plaso.formatters package

Submodules

plaso.formatters.amcache module

The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Windows Registry event.

DATA_TYPE = u'windows:registry:amcache'
FORMAT_STRING_PIECES = [u'path: {full_path}', u'sha1: {sha1}', u'productname: {productname}', u'companyname: {companyname}', u'fileversion: {fileversion}', u'languagecode: {languagecode}', u'filesize: {filesize}', u'filedescription: {filedescription}', u'linkerts: {linkerts}', u'lastmodifiedts: {lastmodifiedts}', u'createdts: {createdts}', u'programid: {programid}']
FORMAT_STRING_SHORT_PIECES = [u'path: {full_path}']
SOURCE_LONG = u'Amcache Registry Entry'
SOURCE_SHORT = u'AMCACHE'
class plaso.formatters.amcache.AmcacheProgramsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Programs Windows Registry event.

DATA_TYPE = u'windows:registry:amcache:programs'
FORMAT_STRING_PIECES = [u'name: {name}', u'version: {version}', u'publisher: {publisher}', u'languagecode: {languagecode}', u'entrytype: {entrytype}', u'uninstallkey: {uninstallkey}', u'filepaths: {filepaths}', u'productcode: {productcode}', u'packagecode: {packagecode}', u'msiproductcode: {msiproductcode}', u'msipackagecode: {msipackagecode}', u'files: {files}']
FORMAT_STRING_SHORT_PIECES = [u'name: {name}']
SOURCE_LONG = u'Amcache Programs Registry Entry'
SOURCE_SHORT = u'AMCACHEPROGRAM'

plaso.formatters.android_app_usage module

The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Application Last Resumed event.

DATA_TYPE = u'android:event:last_resume_time'
FORMAT_STRING_PIECES = [u'Package: {package}', u'Component: {component}']
SOURCE_LONG = u'Android App Usage'
SOURCE_SHORT = u'LOG'

plaso.formatters.android_calls module

The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android call history event.

DATA_TYPE = u'android:event:call'
FORMAT_STRING_PIECES = [u'{call_type}', u'Number: {number}', u'Name: {name}', u'Duration: {duration} seconds']
FORMAT_STRING_SHORT_PIECES = [u'{call_type} Call']
SOURCE_LONG = u'Android Call History'
SOURCE_SHORT = u'LOG'

plaso.formatters.android_sms module

The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android SMS event.

DATA_TYPE = u'android:messaging:sms'
FORMAT_STRING_PIECES = [u'Type: {sms_type}', u'Address: {address}', u'Status: {sms_read}', u'Message: {body}']
FORMAT_STRING_SHORT_PIECES = [u'{body}']
SOURCE_LONG = u'Android SMS messages'
SOURCE_SHORT = u'SMS'

plaso.formatters.android_webview module

The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebView Cookie event data.

DATA_TYPE = u'webview:cookie'
FORMAT_STRING_PIECES = [u'Domain: {domain}', u'Path: {path}', u'Cookie name: {name}', u'Value: {value}', u'Secure: {secure}']
FORMAT_STRING_SHORT_PIECES = [u'{domain}', u'{name}', u'{value}']
SOURCE_LONG = u'Android WebView'
SOURCE_SHORT = u'WebView'

plaso.formatters.android_webviewcache module

The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebViewCache event data.

DATA_TYPE = u'android:webviewcache'
FORMAT_STRING_PIECES = [u'URL: {url}', u'Content Length: {content_length}']
FORMAT_STRING_SHORT_PIECES = [u'{url}']
SOURCE_LONG = u'Android WebViewCache'
SOURCE_SHORT = u'WebViewCache'

plaso.formatters.apache_access module

Apache access log file event formatter.

class plaso.formatters.apache_access.ApacheAccessFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a apache access log event.

DATA_TYPE = u'apache:access'
FORMAT_STRING_PIECES = [u'http_request: {http_request}', u'from: {ip_address}', u'code: {http_response_code}', u'referer: {http_request_referer}', u'user_agent: {http_request_user_agent}']
FORMAT_STRING_SHORT_PIECES = [u'{http_request}', u'from: {ip_address}']
SOURCE_LONG = u'Apache Access'
SOURCE_SHORT = u'LOG'

plaso.formatters.appcompatcache module

The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an AppCompatCache Windows Registry event.

DATA_TYPE = u'windows:registry:appcompatcache'
FORMAT_STRING_PIECES = [u'[{key_path}]', u'Cached entry: {entry_index}', u'Path: {path}']
FORMAT_STRING_SHORT_PIECES = [u'Path: {path}']
SOURCE_LONG = u'AppCompatCache Registry Entry'
SOURCE_SHORT = u'REG'

plaso.formatters.appusage module

The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MacOS Application usage event.

DATA_TYPE = u'macosx:application_usage'
FORMAT_STRING = u'{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'
FORMAT_STRING_SHORT = u'{application} ({count} time(s))'
SOURCE_LONG = u'Application Usage'
SOURCE_SHORT = u'LOG'

plaso.formatters.asl module

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = u'mac:asl:event'
FORMAT_STRING_PIECES = [u'MessageID: {message_id}', u'Level: {level}', u'User ID: {user_sid}', u'Group ID: {group_id}', u'Read User: {read_uid}', u'Read Group: {read_gid}', u'Host: {computer_name}', u'Sender: {sender}', u'Facility: {facility}', u'Message: {message}', u'{extra_information}']
FORMAT_STRING_SHORT_PIECES = [u'Host: {host}', u'Sender: {sender}', u'Facility: {facility}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'ASL entry'
SOURCE_SHORT = u'LOG'

plaso.formatters.bash_history module

The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for Bash history events.

DATA_TYPE = u'bash:history:command'
FORMAT_STRING = u'Command executed: {command}'
FORMAT_STRING_SHORT = u'{command}'
SOURCE_LONG = u'Bash History'
SOURCE_SHORT = u'LOG'

plaso.formatters.bencode_parser module

The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Transmission active torrents event.

DATA_TYPE = u'p2p:bittorrent:transmission'
FORMAT_STRING_PIECES = [u'Saved to {destination}', u'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = u'; '
SOURCE_LONG = u'Transmission Active Torrents'
SOURCE_SHORT = u'TORRENT'
class plaso.formatters.bencode_parser.UTorrentEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BitTorrent uTorrent active torrents event.

DATA_TYPE = u'p2p:bittorrent:utorrent'
FORMAT_STRING_PIECES = [u'Torrent {caption}', u'Saved to {path}', u'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = u'; '
SOURCE_LONG = u'uTorrent Active Torrents'
SOURCE_SHORT = u'TORRENT'

plaso.formatters.bsm module

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = u'bsm:event'
FORMAT_STRING_PIECES = [u'Type: {event_type_string}', u'({event_type})', u'Return: {return_value}', u'Information: {extra_tokens}']
FORMAT_STRING_SHORT_PIECES = [u'Type: {event_type}', u'Return: {return_value}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'BSM entry'
SOURCE_SHORT = u'LOG'

plaso.formatters.ccleaner module

The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CCleaner update event.

DATA_TYPE = u'ccleaner:update'
FORMAT_STRING_PIECES = [u'Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = [u'Origin: {key_path}']
SOURCE_LONG = u'System'
SOURCE_SHORT = u'LOG'

plaso.formatters.chrome module

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = u'chrome:history:file_downloaded'
FORMAT_STRING_PIECES = [u'{url}', u'({full_path}).', u'Received: {received_bytes} bytes', u'out of: {total_bytes} bytes.']
FORMAT_STRING_SHORT_PIECES = [u'{full_path} downloaded', u'({received_bytes} bytes)']
SOURCE_LONG = u'Chrome History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.chrome.ChromePageVisitedFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = u'chrome:history:page_visited'
FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[count: {typed_count}]', u'Visit from: {from_visit}', u'Visit Source: [{visit_source}]', u'Type: [{page_transition}]', u'{extra}']
FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({title})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Chrome History'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_autofill module

The Google Chrome autofill database event formatter.

class plaso.formatters.chrome_autofill.ChromeAutofillFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome autofill event.

DATA_TYPE = u'chrome:autofill:entry'
FORMAT_STRING_PIECES = [u'Form field name: {field_name}', u'Entered value: {value}', u'Times used: {usage_count}']
FORMAT_STRING_SHORT_PIECES = [u'{field_name}:', u'{value}', u'({usage_count})']
SOURCE_LONG = u'Chrome Autofill'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_cache module

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = u'chrome:cache:entry'
FORMAT_STRING_PIECES = [u'Original URL: {original_url}']
SOURCE_LONG = u'Chrome Cache'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_cookies module

The Google Chrome cookies database event formatter.

class plaso.formatters.chrome_cookies.ChromeCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome cookie event.

