plaso.parsers package

Subpackages

Submodules

plaso.parsers.android_app_usage module

Parser for the Android usage history (usage-history.xml) files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Android application usage event data.

component

name of the individual component of the application.

Type:

str

last_resume_time

date and time the application was last resumed.

Type:

dfdatetime.DateTimeValues

package

name of the Android application.

Type:

str

DATA_TYPE = 'android:app_usage'
__init__()[source]

Initializes event data.

class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]

Bases: FileObjectParser

Parses the Android usage history (usage-history.xml) file.

DATA_FORMAT = 'Android usage history (usage-history.xml) file'
NAME = 'android_app_usage'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Android usage-history file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.asl module

The Apple System Log (ASL) file parser.

class plaso.parsers.asl.ASLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) event data.

computer_name

name of the host.

Type:

str

extra_information

extra fields associated to the event.

Type:

str

facility

facility.

Type:

str

group_identifier

group identifier (GID).

Type:

int

level

level of criticality of the event.

Type:

str

message

message of the event.

Type:

str

message_identifier

message identifier.

Type:

int

process_identifier

process identifier (PID).

Type:

int

read_group_identifier

the group identifier that can read this file, where -1 represents all.

Type:

int

read_user_identifier

user identifier that can read this file, where -1 represents all.

Type:

int

record_position

position of the event record.

Type:

int

sender

sender or process that created the event.

Type:

str

user_identifier

user identifier (UID).

Type:

int

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:asl:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.asl.ASLFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple System Log (ASL) file event data.

creation_time

creation date and time.

Type:

dfdatetime.DateTimeValues

format_version

ASL file format version.

Type:

int

is_dirty

True if the last log entry offset does not match value in file header and the file is considered dirty.

Type:

bool

DATA_TYPE = 'macos:asl:file'
__init__()[source]

Initializes event data.

class plaso.parsers.asl.ASLParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Apple System Log (ASL) files.

DATA_FORMAT = 'Apple System Log (ASL) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'asl_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ASL file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.bencode_parser module

Parser for bencoded files.

class plaso.parsers.bencode_parser.BencodeFile[source]

Bases: object

Bencode file.

Close()[source]

Closes the file.

GetValues()[source]

Retrieves the values in the root of the bencode file.

Returns:

values.

Return type:

BencodeValues

IsEmpty()[source]

Determines if the bencode file has no values (is empty).

Returns:

True if the bencode file is empty, False otherwise.

Return type:

bool

Open(file_object)[source]

Opens a bencode file.

Parameters:

file_object (dfvfs.FileIO) – file-like object.

Raises:

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

__init__()[source]

Initializes a bencode file.

property keys

names of all the keys.

Type:

Set[str]

class plaso.parsers.bencode_parser.BencodeParser[source]

Bases: FileObjectParser

Parser for bencoded files.

DATA_FORMAT = 'Bencoded file'
NAME = 'bencode'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bencoded file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.bencode_parser.BencodeValues(decoded_values)[source]

Bases: object

Bencode values.

GetDateTimeValue(name)[source]

Retrieves a date and time value.

Parameters:

name (str) – name of the value.

Returns:

date and time or None if not available.

Return type:

dfdatetime.PosixTime

GetDecodedValue(name)[source]

Retrieves a decoded value.

Parameters:

name (str) – name of the value.

Returns:

decoded value or None if not available.

Return type:

object

GetValues()[source]

Retrieves the values.

Yields:

tuple[str, object] – name and decoded value.

__init__(decoded_values)[source]

Initializes bencode values.

Parameters:

decoded_values (collections.OrderedDict[bytes|str, object]) – decoded values.

plaso.parsers.bodyfile module

Parser for the Sleuthkit (TSK) bodyfile format.

Sleuthkit version 3 format: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime 0|/lost+found|11|d/drwx——|0|0|12288|1337961350|1337961350|1337961350|0

More information about the format specifications can be read here:

https://forensics.wiki/bodyfile

class plaso.parsers.bodyfile.BodyfileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Bodyfile event data.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type:

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

filename

name of the file.

Type:

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type:

int

inode

“inode” of the file. Note that inode is an overloaded term in the context of a bodyfile and used for MFT entry index values as well.

Type:

int

md5

MD5 hash of the file content, formatted as a hexadecimal string.

Type:

str

mode_as_string

protection mode.

Type:

str

modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

offset

number of the corresponding line, from which the event data was extracted.

Type:

int

owner_identifier

user identifier (UID or SID) of the owner.

Type:

str

size

size of the file content.

Type:

int

path of the symbolic link target.

Type:

str

DATA_TYPE = 'fs:bodyfile:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.bodyfile.BodyfileParser[source]

Bases: FileObjectParser

SleuthKit bodyfile parser.

DATA_FORMAT = 'SleuthKit version 3 bodyfile'
NAME = 'bodyfile'
ParseFileObject(parser_mediator, file_object)[source]

Parses a bodyfile file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.bsm module

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Basic Security Module (BSM) audit event data.

event_type

identifier that represents the type of the event.

Type:

int

extra_tokens

event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

Type:

list[dict[str, dict[str, str]]]

offset

offset of the BSM record relative to the start of the file, from which the event data was extracted.

Type:

int

record_length

record length in bytes (trailer number).

Type:

int

return_value

processed return value and exit status.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'bsm:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.bsm.BSMParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Basic Security Module (BSM) event auditing files.

DATA_FORMAT = 'Basic Security Module (BSM) event auditing file'
NAME = 'bsm_log'
ParseFileObject(parser_mediator, file_object)[source]

Parses a BSM file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.chrome_cache module

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]

Bases: object

Chrome cache address.

block_number

block data file number.

Type:

int

block_offset

offset within the block data file.

Type:

int

block_size

block size.

Type:

int

filename

name of the block data file.

Type:

str

value

cache address.

Type:

int

FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_4096 = 4
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_SEPARATE = 0
__init__(cache_address)[source]

Initializes a cache address.

Parameters:

cache_address (int) – cache address.

class plaso.parsers.chrome_cache.CacheEntry[source]

Bases: object

Chrome cache entry.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type:

int

hash

super fast hash of the key.

Type:

int

key

key.

Type:

bytes

next

cache address of the next cache entry.

Type:

int

original_url

original URL derived from the key.

Type:

str

payloads

filenames (and offsets) of the cache payloads.

Type:

[str]

rankings_node

cache address of the rankings node.

Type:

int

__init__()[source]

Initializes a cache entry.

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]

Parses a cache entry.

Parameters:

  • file_object (dfvfs.FileIO) – a file-like object to read from.

  • block_offset (int) – block offset of the cache entry.

Returns:

cache entry.

Return type:

CacheEntry

Raises:

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:

  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises:

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Cache event data.

creation_time

creation date and time of the cache entry.

Type:

dfdatetime.DateTimeValues

original_url

original URL.

Type:

str

payloads

filenames (and offsets) of the cache payloads.

Type:

[str]

DATA_TYPE = 'chrome:cache:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]

Bases: FileObjectParser, DtFabricHelper

Chrome cache index file parser.

creation_time

creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.

Type:

int

index_table

the cache addresses which are stored in the index file.

Type:

list[CacheAddress]

ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:

  • parser_mediator (ParserMediator) – a parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises:

ParseError – when the file cannot be parsed.

__init__()[source]

Initializes an index file.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]

Bases: FileEntryParser

Parses Chrome Cache files.

DATA_FORMAT = 'Google Chrome or Chromium Cache file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'chrome_cache'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses Chrome Cache files.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – file entry.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes a Chrome Cache files parser.

plaso.parsers.chrome_preferences module

A parser for the Chrome Preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome content settings exceptions event data.

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

permission

permission.

Type:

str

primary_url

primary URL.

Type:

str

secondary_url

secondary URL.

Type:

str

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
__init__()[source]

Initializes event data.

class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome extension event data.

extension_identifier

extension identifier.

Type:

str

extension_name

extension name.

Type:

str

installation_time

date and time the Chrome extension was installed.

Type:

dfdatetime.DateTimeValues

path

path.

Type:

str

DATA_TYPE = 'chrome:preferences:extension_installation'
__init__()[source]

Initializes event data.

class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Chrome Extension Autoupdater event data.

message

message.

Type:

str

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
__init__()[source]

Initializes event data.

class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]

Bases: FileObjectParser

Parses Chrome Preferences files.

DATA_FORMAT = 'Google Chrome Preferences file'
NAME = 'chrome_preferences'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Chrome preferences file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})

plaso.parsers.cups_ipp module

The CUPS IPP files parser.

CUPS IPP version 1.0: * https://datatracker.ietf.org/doc/html/rfc2565 * https://datatracker.ietf.org/doc/html/rfc2566 * https://datatracker.ietf.org/doc/html/rfc2567 * https://datatracker.ietf.org/doc/html/rfc2568 * https://datatracker.ietf.org/doc/html/rfc2569 * https://datatracker.ietf.org/doc/html/rfc2639

CUPS IPP version 1.1: * https://datatracker.ietf.org/doc/html/rfc2910 * https://datatracker.ietf.org/doc/html/rfc2911 * https://datatracker.ietf.org/doc/html/rfc3196 * https://datatracker.ietf.org/doc/html/rfc3510

CUPS IPP version 2.0: * N/A

class plaso.parsers.cups_ipp.CupsIppEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

CUPS IPP event data.

application

application that prints the document.

