plaso.parsers.esedb_plugins package

Submodules

plaso.parsers.esedb_plugins.file_history module

Parser for the Microsoft File History ESE database.

class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin[source]

Bases: ESEDBPlugin

Parses a File History ESE database file.

DATA_FORMAT = 'Windows 8 File History ESE database file'

NAME = 'file_history'

ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the namespace table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}

class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

File history namespace table event data.

creation_time

file entry creation date and time.

Type: dfdatetime.DateTimeValues

file_attribute

file attribute.

Type: int

identifier

identifier.

Type: str

modification_time

file entry last modification date and time.

Type: dfdatetime.DateTimeValues

original_filename

original file name.

Type: str

parent_identifier

parent identifier.

Type: str

usn_number

USN number.

Type: int

DATA_TYPE = 'windows:file_history:namespace'

plaso.parsers.esedb_plugins.interface module

This file contains the interface for ESE database plugins.

class plaso.parsers.esedb_plugins.interface.ESEDBPlugin[source]

Bases: BasePlugin, DtFabricHelper

The ESE database plugin interface.

BINARY_DATA_COLUMN_TYPES = frozenset({pyesedb.column_types.BINARY_DATA, pyesedb.column_types.LARGE_BINARY_DATA})

CheckRequiredTables(database)[source]

Check if the database has the minimal structure required by the plugin.

Parameters

database (ESEDatabase) – ESE database to check.

Returns

True if the database has the minimum tables defined by the plugin,: or False if it does not or no required tables are defined. The database can have more tables than specified by the plugin and still return True.

Return type

bool

DATA_FORMAT = 'ESE database file'

FLOATING_POINT_COLUMN_TYPES = frozenset({pyesedb.column_types.FLOAT_32BIT, pyesedb.column_types.DOUBLE_64BIT})

INTEGER_COLUMN_TYPES = frozenset({pyesedb.column_types.DATE_TIME, pyesedb.column_types.INTEGER_64BIT_SIGNED, pyesedb.column_types.INTEGER_16BIT_UNSIGNED, pyesedb.column_types.INTEGER_8BIT_UNSIGNED, pyesedb.column_types.INTEGER_32BIT_SIGNED, pyesedb.column_types.INTEGER_16BIT_SIGNED, pyesedb.column_types.CURRENCY, pyesedb.column_types.INTEGER_32BIT_UNSIGNED})

NAME = 'esedb_plugin'

OPTIONAL_TABLES = {}

Process(parser_mediator, cache=None, database=None, **kwargs)[source]

Extracts events from an ESE database.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache.
database (Optional[ESEDatabase]) – ESE database.

Raises

ValueError – If the database argument is not valid.

REQUIRED_TABLES = {}

STRING_COLUMN_TYPES = frozenset({pyesedb.column_types.LARGE_TEXT, pyesedb.column_types.TEXT})

plaso.parsers.esedb_plugins.msie_webcache module

Parser for the Microsoft Internet Explorer WebCache ESE database.

The WebCache database (WebCacheV01.dat or WebCacheV24.dat) are used by MSIE as of version 10.

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIE WebCache Container table event data.

access_count

access count.

Type: int

access_time

last access date and time.

Type: dfdatetime.DateTimeValues

cached_filename

name of the cached file.

Type: str

cached_file_size

size of the cached file.

Type: int

cache_identifier

cache identifier.

Type: int

container_identifier

container identifier.

Type: int

creation_time

creation date and time.

Type: dfdatetime.DateTimeValues

entry_identifier

entry identifier.

Type: int

expiration_time

expiration date and time.

Type: dfdatetime.DateTimeValues

file_extension

file extension.

Type: str

modification_time

modification date and time.

Type: dfdatetime.DateTimeValues

post_check_time

post check date and time.

Type: dfdatetime.DateTimeValues

redirect_url

URL from which the request was redirected.

Type: str

request_headers

request headers.

Type: str

response_headers

response headers.

Type: str

synchronization_count

synchronization count.

Type: int

synchronization_time

synchronization date and time.

Type: dfdatetime.DateTimeValues

url

URL.

Type: str

DATA_TYPE = 'msie:webcache:container'

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIE WebCache Containers table event data.

access_time

last access date and time.

Type: dfdatetime.DateTimeValues

container_identifier

container identifier.

Type: int

directory

name of the cache directory.

Type: str

name

name of the cache container.

Type: str

scavenge_time

last scavenge date and time.

Type: dfdatetime.DateTimeValues

set_identifier

set identifier.

Type: int

DATA_TYPE = 'msie:webcache:containers'

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin[source]

Bases: ESEDBPlugin

Parses a MSIE WebCache ESE database file.

DATA_FORMAT = 'Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file'

NAME = 'msie_webcache'

OPTIONAL_TABLES = {'Partitions': 'ParsePartitionsTable', 'PartitionsEx': 'ParsePartitionsTable'}

ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a Containers table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a LeakFiles table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a Partitions or PartitionsEx table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable'}

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIE WebCache LeakFiles event data.

cached_filename

name of the cached file.

Type: str

creation_time

creation date and time.

Type: dfdatetime.DateTimeValues

leak_identifier

leak identifier.

Type: int

DATA_TYPE = 'msie:webcache:leak_file'

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIE WebCache Partitions table event data.

directory

directory.

Type: str

partition_identifier

partition identifier.

Type: int

partition_type

partition type.

Type: int

scavenge_time

last scavenge date and time.

Type: dfdatetime.DateTimeValues

table_identifier

table identifier.

Type: int

DATA_TYPE = 'msie:webcache:partitions'

plaso.parsers.esedb_plugins.srum module

Parser for the System Resource Usage Monitor (SRUM) ESE database.

class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

SRUM application resource usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

application.

Type: str

background_bytes_read

background number of bytes read.

