plaso.formatters package

Submodules

plaso.formatters.chrome module

Google Chrome history custom event formatter helpers.

class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome history typed count formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_history_typed_count'

plaso.formatters.chrome_preferences module

Google Chrome preferences custom event formatter helpers.

class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome preferences primary URL formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_primary_url'
class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome preferences secondary URL formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_secondary_url'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultEventFormatter[source]

Bases: BasicEventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'
FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_values}'
FORMAT_STRING_SHORT = '<DEFAULT> {attribute_values}'

plaso.formatters.file_system module

File system custom event formatter helpers.

class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS file reference formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_file_reference'
class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS parent file reference formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_parent_file_reference'
class plaso.formatters.file_system.NTFSPathHintsFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS path hints formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_path_hints'

plaso.formatters.firefox module

Mozilla Firefox history custom event formatter helpers.

class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper[source]

Bases: CustomEventFormatterHelper

Mozilla Firefox history typed count formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_typed_count'
class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper[source]

Bases: CustomEventFormatterHelper

Mozilla Firefox history URL hidden formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_url_hidden'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)[source]

Bases: EventFormatter

Format event values using a message format string.

custom_helpers

identifiers of custom event formatter helpers.

Type

list[str]

helpers

event formatter helpers.

Type

list[EventFormatterHelper]

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters

event_values (dict[str, object]) – event values.

Returns

message.

Return type

str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters

event_values (dict[str, object]) – event values.

Returns

short message.

Return type

str

class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]

Bases: EventFormatterHelper

Helper for formatting boolean event data.

input_attribute

name of the attribute that contains the boolean input value.

Type

str

output_attribute

name of the attribute where the boolean output value should be stored.

Type

str

value_if_false

output value if the boolean input value is False.

Type

str

value_if_true

output value if the boolean input value is True.

Type

str

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]

Bases: EventFormatter

Conditionally format event values using format string pieces.

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters

event_values (dict[str, object]) – event values.

Returns

message.

Return type

str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters

event_values (dict[str, object]) – event values.

Returns

short message.

Return type

str

class plaso.formatters.interface.CustomEventFormatterHelper[source]

Bases: EventFormatterHelper

Base class for a helper for custom formatting of event data.

DATA_TYPE = ''
abstract FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = ''
class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]

Bases: EventFormatterHelper

Helper for formatting enumeration event data.

default

default value.

Type

str

input_attribute

name of the attribute that contains the enumeration input value.

Type

str

output_attribute

name of the attribute where the enumeration output value should be stored.

Type

str

values

mapping of enumeration input and output values.

Type

dict[str, str]

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

If default value is None and there is no corresponding enumeration value then the original value is used.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

class plaso.formatters.interface.EventFormatter(data_type='internal')[source]

Bases: object

Base class to format event values.

custom_helpers

identifiers of custom event formatter helpers.

Type

list[str]

helpers

event formatter helpers.

Type

list[EventFormatterHelper]

source_mapping

short and (long) source mapping.

Type

tuple[str, str]

AddCustomHelper(identifier, input_attribute=None, output_attribute=None)[source]

Adds a custom event formatter helper.

Parameters

  • identifier (str) – identifier.

  • input_attribute (Optional[str]) – name of the attribute that contains the input value.

  • output_attribute (Optional[str]) – name of the attribute where the output value should be stored.

AddHelper(helper)[source]

Adds an event formatter helper.

Parameters

helper (EventFormatterHelper) – event formatter helper to add.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

abstract GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

abstract GetMessage(event_values)[source]

Determines the message.

Parameters

event_values (dict[str, object]) – event values.

Returns

message.

Return type

str

abstract GetMessageShort(event_values)[source]

Determines the short message.

Parameters

event_values (dict[str, object]) – event values.

Returns

short message.

Return type

str

property data_type

unique identifier for the event data supported by the formatter.

Type

str

class plaso.formatters.interface.EventFormatterHelper[source]

Bases: object

Base class of helper for formatting event data.

abstract FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)[source]

Bases: EventFormatterHelper

Helper for formatting flags event data.

input_attribute

name of the attribute that contains the flags input value.

Type

str

output_attribute

name of the attribute where the flags output value should be stored.

Type

str

values

mapping of flags input and output values.

Type

dict[str, str]

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.manager module

Manages custom event formatter helpers.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Custom event formatter helpers manager.

classmethod GetEventFormatterHelper(identifier)[source]

Retrieves a custom event formatter helper.

Parameters

identifier (str) – identifier.

Returns

custom event formatter or None if not

available.

Return type

CustomEventFormatterHelper

classmethod RegisterEventFormatterHelper(formatter_helper_class)[source]

Registers a custom event formatter helper.

The custom event formatter helpers are identified based on their lower case identifier.

Parameters

formatter_helper_class (type) – class of the custom event formatter helper.

Raises

KeyError – if a custom formatter helper is already set for the corresponding identifier.

classmethod RegisterEventFormatterHelpers(formatter_helper_classes)[source]

Registers custom event formatter helpers.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.

Raises

KeyError – if a custom formatter helper is already set for the corresponding data type.

plaso.formatters.msiecf module

MSIE cache file custom event formatter helpers.

class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper[source]

Bases: CustomEventFormatterHelper

MSIE cache file cached path formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_cached_path'
class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper[source]

Bases: CustomEventFormatterHelper

MSIE cache file HTTP headers formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_http_headers'

plaso.formatters.shell_items module

Windows shell item custom event formatter helpers.

class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows shell item file entry formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'shell_item_file_entry_name'

plaso.formatters.winevt module

Windows EventLog custom event formatter helpers.

class plaso.formatters.winevt.WindowsEventLogMessageFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows EventLog message formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_eventlog_message'

plaso.formatters.winlnk module

Windows Shortcut (LNK) custom event formatter helpers.

class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Shortcut (LNK) linked path formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_shortcut_linked_path'

plaso.formatters.winprefetch module

Windows Prefetch custom event formatter helpers.

class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Prefetch path hints formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_path_hints'
class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Prefetch volumes string formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_volumes_string'

plaso.formatters.winreg module

Windows Registry custom event formatter helpers.

class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Registry values formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_registry_values'

plaso.formatters.yaml_formatters_file module

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatter definitions. An event formatter definition consists of:

type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’ short_source: ‘FILE’ source: ‘File stat’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

  • data_type, defines the corresponding event data type;

  • message, defines a list of message string pieces;

  • separator, defines the message and short message string pieces separator;

  • short_message, defines the short message string pieces;

  • short_source, defines the short source description;

  • source, defines the source description.

ReadFromFile(path)[source]

Reads the event formatters from a YAML file.

Parameters

path (str) – path to a formatters file.

Yields

EventFormatter – an event formatter.

Module contents

This file contains an import statement for each formatter.