plaso.containers package

Submodules

plaso.containers.analysis_results module

Analysis result attribute containers.

class plaso.containers.analysis_results.BrowserSearchAnalysisResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Browser search analysis plugin result container.

number_of_queries

number of times the search engine was queried.

Type: int

search_engine

search engine that was queried.

Type: str

search_term

term searched for.

Type: str

CONTAINER_TYPE = 'browser_search_analysis_result'

SCHEMA = {'number_of_queries': 'int', 'search_engine': 'str', 'search_term': 'str'}

class plaso.containers.analysis_results.ChromeExtensionAnalysisResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Chrome extension analysis plugin result container.

extension

name of the Chrome extension.

Type: str

extension_identifier

identifier of the Chrome extension.

Type: str

username

name of a user that has installed the Chrome extension.

Type: str

CONTAINER_TYPE = 'chrome_extension_analysis_result'

SCHEMA = {'extension': 'str', 'extension_identifier': 'str', 'username': 'str'}

plaso.containers.analyzer_result module

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name

name of the analyzer that produce the result.

Type: str

attribute_name

name of the attribute produced.

Type: str

attribute_value

value of the attribute produced.

Type: str

CONTAINER_TYPE = 'analyzer_result'

plaso.containers.artifacts module

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Environment_variable

case_sensitive

True if environment variable name is case sensitive.

Type: bool

name

environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.

Type: str

value

environment variable value such as “C:Windows” or “/home/user”.

Type: str

CONTAINER_TYPE = 'environment_variable'

SCHEMA = {'case_sensitive': 'bool', 'name': 'str', 'value': 'str'}

class plaso.containers.artifacts.HostnameArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Hostname Cybox / Stix Hostname Object

name

name of the host according to the naming schema.

Type: str

schema

naming schema such as “DNS”, “NIS”, “SMB/NetBIOS”.

Type: str

CONTAINER_TYPE = 'hostname'

SCHEMA = {'name': 'str', 'schema': 'str'}

class plaso.containers.artifacts.OperatingSystemArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Operating system artifact attribute container.

family

operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

name

operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

product

product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

Type: str

version

version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

Type: str

CONTAINER_TYPE = 'operating_system'

IsEquivalent(other)[source]

Determines if 2 operating system artifacts are equivalent.

This function compares the operating systems based in order of: * name derived from product * family and version * family

Parameters

other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.

Returns

True if the operating systems are considered equivalent, False if: the most specific criteria do no match, or no criteria are available.

Return type

bool

SCHEMA = {'family': 'str', 'name': 'str', 'product': 'str', 'version': 'str'}

property version_tuple

version tuple or None if version is not set or invalid.

Type: tuple[int]

class plaso.containers.artifacts.PathArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Path artifact attribute container.

data_stream

name of a data stream.

Type: str

path_segment_separator

path segment separator.

Type: str

path_segments

path segments.

Type: list[str]

CONTAINER_TYPE = 'path'

ContainedIn(other)[source]

Determines if the path are contained in other.

Parameters: other (str) – path to compare against.
Returns: True if the path is contained in other.
Return type: bool

SCHEMA = {'data_stream': 'str', 'path_segment_separator': 'str', 'path_segments': 'List[str]'}

__eq__(other)[source]

Determines if the path is equal to other.

Parameters: other (str) – path to compare against.
Returns: True if the path are equal to other.
Return type: bool

__ge__(other)[source]

Determines if the path are greater than or equal to other.

Parameters: other (str) – path to compare against.
Returns: True if the path are greater than or equal to other.
Return type: bool
Raises: ValueError – if other is not an instance of string.

__gt__(other)[source]

Determines if the path are greater than other.

Parameters: other (str) – path to compare against.
Returns: True if the path are greater than other.
Return type: bool
Raises: ValueError – if other is not an instance of string.

__le__(other)[source]

Determines if the path are greater than or equal to other.

Parameters: other (str) – path to compare against.
Returns: True if the path are greater than or equal to other.
Return type: bool
Raises: ValueError – if other is not an instance of string.

