plaso.formatters package

Submodules

plaso.formatters.chrome module

Google Chrome history custom event formatter helpers.

class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome history typed count formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_history_typed_count'

plaso.formatters.chrome_preferences module

Google Chrome preferences custom event formatter helpers.

class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome preferences primary URL formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_primary_url'
class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper[source]

Bases: CustomEventFormatterHelper

Google Chrome preferences secondary URL formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_secondary_url'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultEventFormatter[source]

Bases: BasicEventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'
FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_values}'
FORMAT_STRING_SHORT = '<DEFAULT> {attribute_values}'
__init__()[source]

Initializes a default event formatter.

plaso.formatters.file_system module

File system custom event formatter helpers.

class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS file reference formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_file_reference'
class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS parent file reference formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_parent_file_reference'
class plaso.formatters.file_system.NTFSPathHintsFormatterHelper[source]

Bases: CustomEventFormatterHelper

NTFS path hints formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_path_hints'

plaso.formatters.firefox module

Mozilla Firefox history custom event formatter helpers.

class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper[source]

Bases: CustomEventFormatterHelper

Mozilla Firefox history typed count formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_typed_count'
class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper[source]

Bases: CustomEventFormatterHelper

Mozilla Firefox history URL hidden formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_url_hidden'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)[source]

Bases: EventFormatter

Format event values using a message format string.

custom_helpers

identifiers of custom event formatter helpers.

Type:

list[str]

helpers

event formatter helpers.

Type:

list[EventFormatterHelper]

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns:

attribute names.

Return type:

set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

message.

Return type:

str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

short message.

Return type:

str

__init__(data_type='basic', format_string=None, format_string_short=None)[source]

Initializes a basic event formatter.

The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

Parameters:

  • data_type (Optional[str]) – unique identifier for the event data supported by the formatter.

  • format_string (Optional[str]) – (long) message format string.

  • format_string_short (Optional[str]) – short message format string.

class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]

Bases: EventFormatterHelper

Helper for formatting boolean event data.

input_attribute

name of the attribute that contains the boolean input value.

Type:

str

output_attribute

name of the attribute where the boolean output value should be stored.

Type:

str

value_if_false

output value if the boolean input value is False.

Type:

str

value_if_true

output value if the boolean input value is True.

Type:

str

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

__init__(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]

Initialized a helper for formatting boolean event data.

Parameters:

  • input_attribute (Optional[str]) – name of the attribute that contains the boolean input value.

  • output_attribute (Optional[str]) – name of the attribute where the boolean output value should be stored.

  • value_if_false (str) – output value if the boolean input value is False.

  • value_if_true (str) – output value if the boolean input value is True.

class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]

Bases: EventFormatter

Conditionally format event values using format string pieces.

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns:

attribute names.

Return type:

set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

message.

Return type:

str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

short message.

Return type:

str

__init__(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]

Initializes a conditional event formatter.

The syntax of the format strings pieces is similar to of the basic event formatter (BasicEventFormatter). Every format string piece should contain at maximum one unique attribute name. Format string pieces without an attribute name are supported.

Parameters:

  • data_type (Optional[str]) – unique identifier for the event data supported by the formatter.

  • format_string_pieces (Optional[list[str]]) – (long) message format string pieces.

  • format_string_separator (Optional[str]) – string by which separate format string pieces should be joined.

  • format_string_short_pieces (Optional[list[str]]) – short message format string pieces.

class plaso.formatters.interface.CustomEventFormatterHelper[source]

Bases: EventFormatterHelper

Base class for a helper for custom formatting of event data.

DATA_TYPE = ''
abstract FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = ''
class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]

Bases: EventFormatterHelper

Helper for formatting enumeration event data.

default

default value.

Type:

str

input_attribute

name of the attribute that contains the enumeration input value.

Type:

str

output_attribute

name of the attribute where the enumeration output value should be stored.

Type:

str

values

mapping of enumeration input and output values.

Type:

dict[str, str]

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

If default value is None and there is no corresponding enumeration value then the original value is used.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

__init__(default=None, input_attribute=None, output_attribute=None, values=None)[source]

Initialized a helper for formatting enumeration event data.

Parameters:

  • default (Optional[str]) – default value.

  • input_attribute (Optional[str]) – name of the attribute that contains the enumeration input value.

  • output_attribute (Optional[str]) – name of the attribute where the enumeration output value should be stored.

  • values (Optional[dict[str, str]]) – mapping of enumeration input and output values.

class plaso.formatters.interface.EventFormatter(data_type='internal')[source]

Bases: object

Base class to format event values.

custom_helpers

identifiers of custom event formatter helpers.

Type:

list[str]

helpers

event formatter helpers.

Type:

list[EventFormatterHelper]

source_mapping

short and (long) source mapping.

