plaso.formatters package

Submodules

plaso.formatters.amcache module

The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Windows Registry event.

DATA_TYPE = 'windows:registry:amcache'
FORMAT_STRING_PIECES = ['path: {full_path}', 'sha1: {sha1}', 'productname: {productname}', 'companyname: {companyname}', 'fileversion: {fileversion}', 'languagecode: {languagecode}', 'filesize: {filesize}', 'filedescription: {filedescription}', 'linkerts: {linkerts}', 'lastmodifiedts: {lastmodifiedts}', 'createdts: {createdts}', 'programid: {programid}']
FORMAT_STRING_SHORT_PIECES = ['path: {full_path}']
SOURCE_LONG = 'Amcache Registry Entry'
SOURCE_SHORT = 'AMCACHE'
class plaso.formatters.amcache.AmcacheProgramsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Programs Windows Registry event.

DATA_TYPE = 'windows:registry:amcache:programs'
FORMAT_STRING_PIECES = ['name: {name}', 'version: {version}', 'publisher: {publisher}', 'languagecode: {languagecode}', 'entrytype: {entrytype}', 'uninstallkey: {uninstallkey}', 'filepaths: {filepaths}', 'productcode: {productcode}', 'packagecode: {packagecode}', 'msiproductcode: {msiproductcode}', 'msipackagecode: {msipackagecode}', 'files: {files}']
FORMAT_STRING_SHORT_PIECES = ['name: {name}']
SOURCE_LONG = 'Amcache Programs Registry Entry'
SOURCE_SHORT = 'AMCACHEPROGRAM'

plaso.formatters.android_app_usage module

The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Application Last Resumed event.

DATA_TYPE = 'android:event:last_resume_time'
FORMAT_STRING_PIECES = ['Package: {package}', 'Component: {component}']
SOURCE_LONG = 'Android App Usage'
SOURCE_SHORT = 'LOG'

plaso.formatters.android_calls module

The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android call history event.

DATA_TYPE = 'android:event:call'
FORMAT_STRING_PIECES = ['{call_type}', 'Number: {number}', 'Name: {name}', 'Duration: {duration} seconds']
FORMAT_STRING_SHORT_PIECES = ['{call_type} Call']
SOURCE_LONG = 'Android Call History'
SOURCE_SHORT = 'LOG'

plaso.formatters.android_sms module

The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android SMS event.

DATA_TYPE = 'android:messaging:sms'
FORMAT_STRING_PIECES = ['Type: {sms_type}', 'Address: {address}', 'Status: {sms_read}', 'Message: {body}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
SOURCE_LONG = 'Android SMS messages'
SOURCE_SHORT = 'SMS'

plaso.formatters.android_webview module

The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebView Cookie event data.

DATA_TYPE = 'webview:cookie'
FORMAT_STRING_PIECES = ['Domain: {domain}', 'Path: {path}', 'Cookie name: {name}', 'Value: {value}', 'Secure: {secure}']
FORMAT_STRING_SHORT_PIECES = ['{domain}', '{name}', '{value}']
SOURCE_LONG = 'Android WebView'
SOURCE_SHORT = 'WebView'

plaso.formatters.android_webviewcache module

The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebViewCache event data.

DATA_TYPE = 'android:webviewcache'
FORMAT_STRING_PIECES = ['URL: {url}', 'Content Length: {content_length}']
FORMAT_STRING_SHORT_PIECES = ['{url}']
SOURCE_LONG = 'Android WebViewCache'
SOURCE_SHORT = 'WebViewCache'

plaso.formatters.apache_access module

Apache access log file event formatter.

class plaso.formatters.apache_access.ApacheAccessFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a apache access log event.

DATA_TYPE = 'apache:access'
FORMAT_STRING_PIECES = ['http_request: {http_request}', 'from: {ip_address}', 'code: {http_response_code}', 'referer: {http_request_referer}', 'user_agent: {http_request_user_agent}', 'server_name: {server_name}', 'port: {port_number}']
FORMAT_STRING_SHORT_PIECES = ['{http_request}', 'from: {ip_address}']
SOURCE_LONG = 'Apache Access'
SOURCE_SHORT = 'LOG'

plaso.formatters.appcompatcache module

The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an AppCompatCache Windows Registry event.

DATA_TYPE = 'windows:registry:appcompatcache'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Cached entry: {entry_index}', 'Path: {path}']
FORMAT_STRING_SHORT_PIECES = ['Path: {path}']
SOURCE_LONG = 'AppCompatCache Registry Entry'
SOURCE_SHORT = 'REG'

plaso.formatters.appusage module

The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MacOS Application usage event.

DATA_TYPE = 'macosx:application_usage'
FORMAT_STRING = '{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'
FORMAT_STRING_SHORT = '{application} ({count} time(s))'
SOURCE_LONG = 'Application Usage'
SOURCE_SHORT = 'LOG'

plaso.formatters.apt_history module

Advanced Packaging Tool (APT) History log event formatter.

class plaso.formatters.apt_history.APTHistoryLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an APT History log file event.

DATA_TYPE = 'apt:history:line'
FORMAT_STRING_PIECES = ['{packages}', '[{command}]', '[{error}]', '[{requester}]']
FORMAT_STRING_SHORT_PIECES = ['{packages}']
SOURCE_LONG = 'APT History Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.asl module

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = 'mac:asl:event'
FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']
FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'ASL entry'
SOURCE_SHORT = 'LOG'

plaso.formatters.bagmru module

The BagMRU event formatter.

class plaso.formatters.bagmru.BagMRUEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a BagMRU event.

DATA_TYPE = 'windows:registry:bagmru'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : BagMRU'
SOURCE_SHORT = 'REG'

plaso.formatters.bam module

The Windows Registry Background Activity Moderator event formatter.

class plaso.formatters.bam.BackgroundActivityModeratorFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Background Activity Moderator Windows Registry event.

DATA_TYPE = 'windows:registry:bam'
FORMAT_STRING_PIECES = ['{binary_path}', '[{user_sid}]']
FORMAT_STRING_SHORT_PIECES = ['{binary_path}']
SOURCE_LONG = 'Background Activity Moderator Registry Entry'
SOURCE_SHORT = 'REG'

plaso.formatters.bash_history module

The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for Bash history events.

DATA_TYPE = 'bash:history:command'
FORMAT_STRING = 'Command executed: {command}'
FORMAT_STRING_SHORT = '{command}'
SOURCE_LONG = 'Bash History'
SOURCE_SHORT = 'LOG'

plaso.formatters.bencode_parser module

The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Transmission active torrents event.

DATA_TYPE = 'p2p:bittorrent:transmission'
FORMAT_STRING_PIECES = ['Saved to {destination}', 'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = '; '
SOURCE_LONG = 'Transmission Active Torrents'
SOURCE_SHORT = 'TORRENT'
class plaso.formatters.bencode_parser.UTorrentEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BitTorrent uTorrent active torrents event.

DATA_TYPE = 'p2p:bittorrent:utorrent'
FORMAT_STRING_PIECES = ['Torrent {caption}', 'Saved to {path}', 'Minutes seeded: {seedtime}']
FORMAT_STRING_SEPARATOR = '; '
SOURCE_LONG = 'uTorrent Active Torrents'
SOURCE_SHORT = 'TORRENT'

plaso.formatters.bsm module

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = 'bsm:event'
FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']
FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'BSM entry'
SOURCE_SHORT = 'LOG'

plaso.formatters.ccleaner module

The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerConfigurationEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a CCleaner configuration event.

DATA_TYPE = 'ccleaner:configuration'
FORMAT_STRING = '[{key_path}] {configuration}'
FORMAT_STRING_ALTERNATIVE = '{configuration}'
SOURCE_LONG = 'Registry Key : CCleaner Registry key'
SOURCE_SHORT = 'REG'
class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CCleaner update event.

