plaso.formatters package¶

Submodules¶

plaso.formatters.chrome module¶

Google Chrome history custom event formatter helpers.

class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome history typed count formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_history_typed_count'¶

plaso.formatters.chrome_preferences module¶

Google Chrome preferences custom event formatter helpers.

class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome preferences primary URL formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_primary_url'¶

class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome preferences secondary URL formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_secondary_url'¶

plaso.formatters.default module¶

The default event formatter.

class plaso.formatters.default.DefaultEventFormatter[source]¶

Bases: plaso.formatters.interface.BasicEventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'¶

FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'¶

FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'¶

FormatEventValues(event_values)[source]¶

Formats event values using the helpers.

Parameters: event_values (dict[str, object]) – event values.

plaso.formatters.file_system module¶

File system custom event formatter helpers.

class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS file reference formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_file_reference'¶

class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS parent file reference formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_parent_file_reference'¶

class plaso.formatters.file_system.NTFSPathHintsFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS path hints formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_path_hints'¶

plaso.formatters.firefox module¶

Mozilla Firefox history custom event formatter helpers.

class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Mozilla Firefox history typed count formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_typed_count'¶

class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Mozilla Firefox history URL hidden formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_url_hidden'¶

plaso.formatters.interface module¶

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)[source]¶

Bases: plaso.formatters.interface.EventFormatter

Format event values using a message format string.

custom_helpers¶

identifiers of custom event formatter helpers.

Type: list[str]

helpers¶

event formatter helpers.

Type: list[EventFormatterHelper]

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessage(event_values)[source]¶

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

GetMessageShort(event_values)[source]¶

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]¶

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting boolean event data.

input_attribute¶

name of the attribute that contains the boolean input value.

Type: str

output_attribute¶

name of the attribute where the boolean output value should be stored.

Type: str

value_if_false¶

output value if the boolean input value is False.

Type: str

value_if_true¶

output value if the boolean input value is True.

Type: str

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]¶

Bases: plaso.formatters.interface.EventFormatter

Conditionally format event values using format string pieces.

GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessage(event_values)[source]¶

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

GetMessageShort(event_values)[source]¶

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

class plaso.formatters.interface.CustomEventFormatterHelper[source]¶

Bases: plaso.formatters.interface.EventFormatterHelper

Base class for a helper for custom formatting of event data.

DATA_TYPE = ''¶

abstract FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = ''¶

class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]¶

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting enumeration event data.

default¶

default value.

Type: str

input_attribute¶

name of the attribute that contains the enumeration input value.

Type: str

output_attribute¶

name of the attribute where the enumeration output value should be stored.

Type: str

values¶

mapping of enumeration input and output values.

Type: dict[str, str]

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

If default value is None and there is no corresponding enumeration value then the original value is used.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.EventFormatter(data_type='internal')[source]¶

Bases: object

Base class to format event values.

custom_helpers¶

identifiers of custom event formatter helpers.

Type: list[str]

helpers¶

event formatter helpers.

Type: list[EventFormatterHelper]

AddCustomHelper(identifier, input_attribute=None, output_attribute=None)[source]¶

Adds a custom event formatter helper.

Parameters

identifier (str) – identifier.
input_attribute (Optional[str]) – name of the attribute that contains the input value.
output_attribute (Optional[str]) – name of the attribute where the output value should be stored.

AddHelper(helper)[source]¶

Adds an event formatter helper.

Parameters: helper (EventFormatterHelper) – event formatter helper to add.

FormatEventValues(event_values)[source]¶

Formats event values using the helpers.

Parameters: event_values (dict[str, object]) – event values.

abstract GetFormatStringAttributeNames()[source]¶

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

abstract GetMessage(event_values)[source]¶

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

abstract GetMessageShort(event_values)[source]¶

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

property data_type¶

unique identifier for the event data supported by the formatter.

Type: str

class plaso.formatters.interface.EventFormatterHelper[source]¶

Bases: object

Base class of helper for formatting event data.

abstract FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)[source]¶

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting flags event data.

input_attribute¶

name of the attribute that contains the flags input value.

Type: str

output_attribute¶

name of the attribute where the flags output value should be stored.

Type: str

values¶

mapping of flags input and output values.

Type: dict[str, str]

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

plaso.formatters.logger module¶

The formatters sub module logger.

plaso.formatters.manager module¶

Manages custom event formatter helpers.

class plaso.formatters.manager.FormattersManager[source]¶

Bases: object

Custom event formatter helpers manager.

classmethod GetEventFormatterHelper(identifier)[source]¶

Retrieves a custom event formatter helper.

Parameters

identifier (str) – identifier.

Returns

custom event formatter or None if not: available.

Return type

CustomEventFormatterHelper

classmethod RegisterEventFormatterHelper(formatter_helper_class)[source]¶

Registers a custom event formatter helper.

The custom event formatter helpers are identified based on their lower case identifier.

Parameters: formatter_helper_class (type) – class of the custom event formatter helper.
Raises: KeyError – if a custom formatter helper is already set for the corresponding identifier.

classmethod RegisterEventFormatterHelpers(formatter_helper_classes)[source]¶

Registers custom event formatter helpers.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.
Raises: KeyError – if a custom formatter helper is already set for the corresponding data type.

plaso.formatters.msiecf module¶

MSIE cache file custom event formatter helpers.

class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

MSIE cache file cached path formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_cached_path'¶

class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

MSIE cache file HTTP headers formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_http_headers'¶

plaso.formatters.shell_items module¶

Windows shell item custom event formatter helpers.

class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows shell item file entry formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'shell_item_file_entry_name'¶

plaso.formatters.winevt_rc module¶

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]¶

Bases: object

Class that defines a sqlite3 database file.

Close()[source]¶

Closes the database file.

Raises: RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]¶

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)[source]¶

Determines if a specific table exists.

Parameters: table_name (str) – table name.
Returns: True if the table exists.
Return type: bool
Raises: RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]¶

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]¶

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]¶: Closes the database reader object.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]¶

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]¶

Retrieves a specific message for a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)[source]¶

Retrieves the metadata attribute.

Parameters: attribute_name (str) – name of the metadata attribute.
Returns: the metadata attribute or None.
Return type: str
Raises: RuntimeError – if more than one value is found in the database.

Open(filename)[source]¶

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool
Raises: RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winlnk module¶

Windows Shortcut (LNK) custom event formatter helpers.

class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Shortcut (LNK) linked path formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_shortcut_linked_path'¶

plaso.formatters.winprefetch module¶

Windows Prefetch custom event formatter helpers.

class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Prefetch path hints formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_path_hints'¶

class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Prefetch volumes string formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_volumes_string'¶

plaso.formatters.winreg module¶

Windows Registry custom event formatter helpers.

class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper[source]¶

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Registry values formatter helper.

FormatEventValues(event_values)[source]¶

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_registry_values'¶

plaso.formatters.yaml_formatters_file module¶

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]¶

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatters. type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

data_type, defines the corresponding event data type;
message, defines a list of message string pieces;
separator, defines the message and short message string pieces separator;
short_message, defines the short message string pieces;

ReadFromFile(path)[source]¶

Reads the event formatters from the YAML-based formatters file.

Parameters: path (str) – path to a formatters file.
Returns: event formatters.
Return type: list[EventFormatter]

Module contents¶

This file contains an import statement for each formatter.