plaso.formatters package

Submodules

plaso.formatters.asl module

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = 'mac:asl:event'

FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']

FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'ASL entry'

SOURCE_SHORT = 'LOG'

plaso.formatters.bsm module

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = 'bsm:event'

FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']

FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'BSM entry'

SOURCE_SHORT = 'LOG'

plaso.formatters.chrome module

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = 'chrome:history:file_downloaded'

FORMAT_STRING_PIECES = ['{url}', '({full_path}).', 'Received: {received_bytes} bytes', 'out of: {total_bytes} bytes.']

FORMAT_STRING_SHORT_PIECES = ['{full_path} downloaded', '({received_bytes} bytes)']

SOURCE_LONG = 'Chrome History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.chrome.ChromePageVisitedFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = 'chrome:history:page_visited'

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']

FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome History'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_cache module

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = 'chrome:cache:entry'

FORMAT_STRING_PIECES = ['Original URL: {original_url}']

SOURCE_LONG = 'Chrome Cache'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_extension_activity module

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = 'chrome:extension_activity:activity_log'

FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type}', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']

FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Extension Activity'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_preferences module

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'

FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']

FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Permission Event'

SOURCE_SHORT = 'LOG'

plaso.formatters.cups_ipp module

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = 'cups:ipp:event'

FORMAT_STRING_PIECES = ['Status: {status}', 'User: {user}', 'Owner: {owner}', 'Job Name: {job_name}', 'Application: {application}', 'Document type: {type_doc}', 'Printer: {printer_id}']

FORMAT_STRING_SHORT_PIECES = ['Status: {status}', 'Job Name: {job_name}']

SOURCE_LONG = 'CUPS IPP Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'

FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'

FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

plaso.formatters.docker module

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = 'docker:json'

FORMAT_STRING_SHORT_PIECES = ['{id}']

SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerContainerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = 'docker:json:container'

FORMAT_STRING_PIECES = ['Action: {action}', 'Container Name: {container_name}', 'Container ID: {container_id}']

FORMAT_STRING_SEPARATOR = ', '

SOURCE_LONG = 'Docker Container'

SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerContainerLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event

DATA_TYPE = 'docker:json:container:log'

FORMAT_STRING_PIECES = ('Text: {log_line}', 'Container ID: {container_id}', 'Source: {log_source}')

FORMAT_STRING_SEPARATOR = ', '

SOURCE_LONG = 'Docker Container Logs'

SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerLayerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = 'docker:json:layer'

FORMAT_STRING_PIECES = ('Command: {command}', 'Layer ID: {layer_id}')

FORMAT_STRING_SEPARATOR = ', '

SOURCE_LONG = 'Docker Layer'

SOURCE_SHORT = 'DOCKER'

plaso.formatters.dpkg module

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = 'dpkg:line'

FORMAT_STRING_PIECES = ['{body}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'dpkg log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.file_system module

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = 'fs:stat'

FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']

FORMAT_STRING_SHORT_PIECES = ['{filename}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)

Determines the the short and long source for an event.

Parameters

• event (EventObject) – event.

• event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'

class plaso.formatters.file_system.NTFSFileStatEventFormatter

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = 'fs:stat:ntfs'

FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})', 'Path hints: {path_hints}']

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{attribute_name}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'

class plaso.formatters.file_system.NTFSUSNChangeEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = 'fs:ntfs:usn_change'

FORMAT_STRING_PIECES = ['{filename}', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{update_reason}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'

plaso.formatters.firefox module

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = 'firefox:places:bookmark_annotation'

FORMAT_STRING_PIECES = ['Bookmark Annotation: [{content}]', 'to bookmark [{title}]', '({url})']

FORMAT_STRING_SHORT_PIECES = ['Bookmark Annotation: {title}']

SOURCE_LONG = 'Firefox History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = 'firefox:places:bookmark_folder'

FORMAT_STRING = '{title}'

SOURCE_LONG = 'Firefox History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = 'firefox:places:bookmark'

FORMAT_STRING_PIECES = ['Bookmark {type}', '{title}', '({url})', '[{places_title}]', 'visit count {visit_count}']

FORMAT_STRING_SHORT_PIECES = ['Bookmarked {title}', '({url})']

SOURCE_LONG = 'Firefox History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxDowloadFormatter

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = 'firefox:downloads:download'

FORMAT_STRING = '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'

FORMAT_STRING_SHORT = '{full_path} downloaded ({received_bytes} bytes)'

SOURCE_LONG = 'Firefox History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxPageVisitFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = 'firefox:places:page_visited'

FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']

FORMAT_STRING_SHORT_PIECES = ['URL: {url}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Firefox History'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cache module

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = 'firefox:cache:record'

FORMAT_STRING_PIECES = ['Fetched {fetch_count} time(s)', '[{response_code}]', '{request_method}', '"{url}"']

FORMAT_STRING_SHORT_PIECES = ['[{response_code}]', '{request_method}', '"{url}"']

SOURCE_LONG = 'Firefox Cache'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cookies module

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = 'firefox:cookie:entry'

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only]: {httponly}', '(GA analysis: {ga_data})']

FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']

SOURCE_LONG = 'Firefox Cookies'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.fseventsd module

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = 'macos:fseventsd:record'

FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']

FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FSEVENT'

plaso.formatters.ganalytics module

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utma'

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Visitor ID: {visitor_id}']

FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']

SOURCE_LONG = 'Google Analytics Cookies'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmb'

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Pages Viewed: {pages_viewed}', 'Domain Hash: {domain_hash}']

class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmt'

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})']

class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmz'

FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Sources: {sources}', 'Last source used to access: {utmcsr}', 'Ad campaign information: {utmccn}', 'Last type of visit: {utmcmd}', 'Keywords used to find site: {utmctr}', 'Path to the page of referring link: {utmcct}']

plaso.formatters.gdrive module

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'

FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']

FORMAT_STRING_SHORT_PIECES = ['{path}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Drive (cloud entry)'

SOURCE_SHORT = 'LOG'

class plaso.formatters.gdrive.GDriveLocalEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = 'gdrive:snapshot:local_entry'

FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']

FORMAT_STRING_SHORT_PIECES = ['{path}']

SOURCE_LONG = 'Google Drive (local entry)'

SOURCE_SHORT = 'LOG'

plaso.formatters.gdrive_synclog module

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = 'gdrive_sync:log:line'

FORMAT_STRING_PIECES = ['[{log_level}', '{pid}', '{thread}', '{source_code}]', '{message}']

FORMAT_STRING_SHORT_PIECES = ['{message}']

SOURCE_LONG = 'GoogleDriveSync Log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.hangouts_messages module

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Hangouts message event.