Type:

str

computer_name

name of the computer.

Type:

str

copies

number of copies.

Type:

int

creation_time

date and time the print job was created (added).

Type:

dfdatetime.DateTimeValues

doc_type

type of document.

Type:

str

end_time

date and time the print job was stopped.

Type:

dfdatetime.DateTimeValues

job_id

job identifier.

Type:

str

job_name

job name.

Type:

str

owner

real name of the user.

Type:

str

printer_id

identification name of the print.

Type:

str

start_time

date and time the print job was started.

Type:

dfdatetime.DateTimeValues

uri

URL of the CUPS service.

Type:

str

user

system user name.

Type:

str

DATA_TYPE = 'cups:ipp:event'
__init__()[source]

Initializes event data.

class plaso.parsers.cups_ipp.CupsIppParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for CUPS IPP files.

DATA_FORMAT = 'CUPS IPP file'
NAME = 'cups_ipp'
ParseFileObject(parser_mediator, file_object)[source]

Parses a CUPS IPP file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes a CUPS IPP file parser.

plaso.parsers.custom_destinations module

Parser for custom destinations jump list (.customDestinations-ms) files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses custom destinations jump list (.customDestinations-ms) files.

DATA_FORMAT = 'Custom destinations jump list (.customDestinations-ms) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'custom_destinations'
ParseFileObject(parser_mediator, file_object)[source]

Parses a .customDestinations-ms file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.czip module

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser[source]

Bases: FileObjectParser

Shared functionality for parsing compound ZIP files.

Compound ZIP files are ZIP files used as containers to create another file format, as opposed to archives of unrelated files.

DATA_FORMAT = 'Compound ZIP file'
NAME = 'czip'
ParseFileObject(parser_mediator, file_object)[source]

Parses a compound ZIP file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.dsv_parser module

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser[source]

Bases: FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []
DELIMITER = ','
ESCAPE_CHARACTER = ''
FIELD_SIZE_LIMIT = 131072
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NUMBER_OF_HEADER_LINES = 0
ParseFileObject(parser_mediator, file_object)[source]

Parses a DSV text file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

abstractmethod ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = '"'
abstractmethod VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

__init__()[source]

Initializes a delimiter separated values (DSV) parser.

plaso.parsers.esedb module

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]

Bases: BasePluginCache

A cache storing query results for ESEDB plugins.

class plaso.parsers.esedb.ESEDBParser[source]

Bases: FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DATA_FORMAT = 'Extensible Storage Engine (ESE) Database File (EDB) format'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'esedb'
ParseFileObject(parser_mediator, file_object)[source]

Parses an ESE database file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.esedb.ESEDatabase[source]

Bases: object

Extensible Storage Engine (ESE) database.

Close()[source]

Closes the database.

GetTableByName(name)[source]

Retrieves a table by its name.

Parameters:

name (str) – name of the table.

Returns:

the table with the corresponding name or None if there is

no table with the name.

Return type:

pyesedb.table

Open(file_object)[source]

Opens an Extensible Storage Engine (ESE) database file.

Parameters:

file_object (dfvfs.FileIO) – file-like object.

Raises:

  • OSError – if the file-like object cannot be read.

  • ValueError – if the file-like object is missing.

__init__()[source]

Initializes an Extensible Storage Engine (ESE) database.

property tables

names of all the tables.

Type:

List[str]

plaso.parsers.filestat module

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

File system stat event data.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

added_time

file entry added date and time.

Type:

dfdatetime.DateTimeValues

attribute_names

extended attribute names.

Type:

[str]

backup_time

file entry backup date and time.

Type:

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type:

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

deletion_time

file entry deletion date and time.

Type:

dfdatetime.DateTimeValues

display_name

display name.

Type:

str

file_entry_type

dfVFS file entry type.

Type:

int

file_size

file size in bytes.

Type:

int

file_system_type

file system type.

Type:

str

filename

name of the file.

Type:

str

group_identifier

group identifier (GID), equivalent to st_gid.

Type:

int

inode

inode of the file.

Type:

int

is_allocated

True if the file is allocated.

Type:

bool

mode

access mode, equivalent to st_mode & 0x0fff.

Type:

int

modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

number of hard links, equivalent to st_nlink.

Type:

int

owner_identifier

user identifier (UID) of the owner, equivalent to st_uid.

Type:

int

DATA_TYPE = 'fs:stat'
__init__()[source]

Initializes event data.

class plaso.parsers.filestat.FileStatParser[source]

Bases: FileEntryParser

Parses file system stat object.

DATA_FORMAT = 'file system stat information'
NAME = 'filestat'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]

Bases: FileObjectParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 2 files (Firefox 32 or later).

DATA_FORMAT = 'Mozilla Firefox Cache version 2 file (version 32 or later)'
NAME = 'firefox_cache2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Firefox cache event data.

data_size

size of the cached data.

Type:

int

expiration_time

date and time the cache entry expires.

Type:

dfdatetime.DateTimeValues

fetch_count

number of times the cache entry was fetched.

Type:

int

frequency

???

Type:

int

info_size

size of the metadata.

Type:

int

last_fetched_time

date and time the cache entry was last fetched.

Type:

dfdatetime.DateTimeValues

last_modified_time

date and time the cache entry was last modified.

Type:

dfdatetime.DateTimeValues

location

???

Type:

str

request_method

HTTP request method.

Type:

str

request_size

HTTP request byte size.

Type:

int

response_code

HTTP response code.

Type:

int

url

URL of original content.

Type:

str

version

cache format version.

Type:

str

DATA_TYPE = 'firefox:cache:record'
__init__()[source]

Initializes event data.

class plaso.parsers.firefox_cache.FirefoxCacheParser[source]

Bases: BaseFirefoxCacheParser, DtFabricHelper

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DATA_FORMAT = 'Mozilla Firefox Cache version 1 file (version 31 or earlier)'
FIREFOX_CACHE_CONFIG

alias of firefox_cache_config

NAME = 'firefox_cache'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Firefox cache file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.fish_history module

Parser for fish history files.

class plaso.parsers.fish_history.FishHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Fish history log event data.

command

command that was executed.

Type:

str

written_time

date and time the entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'fish:history:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.fish_history.FishHistoryParser[source]

Bases: FileObjectParser

Parses events from Fish history files.

DATA_FORMAT = 'Fish history file'
NAME = 'fish_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses a fish history file from a file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.fseventsd module

Parsers for MacOS fseventsd files.

Also see:

https://github.com/libyal/dtformats/blob/main/documentation/MacOS%20File%20System%20Events%20Disk%20Log%20Stream%20format.asciidoc

class plaso.parsers.fseventsd.FseventsdEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS file system event (fseventsd) event data.

event_identifier

the record event identifier.

Type:

int

file_entry_modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

flags

flags stored in the record.

Type:

int

node_identifier

file system node identifier related to the file system event.

Type:

int

path

path recorded in the fseventsd record.

Type:

str

DATA_TYPE = 'macos:fseventsd:record'
__init__()[source]

Initializes an Fseventsd event data.

class plaso.parsers.fseventsd.FseventsdParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files.

DATA_FORMAT = 'MacOS File System Events Disk Log Stream (fseventsd) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'fseventsd'
ParseFileObject(parser_mediator, file_object)[source]

Parses an fseventsd file.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the header cannot be parsed.

plaso.parsers.interface module

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]

Bases: object

File entry filter interface.

abstractmethod Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters:

file_entry (dfvfs.FileEntry) – a file entry.

Returns:

True if the file entry matches the filter.

Return type:

bool

class plaso.parsers.interface.BaseParser[source]

Bases: object

The parser interface.

ALL_PLUGINS = {'*'}
DATA_FORMAT = ''
classmethod DeregisterPlugin(plugin_class)[source]

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters:

plugin_class (type) – class of the plugin.

Raises:

KeyError – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters:

plugin_includes (set[str]) – names of the plugins to enable, where set([‘*’]) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset({})
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

a format specification or None if not available.

Return type:

FormatSpecification

classmethod GetPluginNames()[source]

Retrieves the names of registered plugins.

Returns:

names of the plugins.

Return type:

list[str]

classmethod GetPluginObjectByName(plugin_name)[source]

Retrieves a specific plugin object by its name.

Parameters:

plugin_name (str) – name of the plugin.

Returns:

a plugin object or None if not available.

Return type:

BasePlugin

classmethod GetPlugins()[source]

Retrieves the registered plugins.

Yields:

tuple[str, type] – name and class of the plugin.

NAME = 'base_parser'
classmethod RegisterPlugin(plugin_class)[source]

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters:

plugin_class (type) – class of the plugin.

Raises:

KeyError – if plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]

Registers plugin classes.

Parameters:

plugin_classes (list[type]) – classes of plugins.

Raises:

KeyError – if plugin class is already set for the corresponding name.

classmethod SupportsPlugins()[source]

Determines if a parser supports plugins.

Returns:

True if the parser supports plugins.

Return type:

bool

__init__()[source]

Initializes a parser.

By default all plugins will be enabled. To only enable specific plugins use the EnablePlugins method and pass it a list of strings containing the names of the plugins to enable.

The default plugin, named “{self.NAME:s}_default”, if it exists, is always enabled and cannot be disabled.

class plaso.parsers.interface.FileEntryParser[source]

Bases: BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]

Parses a file entry.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

Raises:

WrongParser – when the file cannot be parsed.

abstractmethod ParseFileEntry(parser_mediator, file_entry)[source]

Parses a file entry.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]

Bases: BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]

Determines if a file entry matches the filter.

