YAML-based filter can be used to describe the path of each file or directory Plaso should include or exclude from parsing.

Inclusion filters are applied before exclusion filters.
Specifying the path of a directory will include or exclude its files and subdirectories.

Path filters are case sensitive when compared to a case sensitive file system and case insensitive when compared to a case insensitive file system.

To use:

log2timeline.py --file-filter windows.yaml name.plaso source.raw

Text-based filter file format¶

A text-based filter can be used to describe the path of each file or directory Plaso should include in parsing.

Note that the text-based filter file does not support exclusion filters (or blacklisting). If you need this functionality use the YAML-based filter file instead.

The text-based filter file itself contains a path filter per line or a line starting # for comment.

# This is comment.
/ segment1 / segment2 / segment3 / ...
{systemroot} / segment2 / segment3 / ...

The path segment separator is a forward slash ‘/’.

A path segment can be defined as

a string representing the exact name of the directory or file;
a regular expression representing the name of the directory or file;
a path expansion variable, denoted by a curly bracket, such as {systemroot}.

The path must be an absolute path, meaning that is should start with ‘/’ or with path expansion variable that Plaso was able to resolve during preprocessing. Plaso will ignore path filters it does not consider valid.

For example:

{systemroot}/System32/config/.+[.]evt
/(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite

The first line defines a path filter that uses the “systemroot” path expansion variable that is discovered during preprocessing and denotes the Windows SytemRoot folder. It will then process the directories and files with a name that endswith “.evt”.

The second line defines a path filter using both regular expressions and strings to denote the location of Firefox history files.

YAML-based filter file format¶

A YAML-based filter can be used to describe the path of each file or directory Plaso should include or exclude from parsing.

Include filters have precedence above exclude filters.

A path filter is defined as a set of attributes:

“description”; optional description of the purpose of the path filter;
“paths”: one or more paths to filter defined as a regular expression;
“path_separator”; optional path segment separator, which is ‘/’ by default;
“type”; required filter type either “include” or “exclude”;

For example:

description: Windows Event Log files.
type: include
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\config\\.+[.]evt'
---
description: Exclude Linux binaries.
type: exclude
paths:
- '/usr/bin'

Note that if you use \ as a path segment separator it must be escaped as part of the regular expression.

References¶

Event filters¶

Event filters are used to:

selectively export events;
selectively analyze events;
apply a label to events in the tagging analysis module.

Tools that have event filter support:

psort

How do event filters work¶

An event filter is constructed in the following way:

EXPRESSION BOOLEAN_OPERATOR EXPRESSION

Where each expression is:

ATTRIBUTE [not] OPERATOR [not] VALUE

Each expression can also be a collection of binary expressions and operators enclosed in a parenthesis.

EXPRESSION BOOLEAN_OPERATOR (EXPRESSION BINARY_OPERATOR EXPRESSION)

The following boolean operators are supported:

and
or
&& (and)
|| (or)

The following keywords are available:

Operator	Notes
equals	Determine if the attribute is equal to the value, meaning that both parts need to be exactly the same in order for this to match.
`is`	Same as equals.
`==`	Same as equals.
`!=`	Negative matching of equals, that is it checks if it is not equal to the value (same as "not is")
`contains`	If the value is a string it checks if the lowercase version of the value is in the lowercase value of the attribute. That is this is a case insensitive substring match.
`>`	Checks if the value is greater than the attribute. If the attribute is date or timestamp and the value is an integer it compares against the timestamp attribute. If the attribute is date and the value is a string it will convert the string value to an integer and then make the comparison.
`>=`	Checks if the value is greater or equal than the attribute. If the attribute is date or timestamp the same behavior as in ">" is observed.
`<`	Checks if the value is less than the attribute. If the attribute is date or timestamp the same checks are made as in ">", except the comparison is to whether or not the value is less or equal than the supplied date.
`<=`	Checks if the value is less or equal than the value. If the attribute is timestamp or date same behavior as in "<" is applied.
`inset`	Checks if the values are all in the set of attributes.
`regexp`	A case sensitive regular expression is compiled from the value and it is compared against the attribute. The regular expression is somewhat limited, the only escaped strings that are supported are: '"rnbt.ws
`iregexp`	Same as the regexp above, except the regular expression is compiled as case-insensitive.

And for negative matching the keyword “not” in front of any of these keywords is also supported. That is to say if each of these operators is preceded with the keyword “not” a negative matching is performed.

Note that as of 20190512 special event attributes like ‘message’, ‘source’, ‘source_short’, ‘source_long’ and ‘sourcetype’ are considered part of the output and are no longer expanded in the event filter.

Example event filter expressions¶

parser is 'syslog' and body contains 'root'

This event filter applies to all events where:

the event was produced by the parser named ‘syslog’ (case sensitive) and;
the body attribute contains the substring ‘root’ (case insensitive).

Use “log2timeline –info” to retrieve a list of the names of all the available parsers. Or use the pinfo.py test.plaso to see a list of all parsers that were used to produce the output in the storage file.

parser contains 'firefox' AND pathspec.vss_store_number > 0

The parser name contains the word “firefox”;
The event was extracted from a Volume Shadow Snapshot (VSS).

References¶

log2timeline filtering 101

Analysis Plugins¶

Tips and Tricks¶

This is a collection of few tips and tricks that can be used with plaso

analyzeMFT and plaso¶

Plaso can parse the output of analyzeMFT in bodyfile (or mactime) output.

Run analyzeMFT as following:

$ analyzeMFT.py -b output.bodyfile -f input.MFT
$ log2timeline.py test.plaso output.bodyfile

The mactime parser of plaso will parse the bodyfile.

Also see: Mactime

Split the output of psort¶

psort itself does not provide you the option of splitting the file into chunks, however there are other ways to achieve that, such as using the standard Unix tool split, eg:

$ psort.py test.plaso | split -b 10m - split_output_

This will leave you with the following files:

split_output_aa
split_output_ab
split_output_ac
split_output_ad
…

And so on… the size can be controlled by the ``-b``` parameter of the split command.

Switching from Log2Timeline Perl (Legacy) to plaso¶

This is a site that should contain information for those that are used to the 0.X branch of log2timeline, also known as Log2Timeline Perl or Log2Timeline legacy.

The syntax has changed somewhat from the older version, the largest user facing differences may be:

Output of the tool is no longer controllable through the log2timeline front-end (there is only one storage mechanism and that is binary). The user needs to run psort on the output to produce a human-readable content (with l2t_csv as the default output).
Raw image files can be parsed directly, so mounting the images is no longer required (not encouraged).
Parser names have changed (number of new parsers yet some that have not yet been ported).
Parameters have changed considerably and options are different, so please read this page.
The post-processing tool is no longer called l2t_process, it is now named psort.
The name plaso can come up in the discussion, that is the name of the new backend (as an opposed to Log2Timeline which is the old Perl backend). Hence plaso refers to the backend, log2timeline to the CLI based front-end of the tool. There are other front-ends to the tool though, for instance timesketch and 4n6time.

Let’s go over the old and new method of collecting a timeline from a simple image file.

Old method¶

First of all we needed to mount the image. Something like this:

sudo mount -t ntfs-3g -o ro,nodev,noexec,show_sys_files,streams_interface=windows,loop,offset=32256 image.dd /mnt/nfts

Then we needed to run log2timeline against the mount point. You needed to define the timezone of the suspect image, which could get overwritten if a correct value was found and you needed to define which parsers to use. The sample run is:

cd /mnt/ntfs
log2timeline -r -p -z CST6CDT -f win7 . > /cases/timeline/myhost.csv 2> /cases/timeline/myhost.log

This would pick all the parsers defined in the “win7” list and run those against every file found in the mount point. A list of all available parsers and lists could be produced by running:

log2timeline -f list

As noted earlier, the above approach would produce a large “kitchen-sink” approach timeline that is not sorted. To sort that one (no filtering):

cd /cases/timeline
l2t_process.py -b myhost.csv > myhost.sorted.csv

Now we would have a large sorted CSV file ready to analyze.

Limiting the output to a specific date could be achieved using methods like:

l2t_process.py -b myhost.csv 10-10-2012..10-11-2012

However, you could not limit the output of the timeline to a more narrow timeframe than a single day, for that you needed grep (or some other tools of choice).

l2t_process.py -b myhost.csv 10-10-2012..10-11-2012 | grep ",1[8-9]:[0-5][0-9]:[0-9][0-9],"

And filtering based on content was constrained to few options:

Use a keyword file that contained case-insensitive potentially regular expressions and supply that as a white- or blacklist.
Use a YARA rule that matched against the description_long field.
Use grep/sed/awk.

The problem with most of the l2t_process filtering is that it was either done on the whole line or against the description_long field. There was no easy way to filter against a more specific attribute of the event.

New method¶

Since the new version works directly on a raw image file there is no need to mount the image first (and mounting them is actually highly discouraged), the timeline can be created in a single step:

log2timeline.py /cases/timeline/myhost.plaso image.dd

The tool will detect whether or not the input is a file, directory or a disk image/partition. If the tool requires additional information, such as when VSS stores are detected or more than a single partition in the volume the tool will ask for additional details. An example of that:

The following Volume Shadow Snapshots (VSS) were found:
Identifier      VSS store identifier                    Creation Time
vss1            23b509aa-3499-11e3-be88-24fd52566ede    2013-10-16T13:18:01.685825+00:00
vss2            8dfc93b3-376f-11e3-be88-24fd52566ede    2013-10-18T00:28:29.120593+00:00
vss3            dc8ffcf4-3a6b-11e3-be8a-24fd52566ede    2013-10-21T19:24:50.879381+00:00

Please specify the identifier(s) of the VSS that should be processed:
Note that a range of stores can be defined as: 3..5. Multiple stores can
be defined as: 1,3,5 (a list of comma separated values). Ranges and lists can
also be combined as: 1,3..5. The first store is 1. If no stores are specified
none will be processed. You can abort with Ctrl^C.

The options can also be supplied on the command line, --vss_stores '1,2' for defining the VSS stores to parse, or --no-vss or -vss-stores all for processing all VSS stores.

This can be achieved without calculating the offset into the disk image.

log2timeline.py --partitions 2 /cases/timeline/myhost.dump image.dd

First of all there is quite a difference in the number of parameters, let’s go slightly over them:

There is no -r for recursive, when the tool is run against an image or a directory recursive is automatically assumed, run it against a single file and it recursion is not turned on.
There is no need to supply the tool with the -p (preprocessing) when run against an image, that is automatically turned on.
The -z CST6CDT is not used here. The tool does automatically pick up the timezone and use that. However in the case the timezone is not identified the option is still possible and in fact if not provided uses UTC as the timezone.
You may have noticed there is no -f list parameter used. The notion of selecting filters is now removed and is done automatically. The way the tool now works is that it tries to “guess” the OS and select the appropriate parsers based on that selection. The categories that are available can be found here or by issuing log2timeline.py --info. If you want to overwrite the automatic selection of parsers you can define them using the --parsers parameter.
You have to supply the tool with the parameter to define where to save the output (can no longer just output to STDOUT and pipe it to a file).

The equivalent call of the old tool of -f list can now be found using --info. That will print out all available parsers and plugins in the tool. One thing to take note of is the different concepts of either plugins or parsers. In the old tool there was just the notion of a parser, which purpose it was to parse a single file/artifact. However plaso introduces both plugins and parsers, and there is a distinction between the two. The parser understands and parses file formats whereas a plugin understands data inside file formats. So in the case of the Windows Registry the parser understands the file format of the registry and parses that, but it’s the purpose of a plugin to read the actual key content and produce meaningful data of it. The same goes with SQLite databases, the parser understands how to read SQLite databases while the plugins understand the data in them, an example of a SQLite plugin is the Chrome History plugin, or the Firefox History plugin. Both are SQLite databases so the use the same parser, but the data stored in them is different, thus we need a plugin for that.

To see the list of presets that are available use the --info parameter. The old tool allowed you to indicate which presets you wanted using the -f parameter. In the new version this same functionality is exposed as the --parsers parameter. The difference now is that now you can supply globs or patterns to match parser names (since they are longer than in the previous version). Example usage of this parameter is:

log2timeline.py --parsers "win7" /cases/timeline/myhost.dump image.dd
log2timeline.py --parsers "win7,-winreg" /cases/timeline/myhost.dump image.dd
log2timeline.py --parsers "winreg,winevt,winevtx" /cases/timeline/myhost.dump image.dd

There is another difference, the old tool used l2t_csv as the default output, which could be configured using the -o parameter of log2timeline. This output was all saved in a single file that was unsorted, which meant that a post-processing tool called l2t_process needed to be run to sort the output and remove duplicate entries before analysis started (you could however immediately start to grep the output).

The new version does not allow you to control the output (ATM, that support will be added into future versions), there is only one available output and that is the plaso storage file. That output is a ZIP container that stores binary files that represent each event. This has many benefits over the older format, since first of all the data is compressed, saving disk space, and it can store metadata about the runtime of the tool, information gathered during the parsing and other useful information that could not be stored in the older format. The data is also stored semi sorted (several smaller sorted files), which makes sorting easier (and less strenuous on memory), and finally the data is stored in a more structured format making filtering considerably easier and more flexible.

The downside of the storage format is that you can no longer immediately start to grep or analyze the output of the tool, now you need to run a second tool to sort, remove duplicates and change it into a human readable format.

psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.dump

However, with the new storage format and the filtering possibilities of psort, many new things are now available that were not possible in the older version. For instance the possibility to narrow down the window of output to few minutes:

psort.py /cases/timeline/myhost.dump "date > '2012-10-10 18:24:00' and date < '2012-10-10 22:25:19'"

Or to a specific dataset:

psort.py /cases/timeline/myhost.dump "date > '2012-10-10 12:00:00' and date < '2012-10-10 23:55:14' and message contains 'evil' and (source is 'LNK' or timestamp_desc iregexp 'st\swr' or filename contains 'mystery')"

Or to just present a small time slice based on a particular event of interest:

psort.py --slice "2012-10-10 12:00:00" /cases/timeline/myhost.dump

Developer documentation¶

Developer Guide¶

Setting up and maintaining your development environment¶

The first challenge you will encounter is setting up and maintaining your development environment.

Start by installing a development release on your platform:

Building dependencies¶

If you’re feeling particularly brave, you can try building all the dependencies yourself.

Note that Plaso and some dependencies are currently actively under development keeping up with the development release is not for “the faint of heart”.

Getting Started¶

Once you’ve set up your development environment we recommend start simple:

Design¶

Overview of the general architecture of Plaso:

Roadmap¶

A high level roadmap can be found here. Individual features are tracked as a github issue and labeled as “enhancement”. A list of features can be found here.

Contributing Code¶

Want to add a parser to Plaso and you are ready to go? Start by checking here if someone is already working on it. If you don’t see anything there you can just go ahead and create an issue on the github site and mark it as “enhancement”. Assign the issue to yourself so that we can keep track on who is working on what.

If you cannot program and still have a great idea for a feature please go ahead and create an issue and leave it unassigned, note that the priority will be who ever wants to work on it. Or consider this the idea opportunity to learn yourself Python programming.

Before you start writing the code, please review the following:

Style guide. All code submitted to the project needs to follow this style guide.
Code review. All code that is submitted into the project needs to be reviewed by at least one other person.
Adding a new dependency. If your code requires adding a new dependency please check out these instructions.

Before you submit your first code review¶

Join the development mailing list: log2timeline-dev@googlegroups.com, we recommend using the same account as step 1
Install the required development tools like pylint, python-mock, sphinx
Make sure to run all the tests inside the Plaso and the dfVFS codebase, and that they successfully complete on your development system
Make sure your development system is set up correctly so that you can develop and test correctly.
Make sure your email address and name are correctly set in git e.g.:

git config --global user.name "Full Name"
git config --global user.email name@example.com
git config --global push.default matching

Use git config -l to determine the current configuration.

Core features changes¶

Sometimes you need to make some change to the core of the Plaso codebase. In those cases we ask that contributors first create a short design doc explaining the rationale behind the change. The design doc needs to contain:

Describe the problem you are facing
List the objectives of this change
Mention what is in scope and what’s not
Describe the solution/proposal

The preferred way of creating these design docs is to use Google Docs and send the link to the development mailing list so that it can be discussed further before starting to implement the code.

The current design docs are stored here. You may not have access to that folder, so you may need to request access to it.

Tests¶

Tests are part of a maintainable code base. Code without sufficient test is very likely to be broken by a large rewrite/refactor.

Some guidelines for writing tests: Style guide - tests

Code Review¶

All code submitted into the plaso project goes through code review. We use the GitHub codereview process, which while not perfect, is good enough for our purposes.

One helpful hint is while you have a code in code review monitor the development mailing list for large changes or new dependencies that may potentially affect your code. Such changes may include code re-factors that change plugin interface while you have a plugin in review. These should be rare but they do happen every now and then.

Process¶

Plaso follows the Log2timeline project code review process

Style Guide¶

Plaso follows the log2timeline style guide.

Plaso specific style points¶

Tests¶

Use as much as possible the test functions available in the local test_lib.py instead of writing your own test functions. If you think a test function is missing please add it, or mail the developer list to see if you can get someone else to do it.
Use self.CheckTimestamp for testing timestamp values.

Common test code should be stored in “test library” files, e.g. the parser test library:

tests/parsers/test_lib.py

We do this for various reasons:

to remove code duplication in “boiler plate” test code;
to make the tests more uniform in both look-and-feel but also what is tested;
improve test coverage;
isolate core functionality from tests to prevent some future core changes affecting the parsers and plugins too much.

How to write a parser¶

Introduction¶

This page is intended to give you an introduction into developing a parser for plaso.

First a step-by-step example is provided to create a simple binary parser for the Safari Cookies.binarycookies file.
At bottom are some common troubleshooting tips that others have run into before you.

This page assumes you have at least a basic understanding of programming in Python and use of git.

Format¶

Before you can write a binary file parser you will need to have a good understanding of the file format. A description of the Safari Cookies.binarycookies format can be found here.

Parsers vs. Plugins¶

Before starting work on a parser, check if Plaso already has a parser that handles the underlying format of the file you’re parsing. Plaso currently supports plugins for the following file formats:

Bencode
Web Browser Cookies
ESEDB
OLECF
Plist
SQLite
Syslog
Windows Registry

If the artifact you’re trying to parse is in one of these formats, you need to write a plugin of the appropriate type, rather than a parser.

For our example, however, the Safari Cookies.binarycookies file is in its own binary format, so a separate parser is appropriate.

Test data¶

First we make a representative test file and add it to the test_data/ directory, in our example:

test_data/Cookies.binarycookies

Make sure that the test file does not contain sensitive or copyrighted material.

Parsers, formatters, events and event data¶

parser; subclass of plaso.parsers.interface.FileObjectParser, that extracts events from the content of a file.
formatter (or event formatter); subclass of plaso.formatters.interface.EventFormatter, that generates a human readable description of the event data.
event; subclass of plaso.containers.events.EventObject, that represents an event
event data; subclass of plaso.containers.events.EventData, that represents data related to the event.

Writing the parser¶

Registering the parser¶

Add an import for the parser to:

plaso/parsers/__init__.py

from plaso.parsers import safari_cookies

When plaso.parsers is imported this will load the safari_cookies module (safari_cookies.py).

The parser class BinaryCookieParser is registered using manager.ParsersManager.RegisterParser(BinaryCookieParser).

plaso/parsers/safari_cookies.py

# -*- coding: utf-8 -*-
"""Parser for Safari Binary Cookie files."""

from plaso.parsers import interface
from plaso.parsers import manager

class BinaryCookieParser(interface.FileObjectParser):
  """Parser for Safari Binary Cookie files."""

  NAME = u'binary_cookies'
  DESCRIPTION = u'Parser for Safari Binary Cookie files.'

  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Safari binary cookie file-like object.

    Args:
      parser_mediator (ParserMediator): parser mediator.
      file_object (dfvfs.FileIO): file-like object to be parsed.

    Raises:
      UnableToParseFile: when the file cannot be parsed, this will signal
          the event extractor to apply other parsers.
    """
    ...

manager.ParsersManager.RegisterParser(BinaryCookieParser)

NAME
DESCRIPTION

Writing the event formatter¶

plaso/formatters/safari_cookies.py

How to write a parser plugin¶

Writing a parser plugin is different depending on which parser you’re writing a plugin for. Parsers that support plugins are:

bencode
cookie
esedb
olecf
plist
sqlite
syslog
winreg

How to write an analysis plugin¶

Create file and class¶

Plugin file in plaso/analysis/
- Create an empty subclass of plaso.analysis.interface.AnalysisPlugin
- Register it with the analysis plugin by calling AnalysisPluginManager.RegisterPlugin
Test file in tests/analysis/
- Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase

Write minimal tests¶

Write a test that loads your plugin
It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.

Develop plugin¶

Implement your subclass of plaso.analysis.interface.AnalysisPlugin
You’ll need to define/override:
- NAME
- ExamineEvent()
- CompileReport()
You may also want to override:
- URLS
- ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.

Expand tests¶

Add additional tests that test your plugin

Register classes¶

Edit plaso/analysis/__init__.py to import your plugin in the correct alphabetical order.

Code review/submit¶

How to write an output module¶

Create file and class¶

Plugin file in plaso/output/
- Create an empty subclass of plaso.output.interface.OutputModule
- Register it with the output module manager by calling OutputManager.RegisterOutput
Test file in tests/output/
- Create an empty subclass of tests.output.test_lib.OutputModuleTestCase

Write minimal tests¶

Write a test that loads your output module.
It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.

Develop plugin¶

Implement your subclass of plaso.output.interface.OutputModule
You’ll need to define/overwrite:
- NAME
- DESCRIPTION
- WriteEventBody
You may also want to override:
- Open()
- Close()
- GetMissingArguments()
- WriteHeader()
- WriteEventStart()
- WriteEventEnd()
- WriteEventMACBGroup()
- WriteFooter()

Expand tests¶

Add additional tests that test your plugin

Register classes¶

Edit plaso/output/__init__.py to import your plugin in the correct alphabetical order.

Code review/submit¶

plaso package¶

Subpackages¶

plaso.analysis package¶

Submodules¶

plaso.analysis.browser_search module¶

plaso.analysis.chrome_extension module¶

A plugin that gather extension IDs from Chrome history browser.

class plaso.analysis.chrome_extension.ChromeExtensionPlugin[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

Convert Chrome extension IDs into names, requires Internet connection.

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: analysis report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = True¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an event.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event to examine.
event_data (EventData) – event data.

NAME = 'chrome_extension'¶

plaso.analysis.definitions module¶

This file contains the definitions for analysis plugins.

plaso.analysis.file_hashes module¶

A plugin to generate a list of unique hashes and paths.

class plaso.analysis.file_hashes.FileHashesPlugin[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

A plugin for generating a list of file paths and corresponding hashes.

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = True¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an event and creates extracts hashes as required.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event to examine.
event_data (EventData) – event data.

NAME = 'file_hashes'¶

plaso.analysis.interface module¶

This file contains the interface for analysis plugins.

class plaso.analysis.interface.AnalysisPlugin[source]¶

Bases: object

Class that defines the analysis plugin interface.

CompileReport(mediator)[source]¶

Compiles a report of the analysis.

After the plugin has received every copy of an event to analyze this function will be called so that the report can be assembled.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = False¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an event.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event.
event_data (EventData) – event data.

NAME = 'analysis_plugin'¶

URLS = []¶

plugin_name¶

name of the plugin.

Type: str

class plaso.analysis.interface.HTTPHashAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]¶

Bases: plaso.analysis.interface.HashAnalyzer

Interface for hash analysis plugins that use HTTP(S)

Analyze(hashes)[source]¶

Analyzes a list of hashes.

Parameters: hashes (list[str]) – hashes to look up.
Returns: analysis results.
Return type: list[HashAnalysis]

MakeRequestAndDecodeJSON(url, method, **kwargs)[source]¶

Make a HTTP request and decode the results as JSON.

Parameters

url (str) – URL to make a request to.
method (str) – HTTP method to used to make the request. GET and POST are supported.
kwargs – parameters to the requests .get() or post() methods, depending on the value of the method parameter.

Returns

body of the HTTP response, decoded from JSON.

Return type

dict[str, object]

Raises

ConnectionError – If it is not possible to connect to the given URL, or it the request returns a HTTP error.
ValueError – If an invalid HTTP method is specified.

class plaso.analysis.interface.HashAnalysis(subject_hash, hash_information)[source]¶

Bases: object

Analysis information about a hash.

hash_information¶

object containing information about the hash.

Type: object

subject_hash¶

hash that was analyzed.

Type: str

class plaso.analysis.interface.HashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0)[source]¶

Bases: threading.Thread

Class that defines the interfaces for hash analyzer threads.

This interface should be implemented once for each hash analysis plugin.

analyses_performed¶

number of analysis batches completed by this analyzer.

Type: int

hashes_per_batch¶

maximum number of hashes to analyze at once.

Type: int

lookup_hash¶

name of the hash attribute to look up.

Type: str

seconds_spent_analyzing¶

number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.)

Type: int

wait_after_analysis¶

number of seconds the analyzer will sleep for after analyzing a batch of hashes.

Type: int

Analyze(hashes)[source]¶

Analyzes a list of hashes.

Parameters: hashes (list[str]) – list of hashes to look up.
Returns: list of results of analyzing the hashes.
Return type: list[HashAnalysis]

EMPTY_QUEUE_WAIT_TIME = 4¶

SUPPORTED_HASHES = []¶

SetLookupHash(lookup_hash)[source]¶

Sets the hash to query.

Parameters: lookup_hash (str) – name of the hash attribute to look up.
Raises: ValueError – if the lookup hash is not supported.

SignalAbort()[source]¶: Instructs this analyzer to stop running.

run()[source]¶: The method called by the threading library to start the thread.

class plaso.analysis.interface.HashTaggingAnalysisPlugin(analyzer_class)[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

An interface for plugins that tag events based on the source file hash.

An implementation of this class should be paired with an implementation of the HashAnalyzer interface.

hash_analysis_queue¶

queue that contains the results of analysis of file hashes.

Type: Queue.queue

hash_queue¶

queue that contains file hashes.

Type: Queue.queue

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: report.
Return type: AnalysisReport

DATA_TYPES = []¶

DEFAULT_QUEUE_TIMEOUT = 4¶

EstimateTimeRemaining()[source]¶

Estimates how long until all hashes have been analyzed.

Returns: estimated number of seconds until all hashes have been analyzed.
Return type: int

ExamineEvent(mediator, event, event_data)[source]¶

Evaluates whether an event contains the right data for a hash lookup.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event.
event_data (EventData) – event data.

GenerateLabels(hash_information)[source]¶

Generates a list of strings to tag events with.

Parameters: hash_information (object) – object that mediates the result of the analysis of a hash, as returned by the Analyze() method of the analyzer class associated with this plugin.
Returns: list of labels to apply to events.
Return type: list[str]

SECONDS_BETWEEN_STATUS_LOG_MESSAGES = 30¶

SetLookupHash(lookup_hash)[source]¶

Sets the hash to query.

Parameters: lookup_hash (str) – name of the hash attribute to look up.

plaso.analysis.logger module¶

The analysis sub module logger.

plaso.analysis.manager module¶

This file contains the analysis plugin manager class.

class plaso.analysis.manager.AnalysisPluginManager[source]¶

Bases: object

Analysis plugin manager.

classmethod DeregisterPlugin(plugin_class)[source]¶

Deregisters an analysis plugin class.

The analysis plugin classes are identified by their lower case name.

Parameters: plugin_class (type) – class of the analysis plugin.
Raises: KeyError – if an analysis plugin class is not set for the corresponding name.

classmethod GetAllPluginInformation(show_all=True)[source]¶

Retrieves a list of the registered analysis plugins.

Parameters

show_all (Optional[bool]) – True if all analysis plugin names should be listed.

Returns

the name, docstring and type string of each: analysis plugin in alphabetical order.

Return type

list[tuple[str, str, str]]

classmethod GetPluginNames()[source]¶

Retrieves the analysis plugin names.

Returns: analysis plugin names.
Return type: list[str]

classmethod GetPluginObjects(plugin_names)[source]¶

Retrieves the plugin objects.

Parameters: plugin_names (list[str]) – names of plugins that should be retrieved.
Returns: analysis plugins per name.
Return type: dict[str, AnalysisPlugin]

classmethod GetPlugins()[source]¶

Retrieves the registered analysis plugin classes.

Yields

tuple –

containing:

str: name of the plugin type: plugin class

classmethod RegisterPlugin(plugin_class)[source]¶

Registers an analysis plugin class.

Then analysis plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the analysis plugin.
Raises: KeyError – if an analysis plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]¶

Registers analysis plugin classes.

The analysis plugin classes are identified based on their lower case name.

Parameters: plugin_classes (list[type]) – classes of the analysis plugin.
Raises: KeyError – if an analysis plugin class is already set for the corresponding name.

plaso.analysis.mediator module¶

plaso.analysis.nsrlsvr module¶

Analysis plugin to look up files in nsrlsvr and tag events.

class plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin[source]¶

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

Analysis plugin for looking up hashes in nsrlsvr.

DATA_TYPES = ['fs:stat', 'fs:stat:ntfs']¶

GenerateLabels(hash_information)[source]¶

Generates a list of strings that will be used in the event tag.

Parameters: hash_information (bool) – whether the analyzer received a response from nsrlsvr indicating that the hash was present in its loaded NSRL set.
Returns: strings describing the results from nsrlsvr.
Return type: list[str]

NAME = 'nsrlsvr'¶

SetHost(host)[source]¶

Sets the address or hostname of the server running nsrlsvr.

Parameters: host (str) – IP address or hostname to query.

SetLabel(label)[source]¶

Sets the tagging label.

Parameters: label (str) – label to apply to events extracted from files that are present in nsrlsvr.

SetPort(port)[source]¶

Sets the port where nsrlsvr is listening.

Parameters: port (int) – port to query.

TestConnection()[source]¶

Tests the connection to nsrlsvr.

Returns: True if nsrlsvr instance is reachable.
Return type: bool

URLS = ['https://rjhansen.github.io/nsrlsvr/']¶

class plaso.analysis.nsrlsvr.NsrlsvrAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]¶

Bases: plaso.analysis.interface.HashAnalyzer

Analyzes file hashes by consulting an nsrlsvr instance.

analyses_performed¶

number of analysis batches completed by this analyzer.

Type: int

hashes_per_batch¶

maximum number of hashes to analyze at once.

Type: int

seconds_spent_analyzing¶

number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.)

Type: int

wait_after_analysis¶

number of seconds the analyzer will sleep for after analyzing a batch of hashes.

Type: int

Analyze(hashes)[source]¶

Looks up hashes in nsrlsvr.

Parameters: hashes (list[str]) – hash values to look up.
Returns: analysis results, or an empty list on error.
Return type: list[HashAnalysis]

SUPPORTED_HASHES = ['md5', 'sha1']¶

SetHost(host)[source]¶

Sets the address or hostname of the server running nsrlsvr.

Parameters: host (str) – IP address or hostname to query.

SetPort(port)[source]¶

Sets the port where nsrlsvr is listening.

Parameters: port (int) – port to query.

TestConnection()[source]¶

Tests the connection to nsrlsvr.

Checks if a connection can be set up and queries the server for the MD5 of an empty file and expects a response. The value of the response is not checked.

Returns: True if nsrlsvr instance is reachable.
Return type: bool

plaso.analysis.sessionize module¶

A plugin to tag events according to rules in a tag file.

class plaso.analysis.sessionize.SessionizeAnalysisPlugin[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

Analysis plugin that labels events by session.

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: analysis report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = False¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an EventObject and tags it as part of a session.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event to examine.
event_data (EventData) – event data.

NAME = 'sessionize'¶

SetMaximumPause(maximum_pause_minutes)[source]¶

Sets the maximum pause interval between events to consider a session.

Parameters: maximum_pause_minutes (int) – maximum gap between events that are part of the same session, in minutes.

plaso.analysis.tagging module¶

A plugin to tag events according to rules in a tagging file.

class plaso.analysis.tagging.TaggingAnalysisPlugin[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

Analysis plugin that tags events according to rules in a tagging file.

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: analysis report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = True¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an EventObject and tags it according to rules in the tag file.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event to examine.
event_data (EventData) – event data.

NAME = 'tagging'¶

SetAndLoadTagFile(tagging_file_path)[source]¶

Sets the tag file to be used by the plugin.

Parameters: tagging_file_path (str) – path of the tagging file.

plaso.analysis.unique_domains_visited module¶

A plugin to generate a list of domains visited.

class plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin[source]¶

Bases: plaso.analysis.interface.AnalysisPlugin

A plugin to generate a list all domains visited.

This plugin will extract domains from browser history events extracted by Plaso. The list produced can be used to quickly determine if there has been a visit to a site of interest, for example, a known phishing site.

CompileReport(mediator)[source]¶

Compiles an analysis report.

Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns: the analysis report.
Return type: AnalysisReport

ENABLE_IN_EXTRACTION = True¶

ExamineEvent(mediator, event, event_data)[source]¶

Analyzes an event and extracts domains from it.

We only evaluate straightforward web history events, not visits which can be inferred by TypedURLs, cookies or other means.

Parameters

mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
event (EventObject) – event to examine.
event_data (EventData) – event data.

NAME = 'unique_domains_visited'¶

plaso.analysis.viper module¶

Analysis plugin to look up files in Viper and tag events.

class plaso.analysis.viper.ViperAnalysisPlugin[source]¶

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

An analysis plugin for looking up SHA256 hashes in Viper.

DATA_TYPES = ['pe:compilation:compilation_time']¶

GenerateLabels(hash_information)[source]¶

Generates a list of strings that will be used in the event tag.

Parameters: hash_information (dict[str, object]) – JSON decoded contents of the result of a Viper lookup, as produced by the ViperAnalyzer.
Returns: list of labels to apply to events.
Return type: list[str]

NAME = 'viper'¶

SetHost(host)[source]¶

Sets the address or hostname of the server running Viper server.

Parameters: host (str) – IP address or hostname to query.

SetPort(port)[source]¶

Sets the port where Viper server is listening.

Parameters: port (int) – port to query.

SetProtocol(protocol)[source]¶

Sets the protocol that will be used to query Viper.

Parameters: protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
Raises: ValueError – If an invalid protocol is selected.

TestConnection()[source]¶

Tests the connection to the Viper server.

Returns: True if the Viper server instance is reachable.
Return type: bool

URLS = ['https://viper.li']¶

class plaso.analysis.viper.ViperAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]¶

Bases: plaso.analysis.interface.HTTPHashAnalyzer

Class that analyzes file hashes by consulting Viper.

REST API reference:: https://viper-framework.readthedocs.org/en/latest/usage/web.html#api

Analyze(hashes)[source]¶

Looks up hashes in Viper using the Viper HTTP API.

Parameters: hashes (list[str]) – hashes to look up.
Returns: hash analysis.
Return type: list[HashAnalysis]
Raises: RuntimeError – If no host has been set for Viper.

SUPPORTED_HASHES = ['md5', 'sha256']¶

SUPPORTED_PROTOCOLS = ['http', 'https']¶

SetHost(host)[source]¶

Sets the address or hostname of the server running Viper server.

Parameters: host (str) – IP address or hostname to query.

SetPort(port)[source]¶

Sets the port where Viper server is listening.

Parameters: port (int) – port to query.

SetProtocol(protocol)[source]¶

Sets the protocol that will be used to query Viper.

Parameters: protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
Raises: ValueError – if the protocol is not supported.

TestConnection()[source]¶

Tests the connection to the Viper server.

Returns: True if the Viper server instance is reachable.
Return type: bool

plaso.analysis.virustotal module¶

Analysis plugin to look up files in VirusTotal and tag events.

class plaso.analysis.virustotal.VirusTotalAnalysisPlugin[source]¶

Bases: plaso.analysis.interface.HashTaggingAnalysisPlugin

An analysis plugin for looking up hashes in VirusTotal.

DATA_TYPES = ['pe:compilation:compilation_time']¶

EnableFreeAPIKeyRateLimit()[source]¶

Configures Rate limiting for queries to VirusTotal.

The default rate limit for free VirusTotal API keys is 4 requests per minute.

GenerateLabels(hash_information)[source]¶

Generates a list of strings that will be used in the event tag.

Parameters: hash_information (dict[str, object]) – the JSON decoded contents of the result of a VirusTotal lookup, as produced by the VirusTotalAnalyzer.
Returns: strings describing the results from VirusTotal.
Return type: list[str]

NAME = 'virustotal'¶

SetAPIKey(api_key)[source]¶

Sets the VirusTotal API key to use in queries.

Parameters: api_key (str) – VirusTotal API key

TestConnection()[source]¶

Tests the connection to VirusTotal

Returns: True if VirusTotal is reachable.
Return type: bool

URLS = ['https://virustotal.com']¶

class plaso.analysis.virustotal.VirusTotalAnalyzer(hash_queue, hash_analysis_queue, **kwargs)[source]¶

Bases: plaso.analysis.interface.HTTPHashAnalyzer

Class that analyzes file hashes by consulting VirusTotal.

Analyze(hashes)[source]¶

Looks up hashes in VirusTotal using the VirusTotal HTTP API.

The API is documented here:: https://www.virustotal.com/en/documentation/public-api/

Parameters: hashes (list[str]) – hashes to look up.
Returns: analysis results.
Return type: list[HashAnalysis]
Raises: RuntimeError – If the VirusTotal API key has not been set.

SUPPORTED_HASHES = ['md5', 'sha1', 'sha256']¶

SetAPIKey(api_key)[source]¶

Sets the VirusTotal API key to use in queries.

Parameters: api_key (str) – VirusTotal API key

TestConnection()[source]¶

Tests the connection to VirusTotal

Returns: True if VirusTotal is reachable.
Return type: bool

plaso.analysis.windows_services module¶

Module contents¶

plaso.analyzers package¶

Subpackages¶

plaso.analyzers.hashers package¶

Submodules¶

plaso.analyzers.hashers.entropy module¶

The entropy calculation implementation.

class plaso.analyzers.hashers.entropy.EntropyHasher[source]¶

Bases: plaso.analyzers.hashers.interface.BaseHasher

Calculates the byte entropy of input files.

ATTRIBUTE_NAME = 'file_entropy'¶

DESCRIPTION = 'Calculates the byte entropy of input data.'¶

GetStringDigest()[source]¶

Calculates the byte entropy value.

Byte entropy is a value between 0.0 and 8.0, and is returned as a string to match the Plaso analyzer and storage APIs.

Returns

byte entropy formatted as a floating point number with 6 decimal: places calculated over the data blocks passed to Update().

Return type

str

NAME = 'entropy'¶

Update(data)[source]¶

Updates the state of the entropy calculator with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters: data (bytes) – block of data with which to update the context of the entropy calculator.

plaso.analyzers.hashers.interface module¶

The hasher interface.

class plaso.analyzers.hashers.interface.BaseHasher[source]¶

Bases: object

Base class for objects that calculate hashes.

ATTRIBUTE_NAME = 'hash'¶

DESCRIPTION = 'Calculates a digest hash over input data.'¶

GetStringDigest()[source]¶

Retrieves the digest of the hash function expressed as a Unicode string.

Returns

string hash digest calculated over the data blocks passed to: Update(). The string consists of printable Unicode characters.

Return type

str

NAME = 'base_hasher'¶

Update(data)[source]¶

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters: data (bytes) – data with which to update the context of the hasher.

plaso.analyzers.hashers.manager module¶

This file contains a class for managing digest hashers for Plaso.

class plaso.analyzers.hashers.manager.HashersManager[source]¶

Bases: object

Class that implements the hashers manager.

classmethod DeregisterHasher(hasher_class)[source]¶

Deregisters a hasher class.