DATA_TYPE = 'android:messaging:hangouts'

FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']

FORMAT_STRING_SHORT_PIECES = ['{body}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters

• formatter_mediator (FormatterMediator) – not used.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Hangouts Message'

SOURCE_SHORT = 'HANGOUTS'

VALUE_FORMATTERS = {'message_status': <function HangoutsFormatter.<lambda>>, 'message_type': <function HangoutsFormatter.<lambda>>}

plaso.formatters.iis module

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = 'iis:log:line'

FORMAT_STRING_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']', 'HTTP Status: {http_status}', 'Bytes Sent: {sent_bytes}', 'Bytes Received: {received_bytes}', 'User Agent: {user_agent}', 'Protocol Version: {protocol_version}']

FORMAT_STRING_SHORT_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']']

SOURCE_LONG = 'IIS Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.imessage module

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = 'imessage:event:chat'

FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']

FORMAT_STRING_SHORT_PIECES = ['{text}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Apple iMessage Application'

SOURCE_SHORT = 'iMessage'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = ['']

FORMAT_STRING_SEPARATOR = ' '

FORMAT_STRING_SHORT_PIECES = ['']

GetFormatStringAttributeNames()

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

• RuntimeError – when an invalid format string piece is encountered.

• WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.interface.EventFormatter

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

DATA_TYPE = 'internal'

FORMAT_STRING = ''

FORMAT_STRING_SHORT = ''

GetFormatStringAttributeNames()

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)

Determines the the short and long source for an event.

Parameters

• event (EventObject) – event.

• event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = ''

SOURCE_SHORT = 'LOG'

plaso.formatters.ipod module

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = 'ipod:device:entry'

FORMAT_STRING_PIECES = ['Device ID: {device_id}', 'Type: {device_class}', '[{family_id}]', 'Connected {use_count} times', 'Serial nr: {serial_number}', 'IMEI [{imei}]']

SOURCE_LONG = 'iPod Connections'

SOURCE_SHORT = 'LOG'

plaso.formatters.java_idx module

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Java WebStart Cache IDX download event.

DATA_TYPE = 'java:download:idx'

FORMAT_STRING_PIECES = ['IDX Version: {idx_version}', 'Host IP address: ({ip_address})', 'Download URL: {url}']

SOURCE_LONG = 'Java Cache IDX'

SOURCE_SHORT = 'JAVA_IDX'

plaso.formatters.kik_ios module

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = 'ios:kik:messaging'

FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']

FORMAT_STRING_SHORT_PIECES = ['{body}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Kik iOS messages'

SOURCE_SHORT = 'Kik iOS'

plaso.formatters.kodi module

The Kodi MyVideos database event formatter.

class plaso.formatters.kodi.KodiFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Kodi Video event.

DATA_TYPE = 'kodi:videos:viewing'

FORMAT_STRING_PIECES = ['Video: {filename}', 'Play Count: {play_count}']

FORMAT_STRING_SHORT_PIECES = ['{filename}']

SOURCE_LONG = 'Kodi Video Viewed'

SOURCE_SHORT = 'KODI'

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.ls_quarantine module

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = 'macosx:lsquarantine'

FORMAT_STRING_PIECES = ['[{agent}]', 'Downloaded: {url}', '<{data}>']

FORMAT_STRING_SHORT_PIECES = ['{url}']

SOURCE_LONG = 'LS Quarantine Event'

SOURCE_SHORT = 'LOG'

plaso.formatters.mac_appfirewall module

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for MacOS appfirewall.log file event.

DATA_TYPE = 'mac:appfirewall:line'

FORMAT_STRING_PIECES = ['Computer: {computer_name}', 'Agent: {agent}', 'Status: {status}', 'Process name: {process_name}', 'Log: {action}']

FORMAT_STRING_SHORT_PIECES = ['Process name: {process_name}', 'Status: {status}']

SOURCE_LONG = 'Mac AppFirewall Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.mac_document_versions module

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = 'mac:document_versions:file'

FORMAT_STRING_PIECES = ['Version of [{name}]', '({path})', 'stored in {version_path}', 'by {user_sid}']

FORMAT_STRING_SHORT_PIECES = ['Stored a document version of [{name}]']

SOURCE_LONG = 'Document Versions'

SOURCE_SHORT = 'HISTORY'

plaso.formatters.mac_keychain module

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = 'mac:keychain:application'

FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}']

FORMAT_STRING_SHORT_PIECES = ['{entry_name}']

SOURCE_LONG = 'Keychain Application password'

SOURCE_SHORT = 'LOG'

class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = 'mac:keychain:internet'

FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}', 'Where: {where}', 'Protocol: {protocol}', '({type_protocol})']

FORMAT_STRING_SHORT_PIECES = ['{entry_name}']

SOURCE_LONG = 'Keychain Internet password'

SOURCE_SHORT = 'LOG'

plaso.formatters.mac_knowledgec module

The MacOS KnowledgeC datbase event formatters.

class plaso.formatters.mac_knowledgec.MacKnowledgeCApplicationFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC application event.

DATA_TYPE = 'mac:knowledgec:application'

FORMAT_STRING_PIECES = ['Application {bundle_identifier} executed', 'for {duration} seconds']

FORMAT_STRING_SHORT_PIECES = ['Application {bundle_identifier}']

SOURCE_LONG = 'KnowledgeC Application'

SOURCE_SHORT = 'LOG'

class plaso.formatters.mac_knowledgec.MacKnowledgeCSafariFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC Safari event.

DATA_TYPE = 'mac:knowledgec:safari'

FORMAT_STRING_PIECES = ['Visited: {url}', '({title})', 'Duration: {duration}']

FORMAT_STRING_SHORT_PIECES = ['Safari: {url}']

SOURCE_LONG = 'KnowledgeC Safari'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.mac_notes module

The Mac Notes event formatter.

class plaso.formatters.mac_notes.MacNotesNotesFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Mac Notes record

DATA_TYPE = 'mac:notes:note'

FORMAT_STRING_PIECES = ['title:{title}', 'note_text:{text}']

FORMAT_STRING_SHORT_PIECES = ['title:{title}']

SOURCE_LONG = 'Mac Notes'

SOURCE_SHORT = 'Mac Note'

plaso.formatters.mac_notificationcenter module

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = 'mac:notificationcenter:db'

FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']

FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Notification Center'

SOURCE_SHORT = 'NOTIFICATION'

plaso.formatters.mac_securityd module

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = 'mac:securityd:line'

