Source code for plaso.formatters.file_system

"""File system custom event formatter helpers."""

from plaso.formatters import interface
from plaso.formatters import manager




[docs]
class NTFSFileReferenceFormatterHelper(interface.CustomEventFormatterHelper):
    """NTFS file reference formatter helper."""

    IDENTIFIER = "ntfs_file_reference"



[docs]
    def FormatEventValues(self, output_mediator, event_values):
        """Formats event values using the helper.

        Args:
          output_mediator (OutputMediator): output mediator.
          event_values (dict[str, object]): event values.
        """
        file_reference = event_values.get("file_reference")
        if file_reference:
            mft_entry_number = file_reference & 0xFFFFFFFFFFFF
            sequence_number = file_reference >> 48
            event_values["file_reference"] = f"{mft_entry_number:d}-{sequence_number:d}"








[docs]
class NTFSParentFileReferenceFormatterHelper(interface.CustomEventFormatterHelper):
    """NTFS parent file reference formatter helper."""

    IDENTIFIER = "ntfs_parent_file_reference"



[docs]
    def FormatEventValues(self, output_mediator, event_values):
        """Formats event values using the helper.

        Args:
          output_mediator (OutputMediator): output mediator.
          event_values (dict[str, object]): event values.
        """
        parent_file_reference = event_values.get("parent_file_reference")
        if parent_file_reference:
            mft_entry_number = parent_file_reference & 0xFFFFFFFFFFFF
            sequence_number = parent_file_reference >> 48
            event_values["parent_file_reference"] = (
                f"{mft_entry_number:d}-{sequence_number:d}"
            )








[docs]
class NTFSPathHintsFormatterHelper(interface.CustomEventFormatterHelper):
    """NTFS path hints formatter helper."""

    IDENTIFIER = "ntfs_path_hints"



[docs]
    def FormatEventValues(self, output_mediator, event_values):
        """Formats event values using the helper.

        Args:
          output_mediator (OutputMediator): output mediator.
          event_values (dict[str, object]): event values.
        """
        path_hints = event_values.get("path_hints")
        if path_hints:
            event_values["path_hints"] = ";".join(path_hints)






manager.FormattersManager.RegisterEventFormatterHelpers(
    [
        NTFSFileReferenceFormatterHelper,
        NTFSParentFileReferenceFormatterHelper,
        NTFSPathHintsFormatterHelper,
    ]
)