DATA_TYPE = 'ccleaner:update'
FORMAT_STRING_PIECES = ['Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = ['Origin: {key_path}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'

plaso.formatters.chrome module

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = 'chrome:history:file_downloaded'
FORMAT_STRING_PIECES = ['{url}', '({full_path}).', 'Received: {received_bytes} bytes', 'out of: {total_bytes} bytes.']
FORMAT_STRING_SHORT_PIECES = ['{full_path} downloaded', '({received_bytes} bytes)']
SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.chrome.ChromePageVisitedFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = 'chrome:history:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_autofill module

The Google Chrome autofill database event formatter.

class plaso.formatters.chrome_autofill.ChromeAutofillFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome autofill event.

DATA_TYPE = 'chrome:autofill:entry'
FORMAT_STRING_PIECES = ['Form field name: {field_name}', 'Entered value: {value}', 'Times used: {usage_count}']
FORMAT_STRING_SHORT_PIECES = ['{field_name}:', '{value}', '({usage_count})']
SOURCE_LONG = 'Chrome Autofill'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_cache module

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = 'chrome:cache:entry'
FORMAT_STRING_PIECES = ['Original URL: {original_url}']
SOURCE_LONG = 'Chrome Cache'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_cookies module

The Google Chrome cookies database event formatter.

class plaso.formatters.chrome_cookies.ChromeCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome cookie event.

DATA_TYPE = 'chrome:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only] = {httponly}', '[Persistent] = {persistent}']
FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']
SOURCE_LONG = 'Chrome Cookies'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_extension_activity module

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = 'chrome:extension_activity:activity_log'
FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type}', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']
FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Extension Activity'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_preferences module

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']
FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Chrome Permission Event'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension installation event.

DATA_TYPE = 'chrome:preferences:extension_installation'
FORMAT_STRING_PIECES = ['CRX ID: {extension_id}', 'CRX Name: {extension_name}', 'Path: {path}']
FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{path}']
SOURCE_LONG = 'Chrome Extension Installation'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome Extensions Autoupdater events.

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
FORMAT_STRING_PIECES = ['{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'Chrome Extensions Autoupdater'
SOURCE_SHORT = 'LOG'
class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome history clearing events.

DATA_TYPE = 'chrome:preferences:clear_history'
FORMAT_STRING_PIECES = ['{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'Chrome History Deletion'
SOURCE_SHORT = 'LOG'

plaso.formatters.cron module

The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog cron task run event.

DATA_TYPE = 'syslog:cron:task_run'
FORMAT_STRING_PIECES = ['Cron ran: {command}', 'for user: {username}', 'pid: {pid}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'Cron log'
SOURCE_SHORT = 'LOG'

plaso.formatters.cups_ipp module

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = 'cups:ipp:event'
FORMAT_STRING_PIECES = ['Status: {status}', 'User: {user}', 'Owner: {owner}', 'Job Name: {job_name}', 'Application: {application}', 'Document type: {type_doc}', 'Printer: {printer_id}']
FORMAT_STRING_SHORT_PIECES = ['Status: {status}', 'Job Name: {job_name}']
SOURCE_LONG = 'CUPS IPP Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'
FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

plaso.formatters.docker module

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = 'docker:json'
FORMAT_STRING_SHORT_PIECES = ['{id}']
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = 'docker:json:container'
FORMAT_STRING_PIECES = ['Action: {action}', 'Container Name: {container_name}', 'Container ID: {container_id}']
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Container'
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerContainerLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event

DATA_TYPE = 'docker:json:container:log'
FORMAT_STRING_PIECES = ('Text: {log_line}', 'Container ID: {container_id}', 'Source: {log_source}')
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Container Logs'
SOURCE_SHORT = 'DOCKER'
class plaso.formatters.docker.DockerLayerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = 'docker:json:layer'
FORMAT_STRING_PIECES = ('Command: {command}', 'Layer ID: {layer_id}')
FORMAT_STRING_SEPARATOR = ', '
SOURCE_LONG = 'Docker Layer'
SOURCE_SHORT = 'DOCKER'

plaso.formatters.dpkg module

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = 'dpkg:line'
FORMAT_STRING_PIECES = ['{body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'dpkg log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.file_history module

The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a file history ESE database namespace table record.

DATA_TYPE = 'file_history:namespace:event'
FORMAT_STRING_PIECES = ['Filename: {original_filename}', 'Identifier: {identifier}', 'Parent Identifier: {parent_identifier}', 'Attributes: {file_attribute}', 'USN number: {usn_number}']
FORMAT_STRING_SHORT_PIECES = ['Filename: {original_filename}']
SOURCE_LONG = 'File History Namespace'
SOURCE_SHORT = 'LOG'

plaso.formatters.file_system module

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = 'fs:stat'
FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']
FORMAT_STRING_SHORT_PIECES = ['{filename}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]

Determines the the short and long source for an event.

Parameters
Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'
class plaso.formatters.file_system.NTFSFileStatEventFormatter[source]

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = 'fs:stat:ntfs'
FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})', 'Path hints: {path_hints}']
FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{attribute_name}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'
class plaso.formatters.file_system.NTFSUSNChangeEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = 'fs:ntfs:usn_change'
FORMAT_STRING_PIECES = ['{filename}', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']
FORMAT_STRING_SHORT_PIECES = ['{filename}', '{file_reference}', '{update_reason}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FILE'

plaso.formatters.firefox module

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = 'firefox:places:bookmark_annotation'
FORMAT_STRING_PIECES = ['Bookmark Annotation: [{content}]', 'to bookmark [{title}]', '({url})']
FORMAT_STRING_SHORT_PIECES = ['Bookmark Annotation: {title}']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = 'firefox:places:bookmark_folder'
FORMAT_STRING = '{title}'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxBookmarkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = 'firefox:places:bookmark'
FORMAT_STRING_PIECES = ['Bookmark {type}', '{title}', '({url})', '[{places_title}]', 'visit count {visit_count}']
FORMAT_STRING_SHORT_PIECES = ['Bookmarked {title}', '({url})']
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxDowloadFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = 'firefox:downloads:download'
FORMAT_STRING = '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'
FORMAT_STRING_SHORT = '{full_path} downloaded ({received_bytes} bytes)'
SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.firefox.FirefoxPageVisitFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = 'firefox:places:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']
FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Firefox History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cache module

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = 'firefox:cache:record'
FORMAT_STRING_PIECES = ['Fetched {fetch_count} time(s)', '[{response_code}]', '{request_method}', '"{url}"']
FORMAT_STRING_SHORT_PIECES = ['[{response_code}]', '{request_method}', '"{url}"']
SOURCE_LONG = 'Firefox Cache'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cookies module

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = 'firefox:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Flags:', '[HTTP only]: {httponly}', '(GA analysis: {ga_data})']
FORMAT_STRING_SHORT_PIECES = ['{host}', '({cookie_name})']
SOURCE_LONG = 'Firefox Cookies'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.fseventsd module

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = 'macos:fseventsd:record'
FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']
FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_SHORT = 'FSEVENT'

plaso.formatters.ganalytics module

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utma'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Visitor ID: {visitor_id}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']
SOURCE_LONG = 'Google Analytics Cookies'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmb'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Pages Viewed: {pages_viewed}', 'Domain Hash: {domain_hash}']
class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmt'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})']
class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter[source]

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = 'cookie:google:analytics:utmz'
FORMAT_STRING_PIECES = ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Sources: {sources}', 'Last source used to access: {utmcsr}', 'Ad campaign information: {utmccn}', 'Last type of visit: {utmcmd}', 'Keywords used to find site: {utmctr}', 'Path to the page of referring link: {utmcct}']

plaso.formatters.gdrive module

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = 'gdrive:snapshot:cloud_entry'
FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
FORMAT_STRING_SHORT_PIECES = ['{path}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Drive (cloud entry)'
SOURCE_SHORT = 'LOG'
class plaso.formatters.gdrive.GDriveLocalEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = 'gdrive:snapshot:local_entry'
FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']
FORMAT_STRING_SHORT_PIECES = ['{path}']
SOURCE_LONG = 'Google Drive (local entry)'
SOURCE_SHORT = 'LOG'

plaso.formatters.gdrive_synclog module

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = 'gdrive_sync:log:line'
FORMAT_STRING_PIECES = ['[{log_level}', '{pid}', '{thread}', '{source_code}]', '{message}']
FORMAT_STRING_SHORT_PIECES = ['{message}']
SOURCE_LONG = 'GoogleDriveSync Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.hangouts_messages module

The Google Hangouts messages database event formatter.

class plaso.formatters.hangouts_messages.HangoutsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Hangouts message event.