Parameters:

file_entry (dfvfs.FileEntry) – a file entry.

Returns:

True if the file entry matches the filter.

Return type:

bool

__init__(filename)[source]

Initializes a file entry filter.

Parameters:

filename (str) – name of the file.

class plaso.parsers.interface.FileObjectParser[source]

Bases: BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]

Parses a single file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises:

WrongParser – when the file cannot be parsed.

abstractmethod ParseFileObject(parser_mediator, file_object)[source]

Parses a file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.ios_discord module

Parser for iOS Discord message (JSON) files.

class plaso.parsers.ios_discord.IOSDiscordMessageEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS discord message event data.

attachment_name

The attachment filename.

Type:

str

attachment_proxy_urls

The attachment proxy URL.

Type:

str

attachment_size

The attachment size.

Type:

int

attachment_type

The attachment type.

Type:

str

channel_identifier

identifier of the user channel.

Type:

str

content

Message content.

Type:

str

edited_timestamp

Message edit time.

Type:

str

sent_time

Message timestamp.

Type:

dfdatetime.DateTimeValues

user_identifier

ID of the message author.

Type:

str

username

The username of the message sender.

Type:

str

DATA_TYPE = 'ios:discord:message'
__init__()[source]

Initializes event data.

class plaso.parsers.ios_discord.IOSDiscordParser[source]

Bases: FileObjectParser

Parses iOS discord message files.

DATA_FORMAT = 'iOS discord message'
NAME = 'discord_ios'
ParseFileObject(parser_mediator, file_object)[source]

Parses a iOS discord message file.

REQUIRED_MESSAGE_KEYS = frozenset({'attachments', 'author', 'channel_id', 'content', 'timestamp'})

plaso.parsers.java_idx module

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Java IDX cache file event data.

downloaded_time

date and time the content was downloaded.

Type:

dfdatetime.DateTimeValues

expiration_time

date and time the cached download expires.

Type:

dfdatetime.DateTimeValues

idx_version

format version of IDX file.

Type:

str

ip_address

IP address of the host in the URL.

Type:

str

modification_time

date and time the cached download expires.

Type:

dfdatetime.DateTimeValues

url

URL of the downloaded file.

Type:

str

DATA_TYPE = 'java:download:idx'
__init__()[source]

Initializes event data.

class plaso.parsers.java_idx.JavaIDXParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable-lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

DATA_FORMAT = 'Java WebStart Cache IDX file'
NAME = 'java_idx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Java WebStart Cache IDX file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object to parse.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.jsonl_parser module

Base parser for line-based JSON (JSON-L) log formats.

class plaso.parsers.jsonl_parser.JSONLParser[source]

Bases: FileObjectParser

Base parser for line-based JSON (JSON-L) log formats.

DATA_FORMAT = 'JSON-L log file'
NAME = 'jsonl'
ParseFileObject(parser_mediator, file_object)[source]

Parses a line-based JSON (JSON-L) log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.locate module

Parser for locate database (updatedb) files.

class plaso.parsers.locate.LocateDatabaseEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

Linux locate database (updatedb) event data.

entries

contents of the locate database (updatedb) entry.

Type:

list[str]

path

path of the locate database (updatedb) entry.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:locate_database:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.locate.LocateDatabaseParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for locate database (updatedb) files.

DATA_FORMAT = 'Locate database file (updatedb)'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'locate_database'
ParseFileObject(parser_mediator, file_object, **kwargs)[source]

Parses a locate database (updatedb) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises:

WrongParser – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

__init__()[source]

Initializes a locate database (updatedb) file parser.

plaso.parsers.logger module

The parsers sub module logger.

plaso.parsers.macos_keychain module

Parser for MacOS keychain database files.

class plaso.parsers.macos_keychain.KeychainApplicationRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS keychain application password record event data.

account_name

name of the account.

Type:

str

comments

comments added by the user.

Type:

str

creation_time

creation date and time of the keychain record.

Type:

dfdatetime.DateTimeValues

entry_name

name of the entry.

Type:

str

modification_time

modification date and time of the keychain record.

Type:

dfdatetime.DateTimeValues

ssgp_hash

password/certificate hash formatted as a hexadecimal string.

Type:

str

text_description

description.

Type:

str

DATA_TYPE = 'macos:keychain:application'
__init__()[source]

Initializes event data.

class plaso.parsers.macos_keychain.KeychainDatabaseColumn[source]

Bases: object

MacOS keychain database column.

attribute_data_type

attribute (data) type.

Type:

int

attribute_identifier

attribute identifier.

Type:

int

attribute_name

attribute name.

Type:

str

__init__()[source]

Initializes a MacOS keychain database column.

class plaso.parsers.macos_keychain.KeychainDatabaseTable[source]

Bases: object

MacOS keychain database table.

columns

columns.

Type:

list[KeychainDatabaseColumn]

records

records.

Type:

list[dict[str, str]]

relation_identifier

relation identifier.

Type:

int

relation_name

relation name.

Type:

str

__init__()[source]

Initializes a MacOS keychain database table.

class plaso.parsers.macos_keychain.KeychainInternetRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS keychain internet record event data.

account_name

name of the account.

Type:

str

comments

comments added by the user.

Type:

str

creation_time

creation date and time of the keychain record.

Type:

dfdatetime.DateTimeValues

entry_name

name of the entry.

Type:

str

modification_time

modification date and time of the keychain record.

Type:

dfdatetime.DateTimeValues

protocol

internet protocol used, for example “https”.

Type:

str

ssgp_hash

password/certificate hash formatted as a hexadecimal string.

Type:

str

text_description

description.

Type:

str

type_protocol

sub-protocol used, for example “form”.

Type:

str

where

domain name or IP where the password is used.

Type:

str

DATA_TYPE = 'macos:keychain:internet'
__init__()[source]

Initializes event data.

class plaso.parsers.macos_keychain.KeychainParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for MacOS keychain database files.

DATA_FORMAT = 'MacOS keychain database file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'mac_keychain'
ParseFileObject(parser_mediator, file_object)[source]

Parses a MacOS keychain file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.manager module

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]

Bases: object

The parsers and plugins manager.

ALL_PLUGINS = {'*'}
classmethod CheckFilterExpression(parser_filter_expression)[source]

Checks parser and plugin names in a parser filter expression.

Parameters:

parser_filter_expression (str) –

parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns:

containing:

  • set(str): parser filter expression elements that contain known parser

    and/or plugin names.

  • set(str): parser filter expression elements that contain unknown parser

    and/or plugin names.

Return type:

tuple

classmethod CreateSignatureScanner(specification_store)[source]

Creates a signature scanner for format specifications with signatures.

Parameters:

specification_store (FormatSpecificationStore) – format specifications with signatures.

Returns:

signature scanner.

Return type:

pysigscan.scanner

classmethod DeregisterParser(parser_class)[source]

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters:

parser_class (type) – parser class (subclass of BaseParser).

Raises:

KeyError – if parser class is not set for the corresponding name.

classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters:

parser_filter_expression (Optional[str]) –

parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns:

containing:

  • FormatSpecificationStore: format specifications with signatures.

  • list[str]: names of parsers that do not have format specifications with

    signatures, or have signatures but also need to be applied ‘brute force’.

Return type:

tuple

classmethod GetNamesOfParsersWithPlugins()[source]

Retrieves the names of all parsers with plugins.

Returns:

names of all parsers with plugins.

Return type:

list[str]

classmethod GetParserObjects(parser_filter_expression=None)[source]

Retrieves the parser objects.

Parameters:

parser_filter_expression (Optional[str]) –

parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns:

parsers per name.

Return type:

dict[str, BaseParser]

classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]

Retrieves the parser plugins information.

Parameters:

parser_filter_expression (Optional[str]) –

parser filter expression, where None represents all parsers and plugins.

A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.

This function does not support presets, and requires a parser filter expression where presets have been expanded.

Returns:

pairs of parser plugin names and descriptions.

Return type:

list[tuple[str, str]]

classmethod GetParsersInformation()[source]

Retrieves the parsers information.

Returns:

parser names and descriptions.

Return type:

list[tuple[str, str]]

classmethod RegisterParser(parser_class)[source]

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters:

parser_class (type) – parser class (subclass of BaseParser).

Raises:

KeyError – if parser class is already set for the corresponding name.

classmethod RegisterParsers(parser_classes)[source]

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters:

parser_classes (list[type]) – parsers classes (subclasses of BaseParser).

Raises:

KeyError – if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

McAfee AV Log event data.

action

action.

Type:

str

filename

filename.

Type:

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type:

int

rule

rule.

Type:

str

status

status.

Type:

str

trigger_location

trigger location.

Type:

str

username

username.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'av:mcafee:accessprotectionlog'
__init__()[source]

Initializes event data.

class plaso.parsers.mcafeeav.McafeeAccessProtectionParser[source]

Bases: DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']
DATA_FORMAT = 'McAfee Anti-Virus access protection log file'
DELIMITER = '\t'
NAME = 'mcafee_protection'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.mediator module

The parser mediator.

class plaso.parsers.mediator.ParserMediator(registry_find_specs=None, resolver_context=None, system_configurations=None)[source]

Bases: object

Parser mediator.

last_activity_timestamp

timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

Type:

int

parsers_counter

number of events per parser or parser plugin.

