plaso.formatters package¶

Submodules¶

plaso.formatters.asl module¶

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = 'mac:asl:event'¶

FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']¶

FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'ASL entry'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.bsm module¶

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = 'bsm:event'¶

FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']¶

FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']¶

SOURCE_LONG = 'BSM entry'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.chrome module¶

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromePageVisitedFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = 'chrome:history:page_visited'¶

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_extension_activity module¶

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = 'chrome:extension_activity:activity_log'¶

FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type_string}', '(type {action_type})', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']¶

FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']¶

SOURCE_LONG = 'Chrome Extension Activity'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.chrome_preferences module¶

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'¶

FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']¶

FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Permission Event'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.default module¶

The default event formatter.

class plaso.formatters.default.DefaultFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'¶

FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'¶

FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

plaso.formatters.file_system module¶

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = 'fs:stat'¶

FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

class plaso.formatters.file_system.NTFSFileStatEventFormatter[source]¶

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = 'fs:stat:ntfs'¶

FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})', 'Path hints: {path_hints}']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{attribute_name}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

class plaso.formatters.file_system.NTFSUSNChangeEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = 'fs:ntfs:usn_change'¶

FORMAT_STRING_PIECES = ['{filename}', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']¶

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{update_reason}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'¶

plaso.formatters.firefox module¶

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxPageVisitFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = 'firefox:places:page_visited'¶

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']¶

FORMAT_STRING_SHORT_PIECES = ['URL: {url}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Firefox History'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.fseventsd module¶

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = 'macos:fseventsd:record'¶

FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FSEVENT'¶

plaso.formatters.gdrive module¶

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'¶

FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Drive (cloud entry)'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.gdrive.GDriveLocalEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = 'gdrive:snapshot:local_entry'¶

FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']¶

FORMAT_STRING_SHORT_PIECES = ['{path}']¶

SOURCE_LONG = 'Google Drive (local entry)'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.hangouts_messages module¶

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Hangouts message event.

DATA_TYPE = 'android:messaging:hangouts'¶

FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{body}']¶

SOURCE_LONG = 'Google Hangouts Message'¶

SOURCE_SHORT = 'HANGOUTS'¶

plaso.formatters.imessage module¶

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage chat event.

DATA_TYPE = 'imessage:event:chat'¶

FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']¶

FORMAT_STRING_SHORT_PIECES = ['{text}']¶

SOURCE_LONG = 'Apple iMessage Application'¶

SOURCE_SHORT = 'iMessage'¶

plaso.formatters.interface module¶

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = ['']¶

FORMAT_STRING_SEPARATOR = ' '¶

FORMAT_STRING_SHORT_PIECES = ['']¶

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

RuntimeError – when an invalid format string piece is encountered.
WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]¶

Bases: object

Helper for formatting enumeration event data.

default¶

default value.

Type: str

input_attribute¶

name of the attribute that contains the enumeration input value.

Type: str

output_attribute¶

name of the attribute where the enumeration output value should be stored.

Type: str

values¶

mapping of enumeration input and output values.

Type: dict[str, str]

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.EventFormatter[source]¶

Bases: object

Base class to format event data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

helpers¶

event formatter helpers.

Type: list[EventFormatterHelper]

DATA_TYPE = 'internal'¶

FORMAT_STRING = ''¶

FORMAT_STRING_SHORT = ''¶

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = ''¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.interface.EventFormatterHelper[source]¶

Bases: object

Base class of helper for formatting event data.

abstract FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

plaso.formatters.kik_ios module¶

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = 'ios:kik:messaging'¶

FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']¶

FORMAT_STRING_SHORT_PIECES = ['{body}']¶

SOURCE_LONG = 'Kik iOS messages'¶

SOURCE_SHORT = 'Kik iOS'¶

plaso.formatters.logger module¶

The formatters sub module logger.

plaso.formatters.mac_notificationcenter module¶

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = 'mac:notificationcenter:db'¶

FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']¶

FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']¶

SOURCE_LONG = 'Notification Center'¶

SOURCE_SHORT = 'NOTIFICATION'¶

plaso.formatters.macos_tcc module¶

The macOS TCC event formatter.

class plaso.formatters.macos_tcc.MacOSTCCFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for macOS TCC events.

DATA_TYPE = 'macos:tcc_entry'¶

FORMAT_STRING_PIECES = ['Service: {service}', 'Client: {client}', 'Allowed: {allowed}', 'Prompt count: {prompt_count}']¶

FORMAT_STRING_SHORT_PIECES = ['{service}:', '{client}']¶

SOURCE_LONG = 'macOS Transparenty, Control and Consent logs'¶

SOURCE_SHORT = 'macOS TCC'¶

plaso.formatters.manager module¶

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager[source]¶

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)[source]¶

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is not set for the corresponding data type.

classmethod GetFormatterObject(data_type)[source]¶

Retrieves the formatter object for a specific data type.