DATA_TYPE = 'android:messaging:hangouts'
FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters
Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Google Hangouts Message'
SOURCE_SHORT = 'HANGOUTS'
VALUE_FORMATTERS = {'message_status': <function HangoutsFormatter.<lambda>>, 'message_type': <function HangoutsFormatter.<lambda>>}

plaso.formatters.iis module

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = 'iis:log:line'
FORMAT_STRING_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']', 'HTTP Status: {http_status}', 'Bytes Sent: {sent_bytes}', 'Bytes Received: {received_bytes}', 'User Agent: {user_agent}', 'Protocol Version: {protocol_version}']
FORMAT_STRING_SHORT_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']']
SOURCE_LONG = 'IIS Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.imessage module

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = 'imessage:event:chat'
FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']
FORMAT_STRING_SHORT_PIECES = ['{text}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Apple iMessage Application'
SOURCE_SHORT = 'iMessage'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = ['']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['']
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.interface.EventFormatter[source]

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

DATA_TYPE = 'internal'
FORMAT_STRING = ''
FORMAT_STRING_SHORT = ''
GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns

attribute names.

Return type

set(str)

GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]

Determines the the short and long source for an event.

Parameters
Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = ''
SOURCE_SHORT = 'LOG'

plaso.formatters.ipod module

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = 'ipod:device:entry'
FORMAT_STRING_PIECES = ['Device ID: {device_id}', 'Type: {device_class}', '[{family_id}]', 'Connected {use_count} times', 'Serial nr: {serial_number}', 'IMEI [{imei}]']
SOURCE_LONG = 'iPod Connections'
SOURCE_SHORT = 'LOG'

plaso.formatters.java_idx module

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Java WebStart Cache IDX download event.

DATA_TYPE = 'java:download:idx'
FORMAT_STRING_PIECES = ['IDX Version: {idx_version}', 'Host IP address: ({ip_address})', 'Download URL: {url}']
SOURCE_LONG = 'Java Cache IDX'
SOURCE_SHORT = 'JAVA_IDX'

plaso.formatters.kik_ios module

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = 'ios:kik:messaging'
FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Kik iOS messages'
SOURCE_SHORT = 'Kik iOS'

plaso.formatters.kodi module

The Kodi MyVideos database event formatter.

class plaso.formatters.kodi.KodiFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Kodi Video event.

DATA_TYPE = 'kodi:videos:viewing'
FORMAT_STRING_PIECES = ['Video: {filename}', 'Play Count: {play_count}']
FORMAT_STRING_SHORT_PIECES = ['{filename}']
SOURCE_LONG = 'Kodi Video Viewed'
SOURCE_SHORT = 'KODI'

plaso.formatters.lfu module

Event formatters for the Less Frequently Used Keys.

class plaso.formatters.lfu.WindowsBootExecuteFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Boot Execute event.

DATA_TYPE = 'windows:registry:boot_execute'
FORMAT_STRING = '[{key_path}] BootExecute: {value}'
FORMAT_STRING_ALTERNATIVE = 'BootExecute: {value}'
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'
class plaso.formatters.lfu.WindowsBootVerificationFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Boot Verification event.

DATA_TYPE = 'windows:registry:boot_verification'
FORMAT_STRING = '[{key_path}] ImagePath: {image_path}'
FORMAT_STRING_ALTERNATIVE = 'ImagePath: {image_path}'
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.ls_quarantine module

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = 'macosx:lsquarantine'
FORMAT_STRING_PIECES = ['[{agent}]', 'Downloaded: {url}', '<{data}>']
FORMAT_STRING_SHORT_PIECES = ['{url}']
SOURCE_LONG = 'LS Quarantine Event'
SOURCE_SHORT = 'LOG'

plaso.formatters.mac_appfirewall module

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for MacOS appfirewall.log file event.

DATA_TYPE = 'mac:appfirewall:line'
FORMAT_STRING_PIECES = ['Computer: {computer_name}', 'Agent: {agent}', 'Status: {status}', 'Process name: {process_name}', 'Log: {action}']
FORMAT_STRING_SHORT_PIECES = ['Process name: {process_name}', 'Status: {status}']
SOURCE_LONG = 'Mac AppFirewall Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.mac_document_versions module

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = 'mac:document_versions:file'
FORMAT_STRING_PIECES = ['Version of [{name}]', '({path})', 'stored in {version_path}', 'by {user_sid}']
FORMAT_STRING_SHORT_PIECES = ['Stored a document version of [{name}]']
SOURCE_LONG = 'Document Versions'
SOURCE_SHORT = 'HISTORY'

plaso.formatters.mac_keychain module

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = 'mac:keychain:application'
FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}']
FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
SOURCE_LONG = 'Keychain Application password'
SOURCE_SHORT = 'LOG'
class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = 'mac:keychain:internet'
FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}', 'Where: {where}', 'Protocol: {protocol}', '({type_protocol})']
FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
SOURCE_LONG = 'Keychain Internet password'
SOURCE_SHORT = 'LOG'

plaso.formatters.mac_knowledgec module

The MacOS KnowledgeC datbase event formatters.

class plaso.formatters.mac_knowledgec.MacKnowledgeCApplicationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC application event.

DATA_TYPE = 'mac:knowledgec:application'
FORMAT_STRING_PIECES = ['Application {bundle_identifier} executed', 'for {duration} seconds']
FORMAT_STRING_SHORT_PIECES = ['Application {bundle_identifier}']
SOURCE_LONG = 'KnowledgeC Application'
SOURCE_SHORT = 'LOG'
class plaso.formatters.mac_knowledgec.MacKnowledgeCSafariFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS KnowledgeC Safari event.

DATA_TYPE = 'mac:knowledgec:safari'
FORMAT_STRING_PIECES = ['Visited: {url}', '({title})', 'Duration: {duration}']
FORMAT_STRING_SHORT_PIECES = ['Safari: {url}']
SOURCE_LONG = 'KnowledgeC Safari'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.mac_notes module

The Mac Notes event formatter.

class plaso.formatters.mac_notes.MacNotesNotesFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Mac Notes record

DATA_TYPE = 'mac:notes:note'
FORMAT_STRING_PIECES = ['title:{title}', 'note_text:{text}']
FORMAT_STRING_SHORT_PIECES = ['title:{title}']
SOURCE_LONG = 'Mac Notes'
SOURCE_SHORT = 'Mac Note'

plaso.formatters.mac_notificationcenter module

The MacOS Notification Center event formatter.

class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Notification Center event.