The hasher classes are identified based on their lower case name.

Parameters: hasher_class (type) – class object of the hasher.
Raises: KeyError – if hasher class is not set for the corresponding name.

classmethod GetHasher(hasher_name)[source]¶

Retrieves an instance of a specific hasher.

Parameters: hasher_name (str) – the name of the hasher to retrieve.
Returns: hasher.
Return type: BaseHasher
Raises: KeyError – if hasher class is not set for the corresponding name.

classmethod GetHasherClasses(hasher_names=None)[source]¶

Retrieves the registered hashers.

Parameters

hasher_names (list[str]) – names of the hashers to retrieve.

Yields

tuple –

containing:

str: parser name type: next hasher class.

classmethod GetHasherNames()[source]¶

Retrieves the names of all loaded hashers.

Returns: hasher names.
Return type: list[str]

classmethod GetHasherNamesFromString(hasher_names_string)[source]¶

Retrieves a list of a hasher names from a comma separated string.

Takes a string of comma separated hasher names transforms it to a list of hasher names.

Parameters

hasher_names_string (str) – comma separated names of hashers to enable, the string ‘all’ to enable all hashers or ‘none’ to disable all hashers.

Returns

names of valid hashers from the string, or an empty list if no: valid names are found.

Return type

list[str]

classmethod GetHashers(hasher_names)[source]¶

Retrieves instances for all the specified hashers.

Parameters: hasher_names (list[str]) – names of the hashers to retrieve.
Returns: hashers.
Return type: list[BaseHasher]

classmethod GetHashersInformation()[source]¶

Retrieves the hashers information.

Returns

containing:

str: hasher name. str: hasher description.

Return type

list[tuple]

classmethod RegisterHasher(hasher_class)[source]¶

Registers a hasher class.

The hasher classes are identified based on their lower case name.

Parameters: hasher_class (type) – class object of the hasher.
Raises: KeyError – if hasher class is already set for the corresponding name.

plaso.analyzers.hashers.md5 module¶

The MD5 hasher implementation.

class plaso.analyzers.hashers.md5.MD5Hasher[source]¶

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides MD5 hashing functionality.

ATTRIBUTE_NAME = 'md5_hash'¶

DESCRIPTION = 'Calculates an MD5 digest hash over input data.'¶

GetStringDigest()[source]¶

Returns the digest of the hash function expressed as a Unicode string.

Returns

string hash digest calculated over the data blocks passed to: Update(). The string consists of printable Unicode characters.

Return type

str

NAME = 'md5'¶

Update(data)[source]¶

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters: data (bytes) – block of data with which to update the context of the hasher.

plaso.analyzers.hashers.sha1 module¶

The SHA-1 Hasher implementation

class plaso.analyzers.hashers.sha1.SHA1Hasher[source]¶

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides SHA-1 hashing functionality.

ATTRIBUTE_NAME = 'sha1_hash'¶

DESCRIPTION = 'Calculates a SHA-1 digest hash over input data.'¶

GetStringDigest()[source]¶

Returns the digest of the hash function expressed as a Unicode string.

Returns

string hash digest calculated over the data blocks passed to: Update(). The string consists of printable Unicode characters.

Return type

str

NAME = 'sha1'¶

Update(data)[source]¶

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters: data (bytes) – block of data with which to update the context of the hasher.

plaso.analyzers.hashers.sha256 module¶

The SHA-256 Hasher implementation

class plaso.analyzers.hashers.sha256.SHA256Hasher[source]¶

Bases: plaso.analyzers.hashers.interface.BaseHasher

This class provides SHA-256 hashing functionality.

ATTRIBUTE_NAME = 'sha256_hash'¶

DESCRIPTION = 'Calculates a SHA-256 digest hash over input data.'¶

GetStringDigest()[source]¶

Returns the digest of the hash function expressed as a Unicode string.

Returns

string hash digest calculated over the data blocks passed to: Update(). The string consists of printable Unicode characters.

Return type

str

NAME = 'sha256'¶

Update(data)[source]¶

Updates the current state of the hasher with a new block of data.

Repeated calls to update are equivalent to one single call with the concatenation of the arguments.

Parameters: data (bytes) – block of data with which to update the context of the hasher.

Module contents¶

This file imports Python modules that register hashers.

Submodules¶

plaso.analyzers.hashing_analyzer module¶

The hashing analyzer implementation.

class plaso.analyzers.hashing_analyzer.HashingAnalyzer[source]¶

Bases: plaso.analyzers.interface.BaseAnalyzer

This class contains code for calculating file hashes of input files.

In Plaso, hashers are classes that map arbitrarily sized file content to a fixed size value. See: https://en.wikipedia.org/wiki/Hash_function

Analyze(data)[source]¶

Updates the internal state of the analyzer, processing a block of data.

Repeated calls are equivalent to a single call with the concatenation of all the arguments.

Parameters: data (bytes) – block of data from the data stream.

DESCRIPTION = 'Calculates hashes of file content.'¶

GetResults()[source]¶

Retrieves the hashing results.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = True¶

NAME = 'hashing'¶

PROCESSING_STATUS_HINT = 'hashing'¶

Reset()[source]¶: Resets the internal state of the analyzer.

SetHasherNames(hasher_names_string)[source]¶

Sets the hashers that should be enabled.

Parameters: hasher_names_string (str) – comma separated names of hashers to enable.

plaso.analyzers.interface module¶

Definitions to provide a whole-file processing framework.

class plaso.analyzers.interface.BaseAnalyzer[source]¶

Bases: object

Class that provides the interface for whole-file analysis.

Analyze(data)[source]¶

Analyzes a block of data, updating the state of the analyzer

Parameters: data (bytes) – block of data to process.

DESCRIPTION = ''¶

GetResults()[source]¶

Retrieves the results of the analysis.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = False¶

NAME = 'base_analyzer'¶

PROCESSING_STATUS_HINT = 'analyzing'¶

Reset()[source]¶: Resets the internal state of the analyzer.

SIZE_LIMIT = 33554432¶

plaso.analyzers.logger module¶

The analyzers sub module logger.

plaso.analyzers.manager module¶

This file contains a class for managing digest analyzers for Plaso.

class plaso.analyzers.manager.AnalyzersManager[source]¶

Bases: object

Class that implements the analyzers manager.

classmethod DeregisterAnalyzer(analyzer_class)[source]¶

Deregisters a analyzer class.

The analyzer classes are identified based on their lower case name.

Parameters: analyzer_class (type) – class object of the analyzer.
Raises: KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstance(analyzer_name)[source]¶

Retrieves an instance of a specific analyzer.

Parameters: analyzer_name (str) – name of the analyzer to retrieve.
Returns: analyzer instance.
Return type: BaseAnalyzer
Raises: KeyError – if analyzer class is not set for the corresponding name.

classmethod GetAnalyzerInstances(analyzer_names)[source]¶

Retrieves instances for all the specified analyzers.

Parameters: analyzer_names (list[str]) – names of the analyzers to retrieve.
Returns: analyzer instances.
Return type: list[BaseAnalyzer]

classmethod GetAnalyzerNames()[source]¶

Retrieves the names of all loaded analyzers.

Returns: of analyzer names.
Return type: list[str]

classmethod GetAnalyzers()[source]¶

Retrieves the registered analyzers.

Yields

tuple –

containing:

str: the uniquely identifying name of the analyzer type: the analyzer class.

classmethod GetAnalyzersInformation()[source]¶

Retrieves the analyzers information.

Returns

containing:

str: analyzer name. str: analyzer description.

Return type

list[tuple]

classmethod RegisterAnalyzer(analyzer_class)[source]¶

Registers a analyzer class.

The analyzer classes are identified by their lower case name.

Parameters: analyzer_class (type) – the analyzer class to register.
Raises: KeyError – if analyzer class is already set for the corresponding name.

plaso.analyzers.yara_analyzer module¶

Analyzer that matches Yara rules.

class plaso.analyzers.yara_analyzer.YaraAnalyzer[source]¶

Bases: plaso.analyzers.interface.BaseAnalyzer

Analyzer that matches Yara rules.

Analyze(data)[source]¶

Analyzes a block of data, attempting to match Yara rules to it.

Parameters: data (bytes) – a block of data.

DESCRIPTION = 'Matches Yara rules over input data.'¶

GetResults()[source]¶

Retrieves results of the most recent analysis.

Returns: results.
Return type: list[AnalyzerResult]

INCREMENTAL_ANALYZER = False¶

NAME = 'yara'¶

PROCESSING_STATUS_HINT = 'yara scan'¶

Reset()[source]¶: Resets the internal state of the analyzer.

SetRules(rules_string)[source]¶

Sets the rules that the Yara analyzer will use.

Parameters: rules_string (str) – Yara rule definitions

Module contents¶

This file imports Python modules that register analyzers.

plaso.cli package¶

Subpackages¶

plaso.cli.helpers package¶

Submodules¶

plaso.cli.helpers.analysis_plugins module¶

plaso.cli.helpers.artifact_definitions module¶

plaso.cli.helpers.artifact_filters module¶

plaso.cli.helpers.data_location module¶

plaso.cli.helpers.database_config module¶

plaso.cli.helpers.date_filters module¶

plaso.cli.helpers.dynamic_output module¶

plaso.cli.helpers.elastic_output module¶

plaso.cli.helpers.event_filters module¶

plaso.cli.helpers.extraction module¶

plaso.cli.helpers.filter_file module¶

plaso.cli.helpers.hashers module¶

plaso.cli.helpers.interface module¶

plaso.cli.helpers.language module¶

plaso.cli.helpers.manager module¶

plaso.cli.helpers.mysql_4n6time_output module¶

plaso.cli.helpers.nsrlsvr_analysis module¶

plaso.cli.helpers.output_modules module¶

plaso.cli.helpers.parsers module¶

plaso.cli.helpers.process_resources module¶

plaso.cli.helpers.profiling module¶

plaso.cli.helpers.server_config module¶

plaso.cli.helpers.sessionize_analysis module¶

plaso.cli.helpers.shared_4n6time_output module¶

plaso.cli.helpers.sqlite_4n6time_output module¶

plaso.cli.helpers.status_view module¶

plaso.cli.helpers.storage_file module¶

plaso.cli.helpers.storage_format module¶

plaso.cli.helpers.tagging_analysis module¶

plaso.cli.helpers.temporary_directory module¶

plaso.cli.helpers.text_prepend module¶

plaso.cli.helpers.timesketch_output module¶

plaso.cli.helpers.viper_analysis module¶

plaso.cli.helpers.virustotal_analysis module¶

plaso.cli.helpers.windows_services_analysis module¶

plaso.cli.helpers.workers module¶

plaso.cli.helpers.xlsx_output module¶

plaso.cli.helpers.yara_rules module¶

plaso.cli.helpers.zeromq module¶

Module contents¶

Submodules¶

plaso.cli.extraction_tool module¶

plaso.cli.image_export_tool module¶

plaso.cli.log2timeline_tool module¶

plaso.cli.logger module¶

The cli sub module logger.

plaso.cli.pinfo_tool module¶

plaso.cli.psort_tool module¶

plaso.cli.psteal_tool module¶

plaso.cli.status_view module¶

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)[source]¶

Bases: object

Processing status view.

GetAnalysisStatusUpdateCallback()[source]¶

Retrieves the analysis status update callback function.

Returns: status update callback function or None if not available.
Return type: function

GetExtractionStatusUpdateCallback()[source]¶

Retrieves the extraction status update callback function.

Returns: status update callback function or None if not available.
Return type: function

MODE_LINEAR = 'linear'¶

MODE_WINDOW = 'window'¶

PrintExtractionStatusHeader(processing_status)[source]¶

Prints the extraction status header.

Parameters: processing_status (ProcessingStatus) – processing status.

PrintExtractionSummary(processing_status)[source]¶

Prints a summary of the extraction.

Parameters: processing_status (ProcessingStatus) – processing status.

SetMode(mode)[source]¶

Sets the mode.

Parameters: mode (str) – status view mode.

SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)[source]¶

Sets the source information.

Parameters

source_path (str) – path of the source.
source_type (str) – source type.
artifact_filters (Optional[list[str]]) – names of artifact definitions to use as filters.
filter_file (Optional[str]) – filter file.

SetStorageFileInformation(storage_file_path)[source]¶

Sets the storage file information.

Parameters: storage_file_path (str) – path to the storage file.

plaso.cli.storage_media_tool module¶

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)[source]¶

Bases: plaso.cli.tools.CLITool

CLI tool that supports a storage media device or image as input.

AddCredentialOptions(argument_group)[source]¶

Adds the credential options to the argument group.

The credential options are use to unlock encrypted volumes.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

AddStorageMediaImageOptions(argument_group)[source]¶

Adds the storage media image options to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

AddVSSProcessingOptions(argument_group)[source]¶

Adds the VSS processing options to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

ScanSource(source_path)[source]¶

Scans the source path for volume and file systems.

This function sets the internal source path specification and source type values.

Parameters: source_path (str) – path to the source.
Returns: source scanner context.
Return type: dfvfs.SourceScannerContext
Raises: SourceScannerError – if the format of or within the source is not supported.

plaso.cli.time_slices module¶

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)[source]¶

Bases: object

Time slice.

The time slice is used to provide a context of events around an event of interest.

duration¶

duration of the time slice in minutes.

Type: int

event_timestamp¶

event timestamp of the time slice or None.

Type: int

end_timestamp¶

slice end timestamp or None.

Type: int

start_timestamp¶

slice start timestamp or None.

Type: int

plaso.cli.tool_options module¶

plaso.cli.tools module¶

The command line interface (CLI) tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')[source]¶

Bases: object

Command line interface input reader interface.

Read()[source]¶

Reads a string from the input.

Returns: input.
Return type: str

class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')[source]¶

Bases: object

Command line interface output writer interface.

Write(string)[source]¶

Writes a string to the output.

Parameters: string (str) – output.

class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)[source]¶

Bases: object

Command line interface tool.

list_timezones¶

True if the time zones should be listed.

Type: bool

preferred_encoding¶

preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.

Type: str

show_troubleshooting¶

True if troubleshooting information should be shown.

Type: bool

AddBasicOptions(argument_group)[source]¶

Adds the basic options to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

AddInformationalOptions(argument_group)[source]¶

Adds the informational options to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

AddLogFileOptions(argument_group)[source]¶

Adds the log file option to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

AddTimeZoneOption(argument_group)[source]¶

Adds the time zone option to the argument group.

Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

GetCommandLineArguments()[source]¶

Retrieves the command line arguments.

Returns: command line arguments.
Return type: str

GetVersionInformation()[source]¶

Retrieves the version information.

Returns: version information.
Return type: str

ListTimeZones()[source]¶: Lists the timezones.

NAME = ''¶

ParseNumericOption(options, name, base=10, default_value=None)[source]¶

Parses a numeric option.

If the option is not set the default value is returned.

Parameters

options (argparse.Namespace) – command line arguments.
name (str) – name of the numeric option.
base (Optional[int]) – base of the numeric value.
default_value (Optional[object]) – default value.

Returns

numeric value.

Return type

int

Raises

BadConfigOption – if the options are invalid.

ParseStringOption(options, argument_name, default_value=None)[source]¶

Parses a string command line argument.

Parameters

options (argparse.Namespace) – command line arguments.
argument_name (str) – name of the command line argument.
default_value (Optional[object]) – default value of the command line argument.

Returns

command line argument value. If the command line argument is: not set the default value will be returned.

Return type

object

Raises

BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

PrintSeparatorLine()[source]¶: Prints a separator line.

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')[source]¶

Bases: plaso.cli.tools.CLIInputReader

File object command line interface input reader.

This input reader relies on the file-like object having a readline method.

Read()[source]¶

Reads a string from the input.

Returns: input.
Return type: str

class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')[source]¶

Bases: plaso.cli.tools.CLIOutputWriter

File object command line interface output writer.

This output writer relies on the file-like object having a write method.

Write(string)[source]¶

Writes a string to the output.

Parameters: string (str) – output.

class plaso.cli.tools.StdinInputReader(encoding='utf-8')[source]¶

Bases: plaso.cli.tools.FileObjectInputReader

Stdin command line interface input reader.

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')[source]¶

Bases: plaso.cli.tools.FileObjectOutputWriter

Stdout command line interface output writer.

Write(string)[source]¶

Writes a string to the output.

Parameters: string (str) – output.

plaso.cli.views module¶

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None)[source]¶

Bases: object

Table view interface.

AddRow(values)[source]¶

Adds a row of values.

Parameters: values (list[object]) – values.
Raises: ValueError – if the number of values is out of bounds.

Write(output_writer)[source]¶

Writes the table to the output writer.

Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.CLITableView(column_names=None, title=None)[source]¶

Bases: plaso.cli.views.BaseTableView

Command line table view.

Note that currently this table view does not support more than 2 columns.

AddRow(values)[source]¶

Adds a row of values.

Parameters: values (list[object]) – values.
Raises: ValueError – if the number of values is out of bounds.

Write(output_writer)[source]¶

Writes the table to the output writer.

Parameters: output_writer (OutputWriter) – output writer.
Raises: RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.

class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)[source]¶

Bases: plaso.cli.views.BaseTableView

Command line tabular table view interface.

AddRow(values)[source]¶

Adds a row of values.

Parameters: values (list[object]) – values.
Raises: ValueError – if the number of values is out of bounds.

Write(output_writer)[source]¶

Writes the table to the output writer.

Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.MarkdownTableView(column_names=None, title=None)[source]¶

Bases: plaso.cli.views.BaseTableView

Markdown table view.

Write(output_writer)[source]¶

Writes the table to the output writer.

Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.ViewsFactory[source]¶

Bases: object

Views factory.

FORMAT_TYPE_CLI = 'cli'¶

FORMAT_TYPE_MARKDOWN = 'markdown'¶

classmethod GetTableView(format_type, column_names=None, title=None)[source]¶

Retrieves a table view.

Parameters

format_type (str) – table view format type.
column_names (Optional[list[str]]) – column names.
title (Optional[str]) – title.

Returns

table view.

Return type

BaseTableView

Raises

ValueError – if the format type is not supported.

Module contents¶

plaso.containers package¶

Submodules¶

plaso.containers.analyzer_result module¶

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult[source]¶

Bases: plaso.containers.interface.AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name¶

name of the analyzer that produce the result.

Type: str

attribute_name¶

name of the attribute produced.

Type: str

attribute_value¶

value of the attribute produced.

Type: str

CONTAINER_TYPE = 'analyzer_result'¶

plaso.containers.artifacts module¶

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer[source]¶

Bases: plaso.containers.interface.AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Environment_variable

case_sensitive¶

True if environment variable name is case sensitive.

Type: bool

name¶

environment variable name e.g. ‘SystemRoot’ as in ‘%SystemRoot%’ or ‘HOME’ in ‘$HOME’.

Type: str

value¶

environment variable value e.g. ‘C:Windows’ or ‘/home/user’.

Type: str

CONTAINER_TYPE = 'environment_variable'¶

class plaso.containers.artifacts.HostnameArtifact(name=None, schema='DNS')[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Hostname http://cybox.mitre.org/language/version2.1/xsddocs/objects/ Hostname_Object.html

name¶

name of the host according to the naming schema.

Type: str

schema¶

naming schema e.g. DNS, NIS, SMB/NetBIOS.

Type: str

CONTAINER_TYPE = 'hostname'¶

class plaso.containers.artifacts.OperatingSystemArtifact(family=None, product=None, version=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Operating system artifact attribute container.

family¶

operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

name¶

operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

product¶

product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

Type: str

version¶

version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

Type: str

CONTAINER_TYPE = 'operating_system'¶

IsEquivalent(other)[source]¶

Determines if 2 operating system artifacts are equivalent.

This function compares the operating systems based in order of: * name derived from product * family and version * family

Parameters

other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.

Returns

True if the operating systems are considered equivalent, False if: the most specific criteria do no match, or no criteria are available.

Return type

bool

version_tuple¶

version tuple or None if version is not set or invalid.

Type: tuple[int]

class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation e.g. Windows or Linux.

code_page¶

system code page.

Type: str

hostname¶

hostname.

Type: HostnameArtifact

keyboard_layout¶

keyboard layout.

Type: str

operating_system¶

operating system for example “MacOS” or “Windows”.

Type: str

operating_system_product¶

operating system product for example “Windows XP”.

Type: str

operating_system_version¶

operating system version for example “10.9.2” or “8.1”.

Type: str

time_zone¶

system time zone.

Type: str

user_accounts¶

user accounts.

Type: list[UserAccountArtifact]

CONTAINER_TYPE = 'system_configuration'¶

class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

User account artifact attribute container.

Also see:: http://cybox.mitre.org/language/version2.1/xsddocs/objects/ User_Account_Object.html

full_name¶

name describing the user e.g. full name.

Type: str

group_identifier¶

identifier of the primary group the user is part of.

Type: str

identifier¶

user identifier.

Type: str

user_directory¶

path of the user (or home or profile) directory.

Type: str

username¶

name uniquely identifying the user.

Type: str

CONTAINER_TYPE = 'user_account'¶

GetUserDirectoryPathSegments()[source]¶

Retrieves the path segments of the user directory.

Returns

path segments of the user directory or an empty list if no: user directory is set.

Return type

list[str]

plaso.containers.event_sources module¶

Event source attribute containers.

class plaso.containers.event_sources.EventSource(path_spec=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates e.g. a file, the $STANDARD_INFORMATION MFT attribute, or Application Compatibility cache.

data_type¶

attribute container type indicator.

Type: str

file_entry_type¶

dfVFS file entry type.

Type: str

path_spec¶

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'event_source'¶

DATA_TYPE = None¶

__lt__(other)[source]¶

Compares if the event source attribute container is less than the other.

Parameters: other (EventSource) – event source attribute container to compare to.
Returns: True if the event source attribute container is less than the other.
Return type: bool

class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)[source]¶

Bases: plaso.containers.event_sources.EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = 'file_entry'¶

plaso.containers.events module¶

Event attribute containers.

class plaso.containers.events.EventData(data_type=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event data attribute container.

data_type¶

event data type indicator.

Type: str

offset¶

offset relative to the start of the data stream where the event data is stored.

Type: int

query¶

query that was used to obtain the event data.

Type: str

CONTAINER_TYPE = 'event_data'¶

class plaso.containers.events.EventObject[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

data_type¶

event data type indicator.

Type: str

display_name¶

display friendly version of the path specification.

Type: str

filename¶

name of the file related to the event.

Type: str

hostname¶

name of the host related to the event.

Type: str

inode¶

inode of the file related to the event.

Type: int

offset¶

offset of the event data.

Type: int

pathspec¶

path specification of the file related to the event.

Type: dfvfs.PathSpec

tag¶

event tag.

Type: EventTag

timestamp¶

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type: int

timestamp_desc¶

description of the meaning of the timestamp.

Type: str

CONTAINER_TYPE = 'event'¶

DATA_TYPE = None¶

GetEventDataIdentifier()[source]¶

Retrieves the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Returns: event identifier or None when not set.
Return type: AttributeContainerIdentifier

SetEventDataIdentifier(event_data_identifier)[source]¶

Sets the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Parameters: event_data_identifier (AttributeContainerIdentifier) – event identifier.

__lt__(other)[source]¶

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters: other (EventObject) – event attribute container to compare to.
Returns: True if the event attribute container is less than the other.
Return type: bool

class plaso.containers.events.EventTag(comment=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event tag attribute container.

comment¶

comments.

Type: str

event_entry_index¶

serialized data stream entry index of the event, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

Type: int

event_stream_number¶

number of the serialized event stream, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

Type: int

labels¶

labels, such as “malware”, “application_execution”.

Type: list[str]

AddComment(comment)[source]¶

Adds a comment to the event tag.

Parameters: comment (str) – comment.

AddLabel(label)[source]¶

Adds a label to the event tag.

Parameters

label (str) – label.

Raises

TypeError – if the label provided is not a string.
ValueError – if a label is malformed.

AddLabels(labels)[source]¶

Adds labels to the event tag.

Parameters: labels (list[str]) – labels.
Raises: ValueError – if a label is malformed.

CONTAINER_TYPE = 'event_tag'¶

classmethod CopyTextToLabel(text, prefix='')[source]¶

Copies a string to a label.

A label only supports a limited set of characters therefore unsupported characters are replaced with an underscore.

Parameters

text (str) – label text.
prefix (Optional[str]) – label prefix.

Returns

label.

Return type

str

CopyToDict()[source]¶

Copies the event tag to a dictionary.

Returns: event tag attributes.
Return type: dict[str, object]

GetEventIdentifier()[source]¶

Retrieves the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Returns: event identifier or None when not set.
Return type: AttributeContainerIdentifier

SetEventIdentifier(event_identifier)[source]¶

Sets the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Parameters: event_identifier (AttributeContainerIdentifier) – event identifier.

plaso.containers.interface module¶

The attribute container interface.

class plaso.containers.interface.AttributeContainer[source]¶

Bases: object

The attribute container interface.

This is the the base class for those object that exists primarily as a container of attributes with basic accessors and mutators.

The CONTAINER_TYPE class attribute contains a string that identifies the container type e.g. the container type “event” identifiers an event object.

Attributes are public class members of an serializable type. Protected and private class members are not to be serialized.

CONTAINER_TYPE = None¶

CopyFromDict(attributes)[source]¶

Copies the attribute container from a dictionary.

Parameters: attributes (dict[str, object]) – attribute values per name.

CopyToDict()[source]¶

Copies the attribute container to a dictionary.

Returns: attribute values per name.
Return type: dict[str, object]

GetAttributeNames()[source]¶

Retrieves the names of all attributes.

Returns: attribute names.
Return type: list[str]

GetAttributeValuesHash()[source]¶

Retrieves a comparable string of the attribute values.

Returns: hash of comparable string of the attribute values.
Return type: int

GetAttributeValuesString()[source]¶

Retrieves a comparable string of the attribute values.

Returns: comparable string of the attribute values.
Return type: str

GetAttributes()[source]¶

Retrieves the attribute names and values.

Attributes that are set to None are ignored.

Yields: tuple[str, object] – attribute name and value.

GetIdentifier()[source]¶

Retrieves the identifier.

The identifier is a storage specific value that should not be serialized.

Returns: an unique identifier for the container.
Return type: AttributeContainerIdentifier

GetSessionIdentifier()[source]¶

Retrieves the session identifier.

The session identifier is a storage specific value that should not be serialized.

Returns: session identifier.
Return type: str

SetIdentifier(identifier)[source]¶

Sets the identifier.

The identifier is a storage specific value that should not be serialized.

Parameters: identifier (AttributeContainerIdentifier) – identifier.

SetSessionIdentifier(session_identifier)[source]¶

Sets the session identifier.

The session identifier is a storage specific value that should not be serialized.

Parameters: session_identifier (str) – session identifier.

class plaso.containers.interface.AttributeContainerIdentifier[source]¶

Bases: object

The attribute container identifier.

The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

plaso.containers.manager module¶

This file contains the attribute container manager class.

class plaso.containers.manager.AttributeContainersManager[source]¶

Bases: object

Class that implements the attribute container manager.

classmethod DeregisterAttributeContainer(attribute_container_class)[source]¶

Deregisters an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_class (type) – attribute container class.
Raises: KeyError – if attribute container class is not set for the corresponding container type.

classmethod GetAttributeContainer(container_type)[source]¶

Retrieves the attribute container for a specific container type.

Parameters: container_type (str) – container type.
Returns: attribute container.
Return type: AttributeContainer

classmethod RegisterAttributeContainer(attribute_container_class)[source]¶

Registers a attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_class (type) – attribute container class.
Raises: KeyError – if attribute container class is already set for the corresponding container type.

classmethod RegisterAttributeContainers(attribute_container_classes)[source]¶

Registers attribute container classes.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_classes (list[type]) – attribute container classes.
Raises: KeyError – if attribute container class is already set for the corresponding container type.

plaso.containers.plist_event module¶

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData[source]¶

Bases: plaso.containers.events.EventData

Plist event data attribute container.

desc¶

description.

Type: str

hostname¶

hostname.

Type: str

key¶

name of plist key.

Type: str

root¶

path from the root to this plist key.

Type: str

username¶

unique username.

Type: str

DATA_TYPE = 'plist:key'¶

plaso.containers.reports module¶

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Analysis report attribute container.

filter_string¶

event filter expression.

Type: str

plugin_name¶

name of the analysis plugin that generated the report.

Type: str

report_array¶

???

Type: array[str]

report_dict¶

???

Type: dict[str]

text¶

report text.

Type: str

time_compiled¶

timestamp of the date and time the report was compiled.

Type: int

CONTAINER_TYPE = 'analysis_report'¶

CopyToDict()[source]¶

Copies the attribute container to a dictionary.

Returns: attribute values per name.
Return type: dict[str, object]

GetString()[source]¶

Retrieves a string representation of the report.

Returns: string representation of the report.
Return type: str

plaso.containers.sessions module¶

Session related attribute container definitions.

class plaso.containers.sessions.Session[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session attribute container.

aborted¶

True if the session was aborted.

Type: bool

analysis_reports_counter¶

number of analysis reports per analysis plugin.

Type: collections.Counter

artifact_filters¶

Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments¶

command line arguments.

Type: str

completion_time¶

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

debug_mode¶

True if debug mode was enabled.

Type: bool

enabled_parser_names¶

parser and parser plugin names that were enabled.

Type: list[str]

event_labels_counter¶

number of event tags per label.

Type: collections.Counter

filter_file¶

path to a file with find specifications.

Type: str

identifier¶

unique identifier of the session.

Type: str

parser_filter_expression¶

parser filter expression.

Type: str

parsers_counter¶

number of events per parser or parser plugin.

Type: collections.Counter

preferred_encoding¶

preferred encoding.

Type: str

preferred_time_zone¶

preferred time zone.

Type: str

preferred_year¶

preferred year.

Type: int

product_name¶

name of the product that created the session e.g. ‘log2timeline’.

Type: str

product_version¶

version of the product that created the session.

Type: str

start_time¶

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session'¶

CopyAttributesFromSessionCompletion(session_completion)[source]¶

Copies attributes from a session completion.

Parameters: session_completion (SessionCompletion) – session completion attribute container.
Raises: ValueError – if the identifier of the session completion does not match that of the session.

CopyAttributesFromSessionStart(session_start)[source]¶

Copies attributes from a session start.

Parameters: session_start (SessionStart) – session start attribute container.

CreateSessionCompletion()[source]¶

Creates a session completion.

Returns: session completion attribute container.
Return type: SessionCompletion

CreateSessionStart()[source]¶

Creates a session start.

Returns: session start attribute container.
Return type: SessionStart

class plaso.containers.sessions.SessionCompletion(identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session completion attribute container.

aborted¶

True if the session was aborted.

Type: bool

analysis_reports_counter¶

number of analysis reports per analysis plugin.

Type: collections.Counter

event_labels_counter¶

number of event tags per label.

Type: collections.Counter

identifier¶

unique identifier of the session.

Type: str

parsers_counter¶

number of events per parser or parser plugin.

Type: collections.Counter

timestamp¶

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_completion'¶

class plaso.containers.sessions.SessionStart(identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session start attribute container.

artifact_filters¶

names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments¶

command line arguments.

Type: str

debug_mode¶

True if debug mode was enabled.

Type: bool

enabled_parser_names¶

parser and parser plugin names that were enabled.

Type: list[str]

filter_file¶

path to a file with find specifications.

Type: str

identifier¶

unique identifier of the session.

Type: str

parser_filter_expression¶

parser filter expression.

Type: str

preferred_encoding¶

preferred encoding.

Type: str

preferred_time_zone¶

preferred time zone.

Type: str

preferred_year¶

preferred year.

Type: int

product_name¶

name of the product that created the session e.g. ‘log2timeline’.

Type: str

product_version¶

version of the product that created the session.

Type: str

timestamp¶

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_start'¶

plaso.containers.shell_item_events module¶

Shell item event attribute container.

class plaso.containers.shell_item_events.ShellItemFileEntryEventData[source]¶

Bases: plaso.containers.events.EventData

Shell item file entry event data attribute container.

name¶

name of the file entry shell item.

Type: str

long_name¶

long name of the file entry shell item.

Type: str

localized_name¶

localized name of the file entry shell item.

Type: str

file_reference¶

NTFS file reference, in the format: “MTF entry - sequence number”.

Type: str

shell_item_path¶

shell item path.

Type: str

origin¶

origin of the event.

Type: str

DATA_TYPE = 'windows:shell_item:file_entry'¶

plaso.containers.storage_media module¶

Storage media related attribute container definitions.

class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Mount point attribute container.

mount_path¶

path where the path specification is mounted, such as “/mnt/image” or “C:”.

Type: str

path_spec¶

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'mount_point'¶

plaso.containers.tasks module¶

Task related attribute container definitions.

class plaso.containers.tasks.Task(session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task attribute container.

A task describes a piece of work for a multi processing worker process e.g. to process a path specification or to analyze an event.

aborted¶

True if the session was aborted.

Type: bool

completion_time¶

time that the task was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

file_entry_type¶

dfVFS type of the file entry the path specification is referencing.

Type: str

has_retry¶

True if the task was previously abandoned and a retry task was created, False otherwise.

Type: bool

identifier¶

unique identifier of the task.

Type: str

last_processing_time¶

the last time the task was marked as being processed as number of milliseconds since January 1, 1970, 00:00:00 UTC.

Type: int

merge_priority¶

priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

Type: int

path_spec¶

path specification.

Type: dfvfs.PathSpec

session_identifier¶

the identifier of the session the task is part of.

Type: str

start_time¶

time that the task was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

storage_file_size¶

size of the storage file in bytes.

Type: int

CONTAINER_TYPE = 'task'¶

CreateRetryTask()[source]¶

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns: a task to retry a previously abandoned task.
Return type: Task

CreateTaskCompletion()[source]¶

Creates a task completion.

Returns: task completion attribute container.
Return type: TaskCompletion

CreateTaskStart()[source]¶

Creates a task start.

Returns: task start attribute container.
Return type: TaskStart

UpdateProcessingTime()[source]¶: Updates the processing time to now.

__lt__(other)[source]¶

Compares if the task attribute container is less than the other.

Parameters: other (Task) – task attribute container to compare to.
Returns: True if the task attribute container is less than the other.
Return type: bool

class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task completion attribute container.

aborted¶

True if the session was aborted.

Type: bool

identifier¶

unique identifier of the task.

Type: str

session_identifier¶

the identifier of the session the task is part of.

Type: str

timestamp¶

time that the task was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'task_completion'¶

class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task start attribute container.

identifier¶

unique identifier of the task.

Type: str

session_identifier¶

the identifier of the session the task is part of.

Type: str

timestamp¶

time that the task was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'task_start'¶

plaso.containers.time_events module¶

Time-based event attribute containers.

class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, data_type=None, time_zone=None)[source]¶

Bases: plaso.containers.time_events.TimestampEvent

dfDateTime date time values-based event attribute container.

class plaso.containers.time_events.PythonDatetimeEvent(datetime_value, date_time_description, data_type=None, time_zone=None)[source]¶

Bases: plaso.containers.time_events.DateTimeValuesEvent

Python datetime-based event attribute container.

class plaso.containers.time_events.TimestampEvent(timestamp, timestamp_description, data_type=None)[source]¶

Bases: plaso.containers.events.EventObject

Plaso timestamp-based event attribute container.

data_type¶

event data type.

Type: str

timestamp¶

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type: int

timestamp_desc¶

description of the meaning of the timestamp.

Type: str

plaso.containers.warnings module¶

Warning attribute containers.

class plaso.containers.warnings.ExtractionError(message=None, parser_chain=None, path_spec=None)[source]¶

Bases: plaso.containers.warnings.ExtractionWarning

Extraction error attribute container.

This class is provided for backwards compatiblity only, all new code must use ExtractionWarning.

message¶

warning message.

Type: str

parser_chain¶

parser chain to which the warning applies.

Type: str

path_spec¶

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_error'¶

class plaso.containers.warnings.ExtractionWarning(message=None, parser_chain=None, path_spec=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Extraction warning attribute container.

Extraction warnings are produced by parsers/plugins as well the Plaso engine when they encounter situations that should be brought to the users’ attention but are not events derived from the data being processed.

message¶

warning message.

Type: str

parser_chain¶

parser chain to which the warning applies.

Type: str

path_spec¶

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_warning'¶

plaso.containers.windows_events module¶

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)[source]¶

Bases: plaso.containers.events.EventData

Windows distributed link event data attribute container.

mac_address¶

MAC address stored in the UUID.

Type: str

origin¶

origin of the event (event source). E.g. the path of the corresponding LNK file or file reference MFT entry with the corresponding NTFS $OBJECT_ID attribute.

Type: str

uuid¶

UUID.

Type: str

DATA_TYPE = 'windows:distributed_link_tracking:creation'¶

class plaso.containers.windows_events.WindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Registry event data attribute container.

key_path¶

Windows Registry key path.

Type: str

regvalue¶

values in the key.

Type: dict[str, object]

source_append¶

text to append to the source_long of the event.

Type: str

urls¶

URLs.

Type: list[str]

DATA_TYPE = 'windows:registry:key_value'¶

class plaso.containers.windows_events.WindowsRegistryInstallationEventData[source]¶

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

key_path¶

Windows Registry key path.

Type: str

owner¶

owner.

Type: str

product_name¶

product name.

Type: str

service_pack¶

service pack.

Type: str

version¶

version.

Type: str

DATA_TYPE = 'windows:registry:installation'¶

class plaso.containers.windows_events.WindowsRegistryListEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Registry list event data attribute container.

Windows Registry list event data is used to store a MRU.

key_path¶

Windows Registry key path.

Type: str

known_folder_identifier¶

known folder identifier.

Type: str

list_name¶

name of the list.

Type: str

list_values¶

values in the list.

Type: str

value_name¶

Windows Registry value name.

Type: str

DATA_TYPE = 'windows:registry:list'¶

class plaso.containers.windows_events.WindowsRegistryServiceEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Registry service event data attribute container.

key_path¶

Windows Registry key path.

Type: str

offset¶

data offset of the Windows Registry key or value.

Type: int

regvalue¶

values of a key.

Type: dict[str, str]

urls¶

URLs.

Type: Optional[list[str]]

DATA_TYPE = 'windows:registry:service'¶

class plaso.containers.windows_events.WindowsVolumeEventData[source]¶

Bases: plaso.containers.events.EventData

Windows volume event data attribute container.

device_path¶

volume device path.

Type: str

origin¶

origin of the event (event source), for example the corresponding Prefetch file name.

Type: str

serial_number¶

volume serial number.

Type: str

DATA_TYPE = 'windows:volume:creation'¶

Module contents¶

This file imports Python modules that register attribute container types.

plaso.engine package¶

Submodules¶

plaso.engine.artifact_filters module¶

Helper to create filters based on forensic artifact definitions.

class plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper(artifacts_registry, knowledge_base)[source]¶

Bases: plaso.engine.filters_helper.CollectionFiltersHelper

Helper to create collection filters based on artifact definitions.

Builds collection filters from forensic artifact definitions.

For more information about Forensic Artifacts see: https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc

file_system_artifact_names¶

names of artifacts definitions that generated file system find specifications.

Type: set[str]

registry_artifact_names¶

names of artifacts definitions that generated Windows Registry find specifications.

Type: set[str]

BuildFindSpecs(artifact_filter_names, environment_variables=None)[source]¶

Builds find specifications from artifact definitions.

