plaso.parsers.esedb_plugins package¶

Submodules¶

plaso.parsers.esedb_plugins.file_history module¶

Parser for the Microsoft File History ESE database.

class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a File History ESE database file.

DATA_FORMAT = 'Windows 8 File History ESE database file'¶

NAME = 'file_history'¶

ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the namespace table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
cache (Optional[ESEDBCache]) – cache.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}¶

class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData[source]¶

Bases: plaso.containers.events.EventData

File history namespace table event data.

file_attribute¶

file attribute.

Type: int

identifier¶

identifier.

Type: str

original_filename¶

original file name.

Type: str

parent_identifier¶

parent identifier.

Type: str

usn_number¶

USN number.

Type: int

DATA_TYPE = 'file_history:namespace:event'¶

plaso.parsers.esedb_plugins.interface module¶

This file contains the interface for ESE database plugins.

class plaso.parsers.esedb_plugins.interface.ESEDBPlugin[source]¶

Bases: plaso.parsers.plugins.BasePlugin, plaso.lib.dtfabric_helper.DtFabricHelper

The ESE database plugin interface.

BINARY_DATA_COLUMN_TYPES = frozenset({pyesedb.column_types.LARGE_BINARY_DATA, pyesedb.column_types.BINARY_DATA})¶

CheckRequiredTables(database)[source]¶

Check if the database has the minimal structure required by the plugin.

Parameters

database (ESEDatabase) – ESE database to check.

Returns

True if the database has the minimum tables defined by the plugin,: or False if it does not or no required tables are defined. The database can have more tables than specified by the plugin and still return True.

Return type

bool

DATA_FORMAT = 'ESE database file'¶

FLOATING_POINT_COLUMN_TYPES = frozenset({pyesedb.column_types.DOUBLE_64BIT, pyesedb.column_types.FLOAT_32BIT})¶

INTEGER_COLUMN_TYPES = frozenset({pyesedb.column_types.INTEGER_32BIT_UNSIGNED, pyesedb.column_types.DATE_TIME, pyesedb.column_types.INTEGER_16BIT_UNSIGNED, pyesedb.column_types.INTEGER_64BIT_SIGNED, pyesedb.column_types.INTEGER_8BIT_UNSIGNED, pyesedb.column_types.INTEGER_32BIT_SIGNED, pyesedb.column_types.CURRENCY, pyesedb.column_types.INTEGER_16BIT_SIGNED})¶

NAME = 'esedb_plugin'¶

OPTIONAL_TABLES = {}¶

Process(parser_mediator, cache=None, database=None, **kwargs)[source]¶

Extracts events from an ESE database.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
cache (Optional[ESEDBCache]) – cache.
database (Optional[ESEDatabase]) – ESE database.

Raises

ValueError – If the database argument is not valid.

REQUIRED_TABLES = {}¶

STRING_COLUMN_TYPES = frozenset({pyesedb.column_types.TEXT, pyesedb.column_types.LARGE_TEXT})¶

plaso.parsers.esedb_plugins.msie_webcache module¶

Parser for the Microsoft Internet Explorer WebCache ESE database.

The WebCache database (WebCacheV01.dat or WebCacheV24.dat) are used by MSIE as of version 10.

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Container table event data.

access_count¶

access count.

Type: int

cached_filename¶

name of the cached file.

Type: str

cached_file_size¶

size of the cached file.

Type: int

cache_identifier¶

cache identifier.

Type: int

container_identifier¶

container identifier.

Type: int

entry_identifier¶

entry identifier.

Type: int

file_extension¶

file extension.

Type: str

redirect_url¶

URL from which the request was redirected.

Type: str

request_headers¶

request headers.

Type: str

response_headers¶

response headers.

Type: str

sync_count¶

sync count.

Type: int

url¶

URL.

Type: str

DATA_TYPE = 'msie:webcache:container'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Containers table event data.

container_identifier¶

container identifier.