DATA_TYPE = 'mac:notificationcenter:db'
FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Notification Center'
SOURCE_SHORT = 'NOTIFICATION'

plaso.formatters.mac_securityd module

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = 'mac:securityd:line'
FORMAT_STRING_PIECES = ['Sender: {sender}', '({sender_pid})', 'Level: {level}', 'Facility: {facility}', 'Text: {message}']
FORMAT_STRING_SHORT_PIECES = ['Text: {message}']
SOURCE_LONG = 'Mac Securityd Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.mac_wifi module

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = 'mac:wifilog:line'
FORMAT_STRING_PIECES = ['Action: {action}', 'Agent: {agent}', '({function})', 'Log: {text}']
FORMAT_STRING_SHORT_PIECES = ['Action: {action}']
SOURCE_LONG = 'Mac Wifi Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.mackeeper_cache module

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = 'mackeeper:cache'
FORMAT_STRING_PIECES = ['{description}', '<{event_type}>', ':', '{text}', '[', 'URL: {url}', 'Event ID: {record_id}', 'Room: {room}', ']']
FORMAT_STRING_SHORT_PIECES = ['<{event_type}>', '{text}']
SOURCE_LONG = 'MacKeeper Cache'
SOURCE_SHORT = 'LOG'

plaso.formatters.mactime module

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = 'fs:mactime:line'
FORMAT_STRING = '{filename}'
SOURCE_LONG = 'Mactime Bodyfile'
SOURCE_SHORT = 'FILE'

plaso.formatters.manager module

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)[source]

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_class (type) – class of the formatter.

Raises

KeyError – if formatter class is not set for the corresponding data type.

classmethod GetFormatterObject(data_type)[source]

Retrieves the formatter object for a specific data type.

Parameters

data_type (str) – data type.

Returns

corresponding formatter or the default formatter if

not available.

Return type

EventFormatter

classmethod GetMessageStrings(formatter_mediator, event_data)[source]

Retrieves the formatted message strings for a specific event.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

long and short version of the message string.

Return type

list[str, str]

classmethod GetSourceStrings(event, event_data)[source]

Retrieves the formatted source strings for a specific event.

Parameters
Returns

short and long version of the source of the event.

Return type

list[str, str]

classmethod GetUnformattedAttributes(event_data)[source]

Retrieves names of the event data attributes that are not formatted.

Parameters

event_data (EventData) – event data.

Returns

names of the event data attributes that are not formatted.

Return type

list[str]

classmethod RegisterFormatter(formatter_class)[source]

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_class (type) – class of the formatter.

Raises

KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatters(formatter_classes)[source]

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters

formatter_classes (list[type]) – classes of the formatters.

Raises

KeyError – if formatter class is already set for the corresponding data type.

plaso.formatters.mcafeeav module

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = 'av:mcafee:accessprotectionlog'
FORMAT_STRING_PIECES = ['File Name: {filename}', 'User: {username}', '{trigger_location}', '{status}', '{rule}', '{action}']
FORMAT_STRING_SHORT_PIECES = ['{filename}', '{action}']
SOURCE_LONG = 'McAfee Access Protection Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.mediator module

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)[source]

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'
DEFAULT_LCID = 1033
GetWindowsEventMessage(log_source, message_identifier)[source]

Retrieves the message string for a specific Windows Event Log source.

Parameters

  • log_source (str) – Event Log source, such as “Application Error”.

  • message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

SetPreferredLanguageIdentifier(language_identifier)[source]

Sets the preferred language identifier.

Parameters

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises

  • KeyError – if the language identifier is not defined.

  • ValueError – if the language identifier is not a string type.

lcid

preferred Language Code identifier (LCID).

Type

int

plaso.formatters.mountpoints module

Event formatter for the MountPoints2 key.

class plaso.formatters.mountpoints.MountPoints2Formatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Boot Execute event.

DATA_TYPE = 'windows:registry:mount_points2'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Label: {label}', 'Remote_Server: {server_name}', 'Share_Name: {share_name}', 'Type: {type}', 'Volume: {name}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Label: {label}', 'Remote_Server: {server_name}', 'Share_Name: {share_name}', 'Type: {type}', 'Volume: {name}']
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.mrulist module

The MRUList event formatter.

class plaso.formatters.mrulist.MRUListEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MRUList event.

DATA_TYPE = 'windows:registry:mrulist'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : MRU List'
SOURCE_SHORT = 'REG'

plaso.formatters.mrulistex module

The MRUListEx event formatter.

class plaso.formatters.mrulistex.MRUListExEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MRUListEx event.

DATA_TYPE = 'windows:registry:mrulistex'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : MRUListEx'
SOURCE_SHORT = 'REG'

plaso.formatters.msie_webcache module

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = 'msie:webcache:container'
FORMAT_STRING_PIECES = ['URL: {url}', 'Redirect URL: {redirect_url}', 'Access count: {access_count}', 'Sync count: {sync_count}', 'Filename: {cached_filename}', 'File extension: {file_extension}', 'Cached file size: {cached_file_size}', 'Request headers: {request_headers}', 'Response headers: {response_headers}', 'Entry identifier: {entry_identifier}', 'Container identifier: {container_identifier}', 'Cache identifier: {cache_identifier}']
FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
SOURCE_LONG = 'MSIE WebCache container record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = 'msie:webcache:containers'
FORMAT_STRING_PIECES = ['Name: {name}', 'Directory: {directory}', 'Table: Container_{container_identifier}', 'Container identifier: {container_identifier}', 'Set identifier: {set_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache containers record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = 'msie:webcache:leak_file'
FORMAT_STRING_PIECES = ['Filename: {cached_filename}', 'Leak identifier: {leak_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Filename: {cached_filename}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = 'msie:webcache:partitions'
FORMAT_STRING_PIECES = ['Partition identifier: {partition_identifier}', 'Partition type: {partition_type}', 'Directory: {directory}', 'Table identifier: {table_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
SOURCE_LONG = 'MSIE WebCache partitions record'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.msie_zones module

The MSIE zone settings event formatter.

class plaso.formatters.msie_zones.MSIEZoneSettingsEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MSIE zone settings event.

DATA_TYPE = 'windows:registry:msie_zone_settings'
FORMAT_STRING = '[{key_path}] {settings}'
FORMAT_STRING_ALTERNATIVE = '{settings}'
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.msiecf module

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = 'msiecf:leak'
FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File leak record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msiecf.MsiecfRedirectedFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = 'msiecf:redirected'
FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}']
SOURCE_LONG = 'MSIE Cache File redirected record'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.msiecf.MsiecfUrlFormatter[source]

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = 'msiecf:url'
FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']
SOURCE_LONG = 'MSIE Cache File URL record'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.network_drives module

The Network drive event formatter.

class plaso.formatters.network_drives.NetworkDriveEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Network drive event.

DATA_TYPE = 'windows:registry:network_drive'
FORMAT_STRING_PIECES = ['[{key_path}]', 'DriveLetter: {drive_letter}', 'RemoteServer: {server_name}', 'ShareName: {share_name}', 'Type: Mapped Drive']
SOURCE_LONG = 'Registry Key : Network Drive'
SOURCE_SHORT = 'REG'

plaso.formatters.networkminer module

The NetworkMiner file event formatter.

class plaso.formatters.networkminer.NetworkminerEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for NetworkMiner’s fileinfo Log event.

DATA_TYPE = 'networkminer:fileinfos:file'
FORMAT_STRING_PIECES = ['Source IP: {source_ip}', 'Source Port: {source_port}', 'Destination IP: {destination_ip}', 'Destination Port: {destination_port}', '{filename}', '{file_path}', '{file_size}', '{file_md5}', '{file_details}']
FORMAT_STRING_SHORT_PIECES = ['Source IP: {source_ip}', 'Destination IP: {destination_ip}', '{filename}', '{file_path}', '{file_md5}']
SOURCE_LONG = 'NetworkMiner fileinfos'
SOURCE_SHORT = 'NetworkMiner'

plaso.formatters.officemru module

The Microsoft Office MRU Windows Registry event formatter.

class plaso.formatters.officemru.OfficeMRUListWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a BagMRU event.

DATA_TYPE = 'windows:registry:office_mru_list'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : Microsoft Office MRU'
SOURCE_SHORT = 'REG'
class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft Office MRU Windows Registry event.