Parameters

artifact_filter_names (list[str]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.

classmethod CheckKeyCompatibility(key_path)[source]¶

Checks if a Windows Registry key path is supported by dfWinReg.

Parameters: key_path (str) – path of the Windows Registry key.
Returns: True if key is compatible or False if not.
Return type: bool

plaso.engine.configurations module¶

Processing configuration classes.

class plaso.engine.configurations.CredentialConfiguration(credential_data=None, credential_type=None, path_spec=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for a credential.

credential_data¶

credential data.

Type: bytes

credential_type¶

credential type.

Type: str

path_spec¶

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'credential_configuration'¶

class plaso.engine.configurations.EventExtractionConfiguration[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for event extraction.

These settings are primarily used by the parser mediator.

filter_object¶

filter that specifies which events to include.

Type: objectfilter.Filter

text_prepend¶

text to prepend to every event.

Type: str

CONTAINER_TYPE = 'event_extraction_configuration'¶

class plaso.engine.configurations.ExtractionConfiguration[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for extraction.

These settings are primarily used by the extraction worker.

hasher_file_size_limit¶

maximum file size that hashers should process, where 0 or None represents unlimited.

Type: int

hasher_names_string¶

comma separated string of names of hashers to use during processing.

Type: str

process_archives¶

True if archive files should be scanned for file entries.

Type: bool

process_compressed_streams¶

True if file content in compressed streams should be processed.

Type: bool

yara_rules_string¶

Yara rule definitions.

Type: str

CONTAINER_TYPE = 'extraction_configuration'¶

class plaso.engine.configurations.InputSourceConfiguration[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings of an input source.

mount_path¶

path of a “mounted” directory input source.

Type: str

CONTAINER_TYPE = 'input_source'¶

class plaso.engine.configurations.ProcessingConfiguration[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for processing.

artifact_filters¶

names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: Optional list[str]

credentials¶

credential configurations.

Type: list[CredentialConfiguration]

data_location¶

path to the data files.

Type: str

debug_output¶

True if debug output should be enabled.

Type: bool

event_extraction¶

event extraction configuration.

Type: EventExtractionConfiguration

extraction¶

extraction configuration.

Type: ExtractionConfiguration

filter_file¶

path to a file with find specifications.

Type: str

input_source¶

input source configuration.

Type: InputSourceConfiguration

log_filename¶

name of the log file.

Type: str

parser_filter_expression¶

parser filter expression, where None represents all parsers and plugins.

Type: str

preferred_year¶

preferred initial year value for year-less date and time values.

Type: int

profiling¶

profiling configuration.

Type: ProfilingConfiguration

temporary_directory¶

path of the directory for temporary files.

Type: str

CONTAINER_TYPE = 'processing_configuration'¶

class plaso.engine.configurations.ProfilingConfiguration[source]¶

Bases: plaso.containers.interface.AttributeContainer

Configuration settings for profiling.

directory¶

path to the directory where the profiling sample files should be stored.

Type: str

profilers¶

names of the profilers to enable. Supported profilers are:

‘guppy’, which profiles memory usage using guppy;
‘memory’, which profiles memory usage;
‘parsers’, which profiles CPU time consumed by individual parsers;
‘processing’, which profiles CPU time consumed by different parts of processing;
‘serializers’, which profiles CPU time consumed by individual serializers.
‘storage’, which profiles storage reads and writes.

Type: set(str)

sample_rate¶

the profiling sample rate. Contains the number of event sources processed.

Type: int

CONTAINER_TYPE = 'profiling_configuration'¶

HaveProfileMemory()[source]¶

Determines if memory profiling is configured.

Returns: True if memory profiling is configured.
Return type: bool

HaveProfileMemoryGuppy()[source]¶

Determines if memory profiling with guppy is configured.

Returns: True if memory profiling with guppy is configured.
Return type: bool

HaveProfileParsers()[source]¶

Determines if parsers profiling is configured.

Returns: True if parsers profiling is configured.
Return type: bool

HaveProfileProcessing()[source]¶

Determines if processing profiling is configured.

Returns: True if processing profiling is configured.
Return type: bool

HaveProfileSerializers()[source]¶

Determines if serializers profiling is configured.

Returns: True if serializers profiling is configured.
Return type: bool

HaveProfileStorage()[source]¶

Determines if storage profiling is configured.

Returns: True if storage profiling is configured.
Return type: bool

HaveProfileTaskQueue()[source]¶

Determines if task queue profiling is configured.

Returns: True if task queue profiling is configured.
Return type: bool

HaveProfileTasks()[source]¶

Determines if tasks profiling is configured.

Returns: True if task queue profiling is configured.
Return type: bool

plaso.engine.engine module¶

plaso.engine.extractors module¶

plaso.engine.filter_file module¶

Filter file.

class plaso.engine.filter_file.FilterFile[source]¶

Bases: object

Filter file.

A filter file contains one or more path filters.

A path filter may contain path expansion attributes. Such an attribute is defined as anything within a curly bracket, for example “System{my_attribute}PathKeyname”. If the attribute “my_attribute” is defined its runtime value will be replaced with placeholder in the path filter such as “SystemMyValuePathKeyname”.

If the path filter needs to have curly brackets in the path then these need to be escaped with another curly bracket, for example “System{my_attribute}{{123-AF25-E523}}KeyName”, where “{{123-AF25-E523}}” will be replaced with “{123-AF25-E523}” at runtime.

ReadFromFile(path)[source]¶

Reads the path filters from the filter file.

Parameters: path (str) – path to a filter file.
Returns: path filters.
Return type: list[PathFilter]

plaso.engine.filters_helper module¶

Collection filters helper.

class plaso.engine.filters_helper.CollectionFiltersHelper[source]¶

Bases: object

Helper for collection filters.

excluded_file_system_find_specs¶

file system find specifications of paths to exclude from the collection.

Type: list[dfvfs.FindSpec]

included_file_system_find_specs¶

file system find specifications of paths to include in the collection.

Type: list[dfvfs.FindSpec]

registry_find_specs¶

Windows Registry find specifications.

Type: list[dfwinreg.FindSpec]

plaso.engine.knowledge_base module¶

The artifact knowledge base object.

The knowledge base is filled by user provided input and the pre-processing phase. It is intended to provide successive phases, like the parsing and analysis phases, with essential information like e.g. the timezone and codepage of the source data.

class plaso.engine.knowledge_base.KnowledgeBase[source]¶

Bases: object

The knowledge base.

AddEnvironmentVariable(environment_variable)[source]¶

Adds an environment variable.

Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
Raises: KeyError – if the environment variable already exists.

AddUserAccount(user_account, session_identifier=0)[source]¶

Adds an user account.

Parameters

user_account (UserAccountArtifact) – user account artifact.
session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.

Raises

KeyError – if the user account already exists.

CURRENT_SESSION = 0¶

GetEnvironmentVariable(name)[source]¶

Retrieves an environment variable.

Parameters

name (str) – name of the environment variable.

Returns

environment variable artifact or None: if there was no value set for the given name.

Return type

EnvironmentVariableArtifact

GetEnvironmentVariables()[source]¶

Retrieves the environment variables.

Returns: environment variable artifacts.
Return type: list[EnvironmentVariableArtifact]

GetHostname(session_identifier=0)[source]¶

Retrieves the hostname related to the event.

If the hostname is not stored in the event it is determined based on the preprocessing information that is stored inside the storage file.

Parameters: session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.
Returns: hostname.
Return type: str

GetStoredHostname()[source]¶

Retrieves the stored hostname.

The hostname is determined based on the preprocessing information that is stored inside the storage file.

Returns: hostname.
Return type: str

GetSystemConfigurationArtifact(session_identifier=0)[source]¶

Retrieves the knowledge base as a system configuration artifact.

Parameters: session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.
Returns: system configuration artifact.
Return type: SystemConfigurationArtifact

GetUsernameByIdentifier(user_identifier, session_identifier=0)[source]¶

Retrieves the username based on an user identifier.

Parameters

user_identifier (str) – user identifier, either a UID or SID.
session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.

Returns

username.

Return type

str

GetUsernameForPath(path)[source]¶

Retrieves a username for a specific path.

This is determining if a specific path is within a user’s directory and returning the username of the user if so.

Parameters

path (str) – path.

Returns

username or None if the path does not appear to be within a user’s: directory.

Return type

str

GetValue(identifier, default_value=None)[source]¶

Retrieves a value by identifier.

Parameters

identifier (str) – case insensitive unique identifier for the value.
default_value (object) – default value.

Returns

value or default value if not available.

Return type

object

Raises

TypeError – if the identifier is not a string type.

HasUserAccounts()[source]¶

Determines if the knowledge base contains user accounts.

Returns: True if the knowledge base contains user accounts.
Return type: bool

ReadSystemConfigurationArtifact(system_configuration, session_identifier=0)[source]¶

Reads the knowledge base values from a system configuration artifact.

Note that this overwrites existing values in the knowledge base.

Parameters

system_configuration (SystemConfigurationArtifact) – system configuration artifact.
session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.

SetCodepage(codepage)[source]¶

Sets the codepage.

Parameters: codepage (str) – codepage.
Raises: ValueError – if the codepage is not supported.

SetEnvironmentVariable(environment_variable)[source]¶

Sets an environment variable.

Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.

SetHostname(hostname, session_identifier=0)[source]¶

Sets a hostname.

Parameters

hostname (HostnameArtifact) – hostname artifact.
session_identifier (Optional[str])) – session identifier, where CURRENT_SESSION represents the active session.

SetTimeZone(time_zone)[source]¶

Sets the time zone.

Parameters: time_zone (str) – time zone.
Raises: ValueError – if the timezone is not supported.

SetValue(identifier, value)[source]¶

Sets a value by identifier.

Parameters

identifier (str) – case insensitive unique identifier for the value.
value (object) – value.

Raises

TypeError – if the identifier is not a string type.

codepage¶

codepage of the current session.

Type: str

hostname¶

hostname of the current session.

Type: str

timezone¶

timezone of the current session.

Type: datetime.tzinfo

user_accounts¶

user accounts of the current session.

Type: list[UserAccountArtifact]

year¶

year of the current session.

Type: int

plaso.engine.logger module¶

The engine sub module logger.

plaso.engine.path_filters module¶

Path filters.

Path filters are specified in filter files and are used during collection to include or exclude file system paths.

class plaso.engine.path_filters.PathCollectionFiltersHelper[source]¶

Bases: plaso.engine.filters_helper.CollectionFiltersHelper

Path collection filters helper.

BuildFindSpecs(path_filters, environment_variables=None)[source]¶

Builds find specifications from path filters.

Parameters

path_filters (list[PathFilter]) – path filters.
environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.

class plaso.engine.path_filters.PathFilter(filter_type, description=None, path_separator='/', paths=None)[source]¶

Bases: object

Path filter.

description¶

description of the purpose of the filter or None if not set.

Type: str

filter_type¶

indicates if the filter should include or excludes paths during collection.

Type: str

path_separator¶

path segment separator.

Type: str

paths¶

paths to filter.

Type: list[str]

FILTER_TYPE_EXCLUDE = 'exclude'¶

FILTER_TYPE_INCLUDE = 'include'¶

plaso.engine.path_helper module¶

The path helper.

class plaso.engine.path_helper.PathHelper[source]¶

Bases: object

Class that implements the path helper.

classmethod AppendPathEntries(path, path_separator, number_of_wildcards, skip_first)[source]¶

Appends glob wildcards to a path.

This function will append glob wildcards “*” to a path, returning paths with an additional glob wildcard up to the specified number. E.g. given the path “/tmp” and a number of 2 wildcards, this function will return “tmp/”, “tmp//*”. When skip_first is true the path with the first wildcard is not returned as a result.

Parameters

path (str) – path to append glob wildcards to.
path_separator (str) – path segment separator.
number_of_wildcards (int) – number of glob wildcards to append.
skip_first (bool) – True if the the first path with glob wildcard should be skipped as a result.

Returns

paths with glob wildcards.

Return type

list[str]

classmethod ExpandRecursiveGlobs(path, path_separator)[source]¶

Expands recursive like globs present in an artifact path.

If a path ends in ‘**’, with up to two optional digits such as ‘10’, the ‘’ will recursively match all files and zero or more directories from the specified path. The optional digits indicate the recursion depth. By default recursion depth is 10 directories.

If the glob is followed by the specified path segment separator, only directories and subdirectories will be matched.

Parameters

path (str) – path to be expanded.
path_separator (str) – path segment separator.

Returns

String path expanded for each glob.

Return type

list[str]

classmethod ExpandUsersVariablePath(path, path_separator, user_accounts)[source]¶

Expands a path with a users variable, e.g. %%users.homedir%%.

Parameters

path (str) – path with users variable.
path_separator (str) – path segment separator.
user_accounts (list[UserAccountArtifact]) – user accounts.

Returns

paths for which the users variables have been expanded.

Return type

list[str]

classmethod ExpandWindowsPath(path, environment_variables)[source]¶

Expands a Windows path containing environment variables.

Parameters

path (str) – Windows path with environment variables.
environment_variables (list[EnvironmentVariableArtifact]) – environment variables.

Returns

expanded Windows path.

Return type

str

classmethod ExpandWindowsPathSegments(path_segments, environment_variables)[source]¶

Expands a Windows path segments containing environment variables.

Parameters

path_segments (list[str]) – Windows path segments with environment variables.
environment_variables (list[EnvironmentVariableArtifact]) – environment variables.

Returns

expanded Windows path segments.

Return type

list[str]

classmethod GetDisplayNameForPathSpec(path_spec, mount_path=None, text_prepend=None)[source]¶

Retrieves the display name of a path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.
mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.
text_prepend (Optional[str]) – text to prepend.

Returns

human readable version of the path specification or None.

Return type

str

classmethod GetRelativePathForPathSpec(path_spec, mount_path=None)[source]¶

Retrieves the relative path of a path specification.

If a mount path is defined the path will be relative to the mount point, otherwise the path is relative to the root of the file system that is used by the path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.
mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.

Returns

relative path or None.

Return type

str

plaso.engine.plaso_queue module¶

Queue management implementation for Plaso.

This file contains an implementation of a queue used by plaso for queue management.

The queue has been abstracted in order to provide support for different implementations of the queueing mechanism, to support multi processing and scalability.

class plaso.engine.plaso_queue.Queue[source]¶

Bases: object

Class that implements the queue interface.

Close(abort=False)[source]¶

Closes the queue.

Parameters: abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

IsEmpty()[source]¶: Determines if the queue is empty.

Open()[source]¶: Opens the queue, ready to enqueue or dequeue items.

PopItem()[source]¶

Pops an item off the queue.

Raises: QueueEmpty – when the queue is empty.

PushItem(item, block=True)[source]¶

Pushes an item onto the queue.

Parameters

item (object) – item to add.
block (bool) – whether to block if the queue is full.

Raises

QueueFull – if the queue is full, and the item could not be added.

class plaso.engine.plaso_queue.QueueAbort[source]¶

Bases: object

Class that implements a queue abort.

plaso.engine.process_info module¶

Information about running process.

class plaso.engine.process_info.ProcessInfo(pid)[source]¶

Bases: object

Provides information about a running process.

GetUsedMemory()[source]¶

Retrieves the amount of memory used by the process.

Returns

amount of memory in bytes used by the process or None: if not available.

Return type

int

plaso.engine.processing_status module¶

Processing status classes.

class plaso.engine.processing_status.EventsStatus[source]¶

Bases: object

The status of the events.

number_of_duplicate_events¶

number of duplicate events, not including the original.

Type: int

number_of_events_from_time_slice¶

number of events from time slice.

Type: int

number_of_filtered_events¶

number of events excluded by the event filter.

Type: int

number_of_macb_grouped_events¶

number of events grouped based on MACB.

Type: int

total_number_of_events¶

total number of events in the storage file.

Type: int

class plaso.engine.processing_status.ProcessStatus[source]¶

Bases: object

The status of an individual process.

display_name¶

human readable of the file entry currently being processed by the process.

Type: str

identifier¶

process identifier.

Type: str

last_running_time¶

timestamp of the last update when the process had a running process status.

Type: int

number_of_consumed_event_tags¶

total number of event tags consumed by the process.

Type: int

number_of_consumed_event_tags_delta¶

number of event tags consumed by the process since the last status update.

Type: int

number_of_consumed_events¶

total number of events consumed by the process.

Type: int

number_of_consumed_events_delta¶

number of events consumed by the process since the last status update.

Type: int

number_of_consumed_reports¶

total number of event reports consumed by the process.

Type: int

number_of_consumed_reports_delta¶

number of event reports consumed by the process since the last status update.

Type: int

number_of_consumed_sources¶

total number of event sources consumed by the process.

Type: int

number_of_consumed_sources_delta¶

number of event sources consumed by the process since the last status update.

Type: int

number_of_consumed_warnings¶

total number of warnings consumed by the process.

Type: int

number_of_consumed_warnings_delta¶

number of warnings consumed by the process since the last status update.

Type: int

number_of_produced_event_tags¶

total number of event tags produced by the process.

Type: int

number_of_produced_event_tags_delta¶

number of event tags produced by the process since the last status update.

Type: int

number_of_produced_events¶

total number of events produced by the process.

Type: int

number_of_produced_events_delta¶

number of events produced by the process since the last status update.

Type: int

number_of_produced_reports¶

total number of event reports produced by the process.

Type: int

number_of_produced_reports_delta¶

number of event reports produced by the process since the last status update.

Type: int

number_of_produced_sources¶

total number of event sources produced by the process.

Type: int

number_of_produced_sources_delta¶

number of event sources produced by the process since the last status update.

Type: int

number_of_produced_warnings¶

total number of warnings produced by the process.

Type: int

number_of_produced_warnings_delta¶

number of warnings produced by the process since the last status update.

Type: int

pid¶

process identifier (PID).

Type: int

status¶

human readable status indication e.g. ‘Hashing’, ‘Idle’.

Type: str

used_memory¶

size of used memory in bytes.

Type: int

UpdateNumberOfEventReports(number_of_consumed_reports, number_of_produced_reports)[source]¶

Updates the number of event reports.

Parameters

number_of_consumed_reports (int) – total number of event reports consumed by the process.
number_of_produced_reports (int) – total number of event reports produced by the process.

Returns

True if either number of event reports has increased.

Return type

bool

Raises

ValueError – if the consumed or produced number of event reports is smaller than the value of the previous update.

UpdateNumberOfEventSources(number_of_consumed_sources, number_of_produced_sources)[source]¶

Updates the number of event sources.

Parameters

number_of_consumed_sources (int) – total number of event sources consumed by the process.
number_of_produced_sources (int) – total number of event sources produced by the process.

Returns

True if either number of event sources has increased.

Return type

bool

Raises

ValueError – if the consumed or produced number of event sources is smaller than the value of the previous update.

UpdateNumberOfEventTags(number_of_consumed_event_tags, number_of_produced_event_tags)[source]¶

Updates the number of event tags.

Parameters

number_of_consumed_event_tags (int) – total number of event tags consumed by the process.
number_of_produced_event_tags (int) – total number of event tags produced by the process.

Returns

True if either number of event tags has increased.

Return type

bool

Raises

ValueError – if the consumed or produced number of event tags is smaller than the value of the previous update.

UpdateNumberOfEvents(number_of_consumed_events, number_of_produced_events)[source]¶

Updates the number of events.

Parameters

number_of_consumed_events (int) – total number of events consumed by the process.
number_of_produced_events (int) – total number of events produced by the process.

Returns

True if either number of events has increased.

Return type

bool

Raises

ValueError – if the consumed or produced number of events is smaller than the value of the previous update.

UpdateNumberOfWarnings(number_of_consumed_warnings, number_of_produced_warnings)[source]¶

Updates the number of warnings.

Parameters

number_of_consumed_warnings (int) – total number of warnings consumed by the process.
number_of_produced_warnings (int) – total number of warnings produced by the process.

Returns

True if either number of warnings has increased.

Return type

bool

Raises

ValueError – if the consumed or produced number of warnings is smaller than the value of the previous update.

class plaso.engine.processing_status.ProcessingStatus[source]¶

Bases: object

The status of the overall extraction process (processing).

aborted¶

True if processing was aborted.

Type: bool

error_path_specs¶

path specifications that caused critical errors during processing.

Type: list[dfvfs.PathSpec]

events_status¶

status information about events.

Type: EventsStatus

foreman_status¶

foreman processing status.

Type: ProcessingStatus

start_time¶

time that the processing was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: float

tasks_status¶

status information about tasks.

Type: TasksStatus

UpdateEventsStatus(events_status)[source]¶

Updates the events status.

Parameters: events_status (EventsStatus) – status information about events.

UpdateForemanStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings)[source]¶

Updates the status of the foreman.

Parameters

identifier (str) – foreman identifier.
status (str) – human readable status of the foreman e.g. ‘Idle’.
pid (int) – process identifier (PID).
used_memory (int) – size of used memory in bytes.
display_name (str) – human readable of the file entry currently being processed by the foreman.
number_of_consumed_sources (int) – total number of event sources consumed by the foreman.
number_of_produced_sources (int) – total number of event sources produced by the foreman.
number_of_consumed_events (int) – total number of events consumed by the foreman.
number_of_produced_events (int) – total number of events produced by the foreman.
number_of_consumed_event_tags (int) – total number of event tags consumed by the foreman.
number_of_produced_event_tags (int) – total number of event tags produced by the foreman.
number_of_consumed_warnings (int) – total number of warnings consumed by the foreman.
number_of_produced_warnings (int) – total number of warnings produced by the foreman.
number_of_consumed_reports (int) – total number of event reports consumed by the process.
number_of_produced_reports (int) – total number of event reports produced by the process.

UpdateTasksStatus(tasks_status)[source]¶

Updates the tasks status.

Parameters: tasks_status (TasksStatus) – status information about tasks.

UpdateWorkerStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings)[source]¶

Updates the status of a worker.

Parameters

identifier (str) – worker identifier.
status (str) – human readable status of the worker e.g. ‘Idle’.
pid (int) – process identifier (PID).
used_memory (int) – size of used memory in bytes.
display_name (str) – human readable of the file entry currently being processed by the worker.
number_of_consumed_sources (int) – total number of event sources consumed by the worker.
number_of_produced_sources (int) – total number of event sources produced by the worker.
number_of_consumed_events (int) – total number of events consumed by the worker.
number_of_produced_events (int) – total number of events produced by the worker.
number_of_consumed_event_tags (int) – total number of event tags consumed by the worker.
number_of_produced_event_tags (int) – total number of event tags produced by the worker.
number_of_consumed_reports (int) – total number of event reports consumed by the process.
number_of_produced_reports (int) – total number of event reports produced by the process.
number_of_consumed_warnings (int) – total number of warnings consumed by the worker.
number_of_produced_warnings (int) – total number of warnings produced by the worker.

workers_status¶: The worker status objects sorted by identifier.

class plaso.engine.processing_status.TasksStatus[source]¶

Bases: object

The status of the tasks.

number_of_abandoned_tasks¶

number of abandoned tasks.

Type: int

number_of_queued_tasks¶

number of active tasks.

Type: int

number_of_tasks_pending_merge¶

number of tasks pending merge.

Type: int

number_of_tasks_processing¶

number of tasks processing.

Type: int

total_number_of_tasks¶

total number of tasks.

Type: int

plaso.engine.profilers module¶

The profiler classes.

class plaso.engine.profilers.CPUTimeMeasurement[source]¶

Bases: object

The CPU time measurement.

start_sample_time¶

start sample time or None if not set.

Type: float

total_cpu_time¶

total CPU time or None if not set.

Type: float

SampleStart()[source]¶: Starts measuring the CPU time.

SampleStop()[source]¶: Stops measuring the CPU time.

class plaso.engine.profilers.CPUTimeProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.SampleFileProfiler

The CPU time profiler.

StartTiming(profile_name)[source]¶

Starts timing CPU time.

Parameters: profile_name (str) – name of the profile to sample.

StopTiming(profile_name)[source]¶

Stops timing CPU time.

Parameters: profile_name (str) – name of the profile to sample.

class plaso.engine.profilers.GuppyMemoryProfiler(identifier, configuration)[source]¶

Bases: object

The guppy-based memory profiler.

classmethod IsSupported()[source]¶

Determines if the profiler is supported.

Returns: True if the profiler is supported.
Return type: bool

Sample()[source]¶: Takes a sample for profiling.

Start()[source]¶: Starts the profiler.

Stop()[source]¶: Stops the profiler.

class plaso.engine.profilers.MemoryProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.SampleFileProfiler

The memory profiler.

Sample(profile_name, used_memory)[source]¶

Takes a sample for profiling.

Parameters

profile_name (str) – name of the profile to sample.
used_memory (int) – amount of used memory in bytes.

class plaso.engine.profilers.ProcessingProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.CPUTimeProfiler

The processing profiler.

class plaso.engine.profilers.SampleFileProfiler(identifier, configuration)[source]¶

Bases: object

Shared functionality for sample file-based profilers.

classmethod IsSupported()[source]¶

Determines if the profiler is supported.

Returns: True if the profiler is supported.
Return type: bool

Start()[source]¶: Starts the profiler.

Stop()[source]¶: Stops the profiler.

class plaso.engine.profilers.SerializersProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.CPUTimeProfiler

The serializers profiler.

class plaso.engine.profilers.StorageProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.SampleFileProfiler

The storage profiler.

Sample(operation, description, data_size, compressed_data_size)[source]¶

Takes a sample of data read or written for profiling.

Parameters

operation (str) – operation, either ‘read’ or ‘write’.
description (str) – description of the data read.
data_size (int) – size of the data read in bytes.
compressed_data_size (int) – size of the compressed data read in bytes.

class plaso.engine.profilers.TaskQueueProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.SampleFileProfiler

The task queue profiler.

Sample(tasks_status)[source]¶

Takes a sample of the status of queued tasks for profiling.

Parameters: tasks_status (TasksStatus) – status information about tasks.

class plaso.engine.profilers.TasksProfiler(identifier, configuration)[source]¶

Bases: plaso.engine.profilers.SampleFileProfiler

The tasks profiler.

Sample(task, status)[source]¶

Takes a sample of the status of a task for profiling.

Parameters

task (Task) – a task.
status (str) – status.

plaso.engine.single_process module¶

plaso.engine.tagging_file module¶

Tagging file.

class plaso.engine.tagging_file.TaggingFile(path)[source]¶

Bases: object

Tagging file that defines one or more event tagging rules.

GetEventTaggingRules()[source]¶

Retrieves the event tagging rules from the tagging file.

Returns

tagging rules, that consists of one or more: filter objects per label.

Return type

dict[str, FilterObject]

Raises

TaggingFileError – if a filter expression cannot be compiled.

plaso.engine.worker module¶

plaso.engine.yaml_filter_file module¶

YAML-based filter file.

class plaso.engine.yaml_filter_file.YAMLFilterFile[source]¶

Bases: object

YAML-based filter file.

A YAML-based filter file contains one or more path filters. description: Include filter with Linux paths. type: include path_separator: ‘/’ paths: - ‘/usr/bin’

Where: * description, is an optional description of the purpose of the path filter; * type, defines the filter type, which can be “include” or “exclude”; * path_separator, defines the path segment separator, which is “/” by default; * paths, defines regular expression of paths to filter on.

Note that the regular expression need to be defined per path segment, for example to filter “/usr/bin/echo” and “/usr/sbin/echo” the following expression could be defined “/usr/(bin|sbin)/echo”.

Note that when the path segment separator is defined as “” it needs to be escaped as “", since “” is used by the regular expression as escape character.

A path may contain path expansion attributes, for example: %{SystemRoot}\System32

ReadFromFile(path)[source]¶

Reads the path filters from the YAML-based filter file.

Parameters: path (str) – path to a filter file.
Returns: path filters.
Return type: list[PathFilter]

plaso.engine.zeromq_queue module¶

ZeroMQ implementations of the Plaso queue interface.

class plaso.engine.zeromq_queue.ZeroMQBufferedQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for buffered Plaso queues.

Buffered queues use a regular Python queue to store items that are pushed or popped from the queue without blocking on underlying ZeroMQ operations.

This class should not be instantiated directly, a subclass should be instantiated instead.

Close(abort=False)[source]¶

Closes the queue.

Parameters

abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

Raises

QueueAlreadyClosed – if the queue is not started, or has already been closed.
RuntimeError – if closed or terminate event is missing.

Empty()[source]¶: Removes all items from the internal buffer.

class plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue

A Plaso queue backed by a ZeroMQ REP socket that binds to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 1¶

class plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQBufferedQueue

Parent class for buffered Plaso queues backed by ZeroMQ REP sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to push items, not to pop.

PopItem()[source]¶

Pops an item of the queue.

Provided for compatibility with the API, but doesn’t actually work.

Raises: WrongQueueType – As Pop is not supported by this queue.

PushItem(item, block=True)[source]¶

Push an item on to the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Parameters

item (object) – item to push on the queue.
block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.

Raises

QueueAlreadyClosed – if the queue is closed.
QueueFull – if the internal buffer was full and it was not possible to push the item to the buffer within the timeout.
RuntimeError – if closed event is missing.

class plaso.engine.zeromq_queue.ZeroMQPullConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQPullQueue

A Plaso queue backed by a ZeroMQ PULL socket that connects to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 2¶

class plaso.engine.zeromq_queue.ZeroMQPullQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ PULL sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to pop items, not to push.

PopItem()[source]¶

Pops an item off the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Returns

item from the queue.

Return type

object

Raises

KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
RuntimeError – if closed or terminate event is missing.
zmq.error.ZMQError – if a ZeroMQ error occurs.

PushItem(item, block=True)[source]¶

Pushes an item on to the queue.

Provided for compatibility with the API, but doesn’t actually work.

Parameters

item (object) – item to push on the queue.
block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.

Raises

WrongQueueType – As Push is not supported this queue.

class plaso.engine.zeromq_queue.ZeroMQPushBindQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQPushQueue

A Plaso queue backed by a ZeroMQ PUSH socket that binds to a port.

This queue may only be used to push items, not to pop.

SOCKET_CONNECTION_TYPE = 1¶

class plaso.engine.zeromq_queue.ZeroMQPushQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ PUSH sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to push items, not to pop.

PopItem()[source]¶

Pops an item of the queue.

Provided for compatibility with the API, but doesn’t actually work.

Raises: WrongQueueType – As Pull is not supported this queue.

PushItem(item, block=True)[source]¶

Push an item on to the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Parameters

item (object) – item to push on the queue.
block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.

Raises

KeyboardInterrupt – if the process is sent a KeyboardInterrupt while pushing an item.
QueueFull – if it was not possible to push the item to the queue within the timeout.
RuntimeError – if terminate event is missing.
zmq.error.ZMQError – if a ZeroMQ specific error occurs.

class plaso.engine.zeromq_queue.ZeroMQQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.plaso_queue.Queue

Interface for a ZeroMQ backed queue.

name¶

name to identify the queue.

Type: str

port¶

TCP port that the queue is connected or bound to. If the queue is not yet bound or connected to a port, this value will be None.

Type: int

timeout_seconds¶

number of seconds that calls to PopItem and PushItem may block for, before returning queue.QueueEmpty.

Type: int

Close(abort=False)[source]¶

Closes the queue.

Parameters

abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

Raises

QueueAlreadyClosed – if the queue is not started, or has already been closed.
RuntimeError – if closed or terminate event is missing.

IsBound()[source]¶: Checks if the queue is bound to a port.

IsConnected()[source]¶: Checks if the queue is connected to a port.

IsEmpty()[source]¶

Checks if the queue is empty.

ZeroMQ queues don’t have a concept of “empty” - there could always be messages on the queue that a producer or consumer is unaware of. Thus, the queue is never empty, so we return False. Note that it is possible that a queue is unable to pop an item from a queue within a timeout, which will cause PopItem to raise a QueueEmpty exception, but this is a different condition.

Returns: False, to indicate the the queue isn’t empty.
Return type: bool

Open()[source]¶

Opens this queue, causing the creation of a ZeroMQ socket.

Raises: QueueAlreadyStarted – if the queue is already started, and a socket already exists.

PopItem()[source]¶

Pops an item off the queue.

Returns: item from the queue.
Return type: object
Raises: QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.

PushItem(item, block=True)[source]¶

Pushes an item on to the queue.

Parameters

item (object) – item to push on the queue.
block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.

Raises

QueueAlreadyClosed – if the queue is closed.

SOCKET_CONNECTION_BIND = 1¶

SOCKET_CONNECTION_CONNECT = 2¶

SOCKET_CONNECTION_TYPE = None¶

class plaso.engine.zeromq_queue.ZeroMQRequestConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQRequestQueue

A Plaso queue backed by a ZeroMQ REQ socket that connects to a port.

This queue may only be used to pop items, not to push.

SOCKET_CONNECTION_TYPE = 2¶

class plaso.engine.zeromq_queue.ZeroMQRequestQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)[source]¶

Bases: plaso.engine.zeromq_queue.ZeroMQQueue

Parent class for Plaso queues backed by ZeroMQ REQ sockets.

This class should not be instantiated directly, a subclass should be instantiated instead.

Instances of this class or subclasses may only be used to pop items, not to push.

PopItem()[source]¶

Pops an item off the queue.

If no ZeroMQ socket has been created, one will be created the first time this method is called.

Returns

item from the queue.

Return type

object

Raises

KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
RuntimeError – if terminate event is missing.
zmq.error.ZMQError – if an error occurs in ZeroMQ.

PushItem(item, block=True)[source]¶

Pushes an item on to the queue.

Provided for compatibility with the API, but doesn’t actually work.

Parameters

item (object) – item to push on the queue.
block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.

Raises

WrongQueueType – As Push is not supported this queue.

Module contents¶

plaso.filters package¶

Submodules¶

plaso.filters.event_filter module¶

The event filter.

class plaso.filters.event_filter.EventObjectFilter[source]¶

Bases: plaso.filters.interface.FilterObject

Event filter.

CompileFilter(filter_expression)[source]¶

Compiles the filter expression.

The filter expression contains an object filter expression.

Parameters: filter_expression (str) – filter expression.
Raises: ParseError – if the filter expression cannot be parsed.

Match(event, event_data, event_tag)[source]¶

Determines if an event matches the filter.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

Returns

True if the event matches the filter, False otherwise.

Return type

bool

plaso.filters.expression_parser module¶

Event filter expression parser.

class plaso.filters.expression_parser.EventFilterExpressionParser[source]¶

Bases: object

Event filter expression parser.

Examples of valid syntax:: size is 40 (name contains “Program Files” AND hash.md5 is “123abc”) @imported_modules (num_symbols = 14 AND symbol.name is “FindWindow”)

Default(**kwarg)[source]¶: Default callback handler.

HexEscape(string, match, **unused_kwargs)[source]¶

Converts a hex escaped string.

Note that this function is used as a callback by _GetNextToken.

Returns: next state, which is None.
Return type: str
Raises: ParseError – if the string is not hex escaped.

InsertArg(string='', **unused_kwargs)[source]¶

Inserts an argument into the current expression.

Parameters

string (Optional[str]) – argument string.

Returns

state or None if the argument could not be added to the current: expression.

Return type

str

Raises

ParseError – if the operator does not support negation.

InsertFloatArg(string='', **unused_kwargs)[source]¶

Inserts a floating-point argument into the current expression.

Parameters

string (Optional[str]) – argument string that contains a floating-point value.

Returns

state or None if the argument could not be added to the current: expression.

Return type

str

Raises

ParseError – TBD.

InsertInt16Arg(string='', **unused_kwargs)[source]¶

Inserts a hexadecimal integer argument into the current expression.

Parameters

string (Optional[str]) – argument string that contains an integer value formatted in hexadecimal.

Returns

state or None if the argument could not be added to the current: expression.

Return type

str

Raises

ParseError – TBD.

InsertIntArg(string='', **unused_kwargs)[source]¶

Inserts a decimal integer argument into the current expression.

Parameters

string (Optional[str]) – argument string that contains an integer value formatted in decimal.

Returns

state or None if the argument could not be added to the current: expression.

Return type

str

Raises

ParseError – TBD.

Parse(expression)[source]¶

Parses an event filter expression.

Parameters: expression (str) – event filter expression.
Returns: expression.
Return type: Expression

class plaso.filters.expression_parser.Token(state, regex, actions, next_state)[source]¶

Bases: object

An event filter expression parser token.

actions¶

list of method names in the EventFilterExpressionParser to call.

Type: list[str]

next_state¶

next state we transition to if this Token matches.

Type: str

re_str¶

regular expression to try and match from the current point.

Type: str

state¶

parser state within the token should be applied or None if the token should be applied regardless of the parser state.

Type: str

CompareExpression(expression)[source]¶

Compares the token against an expression string.

Parameters

expression (str) – expression string.

Returns

the regular expression match object if the expression string: matches the token or None if no match.

Return type

re.Match

plaso.filters.expressions module¶

The event filter expression parser expression classes.

class plaso.filters.expressions.BinaryExpression(operator='')[source]¶

Bases: plaso.filters.expressions.Expression

An event filter parser expression which takes two other expressions.

AddOperands(lhs, rhs)[source]¶

Adds an operand.

Parameters

lhs (Expression) – left hand side expression.
rhs (Expression) – right hand side expression.

Raises

ParseError – if either left hand side or right hand side expression is not an instance of Expression.

Compile()[source]¶

Compiles the expression into a filter.

Returns: filter object corresponding the expression.
Return type: Filter
Raises: ParseError – if the operator is not supported.

class plaso.filters.expressions.EventExpression[source]¶

Bases: plaso.filters.expressions.Expression

Event expression.

Compile()[source]¶

Compiles the expression into a filter.

Returns: filter object corresponding the expression.
Return type: Filter
Raises: ParseError – if the operator is missing or unknown.

Negate()[source]¶: Reverses the logic of (negates) the expression.

class plaso.filters.expressions.Expression[source]¶

Bases: object

An event filter parser expression.

attribute¶

attribute or None if not set.

Type: str

args¶

arguments.

Type: list[str]

number_of_args¶

expected number of arguments.

Type: int

operator¶

operator or None if not set.

Type: str

AddArg(argument)[source]¶

Adds a new argument to this expression.

Parameters: argument (str) – argument to add.
Returns: True if the argument is the last argument, False otherwise.
Return type: bool
Raises: ParseError – If there are too many arguments.

Compile()[source]¶

Compiles the expression into a filter.

Returns: filter object corresponding the expression.
Return type: Filter

SetAttribute(attribute)[source]¶

Sets the attribute.

Parameters: attribute (str) – attribute, or None if not set.

SetOperator(operator)[source]¶

Set the operator.

Parameters: operator (str) – operator, such as “and” or “&&”, or None if not set.

attribute = None

class plaso.filters.expressions.IdentityExpression[source]¶

Bases: plaso.filters.expressions.Expression

An event filter parser expression which always evaluates to True.

Compile()[source]¶

Compiles the expression into a filter.

Returns: filter object which always evaluates to True.
Return type: IdentityFilter

plaso.filters.file_entry module¶

File entry filters.

class plaso.filters.file_entry.DateTimeFileEntryFilter[source]¶

Bases: plaso.filters.file_entry.FileEntryFilter

Date and time-based file entry filter.

AddDateTimeRange(time_value, start_time_string=None, end_time_string=None)[source]¶

Adds a date time filter range.

The time strings are formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:## Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.

Parameters

time_value (str) – time value, such as, atime, ctime, crtime, dtime, bkup and mtime.
start_time_string (str) – start date and time value string.
end_time_string (str) – end date and time value string.

Raises

ValueError – If the filter is badly formed.

Matches(file_entry)[source]¶

Compares the file entry against the filter.