DATA_TYPE = u'chrome:cookie:entry'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Flags:', u'[HTTP only] = {httponly}', u'[Persistent] = {persistent}']
FORMAT_STRING_SHORT_PIECES = [u'{host}', u'({cookie_name})']
SOURCE_LONG = u'Chrome Cookies'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_extension_activity module

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = u'chrome:extension_activity:activity_log'
FORMAT_STRING_PIECES = [u'Chrome extension: {extension_id}', u'Action type: {action_type}', u'Activity identifier: {activity_id}', u'Page URL: {page_url}', u'Page title: {page_title}', u'API name: {api_name}', u'Args: {args}', u'Other: {other}']
FORMAT_STRING_SHORT_PIECES = [u'{extension_id}', u'{api_name}', u'{args}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Chrome Extension Activity'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_preferences module

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = u'chrome:preferences:content_settings:exceptions'
FORMAT_STRING_PIECES = [u'Permission {permission}', u'used by {subject}']
FORMAT_STRING_SHORT_PIECES = [u'Permission {permission}', u'used by {subject}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Chrome Permission Event'
SOURCE_SHORT = u'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension installation event.

DATA_TYPE = u'chrome:preferences:extension_installation'
FORMAT_STRING_PIECES = [u'CRX ID: {extension_id}', u'CRX Name: {extension_name}', u'Path: {path}']
FORMAT_STRING_SHORT_PIECES = [u'{extension_id}', u'{path}']
SOURCE_LONG = u'Chrome Extension Installation'
SOURCE_SHORT = u'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome Extensions Autoupdater events.

DATA_TYPE = u'chrome:preferences:extensions_autoupdater'
FORMAT_STRING_PIECES = [u'{message}']
FORMAT_STRING_SHORT_PIECES = [u'{message}']
SOURCE_LONG = u'Chrome Extensions Autoupdater'
SOURCE_SHORT = u'LOG'
class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome history clearing events.

DATA_TYPE = u'chrome:preferences:clear_history'
FORMAT_STRING_PIECES = [u'{message}']
FORMAT_STRING_SHORT_PIECES = [u'{message}']
SOURCE_LONG = u'Chrome History Deletion'
SOURCE_SHORT = u'LOG'

plaso.formatters.cron module

The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog cron task run event.

DATA_TYPE = u'syslog:cron:task_run'
FORMAT_STRING_PIECES = [u'Cron ran: {command}', u'for user: {username}', u'pid: {pid}']
FORMAT_STRING_SEPARATOR = u' '
FORMAT_STRING_SHORT = u'{body}'
SOURCE_LONG = u'Cron log'
SOURCE_SHORT = u'LOG'

plaso.formatters.cups_ipp module

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = u'cups:ipp:event'
FORMAT_STRING_PIECES = [u'Status: {status}', u'User: {user}', u'Owner: {owner}', u'Job Name: {job_name}', u'Application: {application}', u'Document type: {type_doc}', u'Printer: {printer_id}']
FORMAT_STRING_SHORT_PIECES = [u'Status: {status}', u'Job Name: {job_name}']
SOURCE_LONG = u'CUPS IPP Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = u'event'
FORMAT_STRING = u'<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
FORMAT_STRING_SHORT = u'<DEFAULT> {attribute_driven}'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)

plaso.formatters.docker module

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = u'docker:json'
FORMAT_STRING_SHORT_PIECES = [u'{id}']
SOURCE_SHORT = u'DOCKER'
class plaso.formatters.docker.DockerContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = u'docker:json:container'
FORMAT_STRING_PIECES = [u'Action: {action}', u'Container Name: {container_name}', u'Container ID: {container_id}']
FORMAT_STRING_SEPARATOR = u', '
SOURCE_LONG = u'Docker Container'
SOURCE_SHORT = u'DOCKER'
class plaso.formatters.docker.DockerContainerLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event

DATA_TYPE = u'docker:json:container:log'
FORMAT_STRING_PIECES = (u'Text: {log_line}', u'Container ID: {container_id}', u'Source: {log_source}')
FORMAT_STRING_SEPARATOR = u', '
SOURCE_LONG = u'Docker Container Logs'
SOURCE_SHORT = u'DOCKER'
class plaso.formatters.docker.DockerLayerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = u'docker:json:layer'
FORMAT_STRING_PIECES = (u'Command: {command}', u'Layer ID: {layer_id}')
FORMAT_STRING_SEPARATOR = u', '
SOURCE_LONG = u'Docker Layer'
SOURCE_SHORT = u'DOCKER'

plaso.formatters.dpkg module

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = u'dpkg:line'
FORMAT_STRING_PIECES = [u'{body}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'dpkg log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.file_history module

The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a file history ESE database namespace table record.

DATA_TYPE = u'file_history:namespace:event'
FORMAT_STRING_PIECES = [u'Filename: {original_filename}', u'Identifier: {identifier}', u'Parent Identifier: {parent_identifier}', u'Attributes: {file_attribute}', u'USN number: {usn_number}']
FORMAT_STRING_SHORT_PIECES = [u'Filename: {original_filename}']
SOURCE_LONG = u'File History Namespace'
SOURCE_SHORT = u'LOG'

plaso.formatters.file_system module

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = u'fs:stat'
FORMAT_STRING_PIECES = [u'{display_name}', u'Type: {file_entry_type}', u'({unallocated})']
FORMAT_STRING_SHORT_PIECES = [u'{filename}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
GetSources(event)[source]

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event.
Returns:short and long source string.
Return type:tuple(str, str)
Raises:WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_SHORT = u'FILE'
class plaso.formatters.file_system.NTFSFileStatEventFormatter[source]

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = u'fs:stat:ntfs'
FORMAT_STRING_PIECES = [u'{display_name}', u'File reference: {file_reference}', u'Attribute name: {attribute_name}', u'Name: {name}', u'Parent file reference: {parent_file_reference}', u'({unallocated})']
FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{file_reference}', u'{attribute_name}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_SHORT = u'FILE'
class plaso.formatters.file_system.NTFSUSNChangeEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = u'fs:ntfs:usn_change'
FORMAT_STRING_PIECES = [u'{filename}', u'File reference: {file_reference}', u'Parent file reference: {parent_file_reference}', u'Update source: {update_source}', u'Update reason: {update_reason}']
FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{file_reference}', u'{update_reason}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_SHORT = u'FILE'

plaso.formatters.firefox module

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = u'firefox:places:bookmark_annotation'
FORMAT_STRING_PIECES = [u'Bookmark Annotation: [{content}]', u'to bookmark [{title}]', u'({url})']
FORMAT_STRING_SHORT_PIECES = [u'Bookmark Annotation: {title}']
SOURCE_LONG = u'Firefox History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = u'firefox:places:bookmark_folder'
FORMAT_STRING = u'{title}'
SOURCE_LONG = u'Firefox History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = u'firefox:places:bookmark'
FORMAT_STRING_PIECES = [u'Bookmark {type}', u'{title}', u'({url})', u'[{places_title}]', u'visit count {visit_count}']
FORMAT_STRING_SHORT_PIECES = [u'Bookmarked {title}', u'({url})']
SOURCE_LONG = u'Firefox History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.firefox.FirefoxDowloadFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = u'firefox:downloads:download'
FORMAT_STRING = u'{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'
FORMAT_STRING_SHORT = u'{full_path} downloaded ({received_bytes} bytes)'
SOURCE_LONG = u'Firefox History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.firefox.FirefoxPageVisitFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = u'firefox:places:page_visited'
FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[count: {visit_count}]', u'Host: {host}', u'{extra_string}']
FORMAT_STRING_SHORT_PIECES = [u'URL: {url}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Firefox History'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.firefox_cache module

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = u'firefox:cache:record'
FORMAT_STRING_PIECES = [u'Fetched {fetch_count} time(s)', u'[{response_code}]', u'{request_method}', u'"{url}"']
FORMAT_STRING_SHORT_PIECES = [u'[{response_code}]', u'{request_method}', u'"{url}"']
SOURCE_LONG = u'Firefox Cache'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.firefox_cookies module

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = u'firefox:cookie:entry'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Flags:', u'[HTTP only]: {httponly}', u'(GA analysis: {ga_data})']
FORMAT_STRING_SHORT_PIECES = [u'{host}', u'({cookie_name})']
SOURCE_LONG = u'Firefox Cookies'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.fseventsd module

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = u'macos:fseventsd:record'
FORMAT_STRING_PIECES = [u'{path}', u'Flag Values:', u'{flag_values}', u'Flags:', u'{hex_flags}', u'Event Identifier:', u'{event_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'{path}', u'{flag_values}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_SHORT = u'FSEVENT'

plaso.formatters.ganalytics module

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utma'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Sessions: {sessions}', u'Domain Hash: {domain_hash}', u'Visitor ID: {visitor_id}']
FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({cookie_name})']
SOURCE_LONG = u'Google Analytics Cookies'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmb'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Pages Viewed: {pages_viewed}', u'Domain Hash: {domain_hash}']
class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmt'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})']
class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmz'
FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Sessions: {sessions}', u'Domain Hash: {domain_hash}', u'Sources: {sources}', u'Last source used to access: {utmcsr}', u'Ad campaign information: {utmccn}', u'Last type of visit: {utmcmd}', u'Keywords used to find site: {utmctr}', u'Path to the page of referring link: {utmcct}']

plaso.formatters.gdrive module

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = u'gdrive:snapshot:cloud_entry'
FORMAT_STRING_PIECES = [u'File Path: {path}', u'[{shared}]', u'Size: {size}', u'URL: {url}', u'Type: {document_type}']
FORMAT_STRING_SHORT_PIECES = [u'{path}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Google Drive (cloud entry)'
SOURCE_SHORT = u'LOG'
class plaso.formatters.gdrive.GDriveLocalEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = u'gdrive:snapshot:local_entry'
FORMAT_STRING_PIECES = [u'File Path: {path}', u'Size: {size}']
FORMAT_STRING_SHORT_PIECES = [u'{path}']
SOURCE_LONG = u'Google Drive (local entry)'
SOURCE_SHORT = u'LOG'

plaso.formatters.gdrive_synclog module

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = u'gdrive_sync:log:line'
FORMAT_STRING_PIECES = [u'[{log_level}', u'{pid}', u'{thread}', u'{source_code}]', u'{message}']
FORMAT_STRING_SHORT_PIECES = [u'{message}']
SOURCE_LONG = u'GoogleDriveSync Log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.hangouts_messages module

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Hangouts message event.