FORMAT_STRING_PIECES = ['Sender: {sender}', '({sender_pid})', 'Level: {level}', 'Facility: {facility}', 'Text: {message}']

FORMAT_STRING_SHORT_PIECES = ['Text: {message}']

SOURCE_LONG = 'Mac Securityd Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.mac_wifi module

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = 'mac:wifilog:line'

FORMAT_STRING_PIECES = ['Action: {action}', 'Agent: {agent}', '({function})', 'Log: {text}']

FORMAT_STRING_SHORT_PIECES = ['Action: {action}']

SOURCE_LONG = 'Mac Wifi Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.mackeeper_cache module

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = 'mackeeper:cache'

FORMAT_STRING_PIECES = ['{description}', '<{event_type}>', ':', '{text}', '[', 'URL: {url}', 'Event ID: {record_id}', 'Room: {room}', ']']

FORMAT_STRING_SHORT_PIECES = ['<{event_type}>', '{text}']

SOURCE_LONG = 'MacKeeper Cache'

SOURCE_SHORT = 'LOG'

plaso.formatters.mactime module

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = 'fs:mactime:line'

FORMAT_STRING = '{filename}'

SOURCE_LONG = 'Mactime Bodyfile'

SOURCE_SHORT = 'FILE'

plaso.formatters.manager module

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_class (type) – class of the formatter.

Raises

KeyError – if formatter class is not set for the corresponding data type.

classmethod GetFormatterObject(data_type)

Retrieves the formatter object for a specific data type.

Parameters

data_type (str) – data type.

Returns

corresponding formatter or the default formatter if

not available.

Return type

EventFormatter

classmethod GetMessageStrings(formatter_mediator, event_data)

Retrieves the formatted message strings for a specific event.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

long and short version of the message string.

Return type

list[str, str]

classmethod GetSourceStrings(event, event_data)

Retrieves the formatted source strings for a specific event.

Parameters

• event (EventObject) – event.

• event_data (EventData) – event data.

Returns

short and long version of the source of the event.

Return type

list[str, str]

classmethod GetUnformattedAttributes(event_data)

Retrieves names of the event data attributes that are not formatted.

Parameters

event_data (EventData) – event data.

Returns

names of the event data attributes that are not formatted.

Return type

list[str]

classmethod ReadFormattersFromDirectory(path)

Reads formatters from a directory.

Parameters

path (str) – path of directory that contains the formatters configuration files.

Raises

KeyError – if formatter class is already set for the corresponding data type.

classmethod ReadFormattersFromFile(path)

Reads formatters from a file.

Parameters

path (str) – path of file that contains the formatters configuration.

Raises

KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatter(formatter_class)

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_class (type) – class of the formatter.

Raises

KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatters(formatter_classes)

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_classes (list[type]) – classes of the formatters.

Raises

KeyError – if formatter class is already set for the corresponding data type.

classmethod Reset()

Resets the manager to the hardcoded formatter classes.

This method is used during unit testing.

plaso.formatters.mcafeeav module

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = 'av:mcafee:accessprotectionlog'

FORMAT_STRING_PIECES = ['File Name: {filename}', 'User: {username}', '{trigger_location}', '{status}', '{rule}', '{action}']

FORMAT_STRING_SHORT_PIECES = ['{filename}', '{action}']

SOURCE_LONG = 'McAfee Access Protection Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.mediator module

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'

DEFAULT_LCID = 1033

GetWindowsEventMessage(log_source, message_identifier)

Retrieves the message string for a specific Windows Event Log source.

Parameters

• log_source (str) – Event Log source, such as “Application Error”.

• message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

SetPreferredLanguageIdentifier(language_identifier)

Sets the preferred language identifier.

Parameters

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises

• KeyError – if the language identifier is not defined.

• ValueError – if the language identifier is not a string type.

lcid

preferred Language Code identifier (LCID).

Type

int

plaso.formatters.mrulist module

The MRUList event formatter.

class plaso.formatters.mrulist.MRUListEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MRUList event.

DATA_TYPE = 'windows:registry:mrulist'

FORMAT_STRING = '[{key_path}] {entries}'

FORMAT_STRING_ALTERNATIVE = '{entries}'

SOURCE_LONG = 'Registry Key : MRU List'

SOURCE_SHORT = 'REG'

plaso.formatters.mrulistex module

The MRUListEx event formatter.

class plaso.formatters.mrulistex.MRUListExEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MRUListEx event.

DATA_TYPE = 'windows:registry:mrulistex'

FORMAT_STRING = '[{key_path}] {entries}'

FORMAT_STRING_ALTERNATIVE = '{entries}'

SOURCE_LONG = 'Registry Key : MRUListEx'

SOURCE_SHORT = 'REG'

plaso.formatters.msie_webcache module

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = 'msie:webcache:container'

FORMAT_STRING_PIECES = ['URL: {url}', 'Redirect URL: {redirect_url}', 'Access count: {access_count}', 'Sync count: {sync_count}', 'Filename: {cached_filename}', 'File extension: {file_extension}', 'Cached file size: {cached_file_size}', 'Request headers: {request_headers}', 'Response headers: {response_headers}', 'Entry identifier: {entry_identifier}', 'Container identifier: {container_identifier}', 'Cache identifier: {cache_identifier}']

FORMAT_STRING_SHORT_PIECES = ['URL: {url}']

SOURCE_LONG = 'MSIE WebCache container record'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = 'msie:webcache:containers'

FORMAT_STRING_PIECES = ['Name: {name}', 'Directory: {directory}', 'Table: Container_{container_identifier}', 'Container identifier: {container_identifier}', 'Set identifier: {set_identifier}']

FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']

SOURCE_LONG = 'MSIE WebCache containers record'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = 'msie:webcache:leak_file'

FORMAT_STRING_PIECES = ['Filename: {cached_filename}', 'Leak identifier: {leak_identifier}']

FORMAT_STRING_SHORT_PIECES = ['Filename: {cached_filename}']

SOURCE_LONG = 'MSIE WebCache partitions record'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = 'msie:webcache:partitions'

FORMAT_STRING_PIECES = ['Partition identifier: {partition_identifier}', 'Partition type: {partition_type}', 'Directory: {directory}', 'Table identifier: {table_identifier}']

FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']

SOURCE_LONG = 'MSIE WebCache partitions record'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.msie_zones module

The MSIE zone settings event formatter.

class plaso.formatters.msie_zones.MSIEZoneSettingsEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MSIE zone settings event.

