plaso.parsers package

Subpackages

Submodules

plaso.parsers.android_app_usage module

Parser for the Android usage history (usage-history.xml) files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android application usage event data.

component

name of the individual component of the application.

Type

str

last_resume_time

date and time the application was last resumed.

Type

dfdatetime.DateTimeValues

package

name of the Android application.

Type

str

DATA_TYPE = 'android:app_usage'
class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]

Bases: FileObjectParser

Parses the Android usage history (usage-history.xml) file.

DATA_FORMAT = 'Android usage history (usage-history.xml) file'
NAME = 'android_app_usage'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Android usage-history file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.asl module

The Apple System Log (ASL) file parser.

class plaso.parsers.asl.ASLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) event data.

computer_name

name of the host.

Type

str

extra_information

extra fields associated to the event.

Type

str

facility

facility.

Type

str

group_identifier

group identifier (GID).

Type

int

level

level of criticality of the event.

Type

str

message

message of the event.

Type

str

message_identifier

message identifier.

Type

int

process_identifier

process identifier (PID).

Type

int

read_group_identifier

the group identifier that can read this file, where -1 represents all.

Type

int

read_user_identifier

user identifier that can read this file, where -1 represents all.

Type

int

record_position

position of the event record.

Type

int

sender

sender or process that created the event.

Type

str

user_identifier

user identifier (UID).

Type

int

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:asl:entry'
class plaso.parsers.asl.ASLFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) file event data.

creation_time

creation date and time.

Type

dfdatetime.DateTimeValues

format_version

ASL file format version.

Type

int

is_dirty

True if the last log entry offset does not match value in file header and the file is considered dirty.

Type

bool

DATA_TYPE = 'macos:asl:file'
class plaso.parsers.asl.ASLParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Apple System Log (ASL) files.

DATA_FORMAT = 'Apple System Log (ASL) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'asl_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ASL file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.bencode_parser module

Parser for bencoded files.

class plaso.parsers.bencode_parser.BencodeFile[source]

Bases: object

Bencode file.

Close()[source]

Closes the file.

GetValues()[source]

Retrieves the values in the root of the bencode file.

Returns

values.

Return type

BencodeValues

IsEmpty()[source]

Determines if the bencode file has no values (is empty).

Returns

True if the bencode file is empty, False otherwise.

Return type

bool

Open(file_object)[source]

Opens a bencode file.

Parameters

file_object (dfvfs.FileIO) – file-like object.

Raises
  • IOError – if the file-like object cannot be read.

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

property keys

names of all the keys.

Type

set[str]

class plaso.parsers.bencode_parser.BencodeParser[source]

Bases: FileObjectParser

Parser for bencoded files.

DATA_FORMAT = 'Bencoded file'
NAME = 'bencode'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bencoded file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.bencode_parser.BencodeValues(decoded_values)[source]

Bases: object

Bencode values.

GetDateTimeValue(name)[source]

Retrieves a date and time value.

Parameters

name (str) – name of the value.

Returns

date and time or None if not available.

Return type

dfdatetime.PosixTime

GetDecodedValue(name)[source]

Retrieves a decoded value.

Parameters

name (str) – name of the value.

Returns

decoded value or None if not available.

Return type

object

GetValues()[source]

Retrieves the values.

Yields

tuple[str, object] – name and decoded value.

plaso.parsers.bodyfile module

Parser for the Sleuthkit (TSK) bodyfile format.

Sleuthkit version 3 format:

MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0

More information about the format specifications can be read here:

https://forensics.wiki/bodyfile
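The version 3 line layout above, read by a small stand-alone parser. This is an added example, not plaso's own code; it reuses the BodyfileEventData attribute names where the page gives them. Its assumptions: extra "|" characters belong to the name, a "0" MD5 or timestamp means "not set", " -> " in a symlink name separates the link target (stored under the example's own key symbolic_link_target), and line numbers are 1-based.

```python
from datetime import datetime, timezone

# Constructed sample: the first line is the one quoted on this page; the rest
# are made up to exercise edge cases (pipe in name, symlink, NTFS-style inode,
# truncated line).
SAMPLE = """\
0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0
d41d8cd98f00b204e9800998ecf8427e|/tmp/a|b.txt|42|r/rrw-r--r--|1000|1000|0|1337961400|1337961400|1337961400|0
0|/etc/localtime -> /usr/share/zoneinfo/UTC|77|l/lrwxrwxrwx|0|0|23|1337961350|1337961350|1337961350|0
0|/Windows/notepad.exe|1234-128-3|r/rrwxrwxrwx|0|0|193536|1337961350|1337961350|1337961350|1337000000
0|/truncated|99
"""


def _timestamp(value):
    """POSIX seconds -> aware UTC datetime; 0 is treated as not set (assumption)."""
    seconds = int(value)
    if seconds <= 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_bodyfile_line(line, offset=0):
    """Parses one bodyfile line into a dict; raises ValueError if malformed."""
    values = line.rstrip("\r\n").split("|")
    if len(values) < 11:
        raise ValueError(
            f"line {offset}: expected at least 11 fields, got {len(values)}")

    # The last 9 fields are fixed; anything between the MD5 and those fields
    # is the name, so a '|' inside a file name does not shift the columns.
    md5 = values[0]
    name = "|".join(values[1:-9])
    inode, mode, uid, gid, size, atime, mtime, ctime, crtime = values[-9:]

    target = None
    if mode.startswith("l/") and " -> " in name:
        name, target = name.split(" -> ", 1)

    try:
        return {
            "offset": offset,
            "md5": None if md5 == "0" else md5.lower(),
            "filename": name,
            "symbolic_link_target": target,
            # NTFS entries look like "1234-128-3"; keep the MFT entry index.
            "inode": int(inode.split("-", 1)[0]),
            "mode_as_string": mode,
            "owner_identifier": uid,  # kept as str: may be a UID or a SID
            "group_identifier": int(gid),
            "size": int(size),
            "access_time": _timestamp(atime),
            "modification_time": _timestamp(mtime),
            "change_time": _timestamp(ctime),
            "creation_time": _timestamp(crtime),
        }
    except ValueError as exception:
        raise ValueError(f"line {offset}: {exception}") from exception


def parse_bodyfile(text):
    """Returns (entries, errors); a bad line is reported, not fatal."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_bodyfile_line(line, number))
        except ValueError as exception:
            errors.append(str(exception))
    return entries, errors


if __name__ == "__main__":
    parsed, problems = parse_bodyfile(SAMPLE)
    for entry in parsed:
        print(entry["offset"], entry["filename"], entry["modification_time"])
    for problem in problems:
        print("skipped:", problem)
```

Collecting malformed lines instead of aborting keeps one damaged record from dropping the rest of a timeline.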

class plaso.parsers.bodyfile.BodyfileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Bodyfile event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

filename

name of the file.

Type

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type

int

inode

“inode” of the file. Note that inode is an overloaded term in the context of a bodyfile and used for MFT entry index values as well.

Type

int

md5

MD5 hash of the file content, formatted as a hexadecimal string.

Type

str

mode_as_string

protection mode.

Type

str

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

offset

number of the corresponding line, from which the event data was extracted.

Type

int

owner_identifier

user identifier (UID or SID) of the owner.

Type

str

size

size of the file content.

Type

int

path of the symbolic link target.

Type

str

DATA_TYPE = 'fs:bodyfile:entry'
class plaso.parsers.bodyfile.BodyfileParser[source]

Bases: FileObjectParser

SleuthKit bodyfile parser.

DATA_FORMAT = 'SleuthKit version 3 bodyfile'
NAME = 'bodyfile'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bodyfile file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.bsm module

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Basic Security Module (BSM) audit event data.

event_type

identifier that represents the type of the event.

Type

int

extra_tokens

event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

Type

list[dict[str, dict[str, str]]]

offset

offset of the BSM record relative to the start of the file, from which the event data was extracted.

Type

int

record_length

record length in bytes (trailer number).

Type

int

return_value

processed return value and exit status.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'bsm:entry'
class plaso.parsers.bsm.BSMParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Basic Security Module (BSM) event auditing files.

DATA_FORMAT = 'Basic Security Module (BSM) event auditing file'
NAME = 'bsm_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses a BSM file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.chrome_cache module

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]

Bases: object

Chrome cache address.

block_number

block data file number.

Type

int

block_offset

offset within the block data file.

Type

int

block_size

block size.

Type

int

filename

name of the block data file.

Type

str

value

cache address.

Type

int

FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_4096 = 4
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_SEPARATE = 0
class plaso.parsers.chrome_cache.CacheEntry[source]

Bases: object

Chrome cache entry.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type

int

hash

super fast hash of the key.

Type

int

key

key.

Type

bytes

next

cache address of the next cache entry.

Type

int

original_url

original URL derived from the key.

Type

str

rankings_node

cache address of the rankings node.

Type

int

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]

Parses a cache entry.

Parameters
  • file_object (dfvfs.FileIO) – a file-like object to read from.

  • block_offset (int) – block offset of the cache entry.

Returns

cache entry.

Return type

CacheEntry

Raises

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Cache event data.

creation_time

creation date and time of the cache entry.

Type

dfdatetime.DateTimeValues

original_url

original URL.

Type

str

DATA_TYPE = 'chrome:cache:entry'
class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache index file parser.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type

int

index_table

the cache addresses which are stored in the index file.

Type

list[CacheAddress]

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]

Bases: FileEntryParser

Parses Chrome Cache files.

DATA_FORMAT = 'Google Chrome or Chromium Cache file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'chrome_cache'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses Chrome Cache files.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – file entry.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.chrome_preferences module

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome content settings exceptions event data.

last_visited_time

date and time the URL was last visited.

Type

dfdatetime.DateTimeValues

permission

permission.

Type

str

primary_url

primary URL.

Type

str

secondary_url

secondary URL.

Type

str

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome extension event data.

extension_identifier

extension identifier.

Type

str

extension_name

extension name.

Type

str

installation_time

date and time the Chrome extension was installed.

Type

dfdatetime.DateTimeValues

path

path.

Type

str

DATA_TYPE = 'chrome:preferences:extension_installation'
class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Extension Autoupdater event data.

message

message.

Type

str

recorded_time

date and time the entry was recorded.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]

Bases: FileObjectParser

Parses Chrome Preferences files.

DATA_FORMAT = 'Google Chrome Preferences file'
NAME = 'chrome_preferences'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Chrome preferences file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})

plaso.parsers.cups_ipp module

The CUPS IPP files parser.

CUPS IPP version 1.0:
  • https://datatracker.ietf.org/doc/html/rfc2565

  • https://datatracker.ietf.org/doc/html/rfc2566

  • https://datatracker.ietf.org/doc/html/rfc2567

  • https://datatracker.ietf.org/doc/html/rfc2568

  • https://datatracker.ietf.org/doc/html/rfc2569

  • https://datatracker.ietf.org/doc/html/rfc2639

CUPS IPP version 1.1:
  • https://datatracker.ietf.org/doc/html/rfc2910

  • https://datatracker.ietf.org/doc/html/rfc2911

  • https://datatracker.ietf.org/doc/html/rfc3196

  • https://datatracker.ietf.org/doc/html/rfc3510

CUPS IPP version 2.0:
  • N/A

class plaso.parsers.cups_ipp.CupsIppEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

CUPS IPP event data.

application

application that prints the document.

Type

str

computer_name

name of the computer.

Type

str

copies

number of copies.

Type

int

creation_time

date and time the print job was created (added).

Type

dfdatetime.DateTimeValues

doc_type

type of document.

Type

str

end_time

date and time the print job was stopped.

Type

dfdatetime.DateTimeValues

job_id

job identifier.

Type

str

job_name

job name.

Type

str

owner

real name of the user.

Type

str

printer_id

identification name of the print.

Type

str

start_time

date and time the print job was started.

Type

dfdatetime.DateTimeValues

uri

URL of the CUPS service.

Type

str

user

system user name.

Type

str

DATA_TYPE = 'cups:ipp:event'
class plaso.parsers.cups_ipp.CupsIppParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for CUPS IPP files.

DATA_FORMAT = 'CUPS IPP file'
NAME = 'cups_ipp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a CUPS IPP file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.custom_destinations module

Parser for custom destinations jump list (.customDestinations-ms) files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses custom destinations jump list (.customDestinations-ms) files.

DATA_FORMAT = 'Custom destinations jump list (.customDestinations-ms) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'custom_destinations'
ParseFileObject(parser_mediator, file_object)[source]

Parses a .customDestinations-ms file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.czip module

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser[source]

Bases: FileObjectParser

Shared functionality for parsing compound ZIP files.

Compound ZIP files are ZIP files used as containers to create another file format, as opposed to archives of unrelated files.

DATA_FORMAT = 'Compound ZIP file'
NAME = 'czip'
ParseFileObject(parser_mediator, file_object)[source]

Parses a compound ZIP file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.dsv_parser module

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser[source]

Bases: FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []
DELIMITER = ','
ESCAPE_CHARACTER = ''
FIELD_SIZE_LIMIT = 131072
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NUMBER_OF_HEADER_LINES = 0
ParseFileObject(parser_mediator, file_object)[source]

Parses a DSV text file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

abstract ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = '"'
abstract VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.esedb module

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]

Bases: BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]

Store a dict object in cache.

Parameters
  • attribute_name (str) – name of the attribute.

  • dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser[source]

Bases: FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DATA_FORMAT = 'Extensible Storage Engine (ESE) Database File (EDB) format'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'esedb'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ESE database file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.esedb.ESEDatabase[source]

Bases: object

Extensible Storage Engine (ESE) database.

Close()[source]

Closes the database.

GetTableByName(name)[source]

Retrieves a table by its name.

Parameters

name (str) – name of the table.

Returns

the table with the corresponding name or None if there is no table with the name.

Return type

pyesedb.table

Open(file_object)[source]

Opens an Extensible Storage Engine (ESE) database file.

Parameters

file_object (dfvfs.FileIO) – file-like object.

Raises
  • IOError – if the file-like object cannot be read.

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

property tables

names of all the tables.

Type

list[str]

plaso.parsers.filestat module

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

File system stat event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

added_time

file entry added date and time.

Type

dfdatetime.DateTimeValues

attribute_names

extended attribute names.

Type

[str]

backup_time

file entry backup date and time.

Type

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

deletion_time

file entry deletion date and time.

Type

dfdatetime.DateTimeValues

display_name

display name.

Type

str

file_entry_type

dfVFS file entry type.

Type

int

file_size

file size in bytes.

Type

int

file_system_type

file system type.

Type

str

filename

name of the file.

Type

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type

int

inode

inode of the file.

Type

int

is_allocated

True if the file is allocated.

Type

bool

mode

access mode, equivalent to st_mode & 0x0fff.

Type

int

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

number of hard links, equivalent to st_nlink.

Type

int

owner_identifier

user identifier (UID) of the owner, equivalent to st_uid.

Type

int

DATA_TYPE = 'fs:stat'
class plaso.parsers.filestat.FileStatParser[source]

Bases: FileEntryParser

Parses file system stat object.

DATA_FORMAT = 'file system stat information'
NAME = 'filestat'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]

Bases: FileObjectParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 2 files (Firefox 32 or later).

DATA_FORMAT = 'Mozilla Firefox Cache version 2 file (version 32 or later)'
NAME = 'firefox_cache2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox cache event data.

data_size

size of the cached data.

Type

int

expiration_time

date and time the cache entry expires.

Type

dfdatetime.DateTimeValues

fetch_count

number of times the cache entry was fetched.

Type

int

frequency

???

Type

int

info_size

size of the metadata.

Type

int

last_fetched_time

date and time the cache entry was last fetched.

Type

dfdatetime.DateTimeValues

last_modified_time

date and time the cache entry was last modified.

Type

dfdatetime.DateTimeValues

location

???

Type

str

request_method

HTTP request method.

Type

str

request_size

HTTP request byte size.

Type

int

response_code

HTTP response code.

Type

int

url

URL of original content.

Type

str

version

cache format version.

Type

str

DATA_TYPE = 'firefox:cache:record'
class plaso.parsers.firefox_cache.FirefoxCacheParser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DATA_FORMAT = 'Mozilla Firefox Cache version 1 file (version 31 or earlier)'
FIREFOX_CACHE_CONFIG

alias of firefox_cache_config

NAME = 'firefox_cache'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.fish_history module

Parser for fish history files.

class plaso.parsers.fish_history.FishHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Fish history log event data.

command

command that was executed.

Type

str

written_time

date and time the entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'fish:history:entry'
class plaso.parsers.fish_history.FishHistoryParser[source]

Bases: FileObjectParser

Parses events from Fish history files.

DATA_FORMAT = 'Fish history file'
NAME = 'fish_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses a fish history file from a file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.fseventsd module

Parsers for MacOS fseventsd files.

Also see:

https://github.com/libyal/dtformats/blob/main/documentation/MacOS%20File%20System%20Events%20Disk%20Log%20Stream%20format.asciidoc

class plaso.parsers.fseventsd.FseventsdEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS file system event (fseventsd) event data.

event_identifier

the record event identifier.

Type

int

file_entry_modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

flags

flags stored in the record.

Type

int

node_identifier

file system node identifier related to the file system event.

Type

int

path

path recorded in the fseventsd record.

Type

str

DATA_TYPE = 'macos:fseventsd:record'
class plaso.parsers.fseventsd.FseventsdParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files.

DATA_FORMAT = 'MacOS File System Events Disk Log Stream (fseventsd) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'fseventsd'
ParseFileObject(parser_mediator, file_object)[source]

Parses an fseventsd file.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the header cannot be parsed.

plaso.parsers.interface module

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]

Bases: object

File entry filter interface.

abstract Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters

file_entry (dfvfs.FileEntry) – a file entry.

Returns

True if the file entry matches the filter.

Return type

bool

class plaso.parsers.interface.BaseParser[source]

Bases: object

The parser interface.

ALL_PLUGINS = {'*'}
DATA_FORMAT = ''
classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters

plugin_class (type) – class of the plugin.

Raises

KeyError – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters

plugin_includes (set[str]) – names of the plugins to enable, where set(['*']) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset({})
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

a format specification or None if not available.

Return type

FormatSpecification

classmethod GetPluginNames()[source]

Retrieves the names of registered plugins.

Returns

names of the plugins.

Return type

list[str]

classmethod GetPluginObjectByName