__lt__(other)[source]

Determines if the path are less than other.

Parameters: other (str) – path to compare against.
Returns: True if the path are less than other.
Return type: bool
Raises: ValueError – if other is not an instance of string.

__ne__(other)[source]

Determines if the path are not equal to other.

Parameters: other (str) – path to compare against.
Returns: True if the path are not equal to other.
Return type: bool

class plaso.containers.artifacts.SourceConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Source configuration artifact attribute container.

The source configuration contains the configuration data of a source that is (or going to be) processed such storage media image or a mounted directory.

path

path of the source.

Type: str

source_type

type of source.

Type: str

CONTAINER_TYPE = 'source_configuration'

SCHEMA = {'path': 'str', 'source_type': 'str'}

class plaso.containers.artifacts.SystemConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation such as Windows or Linux.

available_time_zones

available time zones.

Type: list[TimeZone]

code_page

system code page.

Type: str

environment_variables

environment variables.

Type: list[EnvironmentVariableArtifact]

hostname

hostname.

Type: HostnameArtifact

keyboard_layout

keyboard layout.

Type: str

language

system language.

Type: str

operating_system

operating system for example “MacOS” or “Windows”.

Type: str

operating_system_product

operating system product for example “Windows XP”.

Type: str

operating_system_version

operating system version for example “10.9.2” or “8.1”.

Type: str

path_specs

path specifications of the file systems the system configuration was retrieved from.

Type: list[dfvfs.PathSpec]

time_zone

system time zone.

Type: str

user_accounts

user accounts.

Type: list[UserAccountArtifact]

CONTAINER_TYPE = 'system_configuration'

class plaso.containers.artifacts.TimeZoneArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Time zone artifact attribute container.

localized_name

name describing the time zone in localized language for example “Greenwich (standaardtijd)”.

Type: str

mui_form

MUI form of the name describing the time zone for example “@tzres.dll,-112”.

Type: str

name

name describing the time zone for example “Greenwich Standard Time”.

Type: str

offset

time zone offset in number of minutes from UTC.

Type: int

CONTAINER_TYPE = 'time_zone'

SCHEMA = {'localized_name': 'str', 'mui_form': 'str', 'name': 'str', 'offset': 'int'}

class plaso.containers.artifacts.UserAccountArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

User account artifact attribute container.

Also see:: Cybox / Stix User Account Object

full_name

name describing the user.

Type: str

group_identifier

identifier of the primary group the user is part of.

Type: str

identifier

user identifier.

Type: str

user_directory

path of the user (or home or profile) directory.

Type: str

username

name uniquely identifying the user.

Type: str

CONTAINER_TYPE = 'user_account'

GetUserDirectoryPathSegments()[source]

Retrieves the path segments of the user directory.

Returns

path segments of the user directory or an empty list if no: user directory is set.

Return type

list[str]

SCHEMA = {'full_name': 'str', 'group_identifier': 'str', 'identifier': 'str', 'user_directory': 'str', 'username': 'str'}

class plaso.containers.artifacts.WindowsEventLogMessageFileArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog message file artifact attribute container.

path

path.

Type: str

windows_path

path as defined by the Windows EventLog provider.

Type: str

CONTAINER_TYPE = 'windows_eventlog_message_file'

SCHEMA = {'path': 'str', 'windows_path': 'str'}

class plaso.containers.artifacts.WindowsEventLogMessageStringArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog message string artifact attribute container.

language_identifier

language identifier.

Type: str

message_identifier

message identifier.

Type: int

string

string.

Type: str

CONTAINER_TYPE = 'windows_eventlog_message_string'

GetMessageFileIdentifier()[source]

Retrieves the identifier of the associated message file.

Returns

message file identifier or None when: not set.

Return type

AttributeContainerIdentifier

SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'language_identifier': 'int', 'message_identifier': 'int', 'string': 'str'}

SetMessageFileIdentifier(message_file_identifier)[source]

Sets the identifier of the associated message file.