Type: int

directory¶

name of the cache directory.

Type: str

name¶

name of the cache container.

Type: str

set_identifier¶

set identifier.

Type: int

DATA_TYPE = 'msie:webcache:containers'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a MSIE WebCache ESE database file.

DATA_FORMAT = 'Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file'¶

NAME = 'msie_webcache'¶

OPTIONAL_TABLES = {'Partitions': 'ParsePartitionsTable', 'PartitionsEx': 'ParsePartitionsTable'}¶

ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses a Containers table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses a LeakFiles table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses a Partitions or PartitionsEx table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

Raises

ValueError – if the database or table value is missing.

REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable'}¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache LeakFiles event data.

cached_filename¶

name of the cached file.

Type: str

leak_identifier¶

leak identifier.

Type: int

DATA_TYPE = 'msie:webcache:leak_file'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Partitions table event data.

directory¶

directory.

Type: str

partition_identifier¶

partition identifier.

Type: int

partition_type¶

partition type.

Type: int

table_identifier¶

table identifier.

Type: int

DATA_TYPE = 'msie:webcache:partitions'¶

plaso.parsers.esedb_plugins.srum module¶

Parser for the System Resource Usage Monitor (SRUM) ESE database.

For more information about the database format see: https://github.com/libyal/esedb-kb/blob/main/documentation/

System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc

class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM application resource usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶

application.

Type: str

background_bytes_read¶

background number of bytes read.

Type: int

background_bytes_written¶

background number of bytes written.

Type: int

background_context_switches¶

number of background context switches.

Type: int

background_cycle_time¶

background cycle time.

Type: int

background_number_for_flushes¶

background number of flushes.

Type: int

background_number_for_read_operations¶

background number of read operations.

Type: int

background_number_for_write_operations¶

background number of write operations.

Type: int

face_time¶

face time.

Type: int

foreground_bytes_read¶

foreground number of bytes read.

Type: int

foreground_bytes_written¶

foreground number of bytes written.

Type: int

foreground_context_switches¶

number of foreground context switches.

Type: int

foreground_cycle_time¶

foreground cycle time.

Type: int

foreground_number_for_flushes¶

foreground number of flushes.

Type: int

foreground_number_for_read_operations¶

foreground number of read operations.

Type: int

foreground_number_for_write_operations¶

foreground number of write operations.

Type: int

identifier¶

record identifier.

Type: int

user_identifier¶

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:application_usage'¶

class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM network connectivity usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶

application.

Type: str

identifier¶

record identifier.

Type: int

interface_luid¶

interface locally unique identifier (LUID).

Type: int

l2_profile_flags¶

L2 profile flags.

Type: int

l2_profile_identifier¶

L2 profile identifier.

Type: int

user_identifier¶

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:network_connectivity'¶

class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM network data usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶

application.

Type: str

bytes_received¶

number of bytes received.

Type: int

bytes_sent¶

number of bytes sent.

Type: int

identifier¶

record identifier.

Type: int

interface_luid¶

interface locally unique identifier (LUID).

Type: int

l2_profile_flags¶

L2 profile flags.

Type: int

l2_profile_identifier¶

L2 profile identifier.

Type: int

user_identifier¶

user identifier, which is a Windows NT security identifier.

Type: str

DATA_TYPE = 'windows:srum:network_usage'¶

class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a System Resource Usage Monitor (SRUM) ESE database file.

DATA_FORMAT = 'System Resource Usage Monitor (SRUM) ESE database file'¶

NAME = 'srum'¶

OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'}¶

ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the application resource usage table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the network connectivity usage monitor table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the network data usage monitor table.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
database (Optional[ESEDatabase]) – ESE database.
table (Optional[pyesedb.table]) – table.

REQUIRED_TABLES = {'SruDbIdMapTable': ''}¶

Module contents¶

Imports for the ESE database parser.