plaso.lib package

Submodules

plaso.lib.bufferlib module

Circular buffer for storing event objects.

class plaso.lib.bufferlib.CircularBuffer(size)[source]

Bases: object

Class that defines a circular buffer for storing event objects.

Append(item)[source]

Add an item to the list.

Parameters

item (object) – item.

Clear()[source]

Removes all elements from the list.

Flush()[source]

Returns a generator for all items and clear the buffer.

GetCurrent()[source]

Retrieves the current item that index points to.

Returns

item.

Return type

object

__iter__()[source]

Return all elements from the list.

__len__()[source]

Return the length (the fixed size).

property size

number of elements in the buffer.

Type

int

plaso.lib.cookie_plugins_helper module

The cookie plugins helper mix-in.

class plaso.lib.cookie_plugins_helper.CookiePluginsHelper[source]

Bases: object

Cookie plugins helper mix-in.

plaso.lib.decorators module

Function decorators.

plaso.lib.decorators.deprecated(function)[source]

Decorator to mark functions or methods as deprecated.

plaso.lib.definitions module

The definitions.

plaso.lib.dtfabric_helper module

The dtFabric helper mix-in.

class plaso.lib.dtfabric_helper.DtFabricHelper[source]

Bases: object

dtFabric format definition helper mix-in.

dtFabric defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size

4

units

bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

  • name: y data_type: int32

  • name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

plaso.lib.errors module

This file contains the error classes.

exception plaso.lib.errors.BadConfigObject[source]

Bases: Error

Raised when the configuration object is of the wrong type.

exception plaso.lib.errors.BadConfigOption[source]

Bases: Error

Raised when a faulty configuration option is encountered.

exception plaso.lib.errors.ConnectionError[source]

Bases: Error

Error connecting to a service.

exception plaso.lib.errors.Error[source]

Bases: Exception

Base error class.

exception plaso.lib.errors.InvalidEvent[source]

Bases: Error

Error indicating an event is malformed.

exception plaso.lib.errors.InvalidFilter[source]

Bases: Error

Error indicating an invalid filter was specified.

exception plaso.lib.errors.InvalidNumberOfOperands[source]

Bases: Error

The number of operands provided to an objectfilter operator is wrong.

exception plaso.lib.errors.MalformedPresetError[source]

Bases: Error

Raised when a parser preset definition is malformed.

exception plaso.lib.errors.MaximumRecursionDepth[source]

Bases: Error

Raised when the maximum recursion depth is reached.

exception plaso.lib.errors.ParseError[source]

Bases: Error

Raised when a parse error occurred.

exception plaso.lib.errors.PreProcessFail[source]

Bases: Error

Raised when a preprocess module is unable to gather information.

exception plaso.lib.errors.QueueAlreadyClosed[source]

Bases: Error

Raised when an attempt is made to close a queue that is already closed.

exception plaso.lib.errors.QueueAlreadyStarted[source]

Bases: Error

Raised when an attempt is made to start queue that is already started.

exception plaso.lib.errors.QueueClose[source]

Bases: Error

Class that implements a queue close exception.

exception plaso.lib.errors.QueueEmpty[source]

Bases: Error

Class that implements a queue empty exception.

exception plaso.lib.errors.QueueFull[source]

Bases: Error

Class that implements a queue full exception.

exception plaso.lib.errors.SerializationError[source]

Bases: Error

Class that defines serialization errors.

exception plaso.lib.errors.SourceScannerError[source]

Bases: Error

Class that defines source scanner errors.

exception plaso.lib.errors.TaggingFileError[source]

Bases: Error

Raised when the tagging file is invalid.

exception plaso.lib.errors.UnableToLoadRegistryHelper[source]

Bases: Error

Raised when unable to load a Registry helper object.

exception plaso.lib.errors.UserAbort[source]

Bases: Error

Class that defines an user initiated abort exception.

exception plaso.lib.errors.WrongParser[source]

Bases: Error

Raised when a parser is not designed to parse a file.

exception plaso.lib.errors.WrongPlugin[source]

Bases: Error

Raised when the plugin is of the wrong type.

exception plaso.lib.errors.WrongQueueType[source]

Bases: Error

Raised when an unsupported operation is attempted on a queue.