Parameters

data_type (str) – data type.

Returns

corresponding formatter or the default formatter if: not available.

Return type

EventFormatter

classmethod GetMessageStrings(formatter_mediator, event_data)[source]¶

Retrieves the formatted message strings for a specific event.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

long and short version of the message string.

Return type

list[str, str]

classmethod GetSourceStrings(event, event_data)[source]¶

Retrieves the formatted source strings for a specific event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long version of the source of the event.

Return type

list[str, str]

classmethod GetUnformattedAttributes(event_data)[source]¶

Retrieves names of the event data attributes that are not formatted.

Parameters: event_data (EventData) – event data.
Returns: names of the event data attributes that are not formatted.
Return type: list[str]

classmethod ReadFormattersFromDirectory(path)[source]¶

Reads formatters from a directory.

Parameters: path (str) – path of directory that contains the formatters configuration files.
Raises: KeyError – if formatter class is already set for the corresponding data type.

classmethod ReadFormattersFromFile(path)[source]¶

Reads formatters from a file.

Parameters: path (str) – path of file that contains the formatters configuration.
Raises: KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatter(formatter_class)[source]¶

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_class (type) – class of the formatter.
Raises: KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatters(formatter_classes)[source]¶

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_classes (list[type]) – classes of the formatters.
Raises: KeyError – if formatter class is already set for the corresponding data type.

classmethod Reset()[source]¶

Resets the manager to the hardcoded formatter classes.

This method is used during unit testing.

plaso.formatters.mediator module¶

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)[source]¶

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'¶

DEFAULT_LCID = 1033¶

GetWindowsEventMessage(log_source, message_identifier)[source]¶

Retrieves the message string for a specific Windows Event Log source.

Parameters

log_source (str) – Event Log source, such as “Application Error”.
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

SetPreferredLanguageIdentifier(language_identifier)[source]¶

Sets the preferred language identifier.

Parameters

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises

KeyError – if the language identifier is not defined.
ValueError – if the language identifier is not a string type.

property lcid¶

preferred Language Code identifier (LCID).

Type: int

plaso.formatters.msiecf module¶

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = 'msiecf:leak'¶

FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']¶

SOURCE_LONG = 'MSIE Cache File leak record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msiecf.MsiecfRedirectedFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = 'msiecf:redirected'¶

FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Location: {url}']¶

SOURCE_LONG = 'MSIE Cache File redirected record'¶

SOURCE_SHORT = 'WEBHIST'¶

class plaso.formatters.msiecf.MsiecfUrlFormatter[source]¶

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = 'msiecf:url'¶

FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']¶

FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']¶

SOURCE_LONG = 'MSIE Cache File URL record'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.olecf module¶

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = 'olecf:dest_list:entry'¶

FORMAT_STRING_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFSummaryInfoFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = 'olecf:summary_info'¶

FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']¶

FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'OLECF Summary Info'¶

SOURCE_SHORT = 'OLECF'¶

plaso.formatters.recycler module¶

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = 'windows:metadata:deleted_item'¶

FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']¶

FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']¶

SOURCE_LONG = 'Recycle Bin'¶

SOURCE_SHORT = 'RECBIN'¶

plaso.formatters.safari_cookies module¶

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = 'safari:cookie:entry'¶

FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Safari Cookies'¶

SOURCE_SHORT = 'WEBHIST'¶

plaso.formatters.services module¶

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.services.WinRegistryServiceFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows service event.

DATA_TYPE = 'windows:registry:service'¶

FORMAT_STRING_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']¶

FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']¶

plaso.formatters.shell_items module¶

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = 'windows:shell_item:file_entry'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']¶

FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'File entry shell item'¶

SOURCE_SHORT = 'FILE'¶

plaso.formatters.symantec module¶

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

DATA_TYPE = 'av:symantec:scanlog'¶

FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']¶

FORMAT_STRING_SEPARATOR = '; '¶

FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']¶

SOURCE_LONG = 'Symantec AV Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.tango_android module¶

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = 'tango:android:contact'¶

FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']¶

FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Contact'¶

SOURCE_SHORT = 'Tango Android'¶

class plaso.formatters.tango_android.TangoAndroidMessageFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = 'tango:android:message'¶

FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']¶

FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']¶

SOURCE_LONG = 'Tango Android Message'¶

SOURCE_SHORT = 'Tango Android'¶

plaso.formatters.trendmicroav module¶

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:scan'¶

FORMAT_STRING_PIECES = ['Path: {path}', 'File name: {filename}', '{threat}', ': {action}', '({scan_type})']¶

FORMAT_STRING_SHORT_PIECES = ['{path}', '{filename}', '{action}']¶

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'¶

SOURCE_SHORT = 'LOG'¶

class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:webrep'¶

FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']¶

FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']¶

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.twitter_android module¶

Twitter on Android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for Android status event formatter.

