plaso.formatters package

Submodules

plaso.formatters.chrome module

Google Chrome history custom event formatter helpers.

class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome history typed count formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_history_typed_count'

plaso.formatters.chrome_preferences module

Google Chrome preferences custom event formatter helpers.

class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome preferences primary URL formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_primary_url'

class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Google Chrome preferences secondary URL formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'chrome_preferences_secondary_url'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultEventFormatter[source]

Bases: plaso.formatters.interface.BasicEventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = 'event'

FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'

FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'

FormatEventValues(event_values)[source]

Formats event values using the helpers.

Parameters: event_values (dict[str, object]) – event values.

plaso.formatters.file_system module

File system custom event formatter helpers.

class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS file reference formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_file_reference'

class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS parent file reference formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_parent_file_reference'

class plaso.formatters.file_system.NTFSPathHintsFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

NTFS path hints formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'ntfs_path_hints'

plaso.formatters.firefox module

Mozilla Firefox history custom event formatter helpers.

class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Mozilla Firefox history typed count formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_typed_count'

class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Mozilla Firefox history URL hidden formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'firefox_history_url_hidden'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)[source]

Bases: plaso.formatters.interface.EventFormatter

Format event values using a message format string.

custom_helpers

identifiers of custom event formatter helpers.

Type: list[str]

helpers

event formatter helpers.

Type: list[EventFormatterHelper]

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting boolean event data.

input_attribute

name of the attribute that contains the boolean input value.

Type: str

output_attribute

name of the attribute where the boolean output value should be stored.

Type: str

value_if_false

output value if the boolean input value is False.

Type: str

value_if_true

output value if the boolean input value is True.

Type: str

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]

Bases: plaso.formatters.interface.EventFormatter

Conditionally format event values using format string pieces.

GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

GetMessage(event_values)[source]

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

GetMessageShort(event_values)[source]

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

class plaso.formatters.interface.CustomEventFormatterHelper[source]

Bases: plaso.formatters.interface.EventFormatterHelper

Base class for a helper for custom formatting of event data.

DATA_TYPE = ''

abstract FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = ''

class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting enumeration event data.

default

default value.

Type: str

input_attribute

name of the attribute that contains the enumeration input value.

Type: str

output_attribute

name of the attribute where the enumeration output value should be stored.

Type: str

values

mapping of enumeration input and output values.

Type: dict[str, str]

FormatEventValues(event_values)[source]

Formats event values using the helper.

If default value is None and there is no corresponding enumeration value then the original value is used.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.EventFormatter(data_type='internal')[source]

Bases: object

Base class to format event values.

custom_helpers

identifiers of custom event formatter helpers.

Type: list[str]

helpers

event formatter helpers.

Type: list[EventFormatterHelper]

AddCustomHelper(identifier, input_attribute=None, output_attribute=None)[source]

Adds a custom event formatter helper.

Parameters

identifier (str) – identifier.
input_attribute (Optional[str]) – name of the attribute that contains the input value.
output_attribute (Optional[str]) – name of the attribute where the output value should be stored.

AddHelper(helper)[source]

Adds an event formatter helper.

Parameters: helper (EventFormatterHelper) – event formatter helper to add.

FormatEventValues(event_values)[source]

Formats event values using the helpers.

Parameters: event_values (dict[str, object]) – event values.

abstract GetFormatStringAttributeNames()[source]

Retrieves the attribute names in the format string.

Returns: attribute names.
Return type: set(str)

abstract GetMessage(event_values)[source]

Determines the message.

Parameters: event_values (dict[str, object]) – event values.
Returns: message.
Return type: str

abstract GetMessageShort(event_values)[source]

Determines the short message.

Parameters: event_values (dict[str, object]) – event values.
Returns: short message.
Return type: str

property data_type

unique identifier for the event data supported by the formatter.

Type: str

class plaso.formatters.interface.EventFormatterHelper[source]

Bases: object

Base class of helper for formatting event data.

abstract FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)[source]

Bases: plaso.formatters.interface.EventFormatterHelper

Helper for formatting flags event data.

input_attribute

name of the attribute that contains the flags input value.

Type: str

output_attribute

name of the attribute where the flags output value should be stored.

Type: str

values

mapping of flags input and output values.

Type: dict[str, str]

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.manager module

Manages custom event formatter helpers.

class plaso.formatters.manager.FormattersManager[source]

Bases: object

Custom event formatter helpers manager.

classmethod GetEventFormatterHelper(identifier)[source]

Retrieves a custom event formatter helper.

Parameters

identifier (str) – identifier.

Returns

custom event formatter or None if not: available.

Return type

CustomEventFormatterHelper

classmethod RegisterEventFormatterHelper(formatter_helper_class)[source]

Registers a custom event formatter helper.

The custom event formatter helpers are identified based on their lower case identifier.

Parameters: formatter_helper_class (type) – class of the custom event formatter helper.
Raises: KeyError – if a custom formatter helper is already set for the corresponding identifier.

classmethod RegisterEventFormatterHelpers(formatter_helper_classes)[source]

Registers custom event formatter helpers.

The formatter classes are identified based on their lower case data type.

Parameters: formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.
Raises: KeyError – if a custom formatter helper is already set for the corresponding data type.

plaso.formatters.msiecf module

MSIE cache file custom event formatter helpers.

class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

MSIE cache file cached path formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_cached_path'

class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

MSIE cache file HTTP headers formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'msiecf_http_headers'

plaso.formatters.shell_items module

Windows shell item custom event formatter helpers.

class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows shell item file entry formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'shell_item_file_entry_name'

plaso.formatters.winlnk module

Windows Shortcut (LNK) custom event formatter helpers.

class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Shortcut (LNK) linked path formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_shortcut_linked_path'

plaso.formatters.winprefetch module

Windows Prefetch custom event formatter helpers.

class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Prefetch path hints formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_path_hints'

class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Prefetch volumes string formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_prefetch_volumes_string'

plaso.formatters.winreg module

Windows Registry custom event formatter helpers.

class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper[source]

Bases: plaso.formatters.interface.CustomEventFormatterHelper

Windows Registry values formatter helper.

FormatEventValues(event_values)[source]

Formats event values using the helper.

Parameters: event_values (dict[str, object]) – event values.

IDENTIFIER = 'windows_registry_values'

plaso.formatters.yaml_formatters_file module

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]

Bases: object

YAML-based formatters file.

A YAML-based formatters file contains one or more event formatters. type: ‘conditional’ data_type: ‘fs:stat’ message: - ‘{display_name}’ - ‘Type: {file_entry_type}’ - ‘({unallocated})’ short_message: - ‘{filename}’

Where: * type, defines the formatter data type, which can be “basic” or

“conditional”;

data_type, defines the corresponding event data type;
message, defines a list of message string pieces;
separator, defines the message and short message string pieces separator;
short_message, defines the short message string pieces;

ReadFromFile(path)[source]

Reads the event formatters from the YAML-based formatters file.

Parameters: path (str) – path to a formatters file.
Returns: event formatters.
Return type: list[EventFormatter]

Module contents

This file contains an import statement for each formatter.