DATA_TYPE = u'android:messaging:hangouts'
FORMAT_STRING_PIECES = [u'Sender: {sender}', u'Body: {body}', u'Status: {message_status}', u'Type: {message_type}']
FORMAT_STRING_SHORT_PIECES = [u'{body}']
GetMessages(unused_formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters:
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Google Hangouts Message'
SOURCE_SHORT = u'HANGOUTS'
VALUE_FORMATTERS = {u'message_status': <function <lambda> at 0x7f6f8604b1b8>, u'message_type': <function <lambda> at 0x7f6f8604b140>}

plaso.formatters.iis module

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = u'iis:log:line'
FORMAT_STRING_PIECES = [u'{http_method}', u'{requested_uri_stem}', u'[', u'{source_ip}', u'>', u'{dest_ip}', u':', u'{dest_port}', u']', u'HTTP Status: {http_status}', u'Bytes Sent: {sent_bytes}', u'Bytes Received: {received_bytes}', u'User Agent: {user_agent}', u'Protocol Version: {protocol_version}']
FORMAT_STRING_SHORT_PIECES = [u'{http_method}', u'{requested_uri_stem}', u'[', u'{source_ip}', u'>', u'{dest_ip}', u':', u'{dest_port}', u']']
SOURCE_LONG = u'IIS Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.imessage module

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = u'imessage:event:chat'
FORMAT_STRING_PIECES = [u'Row ID: {identifier}', u'iMessage ID: {imessage_id}', u'Read Receipt: {read_receipt}', u'Message Type: {message_type}', u'Service: {service}', u'Attachment Location: {attachment_location}', u'Message Content: {text}']
FORMAT_STRING_SHORT_PIECES = [u'{text}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Apple iMessage Application'
SOURCE_SHORT = u'iMessage'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = [u'']
FORMAT_STRING_SEPARATOR = u' '
FORMAT_STRING_SHORT_PIECES = [u'']
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns:attribute names.
Return type:set(str)
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
class plaso.formatters.interface.EventFormatter[source]

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

DATA_TYPE = u'internal'
FORMAT_STRING = u''
FORMAT_STRING_SHORT = u''
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns:attribute names.
Return type:set(str)
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
GetSources(event)[source]

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event.
Returns:short and long source string.
Return type:tuple(str, str)
Raises:WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u''
SOURCE_SHORT = u'LOG'

plaso.formatters.ipod module

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = u'ipod:device:entry'
FORMAT_STRING_PIECES = [u'Device ID: {device_id}', u'Type: {device_class}', u'[{family_id}]', u'Connected {use_count} times', u'Serial nr: {serial_number}', u'IMEI [{imei}]']
SOURCE_LONG = u'iPod Connections'
SOURCE_SHORT = u'LOG'

plaso.formatters.java_idx module

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Java WebStart Cache IDX download event.

DATA_TYPE = u'java:download:idx'
FORMAT_STRING_PIECES = [u'IDX Version: {idx_version}', u'Host IP address: ({ip_address})', u'Download URL: {url}']
SOURCE_LONG = u'Java Cache IDX'
SOURCE_SHORT = u'JAVA_IDX'

plaso.formatters.kik_ios module

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = u'ios:kik:messaging'
FORMAT_STRING_PIECES = [u'Username: {username}', u'Displayname: {displayname}', u'Status: {message_status}', u'Type: {message_type}', u'Message: {body}']
FORMAT_STRING_SHORT_PIECES = [u'{body}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Kik iOS messages'
SOURCE_SHORT = u'Kik iOS'

plaso.formatters.kodi module

The Kodi MyVideos database event formatter.

class plaso.formatters.kodi.KodiFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Kodi Video event.

DATA_TYPE = u'kodi:videos:viewing'
FORMAT_STRING_PIECES = [u'Video: {filename}', u'Play Count: {play_count}']
FORMAT_STRING_SHORT_PIECES = [u'{filename}']
SOURCE_LONG = u'Kodi Video Viewed'
SOURCE_SHORT = u'KODI'

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.ls_quarantine module

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = u'macosx:lsquarantine'
FORMAT_STRING_PIECES = [u'[{agent}]', u'Downloaded: {url}', u'<{data}>']
FORMAT_STRING_SHORT_PIECES = [u'{url}']
SOURCE_LONG = u'LS Quarantine Event'
SOURCE_SHORT = u'LOG'

plaso.formatters.mac_appfirewall module

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for MacOS appfirewall.log file event.

DATA_TYPE = u'mac:appfirewall:line'
FORMAT_STRING_PIECES = [u'Computer: {computer_name}', u'Agent: {agent}', u'Status: {status}', u'Process name: {process_name}', u'Log: {action}']
FORMAT_STRING_SHORT_PIECES = [u'Process name: {process_name}', u'Status: {status}']
SOURCE_LONG = u'Mac AppFirewall Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.mac_document_versions module

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = u'mac:document_versions:file'
FORMAT_STRING_PIECES = [u'Version of [{name}]', u'({path})', u'stored in {version_path}', u'by {user_sid}']
FORMAT_STRING_SHORT_PIECES = [u'Stored a document version of [{name}]']
SOURCE_LONG = u'Document Versions'
SOURCE_SHORT = u'HISTORY'

plaso.formatters.mac_keychain module

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = u'mac:keychain:application'
FORMAT_STRING_PIECES = [u'Name: {entry_name}', u'Account: {account_name}']
FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']
SOURCE_LONG = u'Keychain Application password'
SOURCE_SHORT = u'LOG'
class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = u'mac:keychain:internet'
FORMAT_STRING_PIECES = [u'Name: {entry_name}', u'Account: {account_name}', u'Where: {where}', u'Protocol: {protocol}', u'({type_protocol})']
FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']
SOURCE_LONG = u'Keychain Internet password'
SOURCE_SHORT = u'LOG'

plaso.formatters.mac_notificationcenter module

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = u'mac:notificationcenter:db'
FORMAT_STRING_PIECES = [u'Title: {title}', u'(, subtitle: {subtitle}),', u'registered by: {bundle_name}.', u'Presented: {presented},', u'Content: {body}']
FORMAT_STRING_SHORT_PIECES = [u'Title: {title},', u'Content: {body}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object. :param formatter_mediator: mediates the interactions between

formatters and other components
Parameters:event (EventObject) – event.
Returns:formatted message string and short message string.
Return type:tuple(str, str)
Raises:WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Notification Center'
SOURCE_SHORT = u'NOTIFICATION'

plaso.formatters.mac_securityd module

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = u'mac:securityd:line'
FORMAT_STRING_PIECES = [u'Sender: {sender}', u'({sender_pid})', u'Level: {level}', u'Facility: {facility}', u'Text: {message}']
FORMAT_STRING_SHORT_PIECES = [u'Text: {message}']
SOURCE_LONG = u'Mac Securityd Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.mac_wifi module

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = u'mac:wifilog:line'
FORMAT_STRING_PIECES = [u'Action: {action}', u'Agent: {agent}', u'({function})', u'Log: {text}']
FORMAT_STRING_SHORT_PIECES = [u'Action: {action}']
SOURCE_LONG = u'Mac Wifi Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.mackeeper_cache module

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = u'mackeeper:cache'
FORMAT_STRING_PIECES = [u'{description}', u'<{event_type}>', u':', u'{text}', u'[', u'URL: {url}', u'Event ID: {record_id}', u'Room: {room}', u']']
FORMAT_STRING_SHORT_PIECES = [u'<{event_type}>', u'{text}']
SOURCE_LONG = u'MacKeeper Cache'
SOURCE_SHORT = u'LOG'

plaso.formatters.mactime module

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = u'fs:mactime:line'
FORMAT_STRING = u'{filename}'
SOURCE_LONG = u'Mactime Bodyfile'
SOURCE_SHORT = u'FILE'

plaso.formatters.manager module

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)[source]

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_class (type) – class of the formatter.
Raises:KeyError – if formatter class is not set for the corresponding data type.
classmethod GetFormatterObject(data_type)[source]

Retrieves the formatter object for a specific data type.