For example, attempting to Pop from a Push-only queue.

plaso.lib.line_reader_file module

Binary line reader file-like object.

class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)[source]

Bases: object

Basic reader for delimiter separated text files of unknown encoding.

This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.

__iter__()[source]

Iterates over delimiter separates values.

Yields

list(bytes) – lines of encoded bytes.

class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')[source]

Bases: object

Line reader for binary file-like objects.

end_of_line

byte sequence that separates lines from each other.

Type

bytes

MAXIMUM_READ_BUFFER_SIZE = 16777216
__enter__()[source]

Enters a with statement.

__exit__(exception_type, value, traceback)[source]

Exits a with statement.

__iter__()[source]

Returns a line of text.

Yields

bytes – line of text.

readline(size=None)[source]

Reads a single line of text.

The functions reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.

Parameters

size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.

Returns

line of text.

Return type

bytes

Raises

ValueError – if the specified size is less than zero or greater than the maximum size allowed.

readlines(sizehint=None)[source]

Reads lines of text.

The function reads until EOF using readline() and return a list containing the lines read.

Parameters

sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.

Returns

lines of text.

Return type

list[bytes]

tell()[source]

Retrieves the current offset into the file-like object.

Returns

current offset into the file-like object.

Return type

int

plaso.lib.loggers module

Logging related classes and functions.

class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')[source]

Bases: FileHandler

Compressed file handler for logging.

plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)[source]

Configures the logging root logger.

Parameters

  • debug_output (Optional[bool]) – True if the logging should include debug output.

  • filename (Optional[str]) – log filename.

  • mode (Optional[str]) – log file access mode.

  • quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.

plaso.lib.plist module

The plist file object.

class plaso.lib.plist.PlistFile[source]

Bases: object

Class that defines a plist file.

root_key

the plist root key.

Type

dict

GetValueByPath(path_segments)[source]

Retrieves a plist value by path.

Parameters

path_segments (list[str]) – path segment strings relative to the root of the plist.

Returns

The value of the key specified by the path or None.

Return type

object

Read(file_object)[source]

Reads a plist from a file-like object.

Parameters

file_object (dfvfs.FileIO) – a file-like object containing plist data.

Raises

  • IOError – if the plist file-like object cannot be read.

  • OSError – if the plist file-like object cannot be read.

plaso.lib.specification module

The format specification classes.

class plaso.lib.specification.FormatSpecification(identifier, text_format=False)[source]

Bases: object

The format specification.

AddNewSignature(pattern, offset=None)[source]

Adds a signature.

Parameters

  • pattern (bytes) – pattern of the signature.

  • offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative from the start of the data a negative offset is relative from the end of the data.

IsTextFormat()[source]

Determines if the format is a text format.

Returns

True if the format is a text format, False otherwise.

Return type

bool

class plaso.lib.specification.FormatSpecificationStore[source]

Bases: object

The store for format specifications.

AddNewSpecification(identifier)[source]

Adds a new format specification.

Parameters

identifier (str) – format identifier, which should be unique for the store.

Returns

format specification.

Return type

FormatSpecification

Raises

KeyError – if the store already contains a specification with the same identifier.

AddSpecification(specification)[source]

Adds a format specification.

Parameters

specification (FormatSpecification) – format specification.

Raises

KeyError – if the store already contains a specification with the same identifier.

GetSpecificationBySignature(signature_identifier)[source]

Retrieves a specification mapped to a signature identifier.

Parameters

signature_identifier (str) – unique signature identifier for a specification store.

Returns

format specification or None if the signature

identifier does not exist within the specification store.

Return type

FormatSpecification

property specifications

specifications iterator.

Type

iterator

class plaso.lib.specification.Signature(pattern, offset=None)[source]

Bases: object

The format specification signature.

The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

SetIdentifier(identifier)[source]

Sets the identifier of the signature in the specification store.

Parameters

identifier (str) – unique signature identifier for a specification store.

plaso.lib.yearless_helper module

The year-less log format helper mix-in.

class plaso.lib.yearless_helper.YearLessLogFormatHelper[source]

Bases: object

Year-less log format helper mix-in.

GetYearLessLogHelper()[source]

Retrieves a year-less log helper attribute container.

Returns

year-less log helper.

Return type

YearLessLogHelper

Module contents