Type:

collections.Counter

registry_find_specs

Windows Registry find specifications.

Type:

list[dfwinreg.FindSpec]

AddDateLessLogHelper(date_less_log_helper)[source]

Adds a date-less log helper.

Parameters:

date_less_log_helper (DateLessLogHelper) – date-less log helper.

AddWindowsEventLogMessageFile(message_file)[source]

Adds a Windows EventLog message file.

Parameters:

message_file (WindowsEventLogMessageFileArtifact) – Windows EventLog message file.

AddWindowsEventLogMessageString(message_string)[source]

Adds a Windows EventLog message string.

Parameters:

message_string (WindowsEventLogMessageStringArtifact) – Windows EventLog message string.

AddWindowsWevtTemplateEvent(event_definition)[source]

Adds a Windows WEVT_TEMPLATE event definition.

Parameters:

event_definition (WindowsWevtTemplateEvent) – Windows WEVT_TEMPLATE event definition.

AppendToParserChain(name)[source]

Adds a parser or parser plugin to the parser chain.

Parameters:

name (str) – name of a parser or parser plugin.

ClearParserChain()[source]

Clears the parser chain.

ExpandWindowsPath(path)[source]

Expands a Windows path containing environment variables.

Parameters:

path (str) – Windows path with environment variables.

Returns:

expanded Windows path.

Return type:

str

GetCodePage()[source]

Retrieves the code page related to the file entry.

Returns:

code page.

Return type:

str

GetCurrentYear()[source]

Retrieves current year.

Returns:

the current year.

Return type:

int

GetDisplayName(file_entry=None)[source]

Retrieves the display name for a file entry.

Parameters:

file_entry (Optional[dfvfs.FileEntry]) – file entry object, where None will use the active file entry.

Returns:

human readable string that describes the path to the file entry.

Return type:

str

Raises:

ValueError – if the file entry is missing.

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters:

path_spec (dfvfs.PathSpec) – path specification.

Returns:

human readable version of the path specification.

Return type:

str

GetFileEntry()[source]

Retrieves the active file entry.

Returns:

file entry or None if not available.

Return type:

dfvfs.FileEntry

GetFilename()[source]

Retrieves the name of the active file entry.

Returns:

name of the active file entry or None.

Return type:

str

GetLanguageTag()[source]

Retrieves the language tag related to the file entry.

Returns:

code page.

Return type:

str

GetParserChain()[source]

Retrieves the current parser chain.

Returns:

parser chain.

Return type:

str

GetRelativePath()[source]

Retrieves the relative path of the current file entry.

Returns:

relative path of the current file entry or None if no current

file entry.

Return type:

str

GetRelativePathForPathSpec(path_spec)[source]

Retrieves the relative path for a path specification.

Parameters:

path_spec (dfvfs.PathSpec) – path specification.

Returns:

relative path of the path specification.

Return type:

str

GetWindowsEventLogMessageFile()[source]

Retrieves the Windows EventLog message file for a specific path.

Returns:

Windows EventLog message file or None

if no current file entry or no Windows EventLog message file was found.

Return type:

WindowsEventLogMessageFileArtifact

PopFromParserChain()[source]

Removes the last added parser or parser plugin from the parser chain.

ProduceEventData(event_data)[source]

Produces event data.

Parameters:

event_data (EventData) – event data.

Raises:

RuntimeError – when storage writer is not set.

ProduceEventDataStream(event_data_stream)[source]

Produces an event data stream.

Parameters:

event_data_stream (EventDataStream) – an event data stream or None if no event data stream is needed.

Raises:

RuntimeError – when storage writer is not set.

ProduceEventSource(event_source)[source]

Produces an event source.

Parameters:

event_source (EventSource) – an event source.

Raises:

RuntimeError – when storage writer is not set.

ProduceExtractionWarning(message, path_spec=None)[source]

Produces an extraction warning.

Parameters:

  • message (str) – message of the warning.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.

Raises:

RuntimeError – when storage writer is not set.

ProduceRecoveryWarning(message, path_spec=None)[source]

Produces a recovery warning.

Parameters:

  • message (str) – message of the warning.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.

Raises:

RuntimeError – when storage writer is not set.

ResetFileEntry()[source]

Resets the active file entry.

SampleFormatCheckStartTiming(parser_name)[source]

Starts timing a CPU time sample for profiling.

Parameters:

parser_name (str) – name of the parser.

SampleFormatCheckStopTiming(parser_name)[source]

Stops timing a CPU time sample for profiling.

Parameters:

parser_name (str) – name of the parser.

SampleMemoryUsage(parser_name)[source]

Takes a sample of the memory usage for profiling.

Parameters:

parser_name (str) – name of the parser.

SampleStartTiming(parser_name)[source]

Starts timing a CPU time sample for profiling.

Parameters:

parser_name (str) – name of the parser.

SampleStopTiming(parser_name)[source]

Stops timing a CPU time sample for profiling.

Parameters:

parser_name (str) – name of the parser.

SetExtractWinEvtResources(extract_winevt_resources)[source]

Sets value to extract Windows EventLog resources.

Parameters:

extract_winevt_resources (bool) – True if Windows EventLog resources should be extracted.

SetExtractWinRegBinaryValues(extract_winreg_binary_values)[source]

Sets value to extract Windows Registry binary values.

Parameters:

extract_winreg_binary_values (bool) – True if Windows Registry binary values should be extracted.

SetFileEntry(file_entry)[source]

Sets the active file entry.

Parameters:

file_entry (dfvfs.FileEntry) – file entry.

SetPreferredCodepage(code_page)[source]

Sets the preferred code page.

Parameters:

code_page (str) – code page.

SetPreferredLanguage(language_tag)[source]

Sets the preferred language.

Parameters:

language_tag (str) – language tag such as “en-US” for US English or “is-IS” for Icelandic or None if the language determined by preprocessing or the default should be used.

Raises:

ValueError – if the language tag is not a string type or no LCID can be determined that corresponds with the language tag.

SetStorageWriter(storage_writer)[source]

Sets the storage writer.

Parameters:

storage_writer (StorageWriter) – storage writer.

SetTemporaryDirectory(temporary_directory)[source]

Sets the directory to store temporary files.

Parameters:

temporary_directory (str) – path of the directory to store temporary files.

SetWindowsEventLogProviders(windows_event_log_providers)[source]

Sets the Windows EventLog providers.

Rags:
windows_event_log_providers (list[WindowsEventLogProviderArtifact]):

Windows EventLog providers.

SignalAbort()[source]

Signals the parsers to abort.

StartProfiling(configuration, identifier, process_information)[source]

Starts profiling.

Parameters:

  • configuration (ProfilingConfiguration) – profiling configuration.

  • identifier (str) – identifier of the profiling session used to create the sample filename.

  • process_information (ProcessInfo) – process information.

StopProfiling()[source]

Stops profiling.

__init__(registry_find_specs=None, resolver_context=None, system_configurations=None)[source]

Initializes a parser mediator.

Parameters:

  • registry_find_specs (Optional[list[dfwinreg.FindSpec]]) – Windows Registry find specifications.

  • resolver_context (Optional[dfvfs.Context]) – resolver context.

  • system_configurations (Optional[list[SystemConfigurationArtifact]]) – system configurations.

property abort

True if parsing should be aborted.

Type:

bool

property extract_winevt_resources

extract Windows EventLog resources.

Type:

bool

property extract_winreg_binary_values

extract Windows Registry binary values.

Type:

bool

property number_of_produced_event_data

number of produced event data.

Type:

int

property number_of_produced_event_sources

number of produced event sources.

Type:

int

property number_of_produced_extraction_warnings

number of produced extraction warnings.

Type:

int

property resolver_context

resolver context.

Type:

dfvfs.Context

property temporary_directory

path of the directory for temporary files.

Type:

str

plaso.parsers.msiecf module

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF leak event data.

cached_filename

name of the cached file.

Type:

str

cached_file_size

size of the cached file.

Type:

int

cache_directory_index

index of the cache directory.

Type:

int

cache_directory_name

name of the cache directory.

Type:

str

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type:

int

recovered

True if the item was recovered.

Type:

bool

DATA_TYPE = 'msiecf:leak'
__init__()[source]

Initializes event data.

class plaso.parsers.msiecf.MSIECFParser[source]

Bases: FileObjectParser

Parses MSIE Cache Files (MSIECF).

DATA_FORMAT = 'Microsoft Internet Explorer (MSIE) 4 - 9 cache (index.dat) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'msiecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses a MSIE Cache File (MSIECF) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF redirected event data.

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type:

int

recovered

True if the item was recovered.

Type:

bool

url

location URL.

Type:

str

DATA_TYPE = 'msiecf:redirected'
__init__()[source]

Initializes event data.

class plaso.parsers.msiecf.MSIECFURLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIECF URL event data.

access_time

date and time the MSIECF item was last accessed.

Type:

dfdatetime.DateTimeValues

cached_filename

name of the cached file.

Type:

str

cached_file_size

size of the cached file.

Type:

int

cache_directory_index

index of the cache directory.

Type:

int

cache_directory_name

name of the cache directory.

Type:

str

creation_time

date and time the MSIECF item was created.

Type:

dfdatetime.DateTimeValues

expiration_time

date and time the MSIECF item expires.

Type:

dfdatetime.DateTimeValues

http_headers

HTTP headers.