Parameters: message_file_identifier (AttributeContainerIdentifier) – message file identifier.

class plaso.containers.artifacts.WindowsEventLogProviderArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog provider artifact attribute container.

additional_identifier

additional identifier of the provider, contains a GUID.

Type: str

category_message_files

filenames of the category message files.

Type: list[str]

event_message_files

filenames of the event message files.

Type: list[str]

identifier

identifier of the provider, contains a GUID.

Type: str

log_sources

names of the corresponding Event Log sources.

Type: list[str]

log_types

Windows Event Log types.

Type: list[str]

parameter_message_files

filenames of the parameter message files.

Type: list[str]

CONTAINER_TYPE = 'windows_eventlog_provider'

SCHEMA = {'_system_configuration_identifier': 'AttributeContainerIdentifier', 'additional_identifier': 'str', 'category_message_files': 'List[str]', 'event_message_files': 'List[str]', 'identifier': 'str', 'log_sources': 'List[str]', 'log_types': 'List[str]', 'parameter_message_files': 'List[str]'}

class plaso.containers.artifacts.WindowsMountedDeviceArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows mounted device artifact attribute container.

device

device.

Type: str

disk_identity

MBR disk identity.

Type: int

identifier

identifier.

Type: str

partition_identifier

GPT partition identifier.

Type: str

partition_offset

MBR partition offset.

Type: int

CONTAINER_TYPE = 'windows_mounted_device'

SCHEMA = {'device': 'str', 'disk_identity': 'int', 'identifier': 'str', 'partition_identifier': 'str', 'partition_offset': 'int'}

class plaso.containers.artifacts.WindowsServiceConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows service (or driver) configuration artifact attribute container.

error_control

error control value of the service (or driver) executable.

Type: int

image_path

path of the service (or driver) executable.

Type: str

name

name of the service (or driver).

Type: str

object_name

service object name.

Type: str

service_dll

service DLL.

Type: str

service_type

service (or driver) type.

Type: int

start_type

service (or driver) start type.

Type: int

CONTAINER_TYPE = 'windows_service_configuration'

SCHEMA = {'error_control': 'int', 'image_path': 'str', 'name': 'str', 'object_name': 'str', 'service_dll': 'str', 'service_type': 'int', 'start_type': 'int'}

class plaso.containers.artifacts.WindowsWevtTemplateEvent(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows WEVT_TEMPLATE event definition.

identifier

event identifier.

Type: int

message_identifier

identifier of the event message.

Type: int

provider_identifier

identifier of the EventLog provider, contains a GUID.

Type: str

version

event version.

Type: int

CONTAINER_TYPE = 'windows_wevt_template_event'

GetMessageFileIdentifier()[source]

Retrieves the identifier of the associated message file.

Returns

message file identifier or None when: not set.

Return type

AttributeContainerIdentifier

SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'identifier': 'int', 'message_identifier': 'int', 'provider_identifier': 'str', 'version': 'int'}

SetMessageFileIdentifier(message_file_identifier)[source]

Sets the identifier of the associated message file.

Parameters: message_file_identifier (AttributeContainerIdentifier) – message file identifier.

plaso.containers.counts module

Count related attribute container definitions.

class plaso.containers.counts.EventLabelCount(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event label count attribute container.

label

event label.

Type: str

number_of_events

number of events with label.

Type: int

CONTAINER_TYPE = 'event_label_count'

SCHEMA = {'label': 'str', 'number_of_events': 'int'}

class plaso.containers.counts.ParserCount(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Parser count attribute container.

name

name of the parser or parser plugin.

Type: str

number_of_events

number of events generated by the parser or parser plugin.

Type: int

CONTAINER_TYPE = 'parser_count'

SCHEMA = {'name': 'str', 'number_of_events': 'int'}

plaso.containers.event_sources module

Event source attribute containers.

class plaso.containers.event_sources.EventSource(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates e.g. a file, the $STANDARD_INFORMATION MFT attribute, or Application Compatibility cache.

data_type

attribute container type indicator.

