plaso.parsers.czip_plugins package

Submodules

plaso.parsers.czip_plugins.interface module

Interface for compound ZIP file plugins.

class plaso.parsers.czip_plugins.interface.CompoundZIPPlugin[source]

Bases: BasePlugin

Compound ZIP parser plugin.

CheckRequiredPaths(zip_file)[source]

Checks if the ZIP file has the minimal structure required by the plugin.

Parameters

zip_file (zipfile.ZipFile) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.

Returns

True if the ZIP file has the minimum paths defined by the plugin,: or False if it does not or no required paths are defined. The ZIP file can have more paths than specified by the plugin and still return True.

Return type

bool

DATA_FORMAT = 'Compound ZIP file'

NAME = 'czip_plugin'

Process(parser_mediator, zip_file=None, **kwargs)[source]

Extracts events from the ZIP file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
zip_file (Optional[zipfile.ZipFile]) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.

Raises

ValueError – If the ZIP file argument is not valid.

REQUIRED_PATHS = frozenset({})

plaso.parsers.czip_plugins.oxml module

Compound ZIP parser plugin for OpenXML files.

class plaso.parsers.czip_plugins.oxml.OpenXMLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

OXML event data.

application

name of application that created document.

Type: str

application_version

version of application that created document.

Type: str

author

name of author.

Type: str

creation_time

creation date and time of the document.

Type: dfdatetime.DateTimeValues

digital_signature

digital signature.

Type: str

edit_duration

total editing time.

Type: int

hyperlinks_changed

True if hyperlinks have changed.

Type: bool

last_printed_time

date and time the document was last printed.

Type: dfdatetime.DateTimeValues

last_saved_by

name of user that last saved the document.

Type: str

links_up_to_date

True if the links are up to date.

Type: bool

modification_time

modification date and time of the document.

Type: dfdatetime.DateTimeValues

number_of_characters

number of characters without spaces in the document.

Type: int

number_of_characters_with_spaces

number of characters including spaces in the document.

Type: int

number_of_clips

number of multi-media clips in the document.

Type: int

number_of_hidden_slides

number of hidden slides in the document.

Type: int

number_of_lines

number of lines in the document.

Type: int

number_of_pages

number of pages in the document.

Type: int

number_of_paragraphs

number of paragraphs in the document.

Type: int

number_of_slides

number of slides in the document.

Type: int

number_of_words

number of words in the document.

Type: int

revision_number

revision number.

Type: int

scale

True if scaling of the thumbnail is desired or false if cropping is desired.

Type: bool

security_flags

security flags.

Type: int

shared_doc

True if document is shared.

Type: bool

template

name of the template used to created the document.

Type: str

DATA_TYPE = 'openxml:metadata'

class plaso.parsers.czip_plugins.oxml.OpenXMLPlugin[source]

Bases: CompoundZIPPlugin

Parse metadata from OXML files.

DATA_FORMAT = 'OpenXML (OXML) file'

NAME = 'oxml'

REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})

Module contents

Imports for the compound ZIP parser.