plaso.output package

Submodules

plaso.output.dynamic module

Dynamic selected delimiter separated values output module.

class plaso.output.dynamic.DynamicFieldFormattingHelper(output_mediator)[source]

Bases: plaso.output.formatting_helper.FieldFormattingHelper

Dynamic output module field formatting helper.

class plaso.output.dynamic.DynamicOutputModule(output_mediator)[source]

Bases: plaso.output.shared_dsv.DSVOutputModule

Dynamic selected delimiter separated values output module.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'
NAME = 'dynamic'

plaso.output.elastic module

An output module that saves events to Elasticsearch.

class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Elasticsearch.

DESCRIPTION = 'Saves the events into an Elasticsearch database.'
NAME = 'elastic'
SetRawFields(raw_fields)[source]

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/ multi-fields.html

Parameters

raw_fields (bool) – True if raw (non-analyzed) fields should be added.

WriteHeader()[source]

Connects to the Elasticsearch server and creates the index.

plaso.output.formatting_helper module

Output module field formatting helper.

class plaso.output.formatting_helper.EventFormattingHelper(output_mediator)[source]

Bases: object

Output module event formatting helper.

abstract GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters
Returns

string representation of the event.

Return type

str

class plaso.output.formatting_helper.FieldFormattingHelper(output_mediator)[source]

Bases: object

Output module field formatting helper.

GetFormattedField(field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters
Returns

value of the field.

Return type

str

plaso.output.interface module

This file contains the output module interface classes.

class plaso.output.interface.LinearOutputModule(output_mediator, event_formatting_helper)[source]

Bases: plaso.output.interface.OutputModule

Linear output module.

Close()[source]

Closes the output.

SetOutputWriter(output_writer)[source]

Set the output writer.

Parameters

output_writer (CLIOutputWriter) – output writer.

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters
class plaso.output.interface.OutputModule(output_mediator)[source]

Bases: object

Output module interface.

Close()[source]

Closes the output.

DESCRIPTION = ''
GetMissingArguments()[source]

Retrieves arguments required by the module that have not been specified.

Returns

names of argument that are required by the module and have

not been specified.

Return type

list[str]

NAME = ''
Open()[source]

Opens the output.

WriteEvent(event, event_data, event_data_stream, event_tag)[source]

Writes the event to the output.

Parameters
abstract WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters
WriteEventEnd()[source]

Writes the end of an event to the output.

Can be used for post-processing or output after an individual event has been written, such as writing closing XML tags, etc.

WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).

This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.

Parameters

  • (list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventData – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes

and values.

WriteEventStart()[source]

Writes the start of an event to the output.

Can be used for pre-processing or output before an individual event has been written, such as writing opening XML tags, etc.

WriteFooter()[source]

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader()[source]

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

plaso.output.json_line module

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'
NAME = 'json_line'
WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

plaso.output.json_out module

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'
NAME = 'json'
WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters
WriteFooter()[source]

Writes the footer to the output.

WriteHeader()[source]

Writes the header to the output.

plaso.output.kml module

An output module that writes event with geography data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'
NAME = 'kml'
WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters
WriteFooter()[source]

Writes the footer to the output.

WriteHeader()[source]

Writes the header to the output.

plaso.output.l2t_csv module

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see: https://forensicswiki.xyz/wiki/index.php?title=L2T_CSV

class plaso.output.l2t_csv.L2TCSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: plaso.output.shared_dsv.DSVEventFormattingHelper

L2T CSV output module event formatting helper.

GetFormattedEventMACBGroup(event_macb_group)[source]

Retrieves a string representation of the event.

Parameters

  • (list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventData – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes

and values.

Returns

string representation of the event MACB group.

Return type

str

class plaso.output.l2t_csv.L2TCSVFieldFormattingHelper(output_mediator)[source]

Bases: plaso.output.formatting_helper.FieldFormattingHelper

L2T CSV output module field formatting helper.

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'
NAME = 'l2tcsv'
WriteEventMACBGroup(event_macb_group)[source]

Writes an event MACB group to the output.

Parameters

  • (list[tuple[EventObject (event_macb_group) – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventData – EventTag]]): group of events with identical timestamps, attributes and values.

  • EventDataStream – EventTag]]): group of events with identical timestamps, attributes and values.

:paramEventTag]]): group of events with identical timestamps, attributes

and values.

WriteHeader()[source]

Writes the header to the output.

plaso.output.logger module

The output sub module logger.

plaso.output.manager module

Output plugin manager.

class plaso.output.manager.OutputManager[source]

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters

output_class (type) – output module class.

Raises

KeyError – if output class is not set for the corresponding data type.

classmethod GetDisabledOutputClasses()[source]

Retrieves the disabled output classes and its associated name.

