plaso.output package

Submodules

plaso.output.dynamic module

Dynamic selected delimiter separated values output module.

class plaso.output.dynamic.DynamicFieldFormattingHelper[source]

Bases: FieldFormattingHelper

Dynamic output module field formatting helper.

class plaso.output.dynamic.DynamicOutputModule(output_mediator)[source]

Bases: DSVOutputModule

Dynamic selected delimiter separated values output module.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'

NAME = 'dynamic'

plaso.output.formatting_helper module

Output module field formatting helper.

class plaso.output.formatting_helper.EventFormattingHelper(output_mediator)[source]

Bases: object

Output module event formatting helper.

abstract GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

class plaso.output.formatting_helper.FieldFormattingHelper[source]

Bases: object

Output module field formatting helper.

GetFormattedField(output_mediator, field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters

output_mediator (OutputMediator) – output mediator.
field_name (str) – name of the field.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

value of the field.

Return type

str

plaso.output.interface module

This file contains the output module interface classes.

class plaso.output.interface.OutputModule(output_mediator)[source]

Bases: object

Output module interface.

Close()[source]: Closes the output.

DESCRIPTION = ''

GetMissingArguments()[source]

Retrieves arguments required by the module that have not been specified.

Returns

names of argument that are required by the module and have: not been specified.

Return type

list[str]

NAME = ''

Open(**kwargs)[source]: Opens the output.

WRITES_OUTPUT_FILE = False

WriteEvent(event, event_data, event_data_stream, event_tag)[source]

Writes the event to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

abstract WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).

This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.

Parameters

(list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.
EventData – EventTag]]): group of events with identical timestamps, attributes and values.
EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes: and values.

WriteFooter()[source]

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader()[source]

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

class plaso.output.interface.TextFileOutputModule(output_mediator, event_formatting_helper)[source]

Bases: OutputModule

Shared functionality of an output module that writes to a text file.

Close()[source]: Closes the output file.

Open(path=None, **kwargs)[source]

Opens the output file.

Parameters

path (Optional[str]) – path of the output file.

Raises

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if path is not set.

WRITES_OUTPUT_FILE = True

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

WriteLine(text)[source]

Writes a line of text to the output file.

Parameters: text (str) – text to output.

WriteText(text)[source]

Writes text to the output file.

Parameters: text (str) – text to output.

plaso.output.json_line module

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)[source]

Bases: TextFileOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'

NAME = 'json_line'

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

plaso.output.json_out module

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)[source]

Bases: TextFileOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'

NAME = 'json'

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

WriteFooter()[source]: Writes the footer to the output.

WriteHeader()[source]: Writes the header to the output.

plaso.output.kml module

An output module that writes event with geography data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLEventFormattingHelper(output_mediator)[source]

Bases: NativePythonEventFormattingHelper

Keyhole Markup Language (KML) XML event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

class plaso.output.kml.KMLOutputModule(output_mediator)[source]

Bases: TextFileOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'

NAME = 'kml'

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

WriteFooter()[source]: Writes the footer to the output.

WriteHeader()[source]: Writes the header to the output.

plaso.output.l2t_csv module

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see: https://forensicswiki.xyz/wiki/index.php?title=L2T_CSV

class plaso.output.l2t_csv.L2TCSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: DSVEventFormattingHelper

L2T CSV output module event formatting helper.

GetFormattedEventMACBGroup(event_macb_group)[source]

Retrieves a string representation of the event.

Parameters

(list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.
EventData – EventTag]]): group of events with identical timestamps, attributes and values.
EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes: and values.

Returns: string representation of the event MACB group.
Return type: str

class plaso.output.l2t_csv.L2TCSVFieldFormattingHelper[source]

Bases: FieldFormattingHelper

L2T CSV output module field formatting helper.

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)[source]

Bases: TextFileOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'

NAME = 'l2tcsv'

WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

Parameters

(list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.
EventData – EventTag]]): group of events with identical timestamps, attributes and values.
EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes: and values.