Parameters

file_entry (dfvfs.FileEntry) – file entry to compare.

Returns

True if the file entry matches the filter, False if not or: None if the filter does not apply.

Return type

bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions)[source]¶

Bases: plaso.filters.file_entry.FileEntryFilter

Extensions-based file entry filter.

Matches(file_entry)[source]¶

Compares the file entry against the filter.

Parameters

file_entry (dfvfs.FileEntry) – file entry to compare.

Returns

True if the file entry matches the filter, False if not or: None if the filter does not apply.

Return type

bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.FileEntryFilter[source]¶

Bases: object

File entry filter interface.

Matches(file_entry)[source]¶

Compares the file entry against the filter.

Parameters

file_entry (dfvfs.FileEntry) – file entry to compare.

Returns

True if the file entry matches the filter, False if not or: None if the filter does not apply.

Return type

bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.FileEntryFilterCollection[source]¶

Bases: object

Collection of file entry filters.

AddFilter(file_entry_filter)[source]¶

Adds a file entry filter to the collection.

Parameters: file_entry_filter (FileEntryFilter) – file entry filter.

HasFilters()[source]¶

Determines if filters are defined.

Returns: True if filters are defined.
Return type: bool

Matches(file_entry)[source]¶

Compares the file entry against the filter collection.

Parameters

file_entry (dfvfs.FileEntry) – file entry to compare.

Returns

True if the file entry matches one of the filters. If no filters: are provided or applicable the result will be True.

Return type

bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.NamesFileEntryFilter(names)[source]¶

Bases: plaso.filters.file_entry.FileEntryFilter

Names-based file entry filter.

Matches(file_entry)[source]¶

Compares the file entry against the filter.

Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter.
Return type: bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers)[source]¶

Bases: plaso.filters.file_entry.FileEntryFilter

Signature-based file entry filter.

Matches(file_entry)[source]¶

Compares the file entry against the filter.

Parameters

file_entry (dfvfs.FileEntry) – file entry to compare.

Returns

True if the file entry matches the filter, False if not or: None if the filter does not apply.

Return type

bool

Print(output_writer)[source]¶

Prints a human readable version of the filter.

Parameters: output_writer (CLIOutputWriter) – output writer.

plaso.filters.filters module¶

The event filter expression parser filter classes.

class plaso.filters.filters.AndFilter(arguments=None)[source]¶

Bases: plaso.filters.filters.Filter

A filter that performs a boolean AND on the arguments.

Note that if no conditions are passed, all objects will pass.

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.BinaryOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.Operator

Interface for binary operators.

left_operand¶

left hand operand.

Type: object

right_operand¶

right hand operand.

Type: object

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.Contains(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Operator to determine if a value contains another value.

class plaso.filters.filters.EqualsOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Equals (==) operator.

class plaso.filters.filters.Filter(arguments=None)[source]¶

Bases: object

Filter interface.

args¶

arguments provided to the filter.

Type: list[object]

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.GenericBinaryOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.BinaryOperator

Shared functionality for common binary operators.

FlipBool()[source]¶: Negates the internal boolean value attribute.

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.GreaterEqualOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Greater than or equals (>=) operator.

class plaso.filters.filters.GreaterThanOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Greater than (>) operator.

class plaso.filters.filters.IdentityFilter(arguments=None)[source]¶

Bases: plaso.filters.filters.Operator

A filter which always evaluates to True.

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.InSet(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Operator to determine if a value is part of another value.

class plaso.filters.filters.LessEqualOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Less than or equals (<=) operator.

class plaso.filters.filters.LessThanOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Less than (<) operator.

class plaso.filters.filters.NotEqualsOperator(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Not equals (!=) operator.

class plaso.filters.filters.Operator(arguments=None)[source]¶

Bases: plaso.filters.filters.Filter

Interface for filters that represent operators.

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.OrFilter(arguments=None)[source]¶

Bases: plaso.filters.filters.Filter

A filter that performs a boolean OR on the arguments.

Note that if no conditions are passed, all objects will pass.

Matches(event, event_data, event_tag)[source]¶

Determines if the event, data and tag match the filter.

Parameters

event (EventObject) – event to compare against the filter.
event_data (EventData) – event data to compare against the filter.
event_tag (EventTag) – event tag to compare against the filter.

Returns

True if the event, data and tag match the filter, False otherwise.

Return type

bool

class plaso.filters.filters.Regexp(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.GenericBinaryOperator

Operator to determine if a value matches a regular expression.

compiled_re¶

compiled regular expression.

Type: ???

class plaso.filters.filters.RegexpInsensitive(arguments=None, **kwargs)[source]¶

Bases: plaso.filters.filters.Regexp

Operator to determine if a value matches a regular expression.

plaso.filters.helpers module¶

The event filter expression parser helper functions and classes.

class plaso.filters.helpers.DateCompareObject(data)[source]¶

Bases: object

A specific class created for date comparison.

This object takes a date representation, whether that is a direct integer datetime object or a string presenting the date, and uses that for comparing against timestamps stored in microseconds in in microseconds since Jan 1, 1970 00:00:00 UTC.

This makes it possible to use regular comparison operators for date, irrelevant of the format the date comes in, since plaso stores all timestamps in the same format, which is an integer/long, it is a simple manner of changing the input into the same format (int) and compare that.

__cmp__(x)[source]¶

A simple comparison operation.

Parameters: x (object) – object to compare against.
Returns: True if self is equal to the object.
Return type: bool

__eq__(x)[source]¶

Check if equal.

Parameters: x (object) – object to compare against.
Returns: True if self is equal to the object.
Return type: bool

__ge__(x)[source]¶

Greater or equal comparison.

Parameters: x (object) – object to compare against.
Returns: True if self is greater than or equal to the object.
Return type: bool

__gt__(x)[source]¶

Greater comparison.

Parameters: x (object) – object to compare against.
Returns: True if self is greater than the object.
Return type: bool

__le__(x)[source]¶

Less or equal comparison.

Parameters: x (object) – object to compare against.
Returns: True if self is less than or equal to the object.
Return type: bool

__lt__(x)[source]¶

Less comparison.

Parameters: x (object) – object to compare against.
Returns: True if self is less than the object.
Return type: bool

__ne__(x)[source]¶

Check if not equal.

Parameters: x (object) – object to compare against.
Returns: True if self is not equal to the object.
Return type: bool

__str__()[source]¶

Retrieves a string representation of the object.

Returns: string representation of the object.
Return type: str

class plaso.filters.helpers.DictObject(dict_object)[source]¶

Bases: object

A simple object representing a dict object.

To filter against an object that is stored as a dictionary the dict is converted into a simple object. Since keys can contain spaces and/or other symbols they are stripped out to make filtering work like it is another object.

Example dict:

{'A value': 234,
 'this (my) key_': 'value',
 'random': True,
}

This object would then allow access to object.thismykey that would access the key ‘this (my) key_’ inside the dict.

__getattr__(attr)[source]¶: Return back entries from the dictionary.

plaso.filters.helpers.GetUnicodeString(value)[source]¶

Attempts to convert the argument to a Unicode string.

Parameters: value (list|int|bytes|str) – value to convert.
Returns: string representation of the argument.
Return type: str

class plaso.filters.helpers.TimeRangeCache[source]¶

Bases: object

A class that stores time ranges from filters.

classmethod GetTimeRange()[source]¶: Return the first and last timestamp of filter range.

MAX_INT64 = 18446744073709551615¶

classmethod SetLowerTimestamp(timestamp)[source]¶: Sets the lower bound timestamp.

classmethod SetUpperTimestamp(timestamp)[source]¶: Sets the upper bound timestamp.

plaso.filters.interface module¶

Filter interface.

class plaso.filters.interface.FilterObject[source]¶

Bases: object

Filter object interface.

CompileFilter(filter_expression)[source]¶

Compiles the filter expression.

Parameters: filter_expression (str) – filter expression.
Raises: WrongPlugin – if the filter could not be compiled.

Match(event, event_data, event_tag)[source]¶

Determines if an event matches the filter.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

Returns

True if the event matches the filter.

Return type

bool

fields¶

name of the fields.

Type: list[str]

filter_expression¶

compiled filter expression or None.

Type: object

filter_name¶

name of the filter.

Type: str

limit¶

row limit.

Type: int

separator¶

output field separator.

Type: str

plaso.filters.path_filter module¶

A scan tree-based path filter implementation.

The scan tree is a tree based on multiple paths that contains the path segments per node. The most significant path segment is at the root and therefore compared first. More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals#scanning-tree-based-signature-scanning

The scan tree is used in the filter to filter provided paths.

class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator='/')[source]¶

Bases: object

Path filter scan tree.

CheckPath(path, path_segment_separator=None)[source]¶

Checks if a path matches the scan tree-based path filter.

Parameters

path (str) – path.
path_segment_separator (Optional[str]) – path segment separator, where None defaults to the path segment separator that was set when the path filter scan tree was initialized.

Returns

True if the path matches the filter, False otherwise.

Return type

bool

class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)[source]¶

Bases: object

Class that implements a path filter scan tree node.

The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.

default_value¶

the default scan object, which is either a scan tree sub node or a path.

Type: str|PathFilterScanTreeNode

parent¶

the parent path filter scan tree node or None if the node has no parent.

Type: PathFilterScanTreeNode

path_segment_index¶

path segment index represented by the node.

Type: int

AddPathSegment(path_segment, scan_object)[source]¶

Adds a path segment.

Parameters

path_segment (str) – path segment.
scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.

Raises

ValueError – if the node already contains a scan object for the path segment.

GetScanObject(path_segment)[source]¶

Retrieves the scan object for a specific path segment.

Parameters

path_segment (str) – path segment.

Returns

a scan object, which is either: a scan tree sub node, a path or the default value.

Return type

str|PathFilterScanTreeNode

SetDefaultValue(scan_object)[source]¶

Sets the default (non-match) value.

Parameters

scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.

Raises

TypeError – if the scan object is of an unsupported type.
ValueError – if the default value is already set.

ToDebugString(indentation_level=1)[source]¶

Converts the path filter scan tree node into a debug string.

Parameters: indentation_level (int) – text indentation level.
Returns: debug string representing the path filter scan tree node.
Return type: str

path_segments¶

path segments.

Type: list[str]

Module contents¶

plaso.formatters package¶

Submodules¶

plaso.formatters.amcache module¶

The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Windows Registry event.

DATA_TYPE = 'windows:registry:amcache'¶

FORMAT_STRING_PIECES = ['path: {full_path}', 'sha1: {sha1}', 'productname: {productname}', 'companyname: {companyname}', 'fileversion: {fileversion}', 'languagecode: {languagecode}', 'filesize: {filesize}', 'filedescription: {filedescription}', 'linkerts: {linkerts}', 'lastmodifiedts: {lastmodifiedts}', 'createdts: {createdts}', 'programid: {programid}']¶

FORMAT_STRING_SHORT_PIECES = ['path: {full_path}']¶

SOURCE_LONG = 'Amcache Registry Entry'¶

SOURCE_SHORT = 'AMCACHE'¶

class plaso.formatters.amcache.AmcacheProgramsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Programs Windows Registry event.

DATA_TYPE = 'windows:registry:amcache:programs'¶

FORMAT_STRING_PIECES = ['name: {name}', 'version: {version}', 'publisher: {publisher}', 'languagecode: {languagecode}', 'entrytype: {entrytype}', 'uninstallkey: {uninstallkey}', 'filepaths: {filepaths}', 'productcode: {productcode}', 'packagecode: {packagecode}', 'msiproductcode: {msiproductcode}', 'msipackagecode: {msipackagecode}', 'files: {files}']¶

FORMAT_STRING_SHORT_PIECES = ['name: {name}']¶

SOURCE_LONG = 'Amcache Programs Registry Entry'¶

SOURCE_SHORT = 'AMCACHEPROGRAM'¶

plaso.formatters.android_app_usage module¶

The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Application Last Resumed event.

DATA_TYPE = 'android:event:last_resume_time'¶

FORMAT_STRING_PIECES = ['Package: {package}', 'Component: {component}']¶

SOURCE_LONG = 'Android App Usage'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.android_calls module¶

The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android call history event.

DATA_TYPE = 'android:event:call'¶

FORMAT_STRING_PIECES = ['{call_type}', 'Number: {number}', 'Name: {name}', 'Duration: {duration} seconds']¶

FORMAT_STRING_SHORT_PIECES = ['{call_type} Call']¶

SOURCE_LONG = 'Android Call History'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.android_sms module¶

The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android SMS event.

DATA_TYPE = 'android:messaging:sms'¶

FORMAT_STRING_PIECES = ['Type: {sms_type}', 'Address: {address}', 'Status: {sms_read}', 'Message: {body}']¶

FORMAT_STRING_SHORT_PIECES = ['{body}']¶

SOURCE_LONG = 'Android SMS messages'¶

SOURCE_SHORT = 'SMS'¶

plaso.formatters.android_webview module¶

The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebView Cookie event data.

DATA_TYPE = 'webview:cookie'¶

FORMAT_STRING_PIECES = ['Domain: {domain}', 'Path: {path}', 'Cookie name: {name}', 'Value: {value}', 'Secure: {secure}']¶

FORMAT_STRING_SHORT_PIECES = ['{domain}', '{name}', '{value}']¶

SOURCE_LONG = 'Android WebView'¶

SOURCE_SHORT = 'WebView'¶

plaso.formatters.android_webviewcache module¶

The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebViewCache event data.

DATA_TYPE = 'android:webviewcache'¶

FORMAT_STRING_PIECES = ['URL: {url}', 'Content Length: {content_length}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}']¶

SOURCE_LONG = 'Android WebViewCache'¶

SOURCE_SHORT = 'WebViewCache'¶

plaso.formatters.apache_access module¶

Apache access log file event formatter.

class plaso.formatters.apache_access.ApacheAccessFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a apache access log event.

DATA_TYPE = 'apache:access'¶

FORMAT_STRING_PIECES = ['http_request: {http_request}', 'from: {ip_address}', 'code: {http_response_code}', 'referer: {http_request_referer}', 'user_agent: {http_request_user_agent}']¶

FORMAT_STRING_SHORT_PIECES = ['{http_request}', 'from: {ip_address}']¶

SOURCE_LONG = 'Apache Access'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.appcompatcache module¶

The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an AppCompatCache Windows Registry event.

DATA_TYPE = 'windows:registry:appcompatcache'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'Cached entry: {entry_index}', 'Path: {path}']¶

FORMAT_STRING_SHORT_PIECES = ['Path: {path}']¶

SOURCE_LONG = 'AppCompatCache Registry Entry'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.appusage module¶

The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MacOS Application usage event.

DATA_TYPE = 'macosx:application_usage'¶

FORMAT_STRING = '{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'¶

FORMAT_STRING_SHORT = '{application} ({count} time(s))'¶

SOURCE_LONG = 'Application Usage'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.asl module¶

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = 'mac:asl:event'¶

FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']¶

FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'ASL entry'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.bagmru module¶

The BagMRU event formatter.

class plaso.formatters.bagmru.BagMRUEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a BagMRU event.

DATA_TYPE = 'windows:registry:bagmru'¶

FORMAT_STRING = '[{key_path}] {entries}'¶

FORMAT_STRING_ALTERNATIVE = '{entries}'¶

SOURCE_LONG = 'Registry Key : BagMRU'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.bash_history module¶

The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for Bash history events.

DATA_TYPE = 'bash:history:command'¶

FORMAT_STRING = 'Command executed: {command}'¶

FORMAT_STRING_SHORT = '{command}'¶

SOURCE_LONG = 'Bash History'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.bencode_parser module¶

The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Transmission active torrents event.

DATA_TYPE = 'p2p:bittorrent:transmission'¶

FORMAT_STRING_PIECES = ['Saved to {destination}', 'Minutes seeded: {seedtime}']¶

FORMAT_STRING_SEPARATOR = '; '¶

SOURCE_LONG = 'Transmission Active Torrents'¶

SOURCE_SHORT = 'TORRENT'¶

class plaso.formatters.bencode_parser.UTorrentEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BitTorrent uTorrent active torrents event.

DATA_TYPE = 'p2p:bittorrent:utorrent'¶

FORMAT_STRING_PIECES = ['Torrent {caption}', 'Saved to {path}', 'Minutes seeded: {seedtime}']¶

FORMAT_STRING_SEPARATOR = '; '¶

SOURCE_LONG = 'uTorrent Active Torrents'¶

SOURCE_SHORT = 'TORRENT'¶

plaso.formatters.bsm module¶

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = 'bsm:event'¶

FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']¶

FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'BSM entry'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.ccleaner module¶

The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerConfigurationEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a CCleaner configuration event.

DATA_TYPE = 'ccleaner:configuration'¶

FORMAT_STRING = '[{key_path}] {configuration}'¶

FORMAT_STRING_ALTERNATIVE = '{configuration}'¶

SOURCE_LONG = 'Registry Key : CCleaner Registry key'¶

SOURCE_SHORT = 'REG'¶

class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CCleaner update event.

DATA_TYPE = 'ccleaner:update'¶

FORMAT_STRING_PIECES = ['Origin: {key_path}']¶

FORMAT_STRING_SHORT_PIECES = ['Origin: {key_path}']¶

SOURCE_LONG = 'System'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.chrome module¶

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = 'chrome:history:file_downloaded'¶

FORMAT_STRING_PIECES = ['{url}', '({full_path}).', 'Received: {received_bytes} bytes', 'out of: {total_bytes} bytes.']¶

FORMAT_STRING_SHORT_PIECES = ['{full_path} downloaded', '({received_bytes} bytes)']¶

SOURCE_LONG = 'Chrome History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.chrome.ChromePageVisitedFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = 'chrome:history:page_visited'¶

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_autofill module¶

The Google Chrome autofill database event formatter.

class plaso.formatters.chrome_autofill.ChromeAutofillFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome autofill event.

DATA_TYPE = 'chrome:autofill:entry'¶

FORMAT_STRING_PIECES = ['Form field name: {field_name}', 'Entered value: {value}', 'Times used: {usage_count}']¶

FORMAT_STRING_SHORT_PIECES = ['{field_name}:', '{value}', '({usage_count})']¶

SOURCE_LONG = 'Chrome Autofill'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_cache module¶

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = 'chrome:cache:entry'¶

FORMAT_STRING_PIECES = ['Original URL: {original_url}']¶

SOURCE_LONG = 'Chrome Cache'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_cookies module¶

The Google Chrome cookies database event formatter.

class plaso.formatters.chrome_cookies.ChromeCookieFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome cookie event.

DATA_TYPE = 'chrome:cookie:entry'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only] = {httponly}', '[Persistent] = {persistent}']¶

FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']¶

SOURCE_LONG = 'Chrome Cookies'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_extension_activity module¶

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = 'chrome:extension_activity:activity_log'¶

FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type}', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']¶

FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Extension Activity'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_preferences module¶

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'¶

FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']¶

FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Permission Event'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension installation event.

DATA_TYPE = 'chrome:preferences:extension_installation'¶

FORMAT_STRING_PIECES = ['CRX ID: {extension_id}', 'CRX Name: {extension_name}', 'Path: {path}']¶

FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{path}']¶

SOURCE_LONG = 'Chrome Extension Installation'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome Extensions Autoupdater events.

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'¶

FORMAT_STRING_PIECES = ['{message}']¶

FORMAT_STRING_SHORT_PIECES = ['{message}']¶

SOURCE_LONG = 'Chrome Extensions Autoupdater'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome history clearing events.

DATA_TYPE = 'chrome:preferences:clear_history'¶

FORMAT_STRING_PIECES = ['{message}']¶

FORMAT_STRING_SHORT_PIECES = ['{message}']¶

SOURCE_LONG = 'Chrome History Deletion'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.cron module¶

The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog cron task run event.

DATA_TYPE = 'syslog:cron:task_run'¶

FORMAT_STRING_PIECES = ['Cron ran: {command}', 'for user: {username}', 'pid: {pid}']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT = '{body}'¶

SOURCE_LONG = 'Cron log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.cups_ipp module¶

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = 'cups:ipp:event'¶

FORMAT_STRING_PIECES = ['Status: {status}', 'User: {user}', 'Owner: {owner}', 'Job Name: {job_name}', 'Application: {application}', 'Document type: {type_doc}', 'Printer: {printer_id}']¶

FORMAT_STRING_SHORT_PIECES = ['Status: {status}', 'Job Name: {job_name}']¶

SOURCE_LONG = 'CUPS IPP Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.default module¶

The default event formatter.

class plaso.formatters.default.DefaultFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'¶

FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'¶

FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

plaso.formatters.docker module¶

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = 'docker:json'¶

FORMAT_STRING_SHORT_PIECES = ['{id}']¶

SOURCE_SHORT = 'DOCKER'¶

class plaso.formatters.docker.DockerContainerEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = 'docker:json:container'¶

FORMAT_STRING_PIECES = ['Action: {action}', 'Container Name: {container_name}', 'Container ID: {container_id}']¶

FORMAT_STRING_SEPARATOR = ', '¶

SOURCE_LONG = 'Docker Container'¶

SOURCE_SHORT = 'DOCKER'¶

class plaso.formatters.docker.DockerContainerLogEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event

DATA_TYPE = 'docker:json:container:log'¶

FORMAT_STRING_PIECES = ('Text: {log_line}', 'Container ID: {container_id}', 'Source: {log_source}')¶

FORMAT_STRING_SEPARATOR = ', '¶

SOURCE_LONG = 'Docker Container Logs'¶

SOURCE_SHORT = 'DOCKER'¶

class plaso.formatters.docker.DockerLayerEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = 'docker:json:layer'¶

FORMAT_STRING_PIECES = ('Command: {command}', 'Layer ID: {layer_id}')¶

FORMAT_STRING_SEPARATOR = ', '¶

SOURCE_LONG = 'Docker Layer'¶

SOURCE_SHORT = 'DOCKER'¶

plaso.formatters.dpkg module¶

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = 'dpkg:line'¶

FORMAT_STRING_PIECES = ['{body}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'dpkg log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.file_history module¶

The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a file history ESE database namespace table record.

DATA_TYPE = 'file_history:namespace:event'¶

FORMAT_STRING_PIECES = ['Filename: {original_filename}', 'Identifier: {identifier}', 'Parent Identifier: {parent_identifier}', 'Attributes: {file_attribute}', 'USN number: {usn_number}']¶

FORMAT_STRING_SHORT_PIECES = ['Filename: {original_filename}']¶

SOURCE_LONG = 'File History Namespace'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.file_system module¶

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = 'fs:stat'¶

FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

class plaso.formatters.file_system.NTFSFileStatEventFormatter[source]¶

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = 'fs:stat:ntfs'¶

FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{attribute_name}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

class plaso.formatters.file_system.NTFSUSNChangeEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = 'fs:ntfs:usn_change'¶

FORMAT_STRING_PIECES = ['{filename}', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{update_reason}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

plaso.formatters.firefox module¶

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = 'firefox:places:bookmark_annotation'¶

FORMAT_STRING_PIECES = ['Bookmark Annotation: [{content}]', 'to bookmark [{title}]', '({url})']¶

FORMAT_STRING_SHORT_PIECES = ['Bookmark Annotation: {title}']¶

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = 'firefox:places:bookmark_folder'¶

FORMAT_STRING = '{title}'¶

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.firefox.FirefoxBookmarkFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = 'firefox:places:bookmark'¶

FORMAT_STRING_PIECES = ['Bookmark {type}', '{title}', '({url})', '[{places_title}]', 'visit count {visit_count}']¶

FORMAT_STRING_SHORT_PIECES = ['Bookmarked {title}', '({url})']¶

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.firefox.FirefoxDowloadFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = 'firefox:downloads:download'¶

FORMAT_STRING = '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'¶

FORMAT_STRING_SHORT = '{full_path} downloaded ({received_bytes} bytes)'¶

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.firefox.FirefoxPageVisitFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = 'firefox:places:page_visited'¶

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']¶

FORMAT_STRING_SHORT_PIECES = ['URL: {url}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.firefox_cache module¶

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = 'firefox:cache:record'¶

FORMAT_STRING_PIECES = ['Fetched {fetch_count} time(s)', '[{response_code}]', '{request_method}', '"{url}"']¶

FORMAT_STRING_SHORT_PIECES = ['[{response_code}]', '{request_method}', '"{url}"']¶

SOURCE_LONG = 'Firefox Cache'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.firefox_cookies module¶

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = 'firefox:cookie:entry'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only]: {httponly}', '(GA analysis: {ga_data})']¶

FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']¶

SOURCE_LONG = 'Firefox Cookies'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.fseventsd module¶

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = 'macos:fseventsd:record'¶

FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FSEVENT'¶

plaso.formatters.ganalytics module¶

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utma'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Visitor ID: {visitor_id}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']¶

SOURCE_LONG = 'Google Analytics Cookies'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter[source]¶

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmb'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Pages Viewed: {pages_viewed}', 'Domain Hash: {domain_hash}']¶

class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter[source]¶

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmt'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})']¶

class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter[source]¶

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmz'¶

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Sources: {sources}', 'Last source used to access: {utmcsr}', 'Ad campaign information: {utmccn}', 'Last type of visit: {utmcmd}', 'Keywords used to find site: {utmctr}', 'Path to the page of referring link: {utmcct}']¶

plaso.formatters.gdrive module¶

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'¶

FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Drive (cloud entry)'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.gdrive.GDriveLocalEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = 'gdrive:snapshot:local_entry'¶

FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}']¶

SOURCE_LONG = 'Google Drive (local entry)'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.gdrive_synclog module¶

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = 'gdrive_sync:log:line'¶

FORMAT_STRING_PIECES = ['[{log_level}', '{pid}', '{thread}', '{source_code}]', '{message}']¶

FORMAT_STRING_SHORT_PIECES = ['{message}']¶

SOURCE_LONG = 'GoogleDriveSync Log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.hangouts_messages module¶

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Hangouts message event.

DATA_TYPE = 'android:messaging:hangouts'¶

FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{body}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters

formatter_mediator (FormatterMediator) – not used.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Hangouts Message'¶

SOURCE_SHORT = 'HANGOUTS'¶

VALUE_FORMATTERS = {'message_status': <function HangoutsFormatter.<lambda>>, 'message_type': <function HangoutsFormatter.<lambda>>}¶

plaso.formatters.iis module¶

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = 'iis:log:line'¶

FORMAT_STRING_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']', 'HTTP Status: {http_status}', 'Bytes Sent: {sent_bytes}', 'Bytes Received: {received_bytes}', 'User Agent: {user_agent}', 'Protocol Version: {protocol_version}']¶

FORMAT_STRING_SHORT_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']']¶

SOURCE_LONG = 'IIS Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.imessage module¶

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = 'imessage:event:chat'¶

FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']¶

FORMAT_STRING_SHORT_PIECES = ['{text}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Apple iMessage Application'¶

SOURCE_SHORT = 'iMessage'¶

plaso.formatters.interface module¶

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = ['']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT_PIECES = ['']¶

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.interface.EventFormatter[source]¶

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

DATA_TYPE = 'internal'¶

FORMAT_STRING = ''¶

FORMAT_STRING_SHORT = ''¶

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = ''¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.ipod module¶

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = 'ipod:device:entry'¶

FORMAT_STRING_PIECES = ['Device ID: {device_id}', 'Type: {device_class}', '[{family_id}]', 'Connected {use_count} times', 'Serial nr: {serial_number}', 'IMEI [{imei}]']¶

SOURCE_LONG = 'iPod Connections'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.java_idx module¶

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Java WebStart Cache IDX download event.

DATA_TYPE = 'java:download:idx'¶

FORMAT_STRING_PIECES = ['IDX Version: {idx_version}', 'Host IP address: ({ip_address})', 'Download URL: {url}']¶

SOURCE_LONG = 'Java Cache IDX'¶

SOURCE_SHORT = 'JAVA_IDX'¶

plaso.formatters.kik_ios module¶

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = 'ios:kik:messaging'¶

FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']¶

FORMAT_STRING_SHORT_PIECES = ['{body}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Kik iOS messages'¶

SOURCE_SHORT = 'Kik iOS'¶

plaso.formatters.kodi module¶

The Kodi MyVideos database event formatter.

class plaso.formatters.kodi.KodiFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Kodi Video event.

DATA_TYPE = 'kodi:videos:viewing'¶

FORMAT_STRING_PIECES = ['Video: {filename}', 'Play Count: {play_count}']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}']¶

SOURCE_LONG = 'Kodi Video Viewed'¶

SOURCE_SHORT = 'KODI'¶

plaso.formatters.logger module¶

The formatters sub module logger.

plaso.formatters.ls_quarantine module¶

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = 'macosx:lsquarantine'¶

FORMAT_STRING_PIECES = ['[{agent}]', 'Downloaded: {url}', '<{data}>']¶

FORMAT_STRING_SHORT_PIECES = ['{url}']¶

SOURCE_LONG = 'LS Quarantine Event'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mac_appfirewall module¶

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for MacOS appfirewall.log file event.

DATA_TYPE = 'mac:appfirewall:line'¶

FORMAT_STRING_PIECES = ['Computer: {computer_name}', 'Agent: {agent}', 'Status: {status}', 'Process name: {process_name}', 'Log: {action}']¶

FORMAT_STRING_SHORT_PIECES = ['Process name: {process_name}', 'Status: {status}']¶

SOURCE_LONG = 'Mac AppFirewall Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mac_document_versions module¶

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = 'mac:document_versions:file'¶

FORMAT_STRING_PIECES = ['Version of [{name}]', '({path})', 'stored in {version_path}', 'by {user_sid}']¶

FORMAT_STRING_SHORT_PIECES = ['Stored a document version of [{name}]']¶

SOURCE_LONG = 'Document Versions'¶

SOURCE_SHORT = 'HISTORY'¶

plaso.formatters.mac_keychain module¶

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = 'mac:keychain:application'¶

FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}']¶

FORMAT_STRING_SHORT_PIECES = ['{entry_name}']¶

SOURCE_LONG = 'Keychain Application password'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = 'mac:keychain:internet'¶

FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}', 'Where: {where}', 'Protocol: {protocol}', '({type_protocol})']¶

FORMAT_STRING_SHORT_PIECES = ['{entry_name}']¶

SOURCE_LONG = 'Keychain Internet password'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mac_knowledgec module¶

The MacOS KnowledgeC datbase event formatters.

class plaso.formatters.mac_knowledgec.MacKnowledgeCApplicationFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC application event.

DATA_TYPE = 'mac:knowledgec:application'¶

FORMAT_STRING_PIECES = ['Application {bundle_identifier} executed', 'for {duration} seconds']¶

FORMAT_STRING_SHORT_PIECES = ['Application {bundle_identifier}']¶

SOURCE_LONG = 'KnowledgeC Application'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.mac_knowledgec.MacKnowledgeCSafariFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC Safari event.

DATA_TYPE = 'mac:knowledgec:safari'¶

FORMAT_STRING_PIECES = ['Visited: {url}', '({title})', 'Duration: {duration}']¶

FORMAT_STRING_SHORT_PIECES = ['Safari: {url}']¶

SOURCE_LONG = 'KnowledgeC Safari'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.mac_notes module¶

The Mac Notes event formatter.

class plaso.formatters.mac_notes.MacNotesNotesFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Mac Notes record

DATA_TYPE = 'mac:notes:note'¶

FORMAT_STRING_PIECES = ['title:{title}', 'note_text:{text}']¶

FORMAT_STRING_SHORT_PIECES = ['title:{title}']¶

SOURCE_LONG = 'Mac Notes'¶

SOURCE_SHORT = 'Mac Note'¶

plaso.formatters.mac_notificationcenter module¶

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = 'mac:notificationcenter:db'¶

FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']¶

FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Notification Center'¶

SOURCE_SHORT = 'NOTIFICATION'¶

plaso.formatters.mac_securityd module¶

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = 'mac:securityd:line'¶

FORMAT_STRING_PIECES = ['Sender: {sender}', '({sender_pid})', 'Level: {level}', 'Facility: {facility}', 'Text: {message}']¶

FORMAT_STRING_SHORT_PIECES = ['Text: {message}']¶

SOURCE_LONG = 'Mac Securityd Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mac_wifi module¶

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = 'mac:wifilog:line'¶

FORMAT_STRING_PIECES = ['Action: {action}', 'Agent: {agent}', '({function})', 'Log: {text}']¶

FORMAT_STRING_SHORT_PIECES = ['Action: {action}']¶

SOURCE_LONG = 'Mac Wifi Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mackeeper_cache module¶

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = 'mackeeper:cache'¶

FORMAT_STRING_PIECES = ['{description}', '<{event_type}>', ':', '{text}', '[', 'URL: {url}', 'Event ID: {record_id}', 'Room: {room}', ']']¶

FORMAT_STRING_SHORT_PIECES = ['<{event_type}>', '{text}']¶

SOURCE_LONG = 'MacKeeper Cache'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mactime module¶

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = 'fs:mactime:line'¶

FORMAT_STRING = '{filename}'¶

SOURCE_LONG = 'Mactime Bodyfile'¶

SOURCE_SHORT = 'FILE'¶

plaso.formatters.manager module¶

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager[source]¶

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)[source]¶

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is not set for the corresponding data type.

classmethod GetFormatterObject(data_type)[source]¶

Retrieves the formatter object for a specific data type.

Parameters

data_type (str) – data type.

Returns

corresponding formatter or the default formatter if: not available.

Return type

EventFormatter

classmethod GetMessageStrings(formatter_mediator, event_data)[source]¶

Retrieves the formatted message strings for a specific event.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

long and short version of the message string.

Return type

list[str, str]

classmethod GetSourceStrings(event, event_data)[source]¶

Retrieves the formatted source strings for a specific event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long version of the source of the event.

Return type

list[str, str]

classmethod RegisterFormatter(formatter_class)[source]¶

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatters(formatter_classes)[source]¶

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_classes (list[type]) – classes of the formatters.
Raises: KeyError – if formatter class is already set for the corresponding data type.

plaso.formatters.mcafeeav module¶

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = 'av:mcafee:accessprotectionlog'¶

FORMAT_STRING_PIECES = ['File Name: {filename}', 'User: {username}', '{trigger_location}', '{status}', '{rule}', '{action}']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{action}']¶

SOURCE_LONG = 'McAfee Access Protection Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.mediator module¶

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)[source]¶

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'¶

DEFAULT_LCID = 1033¶

GetWindowsEventMessage(log_source, message_identifier)[source]¶

Retrieves the message string for a specific Windows Event Log source.

Parameters

log_source (str) – Event Log source, such as “Application Error”.
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

SetPreferredLanguageIdentifier(language_identifier)[source]¶

Sets the preferred language identifier.

Parameters

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises

KeyError – if the language identifier is not defined.
ValueError – if the language identifier is not a string type.

lcid¶

preferred Language Code identifier (LCID).

Type: int

plaso.formatters.mrulistex module¶

The MRUListEx event formatter.

class plaso.formatters.mrulistex.MRUListExEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MRUListEx event.

DATA_TYPE = 'windows:registry:mrulistex'¶

FORMAT_STRING = '[{key_path}] {entries}'¶

FORMAT_STRING_ALTERNATIVE = '{entries}'¶

SOURCE_LONG = 'Registry Key : MRUListEx'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.msie_webcache module¶

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = 'msie:webcache:container'¶

FORMAT_STRING_PIECES = ['URL: {url}', 'Redirect URL: {redirect_url}', 'Access count: {access_count}', 'Sync count: {sync_count}', 'Filename: {cached_filename}', 'File extension: {file_extension}', 'Cached file size: {cached_file_size}', 'Request headers: {request_headers}', 'Response headers: {response_headers}', 'Entry identifier: {entry_identifier}', 'Container identifier: {container_identifier}', 'Cache identifier: {cache_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['URL: {url}']¶

SOURCE_LONG = 'MSIE WebCache container record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = 'msie:webcache:containers'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'Directory: {directory}', 'Table: Container_{container_identifier}', 'Container identifier: {container_identifier}', 'Set identifier: {set_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']¶

SOURCE_LONG = 'MSIE WebCache containers record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = 'msie:webcache:leak_file'¶

FORMAT_STRING_PIECES = ['Filename: {cached_filename}', 'Leak identifier: {leak_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['Filename: {cached_filename}']¶

SOURCE_LONG = 'MSIE WebCache partitions record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = 'msie:webcache:partitions'¶

FORMAT_STRING_PIECES = ['Partition identifier: {partition_identifier}', 'Partition type: {partition_type}', 'Directory: {directory}', 'Table identifier: {table_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']¶

SOURCE_LONG = 'MSIE WebCache partitions record'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.msiecf module¶

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = 'msiecf:leak'¶

FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']¶

SOURCE_LONG = 'MSIE Cache File leak record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msiecf.MsiecfRedirectedFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = 'msiecf:redirected'¶

FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Location: {url}']¶

SOURCE_LONG = 'MSIE Cache File redirected record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msiecf.MsiecfUrlFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = 'msiecf:url'¶

FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']¶

SOURCE_LONG = 'MSIE Cache File URL record'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.network_drives module¶

The Network drive event formatter.

class plaso.formatters.network_drives.NetworkDriveEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Network drive event.

DATA_TYPE = 'windows:registry:network_drive'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'DriveLetter: {drive_letter}', 'RemoteServer: {server_name}', 'ShareName: {share_name}', 'Type: Mapped Drive']¶

SOURCE_LONG = 'Registry Key : Network Drive'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.officemru module¶

The Microsoft Office MRU Windows Registry event formatter.

class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft Office MRU Windows Registry event.