Yields

tuple[str, type] – output module name and class.

classmethod GetOutputClass(name)[source]

Retrieves the output class for a specific name.

Parameters

name (str) – name of the output module.

Returns

output module class.

Return type

type

Raises

  • KeyError – if there is no output class found with the supplied name.

  • ValueError – if name is not a string.

classmethod GetOutputClasses()[source]

Retrieves the available output classes its associated name.

Yields

tuple[str, type] – output class name and type object.

classmethod HasOutputClass(name)[source]

Determines if a specific output class is registered with the manager.

Parameters

name (str) – name of the output module.

Returns

True if the output class is registered.

Return type

bool

classmethod IsLinearOutputModule(name)[source]

Determines if a specific output class is a linear output module.

Parameters

name (str) – name of the output module.

Returns

if the output module is linear.

Return type

True

classmethod NewOutputModule(name, output_mediator)[source]

Creates a new output module object for the specified output format.

Parameters

  • name (str) – name of the output module.

  • output_mediator (OutputMediator) – output mediator.

Returns

output module.

Return type

OutputModule

Raises

  • KeyError – if there is no output class found with the supplied name.

  • ValueError – if name is not a string.

classmethod RegisterOutput(output_class, disabled=False)[source]

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters

  • output_class (type) – output module class.

  • disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters

  • output_classes (list[type]) – output module classes.

  • disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises

KeyError – if output class is already set for the corresponding name.

plaso.output.mediator module

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, formatter_mediator, fields_filter=None, preferred_encoding='utf-8')[source]

Bases: object

Output mediator.

fields_filter

filter object that indicates which fields to output.

Type

FilterObject

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.

Returns

human readable version of the path specification.

Return type

str

GetFormattedMessages(event_data)[source]

Retrieves the formatted messages related to the event data.

Parameters

event_data (EventData) – event data.

Returns

containing:

str: full message string or None if no event formatter was found. str: short message string or None if no event formatter was found.

Return type

tuple

GetFormattedSources(event, event_data)[source]

Retrieves the formatted sources related to the event.

Parameters
Returns

containing:

str: full source string or None if no event formatter was found. str: short source string or None if no event formatter was found.

Return type

tuple

GetHostname(event_data, default_hostname='-')[source]

Retrieves the hostname related to the event.

Parameters

  • event_data (EventData) – event data.

  • default_hostname (Optional[str]) – default hostname.

Returns

hostname.

Return type

str

GetMACBRepresentation(event, event_data)[source]

Retrieves the MACB representation.

Parameters
Returns

MACB representation.

Return type

str

GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters

timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.

Returns

MACB representation.

Return type

str

GetRelativePathForPathSpec(path_spec)[source]

Retrieves the relative path for a path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.

Returns

relateive path of the path specification.

Return type

str

GetStoredHostname()[source]

Retrieves the stored hostname.

Returns

hostname.

Return type

str

GetUsername(event_data, default_username='-')[source]

Retrieves the username related to the event.

Parameters

  • event_data (EventData) – event data.

  • default_username (Optional[str]) – default username.

Returns

username.

Return type

str

SetTimezone(timezone)[source]

Sets the timezone.

Parameters

timezone (str) – timezone.

Raises

ValueError – if the timezone is not supported.

property encoding

preferred encoding.

Type

str

property filter_expression

filter expression if a filter is set, None otherwise.

Type

str

property timezone

The timezone.

plaso.output.null module

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'
NAME = 'null'
WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

plaso.output.rawpy module

Output module for the native (or “raw”) Python format.

class plaso.output.rawpy.NativePythonEventFormattingHelper(output_mediator)[source]

Bases: plaso.output.formatting_helper.EventFormattingHelper

Native (or “raw”) Python output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters
Returns

string representation of the event.

Return type

str

class plaso.output.rawpy.NativePythonOutputModule(output_mediator)[source]

Bases: plaso.output.interface.LinearOutputModule

Output module for native (or “raw”) Python output format.

DESCRIPTION = 'native (or "raw") Python output.'
NAME = 'rawpy'

plaso.output.shared_dsv module

Shared functionality for delimiter separated values output modules.

class plaso.output.shared_dsv.DSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: plaso.output.formatting_helper.EventFormattingHelper

Delimiter separated values output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters
Returns

string representation of the event.

Return type

str

GetFormattedFieldNames()[source]

Retrieves a string representation of the field names.

Returns

string representation of the field names.

Return type

str

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters

field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters

field_names (list[str]) – names of the fields to output.

class plaso.output.shared_dsv.DSVOutputModule(output_mediator, field_formatting_helper, names, delimiter=',', header=None)[source]

Bases: plaso.output.interface.LinearOutputModule

Shared functionality for delimiter separated values output modules.