Parameters:data_type (str) – data type.
Returns:
corresponding formatter or the default formatter if
not available.
Return type:EventFormatter
classmethod GetMessageStrings(formatter_mediator, event)[source]

Retrieves the formatted message strings for a specific event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

long and short version of the message string.
Return type:

list[str, str]
classmethod GetSourceStrings(event)[source]

Retrieves the formatted source strings for a specific event object.

Parameters:event (EventObject) – event.
Returns:short and long version of the source of the event.
Return type:list[str, str]
classmethod RegisterFormatter(formatter_class)[source]

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_class (type) – class of the formatter.
Raises:KeyError – if formatter class is already set for the corresponding data type.
classmethod RegisterFormatters(formatter_classes)[source]

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_classes (list[type]) – classes of the formatters.
Raises:KeyError – if formatter class is already set for the corresponding data type.

plaso.formatters.mcafeeav module

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = u'av:mcafee:accessprotectionlog'
FORMAT_STRING_PIECES = [u'File Name: {filename}', u'User: {username}', u'{trigger_location}', u'{status}', u'{rule}', u'{action}']
FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{action}']
SOURCE_LONG = u'McAfee Access Protection Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.mediator module

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)[source]

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = u'en-US'
DEFAULT_LCID = 1033
GetWindowsEventMessage(log_source, message_identifier)[source]

Retrieves the message string for a specific Windows Event Log source.

Parameters:
  • log_source (str) – Event Log source, such as “Application Error”.
  • message_identifier (int) – message identifier.
Returns:

message string or None if not available.
Return type:

str
SetPreferredLanguageIdentifier(language_identifier)[source]

Sets the preferred language identifier.

Parameters:

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.
Raises:
  • KeyError – if the language identifier is not defined.
  • ValueError – if the language identifier is not a string type.
lcid

int – preferred Language Code identifier (LCID).

plaso.formatters.msie_webcache module

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = u'msie:webcache:container'
FORMAT_STRING_PIECES = [u'URL: {url}', u'Redirect URL: {redirect_url}', u'Access count: {access_count}', u'Sync count: {sync_count}', u'Filename: {cached_filename}', u'File extension: {file_extension}', u'Cached file size: {cached_file_size}', u'Request headers: {request_headers}', u'Response headers: {response_headers}', u'Entry identifier: {entry_identifier}', u'Container identifier: {container_identifier}', u'Cache identifier: {cache_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'URL: {url}']
SOURCE_LONG = u'MSIE WebCache container record'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = u'msie:webcache:containers'
FORMAT_STRING_PIECES = [u'Name: {name}', u'Directory: {directory}', u'Table: Container_{container_identifier}', u'Container identifier: {container_identifier}', u'Set identifier: {set_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'Directory: {directory}']
SOURCE_LONG = u'MSIE WebCache containers record'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = u'msie:webcache:leak_file'
FORMAT_STRING_PIECES = [u'Filename: {cached_filename}', u'Leak identifier: {leak_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'Filename: {cached_filename}']
SOURCE_LONG = u'MSIE WebCache partitions record'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = u'msie:webcache:partitions'
FORMAT_STRING_PIECES = [u'Partition identifier: {partition_identifier}', u'Partition type: {partition_type}', u'Directory: {directory}', u'Table identifier: {table_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'Directory: {directory}']
SOURCE_LONG = u'MSIE WebCache partitions record'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.msiecf module

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
class plaso.formatters.msiecf.MsiecfLeakFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = u'msiecf:leak'
FORMAT_STRING_PIECES = [u'Cached file: {cached_file_path}', u'Cached file size: {cached_file_size}', u'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [u'Cached file: {cached_file_path}']
SOURCE_LONG = u'MSIE Cache File leak record'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.msiecf.MsiecfRedirectedFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = u'msiecf:redirected'
FORMAT_STRING_PIECES = [u'Location: {url}', u'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [u'Location: {url}']
SOURCE_LONG = u'MSIE Cache File redirected record'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.msiecf.MsiecfUrlFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = u'msiecf:url'
FORMAT_STRING_PIECES = [u'Location: {url}', u'Number of hits: {number_of_hits}', u'Cached file: {cached_file_path}', u'Cached file size: {cached_file_size}', u'HTTP headers: {http_headers}', u'{recovered_string}']
FORMAT_STRING_SHORT_PIECES = [u'Location: {url}', u'Cached file: {cached_file_path}']
SOURCE_LONG = u'MSIE Cache File URL record'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.officemru module

The Microsoft Office MRU Windows Registry event formatter.

class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft Office MRU Windows Registry event.

DATA_TYPE = u'windows:registry:office_mru'
FORMAT_STRING_PIECES = [u'[{key_path}]', u'Value: {value_string}']
FORMAT_STRING_SHORT_PIECES = [u'{value_string}']
SOURCE_LONG = u'Registry Key: Microsoft Office MRU'
SOURCE_SHORT = u'REG'

plaso.formatters.olecf module

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = u'olecf:dest_list:entry'
FORMAT_STRING_PIECES = [u'Entry: {entry_number}', u'Pin status: {pin_status}', u'Hostname: {hostname}', u'Path: {path}', u'Droid volume identifier: {droid_volume_identifier}', u'Droid file identifier: {droid_file_identifier}', u'Birth droid volume identifier: {birth_droid_volume_identifier}', u'Birth droid file identifier: {birth_droid_file_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'Entry: {entry_number}', u'Pin status: {pin_status}', u'Path: {path}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = u'olecf:document_summary_info'
FORMAT_STRING_PIECES = [u'Number of bytes: {number_of_bytes}', u'Number of lines: {number_of_lines}', u'Number of paragraphs: {number_of_paragraphs}', u'Number of slides: {number_of_slides}', u'Number of notes: {number_of_notes}', u'Number of hidden slides: {number_of_hidden_slides}', u'Number of multi-media clips: {number_of_clips}', u'Company: {company}', u'Manager: {manager}', u'Shared document: {shared_document}', u'Application version: {application_version}', u'Content type: {content_type}', u'Content status: {content_status}', u'Language: {language}', u'Document version: {document_version}']
FORMAT_STRING_SHORT_PIECES = [u'Company: {company}']
SOURCE_LONG = u'OLECF Document Summary Info'
SOURCE_SHORT = u'OLECF'
class plaso.formatters.olecf.OLECFItemFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = u'olecf:item'
FORMAT_STRING = u'Name: {name}'
FORMAT_STRING_SHORT = u'Name: {name}'
SOURCE_LONG = u'OLECF Item'
SOURCE_SHORT = u'OLECF'
class plaso.formatters.olecf.OLECFSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = u'olecf:summary_info'
FORMAT_STRING_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}', u'Keywords: {keywords}', u'Comments: {comments}', u'Template: {template}', u'Revision number: {revision_number}', u'Last saved by: {last_saved_by}', u'Total edit time: {total_edit_time}', u'Number of pages: {number_of_pages}', u'Number of words: {number_of_words}', u'Number of characters: {number_of_characters}', u'Application: {application}', u'Security: {security}']
FORMAT_STRING_SHORT_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}', u'Revision number: {revision_number}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'OLECF Summary Info'
SOURCE_SHORT = u'OLECF'

plaso.formatters.opera module

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = u'opera:history:entry'
FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[{description}]']
SOURCE_LONG = u'Opera Browser History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.opera.OperaTypedHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = u'opera:history:typed_entry'
FORMAT_STRING_PIECES = [u'{url}', u'({entry_selection})']
SOURCE_LONG = u'Opera Browser History'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.oxml module

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = u'metadata:openxml'
FORMAT_STRING_PIECES = [u'Creating App: {creating_app}', u'App version: {app_version}', u'Title: {title}', u'Subject: {subject}', u'Last saved by: {last_saved_by}', u'Author: {author}', u'Total edit time (secs): {total_edit_time}', u'Keywords: {keywords}', u'Comments: {comments}', u'Revision number: {revision_number}', u'Template: {template}', u'Number of pages: {number_of_pages}', u'Number of words: {number_of_words}', u'Number of characters: {number_of_characters}', u'Number of characters with spaces: {number_of_characters_with_spaces}', u'Number of lines: {number_of_lines}', u'Company: {company}', u'Manager: {manager}', u'Shared: {shared}', u'Security: {security}', u'Hyperlinks changed: {hyperlinks_changed}', u'Links up to date: {links_up_to_date}', u'Scale crop: {scale_crop}', u'Digital signature: {dig_sig}', u'Slides: {slides}', u'Hidden slides: {hidden_slides}', u'Presentation format: {presentation_format}', u'MM clips: {mm_clips}', u'Notes: {notes}']
FORMAT_STRING_SHORT_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}']
SOURCE_LONG = u'Open XML Metadata'
SOURCE_SHORT = u'META'

plaso.formatters.pe module

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = u'pe:compilation:compilation_time'
SOURCE_LONG = u'PE Compilation time'
class plaso.formatters.pe.PEDelayImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = u'pe:delay_import:import_time'
FORMAT_STRING_PIECES = [u'DLL name: {dll_name}', u'PE Type: {pe_type}', u'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = [u'{dll_name}']
SOURCE_LONG = u'PE Delay Import Time'
class plaso.formatters.pe.PEEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = u'pe'
FORMAT_STRING_PIECES = [u'PE Type: {pe_type}', u'Import hash: {imphash}']
FORMAT_STRING_SEPARATOR = u' '
FORMAT_STRING_SHORT_PIECES = [u'pe_type']
SOURCE_LONG = u'PE Event'
SOURCE_SHORT = u'PE'
class plaso.formatters.pe.PEImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = u'pe:import:import_time'
FORMAT_STRING_PIECES = [u'DLL name: {dll_name}', u'PE Type: {pe_type}', u'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = [u'{dll_name}']
SOURCE_LONG = u'PE Import Time'
class plaso.formatters.pe.PELoadConfigModificationEvent[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = u'pe:load_config:modification_time'
SOURCE_LONG = u'PE Load Configuration Table Time'
class plaso.formatters.pe.PEResourceCreationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = u'pe:resource:creation_time'
SOURCE_LONG = u'PE Resource Creation Time'

plaso.formatters.plist module

The plist event formatter.