Type: str

file_entry_type

dfVFS file entry type.

Type: str

path_spec

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'event_source'

DATA_TYPE = None

SCHEMA = {'data_type': 'str', 'file_entry_type': 'str', 'path_spec': 'dfvfs.PathSpec'}

__lt__(other)[source]

Compares if the event source attribute container is less than the other.

Parameters: other (EventSource) – event source attribute container to compare to.
Returns: True if the event source attribute container is less than the other.
Return type: bool

class plaso.containers.event_sources.FileEntryEventSource(*args: Any, **kwargs: Any)[source]

Bases: EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = 'file_entry'

plaso.containers.events module

Event attribute containers.

plaso.containers.events.CalculateEventValuesHash(event_data, event_data_stream)[source]

Calculates a digest hash of the event values.

Parameters

event_data (EventData) – event data.
event_data_stream (EventDataStream) – an event data stream or None if not available.

Returns

digest hash of the event values content.

Return type

str

Raises

RuntimeError – if the event values hash cannot be determined.

class plaso.containers.events.EventData(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event data attribute container.

The event data attribute container represents the attributes of an entity, such as a database record or log line.

data_type

event data type indicator.

Type: str

CONTAINER_TYPE = 'event_data'

GetAttributeValuesString()[source]

Retrieves a comparable string of the attribute values.

Returns: comparable string of the attribute values.
Return type: str
Raises: TypeError – if the attribute value type is not supported.

GetEventDataStreamIdentifier()[source]

Retrieves the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Returns: event data stream or None when not set.
Return type: AttributeContainerIdentifier

SetEventDataStreamIdentifier(event_data_stream_identifier)[source]

Sets the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Parameters: event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.

property parser

string identifying the parser that produced the event data.

Type: str

class plaso.containers.events.EventDataStream(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event data stream attribute container.

The event data stream attribute container represents the attributes of a data stream, such as the content of a file or extended attribute.

file_entropy

byte entropy value of the data stream.

Type: str

md5_hash

MD5 digest hash of the data stream.

Type: str

path_spec

path specification of the data stream.

Type: dfvfs.PathSpec

sha1_hash

SHA-1 digest hash of the data stream.

Type: str

sha256_hash

SHA-256 digest hash of the data stream.

Type: str

yara_match

names of the Yara rules that matched the data stream.

Type: list[str]

CONTAINER_TYPE = 'event_data_stream'

SCHEMA = {'file_entropy': 'str', 'md5_hash': 'str', 'path_spec': 'dfvfs.PathSpec', 'sha1_hash': 'str', 'sha256_hash': 'str', 'yara_match': 'List[str]'}

class plaso.containers.events.EventObject(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

date_time

date and time values.

Type: dfdatetime.DateTimeValues

timestamp

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type: int

timestamp_desc

description of the meaning of the timestamp.

Type: str

CONTAINER_TYPE = 'event'

GetEventDataIdentifier()[source]

Retrieves the identifier of the associated event data.

The event data identifier is a storage specific value that requires special handling during serialization.

Returns: event data identifier or None when not set.
Return type: AttributeContainerIdentifier

SCHEMA = {'_event_data_identifier': 'AttributeContainerIdentifier', 'date_time': 'dfdatetime.DateTimeValues', 'timestamp': 'int', 'timestamp_desc': 'str'}

SetEventDataIdentifier(event_data_identifier)[source]

Sets the identifier of the associated event data.

The event data identifier is a storage specific value that requires special handling during serialization.

Parameters: event_data_identifier (AttributeContainerIdentifier) – event data identifier.

__lt__(other)[source]

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters: other (EventObject) – event attribute container to compare to.
Returns: True if the event attribute container is less than the other.
Return type: bool

class plaso.containers.events.EventTag(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event tag attribute container.

labels

labels, such as “malware”, “application_execution”.

Type: list[str]

AddLabel(label)[source]

Adds a label to the event tag.

Parameters

label (str) – label.

Raises

TypeError – if the label provided is not a string.
ValueError – if a label is malformed.