DATA_TYPE = 'windows:registry:office_mru'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'Value: {value_string}']¶

FORMAT_STRING_SHORT_PIECES = ['{value_string}']¶

SOURCE_LONG = 'Registry Key: Microsoft Office MRU'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.olecf module¶

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = 'olecf:dest_list:entry'¶

FORMAT_STRING_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = 'olecf:document_summary_info'¶

FORMAT_STRING_PIECES = ['Number of bytes: {number_of_bytes}', 'Number of lines: {number_of_lines}', 'Number of paragraphs: {number_of_paragraphs}', 'Number of slides: {number_of_slides}', 'Number of notes: {number_of_notes}', 'Number of hidden slides: {number_of_hidden_slides}', 'Number of multi-media clips: {number_of_clips}', 'Company: {company}', 'Manager: {manager}', 'Shared document: {shared_document}', 'Application version: {application_version}', 'Content type: {content_type}', 'Content status: {content_status}', 'Language: {language}', 'Document version: {document_version}']¶

FORMAT_STRING_SHORT_PIECES = ['Company: {company}']¶

SOURCE_LONG = 'OLECF Document Summary Info'¶

SOURCE_SHORT = 'OLECF'¶

class plaso.formatters.olecf.OLECFItemFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = 'olecf:item'¶

FORMAT_STRING = 'Name: {name}'¶

FORMAT_STRING_SHORT = 'Name: {name}'¶

SOURCE_LONG = 'OLECF Item'¶

SOURCE_SHORT = 'OLECF'¶

class plaso.formatters.olecf.OLECFSummaryInfoFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = 'olecf:summary_info'¶

FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']¶

FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'OLECF Summary Info'¶

SOURCE_SHORT = 'OLECF'¶

plaso.formatters.opera module¶

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = 'opera:history:entry'¶

FORMAT_STRING_PIECES = ['{url}', '({title})', '[{description}]']¶

SOURCE_LONG = 'Opera Browser History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.opera.OperaTypedHistoryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = 'opera:history:typed_entry'¶

FORMAT_STRING_PIECES = ['{url}', '({entry_selection})']¶

SOURCE_LONG = 'Opera Browser History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.oxml module¶

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = 'metadata:openxml'¶

FORMAT_STRING_PIECES = ['Creating App: {creating_app}', 'App version: {app_version}', 'Title: {title}', 'Subject: {subject}', 'Last saved by: {last_saved_by}', 'Author: {author}', 'Total edit time (secs): {total_edit_time}', 'Keywords: {keywords}', 'Comments: {comments}', 'Revision number: {revision_number}', 'Template: {template}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Number of characters with spaces: {number_of_characters_with_spaces}', 'Number of lines: {number_of_lines}', 'Company: {company}', 'Manager: {manager}', 'Shared: {shared}', 'Security: {security}', 'Hyperlinks changed: {hyperlinks_changed}', 'Links up to date: {links_up_to_date}', 'Scale crop: {scale_crop}', 'Digital signature: {dig_sig}', 'Slides: {slides}', 'Hidden slides: {hidden_slides}', 'Presentation format: {presentation_format}', 'MM clips: {mm_clips}', 'Notes: {notes}']¶

FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}']¶

SOURCE_LONG = 'Open XML Metadata'¶

SOURCE_SHORT = 'META'¶

plaso.formatters.pe module¶

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter[source]¶

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = 'pe:compilation:compilation_time'¶

SOURCE_LONG = 'PE Compilation time'¶

class plaso.formatters.pe.PEDelayImportFormatter[source]¶

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = 'pe:delay_import:import_time'¶

FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']¶

FORMAT_STRING_SHORT_PIECES = ['{dll_name}']¶

SOURCE_LONG = 'PE Delay Import Time'¶

class plaso.formatters.pe.PEEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = 'pe'¶

FORMAT_STRING_PIECES = ['PE Type: {pe_type}', 'Import hash: {imphash}']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT_PIECES = ['pe_type']¶

SOURCE_LONG = 'PE Event'¶

SOURCE_SHORT = 'PE'¶

class plaso.formatters.pe.PEImportFormatter[source]¶

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = 'pe:import:import_time'¶

FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']¶

FORMAT_STRING_SHORT_PIECES = ['{dll_name}']¶

SOURCE_LONG = 'PE Import Time'¶

class plaso.formatters.pe.PELoadConfigModificationEvent[source]¶

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = 'pe:load_config:modification_time'¶

SOURCE_LONG = 'PE Load Configuration Table Time'¶

class plaso.formatters.pe.PEResourceCreationFormatter[source]¶

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = 'pe:resource:creation_time'¶

SOURCE_LONG = 'PE Resource Creation Time'¶

plaso.formatters.plist module¶

The plist event formatter.

class plaso.formatters.plist.PlistFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = 'plist:key'¶

FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'Plist Entry'¶

SOURCE_SHORT = 'PLIST'¶

plaso.formatters.pls_recall module¶

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = 'PLSRecall:event'¶

FORMAT_STRING_PIECES = ['Sequence number: {sequence_number}', 'Username: {username}', 'Database name: {database_name}', 'Query: {query}']¶

FORMAT_STRING_SHORT_PIECES = ['{sequence_number}', '{username}', '{database_name}', '{query}']¶

SOURCE_LONG = 'PL/SQL Developer Recall file'¶

SOURCE_SHORT = 'PLSRecall'¶

plaso.formatters.popcontest module¶

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = 'popularity_contest:log:event'¶

FORMAT_STRING_PIECES = ['mru [{mru}]', 'package [{package}]', 'tag [{record_tag}]']¶

FORMAT_STRING_SHORT_PIECES = ['{mru}']¶

SOURCE_LONG = 'Popularity Contest Log'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.popcontest.PopularityContestSessionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = 'popularity_contest:session:event'¶

FORMAT_STRING_PIECES = ['Session {session}', '{status}', 'ID {hostid}', '[{details}]']¶

FORMAT_STRING_SHORT_PIECES = ['Session {session}', '{status}']¶

SOURCE_LONG = 'Popularity Contest Session'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.recycler module¶

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = 'windows:metadata:deleted_item'¶

FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']¶

FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Recycle Bin'¶

SOURCE_SHORT = 'RECBIN'¶

plaso.formatters.safari module¶

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = 'safari:history:visit'¶

FORMAT_STRING_PIECES = ['Visited: {url}', '({title}', '- {display_title}', ')', 'Visit Count: {visit_count}']¶

SOURCE_LONG = 'Safari History'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.safari.SafariHistoryFormatterSqlite[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from Sqlite History.db

DATA_TYPE = 'safari:history:visit_sqlite'¶

FORMAT_STRING_PIECES = ['URL: {url}', 'Title: ({title})', '[count: {visit_count}]', 'http_non_get: {was_http_non_get}']¶

SOURCE_LONG = 'Safari History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.safari_cookies module¶

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = 'safari:cookie:entry'¶

FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Safari Cookies'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.sam_users module¶

The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SAM users Windows Registry event.

DATA_TYPE = 'windows:registry:sam_users'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'Username: {username}', 'Full name: {fullname}', 'Comments: {comments}', 'RID: {account_rid}', 'Login count: {login_count}']¶

FORMAT_STRING_SHORT_PIECES = ['{username}', 'RID: {account_rid}', 'Login count: {login_count}']¶

SOURCE_LONG = 'Registry Key: User Account Information'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.santa module¶

Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa disk mount event.

DATA_TYPE = 'santa:diskmount'¶

FORMAT_STRING_PIECES = ['Santa {action}', 'on ({mount})', 'serial: ({serial})', 'for ({dmg_path})']¶

FORMAT_STRING_SHORT_PIECES = ['{action}', '{volume}']¶

SOURCE_LONG = 'Santa disk mount'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.santa.SantaExecutionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa execution event.

DATA_TYPE = 'santa:execution'¶

FORMAT_STRING_PIECES = ['Santa {decision}', 'process: {process_path}', 'hash: {process_hash}']¶

FORMAT_STRING_SHORT_PIECES = ['{decision}', 'process: {process_path}']¶

SOURCE_LONG = 'Santa Execution'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.santa.SantaFileSystemFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa file system event.

DATA_TYPE = 'santa:file_system_event'¶

FORMAT_STRING_PIECES = ['Santa {action} event', '{file_path}', 'by process: {process_path}']¶

FORMAT_STRING_SHORT_PIECES = ['File {action}', 'on: {file_path}']¶

SOURCE_LONG = 'Santa FSEvent'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.sccm module¶

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = 'software_management:sccm:log'¶

FORMAT_STRING_PIECES = ['{component}', '{text}']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT_PIECES = ['{text}']¶

SOURCE_LONG = 'SCCM Event'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.selinux module¶

The selinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a selinux log file event.

DATA_TYPE = 'selinux:line'¶

FORMAT_STRING_PIECES = ['[', 'audit_type: {audit_type}', ', pid: {pid}', ']', ' {body}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'Audit log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.shell_items module¶

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = 'windows:shell_item:file_entry'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']¶

FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'File entry shell item'¶

SOURCE_SHORT = 'FILE'¶

plaso.formatters.shutdown module¶

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = 'windows:registry:shutdown'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'Description: {value_name}']¶

FORMAT_STRING_SHORT_PIECES = ['{value_name}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key Shutdown Entry'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.skydrivelog module¶

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = 'skydrive:log:line'¶

FORMAT_STRING_PIECES = ['[{module}', '{source_code}', '{log_level}]', '{detail}']¶

FORMAT_STRING_SHORT_PIECES = ['{detail}']¶

SOURCE_LONG = 'SkyDrive Log File'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = 'skydrive:log:old:line'¶

FORMAT_STRING_PIECES = ['[{source_code}]', '({log_level})', '{text}']¶

FORMAT_STRING_SHORT_PIECES = ['{text}']¶

SOURCE_LONG = 'SkyDrive Log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.skype module¶

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = 'skype:event:account'¶

FORMAT_STRING_PIECES = ['{username}', '[{email}]', 'Country: {country}']¶

SOURCE_LONG = 'Skype Account'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.skype.SkypeCallFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = 'skype:event:call'¶

FORMAT_STRING_PIECES = ['From: {src_call}', 'To: {dst_call}', '[{call_type}]']¶

SOURCE_LONG = 'Skype Call'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.skype.SkypeChatFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = 'skype:event:chat'¶

FORMAT_STRING_PIECES = ['From: {from_account}', 'To: {to_account}', '[{title}]', 'Message: [{text}]']¶

FORMAT_STRING_SHORT_PIECES = ['From: {from_account}', 'To: {to_account}']¶

SOURCE_LONG = 'Skype Chat MSG'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.skype.SkypeSMSFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = 'skype:event:sms'¶

FORMAT_STRING_PIECES = ['To: {number}', '[{text}]']¶

SOURCE_LONG = 'Skype SMS'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.skype.SkypeTransferFileFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = 'skype:event:transferfile'¶

FORMAT_STRING_PIECES = ['Source: {source}', 'Destination: {destination}', 'File: {transferred_filename}', '[{action_type}]']¶

SOURCE_LONG = 'Skype Transfer Files'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.sophos_av module¶

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = 'sophos:av:log'¶

FORMAT_STRING_PIECES = ['{text}']¶

SOURCE_LONG = 'Sophos Anti-Virus log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.srum module¶

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = 'windows:srum:application_usage'¶

FORMAT_STRING_PIECES = ['Application: {application}']¶

FORMAT_STRING_SHORT_PIECES = ['{application}']¶

class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = 'windows:srum:network_connectivity'¶

FORMAT_STRING_PIECES = ['Application: {application}']¶

FORMAT_STRING_SHORT_PIECES = ['{application}']¶

class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = 'windows:srum:network_usage'¶

FORMAT_STRING_PIECES = ['Application: {application}', 'Bytes received: {bytes_received}', 'Bytes sent: {bytes_sent}', 'Interface LUID: {interface_luid}', 'User identifier: {user_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['{application}']¶

plaso.formatters.ssh module¶

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = 'syslog:ssh:failed_connection'¶

FORMAT_STRING_PIECES = ['Unsuccessful connection of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']¶

FORMAT_STRING_SEPARATOR = ''¶

FORMAT_STRING_SHORT = '{body}'¶

SOURCE_LONG = 'SSH log'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.ssh.SSHLoginEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = 'syslog:ssh:login'¶

FORMAT_STRING_PIECES = ['Successful login of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']¶

FORMAT_STRING_SEPARATOR = ''¶

FORMAT_STRING_SHORT = '{body}'¶

SOURCE_LONG = 'SSH log'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = 'syslog:ssh:opened_connection'¶

FORMAT_STRING_PIECES = ['Connection opened {address}:', '{port}', 'ssh pid: {pid}']¶

FORMAT_STRING_SEPARATOR = ''¶

FORMAT_STRING_SHORT = '{body}'¶

SOURCE_LONG = 'SSH log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.symantec module¶

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {'1': 'Quarantined', '10': 'Renamed backup file', '11': 'Undo action in Quarantine View', '12': 'Write protected or lack of permissions - Unable to act on file', '13': 'Backed up file', '2': 'Renamed', '3': 'Deleted', '4': 'Left alone', '5': 'Cleaned', '6': 'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', '7': 'Saved file as...', '8': 'Sent to Intel (AMS)', '9': 'Moved to backup location'}¶

ACTION_1_2_NAMES = {'1': 'Quarantine infected file', '2': 'Rename infected file', '3': 'Delete infected file', '4': 'Leave alone (log only)', '5': 'Clean virus from file', '6': 'Clean or delete macros'}¶

CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY', '3': 'GL_CAT_PATTERN', '4': 'GL_CAT_SECURITY'}¶

DATA_TYPE = 'av:symantec:scanlog'¶

EVENT_NAMES = {'1': 'GL_EVENT_IS_ALERT', '10': 'GL_EVENT_CHECKSUM', '11': 'GL_EVENT_TRAP', '12': 'GL_EVENT_CONFIG_CHANGE', '13': 'GL_EVENT_SHUTDOWN', '14': 'GL_EVENT_STARTUP', '16': 'GL_EVENT_PATTERN_DOWNLOAD', '17': 'GL_EVENT_TOO_MANY_VIRUSES', '18': 'GL_EVENT_FWD_TO_QSERVER', '19': 'GL_EVENT_SCANDLVR', '2': 'GL_EVENT_SCAN_STOP', '20': 'GL_EVENT_BACKUP', '21': 'GL_EVENT_SCAN_ABORT', '22': 'GL_EVENT_RTS_LOAD_ERROR', '23': 'GL_EVENT_RTS_LOAD', '24': 'GL_EVENT_RTS_UNLOAD', '25': 'GL_EVENT_REMOVE_CLIENT', '26': 'GL_EVENT_SCAN_DELAYED', '27': 'GL_EVENT_SCAN_RESTART', '28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', '29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', '3': 'GL_EVENT_SCAN_START', '30': 'GL_EVENT_LICENSE_WARNING', '31': 'GL_EVENT_LICENSE_ERROR', '32': 'GL_EVENT_LICENSE_GRACE', '33': 'GL_EVENT_UNAUTHORIZED_COMM', '34': 'GL_EVENT_LOG_FWD_THRD_ERR', '35': 'GL_EVENT_LICENSE_INSTALLED', '36': 'GL_EVENT_LICENSE_ALLOCATED', '37': 'GL_EVENT_LICENSE_OK', '38': 'GL_EVENT_LICENSE_DEALLOCATED', '39': 'GL_EVENT_BAD_DEFS_ROLLBACK', '4': 'GL_EVENT_PATTERN_UPDATE', '40': 'GL_EVENT_BAD_DEFS_UNPROTECTED', '41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', '42': 'GL_EVENT_RTS_ERROR', '43': 'GL_EVENT_COMPLIANCE_FAIL', '44': 'GL_EVENT_COMPLIANCE_SUCCESS', '45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', '46': 'GL_EVENT_ANOMALY_START', '47': 'GL_EVENT_DETECTION_ACTION_TAKEN', '48': 'GL_EVENT_REMEDIATION_ACTION_PENDING', '49': 'GL_EVENT_REMEDIATION_ACTION_FAILED', '5': 'GL_EVENT_INFECTION', '50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', '51': 'GL_EVENT_ANOMALY_FINISH', '52': 'GL_EVENT_COMMS_LOGIN_FAILED', '53': 'GL_EVENT_COMMS_LOGIN_SUCCESS', '54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM', '55': 'GL_EVENT_CLIENT_INSTALL_AV', '56': 'GL_EVENT_CLIENT_INSTALL_FW', '57': 'GL_EVENT_CLIENT_UNINSTALL', '58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', '59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', '6': 'GL_EVENT_FILE_NOT_OPEN', '60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE', '61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', '62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', '63': 'GL_EVENT_CLIENT_CHECKIN', '64': 'GL_EVENT_CLIENT_NO_CHECKIN', '65': 'GL_EVENT_SCAN_SUSPENDED', '66': 'GL_EVENT_SCAN_RESUMED', '67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT', '68': 'GL_EVENT_CLIENT_MOVE', '69': 'GL_EVENT_SCAN_FAILED_ENHANCED', '7': 'GL_EVENT_LOAD_PATTERN', '70': 'GL_EVENT_MAX_event_name', '71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', '72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', '73': 'GL_EVENT_LOAD_ERROR_COH', '74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS', '75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', '76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', '77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN', '8': 'GL_STD_MESSAGE_INFO', '9': 'GL_STD_MESSAGE_ERROR'}¶

FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']¶

FORMAT_STRING_SEPARATOR = '; '¶

FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Symantec AV Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.syslog module¶

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment

DATA_TYPE = 'syslog:comment'¶

FORMAT_STRING_PIECES = ['{body}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'Log File'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.syslog.SyslogLineFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = 'syslog:line'¶

FORMAT_STRING_PIECES = ['{severity} ', '[', '{reporter}', ', pid: {pid}', '] {body}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'Log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.systemd_journal module¶

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter[source]¶

Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Formatter for a Systemd journal dirty event.

DATA_TYPE = 'systemd:journal:dirty'¶

SOURCE_LONG = 'systemd-journal-dirty'¶

class plaso.formatters.systemd_journal.SystemdJournalEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = 'systemd:journal'¶

FORMAT_STRING_PIECES = ['{hostname} ', '[', '{reporter}', ', pid: {pid}', '] {body}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'systemd-journal'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.tango_android module¶

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = 'tango:android:contact'¶

FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']¶

FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Contact'¶

SOURCE_SHORT = 'Tango Android'¶

class plaso.formatters.tango_android.TangoAndroidConversationFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android conversation event formatter.

DATA_TYPE = 'tango:android:conversation'¶

FORMAT_STRING_PIECES = ['Conversation ({conversation_identifier})']¶

FORMAT_STRING_SHORT_PIECES = ['Conversation ({conversation_identifier})']¶

SOURCE_LONG = 'Tango Android Conversation'¶

SOURCE_SHORT = 'Tango Android'¶

class plaso.formatters.tango_android.TangoAndroidMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = 'tango:android:message'¶

FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']¶

FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Message'¶

SOURCE_SHORT = 'Tango Android'¶

plaso.formatters.task_scheduler module¶

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = 'task_scheduler:task_cache:entry'¶

FORMAT_STRING_PIECES = ['Task: {task_name}', '[Identifier: {task_identifier}]']¶

FORMAT_STRING_SHORT_PIECES = ['Task: {task_name}']¶

SOURCE_LONG = 'Task Cache'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.text module¶

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = 'text:entry'¶

FORMAT_STRING = '{text}'¶

SOURCE_LONG = 'Text File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.trendmicroav module¶

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:scan'¶

FORMAT_STRING_PIECES = ['Path: {path}', 'File name: {filename}', '{threat}', ': {action}', '({scan_type})']¶

FORMAT_STRING_SHORT_PIECES = ['{path}', '{filename}', '{action}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'¶

SOURCE_SHORT = 'LOG'¶

VALUE_FORMATTERS = {'action': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>, 'scan_type': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>}¶

class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter[source]¶

Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:webrep'¶

FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']¶

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'¶

SOURCE_SHORT = 'LOG'¶

VALUE_FORMATTERS = {'block_mode': <function OfficeScanWebReputationLogEventFormatter.<lambda>>}¶

plaso.formatters.twitter_android module¶

Twitter on android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android contact event formatter.

DATA_TYPE = 'twitter:android:contact'¶

FORMAT_STRING_PIECES = ['Screen name: {username}', 'Profile picture URL: {image_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {web_url}', 'Number of followers: {followers}', 'Number of following: {friend}', 'Number of tweets: {statuses}']¶

FORMAT_STRING_SHORT_PIECES = ['Screen name: {username}', 'Description: {description}', 'URL: {web_url}']¶

SOURCE_LONG = 'Twitter Android Contacts'¶

SOURCE_SHORT = 'Twitter Android'¶

class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android search event formatter.

DATA_TYPE = 'twitter:android:search'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'Query: {search_query}']¶

FORMAT_STRING_SHORT_PIECES = ['Query: {search_query}']¶

SOURCE_LONG = 'Twitter Android Search'¶

SOURCE_SHORT = 'Twitter Android'¶

class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android status event formatter.

DATA_TYPE = 'twitter:android:status'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter Android Status'¶

SOURCE_SHORT = 'Twitter Android'¶

plaso.formatters.twitter_ios module¶

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = 'twitter:ios:contact'¶

FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']¶

FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Contacts'¶

SOURCE_SHORT = 'Twitter iOS'¶

class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = 'twitter:ios:status'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']¶

FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Status'¶

SOURCE_SHORT = 'Twitter iOS'¶

plaso.formatters.userassist module¶

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UserAssist Windows Registry event.

DATA_TYPE = 'windows:registry:userassist'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'UserAssist entry: {entry_index}', 'Value name: {value_name}', 'Count: {number_of_executions}', 'Application focus count: {application_focus_count}', 'Application focus duration: {application_focus_duration}']¶

FORMAT_STRING_SHORT_PIECES = ['{value_name}', 'Count: {number_of_executions}']¶

SOURCE_LONG = 'Registry Key: UserAssist'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.utmp module¶

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = 'linux:utmp:event'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMP session'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.utmpx module¶

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = 'mac:utmpx:event'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMPX session'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.windows module¶

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = 'windows:distributed_link_tracking:creation'¶

FORMAT_STRING_PIECES = ['{uuid}', 'MAC address: {mac_address}', 'Origin: {origin}']¶

FORMAT_STRING_SHORT_PIECES = ['{uuid}', 'Origin: {origin}']¶

SOURCE_LONG = 'System'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.windows.WindowsRegistryInstallationEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows installation event.

DATA_TYPE = 'windows:registry:installation'¶

FORMAT_STRING_PIECES = ['{product_name}', '{version}', '{service_pack}', 'Owner: owner', 'Origin: {key_path}']¶

FORMAT_STRING_SHORT_PIECES = ['{product_name}', '{version}', '{service_pack}', 'Origin: {key_path}']¶

SOURCE_LONG = 'System'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.windows.WindowsRegistryListEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows list event e.g. MRU or Jump list.

DATA_TYPE = 'windows:registry:list'¶

FORMAT_STRING_PIECES = ['Key: {key_path}', 'Value: {value_name}', 'List: {list_name}', '[{list_values}]']¶

SOURCE_LONG = 'System'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows network event.

DATA_TYPE = 'windows:registry:network'¶

FORMAT_STRING_PIECES = ['SSID: {ssid}', 'Description: {description}', 'Connection Type: {connection_type}', 'Default Gateway Mac: {default_gateway_mac}', 'DNS Suffix: {dns_suffix}']¶

SOURCE_LONG = 'System: Network Connection'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.windows.WindowsVolumeCreationEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = 'windows:volume:creation'¶

FORMAT_STRING_PIECES = ['{device_path}', 'Serial number: 0x{serial_number:08X}', 'Origin: {origin}']¶

FORMAT_STRING_SHORT_PIECES = ['{device_path}', 'Origin: {origin}']¶

SOURCE_LONG = 'System'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.windows_timeline module¶

The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for generic Windows Timeline events.

DATA_TYPE = 'windows:timeline:generic'¶

FORMAT_STRING_PIECES = ['Application Display Name: {application_display_name}', 'Package Identifier: {package_identifier}', 'Description: {description}']¶

FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']¶

SOURCE_LONG = 'Windows Timeline - Generic'¶

SOURCE_SHORT = 'Windows Timeline'¶

class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for User Engaged Windows Timeline events

DATA_TYPE = 'windows:timeline:user_engaged'¶

FORMAT_STRING_PIECES = ['Package Identifier: {package_identifier}', 'Active Duration (seconds): {active_duration_seconds}', 'Reporting App: {reporting_app}']¶

FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']¶

SOURCE_LONG = 'Windows Timeline - User Engaged'¶

SOURCE_SHORT = 'Windows Timeline'¶

plaso.formatters.winevt module¶

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = 'windows:evt:record'¶

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']¶

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']¶

GetEventTypeString(event_type)[source]¶

Retrieves a string representation of the event type.

Parameters: event_type (int) – event type.
Returns: description of the event type.
Return type: str

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSeverityString(severity)[source]¶

Retrieves a string representation of the severity.

Parameters: severity (int) – severity.
Returns: description of the event severity.
Return type: str

SOURCE_LONG = 'WinEVT'¶

SOURCE_SHORT = 'EVT'¶

plaso.formatters.winevt_rc module¶

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]¶

Bases: object

Class that defines a sqlite3 database file.

Close()[source]¶

Closes the database file.

Raises: RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]¶

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)[source]¶

Determines if a specific table exists.

Parameters: table_name (str) – table name.
Returns: True if the table exists.
Return type: bool
Raises: RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]¶

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]¶

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]¶: Closes the database reader object.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]¶

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]¶

Retrieves a specific message for a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)[source]¶

Retrieves the metadata attribute.

Parameters: attribute_name (str) – name of the metadata attribute.
Returns: the metadata attribute or None.
Return type: str
Raises: RuntimeError – if more than one value is found in the database.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool
Raises: RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module¶

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = 'windows:evtx:record'¶

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']¶

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinEVTX'¶

SOURCE_SHORT = 'EVT'¶

plaso.formatters.winfirewall module¶

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = 'windows:firewall:log_entry'¶

FORMAT_STRING_PIECES = ['{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}', ':{source_port}', '>', '{dest_ip}', ':{dest_port}', 'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}', 'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}', 'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}', 'Additional info: {info}']¶

FORMAT_STRING_SHORT_PIECES = ['{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>', '{dest_ip}', ': {dest_port}']¶

SOURCE_LONG = 'Windows Firewall Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.winjob module¶

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = 'windows:tasks:job'¶

FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Scheduled Task Job'¶

SOURCE_SHORT = 'JOB'¶

plaso.formatters.winlnk module¶

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = 'windows:lnk:link'¶

FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']¶

FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Shortcut'¶

SOURCE_SHORT = 'LNK'¶

plaso.formatters.winprefetch module¶

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = 'windows:prefetch:execution'¶

FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path: {path}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']¶

FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinPrefetch'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.winreg module¶

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = 'windows:registry:key_value'¶

FORMAT_STRING = '[{key_path}] {text}'¶

FORMAT_STRING_ALTERNATIVE = '{text}'¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.winregservice module¶

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.winregservice.WinRegistryServiceFormatter[source]¶

Bases: plaso.formatters.winreg.WinRegistryGenericFormatter

Formatter for a Windows service event.

DATA_TYPE = 'windows:registry:service'¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

plaso.formatters.winrestore module¶

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Windows Restore Point information event.

DATA_TYPE = 'windows:restore_point:info'¶

FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{description}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Restore Point'¶

SOURCE_SHORT = 'RP'¶

plaso.formatters.xchatlog module¶

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = 'xchat:log:line'¶

FORMAT_STRING_PIECES = ['[nickname: {nickname}]', '{text}']¶

SOURCE_LONG = 'XChat Log File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.xchatscrollback module¶

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = 'xchat:scrollback:line'¶

FORMAT_STRING_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']¶

FORMAT_STRING_SEPARATOR = ''¶

SOURCE_LONG = 'XChat Scrollback File'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.zeitgeist module¶

The Zeitgeist event formatter.

class plaso.formatters.zeitgeist.ZeitgeistFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Zeitgeist activity database event.

DATA_TYPE = 'zeitgeist:activity'¶

FORMAT_STRING = '{subject_uri}'¶

SOURCE_LONG = 'Zeitgeist activity log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.zsh_extended_history module¶

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = 'shell:zsh:history'¶

FORMAT_STRING_PIECES = ['{command}', 'Time elapsed: {elapsed_seconds} seconds']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT_PIECES = ['{command}']¶

SOURCE_LONG = 'Zsh Extended History'¶

SOURCE_SHORT = 'HIST'¶

Module contents¶

This file contains an import statement for each formatter.

plaso.lib package¶

Submodules¶

plaso.lib.bufferlib module¶

Circular buffer for storing event objects.

class plaso.lib.bufferlib.CircularBuffer(size)[source]¶

Bases: object

Class that defines a circular buffer for storing event objects.

Append(item)[source]¶

Add an item to the list.

Parameters: item (object) – item.

Clear()[source]¶: Removes all elements from the list.

Flush()[source]¶: Returns a generator for all items and clear the buffer.

GetCurrent()[source]¶

Retrieves the current item that index points to.

Returns: item.
Return type: object

__iter__()[source]¶: Return all elements from the list.

__len__()[source]¶: Return the length (the fixed size).

size¶

number of elements in the buffer.

Type: int

plaso.lib.decorators module¶

Function decorators.

plaso.lib.decorators.deprecated(function)[source]¶: Decorator to mark functions or methods as deprecated.

plaso.lib.definitions module¶

The definitions.

plaso.lib.errors module¶

This file contains the error classes.

exception plaso.lib.errors.BadConfigObject[source]¶

Bases: plaso.lib.errors.Error

Raised when the configuration object is of the wrong type.

exception plaso.lib.errors.BadConfigOption[source]¶

Bases: plaso.lib.errors.Error

Raised when a faulty configuration option is encountered.

exception plaso.lib.errors.ConnectionError[source]¶

Bases: plaso.lib.errors.Error

Error connecting to a service.

exception plaso.lib.errors.Error[source]¶

Bases: Exception

Base error class.

exception plaso.lib.errors.InvalidEvent[source]¶

Bases: plaso.lib.errors.Error

Error indicating an event is malformed.

exception plaso.lib.errors.InvalidFilter[source]¶

Bases: plaso.lib.errors.Error

Error indicating an invalid filter was specified.

exception plaso.lib.errors.InvalidNumberOfOperands[source]¶

Bases: plaso.lib.errors.Error

The number of operands provided to an objectfilter operator is wrong.

exception plaso.lib.errors.MalformedPresetError[source]¶

Bases: plaso.lib.errors.Error

Raised when a parser preset definition is malformed.

exception plaso.lib.errors.MaximumRecursionDepth[source]¶

Bases: plaso.lib.errors.Error

Raised when the maximum recursion depth is reached.

exception plaso.lib.errors.NoFormatterFound[source]¶

Bases: plaso.lib.errors.Error

Raised when no formatter is found for a particular event object.

exception plaso.lib.errors.ParseError[source]¶

Bases: plaso.lib.errors.Error

Raised when a parse error occurred.

exception plaso.lib.errors.PreProcessFail[source]¶

Bases: plaso.lib.errors.Error

Raised when a preprocess module is unable to gather information.

exception plaso.lib.errors.QueueAlreadyClosed[source]¶

Bases: plaso.lib.errors.Error

Raised when an attempt is made to close a queue that is already closed.

exception plaso.lib.errors.QueueAlreadyStarted[source]¶

Bases: plaso.lib.errors.Error

Raised when an attempt is made to start queue that is already started.

exception plaso.lib.errors.QueueClose[source]¶

Bases: plaso.lib.errors.Error

Class that implements a queue close exception.

exception plaso.lib.errors.QueueEmpty[source]¶

Bases: plaso.lib.errors.Error

Class that implements a queue empty exception.

exception plaso.lib.errors.QueueFull[source]¶

Bases: plaso.lib.errors.Error

Class that implements a queue full exception.

exception plaso.lib.errors.SerializationError[source]¶

Bases: plaso.lib.errors.Error

Class that defines serialization errors.

exception plaso.lib.errors.SourceScannerError[source]¶

Bases: plaso.lib.errors.Error

Class that defines source scanner errors.

exception plaso.lib.errors.TaggingFileError[source]¶

Bases: plaso.lib.errors.Error

Raised when the tagging file is invalid.

exception plaso.lib.errors.TimestampError[source]¶

Bases: plaso.lib.errors.Error

Class that defines timestamp errors.

exception plaso.lib.errors.UnableToLoadRegistryHelper[source]¶

Bases: plaso.lib.errors.Error

Raised when unable to load a Registry helper object.

exception plaso.lib.errors.UnableToParseFile[source]¶

Bases: plaso.lib.errors.Error

Raised when a parser is not designed to parse a file.

exception plaso.lib.errors.UserAbort[source]¶

Bases: plaso.lib.errors.Error

Class that defines an user initiated abort exception.

exception plaso.lib.errors.WrongBencodePlugin[source]¶

Bases: plaso.lib.errors.Error

Error reporting wrong bencode plugin used.

exception plaso.lib.errors.WrongCompoundZIPPlugin[source]¶

Bases: plaso.lib.errors.Error

Error reporting wrong compound ZIP plugin used.

exception plaso.lib.errors.WrongFormatter[source]¶

Bases: plaso.lib.errors.Error

Raised when the formatter is not applicable for a particular event.

exception plaso.lib.errors.WrongPlistPlugin[source]¶

Bases: plaso.lib.errors.Error

Error reporting wrong plist plugin used.

exception plaso.lib.errors.WrongPlugin[source]¶

Bases: plaso.lib.errors.Error

Raised when the plugin is of the wrong type.

exception plaso.lib.errors.WrongQueueType[source]¶

Bases: plaso.lib.errors.Error

Raised when an unsupported operation is attempted on a queue.

For example, attempting to Pop from a Push-only queue.

plaso.lib.line_reader_file module¶

Binary line reader file-like object.

class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)[source]¶

Bases: object

Basic reader for delimiter separated text files of unknown encoding.

This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.

__iter__()[source]¶

Iterates over delimiter separates values.

Yields: list(bytes) – lines of encoded bytes.

class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'n')[source]¶

Bases: object

Line reader for binary file-like objects.

end_of_line¶

byte sequence that separates lines from each other.

Type: bytes

MAXIMUM_READ_BUFFER_SIZE = 16777216¶

__enter__()[source]¶: Enters a with statement.

__exit__(exception_type, value, traceback)[source]¶: Exits a with statement.

__iter__()[source]¶

Returns a line of text.

Yields: bytes – line of text.

readline(size=None)[source]¶

Reads a single line of text.

The functions reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.

Parameters: size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.
Returns: line of text.
Return type: bytes
Raises: ValueError – if the specified size is less than zero or greater than the maximum size allowed.

readlines(sizehint=None)[source]¶

Reads lines of text.

The function reads until EOF using readline() and return a list containing the lines read.

Parameters: sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.
Returns: lines of text.
Return type: list[bytes]

tell()[source]¶

Retrieves the current offset into the file-like object.

Returns: current offset into the file-like object.
Return type: int

plaso.lib.loggers module¶

Logging related classes and functions.

class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')[source]¶

Bases: logging.FileHandler

Compressed file handler for logging.

plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)[source]¶

Configures the logging root logger.

Parameters

debug_output (Optional[bool]) – True if the logging should include debug output.
filename (Optional[str]) – log filename.
mode (Optional[str]) – log file access mode.
quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.

plaso.lib.plist module¶

The plist file object.

class plaso.lib.plist.PlistFile[source]¶

Bases: object

Class that defines a plist file.

root_key¶

the plist root key.

Type: dict

GetValueByPath(path_segments)[source]¶

Retrieves a plist value by path.

Parameters: path_segments (list[str]) – path segment strings relative to the root of the plist.
Returns: The value of the key specified by the path or None.
Return type: object

Read(file_object)[source]¶

Reads a plist from a file-like object.

Parameters

file_object (dfvfs.FileIO) – a file-like object containing plist data.

Raises

IOError – if the plist file-like object cannot be read.
OSError – if the plist file-like object cannot be read.

plaso.lib.py2to3 module¶

The Python 2 and 3 compatible type definitions.

plaso.lib.specification module¶

The format specification classes.

class plaso.lib.specification.FormatSpecification(identifier, text_format=False)[source]¶

Bases: object

The format specification.

AddNewSignature(pattern, offset=None)[source]¶

Adds a signature.

Parameters

pattern (bytes) – pattern of the signature.
offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative from the start of the data a negative offset is relative from the end of the data.

IsTextFormat()[source]¶

Determines if the format is a text format.

Returns: True if the format is a text format, False otherwise.
Return type: bool

class plaso.lib.specification.FormatSpecificationStore[source]¶

Bases: object

The store for format specifications.

AddNewSpecification(identifier)[source]¶

Adds a new format specification.

Parameters: identifier (str) – format identifier, which should be unique for the store.
Returns: format specification.
Return type: FormatSpecification
Raises: KeyError – if the store already contains a specification with the same identifier.

AddSpecification(specification)[source]¶

Adds a format specification.

Parameters: specification (FormatSpecification) – format specification.
Raises: KeyError – if the store already contains a specification with the same identifier.

GetSpecificationBySignature(signature_identifier)[source]¶

Retrieves a specification mapped to a signature identifier.

Parameters

signature_identifier (str) – unique signature identifier for a specification store.

Returns

format specification or None if the signature: identifier does not exist within the specification store.

Return type

FormatSpecification

specifications¶

specifications iterator.

Type: iterator

class plaso.lib.specification.Signature(pattern, offset=None)[source]¶

Bases: object

The format specification signature.

The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

SetIdentifier(identifier)[source]¶

Sets the identifier of the signature in the specification store.

Parameters: identifier (str) – unique signature identifier for a specification store.

plaso.lib.timelib module¶

Time manipulation functions and variables.

This module contain common methods that can be used to convert timestamps from various formats into number of micro seconds since January 1, 1970, 00:00:00 UTC that is used internally to store timestamps.

It also contains various functions to represent timestamps in a more human readable form.

plaso.lib.timelib.GetCurrentYear()[source]¶: Determines the current year.

plaso.lib.timelib.GetYearFromPosixTime(posix_time, timezone=<Mock id='140383575869424'>)[source]¶

Gets the year from a POSIX timestamp

The POSIX time is the number of seconds since 1970-01-01 00:00:00 UTC.

Parameters

posix_time – An integer containing the number of seconds since 1970-01-01 00:00:00 UTC.
timezone – Optional timezone of the POSIX timestamp.

Returns

The year of the POSIX timestamp.

Raises

ValueError – If the posix timestamp is out of the range of supported values.

class plaso.lib.timelib.Timestamp[source]¶

Bases: object

Class for converting timestamps to Plaso timestamps.

The Plaso timestamp is a 64-bit signed timestamp value containing: micro seconds since 1970-01-01 00:00:00.

The timestamp is not necessarily in UTC.

classmethod CopyFromString(time_string)[source]¶

Copies a timestamp from a string containing a date and time value.

Parameters: time_string – A string containing a date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:## Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.
Returns: The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC.
Raises: ValueError – if the time string is invalid or not supported.

classmethod CopyToDatetime(timestamp, timezone, raise_error=False)[source]¶

Copies the timestamp to a datetime object.

Parameters

timestamp – The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC.
timezone – The timezone (pytz.timezone) object.
raise_error – Boolean that if set to True will not absorb an OverflowError if the timestamp is out of bounds. By default there will be no error raised.

Returns

A datetime object (instance of datetime.datetime). A datetime object of January 1, 1970 00:00:00 UTC is returned on error if raises_error is not set.

Raises

OverflowError – If raises_error is set to True and an overflow error occurs.
ValueError – If raises_error is set to True and no timestamp value is provided.

classmethod CopyToIsoFormat(timestamp, timezone=<Mock id='140383575868808'>, raise_error=False)[source]¶

Copies the timestamp to an ISO 8601 formatted string.

Parameters

timestamp – The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC.
timezone – Optional timezone (instance of pytz.timezone).
raise_error – Boolean that if set to True will not absorb an OverflowError if the timestamp is out of bounds. By default there will be no error raised.

Returns

A string containing an ISO 8601 formatted date and time.

classmethod FromTimeString(time_string, dayfirst=False, gmt_as_timezone=True, timezone=<Mock id='140383575868920'>)[source]¶

Converts a string containing a date and time value into a timestamp.

Parameters

time_string – String that contains a date and time value.
dayfirst – An optional boolean argument. If set to true then the parser will change the precedence in which it parses timestamps from MM-DD-YYYY to DD-MM-YYYY (and YYYY-MM-DD will be YYYY-DD-MM, etc).
gmt_as_timezone – Sometimes the dateutil parser will interpret GMT and UTC the same way, that is not make a distinction. By default this is set to true, that is GMT can be interpreted differently than UTC. If that is not the expected result this attribute can be set to false.
timezone – Optional timezone object (instance of pytz.timezone) that the data and time value in the string represents. This value is used when the timezone cannot be determined from the string.

Returns

The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC or 0 on error.

Raises

TimestampError – if the time string could not be parsed.

classmethod GetNow()[source]¶

Retrieves the current time (now) as a timestamp in UTC.

Returns: The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC.

classmethod LocaltimeToUTC(timestamp, timezone, is_dst=False)[source]¶

Converts the timestamp in localtime of the timezone to UTC.

Parameters

timestamp – The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC.
timezone – The timezone (pytz.timezone) object.
is_dst – A boolean to indicate the timestamp is corrected for daylight savings time (DST) only used for the DST transition period.