class plaso.formatters.plist.PlistFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = u'plist:key'
FORMAT_STRING_PIECES = [u'{root}/', u'{key}', u' {desc}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'Plist Entry'
SOURCE_SHORT = u'PLIST'

plaso.formatters.pls_recall module

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = u'PLSRecall:event'
FORMAT_STRING_PIECES = [u'Sequence number: {sequence_number}', u'Username: {username}', u'Database name: {database_name}', u'Query: {query}']
FORMAT_STRING_SHORT_PIECES = [u'{sequence_number}', u'{username}', u'{database_name}', u'{query}']
SOURCE_LONG = u'PL/SQL Developer Recall file'
SOURCE_SHORT = u'PLSRecall'

plaso.formatters.popcontest module

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = u'popularity_contest:log:event'
FORMAT_STRING_PIECES = [u'mru [{mru}]', u'package [{package}]', u'tag [{record_tag}]']
FORMAT_STRING_SHORT_PIECES = [u'{mru}']
SOURCE_LONG = u'Popularity Contest Log'
SOURCE_SHORT = u'LOG'
class plaso.formatters.popcontest.PopularityContestSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = u'popularity_contest:session:event'
FORMAT_STRING_PIECES = [u'Session {session}', u'{status}', u'ID {hostid}', u'[{details}]']
FORMAT_STRING_SHORT_PIECES = [u'Session {session}', u'{status}']
SOURCE_LONG = u'Popularity Contest Session'
SOURCE_SHORT = u'LOG'

plaso.formatters.recycler module

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = u'windows:metadata:deleted_item'
FORMAT_STRING_PIECES = [u'DC{record_index} ->', u'{original_filename}', u'[{short_filename}]', u'(from drive: {drive_letter})']
FORMAT_STRING_SHORT_PIECES = [u'Deleted file: {original_filename}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Recycle Bin'
SOURCE_SHORT = u'RECBIN'

plaso.formatters.safari module

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = u'safari:history:visit'
FORMAT_STRING_PIECES = [u'Visited: {url}', u'({title}', u'- {display_title}', u')', u'Visit Count: {visit_count}']
SOURCE_LONG = u'Safari History'
SOURCE_SHORT = u'WEBHIST'
class plaso.formatters.safari.SafariHistoryFormatterSqlite[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from Sqlite History.db

DATA_TYPE = u'safari:history:visit_sqlite'
FORMAT_STRING_PIECES = [u'URL: {url}', u'Title: ({title})', u'[count: {visit_count}]', u'http_non_get: {was_http_non_get}']
SOURCE_LONG = u'Safari History'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.safari_cookies module

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = u'safari:cookie:entry'
FORMAT_STRING_PIECES = [u'{url}', u'<{path}>', u'({cookie_name})', u'Flags: {flags}']
FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({cookie_name})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Safari Cookies'
SOURCE_SHORT = u'WEBHIST'

plaso.formatters.sam_users module

The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SAM users Windows Registry event.

DATA_TYPE = u'windows:registry:sam_users'
FORMAT_STRING_PIECES = [u'[{key_path}]', u'Username: {username}', u'Full name: {fullname}', u'Comments: {comments}', u'RID: {account_rid}', u'Login count: {login_count}']
FORMAT_STRING_SHORT_PIECES = [u'{username}', u'RID: {account_rid}', u'Login count: {login_count}']
SOURCE_LONG = u'Registry Key: User Account Information'
SOURCE_SHORT = u'REG'

plaso.formatters.santa module

Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa disk mount event.

DATA_TYPE = u'santa:diskmount'
FORMAT_STRING_PIECES = [u'Santa {action}', u'on ({mount})', u'serial: ({serial})', u'for ({dmg_path})']
FORMAT_STRING_SHORT_PIECES = [u'{action}', u'{volume}']
SOURCE_LONG = u'Santa disk mount'
SOURCE_SHORT = u'LOG'
class plaso.formatters.santa.SantaExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa execution event.

DATA_TYPE = u'santa:execution'
FORMAT_STRING_PIECES = [u'Santa {decision}', u'process: {process_path}', u'hash: {process_hash}']
FORMAT_STRING_SHORT_PIECES = [u'{decision}', u'process: {process_path}']
SOURCE_LONG = u'Santa Execution'
SOURCE_SHORT = u'LOG'
class plaso.formatters.santa.SantaFileSystemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa file system event.

DATA_TYPE = u'santa:file_system_event'
FORMAT_STRING_PIECES = [u'Santa {action} event', u'{file_path}', u'by process: {process_path}']
FORMAT_STRING_SHORT_PIECES = [u'File {action}', u'on: {file_path}']
SOURCE_LONG = u'Santa FSEvent'
SOURCE_SHORT = u'LOG'

plaso.formatters.sccm module

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = u'software_management:sccm:log'
FORMAT_STRING_PIECES = [u'{component}', u'{text}']
FORMAT_STRING_SEPARATOR = u' '
FORMAT_STRING_SHORT_PIECES = [u'{text}']
SOURCE_LONG = u'SCCM Event'
SOURCE_SHORT = u'LOG'

plaso.formatters.selinux module

The selinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a selinux log file event.

DATA_TYPE = u'selinux:line'
FORMAT_STRING_PIECES = [u'[', u'audit_type: {audit_type}', u', pid: {pid}', u']', u' {body}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'Audit log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.shell_items module

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = u'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = [u'Name: {name}', u'Long name: {long_name}', u'Localized name: {localized_name}', u'NTFS file reference: {file_reference}', u'Shell item path: {shell_item_path}', u'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = [u'Name: {file_entry_name}', u'NTFS file reference: {file_reference}', u'Origin: {origin}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'File entry shell item'
SOURCE_SHORT = u'FILE'

plaso.formatters.shutdown module

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = u'windows:registry:shutdown'
FORMAT_STRING_PIECES = [u'[{key_path}]', u'Description: {value_name}']
FORMAT_STRING_SHORT_PIECES = [u'{value_name}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Registry Key Shutdown Entry'
SOURCE_SHORT = u'REG'

plaso.formatters.skydrivelog module

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = u'skydrive:log:line'
FORMAT_STRING_PIECES = [u'[{module}', u'{source_code}', u'{log_level}]', u'{detail}']
FORMAT_STRING_SHORT_PIECES = [u'{detail}']
SOURCE_LONG = u'SkyDrive Log File'
SOURCE_SHORT = u'LOG'
class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = u'skydrive:log:old:line'
FORMAT_STRING_PIECES = [u'[{source_code}]', u'({log_level})', u'{text}']
FORMAT_STRING_SHORT_PIECES = [u'{text}']
SOURCE_LONG = u'SkyDrive Log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.skype module