DATA_TYPE = 'windows:registry:msie_zone_settings'

FORMAT_STRING = '[{key_path}] {settings}'

FORMAT_STRING_ALTERNATIVE = '{settings}'

SOURCE_LONG = 'Registry Key'

SOURCE_SHORT = 'REG'

plaso.formatters.msiecf module

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = 'msiecf:leak'

FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']

FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']

SOURCE_LONG = 'MSIE Cache File leak record'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.msiecf.MsiecfRedirectedFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = 'msiecf:redirected'

FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']

FORMAT_STRING_SHORT_PIECES = ['Location: {url}']

SOURCE_LONG = 'MSIE Cache File redirected record'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.msiecf.MsiecfUrlFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = 'msiecf:url'

FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']

FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']

SOURCE_LONG = 'MSIE Cache File URL record'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.networkminer module

The NetworkMiner file event formatter.

class plaso.formatters.networkminer.NetworkminerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for NetworkMiner’s fileinfo Log event.

DATA_TYPE = 'networkminer:fileinfos:file'

FORMAT_STRING_PIECES = ['Source IP: {source_ip}', 'Source Port: {source_port}', 'Destination IP: {destination_ip}', 'Destination Port: {destination_port}', '{filename}', '{file_path}', '{file_size}', '{file_md5}', '{file_details}']

FORMAT_STRING_SHORT_PIECES = ['Source IP: {source_ip}', 'Destination IP: {destination_ip}', '{filename}', '{file_path}', '{file_md5}']

SOURCE_LONG = 'NetworkMiner fileinfos'

SOURCE_SHORT = 'NetworkMiner'

plaso.formatters.olecf module

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = 'olecf:dest_list:entry'

FORMAT_STRING_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']

FORMAT_STRING_SHORT_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = 'olecf:document_summary_info'

FORMAT_STRING_PIECES = ['Number of bytes: {number_of_bytes}', 'Number of lines: {number_of_lines}', 'Number of paragraphs: {number_of_paragraphs}', 'Number of slides: {number_of_slides}', 'Number of notes: {number_of_notes}', 'Number of hidden slides: {number_of_hidden_slides}', 'Number of multi-media clips: {number_of_clips}', 'Company: {company}', 'Manager: {manager}', 'Shared document: {shared_document}', 'Application version: {application_version}', 'Content type: {content_type}', 'Content status: {content_status}', 'Language: {language}', 'Document version: {document_version}']

FORMAT_STRING_SHORT_PIECES = ['Company: {company}']

SOURCE_LONG = 'OLECF Document Summary Info'

SOURCE_SHORT = 'OLECF'

class plaso.formatters.olecf.OLECFItemFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = 'olecf:item'

FORMAT_STRING = 'Name: {name}'

FORMAT_STRING_SHORT = 'Name: {name}'

SOURCE_LONG = 'OLECF Item'

SOURCE_SHORT = 'OLECF'

class plaso.formatters.olecf.OLECFSummaryInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = 'olecf:summary_info'

FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']

FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'OLECF Summary Info'

SOURCE_SHORT = 'OLECF'

plaso.formatters.opera module

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = 'opera:history:entry'

FORMAT_STRING_PIECES = ['{url}', '({title})', '[{description}]']

SOURCE_LONG = 'Opera Browser History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.opera.OperaTypedHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = 'opera:history:typed_entry'

FORMAT_STRING_PIECES = ['{url}', '({entry_selection})']

SOURCE_LONG = 'Opera Browser History'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.oxml module

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = 'metadata:openxml'

FORMAT_STRING_PIECES = ['Creating App: {creating_app}', 'App version: {app_version}', 'Title: {title}', 'Subject: {subject}', 'Last saved by: {last_saved_by}', 'Author: {author}', 'Total edit time (secs): {total_edit_time}', 'Keywords: {keywords}', 'Comments: {comments}', 'Revision number: {revision_number}', 'Template: {template}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Number of characters with spaces: {number_of_characters_with_spaces}', 'Number of lines: {number_of_lines}', 'Company: {company}', 'Manager: {manager}', 'Shared: {shared}', 'Security: {security}', 'Hyperlinks changed: {hyperlinks_changed}', 'Links up to date: {links_up_to_date}', 'Scale crop: {scale_crop}', 'Digital signature: {dig_sig}', 'Slides: {slides}', 'Hidden slides: {hidden_slides}', 'Presentation format: {presentation_format}', 'MM clips: {mm_clips}', 'Notes: {notes}']

FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}']

SOURCE_LONG = 'Open XML Metadata'

SOURCE_SHORT = 'META'

plaso.formatters.pe module

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = 'pe:compilation:compilation_time'

SOURCE_LONG = 'PE Compilation time'

class plaso.formatters.pe.PEDelayImportFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = 'pe:delay_import:import_time'

FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']

FORMAT_STRING_SHORT_PIECES = ['{dll_name}']

SOURCE_LONG = 'PE Delay Import Time'

class plaso.formatters.pe.PEEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = 'pe'

FORMAT_STRING_PIECES = ['PE Type: {pe_type}', 'Import hash: {imphash}']

FORMAT_STRING_SEPARATOR = ' '

FORMAT_STRING_SHORT_PIECES = ['pe_type']

SOURCE_LONG = 'PE Event'

SOURCE_SHORT = 'PE'

class plaso.formatters.pe.PEImportFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = 'pe:import:import_time'

FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']

FORMAT_STRING_SHORT_PIECES = ['{dll_name}']

SOURCE_LONG = 'PE Import Time'

class plaso.formatters.pe.PELoadConfigModificationEvent

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = 'pe:load_config:modification_time'

SOURCE_LONG = 'PE Load Configuration Table Time'

class plaso.formatters.pe.PEResourceCreationFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = 'pe:resource:creation_time'

SOURCE_LONG = 'PE Resource Creation Time'

plaso.formatters.plist module

The plist event formatter.

class plaso.formatters.plist.PlistFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = 'plist:key'

FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'Plist Entry'

SOURCE_SHORT = 'PLIST'

plaso.formatters.pls_recall module

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = 'PLSRecall:event'

FORMAT_STRING_PIECES = ['Sequence number: {sequence_number}', 'Username: {username}', 'Database name: {database_name}', 'Query: {query}']

FORMAT_STRING_SHORT_PIECES = ['{sequence_number}', '{username}', '{database_name}', '{query}']

SOURCE_LONG = 'PL/SQL Developer Recall file'

SOURCE_SHORT = 'PLSRecall'

plaso.formatters.popcontest module

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = 'popularity_contest:log:event'

FORMAT_STRING_PIECES = ['mru [{mru}]', 'package [{package}]', 'tag [{record_tag}]']

FORMAT_STRING_SHORT_PIECES = ['{mru}']

SOURCE_LONG = 'Popularity Contest Log'

SOURCE_SHORT = 'LOG'

class plaso.formatters.popcontest.PopularityContestSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = 'popularity_contest:session:event'

FORMAT_STRING_PIECES = ['Session {session}', '{status}', 'ID {hostid}', '[{details}]']

FORMAT_STRING_SHORT_PIECES = ['Session {session}', '{status}']

SOURCE_LONG = 'Popularity Contest Session'

SOURCE_SHORT = 'LOG'

plaso.formatters.programscache module

The Explorer ProgramsCache event formatter.

class plaso.formatters.programscache.ExplorerProgramsCacheEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Explorer ProgramsCache event.