AddLabels(labels)[source]

Adds labels to the event tag.

Parameters: labels (list[str]) – labels.
Raises: ValueError – if a label is malformed.

CONTAINER_TYPE = 'event_tag'

classmethod CopyTextToLabel(text, prefix='')[source]

Copies a string to a label.

A label only supports a limited set of characters therefore unsupported characters are replaced with an underscore.

Parameters

text (str) – label text.
prefix (Optional[str]) – label prefix.

Returns

label.

Return type

str

GetEventIdentifier()[source]

Retrieves the identifier of the associated event.

The event identifier is a storage specific value that requires special handling during serialization.

Returns: event identifier or None when not set.
Return type: AttributeContainerIdentifier

SCHEMA = {'_event_identifier': 'AttributeContainerIdentifier', 'labels': 'List[str]'}

SetEventIdentifier(event_identifier)[source]

Sets the identifier of the associated event.

The event identifier is a storage specific value that requires special handling during serialization.

Parameters: event_identifier (AttributeContainerIdentifier) – event identifier.

class plaso.containers.events.YearLessLogHelper(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Year-less log helper attribute container.

earliest_year

earliest possible year the event data stream was created.

Type: int

last_relative_year

last relative year determined by the year-less log helper.

Type: int

latest_year

latest possible year the event data stream was created.

Type: int

CONTAINER_TYPE = 'year_less_log_helper'

GetEventDataStreamIdentifier()[source]

Retrieves the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Returns: event data stream or None when not set.
Return type: AttributeContainerIdentifier

SCHEMA = {'_event_data_stream_identifier': 'AttributeContainerIdentifier', 'earliest_year': 'int', 'last_relative_year': 'int', 'latest_year': 'int'}

SetEventDataStreamIdentifier(event_data_stream_identifier)[source]

Sets the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Parameters: event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.

plaso.containers.plist_event module

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Plist event data attribute container.

key

name of plist key.

Type: str

root

path from the root to this plist key.

Type: str

written_time

entry written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'plist:key'

plaso.containers.reports module

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Analysis report attribute container.

analysis_counter

counter of analysis results, for example number of events analyzed and tagged.

Type: collections.Counter

event_filter

event filter expression that was used when the analysis plugin was run.

Type: str

plugin_name

name of the analysis plugin that generated the report.

Type: str

text

report text.

Type: str

time_compiled

timestamp of the date and time the report was compiled.

Type: int

CONTAINER_TYPE = 'analysis_report'

CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns: attribute values per name.
Return type: dict[str, object]

plaso.containers.sessions module

Session related attribute container definitions.

class plaso.containers.sessions.Session(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Session attribute container.

aborted

True if the session was aborted.

Type: bool

artifact_filters

Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments

command line arguments.

Type: str

completion_time

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

debug_mode

True if debug mode was enabled.

Type: bool

enabled_parser_names

parser and parser plugin names that were enabled.

Type: list[str]

filter_file

path to a file with find specifications.

Type: str

identifier

unique identifier of the session.

Type: str

parser_filter_expression

parser filter expression.

Type: str

preferred_codepage

preferred codepage.

Type: str

preferred_encoding

preferred encoding.

Type: str

preferred_language

preferred language.

Type: str

preferred_time_zone

preferred time zone.

Type: str

preferred_year

preferred year.

Type: int

product_name

name of the product that created the session for example “log2timeline”.

Type: str

product_version

version of the product that created the session.

Type: str

start_time

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session'

CopyAttributesFromSessionCompletion(session_completion)[source]

Copies attributes from a session completion.

Parameters: session_completion (SessionCompletion) – session completion attribute container.
Raises: ValueError – if the identifier of the session completion does not match that of the session.

CopyAttributesFromSessionConfiguration(session_configuration)[source]

Copies attributes from a session configuration.

Parameters: session_configuration (SessionConfiguration) – session configuration attribute container.
Raises: ValueError – if the identifier of the session configuration does not match that of the session.

CopyAttributesFromSessionStart(session_start)[source]

Copies attributes from a session start.