DATA_TYPE = 'windows:registry:office_mru'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Value: {value_string}']
FORMAT_STRING_SHORT_PIECES = ['{value_string}']
SOURCE_LONG = 'Registry Key: Microsoft Office MRU'
SOURCE_SHORT = 'REG'

plaso.formatters.olecf module

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = 'olecf:dest_list:entry'
FORMAT_STRING_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']
FORMAT_STRING_SHORT_PIECES = ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = 'olecf:document_summary_info'
FORMAT_STRING_PIECES = ['Number of bytes: {number_of_bytes}', 'Number of lines: {number_of_lines}', 'Number of paragraphs: {number_of_paragraphs}', 'Number of slides: {number_of_slides}', 'Number of notes: {number_of_notes}', 'Number of hidden slides: {number_of_hidden_slides}', 'Number of multi-media clips: {number_of_clips}', 'Company: {company}', 'Manager: {manager}', 'Shared document: {shared_document}', 'Application version: {application_version}', 'Content type: {content_type}', 'Content status: {content_status}', 'Language: {language}', 'Document version: {document_version}']
FORMAT_STRING_SHORT_PIECES = ['Company: {company}']
SOURCE_LONG = 'OLECF Document Summary Info'
SOURCE_SHORT = 'OLECF'
class plaso.formatters.olecf.OLECFItemFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = 'olecf:item'
FORMAT_STRING = 'Name: {name}'
FORMAT_STRING_SHORT = 'Name: {name}'
SOURCE_LONG = 'OLECF Item'
SOURCE_SHORT = 'OLECF'
class plaso.formatters.olecf.OLECFSummaryInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = 'olecf:summary_info'
FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'OLECF Summary Info'
SOURCE_SHORT = 'OLECF'

plaso.formatters.opera module

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = 'opera:history:entry'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[{description}]']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.opera.OperaTypedHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = 'opera:history:typed_entry'
FORMAT_STRING_PIECES = ['{url}', '({entry_selection})']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.outlook module

The Outlook search MRU event formatter.

class plaso.formatters.outlook.OutlookSearchMRUEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Outlook search MRU event.

DATA_TYPE = 'windows:registry:outlook_search_mru'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : PST Paths'
SOURCE_SHORT = 'REG'

plaso.formatters.oxml module

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = 'metadata:openxml'
FORMAT_STRING_PIECES = ['Creating App: {creating_app}', 'App version: {app_version}', 'Title: {title}', 'Subject: {subject}', 'Last saved by: {last_saved_by}', 'Author: {author}', 'Total edit time (secs): {total_edit_time}', 'Keywords: {keywords}', 'Comments: {comments}', 'Revision number: {revision_number}', 'Template: {template}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Number of characters with spaces: {number_of_characters_with_spaces}', 'Number of lines: {number_of_lines}', 'Company: {company}', 'Manager: {manager}', 'Shared: {shared}', 'Security: {security}', 'Hyperlinks changed: {hyperlinks_changed}', 'Links up to date: {links_up_to_date}', 'Scale crop: {scale_crop}', 'Digital signature: {dig_sig}', 'Slides: {slides}', 'Hidden slides: {hidden_slides}', 'Presentation format: {presentation_format}', 'MM clips: {mm_clips}', 'Notes: {notes}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}']
SOURCE_LONG = 'Open XML Metadata'
SOURCE_SHORT = 'META'

plaso.formatters.pe module

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = 'pe:compilation:compilation_time'
SOURCE_LONG = 'PE Compilation time'
class plaso.formatters.pe.PEDelayImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = 'pe:delay_import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Delay Import Time'
class plaso.formatters.pe.PEEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = 'pe'
FORMAT_STRING_PIECES = ['PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['pe_type']
SOURCE_LONG = 'PE Event'
SOURCE_SHORT = 'PE'
class plaso.formatters.pe.PEImportFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = 'pe:import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Import Time'
class plaso.formatters.pe.PELoadConfigModificationEvent[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = 'pe:load_config:modification_time'
SOURCE_LONG = 'PE Load Configuration Table Time'
class plaso.formatters.pe.PEResourceCreationFormatter[source]

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = 'pe:resource:creation_time'
SOURCE_LONG = 'PE Resource Creation Time'

plaso.formatters.plist module

The plist event formatter.

class plaso.formatters.plist.PlistFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = 'plist:key'
FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Plist Entry'
SOURCE_SHORT = 'PLIST'

plaso.formatters.pls_recall module

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = 'PLSRecall:event'
FORMAT_STRING_PIECES = ['Sequence number: {sequence_number}', 'Username: {username}', 'Database name: {database_name}', 'Query: {query}']
FORMAT_STRING_SHORT_PIECES = ['{sequence_number}', '{username}', '{database_name}', '{query}']
SOURCE_LONG = 'PL/SQL Developer Recall file'
SOURCE_SHORT = 'PLSRecall'

plaso.formatters.popcontest module

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = 'popularity_contest:log:event'
FORMAT_STRING_PIECES = ['mru [{mru}]', 'package [{package}]', 'tag [{record_tag}]']
FORMAT_STRING_SHORT_PIECES = ['{mru}']
SOURCE_LONG = 'Popularity Contest Log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.popcontest.PopularityContestSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = 'popularity_contest:session:event'
FORMAT_STRING_PIECES = ['Session {session}', '{status}', 'ID {hostid}', '[{details}]']
FORMAT_STRING_SHORT_PIECES = ['Session {session}', '{status}']
SOURCE_LONG = 'Popularity Contest Session'
SOURCE_SHORT = 'LOG'

plaso.formatters.programscache module

The Explorer ProgramsCache event formatter.

class plaso.formatters.programscache.ExplorerProgramsCacheEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Explorer ProgramsCache event.

DATA_TYPE = 'windows:registry:explorer:programcache'
FORMAT_STRING_PIECES = ['Key: {key_path}', 'Value: {value_name}', 'Entries: [{entries}]']
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.recycler module

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = 'windows:metadata:deleted_item'
FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']
FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Recycle Bin'
SOURCE_SHORT = 'RECBIN'

plaso.formatters.run module

The Run/RunOnce key event formatter.

class plaso.formatters.run.RunKeyEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Run/RunOnce key event.

DATA_TYPE = 'windows:registry:run'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : Run Key'
SOURCE_SHORT = 'REG'

plaso.formatters.safari module

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = 'safari:history:visit'
FORMAT_STRING_PIECES = ['Visited: {url}', '({title}', '- {display_title}', ')', 'Visit Count: {visit_count}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'
class plaso.formatters.safari.SafariHistoryFormatterSqlite[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from Sqlite History.db

DATA_TYPE = 'safari:history:visit_sqlite'
FORMAT_STRING_PIECES = ['URL: {url}', 'Title: ({title})', '[count: {visit_count}]', 'http_non_get: {was_http_non_get}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.safari_cookies module

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafariCookieFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = 'safari:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Safari Cookies'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.sam_users module

The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SAM users Windows Registry event.

DATA_TYPE = 'windows:registry:sam_users'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Username: {username}', 'Full name: {fullname}', 'Comments: {comments}', 'RID: {account_rid}', 'Login count: {login_count}']
FORMAT_STRING_SHORT_PIECES = ['{username}', 'RID: {account_rid}', 'Login count: {login_count}']
SOURCE_LONG = 'Registry Key: User Account Information'
SOURCE_SHORT = 'REG'

plaso.formatters.santa module

Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa disk mount event.

DATA_TYPE = 'santa:diskmount'
FORMAT_STRING_PIECES = ['Santa {action}', 'on ({mount})', 'serial: ({serial})', 'for ({dmg_path})']
FORMAT_STRING_SHORT_PIECES = ['{action}', '{volume}']
SOURCE_LONG = 'Santa disk mount'
SOURCE_SHORT = 'LOG'
class plaso.formatters.santa.SantaExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa execution event.