DATA_TYPE = 'windows:registry:explorer:programcache'

FORMAT_STRING_PIECES = ['Key: {key_path}', 'Value: {value_name}', 'Entries: [{entries}]']

SOURCE_LONG = 'Registry Key'

SOURCE_SHORT = 'REG'

plaso.formatters.recycler module

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = 'windows:metadata:deleted_item'

FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']

FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Recycle Bin'

SOURCE_SHORT = 'RECBIN'

plaso.formatters.safari module

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = 'safari:history:visit'

FORMAT_STRING_PIECES = ['Visited: {url}', '({title}', '- {display_title}', ')', 'Visit Count: {visit_count}']

SOURCE_LONG = 'Safari History'

SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.safari.SafariHistoryFormatterSqlite

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from Sqlite History.db

DATA_TYPE = 'safari:history:visit_sqlite'

FORMAT_STRING_PIECES = ['URL: {url}', 'Title: ({title})', '[count: {visit_count}]', 'http_non_get: {was_http_non_get}']

SOURCE_LONG = 'Safari History'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.safari_cookies module

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = 'safari:cookie:entry'

FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']

FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Safari Cookies'

SOURCE_SHORT = 'WEBHIST'

plaso.formatters.santa module

Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa disk mount event.

DATA_TYPE = 'santa:diskmount'

FORMAT_STRING_PIECES = ['Santa {action}', 'on ({mount})', 'serial: ({serial})', 'for ({dmg_path})']

FORMAT_STRING_SHORT_PIECES = ['{action}', '{volume}']

SOURCE_LONG = 'Santa disk mount'

SOURCE_SHORT = 'LOG'

class plaso.formatters.santa.SantaExecutionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa execution event.

DATA_TYPE = 'santa:execution'

FORMAT_STRING_PIECES = ['Santa {decision}', 'process: {process_path}', 'hash: {process_hash}']

FORMAT_STRING_SHORT_PIECES = ['{decision}', 'process: {process_path}']

SOURCE_LONG = 'Santa Execution'

SOURCE_SHORT = 'LOG'

class plaso.formatters.santa.SantaFileSystemFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa file system event.

DATA_TYPE = 'santa:file_system_event'

FORMAT_STRING_PIECES = ['Santa {action} event', '{file_path}', 'by process: {process_path}']

FORMAT_STRING_SHORT_PIECES = ['File {action}', 'on: {file_path}']

SOURCE_LONG = 'Santa FSEvent'

SOURCE_SHORT = 'LOG'

plaso.formatters.sccm module

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = 'software_management:sccm:log'

FORMAT_STRING_PIECES = ['{component}', '{text}']

FORMAT_STRING_SEPARATOR = ' '

FORMAT_STRING_SHORT_PIECES = ['{text}']

SOURCE_LONG = 'SCCM Event'

SOURCE_SHORT = 'LOG'

plaso.formatters.selinux module

The selinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a selinux log file event.

DATA_TYPE = 'selinux:line'

FORMAT_STRING_PIECES = ['[', 'audit_type: {audit_type}', ', pid: {pid}', ']', ' {body}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'Audit log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.services module

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.services.WinRegistryServiceFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows service event.

DATA_TYPE = 'windows:registry:service'

FORMAT_STRING_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']

FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

plaso.formatters.setupapi module

Windows Setupapi log event formatter.

class plaso.formatters.setupapi.SetupapiLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Setupapi log file event.

DATA_TYPE = 'setupapi:log:line'

FORMAT_STRING_PIECES = ['{entry_type}', '{exit_status}']

FORMAT_STRING_SEPARATOR = ' - '

FORMAT_STRING_SHORT_PIECES = ['{exit_status}', '{entry_type}']

SOURCE_LONG = 'Windows Setupapi Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.shell_items module

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = 'windows:shell_item:file_entry'

FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'File entry shell item'

SOURCE_SHORT = 'FILE'

plaso.formatters.shutdown module

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = 'windows:registry:shutdown'

FORMAT_STRING_PIECES = ['[{key_path}]', 'Description: {value_name}']

FORMAT_STRING_SHORT_PIECES = ['{value_name}']

SOURCE_LONG = 'Registry Key Shutdown Entry'

SOURCE_SHORT = 'REG'

plaso.formatters.skydrivelog module

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = 'skydrive:log:line'

FORMAT_STRING_PIECES = ['[{module}', '{source_code}', '{log_level}]', '{detail}']

FORMAT_STRING_SHORT_PIECES = ['{detail}']

SOURCE_LONG = 'SkyDrive Log File'

SOURCE_SHORT = 'LOG'

class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = 'skydrive:log:old:line'

FORMAT_STRING_PIECES = ['[{source_code}]', '({log_level})', '{text}']

FORMAT_STRING_SHORT_PIECES = ['{text}']

SOURCE_LONG = 'SkyDrive Log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.skype module

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = 'skype:event:account'

FORMAT_STRING_PIECES = ['{username}', '[{email}]', 'Country: {country}']

SOURCE_LONG = 'Skype Account'

SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeCallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = 'skype:event:call'

FORMAT_STRING_PIECES = ['From: {src_call}', 'To: {dst_call}', '[{call_type}]']

SOURCE_LONG = 'Skype Call'

SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeChatFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = 'skype:event:chat'

FORMAT_STRING_PIECES = ['From: {from_account}', 'To: {to_account}', '[{title}]', 'Message: [{text}]']

FORMAT_STRING_SHORT_PIECES = ['From: {from_account}', 'To: {to_account}']

SOURCE_LONG = 'Skype Chat MSG'

SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeSMSFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = 'skype:event:sms'

FORMAT_STRING_PIECES = ['To: {number}', '[{text}]']

SOURCE_LONG = 'Skype SMS'

SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeTransferFileFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = 'skype:event:transferfile'

FORMAT_STRING_PIECES = ['Source: {source}', 'Destination: {destination}', 'File: {transferred_filename}', '[{action_type}]']

SOURCE_LONG = 'Skype Transfer Files'