Type:

str

modification_time

date and time the MSIECF item was last modified.

Type:

dfdatetime.DateTimeValues

last_visited_time

date and time the MSIECF item was last visited.

Type:

dfdatetime.DateTimeValues

number_of_hits

number of hits.

Type:

int

offset

offset of the MSIECF item relative to the start of the file, from which the event data was extracted.

Type:

int

primary_time

unspecified primary date and time of the MSIECF item.

Type:

dfdatetime.DateTimeValues

recovered

True if the item was recovered.

Type:

bool

secondary_time

unspecified secondary date and time of the MSIECF item.

Type:

dfdatetime.DateTimeValues

synchronization_time

synchronization date and time.

Type:

dfdatetime.DateTimeValues

url

location URL.

Type:

str

DATA_TYPE = 'msiecf:url'
__init__()[source]

Initializes event data.

plaso.parsers.networkminer module

Parser for NetworkMiner .fileinfos files.

class plaso.parsers.networkminer.NetworkMinerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NetworkMiner event Data.

destination_ip

Destination IP address.

Type:

str

destination_port

Destination port number.

Type:

str

file_details

Details about the file.

Type:

string

file_md5

MD5 hash of the file.

Type:

string

file_path

File path to where it was downloaded.

Type:

string

file_size

Size of the file.

Type:

string

filename

Name of the file.

Type:

string

source_ip

Originating IP address.

Type:

str

source_port

Originating port number.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'networkminer:fileinfos:file'
class plaso.parsers.networkminer.NetworkMinerParser[source]

Bases: DSVParser

Parser for NetworkMiner .fileinfos files.

COLUMNS = ('source_ip', 'source_port', 'destination_ip', 'destination_port', 'filename', 'file_path', 'file_size', 'unused', 'file_md5', 'unused2', 'file_details', 'unused4', 'timestamp')
DATA_FORMAT = 'NetworkMiner .fileinfos file'
NAME = 'networkminer_fileinfo'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – line number of the row.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.ntfs module

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NTFS file system stat event data.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

attribute_type

attribute type for example “0x00000030”, which represents “$FILE_NAME”.

Type:

int

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

display_name

display name.

Type:

str

entry_modification_time

file entry modification date and time.

Type:

dfdatetime.DateTimeValues

file_attribute_flags

NTFS file attribute flags.

Type:

int

file_reference

NTFS file reference.

Type:

int

file_system_type

file system type.

Type:

str

filename

name of the file.

Type:

str

is_allocated

True if the MFT entry is allocated (marked as in use).

Type:

bool

modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

name

name associated with the stat event, for example that of a $FILE_NAME attribute or None if not available.

Type:

str

parent_file_reference

NTFS file reference of the parent.

Type:

int

path_hints

hints about the full path of the file.

Type:

list[str]

path of the symbolic link target.

Type:

str

DATA_TYPE = 'fs:stat:ntfs'
__init__()[source]

Initializes event data.

class plaso.parsers.ntfs.NTFSMFTParser[source]

Bases: FileObjectParser

Parses a NTFS $MFT metadata file.

DATA_FORMAT = 'NTFS $MFT metadata file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'mft'
ParseFileObject(parser_mediator, file_object)[source]

Parses a NTFS $MFT metadata file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.ntfs.NTFSUSNChangeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

NTFS USN change event data.

file_attribute_flags

NTFS file attribute flags.

Type:

int

filename

name of the file associated with the event.

Type:

str

file_reference

NTFS file reference.

Type:

int

file_system_type

file system type.

Type:

str

parent_file_reference

NTFS file reference of the parent.

Type:

int

offset

offset of the USN record relative to the start of the $J data stream, from which the event data was extracted.

Type:

int

update_reason_flags

update reason flags.

Type:

int

update_sequence_number

update sequence number.

Type:

int

update_source_flags

update source flags.

Type:

int

update_time

update date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'fs:ntfs:usn_change'
__init__()[source]

Initializes event data.

class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses a NTFS USN change journal.

DATA_FORMAT = 'NTFS USN change journal ($UsnJrnl:$J) file system metadata file'
NAME = 'usnjrnl'
ParseFileObject(parser_mediator, file_object)[source]

Parses a NTFS $UsnJrnl metadata file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.olecf module

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]

Bases: FileObjectParser

Parses OLE Compound Files (OLECF).

DATA_FORMAT = 'OLE Compound File (OLECF) format'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'olecf'
ParseFileObject(parser_mediator, file_object)[source]

Parses an OLE Compound File (OLECF) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.onedrive module

Parser for OneDrive Log (ODL/ODLGZ) files.

Reference: https://forensics.wiki/microsoft_onedrive/

class plaso.parsers.onedrive.OneDriveLogEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

OneDrive log event data.

code_filename

code filename.

Type:

str

code_function_name

code function name.

Type:

str

decoded_parameters

decoded (and decrypted) parameters.

Type:

str

raw_parameters

the raw parameters encoded as a hexadecimal formatted string.

Type:

str

recorded_time

date and time the entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:onedrive:log'
__init__()[source]

Initializes event data.

class plaso.parsers.onedrive.OneDriveLogFileParser[source]

Bases: FileEntryParser, DtFabricHelper

Parser for OneDrive log files.

BLOCK_SIGNATURE = b'\xcc\xdd\xee\xff\x00\x00\x00\x00'
COMPRESSED_BLOCK_SIGNATURE = b'\x1f\x8b\x08\x00\x00\x00\x00\x00'
DATA_FORMAT = 'OneDrive Log file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'onedrive_log'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a OneDrive Log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – file entry.

Raises:

plaso.parsers.opera module

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Opera global history entry data.

description

description.

Type:

str

last_visited_time

date and time the URL was last visited.

Type:

dfdatetime.DateTimeValues

popularity_index

popularity index.

Type:

int

title

title.

Type:

str

url

URL.

Type:

str

DATA_TYPE = 'opera:history:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.opera.OperaGlobalHistoryParser[source]

Bases: FileObjectParser

Parses the Opera global_history.dat file.

DATA_FORMAT = 'Opera global history (global_history.dat) file'
NAME = 'opera_global'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera global history file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Opera typed history entry data.

entry_selection

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type:

str

entry_type

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type:

str

last_typed_time

date and time the URL was last typed.

Type:

dfdatetime.DateTimeValues

url

typed URL or hostname.

Type:

str

DATA_TYPE = 'opera:history:typed_entry'
__init__()[source]

Initializes event data.

class plaso.parsers.opera.OperaTypedHistoryParser[source]

Bases: FileObjectParser

Parses the Opera typed_history.xml file.

DATA_FORMAT = 'Opera typed history (typed_history.xml) file'
NAME = 'opera_typed_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses an Opera typed history file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.pe module

A parser for Portable Executable (PE) files.

Also see:

https://cloud.google.com/blog/topics/threat-intelligence/tracking-malware-import-hashing/

class plaso.parsers.pe.PEDLLImportEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) DLL import event data.

delayed_import

True if the DLL is imported at run-time.

Type:

bool

modification_time

last modification date and time.

Type:

dfdatetime.DateTimeValues

name

name of the imported DLL.

Type:

str

DATA_TYPE = 'pe_coff:dll_import'
__init__()[source]

Initializes event data.

class plaso.parsers.pe.PEFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) file event data.

creation_time

creation date and time.

Type:

dfdatetime.DateTimeValues

export_dll_name

name of the exported DLL.

Type:

str

export_table_modification_time

export table last modification date and time.

Type:

dfdatetime.DateTimeValues

imphash

“Import Hash” of the Portable Executable (PE) file.

Type:

str

load_configuration_table_modification_time

load configuration table last modification date and time.

Type:

dfdatetime.DateTimeValues

pe_type

type of Portable Executable (PE) file.

Type:

str

section_names

names of the sections in the Portable Executable (PE) file.

Type:

list[str]

DATA_TYPE = 'pe_coff:file'
__init__()[source]

Initializes event data.

class plaso.parsers.pe.PEParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Portable Executable (PE) files.

DATA_FORMAT = 'Portable Executable (PE) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'pe'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Portable Executable (PE) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes a PE parser.

class plaso.parsers.pe.PEResourceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Portable Executable (PE) resource event data.

identifier

identifier of the resource.

Type:

int

modification_time

last modification date and time.

Type:

dfdatetime.DateTimeValues

name

name of the resource.

Type:

str

DATA_TYPE = 'pe_coff:resource'
__init__()[source]

Initializes event data.

plaso.parsers.plist module

Parser for binary and text Property List (plist) files.

class plaso.parsers.plist.PlistParser[source]

Bases: FileObjectParser

Parser for binary and text Property List (plist) files.

DATA_FORMAT = 'Property list (plist) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

a format specification or None if not available.

Return type:

FormatSpecification

NAME = 'plist'
ParseFileObject(parser_mediator, file_object)[source]

Parses a plist file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.pls_recall module

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

PL/SQL Recall event data.

database_name

name of the database.

Type:

str

offset

offset of the PL/SQL Recall record relative to the start of the file, from which the event data was extracted.

Type:

int

query

PL/SQL query.

Type:

str

sequence_number

sequence number.