Returns

The timestamp which is an integer containing the number of micro seconds since January 1, 1970, 00:00:00 UTC or 0 on error.

NONE_TIMESTAMP = 0¶

classmethod RoundToSeconds(timestamp)[source]¶: Takes a timestamp value and rounds it to a second precision.

Module contents¶

plaso.multi_processing package¶

Submodules¶

plaso.multi_processing.analysis_process module¶

plaso.multi_processing.base_process module¶

Base class for a process used in multi-processing.

class plaso.multi_processing.base_process.MultiProcessBaseProcess(processing_configuration, enable_sigsegv_handler=False, **kwargs)[source]¶

Bases: multiprocessing.context.Process

Multi-processing process interface.

rpc_port¶

port number of the process status RPC server.

Type: int

SignalAbort()[source]¶: Signals the process to abort.

name¶

process name.

Type: str

run()[source]¶: Runs the process.

plaso.multi_processing.engine module¶

plaso.multi_processing.logger module¶

The multi-processing sub module logger.

plaso.multi_processing.multi_process_queue module¶

A multiprocessing-backed queue.

class plaso.multi_processing.multi_process_queue.MultiProcessingQueue(maximum_number_of_queued_items=0, timeout=None)[source]¶

Bases: plaso.engine.plaso_queue.Queue

Multi-processing queue.

Close(abort=False)[source]¶

Closes the queue.

This needs to be called from any process or thread putting items onto the queue.

Parameters: abort (Optional[bool]) – True if the close was issued on abort.

Empty()[source]¶: Empties the queue.

IsEmpty()[source]¶: Determines if the queue is empty.

Open()[source]¶: Opens the queue.

PopItem()[source]¶

Pops an item off the queue.

Returns

item from the queue.

Return type

object

Raises

QueueClose – if the queue has already been closed.
QueueEmpty – if no item could be retrieved from the queue within the specified timeout.

PushItem(item, block=True)[source]¶

Pushes an item onto the queue.

Parameters

item (object) – item to add.
block (Optional[bool]) – True to block the process when the queue is full.

Raises

QueueFull – if the item could not be pushed the queue because it’s full.

plaso.multi_processing.plaso_xmlrpc module¶

XML RPC server and client.

class plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer(callback)[source]¶

Bases: plaso.multi_processing.rpc.RPCServer

Threaded XML RPC server.

Start(hostname, port)[source]¶

Starts the process status RPC server.

Parameters

hostname (str) – hostname or IP address to connect to for requests.
port (int) – port to connect to for requests.

Returns

True if the RPC server was successfully started.

Return type

bool

Stop()[source]¶: Stops the process status RPC server.

class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCClient[source]¶

Bases: plaso.multi_processing.plaso_xmlrpc.XMLRPCClient

XML process status RPC client.

class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCServer(callback)[source]¶

Bases: plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer

XML process status threaded RPC server.

class plaso.multi_processing.plaso_xmlrpc.XMLRPCClient[source]¶

Bases: plaso.multi_processing.rpc.RPCClient

XML RPC client.

CallFunction()[source]¶: Calls the function via RPC.

Close()[source]¶: Closes the RPC communication channel to the server.

Open(hostname, port)[source]¶

Opens a RPC communication channel to the server.

Parameters

hostname (str) – hostname or IP address to connect to for requests.
port (int) – port to connect to for requests.

Returns

True if the communication channel was established.

Return type

bool

plaso.multi_processing.psort module¶

plaso.multi_processing.rpc module¶

The RPC client and server interface.

class plaso.multi_processing.rpc.RPCClient[source]¶

Bases: object

RPC client interface.

CallFunction()[source]¶: Calls the function via RPC.

Close()[source]¶: Closes the RPC communication channel to the server.

Open(hostname, port)[source]¶

Opens a RPC communication channel to the server.

Parameters

hostname (str) – hostname or IP address to connect to for requests.
port (int) – port to connect to for requests.

Returns

True if the communication channel was established.

Return type

bool

class plaso.multi_processing.rpc.RPCServer(callback)[source]¶

Bases: object

RPC server interface.

Start(hostname, port)[source]¶

Starts the RPC server.

Parameters

hostname (str) – hostname or IP address to connect to for requests.
port (int) – port to connect to for requests.

Returns

True if the RPC server was successfully started.

Return type

bool

Stop()[source]¶: Stops the RPC server.

plaso.multi_processing.task_engine module¶

plaso.multi_processing.task_manager module¶

The task manager.

class plaso.multi_processing.task_manager.TaskManager[source]¶

Bases: object

Manages tasks and tracks their completion and status.

A task being tracked by the manager must be in exactly one of the following states:

abandoned: a task assumed to be abandoned because a tasks that has been
queued or was processing exceeds the maximum inactive time.
merging: a task that is being merged by the engine.
pending_merge: the task has been processed and is ready to be merged with
the session storage.
processed: a worker has completed processing the task, but it is not ready
to be merged into the session storage.
processing: a worker is processing the task.
queued: the task is waiting for a worker to start processing it. It is also
possible that a worker has already completed the task, but no status update was collected from the worker while it processed the task.

Once the engine reports that a task is completely merged, it is removed from the task manager.

Tasks are considered “pending” when there is more work that needs to be done to complete these tasks. Pending applies to tasks that are: * not abandoned; * abandoned, but need to be retried.

Abandoned tasks without corresponding retry tasks are considered “failed” when the foreman is done processing.

CheckTaskToMerge(task)[source]¶

Checks if the task should be merged.

Parameters: task (Task) – task.
Returns: True if the task should be merged.
Return type: bool
Raises: KeyError – if the task was not queued, processing or abandoned.

CompleteTask(task)[source]¶

Completes a task.

The task is complete and can be removed from the task manager.

Parameters: task (Task) – task.
Raises: KeyError – if the task was not merging.

CreateRetryTask()[source]¶

Creates a task that to retry a previously abandoned task.

Returns

a task that was abandoned but should be retried or None if there are: no abandoned tasks that should be retried.

Return type

Task

CreateTask(session_identifier)[source]¶

Creates a task.

Parameters: session_identifier (str) – the identifier of the session the task is part of.
Returns: task attribute container.
Return type: Task

GetFailedTasks()[source]¶

Retrieves all failed tasks.

Failed tasks are tasks that were abandoned and have no retry task once the foreman is done processing.

Returns: tasks.
Return type: list[Task]

GetProcessedTaskByIdentifier(task_identifier)[source]¶

Retrieves a task that has been processed.

Parameters: task_identifier (str) – unique identifier of the task.
Returns: a task that has been processed.
Return type: Task
Raises: KeyError – if the task was not processing, queued or abandoned.

GetStatusInformation()[source]¶

Retrieves status information about the tasks.

Returns: tasks status information.
Return type: TasksStatus

GetTaskPendingMerge(current_task)[source]¶

Retrieves the first task that is pending merge or has a higher priority.

This function will check if there is a task with a higher merge priority than the current_task being merged. If so, that task with the higher priority is returned.

Parameters

current_task (Task) – current task being merged or None if no such task.

Returns

the next task to merge or None if there is no task pending merge or: with a higher priority.

Return type

Task

HasPendingTasks()[source]¶

Determines if there are tasks running or in need of retrying.

Returns

True if there are tasks that are active, ready to be merged or: need to be retried.

Return type

bool

RemoveTask(task)[source]¶

Removes an abandoned task.

Parameters: task (Task) – task.
Raises: KeyError – if the task was not abandoned or the task was abandoned and was not retried.

SampleTaskStatus(task, status)[source]¶

Takes a sample of the status of the task for profiling.

Parameters

task (Task) – a task.
status (str) – status.

StartProfiling(configuration, identifier)[source]¶

Starts profiling.

Parameters

configuration (ProfilingConfiguration) – profiling configuration.
identifier (str) – identifier of the profiling session used to create the sample filename.

StopProfiling()[source]¶: Stops profiling.

UpdateTaskAsPendingMerge(task)[source]¶

Updates the task manager to reflect the task is ready to be merged.

Parameters: task (Task) – task.
Raises: KeyError – if the task was not queued, processing or abandoned, or the task was abandoned and has a retry task.

UpdateTaskAsProcessingByIdentifier(task_identifier)[source]¶

Updates the task manager to reflect the task is processing.

Parameters: task_identifier (str) – unique identifier of the task.
Raises: KeyError – if the task is not known to the task manager.

plaso.multi_processing.worker_process module¶

Module contents¶

plaso.output package¶

Submodules¶

plaso.output.dynamic module¶

Contains a formatter for a dynamic output module for plaso.

class plaso.output.dynamic.DynamicFieldsHelper(output_mediator)[source]¶

Bases: object

Helper for outputting a dynamic selection of fields.

GetFormattedField(event, event_data, event_tag, field_name)[source]¶

Formats the specified field.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
field_name (str) – name of the field.

Returns

value of the field.

Return type

str

class plaso.output.dynamic.DynamicOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Dynamic selection of fields for a separated value output format.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'¶

NAME = 'dynamic'¶

SetFieldDelimiter(field_delimiter)[source]¶

Sets the field delimiter.

Parameters: field_delimiter (str) – field delimiter.

SetFields(fields)[source]¶

Sets the fields to output.

Parameters: fields (list[str]) – names of the fields to output.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.elastic module¶

An output module that saves events to Elasticsearch.

class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Elasticsearch.

DESCRIPTION = 'Saves the events into an Elasticsearch database.'¶

NAME = 'elastic'¶

SetRawFields(raw_fields)[source]¶

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/ multi-fields.html

Parameters: raw_fields (bool) – True if raw (non-analyzed) fields should be added.

WriteHeader()[source]¶: Connects to the Elasticsearch server and creates the index.

plaso.output.interface module¶

This file contains the output module interface classes.

class plaso.output.interface.LinearOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Linear output module.

Close()[source]¶: Closes the output.

SetOutputWriter(output_writer)[source]¶

Set the output writer.

Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.output.interface.OutputModule(output_mediator)[source]¶

Bases: object

Output module interface.

Close()[source]¶: Closes the output.

DESCRIPTION = ''¶

GetMissingArguments()[source]¶

Retrieves arguments required by the module that have not been specified.

Returns

names of argument that are required by the module and have: not been specified.

Return type

list[str]

NAME = ''¶

Open()[source]¶: Opens the output.

WriteEvent(event, event_data, event_tag)[source]¶

Writes the event to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteEventEnd()[source]¶

Writes the end of an event to the output.

Can be used for post-processing or output after an individual event has been written, such as writing closing XML tags, etc.

WriteEventMACBGroup(event_macb_group)[source]¶

Writes an event MACB group to the output.

An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).

This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.

Parameters: event_macb_group (list[tuple[EventObject, EventData, EventTag]]) – group of events with identical timestamps, attributes and values.

WriteEventStart()[source]¶

Writes the start of an event to the output.

Can be used for pre-processing or output before an individual event has been written, such as writing opening XML tags, etc.

WriteFooter()[source]¶

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader()[source]¶

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

plaso.output.json_line module¶

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'¶

NAME = 'json_line'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.json_out module¶

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'¶

NAME = 'json'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteFooter()[source]¶: Writes the footer to the output.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.kml module¶

An output module that writes event with geography data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'¶

NAME = 'kml'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteFooter()[source]¶: Writes the footer to the output.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.l2t_csv module¶

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see: http://forensicswiki.org/wiki/L2T_CSV

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'¶

NAME = 'l2tcsv'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

Raises

NoFormatterFound – If no event formatter can be found to match the data type in the event data.object.

WriteEventMACBGroup(event_macb_group)[source]¶

Writes an event MACB group to the output.

Parameters: event_macb_group (list[EventObject]) – event MACB group.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.logger module¶

The output sub module logger.

plaso.output.manager module¶

Output plugin manager.

class plaso.output.manager.OutputManager[source]¶

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]¶

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters: output_class (type) – output module class.
Raises: KeyError – if output class is not set for the corresponding data type.

classmethod GetDisabledOutputClasses()[source]¶

Retrieves the disabled output classes and its associated name.

Yields: tuple[str, type] – output module name and class.

classmethod GetOutputClass(name)[source]¶

Retrieves the output class for a specific name.

Parameters

name (str) – name of the output module.

Returns

output module class.

Return type

type

Raises

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod GetOutputClasses()[source]¶

Retrieves the available output classes its associated name.

Yields: tuple[str, type] – output class name and type object.

classmethod HasOutputClass(name)[source]¶

Determines if a specific output class is registered with the manager.

Parameters: name (str) – name of the output module.
Returns: True if the output class is registered.
Return type: bool

classmethod IsLinearOutputModule(name)[source]¶

Determines if a specific output class is a linear output module.

Parameters: name (str) – name of the output module.
Returns: if the output module is linear.
Return type: True

classmethod NewOutputModule(name, output_mediator)[source]¶

Creates a new output module object for the specified output format.

Parameters

name (str) – name of the output module.
output_mediator (OutputMediator) – output mediator.

Returns

output module.

Return type

OutputModule

Raises

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod RegisterOutput(output_class, disabled=False)[source]¶

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters

output_class (type) – output module class.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]¶

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters

output_classes (list[type]) – output module classes.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

plaso.output.mediator module¶

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, formatter_mediator, fields_filter=None, preferred_encoding='utf-8')[source]¶

Bases: object

Output mediator.

fields_filter¶

filter object that indicates which fields to output.

Type: FilterObject

GetEventFormatter(event)[source]¶

Retrieves the event formatter for a specific event type.

Parameters: event (EventObject) – event.
Returns: event formatter or None.
Return type: EventFormatter

GetFormatStringAttributeNames(event_data)[source]¶

Retrieves the attribute names in the format string.

Parameters

event_data (EventData) – event data.

Returns

list containing the attribute names. If no event formatter to: match the event can be found the function returns None.

Return type

list[str]

GetFormattedMessages(event)[source]¶

Retrieves the formatted messages related to the event.

Parameters

event (EventObject) – event.

Returns

containing:

str: full message string or None if no event formatter was found. str: short message string or None if no event formatter was found.

Return type

tuple

GetFormattedSources(event, event_data)[source]¶

Retrieves the formatted sources related to the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

containing:

str: full source string or None if no event formatter was found. str: short source string or None if no event formatter was found.

Return type

tuple

GetHostname(event_data, default_hostname='-')[source]¶

Retrieves the hostname related to the event.

Parameters

event_data (EventData) – event data.
default_hostname (Optional[str]) – default hostname.

Returns

hostname.

Return type

str

GetMACBRepresentation(event, event_data)[source]¶

Retrieves the MACB representation.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

MACB representation.

Return type

str

GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]¶

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters: timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns: MACB representation.
Return type: str

GetStoredHostname()[source]¶

Retrieves the stored hostname.

Returns: hostname.
Return type: str

GetUsername(event_data, default_username='-')[source]¶

Retrieves the username related to the event.

Parameters

event_data (EventData) – event data.
default_username (Optional[str]) – default username.

Returns

username.

Return type

str

SetTimezone(timezone)[source]¶

Sets the timezone.

Parameters: timezone (str) – timezone.
Raises: ValueError – if the timezone is not supported.

encoding¶

preferred encoding.

Type: str

filter_expression¶

filter expression if a filter is set, None otherwise.

Type: str

timezone¶: The timezone.

plaso.output.mysql_4n6time module¶

Defines the output module for the MySQL database used by 4n6time.

class plaso.output.mysql_4n6time.MySQL4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Class defining the MySQL database output module for 4n6time.

Close()[source]¶

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'MySQL database output for the 4n6time tool.'¶

NAME = '4n6time_mysql'¶

Open()[source]¶

Connects to the database and creates the required tables.

Raises

IOError – if the 4n6time tables cannot be created or data not inserted in the database.
OSError – if the 4n6time tables cannot be created or data not inserted in the database.
ValueError – if no database name given.

SetCredentials(password=None, username=None)[source]¶

Sets the database credentials.

Parameters

password (Optional[str]) – password to access the database.
username (Optional[str]) – username to access the database.

SetDatabaseName(name)[source]¶

Sets the database name.

Parameters: name (str) – name of the database.

SetServerInformation(server, port)[source]¶

Sets the server information.

Parameters

server (str) – hostname or IP address of the database server.
port (int) – port number of the database server.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.null module¶

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'¶

NAME = 'null'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.rawpy module¶

Output module for the “raw” (or native) Python format.

class plaso.output.rawpy.NativePythonFormatterHelper[source]¶

Bases: object

Helper for outputting as “raw” (or native) Python.

classmethod GetFormattedEvent(event, event_data, event_tag)[source]¶

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

class plaso.output.rawpy.NativePythonOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the “raw” (or native) Python output format.

DESCRIPTION = '"raw" (or native) Python output.'¶

NAME = 'rawpy'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.shared_4n6time module¶

Shared functionality for 4n6time output modules.

class plaso.output.shared_4n6time.Shared4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Shared functionality for an 4n6time output module.

NAME = '4n6time_shared'¶

SetAppendMode(append)[source]¶

Set the append status.

Parameters: append (bool) – True if the events should be added to the database.

SetEvidence(evidence)[source]¶

Set the evidence field.

Parameters: evidence (str) – the evidence field.

SetFields(fields)[source]¶

Set the fields that will be indexed in the database.

Parameters: fields (list[str]) – a list of fields that should be indexed.

SetStatusObject(status_object)[source]¶

Set the status object.

Parameters: status_object (object) – status object provided by the 4n6time tool.

plaso.output.shared_elastic module¶

Shared code for Elasticsearch based output modules.

class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Shared functionality for an Elasticsearch output module.

Close()[source]¶

Closes connection to Elasticsearch.

Inserts any remaining buffered event documents.

NAME = 'elastic_shared'¶

SetCACertificatesPath(ca_certificates_path)[source]¶

Sets the path to the CA certificates.

Parameters: ca_certificates_path (str) – path to file containing a list of root certificates to trust.
Raises: BadConfigOption – if the CA certificates file does not exist.

SetDocumentType(document_type)[source]¶

Sets the document type.

Parameters: document_type (str) – document type.

SetFlushInterval(flush_interval)[source]¶

Set the flush interval.

Parameters: flush_interval (int) – number of events to buffer before doing a bulk insert.

SetIndexName(index_name)[source]¶

Set the index name.

Parameters: index_name (str) – name of the index.

SetPassword(password)[source]¶

Set the password.

Parameters: password (str) – password to authenticate with.

SetServerInformation(server, port)[source]¶

Set the server information.

Parameters

server (str) – IP address or hostname of the server.
port (int) – Port number of the server.

SetURLPrefix(url_prefix)[source]¶

Sets the URL prefix.

Parameters: url_prefix (str) – URL prefix.

SetUseSSL(use_ssl)[source]¶

Sets the use of ssl.

Parameters: use_ssl (bool) – enforces use of ssl.

SetUsername(username)[source]¶

Sets the username.

Parameters: username (str) – username to authenticate with.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.sqlite_4n6time module¶

Defines the output module for the SQLite database used by 4n6time.

class plaso.output.sqlite_4n6time.SQLite4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Saves the data in a SQLite database, used by the tool 4n6time.

Close()[source]¶

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'Saves the data in a SQLite database, used by the tool 4n6time.'¶

NAME = '4n6time_sqlite'¶

Open()[source]¶

Connects to the database and creates the required tables.

Raises

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if the filename is not set.

SetFilename(filename)[source]¶

Sets the filename.

Parameters: filename (str) – the filename.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.timesketch_out module¶

Timesketch output module.

class plaso.output.timesketch_out.TimesketchOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Timesketch.

Close()[source]¶

Closes the connection to TimeSketch Elasticsearch database.

Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.

DESCRIPTION = 'Create a Timesketch timeline.'¶

GetMissingArguments()[source]¶

Retrieves a list of arguments that are missing from the input.

Returns

names of arguments that are required by the module and have: not been specified.

Return type

list[str]

NAME = 'timesketch'¶

SetTimelineName(timeline_name)[source]¶

Sets the timeline name.

Parameters: timeline_name (str) – timeline name.

SetTimelineOwner(username)[source]¶

Sets the username of the user that should own the timeline.

Parameters: username (str) – username.

WriteHeader()[source]¶

Sets up the Elasticsearch index and the Timesketch database object.

Creates the Elasticsearch index with Timesketch specific settings and the Timesketch SearchIndex database object.

plaso.output.tln module¶

Output module for the TLN format.

For documentation on the TLN format see: http://forensicswiki.org/wiki/TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)[source]¶

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced log2timeline 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data. * TZ - L2T 0.65 field. Timezone of the event. * Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'¶

NAME = 'l2ttln'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

class plaso.output.tln.TLNBaseOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Base class for a TLN output module.

WriteHeader()[source]¶: Writes the header to the output.

class plaso.output.tln.TLNOutputModule(output_mediator)[source]¶

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'¶

NAME = 'tln'¶

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

plaso.output.xlsx module¶

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]¶: Closes the output.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'¶

NAME = 'xlsx'¶

Open()[source]¶

Creates a new workbook.

Raises

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if the filename is not set.

SetFields(fields)[source]¶

Sets the fields to output.

Parameters: fields (list[str]) – names of the fields to output.

SetFilename(filename)[source]¶

Sets the filename.

Parameters: filename (str) – filename.

SetTimestampFormat(timestamp_format)[source]¶

Set the timestamp format to use for the datetime column.

Parameters: timestamp_format (str) – format string of date and time values.

WriteEventBody(event, event_data, event_tag)[source]¶

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.

WriteHeader()[source]¶: Writes the header to the spreadsheet.

Module contents¶

This file imports Python modules that register output modules.

plaso.parsers package¶

Subpackages¶

plaso.parsers.bencode_plugins package¶

Submodules¶

plaso.parsers.bencode_plugins.interface module¶

plaso.parsers.bencode_plugins.transmission module¶

plaso.parsers.bencode_plugins.utorrent module¶

Module contents¶

plaso.parsers.czip_plugins package¶

Submodules¶

plaso.parsers.czip_plugins.interface module¶

plaso.parsers.czip_plugins.oxml module¶

Module contents¶

plaso.parsers.esedb_plugins package¶

Submodules¶

plaso.parsers.esedb_plugins.file_history module¶

plaso.parsers.esedb_plugins.interface module¶

plaso.parsers.esedb_plugins.msie_webcache module¶

plaso.parsers.esedb_plugins.srum module¶

Module contents¶

plaso.parsers.olecf_plugins package¶

Submodules¶

plaso.parsers.olecf_plugins.automatic_destinations module¶

plaso.parsers.olecf_plugins.default module¶

plaso.parsers.olecf_plugins.dtfabric_plugin module¶

plaso.parsers.olecf_plugins.interface module¶

plaso.parsers.olecf_plugins.summary module¶

Module contents¶

plaso.parsers.plist_plugins package¶

Submodules¶

plaso.parsers.plist_plugins.airport module¶

plaso.parsers.plist_plugins.appleaccount module¶

plaso.parsers.plist_plugins.bluetooth module¶

plaso.parsers.plist_plugins.default module¶

plaso.parsers.plist_plugins.dtfabric_plugin module¶

plaso.parsers.plist_plugins.install_history module¶

plaso.parsers.plist_plugins.interface module¶

plaso.parsers.plist_plugins.ipod module¶

plaso.parsers.plist_plugins.macuser module¶

plaso.parsers.plist_plugins.safari module¶

plaso.parsers.plist_plugins.softwareupdate module¶

plaso.parsers.plist_plugins.spotlight module¶

plaso.parsers.plist_plugins.spotlight_volume module¶

plaso.parsers.plist_plugins.timemachine module¶

Module contents¶

plaso.parsers.shared package¶

Submodules¶

plaso.parsers.shared.shell_items module¶

Parser for Windows NT shell items.

class plaso.parsers.shared.shell_items.ShellItemsParser(origin)[source]¶

Bases: object

Parses for Windows NT shell items.

CopyToPath()[source]¶

Copies the shell items to a path.

Returns: converted shell item list path or None.
Return type: str

GetUpperPathSegment()[source]¶

Retrieves the upper shell item path segment.

Returns: shell item path segment or “N/A”.
Return type: str

NAME = 'shell_items'¶

ParseByteStream(parser_mediator, byte_stream, parent_path_segments=None, codepage='cp1252')[source]¶

Parses the shell items from the byte stream.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
byte_stream (bytes) – shell items data.
parent_path_segments (Optional[list[str]]) – parent shell item path segments.
codepage (Optional[str]) – byte stream codepage.

Module contents¶

plaso.parsers.sqlite_plugins package¶

Submodules¶

plaso.parsers.sqlite_plugins.android_calls module¶

plaso.parsers.sqlite_plugins.android_sms module¶

plaso.parsers.sqlite_plugins.android_webview module¶

plaso.parsers.sqlite_plugins.android_webviewcache module¶

plaso.parsers.sqlite_plugins.appusage module¶

plaso.parsers.sqlite_plugins.chrome module¶

plaso.parsers.sqlite_plugins.chrome_autofill module¶

plaso.parsers.sqlite_plugins.chrome_cookies module¶

plaso.parsers.sqlite_plugins.chrome_extension_activity module¶

plaso.parsers.sqlite_plugins.firefox module¶

plaso.parsers.sqlite_plugins.firefox_cookies module¶

plaso.parsers.sqlite_plugins.gdrive module¶

plaso.parsers.sqlite_plugins.hangouts_messages module¶

plaso.parsers.sqlite_plugins.imessage module¶

plaso.parsers.sqlite_plugins.interface module¶

plaso.parsers.sqlite_plugins.kik_ios module¶

plaso.parsers.sqlite_plugins.kodi module¶

plaso.parsers.sqlite_plugins.ls_quarantine module¶

plaso.parsers.sqlite_plugins.mac_document_versions module¶

plaso.parsers.sqlite_plugins.mac_knowledgec module¶

plaso.parsers.sqlite_plugins.mac_notes module¶

plaso.parsers.sqlite_plugins.mac_notificationcenter module¶

plaso.parsers.sqlite_plugins.mackeeper_cache module¶

plaso.parsers.sqlite_plugins.safari module¶

plaso.parsers.sqlite_plugins.skype module¶

plaso.parsers.sqlite_plugins.tango_android module¶

plaso.parsers.sqlite_plugins.twitter_android module¶

plaso.parsers.sqlite_plugins.twitter_ios module¶

plaso.parsers.sqlite_plugins.windows_timeline module¶

plaso.parsers.sqlite_plugins.zeitgeist module¶

Module contents¶

plaso.parsers.syslog_plugins package¶

Submodules¶

plaso.parsers.syslog_plugins.cron module¶

plaso.parsers.syslog_plugins.interface module¶

plaso.parsers.syslog_plugins.ssh module¶

Module contents¶

plaso.parsers.winreg_plugins package¶

Submodules¶

plaso.parsers.winreg_plugins.appcompatcache module¶

plaso.parsers.winreg_plugins.bagmru module¶

plaso.parsers.winreg_plugins.ccleaner module¶

plaso.parsers.winreg_plugins.default module¶

plaso.parsers.winreg_plugins.dtfabric_plugin module¶

plaso.parsers.winreg_plugins.interface module¶

plaso.parsers.winreg_plugins.lfu module¶

plaso.parsers.winreg_plugins.mountpoints module¶

plaso.parsers.winreg_plugins.mrulist module¶

plaso.parsers.winreg_plugins.mrulistex module¶

plaso.parsers.winreg_plugins.msie_zones module¶

plaso.parsers.winreg_plugins.network_drives module¶

plaso.parsers.winreg_plugins.networks module¶

plaso.parsers.winreg_plugins.officemru module¶

plaso.parsers.winreg_plugins.outlook module¶

plaso.parsers.winreg_plugins.programscache module¶

plaso.parsers.winreg_plugins.run module¶

plaso.parsers.winreg_plugins.sam_users module¶

plaso.parsers.winreg_plugins.services module¶

plaso.parsers.winreg_plugins.shutdown module¶

plaso.parsers.winreg_plugins.task_scheduler module¶

plaso.parsers.winreg_plugins.terminal_server module¶

plaso.parsers.winreg_plugins.timezone module¶

plaso.parsers.winreg_plugins.typedurls module¶

plaso.parsers.winreg_plugins.usb module¶

plaso.parsers.winreg_plugins.usbstor module¶

plaso.parsers.winreg_plugins.userassist module¶

plaso.parsers.winreg_plugins.windows_version module¶

plaso.parsers.winreg_plugins.winlogon module¶

plaso.parsers.winreg_plugins.winrar module¶

Module contents¶

Submodules¶

plaso.parsers.amcache module¶

File containing a Windows Registry plugin to parse the Amcache Hive.

class plaso.parsers.amcache.AmcacheEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache event data.

full_path¶

full path of file

Type: str

sha1¶

sha1 of file

Type: str

productname¶

product name file belongs to

Type: str

companyname¶

company name that created product file belongs to

Type: str

fileversion¶

version of file

Type: str

languagecode¶

language code of file

Type: int

filesize¶

size of file in bytes

Type: int

filedescription¶

description of file

Type: str

linkerts¶

unix timestamp when file was linked

Type: int

lastmodifiedts¶

filetime timestamp of last modified datetime of file

Type: int

createdtd¶

filetime timestamp of created datetime of file

Type: int

programid¶

GUID of entry under Root/Program key file belongs to

Type: str

DATA_TYPE = 'windows:registry:amcache'¶

class plaso.parsers.amcache.AmcacheParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Amcache Registry plugin for recently run programs.

DESCRIPTION = 'Parser for Amcache Registry entries.'¶

NAME = 'amcache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Amcache.hve file for events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

URLS = ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html']¶

class plaso.parsers.amcache.AmcacheProgramEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache programs event data.

name¶

name of installed program

Type: str

version¶

version of program

Type: str

publisher¶

publisher of program

Type: str

languagecode¶

languagecode of program

Type: int

entrytype¶

type of entry (usually AddRemoveProgram)

Type: str

uninstallkey¶

unicode string of uninstall registry key for program

Type: str

filepath¶

file path of installed program

Type: str

productcode¶

product code of program

Type: str

packagecode¶

package code of program

Type: str

msiproductcode¶

MSI product code of program

Type: str

msipackagecode¶

MSI package code of program

Type: str

files¶

list of files belonging to program

Type: str

DATA_TYPE = 'windows:registry:amcache:programs'¶

plaso.parsers.android_app_usage module¶

Parser for the Android usage-history.xml files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData[source]¶

Bases: plaso.containers.events.EventData

Android Application event data.

package_name¶

name of the Android application.

Type: str

component_name¶

name of the individual component of the application.

Type: str

DATA_TYPE = 'android:event:last_resume_time'¶

class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Android usage-history.xml file.

DESCRIPTION = 'Parser for Android usage-history.xml files.'¶

NAME = 'android_app_usage'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Android usage-history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.apache_access module¶

Apache access log (access.log) parser.

Parser based on the two default apache formats, common and combined log format defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.apache_access.ApacheAccessEventData[source]¶

Bases: plaso.containers.events.EventData

Apache access event data.

http_request_referer¶

http request referer header information.

Type: str

http_request¶

first line of http request.

Type: str

http_request_user_agent¶

http request user agent header information.

Type: str

http_response_bytes¶

http response bytes size without headers.

Type: int

http_response_code¶

http response code from server.

Type: int

ip_address¶

IPv4 or IPv6 addresses.

Type: str

remote_name¶

remote logname (from identd, if supplied).

Type: str

user_name¶

logged user name.

Type: str

DATA_TYPE = 'apache:access'¶

class plaso.parsers.apache_access.ApacheAccessParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Apache access log file parser

DESCRIPTION = 'Apache access Parser'¶

LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd}), ('common_log_format', {{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} lineEnd})]¶

MAX_LINE_LENGTH = 2048¶

NAME = 'apache_access'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is an apache access log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.asl module¶

The Apple System Log Parser.

class plaso.parsers.asl.ASLEventData[source]¶

Bases: plaso.containers.events.EventData

Convenience class for an ASL event.

computer_name¶

name of the host.

Type: str

extra_information¶

extra fields associated to the event.

Type: str

facility¶

facility.

Type: str

group_id¶

group identifier (GID).

Type: int

level¶

level of criticality of the event.

Type: str

message_id¶

message identifier.

Type: int

message¶

message of the event.

Type: str

pid¶

process identifier (PID).

Type: int

read_uid¶

user identifier that can read this file, where -1 represents all.

Type: int

read_gid¶

the group identifier that can read this file, where -1 represents all.

Type: int

record_position¶

position of the event record.

Type: int

sender¶

sender or process that created the event.

Type: str

user_sid¶

user identifier (UID).

Type: str

DATA_TYPE = 'mac:asl:event'¶

class plaso.parsers.asl.ASLParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for ASL log files.

DESCRIPTION = 'Parser for ASL log files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'asl_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ASL file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bash_history module¶

Parser for bash history files.

class plaso.parsers.bash_history.BashHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Bash history log event data.

command¶

command that was executed.

Type: str

DATA_TYPE = 'bash:history:command'¶

class plaso.parsers.bash_history.BashHistoryParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Bash history files.

DESCRIPTION = 'Parser for Bash history files'¶

LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]¶

NAME = 'bash'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a record and produces a Bash history event.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a bash history file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.bencode_parser module¶

This file contains the Bencode Parser.

Plaso’s engine calls BencodeParser when it encounters bencoded files to be processed, typically seen for BitTorrent data.

class plaso.parsers.bencode_parser.BencodeParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Deserializes bencoded file; produces a dictionary containing bencoded data.

The Plaso engine calls parsers by their Parse() method. The Parse() function deserializes bencoded files using the BitTorrent-bencode library and calls plugins (BencodePlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a bencoded file, each plugin holds logic specific to a particular bencoded file. See the bencode_plugins / directory for examples of how bencode plugins are implemented.

BENCODE_RE = re.compile(b'd[0-9]')¶

DESCRIPTION = 'Parser for bencoded files.'¶

NAME = 'bencode'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a bencoded file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bsm module¶

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData[source]¶

Bases: plaso.containers.events.EventData

Basic Security Module (BSM) audit event data.

event_type¶

identifier that represents the type of the event.

Type: int

extra_tokens¶

event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

Type: list[dict[str, dict[str, str]]]

record_length¶

record length in bytes (trailer number).

Type: int

return_value¶

processed return value and exit status.

Type: str

DATA_TYPE = 'bsm:event'¶

class plaso.parsers.bsm.BSMParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for BSM files.

DESCRIPTION = 'Parser for BSM log files.'¶

NAME = 'bsm_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a BSM file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_cache module¶

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]¶

Bases: object

Chrome cache address.

block_number¶

block data file number.

Type: int

block_offset¶

offset within the block data file.

Type: int

block_size¶

block size.

Type: int

filename¶

name of the block data file.

Type: str

value¶

cache address.

Type: int

FILE_TYPE_BLOCK_1024 = 3¶

FILE_TYPE_BLOCK_256 = 2¶

FILE_TYPE_BLOCK_4096 = 4¶

FILE_TYPE_BLOCK_RANKINGS = 1¶

FILE_TYPE_SEPARATE = 0¶

class plaso.parsers.chrome_cache.CacheEntry[source]¶

Bases: object

Chrome cache entry.

creation_time¶

creation time, in number of microseconds since since January 1, 1601, 00:00:00 UTC.

Type: int

hash¶

super fast hash of the key.

Type: int

key¶

key.

Type: bytes

next¶

cache address of the next cache entry.

Type: int

original_url¶

original URL derived from the key.

Type: str

rankings_node¶

cache address of the rankings node.

Type: int

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]¶

Parses a cache entry.

Parameters

file_object (dfvfs.FileIO) – a file-like object to read from.
block_offset (int) – block offset of the cache entry.

Returns

cache entry.

Return type

CacheEntry

Raises

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Cache event data.

original_url¶

original URL.

Type: str

DATA_TYPE = 'chrome:cache:entry'¶

class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache index file parser.

creation_time¶

creation time, in number of number of microseconds since January 1, 1601, 00:00:00 UTC.

Type: int

index_table¶

the cache addresses which are stored in the index file.

Type: list[CacheAddress]

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses Chrome Cache files.

DESCRIPTION = 'Parser for Chrome Cache files.'¶

NAME = 'chrome_cache'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses Chrome Cache files.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_entry (dfvfs.FileEntry) – file entry.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_preferences module¶

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome content settings exceptions event data.

permission¶

permission.

Type: str

primary_url¶

primary URL.

Type: str

secondary_url¶

secondary URL.

Type: str

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'¶

class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension event data.

extension_id¶

extension identifier.

Type: str

extension_name¶

extension name.

Type: str

path¶

path.

Type: str

DATA_TYPE = 'chrome:preferences:extension_installation'¶

class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension Autoupdater event data.

message¶

message.

Type: str

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'¶

class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome history clearing event data.

message¶

message.

Type: str

DATA_TYPE = 'chrome:preferences:clear_history'¶

class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Chrome Preferences files.

DESCRIPTION = 'Parser for Chrome Preferences files.'¶

NAME = 'chrome_preferences'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Chrome preferences file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})¶

plaso.parsers.cups_ipp module¶

The CUPS IPP files parser.

CUPS IPP version 1.0: * http://tools.ietf.org/html/rfc2565 * http://tools.ietf.org/html/rfc2566 * http://tools.ietf.org/html/rfc2567 * http://tools.ietf.org/html/rfc2568 * http://tools.ietf.org/html/rfc2569 * http://tools.ietf.org/html/rfc2639

CUPS IPP version 1.1: * http://tools.ietf.org/html/rfc2910 * http://tools.ietf.org/html/rfc2911 * http://tools.ietf.org/html/rfc3196 * http://tools.ietf.org/html/rfc3510

CUPS IPP version 2.0: * N/A

class plaso.parsers.cups_ipp.CupsIppEventData[source]¶

Bases: plaso.containers.events.EventData

CUPS IPP event data.

application¶

application that prints the document.

Type: str

data_dict¶

parsed data coming from the file.

Type: dict[str, object]

computer_name¶

name of the computer.

Type: str

copies¶

number of copies.

Type: int

doc_type¶

type of document.

Type: str

job_id¶

job identifier.

Type: str

job_name¶

job name.

Type: str

owner¶

real name of the user.

Type: str

printer_id¶

identification name of the print.

Type: str

uri¶

URL of the CUPS service.

Type: str

user¶

system user name.

Type: str

DATA_TYPE = 'cups:ipp:event'¶

class plaso.parsers.cups_ipp.CupsIppParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for CUPS IPP files.

DESCRIPTION = 'Parser for CUPS IPP files.'¶

NAME = 'cups_ipp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a CUPS IPP file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.custom_destinations module¶

Parser for .customDestinations-ms files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses .customDestinations-ms files.

DESCRIPTION = 'Parser for *.customDestinations-ms files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'custom_destinations'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a .customDestinations-ms file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.czip module¶

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for parsing compound zip files.

Compound zip files are zip files used as containers to create another file format, as opposed to archives of unrelated files.

DESCRIPTION = 'Parser for compound ZIP files.'¶

NAME = 'czip'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a compound ZIP file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.docker module¶

Parser for Docker configuration and log files.

class plaso.parsers.docker.DockerJSONContainerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s configuration file event data.

action¶

whether the container was created, started, or finished.

Type: str

container_id¶

identifier of the container (SHA256).

Type: str

container_name¶

name of the container.

Type: str

DATA_TYPE = 'docker:json:container'¶

class plaso.parsers.docker.DockerJSONContainerLogEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s log event data.

container_id¶

identifier of the container (sha256).

Type: str

log_line¶

log line.

Type: str

log_source¶

log source.