Type:

tuple[str, str]

AddCustomHelper(identifier, input_attribute=None, output_attribute=None)[source]

Adds a custom event formatter helper.

Parameters:

  • identifier (str) – identifier.

  • input_attribute (Optional[str]) – name of the attribute that contains the input value.

  • output_attribute (Optional[str]) – name of the attribute where the output value should be stored.

AddHelper(helper)[source]

Adds an event formatter helper.

Parameters:

helper (EventFormatterHelper) – event formatter helper to add.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

abstract GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns:

attribute names.

Return type:

set(str)

abstract GetMessage(event_values)[source]

Determines the message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

message.

Return type:

str

abstract GetMessageShort(event_values)[source]

Determines the short message.

Parameters:

event_values (dict[str, object]) – event values.

Returns:

short message.

Return type:

str

__init__(data_type='internal')[source]

Initializes an event formatter.

Parameters:

data_type (Optional[str]) – unique identifier for the event data supported by the formatter.

property data_type

unique identifier for the event data supported by the formatter.

Type:

str

class plaso.formatters.interface.EventFormatterHelper[source]

Bases: object

Base class of helper for formatting event data.

abstract FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)[source]

Bases: EventFormatterHelper

Helper for formatting flags event data.

input_attribute

name of the attribute that contains the flags input value.

Type:

str

output_attribute

name of the attribute where the flags output value should be stored.

Type:

str

values

mapping of flags input and output values.

Type:

dict[str, str]

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

__init__(input_attribute=None, output_attribute=None, values=None)[source]

Initialized a helper for formatting flags event data.

Parameters:

  • input_attribute (Optional[str]) – name of the attribute that contains the flags input value.

  • output_attribute (Optional[str]) – name of the attribute where the flags output value should be stored.

  • values (Optional[dict[str, str]]) – mapping of flags input and output values.

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.manager module

Manages custom event formatter helpers.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Custom event formatter helpers manager.

classmethod GetEventFormatterHelper(identifier)[source]

Retrieves a custom event formatter helper.

Parameters:

identifier (str) – identifier.

Returns:

custom event formatter or None if not

available.

Return type:

CustomEventFormatterHelper

classmethod RegisterEventFormatterHelper(formatter_helper_class)[source]

Registers a custom event formatter helper.

The custom event formatter helpers are identified based on their lower case identifier.

Parameters:

formatter_helper_class (type) – class of the custom event formatter helper.

Raises:

KeyError – if a custom formatter helper is already set for the corresponding identifier.

classmethod RegisterEventFormatterHelpers(formatter_helper_classes)[source]

Registers custom event formatter helpers.

The formatter classes are identified based on their lower case data type.

Parameters:

formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.

Raises:

KeyError – if a custom formatter helper is already set for the corresponding data type.

plaso.formatters.msiecf module

MSIE cache file custom event formatter helpers.

class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper[source]

Bases: CustomEventFormatterHelper

MSIE cache file cached path formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_cached_path'
class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper[source]

Bases: CustomEventFormatterHelper

MSIE cache file HTTP headers formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_http_headers'

plaso.formatters.shell_items module

Windows shell item custom event formatter helpers.

class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows shell item file entry formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'shell_item_file_entry_name'

plaso.formatters.winevt module

Windows EventLog custom event formatter helpers.

class plaso.formatters.winevt.WindowsEventLogMessageFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows EventLog message formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_eventlog_message'
__init__()[source]

Initialized a indows EventLog message formatter helper.

plaso.formatters.winlnk module

Windows Shortcut (LNK) custom event formatter helpers.

class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Shortcut (LNK) linked path formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_shortcut_linked_path'

plaso.formatters.winprefetch module

Windows Prefetch custom event formatter helpers.

class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Prefetch path hints formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_path_hints'
class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Prefetch volumes string formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_volumes_string'

plaso.formatters.winreg module

Windows Registry custom event formatter helpers.

class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper[source]

Bases: CustomEventFormatterHelper

Windows Registry values formatter helper.

FormatEventValues(output_mediator, event_values)[source]

Formats event values using the helper.

Parameters:

  • output_mediator (OutputMediator) – output mediator.

  • event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_registry_values'

plaso.formatters.yaml_formatters_file module

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatter definitions. An event formatter definition consists of:

type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’ short_source: ‘FILE’ source: ‘File stat’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

  • data_type, defines the corresponding event data type;

  • message, defines a list of message string pieces;

  • separator, defines the message and short message string pieces separator;

  • short_message, defines the short message string pieces;

  • short_source, defines the short source description;

  • source, defines the source description.

ReadFromFile(path)[source]

Reads the event formatters from a YAML file.

Parameters:

path (str) – path to a formatters file.

Yields:

EventFormatter – an event formatter.

Module contents

This file contains an import statement for each formatter.