Type:

int

username

username used to query.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'pls_recall:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.pls_recall.PlsRecallParser[source]

Bases: FileObjectParser, DtFabricHelper

Parse PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

TRecallRecord = packed record

Sequence: Integer; TimeStamp: TDateTime; Username: array[0..30] of Char; Database: array[0..80] of Char; Text: array[0..4000] of Char;

end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

DATA_FORMAT = 'PL SQL cache file (PL-SQL developer recall file) format'
NAME = 'pls_recall'
ParseFileObject(parser_mediator, file_object)[source]

Parses a PLSRecall.dat file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes a PL/SQL Recall file parser.

plaso.parsers.plugins module

This file contains basic interface for plugins within Plaso.

This library serves a basis for all plugins in Plaso, whether that are Windows Registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common among several artifacts or files a plugin infrastructure can be written to make writing parsers simpler. The goal of a parser plugin is to have only a single parser that understands the data structure that can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of certain database, such as Chrome history, or Skype history, etc. This can be done without needing to write a fully-fledged parser that needs to re-implement the data structure knowledge. A single parser can be created that calls the plugins to see if it knows that particular database.

Another example is Windows Registry, there a single parser that can parse the Registry can be made and the job of a single plugin is to parse a particular Registry key. The parser can then read a Registry key and compare it to a list of available plugins to see if it can be parsed.

DATA_FORMAT = ''
NAME = 'base_plugin'
Process(parser_mediator, **kwargs)[source]

Extracts events using a parser plugin.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • kwargs (dict[str, object]) – Depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.

Raises:

ValueError – when there are unused keyword arguments.

UpdateChainAndProcess(parser_mediator, **kwargs)[source]

Extracts events using a parser plugin and synchronizes the parser chain.

This method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

class plaso.parsers.plugins.BasePluginCache[source]

Bases: object

A generic cache for parser plugins.

GetResults(attribute_name, default_value=None)[source]

Retrieves a cached attribute.

Parameters:

  • attribute_name (str) – name of the cached attribute.

  • default_value (Optional[object]) – default value.

Returns:

value of the cached attribute or default value if the cache

does not contain the attribute.

Return type:

object

SetResults(attribute_name, value)[source]

Sets a cached attribute.

Parameters:

  • attribute_name (str) – name of the cached attribute.

  • value (object) – value of the attribute.

plaso.parsers.presets module

The parser and parser plugin presets.

class plaso.parsers.presets.ParserPreset(name, parsers)[source]

Bases: object

Parser and parser plugin preset.

deprecated

True if the preset is deprecated.

Type:

bool

name

name of the preset.

Type:

str

operating_systems

operating system artifact attribute containers, that specify to which operating systems the preset applies.

Type:

list[OperatingSystemArtifact]

parsers

names of parser and parser plugins.

Type:

list[str]

__init__(name, parsers)[source]

Initializes a parser and parser plugin preset.

name

name of the preset.

Type:

str

parsers

names of parser and parser plugins.

Type:

list[str]

class plaso.parsers.presets.ParserPresetsManager[source]

Bases: object

The parsers and plugin presets manager.

GetNames()[source]

Retrieves the preset names.

Returns:

preset names in alphabetical order.

Return type:

list[str]

GetParsersByPreset(preset_name)[source]

Retrieves the parser and plugin names of a specific preset.

Parameters:

preset_name (str) – name of the preset.

Returns:

parser and plugin names in alphabetical order.

Return type:

list[str]

Raises:

KeyError – if the preset does not exist.

GetPresetByName(name)[source]

Retrieves a specific preset definition by name.

Parameters:

name (str) – name of the preset.

Returns:

a parser preset or None if not available.

Return type:

ParserPreset

GetPresetsByOperatingSystem(operating_system)[source]

Retrieves preset definitions for a specific operating system.

Parameters:

operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.

Returns:

preset definition that correspond with the

operating system.

Return type:

list[PresetDefinition]

GetPresetsInformation()[source]

Retrieves the presets information.

Returns:

containing:

str: preset name. str: comma separated parser and plugin names that are defined by

the preset.

Return type:

list[tuple]

ReadFromFile(path)[source]

Reads parser and parser plugin presets from a file.

Parameters:

path (str) – path of file that contains the the parser and parser plugin presets configuration.

Raises:

MalformedPresetError – if one or more plugin preset definitions are malformed.

__init__()[source]

Initializes a parser and parser plugin presets manager.

plaso.parsers.recycler module

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Recycle Bin event data.

deletion_time

file entry deletion date and time.

Type:

dfdatetime.DateTimeValues

drive_number

drive number.

Type:

int

file_size

file size.

Type:

int

offset

offset of the Recycle Bin record relative to the start of the file, from which the event data was extracted.

Type:

int

original_filename

filename.

Type:

str

record_index

index of the record, from which the event data was extracted.

Type:

int

short_filename

short filename.

Type:

str

DATA_TYPE = 'windows:metadata:deleted_item'
__init__()[source]

Initializes Windows Recycle Bin event data.

class plaso.parsers.recycler.WinRecycleBinParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses the Windows $Recycle.Bin $I files.

DATA_FORMAT = 'Windows $Recycle.Bin $I file'
NAME = 'recycle_bin'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]

Bases: FileObjectParser, DtFabricHelper

Parses the Windows Recycler INFO2 file.

DATA_FORMAT = 'Windows Recycler INFO2 file'
NAME = 'recycle_bin_info2'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Recycler INFO2 file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.safari_cookies module

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]

Bases: FileObjectParser, CookiePluginsHelper, DtFabricHelper

Parser for Safari Binary Cookie files.

DATA_FORMAT = 'Safari Binary Cookie file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification for parser selection.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'binary_cookies'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Safari binary cookie file-like object.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises:

  • ParseError – when the page sizes array cannot be parsed.

  • WrongParser – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Safari binary cookie event data.

cookie_name

cookie name.

Type:

str

cookie_value

cookie value.

Type:

str

creation_time

date and time the cookie was created.

Type:

dfdatetime.DateTimeValues

expiration_time

date and time the cookie expires.

Type:

dfdatetime.DateTimeValues

flags

cookie flags.

Type:

int

path

path of the cookie.

Type:

str

url

URL where this cookie is valid.

Type:

str

DATA_TYPE = 'safari:cookie:entry'
__init__()[source]

Initializes event data.

plaso.parsers.spotlight_storedb module

Parser for Apple Spotlight store database files.

class plaso.parsers.spotlight_storedb.BaseSpotlightFile[source]

Bases: DtFabricHelper

Shared functionality for Apple Spotlight files.

Close()[source]

Closes an Apple Spotlight file.

Raises:

OSError – if the file is not opened.

Open(file_entry)[source]

Opens an Apple Spotlight file.

Parameters:

file_entry (dfvfs.FileEntry) – a file entry.

Raises:

OSError – if the file is already opened.

abstractmethod ReadFileObject(file_object)[source]

Reads an Apple Spotlight file-like object.

Parameters:

file_object (file) – file-like object.

__init__()[source]

Initializes a Apple Spotlight file.

class plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser[source]

Bases: FileEntryParser, DtFabricHelper

Parser for Apple Spotlight store database (store.db) files.

DATA_FORMAT = 'Apple Spotlight store database (store.db) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'spotlight_storedb'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses an Apple Spotlight store database file entry.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes an Apple Spotlight store database parser.

class plaso.parsers.spotlight_storedb.SpotlightStoreIndexValue[source]

Bases: object

Index value.

table_index

table index.

Type:

int

values_list

values list.

Type:

list[str]

__init__()[source]

Initializes an index value.

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute[source]

Bases: object

Metadata attribute.

key

key or name of the metadata attribute.

Type:

str

property_type

metadata attribute property type.

Type:

int

value

metadata attribute value.

Type:

object

value_type

metadata attribute value type.

Type:

int

__init__()[source]

Initializes a metadata attribute.

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem[source]

Bases: object

Metadata item.

attributes

metadata attributes.

Type:

dict[str, SpotlightStoreMetadataAttribute]

data_size

size of the record data.

Type:

int

flags

record flags.

Type:

int

identifier

file (system) entry identifier.

Type:

int

item_identifier

item identifier.

Type:

int

last_update_time

last update time.

Type:

int

parent_identifier

parent file (system) entry identifier.

Type:

int

__init__()[source]

Initializes a record.

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple Spotlight store database metadata item event data.

added_time

date and time the item was added (kMDItemDateAdded).

Type:

dfdatetime.DateTimeValues

attribute_change_time

date and time an attribute was last changed (kMDItemAttributeChangeDate).

Type:

dfdatetime.DateTimeValues

content_creation_time

date and time the content was created (kMDItemContentCreationDate).

Type:

dfdatetime.DateTimeValues

content_modification_time

date and time the content was last modified (kMDItemContentModificationDate).

Type:

dfdatetime.DateTimeValues

content_type

content type of the corresponding file (system) entry (kMDItemContentType).

Type:

str

creation_time

date and time the item was created (_kMDItemCreationDate).

Type:

dfdatetime.DateTimeValues

downloaded_time

date and time the item was downloaded (kMDItemDownloadedDate).

Type:

dfdatetime.DateTimeValues

file_name

name of the corresponding file (system) entry (_kMDItemFileName).

Type:

str

file_system_identifier

file system identifier, for example the catalog node identifier (CNID) on HFS.

Type:

int

kind

item kind (kMDItemKind).

Type:

str

modification_time

date and time the item was last modified (_kMDItemContentChangeDate).

Type:

dfdatetime.DateTimeValues

parent_file_system_identifier

file system identifier of the parent.