DATA_TYPE = 'twitter:android:status'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']¶

SOURCE_LONG = 'Twitter Android Status'¶

SOURCE_SHORT = 'Twitter Android'¶

plaso.formatters.twitter_ios module¶

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = 'twitter:ios:contact'¶

FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']¶

FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']¶

SOURCE_LONG = 'Twitter iOS Contacts'¶

SOURCE_SHORT = 'Twitter iOS'¶

class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = 'twitter:ios:status'¶

FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']¶

FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']¶

SOURCE_LONG = 'Twitter iOS Status'¶

SOURCE_SHORT = 'Twitter iOS'¶

plaso.formatters.utmp module¶

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = 'linux:utmp:event'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']¶

SOURCE_LONG = 'UTMP session'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.utmpx module¶

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = 'mac:utmpx:event'¶

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']¶

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']¶

SOURCE_LONG = 'UTMPX session'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.winevt module¶

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = 'windows:evt:record'¶

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']¶

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']¶

GetEventTypeString(event_type)[source]¶

Retrieves a string representation of the event type.

Parameters: event_type (int) – event type.
Returns: description of the event type.
Return type: str

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSeverityString(severity)[source]¶

Retrieves a string representation of the severity.

Parameters: severity (int) – severity.
Returns: description of the event severity.
Return type: str

SOURCE_LONG = 'WinEVT'¶

SOURCE_SHORT = 'EVT'¶

plaso.formatters.winevt_rc module¶

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]¶

Bases: object

Class that defines a sqlite3 database file.

Close()[source]¶

Closes the database file.

Raises: RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]¶

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)[source]¶

Determines if a specific table exists.

Parameters: table_name (str) – table name.
Returns: True if the table exists.
Return type: bool
Raises: RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]¶

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]¶

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]¶: Closes the database reader object.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]¶

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]¶

Retrieves a specific message for a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)[source]¶

Retrieves the metadata attribute.

Parameters: attribute_name (str) – name of the metadata attribute.
Returns: the metadata attribute or None.
Return type: str
Raises: RuntimeError – if more than one value is found in the database.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool
Raises: RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module¶

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = 'windows:evtx:record'¶

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']¶

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinEVTX'¶

SOURCE_SHORT = 'EVT'¶

plaso.formatters.winjob module¶

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = 'windows:tasks:job'¶

FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']¶

SOURCE_LONG = 'Windows Scheduled Task Job'¶

SOURCE_SHORT = 'JOB'¶

plaso.formatters.winlnk module¶

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = 'windows:lnk:link'¶

FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']¶

FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Shortcut'¶

SOURCE_SHORT = 'LNK'¶

plaso.formatters.winprefetch module¶

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = 'windows:prefetch:execution'¶

FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path hints: {path_hints}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']¶

FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinPrefetch'¶

SOURCE_SHORT = 'LOG'¶

plaso.formatters.winreg module¶

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter[source]¶

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = 'windows:registry:key_value'¶

FORMAT_STRING = '[{key_path}] {values}'¶

FORMAT_STRING_ALTERNATIVE = '{values}'¶

GetMessages(formatter_mediator, event_data)[source]¶

Determines the formatted message strings for the event data.

Parameters

formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]¶

Determines the the short and long source for an event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key'¶

SOURCE_SHORT = 'REG'¶

plaso.formatters.winrestore module¶

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter[source]¶

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Restore Point information event.

DATA_TYPE = 'windows:restore_point:info'¶

FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']¶

FORMAT_STRING_SHORT_PIECES = ['{description}']¶

SOURCE_LONG = 'Windows Restore Point'¶

SOURCE_SHORT = 'RP'¶

plaso.formatters.yaml_formatters_file module¶

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]¶

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatters. type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’ short_source: ‘FILE’ source: ‘File system’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

data_type, defines the corresponding event data type;
message, defines a list of message string pieces;
separator, defines the message and short message string pieces separator;
short_message, defines the short message string pieces;
short_source, defines the short source;
source, defines the source.

ReadFromFile(path)[source]¶

Reads the event formatters from the YAML-based formatters file.

Parameters: path (str) – path to a formatters file.
Returns: event formatters.
Return type: list[EventFormatter]

Module contents¶

This file contains an import statement for each formatter.