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = u'skype:event:account'
FORMAT_STRING_PIECES = [u'{username}', u'[{email}]', u'Country: {country}']
SOURCE_LONG = u'Skype Account'
SOURCE_SHORT = u'LOG'
class plaso.formatters.skype.SkypeCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = u'skype:event:call'
FORMAT_STRING_PIECES = [u'From: {src_call}', u'To: {dst_call}', u'[{call_type}]']
SOURCE_LONG = u'Skype Call'
SOURCE_SHORT = u'LOG'
class plaso.formatters.skype.SkypeChatFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = u'skype:event:chat'
FORMAT_STRING_PIECES = [u'From: {from_account}', u'To: {to_account}', u'[{title}]', u'Message: [{text}]']
FORMAT_STRING_SHORT_PIECES = [u'From: {from_account}', u'To: {to_account}']
SOURCE_LONG = u'Skype Chat MSG'
SOURCE_SHORT = u'LOG'
class plaso.formatters.skype.SkypeSMSFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = u'skype:event:sms'
FORMAT_STRING_PIECES = [u'To: {number}', u'[{text}]']
SOURCE_LONG = u'Skype SMS'
SOURCE_SHORT = u'LOG'
class plaso.formatters.skype.SkypeTransferFileFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = u'skype:event:transferfile'
FORMAT_STRING_PIECES = [u'Source: {source}', u'Destination: {destination}', u'File: {transferred_filename}', u'[{action_type}]']
SOURCE_LONG = u'Skype Transfer Files'
SOURCE_SHORT = u'LOG'

plaso.formatters.sophos_av module

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = u'sophos:av:log'
FORMAT_STRING_PIECES = [u'{text}']
SOURCE_LONG = u'Sophos Anti-Virus log'
SOURCE_SHORT = u'LOG'

plaso.formatters.srum module

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = u'windows:srum:application_usage'
FORMAT_STRING_PIECES = [u'Application: {application}']
FORMAT_STRING_SHORT_PIECES = [u'{application}']
class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = u'windows:srum:network_connectivity'
FORMAT_STRING_PIECES = [u'Application: {application}']
FORMAT_STRING_SHORT_PIECES = [u'{application}']
class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = u'windows:srum:network_usage'
FORMAT_STRING_PIECES = [u'Application: {application}', u'Bytes received: {bytes_received}', u'Bytes sent: {bytes_sent}', u'Interface LUID: {interface_luid}', u'User identifier: {user_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'{application}']

plaso.formatters.ssh module

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = u'syslog:ssh:failed_connection'
FORMAT_STRING_PIECES = [u'Unsuccessful connection of user: {username}', u'from {address}:', u'{port}', u'using authentication method: {authentication_method}', u'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_SHORT = u'{body}'
SOURCE_LONG = u'SSH log'
SOURCE_SHORT = u'LOG'
class plaso.formatters.ssh.SSHLoginEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = u'syslog:ssh:login'
FORMAT_STRING_PIECES = [u'Successful login of user: {username}', u'from {address}:', u'{port}', u'using authentication method: {authentication_method}', u'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_SHORT = u'{body}'
SOURCE_LONG = u'SSH log'
SOURCE_SHORT = u'LOG'
class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = u'syslog:ssh:opened_connection'
FORMAT_STRING_PIECES = [u'Connection opened {address}:', u'{port}', u'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = u''
FORMAT_STRING_SHORT = u'{body}'
SOURCE_LONG = u'SSH log'
SOURCE_SHORT = u'LOG'

plaso.formatters.symantec module

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {u'1': u'Quarantined', u'10': u'Renamed backup file', u'11': u'Undo action in Quarantine View', u'12': u'Write protected or lack of permissions - Unable to act on file', u'13': u'Backed up file', u'2': u'Renamed', u'3': u'Deleted', u'4': u'Left alone', u'5': u'Cleaned', u'6': u'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', u'7': u'Saved file as...', u'8': u'Sent to Intel (AMS)', u'9': u'Moved to backup location'}
ACTION_1_2_NAMES = {u'1': u'Quarantine infected file', u'2': u'Rename infected file', u'3': u'Delete infected file', u'4': u'Leave alone (log only)', u'5': u'Clean virus from file', u'6': u'Clean or delete macros'}
CATEGORY_NAMES = {u'1': u'GL_CAT_INFECTION', u'2': u'GL_CAT_SUMMARY', u'3': u'GL_CAT_PATTERN', u'4': u'GL_CAT_SECURITY'}
DATA_TYPE = u'av:symantec:scanlog'
EVENT_NAMES = {u'1': u'GL_EVENT_IS_ALERT', u'10': u'GL_EVENT_CHECKSUM', u'11': u'GL_EVENT_TRAP', u'12': u'GL_EVENT_CONFIG_CHANGE', u'13': u'GL_EVENT_SHUTDOWN', u'14': u'GL_EVENT_STARTUP', u'16': u'GL_EVENT_PATTERN_DOWNLOAD', u'17': u'GL_EVENT_TOO_MANY_VIRUSES', u'18': u'GL_EVENT_FWD_TO_QSERVER', u'19': u'GL_EVENT_SCANDLVR', u'2': u'GL_EVENT_SCAN_STOP', u'20': u'GL_EVENT_BACKUP', u'21': u'GL_EVENT_SCAN_ABORT', u'22': u'GL_EVENT_RTS_LOAD_ERROR', u'23': u'GL_EVENT_RTS_LOAD', u'24': u'GL_EVENT_RTS_UNLOAD', u'25': u'GL_EVENT_REMOVE_CLIENT', u'26': u'GL_EVENT_SCAN_DELAYED', u'27': u'GL_EVENT_SCAN_RESTART', u'28': u'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', u'29': u'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', u'3': u'GL_EVENT_SCAN_START', u'30': u'GL_EVENT_LICENSE_WARNING', u'31': u'GL_EVENT_LICENSE_ERROR', u'32': u'GL_EVENT_LICENSE_GRACE', u'33': u'GL_EVENT_UNAUTHORIZED_COMM', u'34': u'GL_EVENT_LOG_FWD_THRD_ERR', u'35': u'GL_EVENT_LICENSE_INSTALLED', u'36': u'GL_EVENT_LICENSE_ALLOCATED', u'37': u'GL_EVENT_LICENSE_OK', u'38': u'GL_EVENT_LICENSE_DEALLOCATED', u'39': u'GL_EVENT_BAD_DEFS_ROLLBACK', u'4': u'GL_EVENT_PATTERN_UPDATE', u'40': u'GL_EVENT_BAD_DEFS_UNPROTECTED', u'41': u'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', u'42': u'GL_EVENT_RTS_ERROR', u'43': u'GL_EVENT_COMPLIANCE_FAIL', u'44': u'GL_EVENT_COMPLIANCE_SUCCESS', u'45': u'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', u'46': u'GL_EVENT_ANOMALY_START', u'47': u'GL_EVENT_DETECTION_ACTION_TAKEN', u'48': u'GL_EVENT_REMEDIATION_ACTION_PENDING', u'49': u'GL_EVENT_REMEDIATION_ACTION_FAILED', u'5': u'GL_EVENT_INFECTION', u'50': u'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', u'51': u'GL_EVENT_ANOMALY_FINISH', u'52': u'GL_EVENT_COMMS_LOGIN_FAILED', u'53': u'GL_EVENT_COMMS_LOGIN_SUCCESS', u'54': u'GL_EVENT_COMMS_UNAUTHORIZED_COMM', u'55': u'GL_EVENT_CLIENT_INSTALL_AV', u'56': u'GL_EVENT_CLIENT_INSTALL_FW', u'57': u'GL_EVENT_CLIENT_UNINSTALL', u'58': u'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', u'59': u'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', u'6': u'GL_EVENT_FILE_NOT_OPEN', u'60': u'GL_EVENT_COMMS_SERVER_CERT_ISSUE', u'61': u'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', u'62': u'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', u'63': u'GL_EVENT_CLIENT_CHECKIN', u'64': u'GL_EVENT_CLIENT_NO_CHECKIN', u'65': u'GL_EVENT_SCAN_SUSPENDED', u'66': u'GL_EVENT_SCAN_RESUMED', u'67': u'GL_EVENT_SCAN_DURATION_INSUFFICIENT', u'68': u'GL_EVENT_CLIENT_MOVE', u'69': u'GL_EVENT_SCAN_FAILED_ENHANCED', u'7': u'GL_EVENT_LOAD_PATTERN', u'70': u'GL_EVENT_MAX_event_name', u'71': u'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', u'72': u'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', u'73': u'GL_EVENT_LOAD_ERROR_COH', u'74': u'GL_EVENT_LOAD_ERROR_SYKNAPPS', u'75': u'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', u'76': u'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', u'77': u'GL_EVENT_HEUR_THREAT_NOW_KNOWN', u'8': u'GL_STD_MESSAGE_INFO', u'9': u'GL_STD_MESSAGE_ERROR'}
FORMAT_STRING_PIECES = [u'Event Name: {event_map}', u'Category Name: {category_map}', u'Malware Name: {virus}', u'Malware Path: {file}', u'Action0: {action0_map}', u'Action1: {action1_map}', u'Action2: {action2_map}', u'Description: {description}', u'Scan ID: {scanid}', u'Event Data: {event_data}', u'Remote Machine: {remote_machine}', u'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SEPARATOR = u'; '
FORMAT_STRING_SHORT_PIECES = [u'{file}', u'{virus}', u'{action0_map}', u'{action1_map}', u'{action2_map}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Symantec AV Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.syslog module

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment

DATA_TYPE = u'syslog:comment'
FORMAT_STRING_PIECES = [u'{body}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'Log File'
SOURCE_SHORT = u'LOG'
class plaso.formatters.syslog.SyslogLineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = u'syslog:line'
FORMAT_STRING_PIECES = [u'{severity} ', u'[', u'{reporter}', u', pid: {pid}', u'] {body}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'Log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.systemd_journal module

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter[source]

Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Formatter for a Systemd journal dirty event.