Type: str

DATA_TYPE = 'docker:json:container:log'¶

class plaso.parsers.docker.DockerJSONLayerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker filesystem layer configuration file event data.

command¶: the command used which made Docker create a new layer

layer_id¶: the identifier of the current Docker layer (sha1)

DATA_TYPE = 'docker:json:layer'¶

class plaso.parsers.docker.DockerJSONParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Generates various events from Docker json config and log files.

This handles : * Per container config file

DOCKER_DIR/containers/<container_id>/config.json

Per container stdout/stderr output log DOCKER_DIR/containers/<container_id>/<container_id>-json.log
Filesystem layer config files DOCKER_DIR/graph/<layer_id>/json

DESCRIPTION = 'Parser for JSON Docker files.'¶

NAME = 'dockerjson'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses various Docker configuration and log files in JSON format.

This methods checks whether the file_object points to a docker JSON config or log file, and calls the corresponding _Parse* function to generate Events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.
ValueError – if the JSON file cannot be decoded.

plaso.parsers.dpkg module¶

This file contains the Debian dpkg.log file parser.

Information updated 02 September 2016.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command Where type is:

archives (with a command of unpack or install) packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version Where action is:

install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision Where decision is install or keep.

class plaso.parsers.dpkg.DpkgEventData[source]¶

Bases: plaso.containers.events.EventData

Dpkg event data.

body¶

body of the log line.

Type: str

DATA_TYPE = 'dpkg:line'¶

class plaso.parsers.dpkg.DpkgParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for Debian dpkg.log files.

DESCRIPTION = 'Parser for Debian dpkg.log files.'¶

LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]¶

NAME = 'dpkg'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters

parser_mediator (ParserMediator) – parser mediator.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters

parser_mediator (ParserMediator) – parser mediator.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.dsv_parser module¶

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser(encoding=None)[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []¶

DELIMITER = b','¶

FIELD_SIZE_LIMIT = 131072¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NUMBER_OF_HEADER_LINES = 0¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a DSV text file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – offset of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = b'"'¶

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.dtfabric_parser module¶

Shared functionality for dtFabric-based data format parsers.

class plaso.parsers.dtfabric_parser.DtFabricBaseParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for dtFabric-based data format parsers.

A dtFabric-based data format parser defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size¶: 4

units¶: bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

name: y data_type: int32
name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.esedb module¶

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]¶

Store a dict object in cache.

Parameters

attribute_name (str) – name of the attribute.
dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DESCRIPTION = 'Parser for Extensible Storage Engine (ESE) database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'esedb'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ESE database file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.filestat module¶

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData[source]¶

Bases: plaso.containers.events.EventData

File system stat event data.

file_entry_type¶

dfVFS file entry type.

Type: int

file_size¶

file size in bytes.

Type: int

file_system_type¶

file system type.

Type: str

is_allocated¶

True if the file is allocated.

Type: bool

offset¶

the offset of the stat data in bytes.

Type: int

DATA_TYPE = 'fs:stat'¶

class plaso.parsers.filestat.FileStatParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses file system stat object.

DESCRIPTION = 'Parser for file system stat information.'¶

NAME = 'filestat'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module¶

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 2 files (Firefox 32 or later).

DESCRIPTION = 'Parser for Firefox Cache version 2 files (Firefox 32 or later).'¶

NAME = 'firefox_cache2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Firefox cache event data.

data_size¶

size of the cached data.

Type: int

fetch_count¶

number of times the cache entry was fetched.

Type: int

frequency¶

???

Type: int

info_size¶

size of the metadata.

Type: int

location¶

???

Type: str

request_method¶

HTTP request method.

Type: str

request_size¶

HTTP request byte size.

Type: int

response_code¶

HTTP response code.

Type: int

url¶

URL of original content.

Type: str

version¶

cache format version.

Type: int

DATA_TYPE = 'firefox:cache:record'¶

class plaso.parsers.firefox_cache.FirefoxCacheParser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DESCRIPTION = 'Parser for Firefox Cache version 1 files (Firefox 31 or earlier).'¶

FIREFOX_CACHE_CONFIG¶: alias of firefox_cache_config

NAME = 'firefox_cache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.fseventsd module¶

Parsers for MacOS fseventsd files.

class plaso.parsers.fseventsd.FseventsdEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS file system event (fseventsd) event data

event_identifier¶

the record event identifier.

Type: int

flags¶

flags stored in the record.

Type: int

node_identifier¶

file system node identifier related to the file system event.

Type: int

path¶

path recorded in the fseventsd record.

Type: str

DATA_TYPE = 'macos:fseventsd:record'¶

class plaso.parsers.fseventsd.FseventsdParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.

DESCRIPTION = 'Parser for fseventsd files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'fsevents'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an fseventsd file.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.gdrive_synclog module¶

Parser for Google Drive Sync log files.

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData[source]¶

Bases: plaso.containers.events.EventData

Google Drive Sync log event data.

log_level¶

logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.

Type: str

message¶

log message.

Type: str

pid¶

process identifier of process which logged event.

Type: int

source_code¶

filename:line_number of source file which logged event.

Type: str

thread¶

colon-separated thread identifier in the form “ID:name” which logged event.

Type: str

time¶

date and time of the log entry event with timezone offset.

Type: str

DATA_TYPE = 'gdrive_sync:log:line'¶

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Google Drive Sync log files.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for Google Drive Sync log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}) W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)})})} [lineEnd]...})]¶

NAME = 'gdrive_synclog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a Google Drive Sync log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.iis module¶

Parser for Windows IIS Log file.

More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx

class plaso.parsers.iis.IISEventData[source]¶

Bases: plaso.containers.events.EventData

IIS log event data.

Attributes:

DATA_TYPE = 'iis:log:line'¶

class plaso.parsers.iis.WinIISParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses a Microsoft IIS log file.

BLANK = "-"¶

COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}¶

DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}¶

DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}¶

DESCRIPTION = 'Parser for Microsoft IIS log files.'¶

FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}¶

INTEGER = {W:(0123...) | "-"}¶

IP_ADDRESS = {{IPv4 address | IPv6 address} | "-"}¶

LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]¶

LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}¶

NAME = 'winiis'¶

PORT = {W:(0123...) | "-"}¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure parsed from the log file.

Raises

ParseError – when the structure type is unknown.

QUERY = {W:(ABCD...) | "-"}¶

URI = {W:(ABCD...) | "-"}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is an IIS log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line was successfully parsed.

Return type

bool

WORD = {W:(ABCD...) | "-"}¶

plaso.parsers.interface module¶

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]¶

Bases: object

File entry filter interface.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool

class plaso.parsers.interface.BaseParser[source]¶

Bases: object

The parser interface.

DESCRIPTION = ''¶

classmethod DeregisterPlugin(plugin_class)[source]¶

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset({})¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

classmethod GetPluginObjectByName(plugin_name)[source]¶

Retrieves a specific plugin object by its name.

Parameters: plugin_name (str) – name of the plugin.
Returns: a plugin object or None if not available.
Return type: BasePlugin

classmethod GetPlugins()[source]¶

Retrieves the registered plugins.

Yields: tuple[str, type] – name and class of the plugin.

NAME = 'base_parser'¶

classmethod RegisterPlugin(plugin_class)[source]¶

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]¶

Registers plugin classes.

Parameters: plugin_classes (list[type]) – classes of plugins.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod SupportsPlugins()[source]¶

Determines if a parser supports plugins.

Returns: True if the parser supports plugins.
Return type: bool

class plaso.parsers.interface.FileEntryParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]¶

Parsers the file entry and extracts event objects.

Parameters: parser_mediator (ParserMediator) – a parser mediator.
Raises: UnableToParseFile – when the file cannot be parsed.

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]¶

Bases: plaso.parsers.interface.BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool

class plaso.parsers.interface.FileObjectParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]¶

Parses a single file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.java_idx module¶

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData[source]¶

Bases: plaso.containers.events.EventData

Java IDX cache file event data.

idx_version¶

format version of IDX file.

Type: str

ip_address¶

IP address of the host in the URL.

Type: str

url¶

URL of the downloaded file.

Type: str

DATA_TYPE = 'java:download:idx'¶

class plaso.parsers.java_idx.JavaIDXParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable-lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

DESCRIPTION = 'Parser for Java WebStart Cache IDX files.'¶

NAME = 'java_idx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Java WebStart Cache IDX file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.logger module¶

The parsers sub module logger.

plaso.parsers.mac_appfirewall module¶

This file contains a appfirewall.log (MacOS Firewall) parser.

class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS Firewall log event data.

action¶

action.

Type: str

agent¶

agent that save the log.

Type: str

computer_name¶

name of the computer.

Type: str

process_name¶

name of the entity that tried do the action.

Type: str

status¶

saved status action.

Type: str

DATA_TYPE = 'mac:appfirewall:line'¶

class plaso.parsers.mac_appfirewall.MacAppFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on appfirewall.log file.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for appfirewall.log files.'¶

FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}¶

LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]¶

NAME = 'mac_appfirewall_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac AppFirewall log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mac_keychain module¶

Parser for MacOS Keychain files.

class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain application password record event data.

account_name¶

name of the account.

Type: str

comments¶

comments added by the user.

Type: str

entry_name¶

name of the entry.

Type: str

ssgp_hash¶

password/certificate hash formatted as an hexadecimal string.

Type: str

text_description¶

description.

Type: str

DATA_TYPE = 'mac:keychain:application'¶

class plaso.parsers.mac_keychain.KeychainDatabaseColumn[source]¶

Bases: object

MacOS keychain database column.

attribute_data_type¶

attribute (data) type.

Type: int

attribute_identifier¶

attribute identifier.

Type: int

attribute_name¶

attribute name.

Type: str

class plaso.parsers.mac_keychain.KeychainDatabaseTable[source]¶

Bases: object

MacOS keychain database table.

columns¶

columns.

Type: list[KeychainDatabaseColumn]

records¶

records.

Type: list[dict[str, str]]

relation_identifier¶

relation identifier.

Type: int

relation_name¶

relation name.

Type: str

class plaso.parsers.mac_keychain.KeychainInternetRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain internet record event data.

account_name¶

name of the account.

Type: str

comments¶

comments added by the user.

Type: str

entry_name¶

name of the entry.

Type: str

protocol¶

internet protocol used, for example “https”.

Type: str

ssgp_hash¶

password/certificate hash formatted as an hexadecimal string.

Type: str

text_description¶

description.

Type: str

type_protocol¶

sub-protocol used, for example “form”.

Type: str

where¶

domain name or IP where the password is used.

Type: str

DATA_TYPE = 'mac:keychain:internet'¶

class plaso.parsers.mac_keychain.KeychainParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Keychain files.

DESCRIPTION = 'Parser for MacOS Keychain files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'mac_keychain'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MacOS keychain file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.mac_securityd module¶

This file contains the MacOS securityd log plaintext parser.

Also see:: http://opensource.apple.com/source/Security/Security-55471/sec/securityd/

class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS securityd log event data.

caller¶

caller, consists of two hex numbers.

Type: str

facility¶

facility.

Type: str

level¶

priority level.

Type: str

message¶

message.

Type: str

security_api¶

name of securityd function.

Type: str

sender_pid¶

process identifier of the sender.

Type: int

sender¶

name of the sender.

Type: str

DATA_TYPE = 'mac:securityd:line'¶

class plaso.parsers.mac_securityd.MacOSSecuritydLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the securityd file that contains logs from the security daemon.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for MacOS securityd log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]¶

NAME = 'mac_securityd'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}¶

SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a securityd log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mac_wifi module¶

This file contains the wifi.log (MacOS) parser.

class plaso.parsers.mac_wifi.MacWifiLogEventData[source]¶

Bases: plaso.containers.events.EventData

Mac Wifi log event data.

action¶

known WiFI action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).

Type: str

agent¶

name and identifier of process that generated the log message.

Type: str

function¶

name of function that generated the log message.

Type: str

text¶

log message

Type: str

DATA_TYPE = 'mac:wifilog:line'¶

class plaso.parsers.mac_wifi.MacWifiLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on wifi.log file.

DESCRIPTION = 'Parser for MacOS wifi.log files.'¶

LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD...,abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]¶

NAME = 'macwifi'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac Wifi log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mactime module¶

Parser for the Sleuthkit (TSK) bodyfile or mactime format.

The format specifications can be read here:: http://wiki.sleuthkit.org/index.php?title=Body_file

class plaso.parsers.mactime.MactimeEventData[source]¶

Bases: plaso.containers.events.EventData

Mactime event data.

filename¶

name of the file.

Type: str

inode¶

“inode” of the file. Note that inode is an overloaded term in the context of mactime and used for MFT entry index values as well.

Type: int

md5¶

MD5 hash of the file content, formatted as a hexadecimal string.

Type: str

mode_as_string¶

protection mode.

Type: str

offset¶

number of the corresponding line.

Type: int

size¶

size of the file content.

Type: int

user_gid¶

user group identifier (GID).

Type: int

user_sid¶

user security identifier (SID).

Type: str

DATA_TYPE = 'fs:mactime:line'¶

class plaso.parsers.mactime.MactimeParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

SleuthKit bodyfile parser.

COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime']¶

DELIMITER = b'|'¶

DESCRIPTION = 'Parser for SleuthKit version 3 bodyfiles.'¶

NAME = 'mactime'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – number of the corresponding line.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.manager module¶

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]¶

Bases: object

The parsers and plugins manager.

classmethod CreateSignatureScanner(specification_store)[source]¶

Creates a signature scanner for format specifications with signatures.

Parameters: specification_store (FormatSpecificationStore) – format specifications with signatures.
Returns: signature scanner.
Return type: pysigscan.scanner

classmethod DeregisterParser(parser_class)[source]¶

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters: parser_class (type) – parser class (subclass of BaseParser).
Raises: KeyError – if parser class is not set for the corresponding name.

classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]¶

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Returns

containing:

FormatSpecificationStore: format specifications with signatures.
list[str]: names of parsers that do not have format specifications with
signatures, or have signatures but also need to be applied ‘brute force’.

Return type

tuple

classmethod GetNamesOfParsersWithPlugins()[source]¶

Retrieves the names of all parsers with plugins.

Returns: names of all parsers with plugins.
Return type: list[str]

classmethod GetParserAndPluginNames(parser_filter_expression=None)[source]¶

Retrieves the parser and parser plugin names.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: parser and parser plugin names.
Return type: list[str]

classmethod GetParserObjectByName(parser_name)[source]¶

Retrieves a specific parser object by its name.

Parameters: parser_name (str) – name of the parser.
Returns: parser object or None.
Return type: BaseParser

classmethod GetParserObjects(parser_filter_expression=None)[source]¶

Retrieves the parser objects.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: parsers per name.
Return type: dict[str, BaseParser]

classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]¶

Retrieves the parser plugins information.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: pairs of parser plugin names and descriptions.
Return type: list[tuple[str, str]]

classmethod GetParsers(parser_filter_expression=None)[source]¶

Retrieves the registered parsers and plugins.

Retrieves a dictionary of all registered parsers and associated plugins from a parser filter string. The filter string can contain direct names of parsers, presets or plugins. The filter string can also negate selection if prepended with an exclamation point, e.g.: “foo,!foo/bar” would include parser foo but not include plugin bar. A list of specific included and excluded plugins is also passed to each parser’s class.

The three types of entries in the filter string:

name of a parser: this would be the exact name of a single parser to include (or exclude), e.g. foo;
name of a preset, e.g. win7: the presets are defined in plaso/parsers/presets.py;
name of a plugin: if a plugin name is included the parent parser will be included in the list of registered parsers;

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Yields

tuple – containing:

str: name of the parser:
type: parser class (subclass of BaseParser).

classmethod GetParsersInformation()[source]¶

Retrieves the parsers information.

Returns: parser names and descriptions.
Return type: list[tuple[str, str]]

classmethod GetPresets()[source]¶

Retrieves the preset definitions.

Returns

preset definition generator in alphabetical: order by name.

Return type

generator[PresetDefinition]

classmethod GetPresetsForOperatingSystem(operating_system, operating_system_product, operating_system_version)[source]¶

Determines the presets for a specific operating system.

Parameters

operating_system (str) – operating system for example “Windows”. This should be one of the values in definitions.OPERATING_SYSTEM_FAMILIES.
operating_system_product (str) – operating system product for example “Windows XP” as determined by preprocessing.
operating_system_version (str) – operating system version for example “5.1” as determined by preprocessing.

Returns

preset definitions, where an empty list: represents all parsers and parser plugins (no preset).

Return type

list[PresetDefinition]

classmethod GetPresetsInformation()[source]¶

Retrieves the presets information.

Returns

containing:

str: preset name str: comma separated parser names that are defined by the preset

Return type

list[tuple]

classmethod ReadPresetsFromFile(path)[source]¶

Reads parser and parser plugin presets from a file.

Parameters: path (str) – path of file that contains the the parser and parser plugin presets configuration.
Raises: MalformedPresetError – if one or more plugin preset definitions are malformed.

classmethod RegisterParser(parser_class)[source]¶

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters: parser_class (type) – parser class (subclass of BaseParser).
Raises: KeyError – if parser class is already set for the corresponding name.

classmethod RegisterParsers(parser_classes)[source]¶

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters: parser_classes (list[type]) – parsers classes (subclasses of BaseParser).
Raises: KeyError – if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module¶

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData[source]¶

Bases: plaso.containers.events.EventData

McAfee AV Log event data.

action¶

action.

Type: str

filename¶

filename.

Type: str

rule¶

rule.

Type: str

status¶

status.

Type: str

trigger_location¶

trigger location.

Type: str

username¶

username.

Type: str

DATA_TYPE = 'av:mcafee:accessprotectionlog'¶

class plaso.parsers.mcafeeav.McafeeAccessProtectionParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']¶

DELIMITER = b'\t'¶

DESCRIPTION = 'Parser for McAfee AV Access Protection log files.'¶

NAME = 'mcafee_protection'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.mediator module¶

plaso.parsers.msiecf module¶

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF leak event data.

cached_filename¶

name of the cached file.

Type: str

cached_file_size¶

size of the cached file.

Type: int

cache_directory_index¶

index of the cache directory.

Type: int

cache_directory_name¶

name of the cache directory.

Type: str

recovered¶

True if the item was recovered.

Type: bool

DATA_TYPE = 'msiecf:leak'¶

class plaso.parsers.msiecf.MSIECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses MSIE Cache Files (MSIECF).

DESCRIPTION = 'Parser for MSIE Cache Files (MSIECF) also known as index.dat.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'msiecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MSIE Cache File (MSIECF) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF redirected event data.

recovered¶

True if the item was recovered.

Type: bool

url¶

location URL.

Type: str

DATA_TYPE = 'msiecf:redirected'¶

class plaso.parsers.msiecf.MSIECFURLEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF URL event data.

cached_filename¶

name of the cached file.

Type: str

cached_file_size¶

size of the cached file.

Type: int

cache_directory_index¶

index of the cache directory.

Type: int

cache_directory_name¶

name of the cache directory.

Type: str

http_headers¶

HTTP headers.

Type: str

number_of_hits¶

number of hits.

Type: int

recovered¶

True if the item was recovered.

Type: bool

url¶

location URL.

Type: str

DATA_TYPE = 'msiecf:url'¶

plaso.parsers.ntfs module¶

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS file system stat event data.

attribute_type¶

attribute type e.g. 0x00000030 which represents $FILE_NAME.

Type: int

file_attribute_flags¶

NTFS file attribute flags.

Type: int

file_reference¶

NTFS file reference.

Type: int

file_system_type¶

file system type.

Type: str

is_allocated¶

True if the MFT entry is allocated (marked as in use).

Type: bool

name¶

name associated with the stat event, e.g. that of a $FILE_NAME attribute or None if not available.

Type: str

parent_file_reference¶

NTFS file reference of the parent.

Type: int

DATA_TYPE = 'fs:stat:ntfs'¶

class plaso.parsers.ntfs.NTFSMFTParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses a NTFS $MFT metadata file.

DESCRIPTION = 'Parser for NTFS $MFT metadata files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'mft'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $MFT metadata file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.ntfs.NTFSUSNChangeEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS USN change event data.

file_attribute_flags¶

NTFS file attribute flags.

Type: int

filename¶

name of the file associated with the event.

Type: str

file_reference¶

NTFS file reference.

Type: int

file_system_type¶

file system type.

Type: str

parent_file_reference¶

NTFS file reference of the parent.

Type: int

update_reason_flags¶

update reason flags.

Type: int

update_sequence_number¶

update sequence number.

Type: int

update_source_flags¶

update source flags.

Type: int

DATA_TYPE = 'fs:ntfs:usn_change'¶

class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses a NTFS USN change journal.

DESCRIPTION = 'Parser for NTFS USN change journal ($UsnJrnl).'¶

NAME = 'usnjrnl'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $UsnJrnl metadata file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.olecf module¶

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses OLE Compound Files (OLECF).

DESCRIPTION = 'Parser for OLE Compound Files (OLECF).'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'olecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an OLE Compound File (OLECF) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.opera module¶

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera global history entry data.

description¶

description.

Type: str

popularity_index¶

popularity index.

Type: int

title¶

title.

Type: str

url¶

URL.

Type: str

DATA_TYPE = 'opera:history:entry'¶

class plaso.parsers.opera.OperaGlobalHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera global_history.dat file.

DESCRIPTION = 'Parser for Opera global_history.dat files.'¶

NAME = 'opera_global'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera global history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera typed history entry data.

entry_selection¶

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type: str

entry_type¶

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type: str

url¶

typed URL or hostname.

Type: str

DATA_TYPE = 'opera:history:typed_entry'¶

class plaso.parsers.opera.OperaTypedHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera typed_history.xml file.

DESCRIPTION = 'Parser for Opera typed_history.xml files.'¶

NAME = 'opera_typed_history'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera typed history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pe module¶

A parser for Portable Executable format files.

class plaso.parsers.pe.PEEventData[source]¶

Bases: plaso.containers.events.EventData

Portable Executable (PE) event data.

dll_name¶

name of an imported DLL.

Type: str

imphash¶

“Import Hash” of the pe file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing

Type: str

pe_type¶

type of PE file the event relates to.

Type: str

section_names¶

names of the PE file’s sections.

Type: list[str]

DATA_TYPE = 'pe'¶

class plaso.parsers.pe.PEParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parser for Portable Executable (PE) files.

DESCRIPTION = 'Parser for Portable Executable (PE) files.'¶

classmethod GetFormatSpecification()[source]¶: Retrieves the format specification.

NAME = 'pe'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Portable Executable (PE) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.plist module¶

This file contains the Property List (Plist) Parser.

Plaso’s engine calls PlistParser when it encounters Plist files to be processed.

class plaso.parsers.plist.PlistParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses binary and text plist plist files.

The Plaso engine calls parsers by their Parse() method. This parser’s Parse() has GetTopLevel() which deserializes plist files using the biplist library and calls plugins (PlistPlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a plist file, each plugin holds logic specific to a particular plist file. See the interface and plist_plugins/ directory for examples of how plist plugins are implemented.

DESCRIPTION = 'Parser for binary and text plist files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

GetTopLevel(file_object)[source]¶

Returns the deserialized content of a plist as a dictionary object.

Parameters: file_object (dfvfs.FileIO) – a file-like object to parse.
Returns: contents of the plist.
Return type: dict[str, object]
Raises: UnableToParseFile – when the file cannot be parsed.

NAME = 'plist'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a plist file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pls_recall module¶

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData[source]¶

Bases: plaso.containers.events.EventData

PL/SQL Recall event data.

database_name¶

name of the database.

Type: str

query¶

PL/SQL query.

Type: str

sequence_number¶

sequence number.

Type: int

username¶

username used to query.

Type: str

DATA_TYPE = 'PLSRecall:event'¶

class plaso.parsers.pls_recall.PlsRecallParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

TRecallRecord = packed record
Sequence: Integer; TimeStamp: TDateTime; Username: array[0..30] of Char; Database: array[0..80] of Char; Text: array[0..4000] of Char;

end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

DESCRIPTION = 'Parser for PL/SQL Recall files.'¶

NAME = 'pls_recall'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a PLSRecall.dat file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.plugins module¶

This file contains basic interface for plugins within Plaso.

This library serves a basis for all plugins in Plaso, whether that are Windows registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]¶

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common among several artifacts or files a plugin infrastructure can be written to make writing parsers simpler. The goal of a plugin is have only a single parser that understands the data structure that can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of certain database, such as Chrome history, or Skype history, etc. This can be done without needing to write a full fledged parser that needs to re-implement the data structure knowledge. A single parser can be created that calls the plugins to see if it knows that particular database.

Another example is Windows registry, there a single parser that can parse the registry can be made and the job of a single plugin is to parse a particular registry key. The parser can then read a registry key and compare it to a list of available plugins to see if it can be parsed.

DESCRIPTION = ''¶

NAME = 'base_plugin'¶

Process(parser_mediator, **kwargs)[source]¶

Evaluates if this is the correct plugin and processes data accordingly.

The purpose of the process function is to evaluate if this particular plugin is the correct one for the particular data structure at hand. This function accepts one value to use for evaluation, that could be a registry key, list of table names for a database or any other criteria that can be used to evaluate if the plugin should be run or not.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
kwargs (dict[str, object]) – Depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.

Raises

ValueError – when there are unused keyword arguments.

URLS = []¶

UpdateChainAndProcess(parser_mediator, **kwargs)[source]¶

Wrapper for Process() to synchronize the parser chain.

This convenience method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete. It provides a simpler parser API in most cases.

Parameters: parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

plugin_name¶: Return the name of the plugin.

class plaso.parsers.plugins.BasePluginCache[source]¶

Bases: object

A generic cache for parser plugins.

GetResults(attribute, default_value=None)[source]¶

Retrieves a cached attribute.

Parameters

attribute (str) – name of the cached attribute.
default_value (Optional[object]) – default value.

Returns

value of the cached attribute or default value if the cache: does not contain the attribute.

Return type

object

plaso.parsers.popcontest module¶

This file contains the Popularity Contest log file parser in plaso.

Information updated 20 january 2014. From Debian Package Popularity Contest Avery Pennarun <apenwarr@debian.org>

From ‘http://www.unix.com/man-page/Linux/8/popularity-contest/’:

The popularity-contest command gathers information about Debian pack- ages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to deter- mine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page http://popcon.debian.org/.

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity- contest/default.conf.

From ‘http://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 914183333 909868335 grep /bin/fgrep 914183333 909868280 findutils /usr/bin/find 914183330 909885698 dpkg-awk /usr/bin/dpkg-awk 914183330 909868577 gawk /usr/bin/gawk […more lines…] END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.’

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> will be probably get from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.popcontest.PopularityContestEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest event data.

mru¶

recently used app/library from package.

Type: str

package¶

installed packaged name, which the mru belongs to.

Type: str

record_tag¶

popularity context tag.

Type: str

DATA_TYPE = 'popularity_contest:log:event'¶

class plaso.parsers.popcontest.PopularityContestParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse popularity contest log files.

DESCRIPTION = 'Parser for popularity contest log files.'¶

FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}¶

HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}¶

LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]¶

LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}¶

MRU = W:(...)¶

NAME = 'popularity_contest'¶

PACKAGE = W:(0123...)¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure parsed from the log file.

Raises

ParseError – when the structure type is unknown.

TAG = quoted string, starting with < ending with >¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Popularity Contest log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line was successfully parsed.

Return type

bool

class plaso.parsers.popcontest.PopularityContestSessionEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest session event data.

details¶

version and host architecture.

Type: str

hostid¶

host uuid.

Type: str

session¶

session number.

Type: int

status¶

session status, either “start” or “end”.

Type: str

DATA_TYPE = 'popularity_contest:session:event'¶

plaso.parsers.presets module¶

The parser and parser plugin presets.

class plaso.parsers.presets.ParserPreset(name, parsers)[source]¶

Bases: object

Parser and parser plugin preset.

name¶

name of the preset.

Type: str

operating_systems¶

operating system artifact attribute containers, that specify to which operating systems the preset applies.

Type: list[OperatingSystemArtifact]

parsers¶

names of parser and parser plugins.

Type: list[str]

class plaso.parsers.presets.ParserPresetsManager[source]¶

Bases: object

The parsers and plugin presets manager.

GetNames()[source]¶

Retrieves the preset names.

Returns: preset names in alphabetical order.
Return type: list[str]

GetPresetByName(name)[source]¶

Retrieves a specific preset definition by name.

Parameters: name (str) – name of the preset.
Returns: a parser preset or None if not available.
Return type: ParserPreset

GetPresets()[source]¶

Retrieves the preset definitions.

Yields: ParserPreset – parser presets in alphabetical order by name.

GetPresetsByOperatingSystem(operating_system)[source]¶

Retrieves preset definitions for a specific operating system.

Parameters

operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.

Returns

preset definition that correspond with the: operating system.

Return type

list[PresetDefinition]

ReadFromFile(path)[source]¶

Reads parser and parser plugin presets from a file.

Parameters: path (str) – path of file that contains the the parser and parser plugin presets configuration.
Raises: MalformedPresetError – if one or more plugin preset definitions are malformed.

plaso.parsers.recycler module¶

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Recycle Bin event data.

drive_number¶

drive number.

Type: int

file_size¶

file size.

Type: int

original_filename¶

filename.

Type: str

record_index¶

index of the record on which the event is based.

Type: int

short_filename¶

short filename.

Type: str

DATA_TYPE = 'windows:metadata:deleted_item'¶

class plaso.parsers.recycler.WinRecycleBinParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows $Recycle.Bin $I files.

DESCRIPTION = 'Parser for Windows $Recycle.Bin $I files.'¶

NAME = 'recycle_bin'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows Recycler INFO2 file.

DESCRIPTION = 'Parser for Windows Recycler INFO2 files.'¶

NAME = 'recycle_bin_info2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycler INFO2 file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.safari_cookies module¶

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Safari Binary Cookie files.

DESCRIPTION = 'Parser for Safari Binary Cookie files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification for parser selection.

Returns: format specification.
Return type: FormatSpecification

NAME = 'binary_cookies'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Safari binary cookie file-like object.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises

UnableToParseFile – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData[source]¶

Bases: plaso.containers.events.EventData

Safari binary cookie event data.

cookie_name¶

cookie name.

Type: str

cookie_value¶

cookie value.

Type: str

flags¶

cookie flags.

Type: int

path¶

path of the cookie.

Type: str

url¶

URL where this cookie is valid.

Type: str

DATA_TYPE = 'safari:cookie:entry'¶

plaso.parsers.santa module¶

Santa log (santa.log) parser.

class plaso.parsers.santa.SantaExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Santa execution event data.

action¶

action recorded by Santa.

Type: str

decision¶

if the process was allowed or blocked.

Type: str

reason¶

reason behind santa decision to execute or block a process.

Type: str

process_hash¶

SHA256 hash for the executed process.

Type: str

certificate_hash¶

SHA256 hash for the certificate associated with the executed process.

Type: str

certificate_common_name¶

certificate common name.

Type: str

pid¶

process id for the process.

Type: str

ppid¶

parent process id for the executed process.

Type: str

uid¶

user id associated with the executed process.

Type: str

user¶

user name associated with the executed process.

Type: str

gid¶

group id associated with the executed process.

Type: str

group¶

group name associated with the executed process.

Type: str

mode¶

Santa execution mode, for example Monitor or Lockdown.

Type: str

process_path¶

process file path.

Type: str

process_arguments¶

executed process with its arguments.

Type: str

DATA_TYPE = 'santa:execution'¶

class plaso.parsers.santa.SantaFileSystemEventData[source]¶

Bases: plaso.containers.events.EventData

Santa file system event data.

action¶

event type recorded by Santa.

Type: str

file_path¶

file path and name for WRITE/DELETE events.

Type: str

file_new_path¶

new file path and name for RENAME events.

Type: str

pid¶

process id for the process.

Type: str

ppid¶

parent process id for the executed process.

Type: str

process¶

process name.

Type: str

process_path¶

process file path.

Type: str

uid¶

user id associated with the executed process.

Type: str

user¶

user name associated with the executed process.

Type: str

gid¶

group id associated with the executed process.

Type: str

group¶

group name associated with the executed process.

Type: str

DATA_TYPE = 'santa:file_system_event'¶

class plaso.parsers.santa.SantaMountEventData[source]¶

Bases: plaso.containers.events.EventData

Santa mount event data.

action¶

event type recorded by Santa.

Type: str

mount¶

disk mount point.

Type: str

volume¶

disk volume name.

Type: str

bsd_name¶

disk BSD name.

Type: str

fs¶

disk volume kind.

Type: str

model¶

disk model.

Type: str

serial¶

disk serial.

Type: str

bus¶

device protocol.

Type: str

dmg_path¶

DMG file path.

Type: str

appearance¶

disk appearance date.

Type: str

DATA_TYPE = 'santa:diskmount'¶

class plaso.parsers.santa.SantaParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses santa log files

DESCRIPTION = 'Santa Parser'¶

LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]¶

MAX_LINE_LENGTH = 16384¶

NAME = 'santa'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is a santa log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.sccm module¶

Parser for SCCM Logs.

class plaso.parsers.sccm.SCCMLogEventData[source]¶

Bases: plaso.containers.events.EventData

SCCM log event data.

component¶

component.

Type: str

text¶

text.

Type: str

DATA_TYPE = 'software_management:sccm:log'¶

class plaso.parsers.sccm.SCCMParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Windows System Center Configuration Manager (SCCM) logs.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for SCCM logs files.'¶

LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_STRUCTURES = [('log_entry', {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_at_end', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd}), ('log_entry_offset', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_offset_at_end', {{{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd})]¶

NAME = 'sccm'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse the record and return an SCCM log event object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies whether content corresponds to an SCCM log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.selinux module¶

This file contains SELinux audit.log file parser.

Information updated 16 january 2013.

An example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm=”httpd” path=”/home/auser/public_html” dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot e.g. seconds: 1105758604, milliseconds: 519.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.

References:

taste_of_training/Summit_2010_SELinux.pdf

class plaso.parsers.selinux.SELinuxLogEventData[source]¶

Bases: plaso.containers.events.EventData

SELinux log event data.

audit_type¶

audit type.

Type: str

body¶

body of the log line.

Type: str

pid¶

process identifier (PID) that created the SELinux log line.

Type: int

DATA_TYPE = 'selinux:line'¶

class plaso.parsers.selinux.SELinuxParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for SELinux audit.log files.

DESCRIPTION = 'Parser for SELinux audit.log files.'¶

LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]¶

NAME = 'selinux'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.skydrivelog module¶

This file contains SkyDrive log file parser in plaso.

class plaso.parsers.skydrivelog.SkyDriveLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive log event data.

detail¶

details.

Type: str

log_level¶

log level.

Type: str

module¶

name of the module that generated the log message.

Type: str

source_code¶

source file and line number that generated the log message.

Type: str

DATA_TYPE = 'skydrive:log:line'¶

class plaso.parsers.skydrivelog.SkyDriveLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses SkyDrive log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) log files.'¶

IGNORE_FIELD = Suppress:(!W:(,))¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]¶

MSEC = W:(0123...)¶

NAME = 'skydrive_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a SkyDrive log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.skydrivelog.SkyDriveOldLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive old log event data.

log_level¶

log level.

Type: str

source_code¶

source file and line number that generated the log message.

Type: str

text¶

log message.

Type: str

DATA_TYPE = 'skydrive:log:old:line'¶

class plaso.parsers.skydrivelog.SkyDriveOldLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse SkyDrive old log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) old log files.'¶

LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]¶

NAME = 'skydrive_log_old'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a SkyDrive old log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.sophos_av module¶

Sophos Anti-Virus log (SAV.txt) parser.

References https://community.sophos.com/kb/en-us/110923

class plaso.parsers.sophos_av.SophosAVLogEventData[source]¶

Bases: plaso.containers.events.EventData

Sophos Anti-Virus log event data.

text¶

Sophos Anti-Virus log message.

Type: str

DATA_TYPE = 'sophos:av:log'¶

class plaso.parsers.sophos_av.SophosAVLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses Anti-Virus logs (SAV.txt) files.

DESCRIPTION = 'Parser for Anti-Virus log (SAV.txt) files.'¶

LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]¶

MAX_LINE_LENGTH = 4096¶

NAME = 'sophos_av'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Sophos Anti-Virus log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.sqlite module¶

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]¶

Build a dictionary object based on a SQL command.

This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database: ‘first’, ‘stuff’, ‘things’ ‘second’, ‘another stuff’, ‘another thing’

This will result in a dictionary object being created in the cache, called ‘all_the_things’ and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}

Parameters

sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.

GetRowCache(query)[source]¶

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate row when a database and a database with a WAL file is parsed.

Parameters: query (str) – query.
Returns: hashes of the rows that have been parsed.
Return type: set

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]¶

Bases: object

SQLite database.

schema¶

schema as an SQL query per table name, for example {‘Users’: ‘CREATE TABLE Users (“id” INTEGER PRIMARY KEY, …)’}.

Type: dict[str, str]

Close()[source]¶: Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]¶

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy the database file this function sets up a connection with the database and determines the names of the tables.

Parameters

file_object (dfvfs.FileIO) – file-like object.
wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.

Raises

IOError – if the file-like object cannot be read.
OSError – if the file-like object cannot be read.
sqlite3.DatabaseError – if the database cannot be parsed.
ValueError – if the file-like object is missing.

Query(query)[source]¶

Queries the database.

Parameters: query (str) – SQL query.
Returns: results.
Return type: sqlite3.Cursor
Raises: sqlite3.DatabaseError – if querying the database fails.

SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'¶

tables¶

names of all the tables.

Type: list[str]

class plaso.parsers.sqlite.SQLiteParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses SQLite database files.

DESCRIPTION = 'Parser for SQLite database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

NAME = 'sqlite'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a SQLite database file entry.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_entry (dfvfs.FileEntry) – file entry to be parsed.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.symantec module¶

This file contains a Symantec parser in plaso.

class plaso.parsers.symantec.SymantecEventData[source]¶

Bases: plaso.containers.events.EventData

Symantec event data.

access¶

access.

Type: str

action0¶

action0.

Type: str

action1¶

action1.

Type: str

action1_status¶

action1 status.

Type: str

action2¶

action2.

Type: str

action2_status¶

action2 status.

Type: str

address¶

address.

Type: str

backup_id¶

backup identifier.

Type: str

cat¶

category.

Type: str

cleaninfo¶

clean information.

Type: str

clientgroup¶

client group.

Type: str

compressed¶

compressed.

Type: str

computer¶

computer.

Type: str

definfo¶

definfo.

Type: str

defseqnumber¶

def sequence number.

Type: str

deleteinfo¶

delete information.

Type: str

depth¶

depth.

Type: str

description¶

description.

Type: str

domain_guid¶

domain identifier (GUID).

Type: str

domainname¶

domain name.

Type: str

err_code¶

error code.

Type: str

event_data¶

event data.

Type: str

event¶

event.

Type: str

extra¶

extra.

Type: str

file¶

file.

Type: str

flags¶

flags.

Type: str

groupid¶

group identifier.

Type: str

guid¶

guid.

Type: str

license_expiration_dt¶

license expiration date.

Type: str

license_feature_name¶

license feature name.

Type: str

license_feature_ver¶

license feature ver.

Type: str

license_fulfillment_id¶

license fulfillment identifier.

Type: str

license_lifecycle¶

license lifecycle.

Type: str

license_seats_delta¶

license seats delta.

Type: str

license_seats¶

license seats.

Type: str

license_seats_total¶

license seats total.

Type: str

license_serial_num¶

license serial number.