DATA_TYPE = 'santa:execution'
FORMAT_STRING_PIECES = ['Santa {decision}', 'process: {process_path}', 'hash: {process_hash}']
FORMAT_STRING_SHORT_PIECES = ['{decision}', 'process: {process_path}']
SOURCE_LONG = 'Santa Execution'
SOURCE_SHORT = 'LOG'
class plaso.formatters.santa.SantaFileSystemFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a santa file system event.

DATA_TYPE = 'santa:file_system_event'
FORMAT_STRING_PIECES = ['Santa {action} event', '{file_path}', 'by process: {process_path}']
FORMAT_STRING_SHORT_PIECES = ['File {action}', 'on: {file_path}']
SOURCE_LONG = 'Santa FSEvent'
SOURCE_SHORT = 'LOG'

plaso.formatters.sccm module

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = 'software_management:sccm:log'
FORMAT_STRING_PIECES = ['{component}', '{text}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SCCM Event'
SOURCE_SHORT = 'LOG'

plaso.formatters.selinux module

The selinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a selinux log file event.

DATA_TYPE = 'selinux:line'
FORMAT_STRING_PIECES = ['[', 'audit_type: {audit_type}', ', pid: {pid}', ']', ' {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Audit log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.services module

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.services.WinRegistryServiceFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows service event.

DATA_TYPE = 'windows:registry:service'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

plaso.formatters.setupapi module

Windows Setupapi log event formatter.

class plaso.formatters.setupapi.SetupapiLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Setupapi log file event.

DATA_TYPE = 'setupapi:log:line'
FORMAT_STRING_PIECES = ['{entry_type}', '{exit_status}']
FORMAT_STRING_SEPARATOR = ' - '
FORMAT_STRING_SHORT_PIECES = ['{exit_status}', '{entry_type}']
SOURCE_LONG = 'Windows Setupapi Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.shell_items module

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = 'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'File entry shell item'
SOURCE_SHORT = 'FILE'

plaso.formatters.shutdown module

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = 'windows:registry:shutdown'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Description: {value_name}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}']
SOURCE_LONG = 'Registry Key Shutdown Entry'
SOURCE_SHORT = 'REG'

plaso.formatters.skydrivelog module

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = 'skydrive:log:line'
FORMAT_STRING_PIECES = ['[{module}', '{source_code}', '{log_level}]', '{detail}']
FORMAT_STRING_SHORT_PIECES = ['{detail}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = 'skydrive:log:old:line'
FORMAT_STRING_PIECES = ['[{source_code}]', '({log_level})', '{text}']
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.skype module

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = 'skype:event:account'
FORMAT_STRING_PIECES = ['{username}', '[{email}]', 'Country: {country}']
SOURCE_LONG = 'Skype Account'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeCallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = 'skype:event:call'
FORMAT_STRING_PIECES = ['From: {src_call}', 'To: {dst_call}', '[{call_type}]']
SOURCE_LONG = 'Skype Call'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeChatFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = 'skype:event:chat'
FORMAT_STRING_PIECES = ['From: {from_account}', 'To: {to_account}', '[{title}]', 'Message: [{text}]']
FORMAT_STRING_SHORT_PIECES = ['From: {from_account}', 'To: {to_account}']
SOURCE_LONG = 'Skype Chat MSG'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeSMSFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = 'skype:event:sms'
FORMAT_STRING_PIECES = ['To: {number}', '[{text}]']
SOURCE_LONG = 'Skype SMS'
SOURCE_SHORT = 'LOG'
class plaso.formatters.skype.SkypeTransferFileFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = 'skype:event:transferfile'
FORMAT_STRING_PIECES = ['Source: {source}', 'Destination: {destination}', 'File: {transferred_filename}', '[{action_type}]']
SOURCE_LONG = 'Skype Transfer Files'
SOURCE_SHORT = 'LOG'

plaso.formatters.sophos_av module

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = 'sophos:av:log'
FORMAT_STRING_PIECES = ['{text}']
SOURCE_LONG = 'Sophos Anti-Virus log'
SOURCE_SHORT = 'LOG'

plaso.formatters.srum module

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = 'windows:srum:application_usage'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']
class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = 'windows:srum:network_connectivity'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']
class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = 'windows:srum:network_usage'
FORMAT_STRING_PIECES = ['Application: {application}', 'Bytes received: {bytes_received}', 'Bytes sent: {bytes_sent}', 'Interface LUID: {interface_luid}', 'User identifier: {user_identifier}']
FORMAT_STRING_SHORT_PIECES = ['{application}']

plaso.formatters.ssh module

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = 'syslog:ssh:failed_connection'
FORMAT_STRING_PIECES = ['Unsuccessful connection of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.ssh.SSHLoginEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = 'syslog:ssh:login'
FORMAT_STRING_PIECES = ['Successful login of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'
class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = 'syslog:ssh:opened_connection'
FORMAT_STRING_PIECES = ['Connection opened {address}:', '{port}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'

plaso.formatters.symantec module

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {'1': 'Quarantined', '10': 'Renamed backup file', '11': 'Undo action in Quarantine View', '12': 'Write protected or lack of permissions - Unable to act on file', '13': 'Backed up file', '2': 'Renamed', '3': 'Deleted', '4': 'Left alone', '5': 'Cleaned', '6': 'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', '7': 'Saved file as...', '8': 'Sent to Intel (AMS)', '9': 'Moved to backup location'}
ACTION_1_2_NAMES = {'1': 'Quarantine infected file', '2': 'Rename infected file', '3': 'Delete infected file', '4': 'Leave alone (log only)', '5': 'Clean virus from file', '6': 'Clean or delete macros'}
CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY', '3': 'GL_CAT_PATTERN', '4': 'GL_CAT_SECURITY'}
DATA_TYPE = 'av:symantec:scanlog'
EVENT_NAMES = {'1': 'GL_EVENT_IS_ALERT', '10': 'GL_EVENT_CHECKSUM', '11': 'GL_EVENT_TRAP', '12': 'GL_EVENT_CONFIG_CHANGE', '13': 'GL_EVENT_SHUTDOWN', '14': 'GL_EVENT_STARTUP', '16': 'GL_EVENT_PATTERN_DOWNLOAD', '17': 'GL_EVENT_TOO_MANY_VIRUSES', '18': 'GL_EVENT_FWD_TO_QSERVER', '19': 'GL_EVENT_SCANDLVR', '2': 'GL_EVENT_SCAN_STOP', '20': 'GL_EVENT_BACKUP', '21': 'GL_EVENT_SCAN_ABORT', '22': 'GL_EVENT_RTS_LOAD_ERROR', '23': 'GL_EVENT_RTS_LOAD', '24': 'GL_EVENT_RTS_UNLOAD', '25': 'GL_EVENT_REMOVE_CLIENT', '26': 'GL_EVENT_SCAN_DELAYED', '27': 'GL_EVENT_SCAN_RESTART', '28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', '29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', '3': 'GL_EVENT_SCAN_START', '30': 'GL_EVENT_LICENSE_WARNING', '31': 'GL_EVENT_LICENSE_ERROR', '32': 'GL_EVENT_LICENSE_GRACE', '33': 'GL_EVENT_UNAUTHORIZED_COMM', '34': 'GL_EVENT_LOG_FWD_THRD_ERR', '35': 'GL_EVENT_LICENSE_INSTALLED', '36': 'GL_EVENT_LICENSE_ALLOCATED', '37': 'GL_EVENT_LICENSE_OK', '38': 'GL_EVENT_LICENSE_DEALLOCATED', '39': 'GL_EVENT_BAD_DEFS_ROLLBACK', '4': 'GL_EVENT_PATTERN_UPDATE', '40': 'GL_EVENT_BAD_DEFS_UNPROTECTED', '41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', '42': 'GL_EVENT_RTS_ERROR', '43': 'GL_EVENT_COMPLIANCE_FAIL', '44': 'GL_EVENT_COMPLIANCE_SUCCESS', '45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', '46': 'GL_EVENT_ANOMALY_START', '47': 'GL_EVENT_DETECTION_ACTION_TAKEN', '48': 'GL_EVENT_REMEDIATION_ACTION_PENDING', '49': 'GL_EVENT_REMEDIATION_ACTION_FAILED', '5': 'GL_EVENT_INFECTION', '50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', '51': 'GL_EVENT_ANOMALY_FINISH', '52': 'GL_EVENT_COMMS_LOGIN_FAILED', '53': 'GL_EVENT_COMMS_LOGIN_SUCCESS', '54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM', '55': 'GL_EVENT_CLIENT_INSTALL_AV', '56': 'GL_EVENT_CLIENT_INSTALL_FW', '57': 'GL_EVENT_CLIENT_UNINSTALL', '58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', '59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', '6': 'GL_EVENT_FILE_NOT_OPEN', '60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE', '61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', '62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', '63': 'GL_EVENT_CLIENT_CHECKIN', '64': 'GL_EVENT_CLIENT_NO_CHECKIN', '65': 'GL_EVENT_SCAN_SUSPENDED', '66': 'GL_EVENT_SCAN_RESUMED', '67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT', '68': 'GL_EVENT_CLIENT_MOVE', '69': 'GL_EVENT_SCAN_FAILED_ENHANCED', '7': 'GL_EVENT_LOAD_PATTERN', '70': 'GL_EVENT_MAX_event_name', '71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', '72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', '73': 'GL_EVENT_LOAD_ERROR_COH', '74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS', '75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', '76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', '77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN', '8': 'GL_STD_MESSAGE_INFO', '9': 'GL_STD_MESSAGE_ERROR'}
FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SEPARATOR = '; '
FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Symantec AV Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.syslog module