Type: int

background_bytes_written

background number of bytes written.

Type: int

background_context_switches

number of background context switches.

Type: int

background_cycle_time

background cycle time.

Type: int

background_number_for_flushes

background number of flushes.

Type: int

background_number_for_read_operations

background number of read operations.

Type: int

background_number_for_write_operations

background number of write operations.

Type: int

face_time

face time.

Type: int

foreground_bytes_read

foreground number of bytes read.

Type: int

foreground_bytes_written

foreground number of bytes written.

Type: int

foreground_context_switches

number of foreground context switches.

Type: int

foreground_cycle_time

foreground cycle time.

Type: int

foreground_number_for_flushes

foreground number of flushes.

Type: int

foreground_number_for_read_operations

foreground number of read operations.

Type: int

foreground_number_for_write_operations

foreground number of write operations.

Type: int

identifier

record identifier.

Type: int

recorded_time

date and time the sample was recorded.

Type: dfdatetime.DateTimeValues

user_identifier

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:application_usage'

class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

SRUM network connectivity usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

application.

Type: str

identifier

record identifier.

Type: int

interface_luid

interface locally unique identifier (LUID).

Type: int

last_connected_time

last date and time the connection was established.

Type: dfdatetime.DateTimeValues

l2_profile_flags

L2 profile flags.

Type: int

l2_profile_identifier

L2 profile identifier.

Type: int

recorded_time

date and time the sample was recorded.

Type: dfdatetime.DateTimeValues

user_identifier

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:network_connectivity'

class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

SRUM network data usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application

application.

Type: str

bytes_received

number of bytes received.

Type: int

bytes_sent

number of bytes sent.

Type: int

identifier

record identifier.

Type: int

interface_luid

interface locally unique identifier (LUID).

Type: int

l2_profile_flags

L2 profile flags.

Type: int

l2_profile_identifier

L2 profile identifier.

Type: int

recorded_time

date and time the sample was recorded.

Type: dfdatetime.DateTimeValues

user_identifier

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:network_usage'

class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin[source]

Bases: ESEDBPlugin

Parses a System Resource Usage Monitor (SRUM) ESE database file.

DATA_FORMAT = 'System Resource Usage Monitor (SRUM) ESE database file'

NAME = 'srum'

OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'}

ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the application resource usage table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the network connectivity usage monitor table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]

Parses the network data usage monitor table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

REQUIRED_TABLES = {'SruDbIdMapTable': ''}

plaso.parsers.esedb_plugins.user_access_logging module

Parser for the Microsoft User Access Logging (UAL) ESE database.

User Access Logging (UAL) is present in Windows Server editions starting with Window Server 2012.

Also see:: https://www.crowdstrike.com/blog/user-access-logging-ual-overview/

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingClientsEventsData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows User Access Logging CLIENTS table event data.

access_time

last access date and time.

Type: dfdatetime.DateTimeValues

authenticated_username

domain/user account name performing the access.

Type: str

client_name

client name, use unknown.

Type: str

insert_time

date and time the entry was first inserted into the table.

Type: dfdatetime.DateTimeValues

role_identifier

identifier of the service accessed.

Type: str

role_name

Name of the service accessed.

Type: str

source_ip_address

source IP address.

Type: str

tenant_identifier

unique identifier of a tenant client.

Type: str

total_accesses

Count of accesses for the year.

Type: int

DATA_TYPE = 'windows:user_access_logging:clients'

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingDNSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows User Access Logging DNS table event data.

hostname

hostname.

Type: str

ip_address

IP address.

Type: str

last_seen_time

date and time the hostname to IP address mapping was last observed.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:user_access_logging:dns'

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingESEDBPlugin[source]

Bases: ESEDBPlugin

Parses Windows User Access Logging ESE database file.

DATA_FORMAT = 'Windows User Access Logging ESE database file'

NAME = 'user_access_logging'

ParseClientsTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a CLIENTS table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParseDNSTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a DNS table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParseRoleAccessTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a ROLE_ACCESS table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParseVirtualMachinesTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]

Parses a VIRTUALMACHINES table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'CLIENTS': 'ParseClientsTable', 'DNS': 'ParseDNSTable', 'ROLE_ACCESS': 'ParseRoleAccessTable', 'VIRTUALMACHINES': 'ParseVirtualMachinesTable'}

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingRoleAccessEventsData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows User Access Logging ROLE_ACCESS table event data.

first_seen_time

date and time the role was first observed to be used.

Type: dfdatetime.DateTimeValues

last_seen_time

date and time the role was last observed to be used.

Type: dfdatetime.DateTimeValues

role_identifier

identifier of the role.

Type: str

role_name

name of the role.

Type: str

DATA_TYPE = 'windows:user_access_logging:role_access'

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingSystemIdentityEventdata(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows User Access Logging SYSTEM_IDENTITY table event data.

creation_time

date and time the system identity was created.

Type: dfdatetime.DateTimeValues

operating_system_build

operating system build.

Type: int

system_dns_hostname

System hostname.

Type: str

system_domain_name

System domain name.

Type: str

DATA_TYPE = 'windows:user_access_logging:system_identity'

class plaso.parsers.esedb_plugins.user_access_logging.UserAccessLoggingVirtualMachinesEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows User Access Logging VIRTUALMACHINES table event data.

bios_identifier

BIOS identifier.

Type: str

creation_time

date and time the virtual machine was created.

Type: dfdatetime.DateTimeValues

last_active_time

date and time the virtual machine was last observed to be active.

Type: dfdatetime.DateTimeValues

serial_number

Serial number.

Type: str

vm_identifier

identifier of the virtual machine.

Type: str

DATA_TYPE = 'windows:user_access_logging:virtual_machines'

Module contents

Imports for the ESE database parser.