DATA_TYPE = u'systemd:journal:dirty'
SOURCE_LONG = u'systemd-journal-dirty'
class plaso.formatters.systemd_journal.SystemdJournalEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = u'systemd:journal'
FORMAT_STRING_PIECES = [u'{hostname} ', u'[', u'{reporter}', u', pid: {pid}', u'] {body}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'systemd-journal'
SOURCE_SHORT = u'LOG'

plaso.formatters.tango_android module

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = u'tango:android:contact'
FORMAT_STRING_PIECES = [u'{first_name}', u'{last_name}', u'{gender}', u'birthday: {birthday}', u'Status: {status}', u'Friend: {is_friend}', u'Request type: {friend_request_type}', u'Request message: {friend_request_message}']
FORMAT_STRING_SHORT_PIECES = [u'{first_name}', u'{last_name}', u'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple[str, str]
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Tango Android Contact'
SOURCE_SHORT = u'Tango Android'
class plaso.formatters.tango_android.TangoAndroidConversationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android conversation event formatter.

DATA_TYPE = u'tango:android:conversation'
FORMAT_STRING_PIECES = [u'Conversation ({conversation_identifier})']
FORMAT_STRING_SHORT_PIECES = [u'Conversation ({conversation_identifier})']
SOURCE_LONG = u'Tango Android Conversation'
SOURCE_SHORT = u'Tango Android'
class plaso.formatters.tango_android.TangoAndroidMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = u'tango:android:message'
FORMAT_STRING_PIECES = [u'{direction}', u'Message ({message_identifier})']
FORMAT_STRING_SHORT_PIECES = [u'{direction}', u'Message ({message_identifier})']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple[str, str]
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Tango Android Message'
SOURCE_SHORT = u'Tango Android'

plaso.formatters.task_scheduler module

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = u'task_scheduler:task_cache:entry'
FORMAT_STRING_PIECES = [u'Task: {task_name}', u'[Identifier: {task_identifier}]']
FORMAT_STRING_SHORT_PIECES = [u'Task: {task_name}']
SOURCE_LONG = u'Task Cache'
SOURCE_SHORT = u'REG'

plaso.formatters.text module

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = u'text:entry'
FORMAT_STRING = u'{text}'
SOURCE_LONG = u'Text File'
SOURCE_SHORT = u'LOG'

plaso.formatters.trendmicroav module

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = u'av:trendmicro:scan'
FORMAT_STRING_PIECES = [u'Path: {path}', u'File name: {filename}', u'{threat}', u': {action}', u'({scan_type})']
FORMAT_STRING_SHORT_PIECES = [u'{path}', u'{filename}', u'{action}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = u'LOG'
VALUE_FORMATTERS = {u'action': <function <lambda> at 0x7f6f85f9c398>, u'scan_type': <function <lambda> at 0x7f6f85f9c320>}
class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter[source]

Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = u'av:trendmicro:webrep'
FORMAT_STRING_PIECES = [u'{url}', u'{ip}', u'Group: {group_name}', u'{group_code}', u'Mode: {block_mode}', u'Policy ID: {policy_identifier}', u'Credibility rating: {credibility_rating}', u'Credibility score: {credibility_score}', u'Threshold value: {threshold}', u'Accessed by: {application_name}']
FORMAT_STRING_SHORT_PIECES = [u'{url}', u'{group_name}']
SOURCE_LONG = u'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = u'LOG'
VALUE_FORMATTERS = {u'block_mode': <function <lambda> at 0x7f6f85f9c488>}

plaso.formatters.twitter_android module

Twitter on android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android contact event formatter.

DATA_TYPE = u'twitter:android:contact'
FORMAT_STRING_PIECES = [u'Screen name: {username}', u'Profile picture URL: {image_url}', u'Name: {name}', u'Location: {location}', u'Description: {description}', u'URL: {web_url}', u'Number of followers: {followers}', u'Number of following: {friend}', u'Number of tweets: {statuses}']
FORMAT_STRING_SHORT_PIECES = [u'Screen name: {username}', u'Description: {description}', u'URL: {web_url}']
SOURCE_LONG = u'Twitter Android Contacts'
SOURCE_SHORT = u'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android search event formatter.

DATA_TYPE = u'twitter:android:search'
FORMAT_STRING_PIECES = [u'Name: {name}', u'Query: {search_query}']
FORMAT_STRING_SHORT_PIECES = [u'Query: {search_query}']
SOURCE_LONG = u'Twitter Android Search'
SOURCE_SHORT = u'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android status event formatter.

DATA_TYPE = u'twitter:android:status'
FORMAT_STRING_PIECES = [u'User: {username}', u'Status: {content}', u'Favorited: {favorited}', u'Retweeted: {retweeted}']
FORMAT_STRING_SHORT_PIECES = [u'User: {username}', u'Status: {content}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Twitter Android Status'
SOURCE_SHORT = u'Twitter Android'

plaso.formatters.twitter_ios module

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = u'twitter:ios:contact'
FORMAT_STRING_PIECES = [u'Screen name: {screen_name}', u'Profile picture URL: {profile_url}', u'Name: {name}', u'Location: {location}', u'Description: {description}', u'URL: {url}', u'Following: {following}', u'Number of followers: {followers_count}', u'Number of following: {following_count}']
FORMAT_STRING_SHORT_PIECES = [u'Screen name: {screen_name}', u'Description: {description}', u'URL: {url}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Twitter iOS Contacts'
SOURCE_SHORT = u'Twitter iOS'
class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = u'twitter:ios:status'
FORMAT_STRING_PIECES = [u'Name: {name}', u'User Id: {user_id}', u'Message: {text}', u'Favorite: {favorited}', u'Retweet Count: {retweet_count}', u'Favorite Count: {favorite_count}']
FORMAT_STRING_SHORT_PIECES = [u'Name: {name}', u'Message: {text}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Twitter iOS Status'
SOURCE_SHORT = u'Twitter iOS'

plaso.formatters.userassist module

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UserAssist Windows Registry event.

DATA_TYPE = u'windows:registry:userassist'
FORMAT_STRING_PIECES = [u'[{key_path}]', u'UserAssist entry: {entry_index}', u'Value name: {value_name}', u'Count: {number_of_executions}', u'Application focus count: {application_focus_count}', u'Application focus duration: {application_focus_duration}']
FORMAT_STRING_SHORT_PIECES = [u'{value_name}', u'Count: {number_of_executions}']
SOURCE_LONG = u'Registry Key: UserAssist'
SOURCE_SHORT = u'REG'

plaso.formatters.utmp module

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = u'linux:utmp:event'
FORMAT_STRING_PIECES = [u'User: {username}', u'Hostname: {hostname}', u'Terminal: {terminal}', u'PID: {pid}', u'Terminal identifier: {terminal_identifier}', u'Status: {status}', u'IP Address: {ip_address}', u'Exit status: {exit_status}']
FORMAT_STRING_SHORT_PIECES = [u'User: {username}', u'PID: {pid}', u'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'UTMP session'
SOURCE_SHORT = u'LOG'

plaso.formatters.utmpx module

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = u'mac:utmpx:event'
FORMAT_STRING_PIECES = [u'User: {username}', u'Status: {status}', u'Hostname: {hostname}', u'Terminal: {terminal}', u'PID: {pid}', u'Terminal identifier: {terminal_identifier}']
FORMAT_STRING_SHORT_PIECES = [u'User: {username}', u'PID: {pid}', u'Status: {status}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'UTMPX session'
SOURCE_SHORT = u'LOG'

plaso.formatters.windows module

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = u'windows:distributed_link_tracking:creation'
FORMAT_STRING_PIECES = [u'{uuid}', u'MAC address: {mac_address}', u'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = [u'{uuid}', u'Origin: {origin}']
SOURCE_LONG = u'System'
SOURCE_SHORT = u'LOG'
class plaso.formatters.windows.WindowsRegistryInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows installation event.

DATA_TYPE = u'windows:registry:installation'
FORMAT_STRING_PIECES = [u'{product_name}', u'{version}', u'{service_pack}', u'Owner: owner', u'Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = [u'{product_name}', u'{version}', u'{service_pack}', u'Origin: {key_path}']
SOURCE_LONG = u'System'
SOURCE_SHORT = u'LOG'
class plaso.formatters.windows.WindowsRegistryListEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows list event e.g. MRU or Jump list.

DATA_TYPE = u'windows:registry:list'
FORMAT_STRING_PIECES = [u'Key: {key_path}', u'Value: {value_name}', u'List: {list_name}', u'[{list_values}]']
SOURCE_LONG = u'System'
SOURCE_SHORT = u'LOG'
class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows network event.

DATA_TYPE = u'windows:registry:network'
FORMAT_STRING_PIECES = [u'SSID: {ssid}', u'Description: {description}', u'Connection Type: {connection_type}', u'Default Gateway Mac: {default_gateway_mac}', u'DNS Suffix: {dns_suffix}']
SOURCE_LONG = u'System: Network Connection'
SOURCE_SHORT = u'LOG'
class plaso.formatters.windows.WindowsVolumeCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = u'windows:volume:creation'
FORMAT_STRING_PIECES = [u'{device_path}', u'Serial number: 0x{serial_number:08X}', u'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = [u'{device_path}', u'Origin: {origin}']
SOURCE_LONG = u'System'
SOURCE_SHORT = u'LOG'

plaso.formatters.windows_timeline module

The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for generic Windows Timeline events.