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment

DATA_TYPE = 'syslog:comment'
FORMAT_STRING_PIECES = ['{body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'
class plaso.formatters.syslog.SyslogLineFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = 'syslog:line'
FORMAT_STRING_PIECES = ['{severity} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.systemd_journal module

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter[source]

Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Formatter for a Systemd journal dirty event.

DATA_TYPE = 'systemd:journal:dirty'
SOURCE_LONG = 'systemd-journal-dirty'
class plaso.formatters.systemd_journal.SystemdJournalEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = 'systemd:journal'
FORMAT_STRING_PIECES = ['{hostname} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'systemd-journal'
SOURCE_SHORT = 'LOG'

plaso.formatters.tango_android module

Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android contact event formatter.

DATA_TYPE = 'tango:android:contact'
FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']
FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Contact'
SOURCE_SHORT = 'Tango Android'
class plaso.formatters.tango_android.TangoAndroidConversationFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android conversation event formatter.

DATA_TYPE = 'tango:android:conversation'
FORMAT_STRING_PIECES = ['Conversation ({conversation_identifier})']
FORMAT_STRING_SHORT_PIECES = ['Conversation ({conversation_identifier})']
SOURCE_LONG = 'Tango Android Conversation'
SOURCE_SHORT = 'Tango Android'
class plaso.formatters.tango_android.TangoAndroidMessageFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Tango on Android message event formatter.

DATA_TYPE = 'tango:android:message'
FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']
FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple[str, str]

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Tango Android Message'
SOURCE_SHORT = 'Tango Android'

plaso.formatters.task_scheduler module

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = 'task_scheduler:task_cache:entry'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Task: {task_name}', '[Identifier: {task_identifier}]']
FORMAT_STRING_SHORT_PIECES = ['Task: {task_name}']
SOURCE_LONG = 'Task Cache'
SOURCE_SHORT = 'REG'

plaso.formatters.terminal_server module

The Terminal Server client event formatters.

class plaso.formatters.terminal_server.TerminalServerClientConnectionEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Terminal Server client connection event.

DATA_TYPE = 'windows:registry:mstsc:connection'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Username hint: {username}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]']
SOURCE_LONG = 'Registry Key : RDP Connection'
SOURCE_SHORT = 'REG'
class plaso.formatters.terminal_server.TerminalServerClientMRUEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Terminal Server client MRU event.

DATA_TYPE = 'windows:registry:mstsc:mru'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : RDP Connection'
SOURCE_SHORT = 'REG'

plaso.formatters.text module

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = 'text:entry'
FORMAT_STRING = '{text}'
SOURCE_LONG = 'Text File'
SOURCE_SHORT = 'LOG'

plaso.formatters.timezone module

The Windows timezone settings event formatter.

class plaso.formatters.timezone.WindowsTimezoneSettingsEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows timezone settings event.

DATA_TYPE = 'windows:registry:timezone'
FORMAT_STRING = '[{key_path}] {configuration}'
FORMAT_STRING_ALTERNATIVE = '{configuration}'
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.trendmicroav module

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:scan'
FORMAT_STRING_PIECES = ['Path: {path}', 'File name: {filename}', '{threat}', ': {action}', '({scan_type})']
FORMAT_STRING_SHORT_PIECES = ['{path}', '{filename}', '{action}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'action': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>, 'scan_type': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>}
class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter[source]

Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = 'av:trendmicro:webrep'
FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']
SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'block_mode': <function OfficeScanWebReputationLogEventFormatter.<lambda>>}

plaso.formatters.twitter_android module

Twitter on android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android contact event formatter.

DATA_TYPE = 'twitter:android:contact'
FORMAT_STRING_PIECES = ['Screen name: {username}', 'Profile picture URL: {image_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {web_url}', 'Number of followers: {followers}', 'Number of following: {friend}', 'Number of tweets: {statuses}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {username}', 'Description: {description}', 'URL: {web_url}']
SOURCE_LONG = 'Twitter Android Contacts'
SOURCE_SHORT = 'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android search event formatter.

DATA_TYPE = 'twitter:android:search'
FORMAT_STRING_PIECES = ['Name: {name}', 'Query: {search_query}']
FORMAT_STRING_SHORT_PIECES = ['Query: {search_query}']
SOURCE_LONG = 'Twitter Android Search'
SOURCE_SHORT = 'Twitter Android'
class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter for android status event formatter.

DATA_TYPE = 'twitter:android:status'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter Android Status'
SOURCE_SHORT = 'Twitter Android'

plaso.formatters.twitter_ios module

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = 'twitter:ios:contact'
FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Contacts'
SOURCE_SHORT = 'Twitter iOS'
class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = 'twitter:ios:status'
FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']
FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Twitter iOS Status'
SOURCE_SHORT = 'Twitter iOS'

plaso.formatters.typedurls module

The typed URLs event formatter.

class plaso.formatters.typedurls.TypedURLsFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a typed URLs event.

DATA_TYPE = 'windows:registry:typedurls'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : Typed URLs'
SOURCE_SHORT = 'REG'

plaso.formatters.usb module

The Windows USB device event formatter.

class plaso.formatters.usb.WindowsUSBDeviceEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows USB device event.

DATA_TYPE = 'windows:registry:usb'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Product: {product}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Product: {product}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
SOURCE_LONG = 'Registry Key : USB Entries'
SOURCE_SHORT = 'REG'

plaso.formatters.usbstor module

The USBStor event formatter.

class plaso.formatters.usbstor.USBStorEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a USBStor event.

DATA_TYPE = 'windows:registry:usbstor'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Device type: {device_type}', 'Display name: {display_name}', 'Product: {product}', 'Revision: {revision}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Device type: {device_type}', 'Display name: {display_name}', 'Product: {product}', 'Revision: {revision}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
SOURCE_LONG = 'Registry Key : USBStor Entries'
SOURCE_SHORT = 'REG'

plaso.formatters.userassist module

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UserAssist Windows Registry event.