Parameters: session_start (SessionStart) – session start attribute container.

CreateSessionCompletion()[source]

Creates a session completion.

Returns: session completion attribute container.
Return type: SessionCompletion

CreateSessionConfiguration()[source]

Creates a session configuraion.

Returns: session configuration attribute container.
Return type: SessionConfiguration

CreateSessionStart()[source]

Creates a session start.

Returns: session start attribute container.
Return type: SessionStart

SCHEMA = {'aborted': 'bool', 'artifact_filters': 'List[str]', 'command_line_arguments': 'str', 'completion_time': 'int', 'debug_mode': 'bool', 'enabled_parser_names': 'List[str]', 'file_entropy': 'str', 'filter_file': 'str', 'identifier': 'str', 'parser_filter_expression': 'str', 'preferred_codepage': 'str', 'preferred_encoding': 'str', 'preferred_language': 'str', 'preferred_time_zone': 'str', 'preferred_year': 'int', 'product_name': 'str', 'product_version': 'str', 'start_time': 'int'}

class plaso.containers.sessions.SessionCompletion(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Session completion attribute container.

aborted

True if the session was aborted.

Type: bool

identifier

unique identifier of the session.

Type: str

timestamp

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_completion'

class plaso.containers.sessions.SessionConfiguration(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Session configuration attribute container.

The session configuration contains various settings used within a session, such as parser and collection filters that are used, and information about the source being processed, such as the system configuration determined by pre-processing.

artifact_filters

names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments

command line arguments.

Type: str

debug_mode

True if debug mode was enabled.

Type: bool

enabled_parser_names

parser and parser plugin names that were enabled.

Type: list[str]

filter_file

path to a file with find specifications.

Type: str

identifier

unique identifier of the session.

Type: str

parser_filter_expression

parser filter expression.

Type: str

preferred_codepage

preferred codepage.

Type: str

preferred_encoding

preferred encoding.

Type: str

preferred_language

preferred language.

Type: str

preferred_time_zone

preferred time zone.

Type: str

preferred_year

preferred year.

Type: int

CONTAINER_TYPE = 'session_configuration'

class plaso.containers.sessions.SessionStart(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Session start attribute container.

identifier

unique identifier of the session.

Type: str

product_name

name of the product that created the session for example “log2timeline”.

Type: str

product_version

version of the product that created the session.

Type: str

timestamp

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_start'

plaso.containers.tasks module

Task attribute container definition.

class plaso.containers.tasks.Task(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Task attribute container.

A task describes a piece of work for a multi processing worker process for example a task to process a path specification or to analyze an event.

aborted

True if the task was aborted.

Type: bool

completion_time

time that the task was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

file_entry_type

dfVFS type of the file entry the path specification is referencing.

Type: str

has_retry

True if the task was previously abandoned and a retry task was created, False otherwise.

Type: bool

identifier

unique identifier of the task.

Type: str

last_processing_time

the last time the task was marked as being processed as number of milliseconds since January 1, 1970, 00:00:00 UTC.

Type: int

merge_priority

priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

Type: int

path_spec

path specification.

Type: dfvfs.PathSpec

session_identifier

the identifier of the session the task is part of.

Type: str

start_time

time that the task was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

storage_file_size

size of the storage file in bytes.

Type: int

storage_format

the format the task results are to be stored in.

Type: str

CONTAINER_TYPE = 'task'

CreateRetryTask()[source]

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns: a task to retry a previously abandoned task.
Return type: Task

SCHEMA = {'aborted': 'bool', 'completion_time': 'int', 'file_entry_type': 'str', 'has_retry': 'bool', 'identifier': 'str', 'last_processing_time': 'int', 'merge_priority': 'int', 'path_spec': 'dfvfs.PathSpec', 'session_identifier': 'str', 'start_time': 'int', 'storage_file_size': 'int', 'storage_format': 'str'}

UpdateProcessingTime()[source]: Updates the processing time to now.

__lt__(other)[source]

Compares if the task attribute container is less than the other.