Type: str

license_start_dt¶

license start date.

Type: str

logger¶

logger.

Type: str

login_domain¶

login domain.

Type: str

log_session_guid¶

log session identifier (GUID).

Type: str

macaddr¶

MAC address.

Type: str

new_ext¶

new ext.

Type: str

ntdomain¶

ntdomain.

Type: str

offset¶

offset.

Type: str

parent¶

parent.

Type: str

quarfwd_status¶

quarfwd status.

Type: str

remote_machine_ip¶

remote machine IP address.

Type: str

remote_machine¶

remote machine.

Type: str

scanid¶

scan identifier.

Type: str

snd_status¶

snd status.

Type: str

status¶

status.

Type: str

still_infected¶

still infected.

Type: str

time¶

time.

Type: str

user¶

user.

Type: str

vbin_id¶

vbin identifier.

Type: str

vbin_session_id¶

vbin session identifier.

Type: str

version¶

version.

Type: str

virus_id¶

virus identifier.

Type: str

virus¶

virus.

Type: str

virustype¶

virustype.

Type: str

DATA_TYPE = 'av:symantec:scanlog'¶

class plaso.parsers.symantec.SymantecParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']¶

DESCRIPTION = 'Parser for Symantec Anti-Virus log files.'¶

NAME = 'symantec_scanlog'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.syslog module¶

Parser for syslog formatted log files

class plaso.parsers.syslog.SyslogCommentEventData[source]¶

Bases: plaso.containers.events.EventData

Syslog comment event data.

body¶

message body.

Type: str

DATA_TYPE = 'syslog:comment'¶

class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')[source]¶

Bases: plaso.containers.events.EventData

Syslog line event data.

body¶

message body.

Type: str

hostname¶

hostname of the reporter.

Type: str

pid¶

process identifier of the reporter.

Type: str

reporter¶

reporter.

Type: str

severity¶

severity.

Type: str

DATA_TYPE = 'syslog:line'¶

class plaso.parsers.syslog.SyslogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses syslog formatted log files

DESCRIPTION = 'Syslog Parser'¶

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.

LINE_STRUCTURES = [('syslog_line', {{{{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_line', {{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_comment', {{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd}), ('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd})]¶

NAME = 'syslog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a syslog-formatted file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.systemd_journal module¶

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData[source]¶

Bases: plaso.containers.events.EventData

Systemd journal event data.

body¶

message body.

Type: str

hostname¶

hostname.

Type: str

pid¶

process identifier (PID).

Type: int

reporter¶

reporter.

Type: str

DATA_TYPE = 'systemd:journal'¶

class plaso.parsers.systemd_journal.SystemdJournalParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Systemd Journal files.

DESCRIPTION = 'Parser for Systemd Journal files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'systemd_journal'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Systemd journal file-like object.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.text_parser module¶

This file contains a class to provide a parsing framework to plaso.

This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.

plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)[source]¶

Pyparsing parse action callback to convert a token into an integer value.

Parameters

string (str) – original string.
location (int) – location in the string where the token was found.
tokens (list[str]) – tokens.

Returns

integer value or None.

Return type

int

class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)[source]¶

Bases: object

Encoded text reader.

ReadLine(file_object)[source]¶

Reads a line.

Parameters: file_object (dfvfs.FileIO) – file-like object.
Returns: line read from the lines buffer.
Return type: str

ReadLines(file_object)[source]¶

Reads lines into the lines buffer.

Parameters: file_object (dfvfs.FileIO) – file-like object.

Reset()[source]¶: Resets the encoded text reader.

SkipAhead(file_object, number_of_characters)[source]¶

Skips ahead a number of characters.

Parameters

file_object (dfvfs.FileIO) – file-like object.
number_of_characters (int) – number of characters.

plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)[source]¶

Return an integer from a string.

This is a pyparsing callback method that converts the matched string into an integer.

The method modifies the content of the tokens list and converts them all to an integer value.

Parameters

string (str) – original string.
location (int) – location in the string where the match was made.
tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseJoinList(string, location, tokens)[source]¶

Return a joined token from a list of tokens.

This is a callback method for pyparsing setParseAction that modifies the returned token list to join all the elements in the list to a single token.

Parameters

string (str) – original string.
location (int) – location in the string where the match was made.
tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseRangeCheck(lower_bound, upper_bound)[source]¶

Verify that a number is within a defined range.

This is a callback method for pyparsing setParseAction that verifies that a read number is within a certain range.

To use this method it needs to be defined as a callback method in setParseAction with the upper and lower bound set as parameters.

Parameters

lower_bound (int) – lower bound of the range.
upper_bound (int) – upper bound of the range.

Returns

callback method that can be used by pyparsing setParseAction.

Return type

Function

class plaso.parsers.text_parser.PyparsingConstants[source]¶

Bases: object

Constants for pyparsing-based parsers.

COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}¶

DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})¶

DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}¶

DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})¶

FOUR_DIGITS = W:(0123...)¶

HYPHEN = Suppress:("-")¶

INTEGER = W:(0123...)¶

IPV4_ADDRESS = IPv4 address¶

IPV6_ADDRESS = IPv6 address¶

IP_ADDRESS = {IPv4 address | IPv6 address}¶

MONTH = W:(ABCD...,abcd...)¶

ONE_OR_TWO_DIGITS = W:(0123...)¶

PID = W:(0123...)¶

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})¶

TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}¶

TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}¶

TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}¶

TWO_DIGITS = W:(0123...)¶

class plaso.parsers.text_parser.PyparsingMultiLineTextParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Multi line text parser interface based on pyparsing.

BUFFER_SIZE = 2048¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – tokens from a parsed log line.

Returns

event or None.

Return type

EventObject

VerifyStructure(parser_mediator, lines)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.text_parser.PyparsingSingleLineTextParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Single line text parser interface based on pyparsing.

LINE_STRUCTURES = []¶

MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20¶

MAX_LINE_LENGTH = 400¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – tokens from a parsed log line.

VerifyStructure(parser_mediator, line)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – single line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.trendmicroav module¶

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']¶

DESCRIPTION = 'Parser for Trend Micro Office Scan Virus Detection log files.'¶

MIN_COLUMNS = 8¶

NAME = 'trendmicro_vd'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')¶

DESCRIPTION = 'Parser for Trend Micro Office Web Reputation log files.'¶

MIN_COLUMNS = 12¶

NAME = 'trendmicro_url'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro AV Log event data.

action¶

action.

Type: str

filename¶

filename.

Type: str

path¶

path.

Type: str

scan_type¶

scan_type.

Type: str

threat¶

threat.

Type: str

DATA_TYPE = 'av:trendmicro:scan'¶

class plaso.parsers.trendmicroav.TrendMicroBaseParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()¶

DELIMITER = '<;>'¶

MIN_COLUMNS = None¶

class plaso.parsers.trendmicroav.TrendMicroUrlEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro Web Reputation Log event data.

block_mode¶

operation mode.

Type: str

url¶

accessed URL.

Type: str

group_code¶

group code.

Type: str

group_name¶

group name.

Type: str

credibility_rating¶

credibility rating.

Type: int

credibility_score¶

credibility score.

Type: int

policy_identifier¶

policy identifier.

Type: int

application_name¶

application name.

Type: str

ip¶

IP address.

Type: str

threshold¶

threshold value.

Type: int

DATA_TYPE = 'av:trendmicro:webrep'¶

plaso.parsers.utmp module¶

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData[source]¶

Bases: plaso.containers.events.EventData

utmp event data.

exit_status¶

exit status.

Type: int

hostname¶

hostname or IP address.

Type: str

ip_address¶

IP address from the connection.

Type: str

pid¶

process identifier (PID).

Type: int

terminal_identifier¶

inittab identifier.

Type: int

terminal¶

type of terminal.

Type: str

type¶

type of login.

Type: int

username¶

user name.

Type: str

DATA_TYPE = 'linux:utmp:event'¶

class plaso.parsers.utmp.UtmpParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Linux libc6 utmp files.

DESCRIPTION = 'Parser for Linux libc6 utmp files.'¶

NAME = 'utmp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an utmp file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.utmpx module¶

Parser for utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS utmpx event data.

hostname¶

hostname or IP address.

Type: str

pid¶

process identifier (PID).

Type: int

terminal¶

name of the terminal.

Type: str

terminal_identifier¶

inittab identifier.

Type: int

type¶

type of login.

Type: int

username¶

user name.

Type: str

DATA_TYPE = 'mac:utmpx:event'¶

class plaso.parsers.utmpx.UtmpxParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Mac OS X 10.5 utmpx files.

DESCRIPTION = 'Parser for Mac OS X 10.5 utmpx files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'utmpx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an UTMPX file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winevt module¶

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows EventLog (EVT) files.

DESCRIPTION = 'Parser for Windows EventLog (EVT) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'winevt'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows EventLog (EVT) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows EventLog (EVT) record event data.

computer_name¶

computer name stored in the event record.

Type: str

event_category¶

event category.

Type: int

event_identifier¶

event identifier.

Type: int

event_type¶

event type.

Type: int

facility¶

event facility.

Type: int

message_identifier¶

event message identifier.

Type: int

record_number¶

event record number.

Type: int

recovered¶

True if the record was recovered.

Type: bool

severity¶

event severity.

Type: int

source_name¶

name of the event source.

Type: str

strings¶

event strings.

Type: list[str]

user_sid¶

user security identifier (SID) stored in the event record.

Type: str

DATA_TYPE = 'windows:evt:record'¶

plaso.parsers.winevtx module¶

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DESCRIPTION = 'Parser for Windows XML EventLog (EVTX) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'winevtx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

class Rule(index, name)¶

Bases: tuple

index¶: Alias for field number 0

name¶: Alias for field number 1

class plaso.parsers.winevtx.WinEvtxRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows XML EventLog (EVTX) record event data.

computer_name¶

computer name stored in the event record.

Type: str

event_identifier¶

event identifier.

Type: int

event_level¶

event level.

Type: int

message_identifier¶

event message identifier.

Type: int

record_number¶

event record number.

Type: int

recovered¶

True if the record was recovered.

Type: bool

source_name¶

name of the event source.

Type: str

strings¶

event strings.

Type: list[str]

strings_parsed¶

parsed information from event strings.

Type: [dict]

user_sid¶

user security identifier (SID) stored in the event record.

Type: str

xml_string¶

XML representation of the event.

Type: str

DATA_TYPE = 'windows:evtx:record'¶

plaso.parsers.winfirewall module¶

Parser for Windows Firewall Log file.

class plaso.parsers.winfirewall.WinFirewallEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Firewall event data.

action¶

action taken.

Type: str

protocol¶

IP protocol.

Type: str

source_ip¶

source IP address.

Type: str

dest_ip¶

destination IP address.

Type: str

source_port¶

TCP or UDP source port.

Type: int

dest_port¶

TCP or UDP destination port.

Type: int

size¶

size of ???

Type: int

flags¶

TCP flags.

Type: str

tcp_seq¶

TCP sequence number.

Type: int

tcp_ack¶

TCP ACK ???

Type: int

tcp_win¶

TCP window size ???

Type: int

icmp_type¶

ICMP type.

Type: int

icmp_code¶

ICMP code.

Type: int

info¶

???

Type: str

path¶

???

Type: str

DATA_TYPE = 'windows:firewall:log_entry'¶

class plaso.parsers.winfirewall.WinFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the Windows Firewall Log file.

DESCRIPTION = 'Parser for Windows Firewall Log files.'¶

LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]¶

NAME = 'winfirewall'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a firewall log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.winjob module¶

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Scheduled Task event data.

application¶

path to job executable.

Type: str

description¶

description of the scheduled task.

Type: str

parameters¶

application command line parameters.

Type: str

trigger_type¶

trigger type.

Type: int

username¶

username that scheduled the task.

Type: str

working_directory¶

working directory of the scheduled task.

Type: str

DATA_TYPE = 'windows:tasks:job'¶

class plaso.parsers.winjob.WinJobParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse Windows Scheduled Task files for job events.

DESCRIPTION = 'Parser for Windows Scheduled Task job (or At-job) files.'¶

NAME = 'winjob'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows job file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winlnk module¶

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Shortcut (LNK) link event data.

birth_droid_file_identifier¶

distributed link tracking birth droid file identifier.

Type: str

birth_droid_volume_identifier¶

distributed link tracking birth droid volume identifier.

Type: str

command_line_arguments¶

command line arguments.

Type: str

description¶

description of the linked item.

Type: str

drive_serial_number¶

drive serial number where the linked item resides.

Type: int

drive_type¶

drive type where the linked item resided.

Type: str

droid_file_identifier¶

distributed link tracking droid file identifier.

Type: str

droid_volume_identifier¶

distributed link tracking droid volume identifier.

Type: str

env_var_location¶

environment variables loction.

Type: str

file_attribute_flags¶

file attribute flags of the linked item.

Type: int

file_size¶

size of the linked item.

Type: int

icon_location¶

icon location.

Type: str

link_target¶

shell item list of the link target.

Type: str

local_path¶

local path of the linked item.

Type: str

network_path¶

local path of the linked item.

Type: str

relative_path¶

relative path.

Type: str

volume_label¶

volume label where the linked item resided.

Type: str

working_directory¶

working directory.

Type: str

DATA_TYPE = 'windows:lnk:link'¶

class plaso.parsers.winlnk.WinLnkParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows Shortcut (LNK) files.

DESCRIPTION = 'Parser for Windows Shortcut (LNK) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'lnk'¶

ParseFileLNKFile(parser_mediator, file_object, display_name)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.
display_name (str) – display name.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winprefetch module¶

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Prefetch event data.

executable¶

executable filename.

Type: str

format_version¶

format version.

Type: int

mapped_files¶

mapped filenames.

Type: list[str]

number_of_volumes¶

number of volumes.

Type: int

path¶

path to the executable.

Type: str

prefetch_hash¶

prefetch hash.

Type: int

run_count¶

run count.

Type: int

volume_device_paths¶

volume device paths.

Type: list[str]

volume_serial_numbers¶

volume serial numbers.

Type: list[int]

DATA_TYPE = 'windows:prefetch:execution'¶

class plaso.parsers.winprefetch.WinPrefetchParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

A parser for Windows Prefetch files.

DESCRIPTION = 'Parser for Windows Prefetch files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'prefetch'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Prefetch file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winreg module¶

plaso.parsers.winrestore module¶

plaso.parsers.xchatlog module¶

plaso.parsers.xchatscrollback module¶

plaso.parsers.zsh_extended_history module¶

Module contents¶

plaso.preprocessors package¶

Submodules¶

plaso.preprocessors.interface module¶

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin[source]¶

Bases: object

The artifact preprocessor plugin interface.

The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

ARTIFACT_DEFINITION_NAME = None¶

class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin[source]¶

Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

File artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin[source]¶

Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

File entry artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin[source]¶

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

File system artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

Collect(knowledge_base, artifact_definition, searcher, file_system)[source]¶

Collects values using a file artifact definition.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
file_system (dfvfs.FileSystem) – file system to be preprocessed.

Raises

PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin[source]¶

Bases: object

The knowledge base preprocessor plugin interface.

The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

Collect(knowledge_base)[source]¶

Collects values from the knowledge base.

Parameters: knowledge_base (KnowledgeBase) – to fill with preprocessing information.
Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin[source]¶

Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

Windows Registry key artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

Collect(knowledge_base, artifact_definition, searcher)[source]¶

Collects values using a Windows Registry value artifact definition.

Parameters

knowledge_base (KnowledgeBase) – to fill with preprocessing information.
artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

Raises

PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin[source]¶

Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

Windows Registry value artifact preprocessor plugin interface.

Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module¶

plaso.preprocessors.logger module¶

The preprocessors sub module logger.

plaso.preprocessors.macos module¶

plaso.preprocessors.manager module¶

plaso.preprocessors.windows module¶

Module contents¶

plaso.serializer package¶

Submodules¶

plaso.serializer.interface module¶

The serializer object interfaces.

class plaso.serializer.interface.AttributeContainerSerializer[source]¶

Bases: object

Class that implements the attribute container serializer interface.

ReadSerialized(serialized)[source]¶

Reads an attribute container from serialized form.

Parameters: serialized (object) – serialized form.
Returns: attribute container.
Return type: AttributeContainer

WriteSerialized(attribute_container)[source]¶

Writes an attribute container to serialized form.

Parameters: attribute_container (AttributeContainer) – attribute container.
Returns: serialized form.
Return type: object

plaso.serializer.json_serializer module¶

The json serializer object implementation.

class plaso.serializer.json_serializer.JSONAttributeContainerSerializer[source]¶

Bases: plaso.serializer.interface.AttributeContainerSerializer

Class that implements the json attribute container serializer.

classmethod ReadSerialized(json_string)[source]¶

Reads an attribute container from serialized form.

Parameters: json_string (str) – JSON serialized attribute container.
Returns: attribute container or None.
Return type: AttributeContainer

classmethod ReadSerializedDict(json_dict)[source]¶

Reads an attribute container from serialized dictionary form.

Parameters: json_dict (dict[str, object]) – JSON serialized objects.
Returns: attribute container or None.
Return type: AttributeContainer
Raises: TypeError – if the serialized dictionary does not contain an AttributeContainer.

classmethod WriteSerialized(attribute_container)[source]¶

Writes an attribute container to serialized form.

Parameters: attribute_container (AttributeContainer) – attribute container.
Returns: A JSON string containing the serialized form.
Return type: str

classmethod WriteSerializedDict(attribute_container)[source]¶

Writes an attribute container to serialized form.

Parameters: attribute_container (AttributeContainer) – attribute container.
Returns: JSON serialized objects.
Return type: dict[str, object]

plaso.serializer.logger module¶

The serializer sub module logger.

Module contents¶

plaso.storage package¶

Subpackages¶

plaso.storage.fake package¶

Submodules¶

plaso.storage.fake.writer module¶

Fake storage writer for testing.

class plaso.storage.fake.writer.FakeStorageWriter(session, storage_type='session', task=None)[source]¶

Bases: plaso.storage.interface.StorageWriter

Fake storage writer object.

analysis_reports¶

analysis reports.

Type: list[AnalysisReport]

session_completion¶

session completion attribute container.

Type: SessionCompletion

session_start¶

session start attribute container.

Type: SessionStart

task_completion¶

task completion attribute container.

Type: TaskCompletion

task_start¶

task start attribute container.

Type: TaskStart

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEvent(event)[source]¶

Adds an event.

Parameters

event (EventObject) – event.

Raises

IOError – when the storage writer is closed or if the event data identifier type is not supported.
OSError – when the storage writer is closed or if the event data identifier type is not supported.

AddEventData(event_data)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – event source.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddWarning(warning)[source]¶

Adds a warnings.

Parameters

warning (ExtractionWarning) – warning.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

Close()[source]¶

Closes the storage writer.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

CreateTaskStorage(task)[source]¶

Creates a task storage.

Parameters

task (Task) – task.

Returns

storage writer.

Return type

FakeStorageWriter

Raises

IOError – if the task storage already exists.
OSError – if the task storage already exists.

FinalizeTaskStorage(task)[source]¶

Finalizes a processed task storage.

Parameters

task (Task) – task.

Raises

IOError – if the task storage does not exist.
OSError – if the task storage does not exist.

GetEventData()[source]¶

Retrieves the event data.

Returns: event data generator.
Return type: generator(EventData)

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventSources()[source]¶

Retrieves the event sources.

Returns: event source generator.
Return type: generator(EventSource)

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTags)

GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

GetFirstWrittenEventSource()[source]¶

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]¶

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetWarnings()[source]¶

Retrieves the warnings.

Returns: warning generator.
Return type: generator(ExtractionWarning)

Open()[source]¶

Opens the storage writer.

Raises

IOError – if the storage writer is already opened.
OSError – if the storage writer is already opened.

PrepareMergeTaskStorage(task)[source]¶

Prepares a task storage for merging.

Parameters

task (Task) – task.

Raises

IOError – if the task storage does not exist.
OSError – if the task storage does not exist.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

Raises

IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
OSError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

RemoveProcessedTaskStorage(task)[source]¶

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

IOError – if the task storage does not exist.
OSError – if the task storage does not exist.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – used to store the preprocessing information.

Raises

IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
OSError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

WriteSessionCompletion(aborted=False)[source]¶

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type does not support writing a session completion or when the storage writer is closed.
OSError – if the storage type does not support writing a session completion or when the storage writer is closed.

WriteSessionStart()[source]¶

Writes session start information.

Raises

IOError – if the storage type does not support writing a session start or when the storage writer is closed.
OSError – if the storage type does not support writing a session start or when the storage writer is closed.

WriteTaskCompletion(aborted=False)[source]¶

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type does not support writing a task completion or when the storage writer is closed.
OSError – if the storage type does not support writing a task completion or when the storage writer is closed.

WriteTaskStart()[source]¶

Writes task start information.

Raises

IOError – if the storage type does not support writing a task start or when the storage writer is closed.
OSError – if the storage type does not support writing a task start or when the storage writer is closed.

Module contents¶

plaso.storage.sqlite package¶

Submodules¶

plaso.storage.sqlite.merge_reader module¶

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]¶

Bases: plaso.storage.interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]¶

Reads attribute containers from a task storage file into the writer.

Parameters

callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

Raises

RuntimeError – if the add method for the active attribute container type is missing.
OSError – if the task storage file cannot be deleted.
ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module¶

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]¶

Bases: plaso.storage.interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module¶

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]¶

Bases: plaso.storage.interface.BaseStorageFile

SQLite-based storage file.

format_version¶

storage format version.

Type: int

serialization_format¶

serialization format.

Type: str

storage_type¶

storage type.

Type: str

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

AddEvent(event)[source]¶

Adds an event.

Parameters

event (EventObject) – event.

Raises

IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.
OSError – when the storage file is closed or read-only or if the event data identifier type is not supported.

AddEventData(event_data)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – event source.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.

Raises

IOError – when the storage file is closed or read-only or if the event identifier type is not supported.
OSError – when the storage file is closed or read-only or if the event identifier type is not supported.

AddEventTags(event_tags)[source]¶

Adds event tags.

Parameters

event_tags (list[EventTag]) – event tags.

Raises

IOError – when the storage file is closed or read-only or if the event tags cannot be serialized.
OSError – when the storage file is closed or read-only or if the event tags cannot be serialized.

AddWarning(warning)[source]¶

Adds an warning.

Parameters

warning (ExtractionWarning) – warning.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

classmethod CheckSupportedFormat(path, check_readable_only=False)[source]¶

Checks if the storage file format is supported.

Parameters

path (str) – path to the storage file.
check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

Close()[source]¶

Closes the storage.

Raises

IOError – if the storage file is already closed.
OSError – if the storage file is already closed.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Returns: analysis report generator.
Return type: generator(AnalysisReport)

GetEventData()[source]¶

Retrieves the event data.

Returns: event data generator.
Return type: generator(EventData)

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (SQLTableIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventSourceByIndex(index)[source]¶

Retrieves a specific event source.

Parameters: index (int) – event source index.
Returns: event source or None if not available.
Return type: EventSource

GetEventSources()[source]¶

Retrieves the event sources.

Returns: event source generator.
Return type: generator(EventSource)

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (SQLTableIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Yields: EventTag – event tag.

GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

GetNumberOfEventSources()[source]¶

Retrieves the number event sources.

Returns: number of event sources.
Return type: int

GetSessions()[source]¶

Retrieves the sessions.

Yields

Session – session attribute container.

Raises

IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

GetWarnings()[source]¶

Retrieves the warnings.

Returns: warning generator.
Return type: generator(ExtractionWarning)

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

Open(path=None, read_only=True, **unused_kwargs)[source]¶

Opens the storage.

Parameters

path (Optional[str]) – path to the storage file.
read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

IOError – if the storage file is already opened or if the database cannot be connected.
OSError – if the storage file is already opened or if the database cannot be connected.
ValueError – if path is missing.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

IOError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.
OSError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

WriteSessionCompletion(session_completion)[source]¶

Writes session completion information.

Parameters

session_completion (SessionCompletion) – session completion information.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

WriteSessionStart(session_start)[source]¶

Writes session start information.

Parameters

session_start (SessionStart) – session start information.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

WriteTaskCompletion(task_completion)[source]¶

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

WriteTaskStart(task_start)[source]¶

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

plaso.storage.sqlite.writer module¶

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]¶

Bases: plaso.storage.interface.StorageFileWriter

SQLite-based storage file writer.

Module contents¶

Submodules¶

plaso.storage.event_heaps module¶

Heaps to sort events in chronological order.

class plaso.storage.event_heaps.BaseEventHeap[source]¶

Bases: object

Event heap interface.

PopEvent()[source]¶

Pops an event from the heap.

Returns: event.
Return type: EventObject

PopEvents()[source]¶

Pops events from the heap.

Yields: EventObject – event.

PushEvent(event)[source]¶

Pushes an event onto the heap.

Parameters: event (EventObject) – event.

PushEvents(events)[source]¶

Pushes events onto the heap.

Parameters: list[EventObject] (events) – events.

number_of_events¶

number of serialized events on the heap.

Type: int

class plaso.storage.event_heaps.EventHeap[source]¶

Bases: plaso.storage.event_heaps.BaseEventHeap

Event heap.

PopEvent()[source]¶

Pops an event from the heap.

Returns: event.
Return type: EventObject

PushEvent(event)[source]¶

Pushes an event onto the heap.

Parameters: event (EventObject) – event.

class plaso.storage.event_heaps.SerializedEventHeap[source]¶

Bases: object

Serialized event heap.

data_size¶

total data size of the serialized events on the heap.

Type: int

Empty()[source]¶: Empties the heap.

PopEvent()[source]¶

Pops an event from the heap.

Returns

containing:

int: event timestamp or None if the heap is empty bytes: serialized event or None if the heap is empty

Return type

tuple

PushEvent(timestamp, event_data)[source]¶

Pushes a serialized event onto the heap.

Parameters

timestamp (int) – event timestamp, which contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.
event_data (bytes) – serialized event.

number_of_events¶

number of serialized events on the heap.

Type: int

plaso.storage.event_tag_index module¶

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex[source]¶

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_file, event_identifier)[source]¶

Retrieves the most recently updated event tag for an event.

Parameters

storage_file (BaseStorageFile) – storage file.
event_identifier (AttributeContainerIdentifier) – event attribute container identifier.

Returns

event tag or None if the event has no event tag.

Return type

EventTag

SetEventTag(event_tag)[source]¶

Sets an event tag in the index.

Parameters: event_tag (EventTag) – event tag.

plaso.storage.factory module¶

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory[source]¶

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)[source]¶

Creates a storage file.

Parameters

storage_format (str) – storage format.

Returns

a storage file or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageFile

classmethod CreateStorageReaderForFile(path)[source]¶

Creates a storage reader based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateStorageWriter(storage_format, session, path)[source]¶

Creates a storage writer.

Parameters

session (Session) – session the storage changes are part of.
path (str) – path to the storage file.
storage_format (str) – storage format.

Returns

a storage writer or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateStorageWriterForFile(session, path)[source]¶

Creates a storage writer based on the file.

Parameters

session (Session) – session the storage changes are part of.
path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageWriter

plaso.storage.identifiers module¶

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

attribute_values_hash¶

hash value of the attribute values.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a SQLite database file.

name¶

name of the table.

Type: str

row_identifier¶

unique identifier of the row in the table.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

Serialized stream attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a ZIP file.

stream_number¶

number of the serialized attribute container stream.

Type: int

entry_index¶

number of the serialized event within the stream.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

plaso.storage.interface module¶

The storage interface classes.

class plaso.storage.interface.BaseStorageFile[source]¶

Bases: plaso.storage.interface.BaseStore

Interface for file-based stores.

class plaso.storage.interface.BaseStore[source]¶

Bases: object

Storage interface.

format_version¶

storage format version.

Type: int

serialization_format¶

serialization format.

Type: str

storage_type¶

storage type.

Type: str

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters: analysis_report (AnalysisReport) – analysis report.

AddEvent(event)[source]¶

Adds an event.

Parameters: event (EventObject) – event.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters: event_source (EventSource) – event source.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters: event_tag (EventTag) – event tag.

AddWarning(warning)[source]¶

Adds a warning.

Parameters: warning (ExtractionWarning) – warning.

Close()[source]¶: Closes the storage.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Yields: AnalysisReport – analysis report.

GetEventData()[source]¶

Retrieves the event data.

Yields: EventData – event data.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventSources()[source]¶

Retrieves the event sources.

Yields: EventSource – event source.

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Yields: EventTag – event tag.

GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

GetNumberOfEventSources()[source]¶

Retrieves the number event sources.

Returns: number of event sources.
Return type: int

GetSessions()[source]¶

Retrieves the sessions.

Yields: Session – session.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

GetWarnings()[source]¶

Retrieves the warnings.

Yields: ExtractionWarning – warning.

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

Open(**kwargs)[source]¶: Opens the storage.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters: knowledge_base (KnowledgeBase) – contains the preprocessing information.

WriteSessionCompletion(session_completion)[source]¶

Writes session completion information.

Parameters: session_completion (SessionCompletion) – session completion information.

WriteSessionStart(session_start)[source]¶

Writes session start information.

Parameters: session_start (SessionStart) – session start information.

WriteTaskCompletion(task_completion)[source]¶

Writes task completion information.

Parameters: task_completion (TaskCompletion) – task completion information.

WriteTaskStart(task_start)[source]¶

Writes task start information.

Parameters: task_start (TaskStart) – task start information.

class plaso.storage.interface.SerializedAttributeContainerList[source]¶

Bases: object

Serialized attribute container list.

The list is unsorted and pops attribute containers in the same order as pushed to preserve order.

The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it being filled.

data_size¶

total data size of the serialized attribute containers on the list.

Type: int

next_sequence_number¶

next attribute container sequence number.

Type: int

Empty()[source]¶: Empties the list.

GetAttributeContainerByIndex(index)[source]¶

Retrieves a specific serialized attribute container from the list.

Parameters: index (int) – attribute container index.
Returns: serialized attribute container data or None if not available.
Return type: bytes
Raises: IndexError – if the index is less than zero.

PopAttributeContainer()[source]¶

Pops a serialized attribute container from the list.

Returns: serialized attribute container data.
Return type: bytes

PushAttributeContainer(serialized_data)[source]¶

Pushes a serialized attribute container onto the list.

Parameters: serialized_data (bytes) – serialized attribute container data.

number_of_attribute_containers¶

number of serialized attribute containers on the list.

Type: int

class plaso.storage.interface.StorageFileMergeReader(storage_writer)[source]¶

Bases: plaso.storage.interface.StorageMergeReader

Storage reader interface for merging file-based stores.

class plaso.storage.interface.StorageFileReader(path)[source]¶

Bases: plaso.storage.interface.StorageReader

File-based storage reader interface.

Close()[source]¶: Closes the storage reader.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Returns: analysis report generator.
Return type: generator(AnalysisReport)

GetEventData()[source]¶

Retrieves the event data.

Returns: event data generator.
Return type: generator(EventData)

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventSources()[source]¶

Retrieves the event sources.

Returns: event source generator.
Return type: generator(EventSource)

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTag)

GetEvents()[source]¶

Retrieves the events.

Returns: event generator.
Return type: generator(EventObject)

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

GetSessions()[source]¶

Retrieves the sessions.

Returns: session generator.
Return type: generator(Session)

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns: event generator.
Return type: generator(EventObject)

GetWarnings()[source]¶

Retrieves the warnings.

Returns: warning generator.
Return type: generator(ExtractionWarning)

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

format_version¶

format version or None if not set.

Type: int

serialization_format¶

serialization format or None if not set.

Type: str

storage_type¶

storage type or None if not set.

Type: str

class plaso.storage.interface.StorageFileWriter(session, output_file, storage_type='session', task=None)[source]¶

Bases: plaso.storage.interface.StorageWriter

Defines an interface for a file-backed storage writer.

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEvent(event)[source]¶

Adds an event.

Parameters

event (EventObject) – an event.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventData(event_data)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – an event source.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – an event tag.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddWarning(warning)[source]¶

Adds an warning.

Parameters

warning (ExtractionWarning) – an extraction warning.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

CheckTaskReadyForMerge(task)[source]¶

Checks if a task is ready for merging with this session storage.

If the task is ready to be merged, this method also sets the task’s storage file size.

Parameters

task (Task) – task.

Returns

True if the task is ready to be merged.

Return type

bool

Raises

IOError – if the storage type is not supported or
OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

Close()[source]¶

Closes the storage writer.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

CreateTaskStorage(task)[source]¶

Creates a task storage.

The task storage is used to store attributes created by the task.

Parameters

task (Task) – task.

Returns

storage writer.

Return type

StorageWriter

Raises

IOError – if the storage type is not supported.
OSError – if the storage type is not supported.

FinalizeTaskStorage(task)[source]¶

Finalizes a processed task storage.

Moves the task storage file from its temporary directory to the processed directory.

Parameters

task (Task) – task.

Raises

IOError – if the storage type is not supported or if the storage file cannot be renamed.
OSError – if the storage type is not supported or if the storage file cannot be renamed.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTag)

GetEvents()[source]¶

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetFirstWrittenEventSource()[source]¶

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]¶

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetProcessedTaskIdentifiers()[source]¶

Identifiers for tasks which have been processed.

Returns

task identifiers that are processed.

Return type

list[str]

Raises

IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

Open()[source]¶

Opens the storage writer.

Raises

IOError – if the storage writer is already opened.
OSError – if the storage writer is already opened.

PrepareMergeTaskStorage(task)[source]¶

Prepares a task storage for merging.

Moves the task storage file from the processed directory to the merge directory.

Parameters

task (Task) – task.

Raises

IOError – if the storage type is not supported or if the storage file cannot be renamed.
OSError – if the storage type is not supported or if the storage file cannot be renamed.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

RemoveProcessedTaskStorage(task)[source]¶

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

IOError – if the storage type is not supported or if the storage file cannot be removed.
OSError – if the storage type is not supported or if the storage file cannot be removed.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

StartMergeTaskStorage(task)[source]¶

Starts a merge of a task storage with the session storage.

Parameters

task (Task) – task.

Returns

storage merge reader of the task storage.

Return type

StorageMergeReader

Raises

IOError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.
OSError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

StartTaskStorage()[source]¶

Creates a temporary path for the task storage.

Raises

IOError – if the storage type is not supported or if the temporary path for the task storage already exists.
OSError – if the storage type is not supported or if the temporary path for the task storage already exists.

StopTaskStorage(abort=False)[source]¶

Removes the temporary path for the task storage.

The results of tasks will be lost on abort.

Parameters

abort (bool) – True to indicate the stop is issued on abort.

Raises

IOError – if the storage type is not supported.
OSError – if the storage type is not supported.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.
OSError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

WriteSessionCompletion(aborted=False)[source]¶

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteSessionStart()[source]¶

Writes session start information.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskCompletion(aborted=False)[source]¶

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskStart()[source]¶

Writes task start information.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

class plaso.storage.interface.StorageMergeReader(storage_writer)[source]¶

Bases: object

Storage reader interface for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]¶

Reads attribute containers from a task storage file into the writer.

Parameters

callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

class plaso.storage.interface.StorageReader[source]¶

Bases: object

Storage reader interface.

Close()[source]¶: Closes the storage reader.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Yields: AnalysisReport – analysis report.

GetEventData()[source]¶

Retrieves the event data.

Yields: EventData – event data.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventSources()[source]¶

Retrieves event sources.

Yields: EventSourceObject – event source.

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Yields: EventTag – event tag.

GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

GetSessions()[source]¶

Retrieves the sessions.

Yields: Session – session.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

GetWarnings()[source]¶

Retrieves the warnings.

Yields: ExtractionWarning – warning.

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profile.

__enter__()[source]¶: Make usable with “with” statement.

__exit__(exception_type, value, traceback)[source]¶: Make usable with “with” statement.

format_version¶

format version

Type: int

serialization_format¶

serialization format.

Type: str

storage_type¶

storage type.

Type: str

class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)[source]¶

Bases: object

Storage writer interface.

number_of_analysis_reports¶

number of analysis reports written.

Type: int

number_of_event_sources¶

number of event sources written.

Type: int

number_of_event_tags¶

number of event tags written.

Type: int

number_of_events¶

number of events written.

Type: int

number_of_warnings¶

number of warnings written.

Type: int

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters: analysis_report (AnalysisReport) – a report.

AddEvent(event)[source]¶

Adds an event.

Parameters: event (EventObject) – an event.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters: event_source (EventSource) – an event source.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters: event_tag (EventTag) – an event tag.

AddWarning(warning)[source]¶

Adds an warning.

Parameters: warning (ExtractionWarning) – a warning.

Close()[source]¶: Closes the storage writer.

CreateTaskStorage(task)[source]¶

Creates a task storage.

Parameters: task (Task) – task.
Returns: storage writer.
Return type: StorageWriter
Raises: NotImplementedError – since there is no implementation.

FinalizeTaskStorage(task)[source]¶

Finalizes a processed task storage.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

GetFirstWrittenEventSource()[source]¶

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns: event source or None if there are no newly written ones.
Return type: EventSource

GetNextWrittenEventSource()[source]¶

Retrieves the next event source that was written after open.

Returns: event source or None if there are no newly written ones.
Return type: EventSource

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

Open()[source]¶: Opens the storage writer.

PrepareMergeTaskStorage(task)[source]¶

Prepares a task storage for merging.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

RemoveProcessedTaskStorage(task)[source]¶

Removes a processed task storage.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters: knowledge_base (KnowledgeBase) – contains the preprocessing information.

WriteSessionCompletion(aborted=False)[source]¶

Writes session completion information.

Parameters: aborted (Optional[bool]) – True if the session was aborted.

WriteSessionStart()[source]¶: Writes session start information.

WriteTaskCompletion(aborted=False)[source]¶

Writes task completion information.

Parameters: aborted (Optional[bool]) – True if the session was aborted.

WriteTaskStart()[source]¶: Writes task start information.

plaso.storage.logger module¶

The storage sub module logger.

plaso.storage.time_range module¶

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)[source]¶

Bases: object

Date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration¶

duration of the range in microseconds.

Type: int

end_timestamp¶

timestamp that marks the end of the range.

Type: int

start_timestamp¶

timestamp that marks the start of the range.

Type: int

Module contents¶

plaso.unix package¶

Submodules¶

plaso.unix.bsmtoken module¶

This file contains the Basic Security Module definitions.

Module contents¶

plaso.winnt package¶

Submodules¶

plaso.winnt.human_readable_service_enums module¶

This file contains constants for making service keys more readable.

plaso.winnt.known_folder_ids module¶

This file contains the Windows NT Known Folder identifier definitions.

plaso.winnt.language_ids module¶

This file contains the Windows NT Language identifiers.

plaso.winnt.shell_folder_ids module¶

This file contains the Windows NT shell folder identifier definitions.

plaso.winnt.time_zones module¶

This file contains the Windows NT time zone definitions.

The Windows time zone names can be obtained from the following Windows Registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTime Zones

Module contents¶

Submodules¶

plaso.dependencies module¶

Functionality to check for the availability and version of dependencies.

This file is generated by l2tdevtools update-dependencies.py, any dependency related changes should be made in dependencies.ini.

plaso.dependencies.CheckDependencies(verbose_output=True)[source]¶

Checks the availability of the dependencies.

Parameters: verbose_output (Optional[bool]) – True if output should be verbose.
Returns: True if the dependencies are available, False otherwise.
Return type: bool

Module contents¶

Super timeline all the things (Plaso Langar Að Safna Öllu).

log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso is the Python rewrite of log2timeline.