plaso.parsers package

Subpackages

Submodules

plaso.parsers.android_app_usage module

Parser for the Android usage history (usage-history.xml) files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android application usage event data.

component

name of the individual component of the application.

Type

str

last_resume_time

date and time the application was last resumed.

Type

dfdatetime.DateTimeValues

package

name of the Android application.

Type

str

DATA_TYPE = 'android:app_usage'
class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]

Bases: FileObjectParser

Parses the Android usage history (usage-history.xml) file.

DATA_FORMAT = 'Android usage history (usage-history.xml) file'
NAME = 'android_app_usage'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Android usage-history file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.
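Added example, not plaso's AndroidAppUsageParser: a stand-alone parser for the usage-history.xml layout this module handles, producing the same three fields (package, component, last resume time). It assumes the legacy file's element and attribute names (usage-history, pkg, comp, name, lrt) and that lrt is the last resume time in milliseconds since the POSIX epoch; none of that is stated on the page, and the sample file is constructed. A DTD is refused before parsing because evidence files are untrusted input and this format never carries one.

```python
"""Parse a legacy Android usage-history.xml file (added example)."""
import datetime
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names (usage-history, pkg, comp,
# name, lrt) and the meaning of lrt (last resume time, milliseconds since the
# POSIX epoch) are assumptions about the legacy format.
SAMPLE_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<usage-history version="1">
  <pkg name="com.example.mail">
    <comp name="com.example.mail.MainActivity" lrt="1467375530000" />
    <comp name="com.example.mail.ComposeActivity" lrt="1467375590123" />
  </pkg>
  <pkg name="com.example.notes">
    <comp name="com.example.notes.NoteActivity" lrt="bogus" />
  </pkg>
</usage-history>
"""

MAX_FILE_SIZE = 16 * 1024 * 1024   # sanity bound (assumption); real files are far smaller
POSIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def _milliseconds_to_datetime(text):
    """lrt attribute -> aware UTC datetime, or None if missing or not a non-negative integer."""
    try:
        milliseconds = int(text)
    except (TypeError, ValueError):
        return None
    if milliseconds < 0:
        return None
    return POSIX_EPOCH + datetime.timedelta(milliseconds=milliseconds)


def parse_usage_history(data):
    """Returns a list of (package, component, last_resume_time) tuples.

    Components with an unusable lrt are still returned (with None) so a
    corrupted attribute cannot silently hide an application.
    """
    if len(data) > MAX_FILE_SIZE:
        raise ValueError('usage-history.xml is larger than expected')
    # The stock ElementTree parser does not fetch external entities, but a
    # DOCTYPE has no business in this file; refusing it also rules out
    # internal entity expansion. defusedxml is the fuller answer.
    if b'<!DOCTYPE' in data or b'<!ENTITY' in data:
        raise ValueError('refusing usage-history.xml that declares a DTD')
    root = ET.fromstring(data)
    if root.tag != 'usage-history':
        raise ValueError('not a usage-history file, root element is %r' % root.tag)
    records = []
    for package_node in root.iter('pkg'):
        package = package_node.get('name')
        for component_node in package_node.iter('comp'):
            records.append((package, component_node.get('name'),
                            _milliseconds_to_datetime(component_node.get('lrt'))))
    return records


if __name__ == '__main__':
    for package, component, last_resume_time in parse_usage_history(SAMPLE_XML):
        print(last_resume_time, package, component)
```

The last resume time is returned as an aware UTC datetime; keep it that way until output so timezone conversion happens once, at presentation.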

plaso.parsers.asl module

The Apple System Log (ASL) file parser.

class plaso.parsers.asl.ASLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) event data.

computer_name

name of the host.

Type

str

extra_information

extra fields associated to the event.

Type

str

facility

facility.

Type

str

group_identifier

group identifier (GID).

Type

int

level

level of criticality of the event.

Type

str

message

message of the event.

Type

str

message_identifier

message identifier.

Type

int

process_identifier

process identifier (PID).

Type

int

read_group_identifier

the group identifier that can read this file, where -1 represents all.

Type

int

read_user_identifier

user identifier that can read this file, where -1 represents all.

Type

int

record_position

position of the event record.

Type

int

sender

sender or process that created the event.

Type

str

user_identifier

user identifier (UID).

Type

int

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:asl:entry'
class plaso.parsers.asl.ASLFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) file event data.

creation_time

creation date and time.

Type

dfdatetime.DateTimeValues

format_version

ASL file format version.

Type

int

is_dirty

True if the last log entry offset does not match value in file header and the file is considered dirty.

Type

bool

DATA_TYPE = 'macos:asl:file'
class plaso.parsers.asl.ASLParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Apple System Log (ASL) files.

DATA_FORMAT = 'Apple System Log (ASL) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'asl_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ASL file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.bencode_parser module

Parser for bencoded files.

class plaso.parsers.bencode_parser.BencodeFile[source]

Bases: object

Bencode file.

Close()[source]

Closes the file.

GetValues()[source]

Retrieves the values in the root of the bencode file.

Returns

values.

Return type

BencodeValues

IsEmpty()[source]

Determines if the bencode file has no values (is empty).

Returns

True if the bencode file is empty, False otherwise.

Return type

bool

Open(file_object)[source]

Opens a bencode file.

Parameters

file_object (dfvfs.FileIO) – file-like object.

Raises
  • IOError – if the file-like object cannot be read.

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

property keys

names of all the keys.

Type

set[str]

class plaso.parsers.bencode_parser.BencodeParser[source]

Bases: FileObjectParser

Parser for bencoded files.

DATA_FORMAT = 'Bencoded file'
NAME = 'bencode'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bencoded file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.bencode_parser.BencodeValues(decoded_values)[source]

Bases: object

Bencode values.

GetDateTimeValue(name)[source]

Retrieves a date and time value.

Parameters

name (str) – name of the value.

Returns

date and time or None if not available.

Return type

dfdatetime.PosixTime

GetDecodedValue(name)[source]

Retrieves a decoded value.

Parameters

name (str) – name of the value.

Returns

decoded value or None if not available.

Return type

object

GetValues()[source]

Retrieves the values.

Yields

tuple[str, object] – name and decoded value.
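Added example, not plaso's bencode parser: a small bencode decoder with the checks a decoder for untrusted evidence needs (nesting bound, string length bound, strict integers, duplicate-key rejection, no trailing bytes), plus a get_datetime helper in the spirit of GetDateTimeValue above that turns a POSIX timestamp stored under a key into an aware datetime. The torrent-like sample is constructed; the key names in it (announce, creation date, info) are the usual ones but are assumptions here.

```python
"""Bencode decoder with input hardening (added example)."""
import datetime
import re

MAX_DEPTH = 32                 # nesting bound; unbounded recursion on crafted input ends in RecursionError
MAX_STRING_LENGTH = 1 << 26    # 64 MiB; byte strings beyond this are not expected in torrent-style files
_INTEGER = re.compile(rb'0|-?[1-9][0-9]*')   # bencode forbids leading zeros and -0

# Constructed sample: a minimal torrent-like dictionary.
SAMPLE_TORRENT = (
    b'd8:announce31:http://tracker.example/announce'
    b'13:creation datei1337961350e'
    b'4:infod6:lengthi4096e4:name8:file.bin12:piece lengthi16384eee')


class BencodeError(ValueError):
    """Malformed or over-sized bencoded input."""


def decode(data):
    """Decodes one complete bencoded value; trailing bytes are an error."""
    value, end = _decode(data, 0, 0)
    if end != len(data):
        raise BencodeError('%d trailing bytes after bencoded value' % (len(data) - end))
    return value


def _decode(data, pos, depth):
    if depth > MAX_DEPTH:
        raise BencodeError('nesting deeper than %d' % MAX_DEPTH)
    marker = data[pos:pos + 1]
    if not marker:
        raise BencodeError('unexpected end of data at offset %d' % pos)
    if marker == b'i':
        end = data.find(b'e', pos)
        if end < 0 or not _INTEGER.fullmatch(data[pos + 1:end]):
            raise BencodeError('malformed integer at offset %d' % pos)
        return int(data[pos + 1:end]), end + 1
    if marker == b'l':
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b'e':
            item, pos = _decode(data, pos, depth + 1)
            items.append(item)
        return items, pos + 1
    if marker == b'd':
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b'e':
            key, pos = _decode(data, pos, depth + 1)
            if not isinstance(key, bytes):
                raise BencodeError('dictionary key before offset %d is not a byte string' % pos)
            if key in result:
                raise BencodeError('duplicate dictionary key %r' % key)
            result[key], pos = _decode(data, pos, depth + 1)
        return result, pos + 1
    if marker.isdigit():
        colon = data.find(b':', pos)
        if colon < 0 or not data[pos:colon].isdigit():
            raise BencodeError('malformed string length at offset %d' % pos)
        length = int(data[pos:colon])
        start = colon + 1
        if length > MAX_STRING_LENGTH or start + length > len(data):
            raise BencodeError('string of %d bytes at offset %d runs past the end' % (length, pos))
        return data[start:start + length], start + length
    raise BencodeError('unexpected byte %r at offset %d' % (marker, pos))


def get_datetime(values, name):
    """Like GetDateTimeValue above: the POSIX timestamp stored under name, or None."""
    if isinstance(name, str):
        name = name.encode('utf-8')
    value = values.get(name)
    if not isinstance(value, int) or value < 0:
        return None
    return datetime.datetime.fromtimestamp(value, tz=datetime.timezone.utc)


if __name__ == '__main__':
    values = decode(SAMPLE_TORRENT)
    print(values[b'info'][b'name'], get_datetime(values, 'creation date'))
```

Unsorted dictionary keys are accepted on purpose: the specification requires sorted keys, but files written by real clients do not always comply, and a forensic decoder should not discard evidence over that; duplicate keys, which make the content ambiguous, are rejected.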

plaso.parsers.bodyfile module

Parser for the Sleuthkit (TSK) bodyfile format.

Sleuthkit version 3 format:

MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0

More information about the format specifications can be read here:

https://forensics.wiki/bodyfile
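Added example, not plaso's BodyfileParser: a stand-alone parser for the version 3 line format described above, producing the fields listed for BodyfileEventData. It treats a timestamp of 0 as "not set", an MD5 of 0 as "no hash computed", keeps the MFT reference that fls writes into the inode field on NTFS, and folds surplus fields back into the file name because fls does not escape a '|' in names. The sample lines are constructed (the first is the page's own example).

```python
"""Parser for SleuthKit version 3 bodyfile lines (added example)."""
import datetime

# Field order of the version 3 format given in the module description.
FIELDS = ('md5', 'filename', 'inode', 'mode_as_string', 'uid', 'gid', 'size',
          'atime', 'mtime', 'ctime', 'crtime')
TIMESTAMP_FIELDS = ('atime', 'mtime', 'ctime', 'crtime')

# Constructed sample: the page's lost+found line, an NTFS entry whose inode
# field is an MFT reference, a malformed line, and a name containing '|'.
SAMPLE_BODYFILE = """\
0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0
d41d8cd98f00b204e9800998ecf8427e|/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|345088|1337961350|1330000000|1330000000|1329999000
this line has the wrong number of fields
0|/tmp/odd|name|42|r/rrw-r--r--|1000|1000|5|1337961350|1337961350|1337961350|0
"""


class BodyfileError(ValueError):
    """A line that does not follow the version 3 layout."""


def _to_datetime(text):
    """POSIX seconds as text -> aware UTC datetime; bodyfiles write 0 for "not set"."""
    seconds = int(text)
    if seconds == 0:
        return None
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def parse_bodyfile_line(line):
    """Parses one line into a dict keyed by FIELDS (plus mft_reference)."""
    parts = line.rstrip('\r\n').split('|')
    if len(parts) < len(FIELDS):
        raise BodyfileError('expected %d fields, got %d' % (len(FIELDS), len(parts)))
    if len(parts) > len(FIELDS):
        # fls does not escape '|' in file names; everything between the MD5
        # and the last nine fields is the name.
        parts = [parts[0], '|'.join(parts[1:-9])] + parts[-9:]
    entry = dict(zip(FIELDS, parts))
    # fls writes 0 when no hash was computed.
    entry['md5'] = None if entry['md5'] == '0' else entry['md5'].lower()
    # inode is overloaded: on NTFS the field is an MFT reference such as
    # 1234-128-1 (entry number, attribute type, attribute identifier).
    entry['mft_reference'] = entry['inode'] if '-' in entry['inode'] else None
    entry['inode'] = int(entry['inode'].split('-', 1)[0])
    for name in ('uid', 'gid', 'size'):
        entry[name] = int(entry[name])
    for name in TIMESTAMP_FIELDS:
        entry[name] = _to_datetime(entry[name])
    return entry


def parse_bodyfile(text):
    """Parses every line; returns (entries, errors).

    Each entry carries its 1-based line number as 'offset' so a finding can
    be traced back to the line it came from. Bad lines are collected in
    errors as (line number, message) instead of aborting the whole file.
    """
    entries, errors = [], []
    for line_number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = parse_bodyfile_line(line)
        except ValueError as exception:
            errors.append((line_number, str(exception)))
            continue
        entry['offset'] = line_number
        entries.append(entry)
    return entries, errors


if __name__ == '__main__':
    entries, errors = parse_bodyfile(SAMPLE_BODYFILE)
    for entry in entries:
        print(entry['offset'], entry['filename'], entry['inode'], entry['mtime'])
    print('errors:', errors)
```

Note that a bodyfile records what fls saw, so an mtime of 0 or a crtime older than the file system's creation is evidence about the source, not a parser problem; report it rather than "fixing" it.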

class plaso.parsers.bodyfile.BodyfileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Bodyfile event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

filename

name of the file.

Type

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type

int

inode

“inode” of the file. Note that inode is an overloaded term in the context of a bodyfile and used for MFT entry index values as well.

Type

int

md5

MD5 hash of the file content, formatted as a hexadecimal string.

Type

str

mode_as_string

protection mode.

Type

str

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

offset

number of the corresponding line, from which the event data was extracted.

Type

int

owner_identifier

user identifier (UID or SID) of the owner.

Type

str

size

size of the file content.

Type

int

path of the symbolic link target.

Type

str

DATA_TYPE = 'fs:bodyfile:entry'
class plaso.parsers.bodyfile.BodyfileParser[source]

Bases: FileObjectParser

SleuthKit bodyfile parser.

DATA_FORMAT = 'SleuthKit version 3 bodyfile'
NAME = 'bodyfile'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bodyfile file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.bsm module

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Basic Security Module (BSM) audit event data.

event_type

identifier that represents the type of the event.

Type

int

extra_tokens

event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

Type

list[dict[str, dict[str, str]]]

offset

offset of the BSM record relative to the start of the file, from which the event data was extracted.

Type

int

record_length

record length in bytes (trailer number).

Type

int

return_value

processed return value and exit status.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'bsm:entry'
class plaso.parsers.bsm.BSMParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Basic Security Module (BSM) event auditing files.

DATA_FORMAT = 'Basic Security Module (BSM) event auditing file'
NAME = 'bsm_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses a BSM file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.chrome_cache module

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]

Bases: object

Chrome cache address.

block_number

block data file number.

Type

int

block_offset

offset within the block data file.

Type

int

block_size

block size.

Type

int

filename

name of the block data file.

Type

str

value

cache address.

Type

int

FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_4096 = 4
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_SEPARATE = 0
class plaso.parsers.chrome_cache.CacheEntry[source]

Bases: object

Chrome cache entry.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type

int

hash

super fast hash of the key.

Type

int

key

key.

Type

bytes

next

cache address of the next cache entry.

Type

int

original_url

original URL derived from the key.

Type

str

rankings_node

cache address of the rankings node.

Type

int
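Added example, not plaso's chrome_cache code: decoding a 32-bit cache address into the fields named above (filename, block_number, block_offset, block_size) and converting the creation_time of a cache entry from microseconds since 1601 into a datetime. The bit layout is taken from Chromium's net/disk_cache/blockfile/addr.h and is an assumption not stated on the page, as are the 8 KiB block file header and the 36-byte rankings block; block_size here includes the "number of blocks minus one" encoding, so a single block decodes to one unit. read_block and the fake block file are constructed for illustration.

```python
"""Decode Chrome disk cache addresses and WebKit timestamps (added example)."""
import datetime
import io

# Bit layout of a 32-bit cache address (Chromium net/disk_cache/blockfile/addr.h;
# an assumption here, not stated on the page):
#   bit 31       initialized flag; an all-zero address is a null reference
#   bits 28-30   file type (constants below)
#   block files  bits 24-25: number of blocks minus one
#                bits 16-23: block file number (data_N)
#                bits 0-15:  index of the first block
#   separate     bits 0-27:  file number (f_XXXXXX)
FILE_TYPE_SEPARATE = 0
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_4096 = 4

BLOCK_SIZES = {
    FILE_TYPE_BLOCK_RANKINGS: 36,
    FILE_TYPE_BLOCK_256: 256,
    FILE_TYPE_BLOCK_1024: 1024,
    FILE_TYPE_BLOCK_4096: 4096,
}
BLOCK_FILE_HEADER_SIZE = 8192   # each data_N file starts with an 8 KiB header (assumption)


class CacheAddress:
    """Same attribute names as the CacheAddress above, plus is_initialized and file_type."""

    def __init__(self, value):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError('cache address must fit in 32 bits')
        self.value = value
        self.is_initialized = bool(value & 0x80000000)
        self.file_type = (value & 0x70000000) >> 28
        self.filename = None
        self.block_number = None
        self.block_offset = None
        self.block_size = None
        if not self.is_initialized:
            return
        if self.file_type == FILE_TYPE_SEPARATE:
            self.filename = 'f_{0:06x}'.format(value & 0x0FFFFFFF)
        elif self.file_type in BLOCK_SIZES:
            unit = BLOCK_SIZES[self.file_type]
            self.filename = 'data_{0:d}'.format((value & 0x00FF0000) >> 16)
            self.block_number = value & 0x0000FFFF
            self.block_size = (((value & 0x03000000) >> 24) + 1) * unit
            self.block_offset = BLOCK_FILE_HEADER_SIZE + self.block_number * unit
        else:
            raise ValueError('unknown file type %d in cache address 0x%08x' % (self.file_type, value))

    def __repr__(self):
        return 'CacheAddress(0x%08x, %s, block=%s, offset=%s, size=%s)' % (
            self.value, self.filename, self.block_number, self.block_offset, self.block_size)


WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def webkit_time_to_datetime(microseconds):
    """creation_time (microseconds since 1601-01-01 00:00:00 UTC) -> aware datetime; 0 means not set."""
    if microseconds <= 0:
        return None
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=microseconds)


def read_block(file_objects, address):
    """Reads the bytes a block-file address points to.

    file_objects maps file names (data_0, data_1, ...) to seekable binary
    file-like objects. A missing file or a short read is an error rather
    than silently truncated data.
    """
    if address.block_offset is None:
        raise ValueError('%r does not point into a block file' % (address,))
    file_object = file_objects.get(address.filename)
    if file_object is None:
        raise FileNotFoundError(address.filename)
    file_object.seek(address.block_offset)
    data = file_object.read(address.block_size)
    if len(data) != address.block_size:
        raise EOFError('short read at %r' % (address,))
    return data


if __name__ == '__main__':
    address = CacheAddress(0xA0010002)   # data_1, one 256-byte block, block index 2
    # Constructed stand-in for data_1: 8 KiB header followed by 256-byte blocks.
    fake_data_1 = io.BytesIO(b'\x00' * BLOCK_FILE_HEADER_SIZE + bytes(range(256)) * 4)
    print(address, read_block({'data_1': fake_data_1}, address)[:8])
    print(webkit_time_to_datetime(12982434950000000))
```

Decode the address before trusting it: a file number, block index or block count outside the files actually present in the cache directory is the usual sign of a corrupted or tampered index, and the parser should report it instead of seeking past the end of a file.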

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]

Parses a cache entry.

Parameters
  • file_object (dfvfs.FileIO) – a file-like object to read from.

  • block_offset (int) – block offset of the cache entry.

Returns

cache entry.

Return type

CacheEntry

Raises

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Cache event data.

creation_time

creation date and time of the cache entry.

Type

dfdatetime.DateTimeValues

original_url

original URL.

Type

str

DATA_TYPE = 'chrome:cache:entry'
class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache index file parser.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type

int

index_table

the cache addresses which are stored in the index file.

Type

list[CacheAddress]

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]

Bases: FileEntryParser

Parses Chrome Cache files.

DATA_FORMAT = 'Google Chrome or Chromium Cache file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'chrome_cache'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses Chrome Cache files.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – file entry.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.chrome_preferences module

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome content settings exceptions event data.

last_visited_time

date and time the URL was last visited.

Type

dfdatetime.DateTimeValues

permission

permission.

Type

str

primary_url

primary URL.

Type

str

secondary_url

secondary URL.

Type

str

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome extension event data.

extension_identifier

extension identifier.

Type

str

extension_name

extension name.

Type

str

installation_time

date and time the Chrome extension was installed.

Type

dfdatetime.DateTimeValues

path

path.

Type

str

DATA_TYPE = 'chrome:preferences:extension_installation'
class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Extension Autoupdater event data.

message

message.

Type

str

recorded_time

date and time the entry was recorded.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]

Bases: FileObjectParser

Parses Chrome Preferences files.

DATA_FORMAT = 'Google Chrome Preferences file'
NAME = 'chrome_preferences'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Chrome preferences file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})

plaso.parsers.cups_ipp module

The CUPS IPP files parser.

CUPS IPP version 1.0:
  • https://datatracker.ietf.org/doc/html/rfc2565
  • https://datatracker.ietf.org/doc/html/rfc2566
  • https://datatracker.ietf.org/doc/html/rfc2567
  • https://datatracker.ietf.org/doc/html/rfc2568
  • https://datatracker.ietf.org/doc/html/rfc2569
  • https://datatracker.ietf.org/doc/html/rfc2639

CUPS IPP version 1.1:
  • https://datatracker.ietf.org/doc/html/rfc2910
  • https://datatracker.ietf.org/doc/html/rfc2911
  • https://datatracker.ietf.org/doc/html/rfc3196
  • https://datatracker.ietf.org/doc/html/rfc3510

CUPS IPP version 2.0:
  • N/A

class plaso.parsers.cups_ipp.CupsIppEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

CUPS IPP event data.

application

application that prints the document.

Type

str

computer_name

name of the computer.

Type

str

copies

number of copies.

Type

int

creation_time

date and time the print job was created (added).

Type

dfdatetime.DateTimeValues

doc_type

type of document.

Type

str

end_time

date and time the print job was stopped.

Type

dfdatetime.DateTimeValues

job_id

job identifier.

Type

str

job_name

job name.

Type

str

owner

real name of the user.

Type

str

printer_id

identification name of the printer.

Type

str

start_time

date and time the print job was started.

Type

dfdatetime.DateTimeValues

uri

URL of the CUPS service.

Type

str

user

system user name.

Type

str

DATA_TYPE = 'cups:ipp:event'
class plaso.parsers.cups_ipp.CupsIppParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for CUPS IPP files.

DATA_FORMAT = 'CUPS IPP file'
NAME = 'cups_ipp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a CUPS IPP file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.custom_destinations module

Parser for custom destinations jump list (.customDestinations-ms) files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses custom destinations jump list (.customDestinations-ms) files.

DATA_FORMAT = 'Custom destinations jump list (.customDestinations-ms) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'custom_destinations'
ParseFileObject(parser_mediator, file_object)[source]

Parses a .customDestinations-ms file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.czip module

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser[source]

Bases: FileObjectParser

Shared functionality for parsing compound ZIP files.

Compound ZIP files are ZIP files used as containers to create another file format, as opposed to archives of unrelated files.

DATA_FORMAT = 'Compound ZIP file'
NAME = 'czip'
ParseFileObject(parser_mediator, file_object)[source]

Parses a compound ZIP file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.dsv_parser module

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser[source]

Bases: FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []
DELIMITER = ','
ESCAPE_CHARACTER = ''
FIELD_SIZE_LIMIT = 131072
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NUMBER_OF_HEADER_LINES = 0
ParseFileObject(parser_mediator, file_object)[source]

Parses a DSV text file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

abstract ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = '"'
abstract VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool
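Added example, not plaso's DSVParser: a stand-alone parser built on the same class constants and the same VerifyRow/ParseRow split, so the flow the interface implies is visible end to end: skip NUMBER_OF_HEADER_LINES, verify the first data row cheaply and bail out with WrongParser if it does not match, then parse the rest, with FIELD_SIZE_LIMIT bounding how much memory one hostile field can claim. The two-column "timestamp,event" format and the log lines are constructed; row_offset here is the 1-based line number of the row rather than plaso's offset.

```python
"""Verify-then-parse for a delimiter separated values log (added example)."""
import csv
import datetime
import io

# Constructed sample in a hypothetical "timestamp,event" export format: one
# header line, one quoted field containing the delimiter, one bad timestamp.
SAMPLE_LOG = """\
# timestamp,event (hypothetical export)
2024-01-05T10:00:00Z,login user=alice
2024-01-05T10:00:07Z,"sudo, as root: id"
not-a-timestamp,garbage
2024-01-05T10:01:00Z,logout user=alice
"""


class WrongParser(Exception):
    """The first data row is not in this parser's format (same role as plaso's WrongParser)."""


class TimestampedDSVParser:
    """Uses the DSVParser class constants and VerifyRow/ParseRow split; not plaso's code."""

    COLUMNS = ('timestamp', 'event')
    DELIMITER = ','
    QUOTE_CHAR = '"'
    ESCAPE_CHARACTER = None     # the csv module wants None, not '', for "no escape character"
    NUMBER_OF_HEADER_LINES = 1
    FIELD_SIZE_LIMIT = 131072

    def __init__(self):
        self.events = []        # (datetime, event text, line number)
        self.warnings = []      # (line number, message)

    @staticmethod
    def _parse_timestamp(text):
        try:
            parsed = datetime.datetime.strptime(text, '%Y-%m-%dT%H:%M:%SZ')
        except (TypeError, ValueError):
            return None
        return parsed.replace(tzinfo=datetime.timezone.utc)

    def VerifyRow(self, row):
        """Cheap structural check on the first data row: column count and a parsable timestamp."""
        if len(row) != len(self.COLUMNS) or None in row.values():
            return False        # surplus fields land under the key None, missing ones as value None
        return self._parse_timestamp(row['timestamp']) is not None

    def ParseRow(self, row_offset, row):
        timestamp = self._parse_timestamp(row['timestamp'])
        if timestamp is None:
            self.warnings.append((row_offset, 'unparsable timestamp %r' % (row['timestamp'],)))
            return
        self.events.append((timestamp, row['event'], row_offset))

    def ParseText(self, text):
        """Skips the header lines, verifies the first data row, then parses the rest.

        Raises WrongParser before any real work if the first row does not fit.
        Returns the list of events; row_offset is the 1-based line number.
        """
        # csv.field_size_limit is process-wide state; bounding it stops one
        # hostile row from forcing a huge allocation.
        csv.field_size_limit(self.FIELD_SIZE_LIMIT)
        stream = io.StringIO(text)
        for _ in range(self.NUMBER_OF_HEADER_LINES):
            stream.readline()
        reader = csv.DictReader(
            stream, fieldnames=self.COLUMNS, delimiter=self.DELIMITER,
            quotechar=self.QUOTE_CHAR, escapechar=self.ESCAPE_CHARACTER)
        try:
            first_row = next(reader, None)
            if first_row is None or not self.VerifyRow(first_row):
                raise WrongParser('first data row does not match columns %s' % (self.COLUMNS,))
            self.ParseRow(reader.line_num + self.NUMBER_OF_HEADER_LINES, first_row)
            for row in reader:
                self.ParseRow(reader.line_num + self.NUMBER_OF_HEADER_LINES, row)
        except csv.Error as exception:
            # e.g. "field larger than field limit"; the reader cannot resync, so stop here
            self.warnings.append(
                (reader.line_num + self.NUMBER_OF_HEADER_LINES, 'csv error: %s' % exception))
        return self.events


if __name__ == '__main__':
    parser = TimestampedDSVParser()
    for timestamp, event, line_number in parser.ParseText(SAMPLE_LOG):
        print(line_number, timestamp.isoformat(), event)
    print('warnings:', parser.warnings)
```

VerifyRow is deliberately cheap and runs once: it exists so that a parser asked to look at every file on a disk image rejects the wrong formats after one row, while ParseRow carries the per-row error handling for files that did match.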

plaso.parsers.esedb module

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]

Bases: BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]

Store a dict object in cache.

Parameters
  • attribute_name (str) – name of the attribute.

  • dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser[source]

Bases: FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DATA_FORMAT = 'Extensible Storage Engine (ESE) Database File (EDB) format'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'esedb'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ESE database file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.esedb.ESEDatabase[source]

Bases: object

Extensible Storage Engine (ESE) database.

Close()[source]

Closes the database.

GetTableByName(name)[source]

Retrieves a table by its name.

Parameters

name (str) – name of the table.

Returns

the table with the corresponding name or None if there is no table with the name.

Return type

pyesedb.table

Open(file_object)[source]

Opens an Extensible Storage Engine (ESE) database file.

Parameters

file_object (dfvfs.FileIO) – file-like object.

Raises
  • IOError – if the file-like object cannot be read.

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

property tables

names of all the tables.

Type

list[str]

plaso.parsers.filestat module

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

File system stat event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

added_time

file entry added date and time.

Type

dfdatetime.DateTimeValues

attribute_names

extended attribute names.

Type

list[str]

backup_time

file entry backup date and time.

Type

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

deletion_time

file entry deletion date and time.

Type

dfdatetime.DateTimeValues

display_name

display name.

Type

str

file_entry_type

dfVFS file entry type.

Type

int

file_size

file size in bytes.

Type

int

file_system_type

file system type.

Type

str

filename

name of the file.

Type

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type

int

inode

inode of the file.

Type

int

is_allocated

True if the file is allocated.

Type

bool

mode

access mode, equivalent to st_mode & 0x0fff.

Type

int

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

number of hard links, equivalent to st_nlink.

Type

int

owner_identifier

user identifier (UID) of the owner, equivalent to st_uid.

Type

int

DATA_TYPE = 'fs:stat'
class plaso.parsers.filestat.FileStatParser[source]

Bases: FileEntryParser

Parses file system stat object.

DATA_FORMAT = 'file system stat information'
NAME = 'filestat'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]

Bases: FileObjectParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 2 files (Firefox 32 or later).

DATA_FORMAT = 'Mozilla Firefox Cache version 2 file (version 32 or later)'
NAME = 'firefox_cache2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox cache event data.

data_size

size of the cached data.

Type

int

expiration_time

date and time the cache entry expires.

Type

dfdatetime.DateTimeValues

fetch_count

number of times the cache entry was fetched.

Type

int

frequency

???

Type

int

info_size

size of the metadata.

Type

int

last_fetched_time

date and time the cache entry was last fetched.

Type

dfdatetime.DateTimeValues

last_modified_time

date and time the cache entry was last modified.

Type

dfdatetime.DateTimeValues

location

???

Type

str

request_method

HTTP request method.

Type

str

request_size

HTTP request byte size.

Type

int

response_code

HTTP response code.

Type

int

url

URL of original content.

Type

str

version

cache format version.

Type

str

DATA_TYPE = 'firefox:cache:record'
class plaso.parsers.firefox_cache.FirefoxCacheParser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DATA_FORMAT = 'Mozilla Firefox Cache version 1 file (version 31 or earlier)'
FIREFOX_CACHE_CONFIG

alias of firefox_cache_config

NAME = 'firefox_cache'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.fish_history module

Parser for fish history files.

class plaso.parsers.fish_history.FishHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Fish history log event data.

command

command that was executed.

Type

str

written_time

date and time the entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'fish:history:entry'
class plaso.parsers.fish_history.FishHistoryParser[source]

Bases: FileObjectParser

Parses events from Fish history files.

DATA_FORMAT = 'Fish history file'
NAME = 'fish_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses a fish history file from a file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.fseventsd module

Parsers for MacOS fseventsd files.

Also see:

https://github.com/libyal/dtformats/blob/main/documentation/MacOS%20File%20System%20Events%20Disk%20Log%20Stream%20format.asciidoc

class plaso.parsers.fseventsd.FseventsdEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS file system event (fseventsd) event data

event_identifier

the record event identifier.

Type

int

file_entry_modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

flags

flags stored in the record.

Type

int

node_identifier

file system node identifier related to the file system event.

Type

int

path

path recorded in the fseventsd record.

Type

str

DATA_TYPE = 'macos:fseventsd:record'
class plaso.parsers.fseventsd.FseventsdParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files.

DATA_FORMAT = 'MacOS File System Events Disk Log Stream (fseventsd) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'fseventsd'
ParseFileObject(parser_mediator, file_object)[source]

Parses an fseventsd file.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the header cannot be parsed.

plaso.parsers.interface module

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]

Bases: object

File entry filter interface.

abstract Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters

file_entry (dfvfs.FileEntry) – a file entry.

Returns

True if the file entry matches the filter.

Return type

bool

class plaso.parsers.interface.BaseParser[source]

Bases: object

The parser interface.

ALL_PLUGINS = {'*'}
DATA_FORMAT = ''
classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters

plugin_class (type) – class of the plugin.

Raises

KeyError – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters

plugin_includes (set[str]) – names of the plugins to enable, where set(['*']) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset({})
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

a format specification or None if not available.

Return type

FormatSpecification

classmethod GetPluginNames()[source]

Retrieves the names of registered plugins.

Returns

names of the plugins.

Return type

list[str]

classmethod GetPluginObjectByName(plugin_name)[source]

Retrieves a specific plugin object by its name.

Parameters

plugin_name (str) – name of the plugin.

Returns

a plugin object or None if not available.

Return type

BasePlugin

classmethod GetPlugins()[source]

Retrieves the registered plugins.

Yields

tuple[str, type] – name and class of the plugin.

NAME = 'base_parser'
classmethod RegisterPlugin(plugin_class)[source]

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters

plugin_class (type) – class of the plugin.

Raises

KeyError – if plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]

Registers plugin classes.

Parameters

plugin_classes (list[type]) – classes of plugins.

Raises

KeyError – if plugin class is already set for the corresponding name.

classmethod SupportsPlugins()[source]

Determines if a parser supports plugins.

Returns

True if the parser supports plugins.

Return type

bool

class plaso.parsers.interface.FileEntryParser[source]

Bases: BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]

Parses the file entry and extracts event objects.

Parameters

parser_mediator (ParserMediator) – a parser mediator.

Raises

WrongParser – when the file cannot be parsed.

abstract ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]

Bases: BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters

file_entry (dfvfs.FileEntry) – a file entry.

Returns

True if the file entry matches the filter.

Return type

bool

class plaso.parsers.interface.FileObjectParser[source]

Bases: BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]

Parses a single file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

WrongParser – when the file cannot be parsed.

abstract ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters
  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.java_idx module

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Java IDX cache file event data.

downloaded_time

date and time the content was downloaded.

Type

dfdatetime.DateTimeValues

expiration_time

date and time the cached download expires.

Type

dfdatetime.DateTimeValues

idx_version

format version of IDX file.

Type

str

ip_address

IP address of the host in the URL.

Type

str

modification_time

date and time the cached download was last modified.

Type

dfdatetime.DateTimeValues

url

URL of the downloaded file.

Type

str

DATA_TYPE = 'java:download:idx'
class plaso.parsers.java_idx.JavaIDXParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03 on, the file moved to a multi-section format in which later sections are optional and variable-length. 6.03, 6.04 and 6.05 files all have their main data section (#2) begin at offset 128. The short structure exists because 6.05 files deviate after the 8th byte, so the parser reads the first 8 bytes to check that the file is valid, determines the file version, and then continues with the structures for that version.

DATA_FORMAT = 'Java WebStart Cache IDX file'
NAME = 'java_idx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Java WebStart Cache IDX file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.jsonl_parser module

Base parser for line-based JSON (JSON-L) log formats.

class plaso.parsers.jsonl_parser.JSONLParser[source]

Bases: FileObjectParser

Base parser for line-based JSON (JSON-L) log formats.

DATA_FORMAT = 'JSON-L log file'
NAME = 'jsonl'
ParseFileObject(parser_mediator, file_object)[source]

Parses a line-based JSON (JSON-L) log file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.locate module

Parser for locate database (updatedb) files.

class plaso.parsers.locate.LocateDatabaseEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

Linux locate database (updatedb) event data.

entries

contents of the locate database (updatedb) entry.

Type

list[str]

path

path of the locate database (updatedb) entry.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:locate_database:entry'
class plaso.parsers.locate.LocateDatabaseParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for locate database (updatedb) files.

DATA_FORMAT = 'Locate database file (updatedb)'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'locate_database'
ParseFileObject(parser_mediator, file_object, **kwargs)[source]

Parses a locate database (updatedb) file-like object.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises

WrongParser – when the file cannot be parsed; this signals the event extractor to apply other parsers.

plaso.parsers.logger module

The parsers sub-module logger.

plaso.parsers.macos_keychain module

Parser for MacOS keychain database files.

class plaso.parsers.macos_keychain.KeychainApplicationRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS keychain application password record event data.

account_name

name of the account.

Type

str

comments

comments added by the user.

Type

str

creation_time

creation date and time of the keychain record.

Type

dfdatetime.DateTimeValues

entry_name

name of the entry.

Type

str

modification_time

modification date and time of the keychain record.

Type

dfdatetime.DateTimeValues

ssgp_hash

password/certificate hash formatted as a hexadecimal string.

Type

str

text_description

description.

Type

str

DATA_TYPE = 'macos:keychain:application'
class plaso.parsers.macos_keychain.KeychainDatabaseColumn[source]

Bases: object

MacOS keychain database column.

attribute_data_type

attribute (data) type.

Type

int

attribute_identifier

attribute identifier.

Type

int

attribute_name

attribute name.

Type

str

class plaso.parsers.macos_keychain.KeychainDatabaseTable[source]

Bases: object

MacOS keychain database table.

columns

columns.

Type

list[KeychainDatabaseColumn]

records

records.

Type

list[dict[str, str]]

relation_identifier

relation identifier.

Type

int

relation_name

relation name.

Type

str

class plaso.parsers.macos_keychain.KeychainInternetRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS keychain internet record event data.

account_name

name of the account.

Type

str

comments

comments added by the user.

Type

str

creation_time

creation date and time of the keychain record.

Type

dfdatetime.DateTimeValues

entry_name

name of the entry.

Type

str

modification_time

modification date and time of the keychain record.

Type

dfdatetime.DateTimeValues

protocol

internet protocol used, for example “https”.

Type

str

ssgp_hash

password/certificate hash formatted as a hexadecimal string.

Type

str

text_description

description.

Type

str

type_protocol

sub-protocol used, for example “form”.

Type

str

where

domain name or IP where the password is used.

Type

str

DATA_TYPE = 'macos:keychain:internet'
class plaso.parsers.macos_keychain.KeychainParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for MacOS keychain database files.

DATA_FORMAT = 'MacOS keychain database file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'mac_keychain'
ParseFileObject(parser_mediator, file_object)[source]

Parses a MacOS keychain file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.manager module

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]

Bases: object

The parsers and plugins manager.

ALL_PLUGINS = {'*'}
classmethod CheckFilterExpression(parser_filter_expression)[source]

Checks parser and plugin names in a parser filter expression.

Parameters

parser_filter_expression (str) – parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma-separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns

containing:

  • set(str): parser filter expression elements that contain known parser and/or plugin names.

  • set(str): parser filter expression elements that contain unknown parser and/or plugin names.

Return type

tuple

classmethod CreateSignatureScanner(specification_store)[source]

Creates a signature scanner for format specifications with signatures.

Parameters

specification_store (FormatSpecificationStore) – format specifications with signatures.

Returns

signature scanner.

Return type

pysigscan.scanner

classmethod DeregisterParser(parser_class)[source]

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters

parser_class (type) – parser class (subclass of BaseParser).

Raises

KeyError – if parser class is not set for the corresponding name.

classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma-separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns

containing:

  • FormatSpecificationStore: format specifications with signatures.

  • list[str]: names of parsers that do not have format specifications with signatures, or have signatures but also need to be applied ‘brute force’.

Return type

tuple

classmethod GetNamesOfParsersWithPlugins()[source]

Retrieves the names of all parsers with plugins.

Returns

names of all parsers with plugins.

Return type

list[str]

classmethod GetParserObjects(parser_filter_expression=None)[source]

Retrieves the parser objects.

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma-separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns

parsers per name.

Return type

dict[str, BaseParser]

classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]

Retrieves the parser plugins information.

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma-separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns

pairs of parser plugin names and descriptions.

Return type

list[tuple[str, str]]

classmethod GetParsersInformation()[source]

Retrieves the parsers information.

Returns

parser names and descriptions.

Return type

list[tuple[str, str]]

classmethod RegisterParser(parser_class)[source]

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters

parser_class (type) – parser class (subclass of BaseParser).

Raises

KeyError – if parser class is already set for the corresponding name.

classmethod RegisterParsers(parser_classes)[source]

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters

parser_classes (list[type]) – parser classes (subclasses of BaseParser).

Raises

KeyError – if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

McAfee AV Log event data.

action

action.

Type

str

filename

filename.

Type

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type

int

rule

rule.

Type

str

status

status.

Type

str

trigger_location

trigger location.

Type

str

username

username.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'av:mcafee:accessprotectionlog'
class plaso.parsers.mcafeeav.McafeeAccessProtectionParser[source]

Bases: DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']
DATA_FORMAT = 'McAfee Anti-Virus access protection log file'
DELIMITER = '\t'
NAME = 'mcafee_protection'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool
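The row handling described above for McafeeAccessProtectionParser, as an added stand-alone example that is not plaso's own code and does not import plaso: it splits tab-delimited lines by the documented COLUMNS, verifies each row the way VerifyRow would before committing to the parser, and tracks each line's byte offset as row_offset. The date and time column layout, the sample log lines and the dict-shaped event data are constructed assumptions; the page does not state them.

```python
"""Stand-alone sketch of McAfee access protection log row handling (added example)."""
import datetime

# Column layout, delimiter and event data type as documented on this page.
COLUMNS = ['date', 'time', 'status', 'username', 'filename',
           'trigger_location', 'rule', 'action']
DELIMITER = '\t'
DATA_TYPE = 'av:mcafee:accessprotectionlog'

# Assumption: the two leading columns hold a US-style date and a 12-hour
# clock time; the page does not state the actual layout.
DATE_FORMAT = '%m/%d/%Y'
TIME_FORMAT = '%I:%M:%S %p'

# Constructed sample log: one well-formed record, one line with the wrong
# field count, and one record whose date cannot be parsed.
SAMPLE_LOG = (
    b'9/27/2013\t2:42:26 PM\tBlocked by Access Protection rule\tSYSTEM\t'
    b'C:\\Windows\\System32\\svchost.exe\t'
    b'C:\\Users\\test\\AppData\\Local\\Temp\\dropper.tmp\t'
    b'Example Rule:Block execution from the Temp folder\t'
    b'Action blocked : Create\r\n'
    b'this is not an access protection record\r\n'
    b'13/40/2013\t2:42:26 PM\tBlocked\tSYSTEM\tx\ty\tz\tAction blocked : Create\r\n'
)


def split_row(line):
    """Splits one decoded line into a row keyed by COLUMNS; None if the field count is wrong."""
    fields = line.rstrip('\r\n').split(DELIMITER)
    if len(fields) != len(COLUMNS):
        return None
    return dict(zip(COLUMNS, fields))


def parse_written_time(row):
    """Combines the date and time columns into a naive datetime; raises ValueError on bad input."""
    return datetime.datetime.strptime(
        '{0:s} {1:s}'.format(row['date'], row['time']),
        '{0:s} {1:s}'.format(DATE_FORMAT, TIME_FORMAT))


def verify_row(row):
    """Counterpart of VerifyRow: True only if the row looks like an access protection record."""
    if row is None:
        return False
    try:
        parse_written_time(row)
    except (KeyError, ValueError):
        return False
    return True


def parse_row(row_offset, row):
    """Counterpart of ParseRow: builds a dict shaped like McafeeAVEventData."""
    event_data = {name: row[name] for name in COLUMNS[2:]}
    event_data['data_type'] = DATA_TYPE
    event_data['offset'] = row_offset
    event_data['written_time'] = parse_written_time(row)
    return event_data


def is_access_protection_log(data):
    """Format check as a DSV parser performs it: verify the first row before claiming the file."""
    lines = data.splitlines(keepends=True)
    if not lines:
        return False
    return verify_row(split_row(lines[0].decode('utf-8', errors='replace')))


def parse_log(data):
    """Walks the log bytes, using each line's byte offset as row_offset.

    Returns (events, skipped_offsets): rows that fail verification are
    skipped and their offsets reported, mirroring a recovery warning.
    """
    events = []
    skipped = []
    offset = 0
    for raw_line in data.splitlines(keepends=True):
        row = split_row(raw_line.decode('utf-8', errors='replace'))
        if verify_row(row):
            events.append(parse_row(offset, row))
        else:
            skipped.append(offset)
        offset += len(raw_line)
    return events, skipped
```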

plaso.parsers.mediator module

The parser mediator.

class plaso.parsers.mediator.ParserMediator(knowledge_base, collection_filters_helper=None, resolver_context=None)[source]

Bases: object

Parser mediator.

collection_filters_helper

collection filters helper.

Type

CollectionFiltersHelper

last_activity_timestamp

timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multi-processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

Type

int

parsers_counter

number of events per parser or parser plugin.

Type

collections.Counter

AddWindowsEventLogMessageFile(message_file)[source]

Adds a Windows EventLog message file.

Parameters

message_file (WindowsEventLogMessageFileArtifact) – Windows EventLog message file.

AddWindowsEventLogMessageString(message_string)[source]

Adds a Windows EventLog message string.

Parameters

message_string (WindowsEventLogMessageStringArtifact) – Windows EventLog message string.

AddWindowsWevtTemplateEvent(event_definition)[source]

Adds a Windows WEVT_TEMPLATE event definition.

Parameters

event_definition (WindowsWevtTemplateEvent) – Windows WEVT_TEMPLATE event definition.

AddYearLessLogHelper(year_less_log_helper)[source]

Adds a year-less log helper.

Parameters

year_less_log_helper (YearLessLogHelper) – year-less log helper.

AppendToParserChain(name)[source]

Adds a parser or parser plugin to the parser chain.

Parameters

name (str) – name of a parser or parser plugin.

ClearParserChain()[source]

Clears the parser chain.

ExpandWindowsPath(path)[source]

Expands a Windows path containing environment variables.

Parameters

path (str) – Windows path with environment variables.

Returns

expanded Windows path.

Return type

str

GetCurrentYear()[source]

Retrieves current year.

Returns

the current year.

Return type

int

GetDisplayName(file_entry=None)[source]

Retrieves the display name for a file entry.

Parameters

file_entry (Optional[dfvfs.FileEntry]) – file entry object, where None will return the display name of self._file_entry.

Returns

human readable string that describes the path to the file entry.

Return type

str

Raises

ValueError – if the file entry is missing.

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.

Returns

human readable version of the path specification.

Return type

str

GetFileEntry()[source]

Retrieves the active file entry.

Returns

file entry or None if not available.

Return type

dfvfs.FileEntry

GetFilename()[source]

Retrieves the name of the active file entry.

Returns

name of the active file entry or None.

Return type

str

GetParserChain()[source]

Retrieves the current parser chain.

Returns

parser chain.

Return type

str

GetRelativePath()[source]

Retrieves the relative path of the current file entry.

Returns

relative path of the current file entry or None if there is no current file entry.

Return type

str

GetRelativePathForPathSpec(path_spec)[source]

Retrieves the relative path for a path specification.

Parameters

path_spec (dfvfs.PathSpec) – path specification.

Returns

relative path of the path specification.

Return type

str

GetWindowsEventLogMessageFile()[source]

Retrieves the Windows EventLog message file for a specific path.

Returns

Windows EventLog message file or None if there is no current file entry or no Windows EventLog message file was found.

Return type

WindowsEventLogMessageFileArtifact

PopFromParserChain()[source]

Removes the last added parser or parser plugin from the parser chain.

ProduceEventData(event_data)[source]

Produces event data.

Parameters

event_data (EventData) – event data.

Raises

RuntimeError – when storage writer is not set.

ProduceEventDataStream(event_data_stream)[source]

Produces an event data stream.

Parameters

event_data_stream (EventDataStream) – an event data stream or None if no event data stream is needed.

Raises

RuntimeError – when storage writer is not set.

ProduceEventSource(event_source)[source]

Produces an event source.

Parameters

event_source (EventSource) – an event source.

Raises

RuntimeError – when storage writer is not set.

ProduceExtractionWarning(message, path_spec=None)[source]

Produces an extraction warning.

Parameters
  • message (str) – message of the warning.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.

Raises

RuntimeError – when storage writer is not set.

ProduceRecoveryWarning(message, path_spec=None)[source]

Produces a recovery warning.

Parameters
  • message (str) – message of the warning.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.

Raises

RuntimeError – when storage writer is not set.

ResetFileEntry()[source]

Resets the active file entry.

SampleFormatCheckStartTiming(parser_name)[source]

Starts timing a CPU time sample for profiling.

Parameters

parser_name (str) – name of the parser.

SampleFormatCheckStopTiming(parser_name)[source]

Stops timing a CPU time sample for profiling.

Parameters

parser_name (str) – name of the parser.

SampleMemoryUsage(parser_name)[source]

Takes a sample of the memory usage for profiling.

Parameters

parser_name (str) – name of the parser.

SampleStartTiming(parser_name)[source]

Starts timing a CPU time sample for profiling.

Parameters

parser_name (str) – name of the parser.

SampleStopTiming(parser_name)[source]

Stops timing a CPU time sample for profiling.

Parameters

parser_name (str) – name of the parser.

SetExtractWinEvtResources(extract_winevt_resources)[source]

Sets value to indicate if Windows EventLog resources should be extracted.

Parameters

extract_winevt_resources (bool) – True if Windows EventLog resources should be extracted.

SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters

file_entry (dfvfs.FileEntry) – file entry.

SetPreferredCodepage(codepage)[source]

Sets the preferred codepage.

Parameters

codepage (str) – codepage.

SetPreferredLanguage(language_tag)[source]

Sets the preferred language.

Parameters

language_tag (str) – language tag such as “en-US” for US English or “is-IS” for Icelandic or None if the language determined by preprocessing or the default should be used.

Raises

ValueError – if the language tag is not a string type or no LCID can be determined that corresponds with the language tag.

SetPreferredTimeZone(time_zone_string)[source]

Sets the preferred time zone for zone-less date and time values.

Parameters

time_zone_string (str) – time zone such as “Europe/Amsterdam” or None if the time zone determined by preprocessing or the default should be used.

Raises

ValueError – if the time zone is not supported.

SetStorageWriter(storage_writer)[source]

Sets the storage writer.

Parameters

storage_writer (StorageWriter) – storage writer.

SetTemporaryDirectory(temporary_directory)[source]

Sets the directory to store temporary files.

Parameters

temporary_directory (str) – path of the directory to store temporary files.

SignalAbort()[source]

Signals the parsers to abort.

StartProfiling(configuration, identifier, process_information)[source]

Starts profiling.

Parameters
  • configuration (ProfilingConfiguration) – profiling configuration.

  • identifier (str) – identifier of the profiling session used to create the sample filename.

  • process_information (ProcessInfo) – process information.

StopProfiling()[source]

Stops profiling.

property abort

True if parsing should be aborted.

Type

bool

property codepage

preferred codepage in lower case.

Type

str

property extract_winevt_resources

extract Windows EventLog resources.

Type

bool

property language

language tag in lower case.

Type

str

property number_of_produced_event_data

number of produced event data.

Type

int

property number_of_produced_event_sources

number of produced event sources.

Type

int

property number_of_produced_extraction_warnings

number of produced extraction warnings.

Type

int

property resolver_context

resolver context.

Type

dfvfs.Context

property temporary_directory

path of the directory for temporary files.

Type

str

property timezone

timezone.

Type

datetime.tzinfo

plaso.parsers.msiecf module

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF leak event data.

cached_filename

name of the cached file.

Type

str

cached_file_size

size of the cached file.

Type

int

cache_directory_index

index of the cache directory.

Type

int

cache_directory_name

name of the cache directory.

Type

str

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type

int

recovered

True if the item was recovered.

Type

bool

DATA_TYPE = 'msiecf:leak'
class plaso.parsers.msiecf.MSIECFParser[source]

Bases: FileObjectParser

Parses MSIE Cache Files (MSIECF).

DATA_FORMAT = 'Microsoft Internet Explorer (MSIE) 4 - 9 cache (index.dat) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'msiecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses an MSIE Cache File (MSIECF) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF redirected event data.

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type

int

recovered

True if the item was recovered.

Type

bool

url

location URL.

Type

str

DATA_TYPE = 'msiecf:redirected'
class plaso.parsers.msiecf.MSIECFURLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF URL event data.

access_time

date and time the MSIECF item was last accessed.

Type

dfdatetime.DateTimeValues

cached_filename

name of the cached file.

Type

str

cached_file_size

size of the cached file.

Type

int

cache_directory_index

index of the cache directory.

Type

int

cache_directory_name

name of the cache directory.

Type

str

creation_time

date and time the MSIECF item was created.

Type

dfdatetime.DateTimeValues

expiration_time

date and time the MSIECF item expires.

Type

dfdatetime.DateTimeValues

http_headers

HTTP headers.

Type

str

modification_time

date and time the MSIECF item was last modified.

Type

dfdatetime.DateTimeValues

last_visited_time

date and time the MSIECF item was last visited.

Type

dfdatetime.DateTimeValues

number_of_hits

number of hits.

Type

int

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type

int

primary_time

unspecified primary date and time of the MSIECF item.

Type

dfdatetime.DateTimeValues

recovered

True if the item was recovered.

Type

bool

secondary_time

unspecified secondary date and time of the MSIECF item.

Type

dfdatetime.DateTimeValues

synchronization_time

synchronization date and time.

Type

dfdatetime.DateTimeValues

url

location URL.

Type

str

DATA_TYPE = 'msiecf:url'

plaso.parsers.networkminer module

Parser for NetworkMiner .fileinfos files.

class plaso.parsers.networkminer.NetworkMinerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NetworkMiner event data.

destination_ip

Destination IP address.

Type

str

destination_port

Destination port number.

Type

str

file_details

Details about the file.

Type

str

file_md5

MD5 hash of the file.

Type

str

file_path

File path to where it was downloaded.

Type

str

file_size

Size of the file.

Type

str

filename

Name of the file.

Type

str

source_ip

Originating IP address.

Type

str

source_port

Originating port number.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'networkminer:fileinfos:file'
class plaso.parsers.networkminer.NetworkMinerParser[source]

Bases: DSVParser

Parser for NetworkMiner .fileinfos files.

COLUMNS = ('source_ip', 'source_port', 'destination_ip', 'destination_port', 'filename', 'file_path', 'file_size', 'unused', 'file_md5', 'unused2', 'file_details', 'unused4', 'timestamp')
DATA_FORMAT = 'NetworkMiner .fileinfos file'
NAME = 'networkminer_fileinfo'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – line number of the row.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.ntfs module

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NTFS file system stat event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

attribute_type

attribute type for example “0x00000030”, which represents “$FILE_NAME”.

Type

int

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

display_name

display name.

Type

str

entry_modification_time

file entry modification date and time.

Type

dfdatetime.DateTimeValues

file_attribute_flags

NTFS file attribute flags.

Type

int

file_reference

NTFS file reference.

Type

int

file_system_type

file system type.

Type

str

filename

name of the file.

Type

str

is_allocated

True if the MFT entry is allocated (marked as in use).

Type

bool

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

name

name associated with the stat event, for example that of a $FILE_NAME attribute or None if not available.

Type

str

parent_file_reference

NTFS file reference of the parent.

Type

int

path_hints

hints about the full path of the file.

Type

list[str]

path of the symbolic link target.

Type

str

DATA_TYPE = 'fs:stat:ntfs'
class plaso.parsers.ntfs.NTFSMFTParser[source]

Bases: FileObjectParser

Parses an NTFS $MFT metadata file.

DATA_FORMAT = 'NTFS $MFT metadata file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'mft'
ParseFileObject(parser_mediator, file_object)[source]

Parses an NTFS $MFT metadata file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.ntfs.NTFSUSNChangeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NTFS USN change event data.

file_attribute_flags

NTFS file attribute flags.

Type

int

filename

name of the file associated with the event.

Type

str

file_reference

NTFS file reference.

Type

int

file_system_type

file system type.

Type

str

parent_file_reference

NTFS file reference of the parent.

Type

int

offset

offset of the USN record relative to the start of the $J data stream, from which the event data was extracted.

Type

int

update_reason_flags

update reason flags.

Type

int

update_sequence_number

update sequence number.

Type

int

update_source_flags

update source flags.

Type

int

update_time

update date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'fs:ntfs:usn_change'
class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses an NTFS USN change journal.

DATA_FORMAT = 'NTFS USN change journal ($UsnJrnl:$J) file system metadata file'
NAME = 'usnjrnl'
ParseFileObject(parser_mediator, file_object)[source]

Parses an NTFS $UsnJrnl metadata file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.olecf module

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]

Bases: FileObjectParser

Parses OLE Compound Files (OLECF).

DATA_FORMAT = 'OLE Compound File (OLECF) format'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'olecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses an OLE Compound File (OLECF) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.opera module

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Opera global history entry data.

description

description.

Type

str

last_visited_time

date and time the URL was last visited.

Type

dfdatetime.DateTimeValues

popularity_index

popularity index.

Type

int

title

title.

Type

str

url

URL.

Type

str

DATA_TYPE = 'opera:history:entry'
class plaso.parsers.opera.OperaGlobalHistoryParser[source]

Bases: FileObjectParser

Parses the Opera global_history.dat file.

DATA_FORMAT = 'Opera global history (global_history.dat) file'
NAME = 'opera_global'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera global history file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Opera typed history entry data.

entry_selection

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type

str

entry_type

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type

str

last_typed_time

date and time the URL was last typed.

Type

dfdatetime.DateTimeValues

url

typed URL or hostname.

Type

str

DATA_TYPE = 'opera:history:typed_entry'
class plaso.parsers.opera.OperaTypedHistoryParser[source]

Bases: FileObjectParser

Parses the Opera typed_history.xml file.

DATA_FORMAT = 'Opera typed history (typed_history.xml) file'
NAME = 'opera_typed_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera typed history file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.pe module

A parser for Portable Executable (PE) files.

Also see:

https://www.mandiant.com/resources/blog/tracking-malware-import-hashing

class plaso.parsers.pe.PEDLLImportEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) DLL import event data.

delayed_import

True if the DLL is imported at run-time.

Type

bool

modification_time

last modification date and time.

Type

dfdatetime.DateTimeValues

name

name of the imported DLL.

Type

str

DATA_TYPE = 'pe_coff:dll_import'
class plaso.parsers.pe.PEFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) file event data.

creation_time

creation date and time.

Type

dfdatetime.DateTimeValues

export_dll_name

name of the exported DLL.

Type

str

export_table_modification_time

export table last modification date and time.

Type

dfdatetime.DateTimeValues

imphash

“Import Hash” of the Portable Executable (PE) file.

Type

str

load_configuration_table_modification_time

load configuration table last modification date and time.

Type

dfdatetime.DateTimeValues

pe_type

type of Portable Executable (PE) file.

Type

str

section_names

names of the sections in the Portable Executable (PE) file.

Type

list[str]

DATA_TYPE = 'pe_coff:file'
class plaso.parsers.pe.PEParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Portable Executable (PE) files.

DATA_FORMAT = 'Portable Executable (PE) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'pe'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Portable Executable (PE) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.pe.PEResourceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) resource event data.

identifier

identifier of the resource.

Type

int

modification_time

last modification date and time.

Type

dfdatetime.DateTimeValues

name

name of the resource.

Type

str

DATA_TYPE = 'pe_coff:resource'

plaso.parsers.plist module

Parser for binary and text Property List (plist) files.

class plaso.parsers.plist.PlistParser[source]

Bases: FileObjectParser

Parser for binary and text Property List (plist) files.

DATA_FORMAT = 'Property list (plist) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

a format specification or None if not available.

Return type

FormatSpecification

NAME = 'plist'
ParseFileObject(parser_mediator, file_object)[source]

Parses a plist file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.pls_recall module

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

PL/SQL Recall event data.

database_name

name of the database.

Type

str

offset

offset of the PL/SQL Recall record relative to the start of the file, from which the event data was extracted.

Type

int

query

PL/SQL query.

Type

str

sequence_number

sequence number.

Type

int

username

username used to query.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'pls_recall:entry'
class plaso.parsers.pls_recall.PlsRecallParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

    TRecallRecord = packed record
      Sequence: Integer;
      TimeStamp: TDateTime;
      Username: array[0..30] of Char;
      Database: array[0..80] of Char;
      Text: array[0..4000] of Char;
    end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.
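
The record layout and the TDateTime note above are enough to decode a record by hand. The following is an added example, not plaso's own dtfabric-based implementation: it packs the Delphi record with `struct`, converts the TDateTime (days since 1899-12-30, fractional part is the time of day, no time zone) and walks a file record by record. The sample record is constructed inside the block; the field names it emits mirror the PlsRecallEventData attributes on this page.

```python
import datetime
import math
import struct

# Layout from the Delphi definition: Integer (4 bytes), TDateTime (8-byte
# double), then three NUL-padded fixed-size Char arrays. '<' = little-endian,
# no alignment padding, matching 'packed record'.
RECORD_STRUCT = struct.Struct('<id31s81s4001s')
RECORD_SIZE = RECORD_STRUCT.size  # 4 + 8 + 31 + 81 + 4001 = 4125 bytes

# Delphi TDateTime counts days from this epoch; there is no time zone.
DELPHI_EPOCH = datetime.datetime(1899, 12, 30)


def delphi_datetime_to_datetime(value):
    """Converts a Delphi TDateTime to a naive datetime.

    Delphi stores the time of day as a positive fraction even for dates
    before the epoch (-1.5 is 1899-12-29 12:00), so the integer day and
    the fraction are split and the fraction is always added."""
    fraction, days = math.modf(value)
    return (DELPHI_EPOCH + datetime.timedelta(days=int(days)) +
            datetime.timedelta(days=abs(fraction)))


def _fixed_string(data):
    """Decodes a NUL-padded fixed-size Delphi Char array."""
    return data.split(b'\x00', 1)[0].decode('latin-1')


def parse_recall_record(data):
    """Parses one TRecallRecord; raises ValueError on a short buffer."""
    if len(data) < RECORD_SIZE:
        raise ValueError('record truncated: %d of %d bytes' % (len(data), RECORD_SIZE))
    sequence, timestamp, username, database, text = RECORD_STRUCT.unpack_from(data)
    return {
        'sequence_number': sequence,
        'written_time': delphi_datetime_to_datetime(timestamp),
        'username': _fixed_string(username),
        'database_name': _fixed_string(database),
        'query': _fixed_string(text),
    }


def parse_recall_file(data):
    """Parses consecutive records; a trailing partial record is ignored."""
    records = []
    offset = 0
    while offset + RECORD_SIZE <= len(data):
        record = parse_recall_record(data[offset:offset + RECORD_SIZE])
        record['offset'] = offset
        records.append(record)
        offset += RECORD_SIZE
    return records


def build_recall_record(sequence, written_time, username, database, text):
    """Builds a constructed record for testing (not a real PLSRecall.dat)."""
    delta = written_time - DELPHI_EPOCH
    tdatetime = delta.days + delta.seconds / 86400.0
    # struct pads shorter byte strings with NULs, as the Delphi arrays are.
    return RECORD_STRUCT.pack(sequence, tdatetime, username.encode('latin-1'),
                              database.encode('latin-1'), text.encode('latin-1'))


if __name__ == '__main__':
    sample = build_recall_record(7, datetime.datetime(2013, 6, 18, 19, 15),
                                 'scott', 'ORCL', 'SELECT * FROM emp')
    for record in parse_recall_file(sample * 2):
        print(record['offset'], record['sequence_number'], record['written_time'],
              record['username'], record['database_name'], record['query'])
```

The `offset` field is what a reviewer of the timeline needs to go back to the raw record, which is why the page's event data carries it too.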

DATA_FORMAT = 'PL SQL cache file (PL-SQL developer recall file) format'
NAME = 'pls_recall'
ParseFileObject(parser_mediator, file_object)[source]

Parses a PLSRecall.dat file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.plugins module

This file contains the basic interface for plugins within Plaso.

This library serves as a basis for all plugins in Plaso, whether they are Windows Registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common among several artifacts or files, a plugin infrastructure can be written to make writing parsers simpler. The goal of a parser plugin is to have only a single parser that understands the data structure, which can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of a certain database, such as Chrome history or Skype history. This can be done without needing to write a fully-fledged parser that re-implements the data structure knowledge. A single parser can be created that calls the plugins to see if one of them knows that particular database.

Another example is the Windows Registry: a single parser that can parse the Registry can be made, and the job of a single plugin is to parse a particular Registry key. The parser can then read a Registry key and compare it to the list of available plugins to see if it can be parsed.

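The single-parser-plus-plugins split described above, as an added example that is not plaso's own code: a small SQLite parser reads the table names once from `sqlite_master` and hands the connection to every plugin whose declared required tables are present. The plugin names, the schema and the rows are constructed for the example; the table-name query is modelled on the `SCHEMA_QUERY` documented for `SQLiteDatabase` further down this page, with single-quoted literals.

```python
import sqlite3

# Modelled on SQLiteDatabase.SCHEMA_QUERY on this page; only the table names
# are needed here, and sqlite_sequence is excluded as there.
TABLE_NAMES_QUERY = (
    "SELECT tbl_name FROM sqlite_master WHERE type = 'table' "
    "AND tbl_name != 'sqlite_sequence'")


class SQLitePlugin:
    """Minimal plugin: declares the tables it needs and how to read them."""
    NAME = 'base_plugin'
    REQUIRED_TABLES = frozenset()

    def Matches(self, table_names):
        # The plugin applies only when every table it relies on exists.
        return self.REQUIRED_TABLES <= table_names

    def Process(self, connection):
        raise NotImplementedError


class HistoryPlugin(SQLitePlugin):
    """Hypothetical plugin for a browser-history style schema (constructed)."""
    NAME = 'example_history'
    REQUIRED_TABLES = frozenset(['urls', 'visits'])

    def Process(self, connection):
        query = ('SELECT urls.url, visits.visit_time FROM visits '
                 'JOIN urls ON visits.url = urls.id ORDER BY visits.visit_time')
        return [{'data_type': 'example:history:visit', 'url': url,
                 'timestamp': visit_time}
                for url, visit_time in connection.execute(query)]


class DownloadsPlugin(SQLitePlugin):
    """Hypothetical plugin that needs a table the sample database lacks."""
    NAME = 'example_downloads'
    REQUIRED_TABLES = frozenset(['downloads'])

    def Process(self, connection):
        query = 'SELECT target_path, start_time FROM downloads'
        return [{'data_type': 'example:history:download',
                 'target_path': target_path, 'timestamp': start_time}
                for target_path, start_time in connection.execute(query)]


class SQLiteParser:
    """The single parser: reads the schema once, then dispatches to plugins."""

    def __init__(self, plugins):
        self._plugins = list(plugins)

    def GetTableNames(self, connection):
        return frozenset(row[0] for row in connection.execute(TABLE_NAMES_QUERY))

    def Parse(self, connection):
        table_names = self.GetTableNames(connection)
        used_plugins, events = [], []
        for plugin in self._plugins:
            if plugin.Matches(table_names):
                used_plugins.append(plugin.NAME)
                events.extend(plugin.Process(connection))
        return used_plugins, events


def build_history_database():
    """Constructed in-memory database; the schema is an illustration only."""
    connection = sqlite3.connect(':memory:')
    connection.executescript('''
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/');
        INSERT INTO visits VALUES (1, 1, 1700000000), (2, 1, 1700003600);
    ''')
    return connection


if __name__ == '__main__':
    parser = SQLiteParser([HistoryPlugin(), DownloadsPlugin()])
    used, events = parser.Parse(build_history_database())
    print(used, events)
```

Matching on required tables only is deliberately coarse: a database that happens to share table names with another application would still be handed to the plugin, so a production plugin also checks the column layout, which is what the `schema` attribute of `SQLiteDatabase` on this page exists for.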
DATA_FORMAT = ''
NAME = 'base_plugin'
Process(parser_mediator, **kwargs)[source]

Extracts events using a parser plugin.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • kwargs (dict[str, object]) – depending on the plugin, a different set of arguments may be required to evaluate whether or not this is the correct plugin.

Raises

ValueError – when there are unused keyword arguments.

UpdateChainAndProcess(parser_mediator, **kwargs)[source]

Extracts events using a parser plugin and synchronizes the parser chain.

This method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

class plaso.parsers.plugins.BasePluginCache[source]

Bases: object

A generic cache for parser plugins.

GetResults(attribute, default_value=None)[source]

Retrieves a cached attribute.

Parameters
  • attribute (str) – name of the cached attribute.

  • default_value (Optional[object]) – default value.

Returns

value of the cached attribute or default value if the cache does not contain the attribute.

Return type

object

plaso.parsers.presets module

The parser and parser plugin presets.

class plaso.parsers.presets.ParserPreset(name, parsers)[source]

Bases: object

Parser and parser plugin preset.

deprecated

True if the preset is deprecated.

Type

bool

name

name of the preset.

Type

str

operating_systems

operating system artifact attribute containers that specify to which operating systems the preset applies.

Type

list[OperatingSystemArtifact]

parsers

names of parser and parser plugins.

Type

list[str]

class plaso.parsers.presets.ParserPresetsManager[source]

Bases: object

The parsers and plugin presets manager.

GetNames()[source]

Retrieves the preset names.

Returns

preset names in alphabetical order.

Return type

list[str]

GetParsersByPreset(preset_name)[source]

Retrieves the parser and plugin names of a specific preset.

Parameters

preset_name (str) – name of the preset.

Returns

parser and plugin names in alphabetical order.

Return type

list[str]

Raises

KeyError – if the preset does not exist.

GetPresetByName(name)[source]

Retrieves a specific preset definition by name.

Parameters

name (str) – name of the preset.

Returns

a parser preset or None if not available.

Return type

ParserPreset

GetPresetsByOperatingSystem(operating_system)[source]

Retrieves preset definitions for a specific operating system.

Parameters

operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.

Returns

preset definitions that correspond with the operating system.

Return type

list[PresetDefinition]

GetPresetsInformation()[source]

Retrieves the presets information.

Returns

tuples containing:

str: preset name.
str: comma separated parser and plugin names that are defined by the preset.

Return type

list[tuple]

ReadFromFile(path)[source]

Reads parser and parser plugin presets from a file.

Parameters

path (str) – path of file that contains the parser and parser plugin presets configuration.

Raises

MalformedPresetError – if one or more plugin preset definitions are malformed.

plaso.parsers.recycler module

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Recycle Bin event data.

deletion_time

file entry deletion date and time.

Type

dfdatetime.DateTimeValues

drive_number

drive number.

Type

int

file_size

file size.

Type

int

offset

offset of the Recycle Bin record relative to the start of the file, from which the event data was extracted.

Type

int

original_filename

filename.

Type

str

record_index

index of the record, from which the event data was extracted.

Type

int

short_filename

short filename.

Type

str

DATA_TYPE = 'windows:metadata:deleted_item'
class plaso.parsers.recycler.WinRecycleBinParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses the Windows $Recycle.Bin $I files.

DATA_FORMAT = 'Windows $Recycle.Bin $I file'
NAME = 'recycle_bin'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]

Bases: FileObjectParser, DtFabricHelper

Parses the Windows Recycler INFO2 file.

DATA_FORMAT = 'Windows Recycler INFO2 file'
NAME = 'recycle_bin_info2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycler INFO2 file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.safari_cookies module

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]

Bases: FileObjectParser, CookiePluginsHelper, DtFabricHelper

Parser for Safari Binary Cookie files.

DATA_FORMAT = 'Safari Binary Cookie file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification for parser selection.

Returns

format specification.

Return type

FormatSpecification

NAME = 'binary_cookies'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Safari binary cookie file-like object.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises
  • ParseError – when the page sizes array cannot be parsed.

  • WrongParser – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari binary cookie event data.

cookie_name

cookie name.

Type

str

cookie_value

cookie value.

Type

str

creation_time

date and time the cookie was created.

Type

dfdatetime.DateTimeValues

expiration_time

date and time the cookie expires.

Type

dfdatetime.DateTimeValues

flags

cookie flags.

Type

int

path

path of the cookie.

Type

str

url

URL where this cookie is valid.

Type

str

DATA_TYPE = 'safari:cookie:entry'

plaso.parsers.spotlight_storedb module

Parser for Apple Spotlight store database files.

class plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Apple Spotlight store database (store.db) files.

DATA_FORMAT = 'Apple Spotlight store database (store.db) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'spotlight_storedb'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Apple Spotlight store database file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute[source]

Bases: object

Metadata attribute.

key

key or name of the metadata attribute.

Type

str

property_type

metadata attribute property type.

Type

int

value

metadata attribute value.

Type

object

value_type

metadata attribute value type.

Type

int

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem[source]

Bases: object

Metadata item.

attributes

metadata attributes.

Type

dict[str, SpotlightStoreMetadataAttribute]

data_size

size of the record data.

Type

int

flags

record flags.

Type

int

identifier

file (system) entry identifier.

Type

int

item_identifier

item identifier.

Type

int

last_update_time

last update time.

Type

int

parent_identifier

parent file (system) entry identifier.

Type

int

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple Spotlight store database metadata item event data.

added_time

date and time the item was added (kMDItemDateAdded).

Type

dfdatetime.DateTimeValues

attribute_change_time

date and time an attribute was last changed (kMDItemAttributeChangeDate).

Type

dfdatetime.DateTimeValues

content_creation_time

date and time the content was created (kMDItemContentCreationDate).

Type

dfdatetime.DateTimeValues

content_modification_time

date and time the content was last modified (kMDItemContentModificationDate).

Type

dfdatetime.DateTimeValues

content_type

content type of the corresponding file (system) entry (kMDItemContentType).

Type

str

creation_time

date and time the item was created (_kMDItemCreationDate).

Type

dfdatetime.DateTimeValues

downloaded_time

date and time the item was downloaded (kMDItemDownloadedDate).

Type

dfdatetime.DateTimeValues

file_name

name of the corresponding file (system) entry (_kMDItemFileName).

Type

str

file_system_identifier

file system identifier, for example the catalog node identifier (CNID) on HFS.

Type

int

kind

item kind (kMDItemKind).

Type

str

modification_time

date and time the item was last modified (_kMDItemContentChangeDate).

Type

dfdatetime.DateTimeValues

parent_file_system_identifier

file system identifier of the parent.

Type

int

purchase_time

date and time the item was purchased in the AppStore (kMDItemAppStorePurchaseDate).

Type

dfdatetime.DateTimeValues

snapshot_times

dates and times of the creation of backup snapshots (_kTimeMachineOldestSnapshot and _kTimeMachineNewestSnapshot).

Type

list[dfdatetime.DateTimeValues]

update_time

date and time the item was last updated.

Type

dfdatetime.DateTimeValues

used_times

dates and times when the item was used (kMDItemUsedDates and kMDItemLastUsedDate).

Type

list[dfdatetime.DateTimeValues]

DATA_TYPE = 'spotlight:metadata_item'

plaso.parsers.sqlite module

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]

Bases: BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]

Build a dictionary object based on a SQL command.

This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database:

    'first', 'stuff', 'things'
    'second', 'another stuff', 'another thing'

This will result in a dictionary object being created in the cache, called 'all_the_things', and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}
Parameters
  • sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.

  • attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.

  • key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.

  • column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.

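The cache behaviour described above, as an added example rather than plaso's own SQLiteCache: a minimal `CacheQueryResults` that walks a `sqlite3.Row` cursor, keys the dictionary on `key_name` and stores one column directly or several as a list, with a `GetResults` lookup like the `BasePluginCache` documented on this page. The in-memory table and its two rows are constructed to match the example above.

```python
import sqlite3


class QueryResultsCache:
    """Stand-in for the query result cache described above (added example)."""

    def __init__(self):
        self._attributes = {}

    def CacheQueryResults(self, sql_results, attribute_name, key_name, column_names):
        results = {}
        for row in sql_results:
            # Rows are sqlite3.Row objects, so columns are addressable by name.
            if len(column_names) == 1:
                value = row[column_names[0]]
            else:
                value = [row[name] for name in column_names]
            # A repeated key silently overwrites the earlier row: the key
            # column must be unique for the cached mapping to be trustworthy.
            results[row[key_name]] = value
        self._attributes[attribute_name] = results

    def GetResults(self, attribute, default_value=None):
        return self._attributes.get(attribute, default_value)


def build_sample_database():
    """Constructed in-memory database holding the rows from the example above."""
    connection = sqlite3.connect(':memory:')
    connection.row_factory = sqlite3.Row
    connection.executescript('''
        CREATE TABLE my_table (foo TEXT, bla TEXT, bar TEXT);
        INSERT INTO my_table VALUES ('first', 'stuff', 'things');
        INSERT INTO my_table VALUES ('second', 'another stuff', 'another thing');
    ''')
    return connection


def cache_all_the_things(connection):
    """Fills the cache the way a plugin would before parsing rows."""
    cache = QueryResultsCache()
    cursor = connection.execute('SELECT foo, bla, bar FROM my_table')
    cache.CacheQueryResults(cursor, 'all_the_things', 'foo', ['bla', 'bar'])
    # Single column: the value is stored directly rather than wrapped in a list.
    cursor = connection.execute('SELECT foo, bla FROM my_table')
    cache.CacheQueryResults(cursor, 'bla_by_foo', 'foo', ['bla'])
    return cache


if __name__ == '__main__':
    cache = cache_all_the_things(build_sample_database())
    print(cache.GetResults('all_the_things'))
    print(cache.GetResults('bla_by_foo'))
```

The point of the cache is to run a lookup query once per database instead of once per row; a plugin that joins, say, contact identifiers to names pays for the query a single time and then resolves each row from the dictionary.
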
GetRowCache(query)[source]

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate rows when a database and a database with a WAL file are parsed.

Parameters

query (str) – query.

Returns

hashes of the rows that have been parsed.

Return type

set

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]

Bases: object

SQLite database.

schema

schema as an SQL query per table name, for example {'Users': 'CREATE TABLE Users ("id" INTEGER PRIMARY KEY, …)'}.

Type

dict[str, str]

Close()[source]

Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object, a temporary copy of the file is made. After creating a copy of the database file, this function sets up a connection with the database and determines the names of the tables.

Parameters
  • file_object (dfvfs.FileIO) – file-like object.

  • wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.

Raises
  • IOError – if the file-like object cannot be read.

  • OSError – if the file-like object cannot be read.

  • sqlite3.DatabaseError – if the database cannot be parsed.

  • ValueError – if the file-like object is missing.

Query(query)[source]

Queries the database.

Parameters

query (str) – SQL query.

Returns

results.

Return type

sqlite3.Cursor

Raises

sqlite3.DatabaseError – if querying the database fails.

SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'
property tables

names of all the tables.

Type

list[str]

class plaso.parsers.sqlite.SQLiteParser[source]

Bases: FileEntryParser

Parses SQLite database files.

DATA_FORMAT = 'SQLite database file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

a format specification or None if not available.

Return type

FormatSpecification

NAME = 'sqlite'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a SQLite database file entry.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_entry (dfvfs.FileEntry) – file entry to be parsed.

plaso.parsers.symantec module

Symantec AV Corporate Edition and Endpoint Protection log file parser.

class plaso.parsers.symantec.SymantecEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Symantec event data.

access

access.

Type

str

action0

action0.

Type

str

action1

action1.

Type

str

action1_status

action1 status.

Type

str

action2

action2.

Type

str

action2_status

action2 status.

Type

str

address

address.

Type

str

backup_id

backup identifier.

Type

str

cat

category.

Type

str

cleaninfo

clean information.

Type

str

clientgroup

client group.

Type

str

compressed

compressed.

Type

str

computer

computer.

Type

str

definfo

definfo.

Type

str

defseqnumber

def sequence number.

Type

str

deleteinfo

delete information.

Type

str

depth

depth.

Type

str

description

description.

Type

str

domain_guid

domain identifier (GUID).

Type

str

domainname

domain name.

Type

str

err_code

error code.

Type

str

event_data

event data.

Type

str

event

event.

Type

str

extra

extra.

Type

str

file

file.

Type

str

flags

flags.

Type

str

groupid

group identifier.

Type

str

guid

guid.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

license_expiration_dt

license expiration date.

Type

str

license_feature_name

license feature name.

Type

str

license_feature_ver

license feature ver.

Type

str

license_fulfillment_id

license fulfillment identifier.

Type

str

license_lifecycle

license lifecycle.

Type

str

license_seats_delta

license seats delta.

Type

str

license_seats

license seats.

Type

str

license_seats_total

license seats total.

Type

str

license_serial_num

license serial number.

Type

str

license_start_dt

license start date.

Type

str

logger

logger.

Type

str

login_domain

login domain.

Type

str

log_session_guid

log session identifier (GUID).

Type

str

macaddr

MAC address.

Type

str

new_ext

new ext.

Type

str

ntdomain

ntdomain.

Type

str

offset

offset.

Type

str

parent

parent.

Type

str

quarfwd_status

quarfwd status.

Type

str

remote_machine_ip

remote machine IP address.

Type

str

remote_machine

remote machine.

Type

str

scanid

scan identifier.

Type

str

snd_status

snd status.

Type

str

status

status.

Type

str

still_infected

still infected.

Type

str

time

time.

Type

str

user

user.

Type

str

vbin_id

vbin identifier.

Type

str

vbin_session_id

vbin session identifier.

Type

str

version

version.

Type

str

virus_id

virus identifier.

Type

str

virus

virus.

Type

str

virustype

virustype.

Type

str

DATA_TYPE = 'av:symantec:scanlog'
class plaso.parsers.symantec.SymantecParser[source]

Bases: DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']
DATA_FORMAT = 'Symantec AV Corporate Edition and Endpoint Protection log file'
NAME = 'symantec_scanlog'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – line number of the row.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.systemd_journal module

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Systemd journal event data.

body

message body.

Type

str

hostname

hostname.

Type

str

pid

process identifier (PID).

Type

int

reporter

reporter.

Type

str

written_time

date and time the log entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'systemd:journal'
class plaso.parsers.systemd_journal.SystemdJournalParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses Systemd Journal files.

DATA_FORMAT = 'Systemd journal file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'systemd_journal'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Systemd journal file-like object.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the header cannot be parsed.

plaso.parsers.text_parser module

Text log parser.

class plaso.parsers.text_parser.EncodedTextReader(file_object, encoding='utf-8', encoding_errors='strict')[source]

Bases: object

Encoded text reader.

lines

lines of text.

Type

str

BUFFER_SIZE = 65536
ReadLine()[source]

Reads a line.

Returns

line read from the lines buffer.

Return type

str

ReadLines()[source]

Reads lines into the lines buffer.

SkipAhead(number_of_characters)[source]

Skips ahead a number of characters.

Parameters

number_of_characters (int) – number of characters.

get_offset()[source]

Retrieves the current offset into the file-like object.

Returns

current offset into the file-like object.

Return type

int

class plaso.parsers.text_parser.TextLogParser[source]

Bases: FileObjectParser

Text-based log file parser.

DATA_FORMAT = 'text-based log file'
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters

plugin_includes (set[str]) – names of the plugins to enable, where set(['*']) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

NAME = 'text'
ParseFileObject(parser_mediator, file_object)[source]

Parses a text log file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.trendmicroav module

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser[source]

Bases: TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DATA_FORMAT = 'Trend Micro Office Scan Virus Detection log file'
NAME = 'trendmicro_vd'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser[source]

Bases: TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')
DATA_FORMAT = 'Trend Micro Office Web Reputation log file'
NAME = 'trendmicro_url'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Trend Micro AV Log event data.

action

action.

Type

str

filename

filename.

Type

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type

int

path

path.

Type

str

scan_type

scan type.

Type

str

threat

threat.

Type

str

written_time

date and time the log entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'av:trendmicro:scan'
class plaso.parsers.trendmicroav.TrendMicroBaseParser[source]

Bases: DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()
DELIMITER = '<;>'
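
Why the three-character delimiter matters in practice, as an added example that is not plaso's own DSVParser code: Python's `csv` module refuses multi-character delimiters, so the row has to be split by hand, and with no quoting or escaping the split is the whole grammar. The block uses the `COLUMNS` of `OfficeScanVirusDetectionParser` from this page, a constructed log line (not a real Trend Micro record), and treats the `timestamp` column as a POSIX time, which is an assumption of the example.

```python
import csv
import datetime
import io

# Delimiter and column layout from this page.
DELIMITER = '<;>'
VD_COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1',
              'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']

# Constructed sample line; the action/scan_type codes carry no real meaning.
SAMPLE_LINE = ('20180203<;>0935<;>Example.Threat<;>1<;>1<;>0<;>'
               'C:\\Users\\example\\Downloads\\<;>sample.exe<;>0<;>'
               '1517650500<;>0<;>0\n')


def csv_module_rejects_delimiter(delimiter=DELIMITER):
    """Shows why csv.reader is not an option: its delimiter must be 1 character."""
    try:
        csv.reader(io.StringIO(''), delimiter=delimiter)
    except TypeError:
        return True
    return False


def split_row(line, delimiter=DELIMITER):
    """Splits a line on the multi-character delimiter.

    There is no quoting or escaping in this format, so a field that itself
    contained '<;>' cannot be represented and would shift every following
    column; verify_row() catches that by the resulting field count."""
    return line.rstrip('\r\n').split(delimiter)


def verify_row(fields, columns=VD_COLUMNS):
    """Format check in the spirit of VerifyRow: field count and numeric fields."""
    if len(fields) != len(columns):
        return False
    row = dict(zip(columns, fields))
    return (row['timestamp'].isdigit() and len(row['date']) == 8 and
            row['date'].isdigit())


def parse_row(line, columns=VD_COLUMNS):
    """Turns one verified line into an event-data style dictionary."""
    fields = split_row(line)
    if not verify_row(fields, columns):
        raise ValueError('row does not match the expected layout: %r' % line)
    row = dict(zip(columns, fields))
    # Assumption of this example: 'timestamp' is POSIX seconds, UTC.
    written_time = datetime.datetime.fromtimestamp(
        int(row['timestamp']), datetime.timezone.utc)
    return {
        'data_type': 'av:trendmicro:scan',
        'threat': row['threat'],
        'action': row['action'],
        'scan_type': row['scan_type'],
        'path': row['path'],
        'filename': row['filename'],
        'written_time': written_time,
    }


if __name__ == '__main__':
    print(csv_module_rejects_delimiter())
    print(parse_row(SAMPLE_LINE))
```

Because a malformed or adversarially crafted line cannot be quoted, the only defence a parser has is strict verification of every row; a line with the wrong field count is rejected rather than shifted into the wrong columns.
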
class plaso.parsers.trendmicroav.TrendMicroUrlEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Trend Micro Web Reputation Log event data.

application_name

application name.

Type

str

block_mode

operation mode.

Type

str

credibility_rating

credibility rating.

Type

int

credibility_score

credibility score.

Type

int

group_code

group code.

Type

str

group_name

group name.

Type

str

ip

IP address.

Type

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type

int

policy_identifier

policy identifier.

Type

int

threshold

threshold value.

Type

int

url

accessed URL.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'av:trendmicro:webrep'
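The Trend Micro log format described for TrendMicroBaseParser above (a three-character delimiter, no quoting or escaping) cannot be handled by Python's csv module, which only accepts single-character delimiters. The following is an added example, not plaso's own code, of how such a line is split by hand into the COLUMNS fields of the Web Reputation log, how a VerifyRow-style check rejects a line whose field count or numeric fields are wrong, and what the lack of escaping means in practice: a field that itself contains the delimiter sequence shifts every later column. The log lines are constructed for illustration, and treating the `timestamp` column as POSIX seconds is an assumption of this example, not something the page states.

```python
import datetime

# Columns of the Trend Micro Office Web Reputation log, as listed for
# plaso.parsers.trendmicroav.TrendMicroUrlParser.COLUMNS.
URL_LOG_COLUMNS = (
    'date', 'time', 'block_mode', 'url', 'group_code', 'group_name',
    'credibility_rating', 'policy_identifier', 'application_name',
    'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')

# Three-character delimiter; there is no quoting or escaping in this format.
DELIMITER = '<;>'

INTEGER_COLUMNS = ('credibility_rating', 'credibility_score',
                   'policy_identifier', 'threshold', 'timestamp')

# Constructed sample lines (not real Trend Micro output). The third line has a
# URL that contains the delimiter sequence, which shifts all later columns.
SAMPLE_LOG = (
    '20240101<;>120000<;>0<;>http://example.com/login<;>71<;>Phishing'
    '<;>1<;>3<;>chrome.exe<;>5<;>192.0.2.10<;>50<;>1704110400<;>\n'
    '20240101<;>120130<;>1<;>http://example.org/<;>0<;>Untested'
    '<;>3<;>3<;>chrome.exe<;>80<;>192.0.2.10<;>50<;>1704110490<;>\n'
    '20240101<;>120200<;>0<;>http://evil.example/a<;>b<;>71<;>Malware'
    '<;>1<;>3<;>chrome.exe<;>5<;>192.0.2.11<;>50<;>1704110520<;>\n')


def split_row(line):
    """Splits one log line into a dict keyed by the column names, or returns
    None when the field count does not match (a shifted or truncated line)."""
    fields = line.rstrip('\r\n').split(DELIMITER)
    if len(fields) != len(URL_LOG_COLUMNS):
        return None
    return dict(zip(URL_LOG_COLUMNS, fields))


def verify_row(row):
    """VerifyRow-style check: the row exists and its numeric columns parse."""
    if row is None:
        return False
    try:
        for name in INTEGER_COLUMNS:
            int(row[name])
    except ValueError:
        return False
    return True


def parse_row(row_offset, row):
    """Builds the event data for one verified row. The 'timestamp' column is
    treated as POSIX seconds here; that is an assumption of this example."""
    written_time = datetime.datetime.fromtimestamp(
        int(row['timestamp']), tz=datetime.timezone.utc)
    return {
        'offset': row_offset,
        'application_name': row['application_name'],
        'block_mode': row['block_mode'],
        'credibility_rating': int(row['credibility_rating']),
        'credibility_score': int(row['credibility_score']),
        'group_code': row['group_code'],
        'group_name': row['group_name'],
        'ip': row['ip'],
        'policy_identifier': int(row['policy_identifier']),
        'threshold': int(row['threshold']),
        'url': row['url'],
        'written_time': written_time,
    }


def parse_log(text):
    """Parses every line; returns (events, byte offsets of rejected lines)."""
    events, rejected = [], []
    offset = 0
    for line in text.splitlines(keepends=True):
        row = split_row(line)
        if verify_row(row):
            events.append(parse_row(offset, row))
        else:
            rejected.append(offset)
        offset += len(line.encode('utf-8'))
    return events, rejected


if __name__ == '__main__':
    events, rejected = parse_log(SAMPLE_LOG)
    for event in events:
        print(event['written_time'], event['block_mode'], event['url'])
    print('rejected line offsets:', rejected)
```

Rejected lines are reported by byte offset rather than silently dropped, so an analyst can inspect them: a burst of rejected lines in a log that otherwise parses is worth a look, because it is exactly what a delimiter sequence inside an attacker-influenced field (such as the URL) produces in a format with no escaping.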

plaso.parsers.utmp module

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Linux libc6 utmp event data.

exit_status

exit status.

Type

int

hostname

hostname or IP address.

Type

str

ip_address

IP address from the connection.

Type

str

offset

offset of the utmp record relative to the start of the file, from which the event data was extracted.

Type

int

pid

process identifier (PID).

Type

int

terminal_identifier

inittab identifier.

Type

int

terminal

type of terminal.

Type

str

type

type of login.

Type

int

username

user name.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:utmp:event'
class plaso.parsers.utmp.UtmpParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Linux libc6 utmp files.

DATA_FORMAT = 'Linux libc6 utmp file'
NAME = 'utmp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a utmp file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.
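As an added example, not plaso's own code, the following Python parses the fixed-size records of a 64-bit glibc utmp/wtmp file and pairs logins with logouts the way `last` does. The 384-byte record layout is the one glibc uses on 64-bit Linux (ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit, ut_session, ut_tv with 32-bit seconds and microseconds, ut_addr_v6, reserved bytes); the sample file is constructed in the block itself. The session pairing and the string form of `terminal_identifier` are choices of this example, not of the plaso parser.

```python
import datetime
import ipaddress
import struct

# struct utmp as laid out by glibc on 64-bit Linux: 384 bytes per record.
UTMP_RECORD = struct.Struct('<hxxi32s4s32s256shhiii16s20x')
assert UTMP_RECORD.size == 384

UT_TYPES = {0: 'EMPTY', 1: 'RUN_LVL', 2: 'BOOT_TIME', 3: 'NEW_TIME',
            4: 'OLD_TIME', 5: 'INIT_PROCESS', 6: 'LOGIN_PROCESS',
            7: 'USER_PROCESS', 8: 'DEAD_PROCESS', 9: 'ACCOUNTING'}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstring(raw):
    return raw.split(b'\x00', 1)[0].decode('utf-8', errors='replace')


def _address(raw):
    """ut_addr_v6 holds an IPv4 address in its first 4 bytes or a full IPv6
    address; all zeroes means no address was recorded (local login)."""
    if raw == b'\x00' * 16:
        return None
    if raw[4:] == b'\x00' * 12:
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))


def build_record(ut_type, pid, line, ident, user, host, tv_sec,
                 address='', exit_status=(0, 0)):
    """Packs one record; used here only to construct sample data."""
    packed = ipaddress.ip_address(address).packed if address else b''
    return UTMP_RECORD.pack(ut_type, pid, line.encode(), ident.encode(),
                            user.encode(), host.encode(), exit_status[0],
                            exit_status[1], 0, tv_sec, 0, packed)


def parse_utmp(data):
    """Returns one dict per record, with the fields the event data carries."""
    if not data or len(data) % UTMP_RECORD.size:
        raise ValueError('not a utmp file: size is not a multiple of 384')
    records = []
    for offset in range(0, len(data), UTMP_RECORD.size):
        (ut_type, pid, line, ident, user, host, e_termination, e_exit,
         _session, tv_sec, tv_usec, addr) = UTMP_RECORD.unpack_from(data, offset)
        # tv_sec is a signed 32-bit value in this layout (2038 limit applies).
        written = datetime.datetime.fromtimestamp(
            tv_sec, tz=datetime.timezone.utc)
        written += datetime.timedelta(microseconds=tv_usec)
        records.append({
            'offset': offset,
            'type': ut_type,
            'type_name': UT_TYPES.get(ut_type, 'UNKNOWN'),
            'pid': pid,
            'terminal': _cstring(line),
            'terminal_identifier': _cstring(ident),  # plaso stores these 4 bytes as an int
            'username': _cstring(user),
            'hostname': _cstring(host),
            'ip_address': _address(addr),
            'exit_status': (e_termination, e_exit),
            'written_time': written,
        })
    return records


def pair_sessions(records):
    """Matches each USER_PROCESS login to the next DEAD_PROCESS on the same
    terminal; returns (user, terminal, login_time, logout_time_or_None)."""
    open_logins, sessions = {}, []
    for record in records:
        if record['type'] == USER_PROCESS:
            open_logins[record['terminal']] = record
        elif record['type'] == DEAD_PROCESS and record['terminal'] in open_logins:
            login = open_logins.pop(record['terminal'])
            sessions.append((login['username'], login['terminal'],
                             login['written_time'], record['written_time']))
    for login in open_logins.values():  # still logged in at end of file
        sessions.append((login['username'], login['terminal'],
                         login['written_time'], None))
    return sessions


# Constructed sample wtmp: a boot, an SSH login and its logout an hour later.
T0 = 1704067200  # 2024-01-01T00:00:00Z
SAMPLE_WTMP = b''.join([
    build_record(BOOT_TIME, 0, '~', '~~', 'reboot', '6.1.0-example', T0),
    build_record(USER_PROCESS, 4242, 'pts/0', 'ts/0', 'alice', '203.0.113.7',
                 T0 + 60, address='203.0.113.7'),
    build_record(DEAD_PROCESS, 4242, 'pts/0', 'ts/0', '', '', T0 + 3660),
])

if __name__ == '__main__':
    for user, terminal, login, logout in pair_sessions(parse_utmp(SAMPLE_WTMP)):
        print(user, terminal, login, logout or 'still logged in')
```

Two points an analyst should keep in mind when reading these records: utmp-family files are plain fixed-size arrays with no integrity protection, so an attacker with write access can zero or overwrite their own login record, and a DEAD_PROCESS record carries an empty user name, which is why the pairing above keys on the terminal rather than on the user.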

plaso.parsers.utmpx module

Parser for MacOS utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS utmpx event data.

hostname

hostname or IP address.

Type

str

offset

offset of the utmpx record relative to the start of the file, from which the event data was extracted.

Type

int

pid

process identifier (PID).

Type

int

terminal

name of the terminal.

Type

str

terminal_identifier

inittab identifier.

Type

int

type

type of login.

Type

int

username

user name.

Type

str

written_time

entry written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:utmpx:entry'
class plaso.parsers.utmpx.UtmpxParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Mac OS X 10.5 utmpx files.

DATA_FORMAT = 'Mac OS X 10.5 utmpx file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'utmpx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a utmpx file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

plaso.parsers.windefender_history module

Parser for Windows Defender scan DetectionHistory files.

class plaso.parsers.windefender_history.WinDefenderHistoryParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses a Windows Defender scan DetectionHistory file.

DATA_FORMAT = 'Windows Defender scan DetectionHistory file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'windefender_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Defender History file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.windefender_history.WindowsDefenderHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Defender scan DetectionHistory event data.

additional_filenames

locations of additional detected files.

Type

list[str]

container_filenames

location of files detected inside a container.

Type

list[str]

filename

name of the file that the threat was detected in.

Type

str

host_and_user

name of the host and user in "DOMAIN\USER" format.

Type

str

process

name of the process that caused the detection.

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

sha256

SHA-256 hash of the file.

Type

str

threat_name

name of the threat that was detected.

Type

str

web_filenames

URI of files detected as downloaded from the web.

Type

list[str]

DATA_TYPE = 'av:defender:detection_history'

plaso.parsers.winevt module

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]

Bases: FileObjectParser

Parses Windows EventLog (EVT) files.

DATA_FORMAT = 'Windows EventLog (EVT) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'winevt'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows EventLog (EVT) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows EventLog (EVT) record event data.

creation_time

event record creation date and time.

Type

dfdatetime.DateTimeValues

computer_name

computer name stored in the event record.

Type

str

event_category

event category.

Type

int

event_identifier

event identifier.

Type

int

event_type

event type.

Type

int

facility

event facility.

Type

int

message_identifier

event message identifier.

Type

int

offset

offset of the event record relative to the start of the file, from which the event data was extracted.

Type

int

record_number

event record number.

Type

int

recovered

True if the record was recovered.

Type

bool

severity

event severity.

Type

int

source_name

name of the event source.

Type

str

strings

event strings.

Type

list[str]

user_sid

user security identifier (SID) stored in the event record.

Type

str

written_time

event record written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:evt:record'

plaso.parsers.winevtx module

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]

Bases: FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DATA_FORMAT = 'Windows XML EventLog (EVTX) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'winevtx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevtx.WinEvtxRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows XML EventLog (EVTX) record event data.

creation_time

event record creation date and time.

Type

dfdatetime.DateTimeValues

computer_name

computer name stored in the event record.

Type

str

event_identifier

event identifier.

Type

int

event_level

event level.

Type

int

event_version

event version.

Type

int

message_identifier

event message identifier.

Type

int

offset

offset of the EVTX record relative to the start of the file, from which the event data was extracted.

Type

int

provider_identifier

identifier of the EventLog provider.

Type

str

record_number

event record number.

Type

int

recovered

True if the record was recovered.

Type

bool

source_name

name of the event source.

Type

str

strings

event strings.

Type

list[str]

user_sid

user security identifier (SID) stored in the event record.

Type

str

written_time

event record written date and time.

Type

dfdatetime.DateTimeValues

xml_string

XML representation of the event.

Type

str

DATA_TYPE = 'windows:evtx:record'
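The EVTX parser above relies on a library to decode the binary XML, but the container layout that gives each record its record_number, written_time and recovered flag is simple enough to walk by hand. The following is an added example, not plaso's own code: it parses one 64 KiB EVTX chunk (the "ElfChnk" header, then records starting at offset 512, each with the 0x2a2a signature, size, record identifier, FILETIME and a trailing copy of the size) and flags a record that sits at or beyond the chunk's free-space offset as recovered. The chunk is constructed in the block; its CRC32 checksums are left at zero and the binary XML payload is a placeholder, both of which are simplifications of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

CHUNK_SIGNATURE = b'ElfChnk\x00'
RECORD_SIGNATURE = 0x00002a2a
CHUNK_SIZE = 65536
CHUNK_HEADER_SIZE = 512  # 128-byte header + string-offset and template tables
RECORD_HEADER = struct.Struct('<IIQQ')  # signature, size, record id, FILETIME
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(value):
    delta = value - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_chunk(chunk):
    """Walks the records of one chunk, continuing past the free-space offset
    so that intact records left in unused space are returned as recovered."""
    if chunk[:8] != CHUNK_SIGNATURE:
        raise ValueError('not an EVTX chunk')
    (_first_number, _last_number, _first_id, _last_id, _header_size,
     _last_record_offset, free_space_offset) = struct.unpack_from(
        '<QQQQIII', chunk, 8)
    records, offset = [], CHUNK_HEADER_SIZE
    while offset + RECORD_HEADER.size <= len(chunk):
        signature, size, record_id, filetime = RECORD_HEADER.unpack_from(chunk, offset)
        if (signature != RECORD_SIGNATURE or size < RECORD_HEADER.size + 4
                or offset + size > len(chunk)):
            break
        size_copy, = struct.unpack_from('<I', chunk, offset + size - 4)
        if size_copy != size:  # truncated or overwritten record
            break
        records.append({
            'offset': offset,
            'record_number': record_id,
            'written_time': filetime_to_datetime(filetime),
            'binary_xml': chunk[offset + RECORD_HEADER.size:offset + size - 4],
            'recovered': offset >= free_space_offset,
        })
        offset += size
    return records


def build_record(record_id, written, binary_xml):
    size = RECORD_HEADER.size + len(binary_xml) + 4
    return (RECORD_HEADER.pack(RECORD_SIGNATURE, size, record_id,
                               datetime_to_filetime(written))
            + binary_xml + struct.pack('<I', size))


def build_sample_chunk():
    """Constructed chunk: two live records, plus one stale record left in the
    free space standing in for an old record that was not fully overwritten."""
    body = b'\x0f\x01\x01\x00' + b'\x00' * 12  # placeholder for binary XML
    t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    live = [build_record(101, t, body),
            build_record(102, t + timedelta(seconds=1), body)]
    stale = build_record(57, t - timedelta(days=1), body)
    free_space_offset = CHUNK_HEADER_SIZE + sum(len(r) for r in live)
    header = CHUNK_SIGNATURE + struct.pack(
        '<QQQQIII', 101, 102, 101, 102, 128,
        CHUNK_HEADER_SIZE + len(live[0]), free_space_offset)
    return (header.ljust(CHUNK_HEADER_SIZE, b'\x00')
            + b''.join(live) + stale).ljust(CHUNK_SIZE, b'\x00')


if __name__ == '__main__':
    for record in parse_chunk(build_sample_chunk()):
        print(record['record_number'], record['written_time'],
              'recovered' if record['recovered'] else 'live')
```

A file is a 4 KiB "ElfFile" header followed by such chunks, so a full-file walker is a loop over 64 KiB slices starting at offset 4096. Recovered records are exactly the ones a log-clearing tool tends to leave behind, which is why a timeline built with `recovered` visible is more useful than one built from the live records alone.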

plaso.parsers.winjob module

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Scheduled Task event data.

application

path to job executable.

Type

str

comment

description of the scheduled task.

Type

str

last_run_time

executable (binary) last run date and time.

Type

dfdatetime.DateTimeValues

parameters

application command line parameters.

Type

str

username

username that scheduled the task.

Type

str

working_directory

working directory of the scheduled task.

Type

str

DATA_TYPE = 'windows:tasks:job'
class plaso.parsers.winjob.WinJobParser[source]

Bases: FileObjectParser, DtFabricHelper

Parse Windows Scheduled Task files for job events.

DATA_FORMAT = 'Windows Scheduled Task job (or at-job) file'
NAME = 'winjob'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows job file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises

WrongParser – when the file cannot be parsed.

class plaso.parsers.winjob.WinJobTriggerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Scheduled Task trigger event data.

application

path to job executable.

Type

str

comment

description of the scheduled task.

Type

str

end_time

date and time at which the trigger ends.

Type

dfdatetime.DateTimeValues

parameters

application command line parameters.

Type

str

start_time

date and time at which the trigger starts.

Type

dfdatetime.DateTimeValues

trigger_type

trigger type.

Type

int

username

username that scheduled the task.

Type

str

working_directory

working directory of the scheduled task.

Type

str

DATA_TYPE = 'windows:tasks:trigger'

plaso.parsers.winlnk module

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Shortcut (LNK) link event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

birth_droid_file_identifier

distributed link tracking birth droid file identifier.

Type

str

birth_droid_volume_identifier

distributed link tracking birth droid volume identifier.

Type

str

command_line_arguments

command line arguments.

Type

str

creation_time

file entry creation date and time.

Type

dfdatetime.DateTimeValues

description

description of the linked item.

Type

str

drive_serial_number

drive serial number where the linked item resides.

Type

int

drive_type

drive type where the linked item resided.

Type

str

droid_file_identifier

distributed link tracking droid file identifier.

Type

str

droid_volume_identifier

distributed link tracking droid volume identifier.

Type

str

env_var_location

environment variables location.

Type

str

file_attribute_flags

file attribute flags of the linked item.

Type

int

file_size

size of the linked item.

Type

int

icon_location

icon location.

Type

str

link_target

shell item list of the link target.

Type

str

local_path

local path of the linked item.

Type

str

modification_time

file entry last modification date and time.

Type

dfdatetime.DateTimeValues

network_path

network path of the linked item.

Type

str

relative_path

relative path.

Type

str

volume_label

volume label where the linked item resided.

Type

str

working_directory

working directory.

Type

str

DATA_TYPE = 'windows:lnk:link'
class plaso.parsers.winlnk.WinLnkParser[source]

Bases: FileObjectParser

Parses Windows Shortcut (LNK) files.

DATA_FORMAT = 'Windows Shortcut (LNK) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'lnk'
ParseFileLNKFile(parser_mediator, file_object, display_name)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

  • display_name (str) – display name.

ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.
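Several of the attributes listed for WinLnkLinkEventData (the three FILETIMEs, file_attribute_flags, file_size, relative_path, working_directory, command_line_arguments, icon_location and description) come straight from the ShellLinkHeader and the StringData sections that follow it. As an added example, not plaso's own code, the following Python reads those parts of a shortcut per the MS-SHLLINK layout, skipping a LinkTargetIDList or LinkInfo block when the flags say one is present. The shortcut it parses is constructed inside the block (no IDList, no LinkInfo, Unicode strings) and is not a file Windows produced; the flag and attribute names are the MS-SHLLINK ones.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader: HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand,
# HotKey, Reserved1, Reserved2, Reserved3 (76 bytes in total).
LNK_HEADER = struct.Struct('<I16sIIQQQIiIHHII')
LINK_CLSID = b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46'
LINK_FLAGS = {0x01: 'HasLinkTargetIDList', 0x02: 'HasLinkInfo',
              0x04: 'HasName', 0x08: 'HasRelativePath', 0x10: 'HasWorkingDir',
              0x20: 'HasArguments', 0x40: 'HasIconLocation', 0x80: 'IsUnicode'}
FILE_ATTRIBUTES = {0x01: 'READONLY', 0x02: 'HIDDEN', 0x04: 'SYSTEM',
                   0x10: 'DIRECTORY', 0x20: 'ARCHIVE', 0x80: 'NORMAL'}
# StringData sections appear in this fixed order, each only when its flag is set.
STRING_DATA = ((0x04, 'description'), (0x08, 'relative_path'),
               (0x10, 'working_directory'), (0x20, 'command_line_arguments'),
               (0x40, 'icon_location'))
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_lnk(data):
    if len(data) < LNK_HEADER.size:
        raise ValueError('not a Windows Shortcut (LNK) file: too short')
    (header_size, clsid, link_flags, file_attributes, creation, access, write,
     file_size, icon_index, show_command, hot_key, _r1, _r2,
     _r3) = LNK_HEADER.unpack_from(data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError('not a Windows Shortcut (LNK) file: bad header')
    offset = header_size
    if link_flags & 0x01:  # LinkTargetIDList: uint16 size, then the shell items
        id_list_size, = struct.unpack_from('<H', data, offset)
        offset += 2 + id_list_size
    if link_flags & 0x02:  # LinkInfo: its first uint32 is its own total size
        link_info_size, = struct.unpack_from('<I', data, offset)
        offset += link_info_size
    unicode = bool(link_flags & 0x80)
    strings = {}
    for flag, name in STRING_DATA:  # CountCharacters (uint16) then the chars
        if not link_flags & flag:
            continue
        count, = struct.unpack_from('<H', data, offset)
        offset += 2
        width = 2 if unicode else 1
        raw = data[offset:offset + width * count]
        strings[name] = raw.decode('utf-16-le' if unicode else 'cp1252')
        offset += width * count
    return {
        'link_flags': [n for b, n in LINK_FLAGS.items() if link_flags & b],
        'file_attribute_flags': [n for b, n in FILE_ATTRIBUTES.items()
                                 if file_attributes & b],
        'creation_time': filetime_to_datetime(creation),
        'access_time': filetime_to_datetime(access),
        'modification_time': filetime_to_datetime(write),
        'file_size': file_size,
        'icon_index': icon_index,
        'show_command': show_command,
        'hot_key': hot_key,
        **strings,
    }


def build_sample_lnk():
    """Constructed minimal shortcut: no IDList or LinkInfo, Unicode StringData
    pointing a relative path at PowerShell with hidden-window arguments."""
    flags = 0x08 | 0x10 | 0x20 | 0x80  # RelativePath, WorkingDir, Arguments, Unicode
    delta = datetime(2024, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000
    header = LNK_HEADER.pack(0x4C, LINK_CLSID, flags, 0x20, filetime, filetime,
                             filetime, 448_000, 0, 7, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack('<H', len(text)) + text.encode('utf-16-le')

    return (header
            + string_data(r'..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')
            + string_data(r'C:\Windows\System32')
            + string_data('-w hidden -nop -c "Start-Process notepad.exe"'))


if __name__ == '__main__':
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f'{key}: {value}')
```

The sample deliberately sets ShowCommand to 7 (SW_SHOWMINNOACTIVE): a shortcut whose target is an interpreter, whose arguments ask for a hidden window and whose window is minimised on launch is a combination worth surfacing in triage, and all three values are available from the header and StringData alone.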

plaso.parsers.winprefetch module

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Prefetch event data.

executable

executable filename.

Type

str

format_version

format version.

Type

int

last_run_time

executable (binary) last run date and time.

Type

dfdatetime.DateTimeValues

mapped_files

mapped filenames.

Type

list[str]

number_of_volumes

number of volumes.

Type

int

path_hints

possible full paths to the executable.

Type

list[str]

prefetch_hash

prefetch hash.

Type

int

previous_run_times

previous executable (binary) run date and time.

Type

list[dfdatetime.DateTimeValues]

run_count

run count.

Type

int

volume_device_paths

volume device paths.

Type

list[str]

volume_serial_numbers

volume serial numbers.

Type

list[int]

DATA_TYPE = 'windows:prefetch:execution'
class plaso.parsers.winprefetch.WinPrefetchParser[source]

Bases: FileObjectParser

A parser for Windows Prefetch files.

DATA_FORMAT = 'Windows Prefetch File (PF)'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns

format specification.

Return type

FormatSpecification

NAME = 'prefetch'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Prefetch file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winreg_parser module

Parser for Windows NT Registry (REGF) files.

class plaso.parsers.winreg_parser.WinRegistryParser[source]

Bases: FileObjectParser

Parses Windows NT Registry (REGF) files.

DATA_FORMAT = 'Windows NT Registry (REGF) file'
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters

plugin_includes (set[str]) – names of the plugins to enable, where set(['*']) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'winreg'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Registry file-like object.

Parameters
  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

plaso.parsers.winrestore module

Parser for Windows Restore Point (rp.log) files.

class plaso.parsers.winrestore.RestorePointEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Restore Point event data.

creation_time

creation date and time.

Type

dfdatetime.DateTimeValues

description

description.

Type

str

restore_point_event_type

restore point event type.

Type

str

restore_point_type

restore point type.

Type

str

sequence_number

sequence number.

Type

str

DATA_TYPE = 'windows:restore_point:info'
class plaso.parsers.winrestore.RestorePointLogParser[source]

Bases: FileObjectParser, DtFabricHelper

A parser for Windows Restore Point (rp.log) files.

DATA_FORMAT = 'Windows Restore Point log (rp.log) file'
FILTERS = frozenset({<plaso.parsers.interface.FileNameFileEntryFilter object>})
NAME = 'rplog'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Restore Point (rp.log) log file-like object.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises

WrongParser – when the file cannot be parsed.

Module contents

This file imports Python modules that register parsers.