SOURCE_SHORT = 'LOG'

plaso.formatters.sophos_av module

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = 'sophos:av:log'

FORMAT_STRING_PIECES = ['{text}']

SOURCE_LONG = 'Sophos Anti-Virus log'

SOURCE_SHORT = 'LOG'

plaso.formatters.srum module

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = 'windows:srum:application_usage'

FORMAT_STRING_PIECES = ['Application: {application}']

FORMAT_STRING_SHORT_PIECES = ['{application}']

class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = 'windows:srum:network_connectivity'

FORMAT_STRING_PIECES = ['Application: {application}']

FORMAT_STRING_SHORT_PIECES = ['{application}']

class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = 'windows:srum:network_usage'

FORMAT_STRING_PIECES = ['Application: {application}', 'Bytes received: {bytes_received}', 'Bytes sent: {bytes_sent}', 'Interface LUID: {interface_luid}', 'User identifier: {user_identifier}']

FORMAT_STRING_SHORT_PIECES = ['{application}']

plaso.formatters.ssh module

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = 'syslog:ssh:failed_connection'

FORMAT_STRING_PIECES = ['Unsuccessful connection of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = ''

FORMAT_STRING_SHORT = '{body}'

SOURCE_LONG = 'SSH log'

SOURCE_SHORT = 'LOG'

class plaso.formatters.ssh.SSHLoginEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = 'syslog:ssh:login'

FORMAT_STRING_PIECES = ['Successful login of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = ''

FORMAT_STRING_SHORT = '{body}'

SOURCE_LONG = 'SSH log'

SOURCE_SHORT = 'LOG'

class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = 'syslog:ssh:opened_connection'

FORMAT_STRING_PIECES = ['Connection opened {address}:', '{port}', 'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = ''

FORMAT_STRING_SHORT = '{body}'

SOURCE_LONG = 'SSH log'

SOURCE_SHORT = 'LOG'

plaso.formatters.symantec module

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {'1': 'Quarantined', '10': 'Renamed backup file', '11': 'Undo action in Quarantine View', '12': 'Write protected or lack of permissions - Unable to act on file', '13': 'Backed up file', '2': 'Renamed', '3': 'Deleted', '4': 'Left alone', '5': 'Cleaned', '6': 'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', '7': 'Saved file as...', '8': 'Sent to Intel (AMS)', '9': 'Moved to backup location'}

ACTION_1_2_NAMES = {'1': 'Quarantine infected file', '2': 'Rename infected file', '3': 'Delete infected file', '4': 'Leave alone (log only)', '5': 'Clean virus from file', '6': 'Clean or delete macros'}

CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY', '3': 'GL_CAT_PATTERN', '4': 'GL_CAT_SECURITY'}

DATA_TYPE = 'av:symantec:scanlog'

EVENT_NAMES = {'1': 'GL_EVENT_IS_ALERT', '10': 'GL_EVENT_CHECKSUM', '11': 'GL_EVENT_TRAP', '12': 'GL_EVENT_CONFIG_CHANGE', '13': 'GL_EVENT_SHUTDOWN', '14': 'GL_EVENT_STARTUP', '16': 'GL_EVENT_PATTERN_DOWNLOAD', '17': 'GL_EVENT_TOO_MANY_VIRUSES', '18': 'GL_EVENT_FWD_TO_QSERVER', '19': 'GL_EVENT_SCANDLVR', '2': 'GL_EVENT_SCAN_STOP', '20': 'GL_EVENT_BACKUP', '21': 'GL_EVENT_SCAN_ABORT', '22': 'GL_EVENT_RTS_LOAD_ERROR', '23': 'GL_EVENT_RTS_LOAD', '24': 'GL_EVENT_RTS_UNLOAD', '25': 'GL_EVENT_REMOVE_CLIENT', '26': 'GL_EVENT_SCAN_DELAYED', '27': 'GL_EVENT_SCAN_RESTART', '28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', '29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', '3': 'GL_EVENT_SCAN_START', '30': 'GL_EVENT_LICENSE_WARNING', '31': 'GL_EVENT_LICENSE_ERROR', '32': 'GL_EVENT_LICENSE_GRACE', '33': 'GL_EVENT_UNAUTHORIZED_COMM', '34': 'GL_EVENT_LOG_FWD_THRD_ERR', '35': 'GL_EVENT_LICENSE_INSTALLED', '36': 'GL_EVENT_LICENSE_ALLOCATED', '37': 'GL_EVENT_LICENSE_OK', '38': 'GL_EVENT_LICENSE_DEALLOCATED', '39': 'GL_EVENT_BAD_DEFS_ROLLBACK', '4': 'GL_EVENT_PATTERN_UPDATE', '40': 'GL_EVENT_BAD_DEFS_UNPROTECTED', '41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', '42': 'GL_EVENT_RTS_ERROR', '43': 'GL_EVENT_COMPLIANCE_FAIL', '44': 'GL_EVENT_COMPLIANCE_SUCCESS', '45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', '46': 'GL_EVENT_ANOMALY_START', '47': 'GL_EVENT_DETECTION_ACTION_TAKEN', '48': 'GL_EVENT_REMEDIATION_ACTION_PENDING', '49': 'GL_EVENT_REMEDIATION_ACTION_FAILED', '5': 'GL_EVENT_INFECTION', '50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', '51': 'GL_EVENT_ANOMALY_FINISH', '52': 'GL_EVENT_COMMS_LOGIN_FAILED', '53': 'GL_EVENT_COMMS_LOGIN_SUCCESS', '54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM', '55': 'GL_EVENT_CLIENT_INSTALL_AV', '56': 'GL_EVENT_CLIENT_INSTALL_FW', '57': 'GL_EVENT_CLIENT_UNINSTALL', '58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', '59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', '6': 'GL_EVENT_FILE_NOT_OPEN', '60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE', '61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', '62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', '63': 'GL_EVENT_CLIENT_CHECKIN', '64': 'GL_EVENT_CLIENT_NO_CHECKIN', '65': 'GL_EVENT_SCAN_SUSPENDED', '66': 'GL_EVENT_SCAN_RESUMED', '67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT', '68': 'GL_EVENT_CLIENT_MOVE', '69': 'GL_EVENT_SCAN_FAILED_ENHANCED', '7': 'GL_EVENT_LOAD_PATTERN', '70': 'GL_EVENT_MAX_event_name', '71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', '72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', '73': 'GL_EVENT_LOAD_ERROR_COH', '74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS', '75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', '76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', '77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN', '8': 'GL_STD_MESSAGE_INFO', '9': 'GL_STD_MESSAGE_ERROR'}

FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']

FORMAT_STRING_SEPARATOR = '; '

FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Symantec AV Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.syslog module

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment

DATA_TYPE = 'syslog:comment'

FORMAT_STRING_PIECES = ['{body}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'Log File'

SOURCE_SHORT = 'LOG'

class plaso.formatters.syslog.SyslogLineFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = 'syslog:line'

FORMAT_STRING_PIECES = ['{severity} ', '[', '{reporter}', ', pid: {pid}', '] {body}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'Log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.systemd_journal module

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter

Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Formatter for a Systemd journal dirty event.