Type:

int

purchase_time

date and time the item was purchased in the AppStore (kMDItemAppStorePurchaseDate).

Type:

dfdatetime.DateTimeValues

snapshot_times

dates and times of the creation of backup snaphots (_kTimeMachineOldestSnapshot and _kTimeMachineNewestSnapshot).

Type:

list[dfdatetime.DateTimeValues]

update_time

date and time the item was last updated.

Type:

dfdatetime.DateTimeValues

used_times

dates and times when the item was used (kMDItemUsedDates and kMDItemLastUsedDate).

Type:

list[dfdatetime.DateTimeValues]

DATA_TYPE = 'spotlight:metadata_item'
__init__()[source]

Initializes event data.

class plaso.parsers.spotlight_storedb.SpotlightStreamsMapDataFile(data_size, ranges)[source]

Bases: BaseSpotlightFile

Apple Spotlight database streams map data file (dbStr-#.map.data).

stream_values

stream values.

Type:

list[bytes]

ReadFileObject(file_object)[source]

Reads a database streams map data file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__(data_size, ranges)[source]

Initializes a database streams map data file.

Parameters:

  • data_size (int) – data size.

  • ranges (list[tuple[int, int]]) – offset and size pairs of the stream value data ranges.

class plaso.parsers.spotlight_storedb.SpotlightStreamsMapHeaderFile[source]

Bases: BaseSpotlightFile

Apple Spotlight database streams map header file (dbStr-#.map.header).

data_size

data size.

Type:

int

number_of_buckets

number of entries in the database streams map buckets file (dbStr-#.map.buckets).

Type:

int

number_of_offsets

number of entries in the database streams map offsets file (dbStr-#.map.offsets).

Type:

int

ReadFileObject(file_object)[source]

Reads a database streams map header file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes a database streams map header file.

class plaso.parsers.spotlight_storedb.SpotlightStreamsMapOffsetsFile(data_size, number_of_entries)[source]

Bases: BaseSpotlightFile

Apple Spotlight database streams map offsets file (dbStr-#.map.offsets).

ranges

offset and size pairs of the stream value data ranges.

Type:

list[tuple[int, int]]

ReadFileObject(file_object)[source]

Reads a database streams map offsets file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__(data_size, number_of_entries)[source]

Initializes a database streams map offsets file.

Parameters:

  • data_size (int) – data size.

  • number_of_entries (int) – number of entries in the offsets file.

plaso.parsers.sqlite module

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]

Bases: BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]

Build a dictionary object based on a SQL command.

This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database: ‘first’, ‘stuff’, ‘things’ ‘second’, ‘another stuff’, ‘another thing’

This will result in a dictionary object being created in the cache, called ‘all_the_things’ and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}
Parameters:

  • sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.

  • attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.

  • key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.

  • column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.

GetRowCache(query)[source]

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate row when a database and a database with a WAL file is parsed.

Parameters:

query (str) – query.

Returns:

hashes of the rows that have been parsed.

Return type:

set

__init__()[source]

Initializes a SQLite cache.

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]

Bases: object

SQLite database.

schema

schema as an SQL query per table name, for example {‘Users’: ‘CREATE TABLE Users (“id” INTEGER PRIMARY KEY, …)’}.

Type:

dict[str, str]

Close()[source]

Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy the database file this function sets up a connection with the database and determines the names of the tables.

Parameters:

  • file_object (dfvfs.FileIO) – file-like object.

  • wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.

Raises:

  • OSError – if the file-like object cannot be read.

  • sqlite3.DatabaseError – if the database cannot be parsed.

  • ValueError – if the file-like object is missing.

Query(query)[source]

Queries the database.

Parameters:

query (str) – SQL query.

Returns:

results.

Return type:

sqlite3.Cursor

Raises:

sqlite3.DatabaseError – if querying the database fails.

SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'
__init__(filename, temporary_directory=None)[source]

Initializes a SQLite database.

Parameters:

  • filename (str) – name of the file entry.

  • temporary_directory (Optional[str]) – path of the directory for temporary files.

property tables

names of all the tables.

Type:

List[str]

class plaso.parsers.sqlite.SQLiteParser[source]

Bases: FileEntryParser

Parses SQLite database files.

DATA_FORMAT = 'SQLite database file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

a format specification or None if not available.

Return type:

FormatSpecification

NAME = 'sqlite'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses a SQLite database file entry.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_entry (dfvfs.FileEntry) – file entry to be parsed.

plaso.parsers.symantec module

Symantec AV Corporate Edition and Endpoint Protection log file parser.

class plaso.parsers.symantec.SymantecEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Symantec event data.

access

access.

Type:

str

action0

action0.

Type:

str

action1

action1.

Type:

str

action1_status

action1 status.

Type:

str

action2

action2.

Type:

str

action2_status

action2 status.

Type:

str

address

address.

Type:

str

backup_id

backup identifier.

Type:

str

cat

category.

Type:

str

cleaninfo

clean information.

Type:

str

clientgroup

client group.

Type:

str

compressed

compressed.

Type:

str

computer

computer.

Type:

str

definfo

definfo.

Type:

str

defseqnumber

def sequence number.

Type:

str

deleteinfo

delete information.

Type:

str

depth

depth.

Type:

str

description

description.

Type:

str

domain_guid

domain identifier (GUID).

Type:

str

domainname

domain name.

Type:

str

err_code

error code.

Type:

str

event_data

event data.

Type:

str

event

event.

Type:

str

extra

extra.

Type:

str

file

file.

Type:

str

flags

flags.

Type:

str

groupid

group identifier.

Type:

str

guid

guid.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

license_expiration_dt

license expiration date.

Type:

str

license_feature_name

license feature name.

Type:

str

license_feature_ver

license feature ver.

Type:

str

license_fulfillment_id

license fulfillment identifier.

Type:

str

license_lifecycle

license lifecycle.

Type:

str

license_seats_delta

license seats delta.

Type:

str

license_seats

license seats.

Type:

str

license_seats_total

license seats total.

Type:

str

license_serial_num

license serial number.

Type:

str

license_start_dt

license start date.

Type:

str

logger

logger.

Type:

str

login_domain

login domain.

Type:

str

log_session_guid

log session identifier (GUID).

Type:

str

macaddr

MAC address.

Type:

str

new_ext

new ext.

Type:

str

ntdomain

ntdomain.

Type:

str

offset

offset.

Type:

str

parent

parent.

Type:

str

quarfwd_status

quarfwd status.

Type:

str

remote_machine_ip

remote machine IP address.

Type:

str

remote_machine

remote machine.

Type:

str

scanid

scan identifier.

Type:

str

snd_status

snd status.

Type:

str

status

status.

Type:

str

still_infected

still infected.

Type:

str

time

time.

Type:

str

user

user.

Type:

str

vbin_id

vbin identifier.

Type:

str

vbin_session_id

vbin session identifier.

Type:

str

version

version.

Type:

str

virus_id

virus identifier.

Type:

str

virus

virus.

Type:

str

virustype

virustype.

Type:

str

DATA_TYPE = 'av:symantec:scanlog'
__init__()[source]

Initializes event data.

class plaso.parsers.symantec.SymantecParser[source]

Bases: DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']
DATA_FORMAT = 'Symantec AV Corporate Edition and Endpoint Protection log file'
NAME = 'symantec_scanlog'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – line number of the row.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

plaso.parsers.systemd_journal module

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Systemd journal event data.

body

message body.

Type:

str

hostname

hostname.

Type:

str

pid

process identifier (PID).

Type:

int

reporter

reporter.

Type:

str

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'systemd:journal'
__init__()[source]

Initializes event data.

class plaso.parsers.systemd_journal.SystemdJournalParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses Systemd Journal files.

DATA_FORMAT = 'Systemd journal file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'systemd_journal'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Systemd journal file-like object.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the header cannot be parsed.

__init__()[source]

Initializes a parser.

plaso.parsers.text_parser module

Text log parser.

class plaso.parsers.text_parser.EncodedTextReader(file_object, encoding='utf-8', encoding_errors='strict')[source]

Bases: object

Encoded text reader.

line_number

current line number.

Type:

int

lines

lines of text.

Type:

str

lines_size

size of the lines of text.

Type:

int

BUFFER_SIZE = 65536
ReadLine()[source]

Reads a line.

Returns:

line read from the lines buffer.

Return type:

str

ReadLines()[source]

Reads lines into the lines buffer.

SkipAhead(number_of_characters)[source]

Skips ahead a number of characters.

Parameters:

number_of_characters (int) – number of characters.

__init__(file_object, encoding='utf-8', encoding_errors='strict')[source]

Initializes the encoded text reader object.

Parameters:

  • file_object (FileIO) – a file-like object to read from.

  • encoding (Optional[str]) – text encoding.

  • encoding_errors (Optional[str]) – text encoding errors handler.

get_offset()[source]

Retrieves the current offset into the file-like object.

Returns:

current offset into the file-like object.

Return type:

int

class plaso.parsers.text_parser.TextLogParser[source]

Bases: FileObjectParser

Text-based log file parser.

DATA_FORMAT = 'text-based log file'
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters:

plugin_includes (set[str]) – names of the plugins to enable, where set([‘*’]) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

NAME = 'text'
ParseFileObject(parser_mediator, file_object)[source]

Parses a text log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

__init__()[source]

Initializes a text-based log parser.

plaso.parsers.trendmicroav module

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser[source]

Bases: TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DATA_FORMAT = 'Trend Micro Office Scan Virus Detection log file'
NAME = 'trendmicro_vd'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser[source]

Bases: TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')
DATA_FORMAT = 'Trend Micro Office Web Reputation log file'
NAME = 'trendmicro_url'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Trend Micro AV Log event data.

action

action.