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters

field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters

field_names (list[str]) – names of the fields to output.

WriteHeader()[source]

Writes the header to the output.

plaso.output.shared_elastic module

Shared functionality for Elasticsearch output modules.

class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Shared functionality for an Elasticsearch output module.

Close()[source]

Closes connection to Elasticsearch.

Inserts any remaining buffered event documents.

NAME = 'elastic_shared'
SetCACertificatesPath(ca_certificates_path)[source]

Sets the path to the CA certificates.

Parameters

ca_certificates_path (str) – path to file containing a list of root certificates to trust.

Raises

BadConfigOption – if the CA certificates file does not exist.

SetDocumentType(document_type)[source]

Sets the document type.

Parameters

document_type (str) – document type.

SetFlushInterval(flush_interval)[source]

Set the flush interval.

Parameters

flush_interval (int) – number of events to buffer before doing a bulk insert.

SetIndexName(index_name)[source]

Set the index name.

Parameters

index_name (str) – name of the index.

SetPassword(password)[source]

Set the password.

Parameters

password (str) – password to authenticate with.

SetServerInformation(server, port)[source]

Set the server information.

Parameters

  • server (str) – IP address or hostname of the server.

  • port (int) – Port number of the server.

SetURLPrefix(url_prefix)[source]

Sets the URL prefix.

Parameters

url_prefix (str) – URL prefix.

SetUseSSL(use_ssl)[source]

Sets the use of ssl.

Parameters

use_ssl (bool) – enforces use of ssl.

SetUsername(username)[source]

Sets the username.

Parameters

username (str) – username to authenticate with.

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters

plaso.output.shared_json module

Shared functionality for JSON based output modules.

class plaso.output.shared_json.JSONEventFormattingHelper(output_mediator)[source]

Bases: plaso.output.formatting_helper.EventFormattingHelper

JSON output module event formatting helper.

GetFormattedEvent(event, event_data, event_data_stream, event_tag)[source]

Retrieves a string representation of the event.

Parameters
Returns

string representation of the event.

Return type

str

plaso.output.timesketch_out module

Timesketch output module.

class plaso.output.timesketch_out.TimesketchOutputModule(output_mediator)[source]

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Timesketch.

Close()[source]

Closes the connection to TimeSketch Elasticsearch database.

Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.

DESCRIPTION = 'Create a Timesketch timeline.'
GetMissingArguments()[source]

Retrieves a list of arguments that are missing from the input.

Returns

names of arguments that are required by the module and have

not been specified.

Return type

list[str]

NAME = 'timesketch'
SetTimelineName(timeline_name)[source]

Sets the timeline name.

Parameters

timeline_name (str) – timeline name.

SetTimelineOwner(username)[source]

Sets the username of the user that should own the timeline.

Parameters

username (str) – username.

WriteHeader()[source]

Sets up the Elasticsearch index and the Timesketch database object.

Creates the Elasticsearch index with Timesketch specific settings and the Timesketch SearchIndex database object.

plaso.output.tln module

Output module for the TLN format.

For documentation on the TLN format see: https://forensicswiki.xyz/wiki/index.php?title=TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)[source]

Bases: plaso.output.shared_dsv.DSVOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced log2timeline 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data. * TZ - L2T 0.65 field. Timezone of the event. * Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'
NAME = 'l2ttln'
class plaso.output.tln.TLNFieldFormattingHelper(output_mediator)[source]

Bases: plaso.output.formatting_helper.FieldFormattingHelper

TLN output module field formatting helper.

class plaso.output.tln.TLNOutputModule(output_mediator)[source]

Bases: plaso.output.shared_dsv.DSVOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'
NAME = 'tln'

plaso.output.xlsx module

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)[source]

Bases: plaso.output.interface.OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]

Closes the workbook.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'
NAME = 'xlsx'
Open()[source]

Creates a new workbook.

Raises

  • IOError – if the specified output file already exists.

  • OSError – if the specified output file already exists.

  • ValueError – if the filename is not set.

SetFields(fields)[source]

Sets the fields to output.

Parameters

fields (list[str]) – names of the fields to output.

SetFilename(filename)[source]

Sets the filename.

Parameters

filename (str) – filename.

SetTimestampFormat(timestamp_format)[source]

Set the timestamp format to use for the datetime column.

Parameters

timestamp_format (str) – format string of date and time values.

WriteEventBody(event, event_data, event_data_stream, event_tag)[source]

Writes event values to the output.

Parameters
WriteHeader()[source]

Writes the header to the spreadsheet.

Module contents

This file imports Python modules that register output modules.