DATA_TYPE = 'systemd:journal:dirty'

SOURCE_LONG = 'systemd-journal-dirty'

class plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = 'systemd:journal'

FORMAT_STRING_PIECES = ['{hostname} ', '[', '{reporter}', ', pid: {pid}', '] {body}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'systemd-journal'

SOURCE_SHORT = 'LOG'

plaso.formatters.tango_android module

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = 'tango:android:contact'

FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']

FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Contact'

SOURCE_SHORT = 'Tango Android'

class plaso.formatters.tango_android.TangoAndroidConversationFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android conversation event formatter.

DATA_TYPE = 'tango:android:conversation'

FORMAT_STRING_PIECES = ['Conversation ({conversation_identifier})']

FORMAT_STRING_SHORT_PIECES = ['Conversation ({conversation_identifier})']

SOURCE_LONG = 'Tango Android Conversation'

SOURCE_SHORT = 'Tango Android'

class plaso.formatters.tango_android.TangoAndroidMessageFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = 'tango:android:message'

FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']

FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Message'

SOURCE_SHORT = 'Tango Android'

plaso.formatters.task_scheduler module

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = 'task_scheduler:task_cache:entry'

FORMAT_STRING_PIECES = ['[{key_path}]', 'Task: {task_name}', '[Identifier: {task_identifier}]']

FORMAT_STRING_SHORT_PIECES = ['Task: {task_name}']

SOURCE_LONG = 'Task Cache'

SOURCE_SHORT = 'REG'

plaso.formatters.terminal_server module

The Terminal Server client event formatters.

class plaso.formatters.terminal_server.TerminalServerClientConnectionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Terminal Server client connection event.

DATA_TYPE = 'windows:registry:mstsc:connection'

FORMAT_STRING_PIECES = ['[{key_path}]', 'Username hint: {username}']

FORMAT_STRING_SHORT_PIECES = ['[{key_path}]']

SOURCE_LONG = 'Registry Key : RDP Connection'

SOURCE_SHORT = 'REG'

class plaso.formatters.terminal_server.TerminalServerClientMRUEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Terminal Server client MRU event.

DATA_TYPE = 'windows:registry:mstsc:mru'

FORMAT_STRING = '[{key_path}] {entries}'

FORMAT_STRING_ALTERNATIVE = '{entries}'

SOURCE_LONG = 'Registry Key : RDP Connection'

SOURCE_SHORT = 'REG'

plaso.formatters.text module

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = 'text:entry'

FORMAT_STRING = '{text}'

SOURCE_LONG = 'Text File'

SOURCE_SHORT = 'LOG'

plaso.formatters.trendmicroav module

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:scan'

FORMAT_STRING_PIECES = ['Path: {path}', 'File name: {filename}', '{threat}', ': {action}', '({scan_type})']

FORMAT_STRING_SHORT_PIECES = ['{path}', '{filename}', '{action}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'

SOURCE_SHORT = 'LOG'

VALUE_FORMATTERS = {'action': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>, 'scan_type': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>}

class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter

Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:webrep'

FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']

FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'

SOURCE_SHORT = 'LOG'

VALUE_FORMATTERS = {'block_mode': <function OfficeScanWebReputationLogEventFormatter.<lambda>>}

plaso.formatters.twitter_android module

Twitter on android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android contact event formatter.

DATA_TYPE = 'twitter:android:contact'

FORMAT_STRING_PIECES = ['Screen name: {username}', 'Profile picture URL: {image_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {web_url}', 'Number of followers: {followers}', 'Number of following: {friend}', 'Number of tweets: {statuses}']

FORMAT_STRING_SHORT_PIECES = ['Screen name: {username}', 'Description: {description}', 'URL: {web_url}']

SOURCE_LONG = 'Twitter Android Contacts'

SOURCE_SHORT = 'Twitter Android'

class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android search event formatter.

DATA_TYPE = 'twitter:android:search'

FORMAT_STRING_PIECES = ['Name: {name}', 'Query: {search_query}']

FORMAT_STRING_SHORT_PIECES = ['Query: {search_query}']

SOURCE_LONG = 'Twitter Android Search'

SOURCE_SHORT = 'Twitter Android'

class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android status event formatter.

DATA_TYPE = 'twitter:android:status'

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter Android Status'

SOURCE_SHORT = 'Twitter Android'

plaso.formatters.twitter_ios module

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = 'twitter:ios:contact'

FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']

FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Contacts'

SOURCE_SHORT = 'Twitter iOS'

class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = 'twitter:ios:status'

FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']

FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Status'

SOURCE_SHORT = 'Twitter iOS'

plaso.formatters.userassist module

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UserAssist Windows Registry event.

DATA_TYPE = 'windows:registry:userassist'

FORMAT_STRING_PIECES = ['[{key_path}]', 'UserAssist entry: {entry_index}', 'Value name: {value_name}', 'Count: {number_of_executions}', 'Application focus count: {application_focus_count}', 'Application focus duration: {application_focus_duration}']

FORMAT_STRING_SHORT_PIECES = ['{value_name}', 'Count: {number_of_executions}']

SOURCE_LONG = 'Registry Key: UserAssist'

SOURCE_SHORT = 'REG'

plaso.formatters.utmp module

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = 'linux:utmp:event'

FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMP session'

SOURCE_SHORT = 'LOG'

plaso.formatters.utmpx module

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = 'mac:utmpx:event'

FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']

FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMPX session'

SOURCE_SHORT = 'LOG'

plaso.formatters.vsftpd module

The vsftpd log file event formatter.

class plaso.formatters.vsftpd.VsftpdLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a vsftpd log event data.

DATA_TYPE = 'vsftpd:log'

FORMAT_STRING_PIECES = ['{text}']

SOURCE_LONG = 'vsftpd log'

SOURCE_SHORT = 'LOG'

plaso.formatters.windows module

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = 'windows:distributed_link_tracking:creation'

FORMAT_STRING_PIECES = ['{uuid}', 'MAC address: {mac_address}', 'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = ['{uuid}', 'Origin: {origin}']

SOURCE_LONG = 'System'

SOURCE_SHORT = 'LOG'

class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows NetworkList event formatter.