WriteHeader()[source]: Writes the header to the output.

plaso.output.logger module

The output sub module logger.

plaso.output.manager module

Output plugin manager.

class plaso.output.manager.OutputManager[source]

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters: output_class (type) – output module class.
Raises: KeyError – if output class is not set for the corresponding data type.

classmethod GetDisabledOutputClasses()[source]

Retrieves the disabled output classes and its associated name.

Yields: tuple[str, type] – output module name and class.

classmethod GetOutputClass(name)[source]

Retrieves the output class for a specific name.

Parameters

name (str) – name of the output module.

Returns

output module class.

Return type

type

Raises

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod GetOutputClasses()[source]

Retrieves the available output classes its associated name.

Yields: tuple[str, type] – output class name and type object.

classmethod HasOutputClass(name)[source]

Determines if a specific output class is registered with the manager.

Parameters: name (str) – name of the output module.
Returns: True if the output class is registered.
Return type: bool

classmethod NewOutputModule(name, output_mediator)[source]

Creates a new output module object for the specified output format.

Parameters

name (str) – name of the output module.
output_mediator (OutputMediator) – output mediator.

Returns

output module.

Return type

OutputModule

Raises

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod RegisterOutput(output_class, disabled=False)[source]

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters

output_class (type) – output module class.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters

output_classes (list[type]) – output module classes.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

plaso.output.mediator module

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, data_location=None, dynamic_time=False, preferred_encoding='utf-8')[source]

Bases: object

Output mediator.

data_location

path of the formatter data files.

Type: Optional[str]

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters: path_spec (dfvfs.PathSpec) – path specification.
Returns: human readable version of the path specification.
Return type: str

GetHostname(event_data, default_hostname='-')[source]

Retrieves the hostname related to the event.

Parameters

event_data (EventData) – event data.
default_hostname (Optional[str]) – default hostname.

Returns

hostname.

Return type

str

GetMACBRepresentation(event, event_data)[source]

Retrieves the MACB representation.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.

Returns

MACB representation.

Return type

str

GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters: timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns: MACB representation.
Return type: str

GetMessageFormatter(data_type)[source]

Retrieves the message formatter for a specific data type.

Parameters

data_type (str) – data type.

Returns

corresponding message formatter or the default message: formatter if not available.

Return type

EventFormatter

GetRelativePathForPathSpec(path_spec)[source]

Retrieves the relative path for a path specification.

Parameters: path_spec (dfvfs.PathSpec) – path specification.
Returns: relateive path of the path specification.
Return type: str

GetUsername(event_data, default_username='-')[source]

Retrieves the username related to the event.

Parameters

event_data (EventData) – event data.
default_username (Optional[str]) – default username.

Returns

username.

Return type

str

GetWinevtResourcesHelper()[source]

Retrieves a Windows EventLog resources helper.

Returns: Windows EventLog resources helper.
Return type: WinevtResourcesHelper

ReadMessageFormattersFromDirectory(path)[source]

Reads message formatters from a directory.

Parameters: path (str) – path of directory that contains the message formatters configuration files.
Raises: KeyError – if the message formatter is already set for the corresponding data type.

ReadMessageFormattersFromFile(path)[source]

Reads message formatters from a file.

Parameters: path (str) – path of file that contains the message formatters configuration.
Raises: KeyError – if the message formatter is already set for the corresponding data type.

SetPreferredLanguageIdentifier(language_tag)[source]

Sets the preferred language identifier.

Parameters: language_tag (str) – language tag such as “en-US” for US English or “is-IS” for Icelandic.
Raises: ValueError – if the language tag is not a string type or no LCID can be determined that corresponds with the language tag.

SetStorageReader(storage_reader)[source]

Sets the storage reader.

Parameters: storage_reader (StorageReader) – storage reader.

SetTextPrepend(text_prepend)[source]

Sets the text to prepend to the display name.

Parameters: text_prepend (str) – text to prepend to the display name or None if no text should be prepended.

SetTimeZone(time_zone)[source]

Sets the time zone.