Parameters: other (Task) – task attribute container to compare to.
Returns: True if the task attribute container is less than the other.
Return type: bool

plaso.containers.warnings module

Warning attribute containers.

class plaso.containers.warnings.AnalysisWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Analysis warning attribute container.

Analysis warnings are produced by analysis plugins when they encounter situations that should be brought to the users’ attention but are not analysis results.

message

warning message.

Type: str

plugin_name

name of the analysis plugin to which the warning applies.

Type: str

CONTAINER_TYPE = 'analysis_warning'

SCHEMA = {'message': 'str', 'plugin_name': 'str'}

class plaso.containers.warnings.ExtractionWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Extraction warning attribute container.

Extraction warnings are produced by parsers/plugins when they encounter situations that should be brought to the users’ attention but are not event data derived from the data being processed.

message

warning message.

Type: str

parser_chain

parser chain to which the warning applies.

Type: str

path_spec

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_warning'

SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}

class plaso.containers.warnings.PreprocessingWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Preprocessing warning attribute container.

Preprocessing warnings are produced by preprocessing plugins when they encounter situations that should be brought to the users’ attention but are not preprocessing results.

message

warning message.

Type: str

path_spec

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

plugin_name

name of the preprocessing plugin to which the warning applies.

Type: str

CONTAINER_TYPE = 'preprocessing_warning'

SCHEMA = {'message': 'str', 'path_spec': 'dfvfs.PathSpec', 'plugin_name': 'str'}

class plaso.containers.warnings.RecoveryWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Recovery warning attribute container.

Recovery warnings are warning encountered during recovery. They are typically produced by parsers/plugins when they are unable to recover event data.

message

warning message.

Type: str

parser_chain

parser chain to which the warning applies.

Type: str

path_spec

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'recovery_warning'

SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}

class plaso.containers.warnings.TimeliningWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Timelining warning attribute container.

Timelining warnings are produced by the timeliner when it encounters situations that should be brought to the users’ attention but are not events derived from the event data being processed.

message

warning message.

Type: str

parser_chain

parser chain to which the warning applies.

Type: str

path_spec

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'timelining_warning'

SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}

plaso.containers.windows_events module

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows distributed link event data attribute container.

creation_time

file entry creation date and time.

Type: dfdatetime.DateTimeValues

mac_address

MAC address stored in the UUID.

Type: str

origin

origin of the event (event source). E.g. the path of the corresponding LNK file or file reference MFT entry with the corresponding NTFS $OBJECT_ID attribute.

Type: str

uuid

UUID.

Type: str

DATA_TYPE = 'windows:distributed_link_tracking:creation'

class plaso.containers.windows_events.WindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Registry event data attribute container.

key_path

Windows Registry key path.

Type: str

last_written_time

key last written date and time.

Type: dfdatetime.DateTimeValues

values

name, data type and data of the values in the key.

Type: list[tuple[str, str, str]]

DATA_TYPE = 'windows:registry:key_value'

class plaso.containers.windows_events.WindowsShellItemFileEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows shell item file entry event data attribute container.

access_time

file entry last access date and time.

Type: dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type: dfdatetime.DateTimeValues

file_reference

NTFS file reference, in the format: “MTF entry - sequence number”.

Type: str

localized_name

localized name of the file entry shell item.

Type: str

long_name

long name of the file entry shell item.

Type: str

modification_time

file entry last modification date and time.

Type: dfdatetime.DateTimeValues

name

name of the file entry shell item.

Type: str

origin

origin of the event.

Type: str

shell_item_path

shell item path.

Type: str

DATA_TYPE = 'windows:shell_item:file_entry'

class plaso.containers.windows_events.WindowsVolumeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows volume event data attribute container.

creation_time

volume creation date and time.

Type: dfdatetime.DateTimeValues

device_path

volume device path.

Type: str

origin

origin of the event (event source), for example the corresponding Prefetch file name.

Type: str

serial_number

volume serial number.

Type: str

DATA_TYPE = 'windows:volume:creation'

Module contents

This file imports Python modules that register attribute container types.