DATA_TYPE = u'windows:timeline:generic'
FORMAT_STRING_PIECES = [u'Application Display Name: {application_display_name}', u'Package Identifier: {package_identifier}', u'Description: {description}']
FORMAT_STRING_SHORT_PIECES = [u'{package_identifier}']
SOURCE_LONG = u'Windows Timeline - Generic'
SOURCE_SHORT = u'Windows Timeline'
class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for User Engaged Windows Timeline events

DATA_TYPE = u'windows:timeline:user_engaged'
FORMAT_STRING_PIECES = [u'Package Identifier: {package_identifier}', u'Active Duration (seconds): {active_duration_seconds}', u'Reporting App: {reporting_app}']
FORMAT_STRING_SHORT_PIECES = [u'{package_identifier}']
SOURCE_LONG = u'Windows Timeline - User Engaged'
SOURCE_SHORT = u'Windows Timeline'

plaso.formatters.winevt module

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = u'windows:evt:record'
FORMAT_STRING_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Source Name: {source_name}', u'Message string: {message_string}', u'Strings: {strings}', u'Computer Name: {computer_name}', u'Severity: {severity}', u'Record Number: {record_number}', u'Event Type: {event_type}', u'Event Category: {event_category}']
FORMAT_STRING_SHORT_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Strings: {strings}']
GetEventTypeString(event_type)[source]

Retrieves a string representation of the event type.

Parameters:event_type (int) – event type.
Returns:description of the event type.
Return type:str
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
GetSeverityString(severity)[source]

Retrieves a string representation of the severity.

Parameters:severity (int) – severity.
Returns:description of the event severity.
Return type:str
SOURCE_LONG = u'WinEVT'
SOURCE_SHORT = u'EVT'

plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]

Bases: object

Class that defines a sqlite3 database file.

Close()[source]

Closes the database file.

Raises:RuntimeError – if the database is not opened.
GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters:
  • table_names (list[str]) – table names.
  • column_names (list[str]) – column names.
  • condition (str) – query condition such as “log_source == ‘Application Error’”.
Yields:

sqlite3.row – row.
Raises:

RuntimeError – if the database is not opened.
HasTable(table_name)[source]

Determines if a specific table exists.

Parameters:table_name (str) – table name.
Returns:True if the table exists.
Return type:bool
Raises:RuntimeError – if the database is not opened.
Open(filename, read_only=False)[source]

Opens the database file.

Parameters:
  • filename (str) – filename of the database.
  • read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.
Returns:

True if successful.
Return type:

bool
Raises:

RuntimeError – if the database is already opened.
class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]

Closes the database reader object.

Open(filename)[source]

Opens the database reader object.

Parameters:filename (str) – filename of the database.
Returns:True if successful.
Return type:bool
class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific Event Log source.

Parameters:
  • log_source (str) – Event Log source.
  • lcid (int) – language code identifier (LCID).
  • message_identifier (int) – message identifier.
Returns:

message string or None if not available.
Return type:

str
GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters:attribute_name (str) – name of the metadata attribute.
Returns:the metadata attribute or None.
Return type:str
Raises:RuntimeError – if more than one value is found in the database.
Open(filename)[source]

Opens the database reader object.

Parameters:filename (str) – filename of the database.
Returns:True if successful.
Return type:bool
Raises:RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = u'windows:evtx:record'
FORMAT_STRING_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Source Name: {source_name}', u'Message string: {message_string}', u'Strings: {strings}', u'Computer Name: {computer_name}', u'Record Number: {record_number}', u'Event Level: {event_level}']
FORMAT_STRING_SHORT_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Strings: {strings}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'WinEVTX'
SOURCE_SHORT = u'EVT'

plaso.formatters.winfirewall module

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = u'windows:firewall:log_entry'
FORMAT_STRING_PIECES = [u'{action}', u'[', u'{protocol}', u'{path}', u']', u'From: {source_ip}', u':{source_port}', u'>', u'{dest_ip}', u':{dest_port}', u'Size (bytes): {size}', u'Flags [{flags}]', u'TCP Seq Number: {tcp_seq}', u'TCP ACK Number: {tcp_ack}', u'TCP Window Size (bytes): {tcp_win}', u'ICMP type: {icmp_type}', u'ICMP code: {icmp_code}', u'Additional info: {info}']
FORMAT_STRING_SHORT_PIECES = [u'{action}', u'[{protocol}]', u'{source_ip}', u': {source_port}', u'>', u'{dest_ip}', u': {dest_port}']
SOURCE_LONG = u'Windows Firewall Log'
SOURCE_SHORT = u'LOG'

plaso.formatters.winjob module

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = u'windows:tasks:job'
FORMAT_STRING_PIECES = [u'Application: {application}', u'{parameters}', u'Scheduled by: {username}', u'Working directory: {working_directory}', u'Trigger type: {trigger_type}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Windows Scheduled Task Job'
SOURCE_SHORT = u'JOB'

plaso.formatters.winlnk module

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = u'windows:lnk:link'
FORMAT_STRING_PIECES = [u'[{description}]', u'File size: {file_size}', u'File attribute flags: 0x{file_attribute_flags:08x}', u'Drive type: {drive_type}', u'Drive serial number: 0x{drive_serial_number:08x}', u'Volume label: {volume_label}', u'Local path: {local_path}', u'Network path: {network_path}', u'cmd arguments: {command_line_arguments}', u'env location: {env_var_location}', u'Relative path: {relative_path}', u'Working dir: {working_directory}', u'Icon location: {icon_location}', u'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = [u'[{description}]', u'{linked_path}', u'{command_line_arguments}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Windows Shortcut'
SOURCE_SHORT = u'LNK'

plaso.formatters.winprefetch module

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = u'windows:prefetch:execution'
FORMAT_STRING_PIECES = [u'Prefetch', u'[{executable}] was executed -', u'run count {run_count}', u'path: {path}', u'hash: 0x{prefetch_hash:08X}', u'{volumes_string}']
FORMAT_STRING_SHORT_PIECES = [u'{executable} was run', u'{run_count} time(s)']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'WinPrefetch'
SOURCE_SHORT = u'LOG'

plaso.formatters.winreg module

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = u'windows:registry:key_value'
FORMAT_STRING = u'[{key_path}] {text}'
FORMAT_STRING_ALTERNATIVE = u'{text}'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
GetSources(event)[source]

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event.
Returns:short and long source string.
Return type:tuple(str, str)
Raises:WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Registry Key'
SOURCE_SHORT = u'REG'

plaso.formatters.winregservice module

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.winregservice.WinRegistryServiceFormatter[source]

Bases: plaso.formatters.winreg.WinRegistryGenericFormatter

Formatter for a Windows service event.

DATA_TYPE = u'windows:registry:service'
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

plaso.formatters.winrestore module

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Windows Restore Point information event.

DATA_TYPE = u'windows:restore_point:info'
FORMAT_STRING_PIECES = [u'{description}', u'Event type: {restore_point_event_type}', u'Restore point type: {restore_point_type}']
FORMAT_STRING_SHORT_PIECES = [u'{description}']
GetMessages(formatter_mediator, event)[source]

Determines the formatted message strings for an event object.

Parameters:
  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  • event (EventObject) – event.
Returns:

formatted message string and short message string.
Return type:

tuple(str, str)
Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.
SOURCE_LONG = u'Windows Restore Point'
SOURCE_SHORT = u'RP'

plaso.formatters.xchatlog module

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = u'xchat:log:line'
FORMAT_STRING_PIECES = [u'[nickname: {nickname}]', u'{text}']
SOURCE_LONG = u'XChat Log File'
SOURCE_SHORT = u'LOG'

plaso.formatters.xchatscrollback module

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = u'xchat:scrollback:line'
FORMAT_STRING_PIECES = [u'[', u'nickname: {nickname}', u']', u' {text}']
FORMAT_STRING_SEPARATOR = u''
SOURCE_LONG = u'XChat Scrollback File'
SOURCE_SHORT = u'LOG'

plaso.formatters.zeitgeist module

The Zeitgeist event formatter.

class plaso.formatters.zeitgeist.ZeitgeistFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Zeitgeist activity database event.

DATA_TYPE = u'zeitgeist:activity'
FORMAT_STRING = u'{subject_uri}'
SOURCE_LONG = u'Zeitgeist activity log'
SOURCE_SHORT = u'LOG'

plaso.formatters.zsh_extended_history module

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = u'shell:zsh:history'
FORMAT_STRING_PIECES = [u'{command}', u'Time elapsed: {elapsed_seconds} seconds']
FORMAT_STRING_SEPARATOR = u' '
FORMAT_STRING_SHORT_PIECES = [u'{command}']
SOURCE_LONG = u'Zsh Extended History'
SOURCE_SHORT = u'HIST'

Module contents

This file contains an import statement for each formatter.