Parameters: time_zone (str) – time zone.
Raises: ValueError – if the time zone is not supported.

property dynamic_time

True if date and time values should be represented in their granularity or semantically.

Type: bool

property encoding

preferred encoding.

Type: str

property timezone: The time zone.

plaso.output.null module

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)[source]

Bases: OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'

NAME = 'null'

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

plaso.output.opensearch module

An output module that saves events to OpenSearch.

class plaso.output.opensearch.OpenSearchOutputModule(output_mediator)[source]

Bases: SharedOpenSearchOutputModule

Output module for OpenSearch.

DESCRIPTION = 'Saves the events into an OpenSearch database.'

MAPPINGS_FILENAME = 'opensearch.mappings'

NAME = 'opensearch'

WriteHeader()[source]: Connects to the OpenSearch server and creates the index.

plaso.output.opensearch_ts module

An output module that saves events to OpenSearch for Timesketch.

class plaso.output.opensearch_ts.OpenSearchTimesketchOutputModule(output_mediator)[source]

Bases: SharedOpenSearchOutputModule

Output module for Timesketch OpenSearch.

DESCRIPTION = 'Saves the events into an OpenSearch database for use with Timesketch.'

GetMissingArguments()[source]

Retrieves a list of arguments that are missing from the input.

Returns

names of arguments that are required by the module and have: not been specified.

Return type

list[str]

MAPPINGS_FILENAME = 'plaso.mappings'

MAPPINGS_PATH = '/etc/timesketch'

NAME = 'opensearch_ts'

SetTimelineIdentifier(timeline_identifier)[source]

Sets the timeline identifier.

Parameters: timeline_identifier (int) – timeline identifier.

WriteHeader()[source]: Connects to the OpenSearch server and creates the index.

plaso.output.rawpy module

Output module for the native (or “raw”) Python format.

class plaso.output.rawpy.NativePythonEventFormattingHelper(output_mediator)[source]

Bases: EventFormattingHelper

Native (or “raw”) Python output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

class plaso.output.rawpy.NativePythonOutputModule(output_mediator)[source]

Bases: TextFileOutputModule

Output module for native (or “raw”) Python output format.

DESCRIPTION = 'native (or "raw") Python output.'

NAME = 'rawpy'

plaso.output.shared_dsv module

Shared functionality for delimiter separated values output modules.

class plaso.output.shared_dsv.DSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: EventFormattingHelper

Delimiter separated values output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

GetFormattedFieldNames()[source]

Retrieves a string representation of the field names.

Returns: string representation of the field names.
Return type: str

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters: field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters: field_names (list[str]) – names of the fields to output.

class plaso.output.shared_dsv.DSVOutputModule(output_mediator, field_formatting_helper, names, delimiter=',', header=None)[source]

Bases: TextFileOutputModule

Shared functionality for delimiter separated values output modules.

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters: field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters: field_names (list[str]) – names of the fields to output.

WriteHeader()[source]: Writes the header to the output.

plaso.output.shared_json module

Shared functionality for JSON based output modules.

class plaso.output.shared_json.JSONEventFormattingHelper(output_mediator)[source]

Bases: EventFormattingHelper

JSON output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

string representation of the event.

Return type

str

plaso.output.shared_opensearch module

Shared functionality for OpenSearch output modules.

class plaso.output.shared_opensearch.SharedOpenSearchFieldFormattingHelper[source]

Bases: FieldFormattingHelper

Shared OpenSearch output module field formatting helper.

GetFormattedField(output_mediator, field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters

output_mediator (OutputMediator) – output mediator.
field_name (str) – name of the field.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns

value of the field or None if not set.

Return type

object

class plaso.output.shared_opensearch.SharedOpenSearchOutputModule(output_mediator)[source]

Bases: OutputModule

Shared functionality for an OpenSearch output module.

Close()[source]

Closes connection to OpenSearch.

Inserts any remaining buffered event documents.

NAME = 'opensearch_shared'

SetCACertificatesPath(ca_certificates_path)[source]

Sets the path to the CA certificates.

