plaso.lib package

Submodules

plaso.lib.bufferlib module

Circular buffer for storing event objects.

class plaso.lib.bufferlib.CircularBuffer(size)[source]

Bases: object

Class that defines a circular buffer for storing event objects.

Append(item)[source]

Add an item to the list.

Parameters:

item (object) – item.

Clear()[source]

Removes all elements from the list.

Flush()[source]

Returns a generator for all items and clears the buffer.

GetCurrent()[source]

Retrieves the current item that index points to.

Returns:

item.

Return type:

object

__init__(size)[source]

Initializes a circular buffer object.

Parameters:

size (int) – number of elements in the buffer.

__iter__()[source]

Return all elements from the list.

__len__()[source]

Return the length (the fixed size).

property size

number of elements in the buffer.

Type:

int

plaso.lib.cookie_plugins_helper module

The cookie plugins helper mix-in.

class plaso.lib.cookie_plugins_helper.CookiePluginsHelper[source]

Bases: object

Cookie plugins helper mix-in.

__init__()[source]

Initializes the cookie plugins helper mix-in.

plaso.lib.dateless_helper module

The date-less log format helper mix-in.

class plaso.lib.dateless_helper.DateLessLogFormatHelper[source]

Bases: object

Date-less log format helper mix-in.

GetDateLessLogHelper()[source]

Retrieves a date-less log helper attribute container.

Returns:

date-less log helper.

Return type:

DateLessLogHelper

__init__()[source]

Initializes the date-less log format helper mix-in.

plaso.lib.decorators module

Function decorators.

plaso.lib.decorators.deprecated(function)[source]

Decorator to mark functions or methods as deprecated.

plaso.lib.definitions module

The definitions.

plaso.lib.dtfabric_helper module

The dtFabric helper mix-in.

class plaso.lib.dtfabric_helper.DtFabricHelper[source]

Bases: object

dtFabric format definition helper mix-in.

dtFabric defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

    name: int32
    type: integer
    description: 32-bit signed integer type
    attributes:
      format: signed
      size: 4
      units: bytes
    ---
    name: point3d
    aliases: [POINT]
    type: structure
    description: Point in 3 dimensional space.
    attributes:
      byte_order: little-endian
    members:
    - name: x
      aliases: [XCOORD]
      data_type: int32
    - name: y
      data_type: int32
    - name: z
      data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition file contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)
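The mapping described above, as an added example using only the Python standard library; it is not plaso or dtFabric code. DEFINITIONS, build_data_type_map and map_byte_stream are hypothetical names that stand in for the definition file and the data type map, and only integer members are handled.

```python
import collections
import struct

# Constructed in-code copy of the "int32" and "point3d" definitions above.
DEFINITIONS = {
    'int32': {'type': 'integer', 'format': 'signed', 'size': 4},
    'point3d': {
        'type': 'structure',
        'byte_order': 'little-endian',
        'members': [('x', 'int32'), ('y', 'int32'), ('z', 'int32')],
    },
}

_BYTE_ORDERS = {'little-endian': '<', 'big-endian': '>'}
_INTEGER_CODES = {1: 'b', 2: 'h', 4: 'i', 8: 'q'}


def build_data_type_map(name, definitions=DEFINITIONS):
    """Compiles a structure definition into (struct.Struct, namedtuple)."""
    definition = definitions[name]
    if definition['type'] != 'structure':
        raise ValueError(f'{name} is not a structure definition')
    layout = _BYTE_ORDERS[definition['byte_order']]
    for _, member_type in definition['members']:
        member = definitions[member_type]
        code = _INTEGER_CODES[member['size']]
        # struct uses the upper-case code for the unsigned variant.
        layout += code if member['format'] == 'signed' else code.upper()
    field_names = [member_name for member_name, _ in definition['members']]
    return struct.Struct(layout), collections.namedtuple(name, field_names)


def map_byte_stream(name, byte_stream, definitions=DEFINITIONS):
    """Maps the start of byte_stream onto the named structure."""
    layout, value_type = build_data_type_map(name, definitions)
    # Parsed evidence is untrusted: reject short input instead of guessing.
    if len(byte_stream) < layout.size:
        raise ValueError(
            f'{name} needs {layout.size} bytes, got {len(byte_stream)}')
    return value_type._make(layout.unpack_from(byte_stream))


if __name__ == '__main__':
    stream = bytes.fromhex('01 00 00 00 02 00 00 00 03 00 00 00')
    print(map_byte_stream('point3d', stream))
```

A stream shorter than the 12 bytes the structure needs raises ValueError rather than yielding a partially filled object.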

__init__()[source]

Initializes the dtFabric format definition helper mix-in.

plaso.lib.errors module

This file contains the error classes.

exception plaso.lib.errors.BadConfigObject[source]

Bases: Error

Raised when the configuration object is of the wrong type.

exception plaso.lib.errors.BadConfigOption[source]

Bases: Error

Raised when a faulty configuration option is encountered.

exception plaso.lib.errors.ConnectionError[source]

Bases: Error

Error connecting to a service.

exception plaso.lib.errors.Error[source]

Bases: Exception

Base error class.

exception plaso.lib.errors.InvalidEvent[source]

Bases: Error

Error indicating an event is malformed.

exception plaso.lib.errors.InvalidFilter[source]

Bases: Error

Error indicating an invalid filter was specified.

exception plaso.lib.errors.InvalidNumberOfOperands[source]

Bases: Error

The number of operands provided to an objectfilter operator is wrong.

exception plaso.lib.errors.MalformedPresetError[source]

Bases: Error

Raised when a parser preset definition is malformed.

exception plaso.lib.errors.MaximumRecursionDepth[source]

Bases: Error

Raised when the maximum recursion depth is reached.

exception plaso.lib.errors.ParseError[source]

Bases: Error

Raised when a parse error occurred.

exception plaso.lib.errors.PreProcessFail[source]

Bases: Error

Raised when a preprocess module is unable to gather information.

exception plaso.lib.errors.QueueAlreadyClosed[source]

Bases: Error

Raised when an attempt is made to close a queue that is already closed.

exception plaso.lib.errors.QueueAlreadyStarted[source]

Bases: Error

Raised when an attempt is made to start a queue that is already started.

exception plaso.lib.errors.QueueClose[source]

Bases: Error

Class that implements a queue close exception.

exception plaso.lib.errors.QueueEmpty[source]

Bases: Error

Class that implements a queue empty exception.

exception plaso.lib.errors.QueueFull[source]

Bases: Error

Class that implements a queue full exception.

exception plaso.lib.errors.SerializationError[source]

Bases: Error

Class that defines serialization errors.

exception plaso.lib.errors.SourceScannerError[source]

Bases: Error

Class that defines source scanner errors.

exception plaso.lib.errors.TaggingFileError[source]

Bases: Error

Raised when the tagging file is invalid.

exception plaso.lib.errors.UnableToLoadRegistryHelper[source]

Bases: Error

Raised when unable to load a Registry helper object.

exception plaso.lib.errors.UserAbort[source]

Bases: Error

Class that defines a user-initiated abort exception.

exception plaso.lib.errors.WrongParser[source]

Bases: Error

Raised when a parser is not designed to parse a file.

exception plaso.lib.errors.WrongPlugin[source]

Bases: Error

Raised when the plugin is of the wrong type.

exception plaso.lib.errors.WrongQueueType[source]

Bases: Error

Raised when an unsupported operation is attempted on a queue.

For example, attempting to Pop from a Push-only queue.

plaso.lib.line_reader_file module

Binary line reader file-like object.

class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)[source]

Bases: object

Basic reader for delimiter separated text files of unknown encoding.

This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.

__init__(binary_line_reader, delimiter)[source]

Initializes the delimiter separated values reader.

Parameters:
  • binary_line_reader (BinaryLineReader) – a binary file reader

  • delimiter (bytes) – field delimiter.

__iter__()[source]

Iterates over delimiter separated values.

Yields:

list(bytes) – lines of encoded bytes.

class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')[source]

Bases: object

Line reader for binary file-like objects.

end_of_line

byte sequence that separates lines from each other.

Type:

bytes

MAXIMUM_READ_BUFFER_SIZE = 16777216

__enter__()[source]

Enters a with statement.

__exit__(exception_type, value, traceback)[source]

Exits a with statement.

__init__(file_object, end_of_line=b'\n')[source]

Initializes the line reader.

Parameters:
  • file_object (FileIO) – a file-like object to read from.

  • end_of_line (Optional[bytes]) – end of line indicator.

__iter__()[source]

Returns a line of text.

Yields:

bytes – line of text.

readline(size=None)[source]

Reads a single line of text.

The function reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.

Parameters:

size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.

Returns:

line of text.

Return type:

bytes

Raises:

ValueError – if the specified size is less than zero or greater than the maximum size allowed.

readlines(sizehint=None)[source]

Reads lines of text.

The function reads until EOF using readline() and returns a list containing the lines read.

Parameters:

sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.

Returns:

lines of text.

Return type:

list[bytes]

tell()[source]

Retrieves the current offset into the file-like object.

Returns:

current offset into the file-like object.

Return type:

int

plaso.lib.loggers module

Logging related classes and functions.

class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')[source]

Bases: FileHandler

Compressed file handler for logging.

__init__(filename, mode='a', encoding='utf-8')[source]

Initializes a compressed file logging handler.

Parameters:
  • filename (str) – name of the log file.

  • mode (Optional[str]) – file access mode.

  • encoding (Optional[str]) – encoding of the log lines.

plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)[source]

Configures the logging root logger.

Parameters:
  • debug_output (Optional[bool]) – True if the logging should include debug output.

  • filename (Optional[str]) – log filename.

  • mode (Optional[str]) – log file access mode.

  • quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.

plaso.lib.plist module

The plist file object.

class plaso.lib.plist.PlistFile[source]

Bases: object

Class that defines a plist file.

root_key

the plist root key.

Type:

dict

GetValueByPath(path_segments)[source]

Retrieves a plist value by path.

Parameters:

path_segments (list[str]) – path segment strings relative to the root of the plist.

Returns:

The value of the key specified by the path or None.

Return type:

object

Read(file_object)[source]

Reads a plist from a file-like object.

Parameters:

file_object (dfvfs.FileIO) – a file-like object containing plist data.

Raises:
  • IOError – if the plist file-like object cannot be read.

  • OSError – if the plist file-like object cannot be read.

__init__()[source]

Initializes the plist file object.

plaso.lib.specification module

The format specification classes.

class plaso.lib.specification.FormatSpecification(identifier, text_format=False)[source]

Bases: object

The format specification.

AddNewSignature(pattern, offset=None)[source]

Adds a signature.

Parameters:
  • pattern (bytes) – pattern of the signature.

  • offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative from the start of the data; a negative offset is relative from the end of the data.

IsTextFormat()[source]

Determines if the format is a text format.

Returns:

True if the format is a text format, False otherwise.

Return type:

bool

__init__(identifier, text_format=False)[source]

Initializes a format specification.

Parameters:
  • identifier (str) – unique name for the format.

  • text_format (Optional[bool]) – True if the format is a text format, False otherwise.

class plaso.lib.specification.FormatSpecificationStore[source]

Bases: object

The store for format specifications.

AddNewSpecification(identifier)[source]

Adds a new format specification.

Parameters:

identifier (str) – format identifier, which should be unique for the store.

Returns:

format specification.

Return type:

FormatSpecification

Raises:

KeyError – if the store already contains a specification with the same identifier.

AddSpecification(specification)[source]

Adds a format specification.

Parameters:

specification (FormatSpecification) – format specification.

Raises:

KeyError – if the store already contains a specification with the same identifier.

GetSpecificationBySignature(signature_identifier)[source]

Retrieves a specification mapped to a signature identifier.

Parameters:

signature_identifier (str) – unique signature identifier for a specification store.

Returns:

format specification or None if the signature identifier does not exist within the specification store.

Return type:

FormatSpecification

__init__()[source]

Initializes a specification store.

property specifications

specifications iterator.

Type:

iterator

class plaso.lib.specification.Signature(pattern, offset=None)[source]

Bases: object

The format specification signature.

The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

SetIdentifier(identifier)[source]

Sets the identifier of the signature in the specification store.

Parameters:

identifier (str) – unique signature identifier for a specification store.

__init__(pattern, offset=None)[source]

Initializes a format specification signature.

The signatures can be defined in 3 different “modes”:

  • where offset >= 0, which represents that the signature is bound to the start of the data and only the relevant part is scanned;

  • where offset < 0, which represents that the signature is bound to the end of the data and only the relevant part is scanned;

  • offset == None, which represents that the signature is not offset bound and that all of the data is scanned.

Parameters:
  • pattern (bytes) – pattern of the signature. Wildcards or regular expressions (regexp) are not supported.

  • offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative from the start of the data; a negative offset is relative from the end of the data.
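The three signature modes, as an added example that is not plaso's own scanner. It assumes that "bound" means the pattern must sit exactly at the given position; bound_window, signature_matches, identify and the sample data are hypothetical and constructed for illustration.

```python
def bound_window(data_size, pattern_size, offset):
    """Returns (start, end) of the only bytes an offset-bound match reads."""
    start = offset if offset >= 0 else data_size + offset
    end = start + pattern_size
    if start < 0 or end > data_size:
        return None  # the pattern cannot fit at that position
    return start, end


def signature_matches(data, pattern, offset=None):
    """Literal byte comparison in one of the three documented modes."""
    if offset is None:
        return pattern in data  # unbound: all of the data is scanned
    window = bound_window(len(data), len(pattern), offset)
    if window is None:
        return False
    start, end = window
    return data[start:end] == pattern


def identify(data, signatures):
    """Returns identifiers of all (identifier, pattern, offset) that match."""
    return [
        identifier for identifier, pattern, offset in signatures
        if signature_matches(data, pattern, offset)]


# Constructed sample: 4-byte header, padding, a marker, padding, 4-byte footer.
SAMPLE = b'HDR1' + b'\x00' * 8 + b'mid-marker' + b'\x00' * 8 + b'TAIL'

# Hypothetical signatures, one per mode plus three that must not match.
SIGNATURES = [
    ('header', b'HDR1', 0),
    ('footer', b'TAIL', -4),
    ('marker_anywhere', b'mid-marker', None),
    ('marker_at_start', b'mid-marker', 0),
    ('footer_past_end', b'TAIL', -2),
    ('no_wildcards', b'HDR?', 0),
]

if __name__ == '__main__':
    print(identify(SAMPLE, SIGNATURES))
```

The last entry shows that the pattern is compared byte for byte: the "?" is an ordinary byte, not a wildcard.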

Module contents