DATA_TYPE = 'windows:registry:network'

FORMAT_STRING_PIECES = ['SSID: {ssid}', 'Description: {description}', 'Connection Type: {connection_type}', 'Default Gateway Mac: {default_gateway_mac}', 'DNS Suffix: {dns_suffix}']

SOURCE_LONG = 'System: Network Connection'

SOURCE_SHORT = 'LOG'

class plaso.formatters.windows.WindowsVolumeCreationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = 'windows:volume:creation'

FORMAT_STRING_PIECES = ['{device_path}', 'Serial number: 0x{serial_number:08X}', 'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = ['{device_path}', 'Origin: {origin}']

SOURCE_LONG = 'System'

SOURCE_SHORT = 'LOG'

plaso.formatters.windows_timeline module

The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for generic Windows Timeline events.

DATA_TYPE = 'windows:timeline:generic'

FORMAT_STRING_PIECES = ['Application Display Name: {application_display_name}', 'Package Identifier: {package_identifier}', 'Description: {description}']

FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']

SOURCE_LONG = 'Windows Timeline - Generic'

SOURCE_SHORT = 'Windows Timeline'

class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for User Engaged Windows Timeline events

DATA_TYPE = 'windows:timeline:user_engaged'

FORMAT_STRING_PIECES = ['Package Identifier: {package_identifier}', 'Active Duration (seconds): {active_duration_seconds}', 'Reporting App: {reporting_app}']

FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']

SOURCE_LONG = 'Windows Timeline - User Engaged'

SOURCE_SHORT = 'Windows Timeline'

plaso.formatters.winevt module

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = 'windows:evt:record'

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']

GetEventTypeString(event_type)

Retrieves a string representation of the event type.

Parameters

event_type (int) – event type.

Returns

description of the event type.

Return type

str

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSeverityString(severity)

Retrieves a string representation of the severity.

Parameters

severity (int) – severity.

Returns

description of the event severity.

Return type

str

SOURCE_LONG = 'WinEVT'

SOURCE_SHORT = 'EVT'

plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile

Bases: object

Class that defines a sqlite3 database file.

Close()

Closes the database file.

Raises

RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)

Retrieves values from a table.

Parameters

• table_names (list[str]) – table names.

• column_names (list[str]) – column names.

• condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)

Determines if a specific table exists.

Parameters

table_name (str) – table name.

Returns

True if the table exists.

Return type

bool

Raises

RuntimeError – if the database is not opened.

Open(filename, read_only=False)

Opens the database file.

Parameters

• filename (str) – filename of the database.

• read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Bases: object

Class to represent a sqlite3 database reader.

Close()

Closes the database reader object.

Open(filename)

Opens the database reader object.

Parameters

filename (str) – filename of the database.

Returns

True if successful.

Return type

bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)

Retrieves a specific message for a specific Event Log source.

Parameters

• log_source (str) – Event Log source.

• lcid (int) – language code identifier (LCID).

• message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)

Retrieves the metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.

Returns

the metadata attribute or None.

Return type

str

Raises

RuntimeError – if more than one value is found in the database.

Open(filename)

Opens the database reader object.

Parameters

filename (str) – filename of the database.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = 'windows:evtx:record'

FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']

FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinEVTX'

SOURCE_SHORT = 'EVT'

plaso.formatters.winfirewall module

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = 'windows:firewall:log_entry'

FORMAT_STRING_PIECES = ['{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}', ':{source_port}', '>', '{dest_ip}', ':{dest_port}', 'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}', 'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}', 'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}', 'Additional info: {info}']

FORMAT_STRING_SHORT_PIECES = ['{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>', '{dest_ip}', ': {dest_port}']

SOURCE_LONG = 'Windows Firewall Log'

SOURCE_SHORT = 'LOG'

plaso.formatters.winjob module

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = 'windows:tasks:job'

FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Scheduled Task Job'

SOURCE_SHORT = 'JOB'

plaso.formatters.winlnk module

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = 'windows:lnk:link'

FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']

FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Shortcut'

SOURCE_SHORT = 'LNK'

plaso.formatters.winprefetch module

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = 'windows:prefetch:execution'

FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path hints: {path_hints}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']

FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinPrefetch'

SOURCE_SHORT = 'LOG'

plaso.formatters.winreg module

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = 'windows:registry:key_value'

FORMAT_STRING = '[{key_path}] {values}'

FORMAT_STRING_ALTERNATIVE = '{values}'

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)

Determines the the short and long source for an event.

Parameters

• event (EventObject) – event.

• event_data (EventData) – event data.

Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key'

SOURCE_SHORT = 'REG'

plaso.formatters.winrestore module

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Windows Restore Point information event.

DATA_TYPE = 'windows:restore_point:info'

FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']

FORMAT_STRING_SHORT_PIECES = ['{description}']

GetMessages(formatter_mediator, event_data)

Determines the formatted message strings for the event data.

Parameters

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

• event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Restore Point'

SOURCE_SHORT = 'RP'

plaso.formatters.xchatlog module

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = 'xchat:log:line'

FORMAT_STRING_PIECES = ['[nickname: {nickname}]', '{text}']

SOURCE_LONG = 'XChat Log File'

SOURCE_SHORT = 'LOG'

plaso.formatters.xchatscrollback module

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = 'xchat:scrollback:line'

FORMAT_STRING_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']

FORMAT_STRING_SEPARATOR = ''

SOURCE_LONG = 'XChat Scrollback File'

SOURCE_SHORT = 'LOG'

plaso.formatters.yaml_formatters_file module

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatters. type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’ short_source: ‘FILE’ source: ‘File system’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

• data_type, defines the corresponding event data type;

• message, defines a list of message string pieces;

• separator, defines the message and short message string pieces separator;

• short_message, defines the short message string pieces;

• short_source, defines the short source;

• source, defines the source.

ReadFromFile(path)

Reads the event formatters from the YAML-based formatters file.

Parameters

path (str) – path to a formatters file.

Returns

event formatters.

Return type

list[EventFormatter]

plaso.formatters.zsh_extended_history module

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = 'shell:zsh:history'

FORMAT_STRING_PIECES = ['{command}', 'Time elapsed: {elapsed_seconds} seconds']

FORMAT_STRING_SEPARATOR = ' '

FORMAT_STRING_SHORT_PIECES = ['{command}']

SOURCE_LONG = 'Zsh Extended History'

SOURCE_SHORT = 'HIST'

Module contents

This file contains an import statement for each formatter.