Parameters: ca_certificates_path (str) – path to file containing a list of root certificates to trust.
Raises: BadConfigOption – if the CA certificates file does not exist.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters: field_names (list[str]) – names of the fields to output.

SetFlushInterval(flush_interval)[source]

Sets the flush interval.

Parameters: flush_interval (int) – number of events to buffer before doing a bulk insert.

SetIndexName(index_name)[source]

Sets the index name.

Parameters: index_name (str) – name of the index.

SetMappings(mappings)[source]

Sets the mappings.

Parameters: mappings (dict[str, object]) – mappings of the index.

SetPassword(password)[source]

Sets the password.

Parameters: password (str) – password to authenticate with.

SetServerInformation(server, port)[source]

Sets the server information.

Parameters

server (str) – IP address or hostname of the server.
port (int) – Port number of the server.

SetURLPrefix(url_prefix)[source]

Sets the URL prefix.

Parameters: url_prefix (str) – URL prefix.

SetUseSSL(use_ssl)[source]

Sets the use of ssl.

Parameters: use_ssl (bool) – enforces use of ssl.

SetUsername(username)[source]

Sets the username.

Parameters: username (str) – username to authenticate with.

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

plaso.output.tln module

Output module for the TLN format.

For documentation on the TLN format see: https://forensicswiki.xyz/wiki/index.php?title=TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)[source]

Bases: DSVOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced log2timeline.pl 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data. * TZ - L2T 0.65 field. Timezone of the event. * Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'

NAME = 'l2ttln'

class plaso.output.tln.TLNFieldFormattingHelper[source]

Bases: FieldFormattingHelper

TLN output module field formatting helper.

class plaso.output.tln.TLNOutputModule(output_mediator)[source]

Bases: DSVOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'

NAME = 'tln'

plaso.output.winevt_rc module

Windows EventLog resources database reader.

class plaso.output.winevt_rc.Sqlite3DatabaseFile[source]

Bases: object

Class that defines a sqlite3 database file.

Close()[source]

Closes the database file.

Raises: RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields

sqlite3.row – row.

Raises

RuntimeError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters: table_name (str) – table name.
Returns: True if the table exists.
Return type: bool
Raises: RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful.

Return type

bool

Raises

RuntimeError – if the database is already opened.

class plaso.output.winevt_rc.WinevtResourcesHelper(storage_reader, data_location, lcid, environment_variables)[source]

Bases: object

Windows EventLog resources helper.

DEFAULT_LCID = 1033

GetMessageString(log_source, message_identifier)[source]

Retrieves a specific Windows EventLog message string.

Parameters

log_source (str) – EventLog source, such as “Application Error”.
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

class plaso.output.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]

Bases: object

Windows EventLog resources SQLite database reader.

Close()[source]: Closes the database reader object.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific EventLog source.

Parameters

log_source (str) – EventLog source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

message string or None if not available.

Return type

str

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters: attribute_name (str) – name of the metadata attribute.
Returns: the metadata attribute or None.
Return type: str
Raises: RuntimeError – if more than one value is found in the database.

Open(filename)[source]

Opens the database reader object.

Parameters: filename (str) – filename of the database.
Returns: True if successful.
Return type: bool
Raises: RuntimeError – if the version or string format of the database is not supported.

plaso.output.xlsx module

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)[source]

Bases: OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]: Closes the workbook.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'

NAME = 'xlsx'

Open(path=None, **kwargs)[source]

Creates a new workbook.

Parameters

path (Optional[str]) – path of the output file.

Raises

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if path is not set.

SetFields(fields)[source]

Sets the fields to output.

Parameters: fields (list[str]) – names of the fields to output.

SetTimestampFormat(timestamp_format)[source]

Set the timestamp format to use for the datetime column.

Parameters: timestamp_format (str) – format string of date and time values.

WRITES_OUTPUT_FILE = True

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

WriteHeader()[source]: Writes the header to the spreadsheet.

Module contents

This file imports Python modules that register output modules.