DATA_TYPE = 'windows:registry:userassist'
FORMAT_STRING_PIECES = ['[{key_path}]', 'UserAssist entry: {entry_index}', 'Value name: {value_name}', 'Count: {number_of_executions}', 'Application focus count: {application_focus_count}', 'Application focus duration: {application_focus_duration}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}', 'Count: {number_of_executions}']
SOURCE_LONG = 'Registry Key: UserAssist'
SOURCE_SHORT = 'REG'

plaso.formatters.utmp module

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = 'linux:utmp:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMP session'
SOURCE_SHORT = 'LOG'

plaso.formatters.utmpx module

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = 'mac:utmpx:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'UTMPX session'
SOURCE_SHORT = 'LOG'

plaso.formatters.vsftpd module

The vsftpd log file event formatter.

class plaso.formatters.vsftpd.VsftpdLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a vsftpd log event data.

DATA_TYPE = 'vsftpd:log'
FORMAT_STRING_PIECES = ['{text}']
SOURCE_LONG = 'vsftpd log'
SOURCE_SHORT = 'LOG'

plaso.formatters.windows module

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = 'windows:distributed_link_tracking:creation'
FORMAT_STRING_PIECES = ['{uuid}', 'MAC address: {mac_address}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{uuid}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows NetworkList event formatter.

DATA_TYPE = 'windows:registry:network'
FORMAT_STRING_PIECES = ['SSID: {ssid}', 'Description: {description}', 'Connection Type: {connection_type}', 'Default Gateway Mac: {default_gateway_mac}', 'DNS Suffix: {dns_suffix}']
SOURCE_LONG = 'System: Network Connection'
SOURCE_SHORT = 'LOG'
class plaso.formatters.windows.WindowsVolumeCreationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = 'windows:volume:creation'
FORMAT_STRING_PIECES = ['{device_path}', 'Serial number: 0x{serial_number:08X}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{device_path}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'

plaso.formatters.windows_timeline module

The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for generic Windows Timeline events.

DATA_TYPE = 'windows:timeline:generic'
FORMAT_STRING_PIECES = ['Application Display Name: {application_display_name}', 'Package Identifier: {package_identifier}', 'Description: {description}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - Generic'
SOURCE_SHORT = 'Windows Timeline'
class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for User Engaged Windows Timeline events

DATA_TYPE = 'windows:timeline:user_engaged'
FORMAT_STRING_PIECES = ['Package Identifier: {package_identifier}', 'Active Duration (seconds): {active_duration_seconds}', 'Reporting App: {reporting_app}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - User Engaged'
SOURCE_SHORT = 'Windows Timeline'

plaso.formatters.windows_version module

The Windows installation event formatter.

class plaso.formatters.windows_version.WindowsRegistryInstallationEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows installation event.

DATA_TYPE = 'windows:registry:installation'
FORMAT_STRING_PIECES = ['{product_name}', '{version}', '{build_number}', '{service_pack}', 'Owner: {owner}', 'Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = ['{product_name}', '{version}', '{build_number}', '{service_pack}', 'Origin: {key_path}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'

plaso.formatters.winevt module

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = 'windows:evt:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetEventTypeString(event_type)[source]

Retrieves a string representation of the event type.

Parameters

event_type (int) – event type.

Returns

description of the event type.

Return type

str

GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSeverityString(severity)[source]

Retrieves a string representation of the severity.

Parameters

severity (int) – severity.

Returns

description of the event severity.

Return type

str

SOURCE_LONG = 'WinEVT'
SOURCE_SHORT = 'EVT'

plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile[source]

Bases: object

Class that defines a sqlite3 database file.

Close()[source]

Closes the database file.

Raises

RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters

  • table_names (list[str]) – table names.

  • column_names (list[str]) – column names.

  • condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters

table_name (str) – table name.

Returns

True if the table exists.

Return type

bool

Raises

RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]

Opens the database file.

Parameters

  • filename (str) – filename of the database.

  • read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader[source]

Bases: object

Class to represent a sqlite3 database reader.

Close()[source]

Closes the database reader object.

Open(filename)[source]

Opens the database reader object.

Parameters

filename (str) – filename of the database.

Returns

True if successful.

Return type

bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific Event Log source.

Parameters

  • log_source (str) – Event Log source.

  • lcid (int) – language code identifier (LCID).

  • message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.

Returns

the metadata attribute or None.

Return type

str

Raises

RuntimeError – if more than one value is found in the database.

Open(filename)[source]

Opens the database reader object.

Parameters

filename (str) – filename of the database.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = 'windows:evtx:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinEVTX'
SOURCE_SHORT = 'EVT'

plaso.formatters.winfirewall module

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = 'windows:firewall:log_entry'
FORMAT_STRING_PIECES = ['{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}', ':{source_port}', '>', '{dest_ip}', ':{dest_port}', 'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}', 'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}', 'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}', 'Additional info: {info}']
FORMAT_STRING_SHORT_PIECES = ['{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>', '{dest_ip}', ': {dest_port}']
SOURCE_LONG = 'Windows Firewall Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.winjob module

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = 'windows:tasks:job'
FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Scheduled Task Job'
SOURCE_SHORT = 'JOB'

plaso.formatters.winlnk module

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Shortcut'
SOURCE_SHORT = 'LNK'

plaso.formatters.winlogon module

The Winlogon key event formatter.

class plaso.formatters.winlogon.WinlogonEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Winlogon event.

DATA_TYPE = 'windows:registry:winlogon'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Application: {application}', 'Command: {command}', 'Handler: {handler}', 'Trigger: {trigger}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Application: {application}', 'Command: {command}', 'Handler: {handler}', 'Trigger: {trigger}']
SOURCE_LONG = 'Registry Key : Winlogon'
SOURCE_SHORT = 'REG'

plaso.formatters.winprefetch module

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = 'windows:prefetch:execution'
FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path: {path}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']
FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'WinPrefetch'
SOURCE_SHORT = 'LOG'

plaso.formatters.winrar module

The WinRAR history event formatter.

class plaso.formatters.winrar.WinRARHistoryEventFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a WinRAR history event.

DATA_TYPE = 'winrar:history'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : WinRAR History'
SOURCE_SHORT = 'REG'

plaso.formatters.winreg module

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = 'windows:registry:key_value'
FORMAT_STRING = '[{key_path}] {values}'
FORMAT_STRING_ALTERNATIVE = '{values}'
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

GetSources(event, event_data)[source]

Determines the the short and long source for an event.

Parameters
Returns

short and long source string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.winrestore module

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Windows Restore Point information event.

DATA_TYPE = 'windows:restore_point:info'
FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']
FORMAT_STRING_SHORT_PIECES = ['{description}']
GetMessages(formatter_mediator, event_data)[source]

Determines the formatted message strings for the event data.

Parameters

  • formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.

  • event_data (EventData) – event data.

Returns

formatted message string and short message string.

Return type

tuple(str, str)

Raises

WrongFormatter – if the event data cannot be formatted by the formatter.

SOURCE_LONG = 'Windows Restore Point'
SOURCE_SHORT = 'RP'

plaso.formatters.xchatlog module

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = 'xchat:log:line'
FORMAT_STRING_PIECES = ['[nickname: {nickname}]', '{text}']
SOURCE_LONG = 'XChat Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.xchatscrollback module

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = 'xchat:scrollback:line'
FORMAT_STRING_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'XChat Scrollback File'
SOURCE_SHORT = 'LOG'

plaso.formatters.zeitgeist module

The Zeitgeist event formatter.

class plaso.formatters.zeitgeist.ZeitgeistFormatter[source]

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Zeitgeist activity database event.

DATA_TYPE = 'zeitgeist:activity'
FORMAT_STRING = '{subject_uri}'
SOURCE_LONG = 'Zeitgeist activity log'
SOURCE_SHORT = 'LOG'

plaso.formatters.zsh_extended_history module

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter[source]

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = 'shell:zsh:history'
FORMAT_STRING_PIECES = ['{command}', 'Time elapsed: {elapsed_seconds} seconds']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{command}']
SOURCE_LONG = 'Zsh Extended History'
SOURCE_SHORT = 'HIST'

Module contents

This file contains an import statement for each formatter.