Type:

str

filename

filename.

Type:

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type:

int

path

path.

Type:

str

scan_type

scan_type.

Type:

str

threat

threat.

Type:

str

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'av:trendmicro:scan'
__init__()[source]

Initializes event data.

class plaso.parsers.trendmicroav.TrendMicroBaseParser[source]

Bases: DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()
DELIMITER = '<;>'
class plaso.parsers.trendmicroav.TrendMicroUrlEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Trend Micro Web Reputation Log event data.

application_name

application name.

Type:

str

block_mode

operation mode.

Type:

str

credibility_rating

credibility rating.

Type:

int

credibility_score

credibility score.

Type:

int

group_code

group code.

Type:

str

group_name

group name.

Type:

str

ip

IP address.

Type:

str

offset

offset of the line relative to the start of the file, from which the event data was extracted.

Type:

int

policy_identifier

policy identifier.

Type:

int

threshold

threshold value.

Type:

int

url

accessed URL.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'av:trendmicro:webrep'
__init__()[source]

Initializes event data.

plaso.parsers.unified_logging module

The Apple Unified Logging (AUL) file parser.

class plaso.parsers.unified_logging.BacktraceFrame[source]

Bases: object

Backtrace frame.

image_identifier

image identifier, contains an UUID.

Type:

str

image_offset

image offset.

Type:

int

__init__()[source]

Initializes a backtrace frame.

class plaso.parsers.unified_logging.BaseFormatStringDecoder[source]

Bases: object

Format string decoder interface.

abstractmethod FormatValue(value, format_string_operator=None)[source]

Formats a value.

Parameters:

  • value (bytes) – value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted value.

Return type:

str

class plaso.parsers.unified_logging.BaseLocationStructureFormatStringDecoder[source]

Bases: BaseFormatStringDecoder, DtFabricHelper

Shared functionality for location structure format string decoders.

class plaso.parsers.unified_logging.BaseMDNSDNSStructureFormatStringDecoder[source]

Bases: BaseFormatStringDecoder, DtFabricHelper

Shared functionality for mDNS DNS structure format string decoders.

class plaso.parsers.unified_logging.BaseUnifiedLoggingFile[source]

Bases: DtFabricHelper

Shared functionality for Apple Unified Logging (AUL) files.

Close()[source]

Closes an Apple Unified Logging (AUL) file.

Raises:

OSError – if the file is not opened.

Open(file_entry)[source]

Opens an Apple Unified Logging (AUL) file.

Parameters:

file_entry (dfvfs.FileEntry) – a file entry.

Raises:

OSError – if the file is already opened.

abstractmethod ReadFileObject(file_object)[source]

Reads an Apple Unified Logging (AUL) file-like object.

Parameters:

file_object (file) – file-like object.

__init__()[source]

Initializes a Apple Unified Logging (AUL) file.

class plaso.parsers.unified_logging.BooleanFormatStringDecoder(false_value='false', true_value='true')[source]

Bases: BaseFormatStringDecoder

Boolean value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a boolean value.

Parameters:

  • value (bytes) – boolean value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted boolean value.

Return type:

str

__init__(false_value='false', true_value='true')[source]

Initializes a boolean value format string decoder.

Parameters:

  • false_value (Optional[str]) – value that represents False.

  • true_value (Optional[str]) – value that represents True.

class plaso.parsers.unified_logging.DSCFile[source]

Bases: BaseUnifiedLoggingFile

Shared-Cache Strings (dsc) file.

ranges

the ranges.

Type:

list[DSCRange]

uuids

the UUIDs.

Type:

list[DSCUUID]

GetImageValues(string_reference, is_dynamic)[source]

Retrieves image values.

Parameters:

  • string_reference (int) – reference of the string.

  • is_dynamic (bool) – dynamic flag.

Returns:

image value or None if not available.

Return type:

ImageValues

Raises:

ParseError – if the image values cannot be read.

ReadFileObject(file_object)[source]

Reads a shared-cache strings (dsc) file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes a shared-cache strings (dsc) file.

class plaso.parsers.unified_logging.DSCRange[source]

Bases: object

Shared-Cache Strings (dsc) range.

data_offset

offset of the string data.

Type:

int

image_identifier

the image identifier.

Type:

uuid.UUID

image_path

the image path.

Type:

str

range_offset

the offset of the range.

Type:

int

range_sizes

the size of the range.

Type:

int

text_offset

the offset of the text.

Type:

int

text_size

the size of the text.

Type:

int

uuid_index

index of the dsc UUID.

Type:

int

__init__()[source]

Initializes a Shared-Cache Strings (dsc) range.

class plaso.parsers.unified_logging.DSCUUID[source]

Bases: object

Shared-Cache Strings (dsc) UUID.

image_identifier

the image identifier.

Type:

uuid.UUID

image_path

the image path.

Type:

str

text_offset

the offset of the text.

Type:

int

text_size

the size of the text.

Type:

int

__init__()[source]

Initializes a Shared-Cache Strings (dsc) UUID.

class plaso.parsers.unified_logging.DateTimeInSecondsFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Date and time value in seconds format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a date and time value in seconds.

Parameters:

  • value (bytes) – timestamp that contains the number of seconds since 1970-01-01 00:00:00.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted date and time value in seconds.

Return type:

str

class plaso.parsers.unified_logging.ErrorCodeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Error code format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an error code value.

Parameters:

  • value (bytes) – error code value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted error code value.

Return type:

str

class plaso.parsers.unified_logging.ExtendedErrorCodeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Extended error code format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an error code value.

Parameters:

  • value (bytes) – error code value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted error code value.

Return type:

str

class plaso.parsers.unified_logging.FileModeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

File mode format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a file mode value.

Parameters:

  • value (bytes) – file mode value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted file mode value.

Return type:

str

class plaso.parsers.unified_logging.FloatingPointFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Floating-point value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a floating-point value.

Parameters:

  • value (bytes) – floating-point value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted floating-point value.

Return type:

str

class plaso.parsers.unified_logging.FormatStringOperator(flags=None, precision=None, specifier=None, width=None)[source]

Bases: object

Format string operator.

flags

flags.

Type:

str

precision

precision.

Type:

str

specifier

conversion specifier.

Type:

str

width

width.

Type:

str

GetPythonFormatString()[source]

Retrieves the Python format string.

Returns:

Python format string.

Return type:

str

__init__(flags=None, precision=None, specifier=None, width=None)[source]

Initializes a format string operator.

Parameters:

  • flags (Optional[str]) – flags.

  • precision (Optional[str]) – precision.

  • specifier (Optional[str]) – conversion specifier.

  • width (Optional[str]) – width.

class plaso.parsers.unified_logging.IPv4FormatStringDecoder[source]

Bases: BaseFormatStringDecoder

IPv4 value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an IPv4 value.

Parameters:

  • value (bytes) – IPv4 value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted IPv4 value.

Return type:

str

class plaso.parsers.unified_logging.IPv6FormatStringDecoder[source]

Bases: BaseFormatStringDecoder

IPv6 value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an IPv6 value.

Parameters:

  • value (bytes) – IPv6 value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted IPv6 value.

Return type:

str

class plaso.parsers.unified_logging.ImageValues(identifier=None, path=None, string=None, text_offset=None)[source]

Bases: object

Image values.

identifier

the identifier.

Type:

uuid.UUID

path

the path.

Type:

str

string

the string.

Type:

str

text_offset

the offset of the text.

Type:

int

GetStringFormatter()[source]

Retrieves a string formatter.

Returns:

string formatter.

Return type:

StringFormatter

__init__(identifier=None, path=None, string=None, text_offset=None)[source]

Initializes image values.

Parameters:

  • identifier (Optional[uuid.UUID]) – the identifier.

  • path (Optional[str]) – the path.

  • string (Optional[str]) – the string.

  • text_offset (Optional[int]) – the offset of the text.

class plaso.parsers.unified_logging.LocationClientAuthorizationStatusFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Location client authorization status format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a client authorization status value.

Parameters:

  • value (bytes) – client authorization status value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted client authorization status value.

Return type:

str

class plaso.parsers.unified_logging.LocationClientManagerStateFormatStringDecoder[source]

Bases: BaseLocationStructureFormatStringDecoder

Location client manager state format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a location client manager state value.

Parameters:

  • value (bytes) – location client manager state value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted location client manager state value.

Return type:

str

class plaso.parsers.unified_logging.LocationEscapeOnlyFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Location escape only format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a location value.

Parameters:

  • value (bytes) – location value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted location value.

Return type:

str

class plaso.parsers.unified_logging.LocationLocationManagerStateFormatStringDecoder[source]

Bases: BaseLocationStructureFormatStringDecoder

Location location manager state format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a location location manager state value.

Parameters:

  • value (bytes) – location location manager state value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted location location manager state value.

Return type:

str

class plaso.parsers.unified_logging.LocationSQLiteResultFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Location SQLite result format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a SQLite result value.

Parameters:

  • value (bytes) – SQLite result.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted SQLite result value.

Return type:

str

class plaso.parsers.unified_logging.LogEntry[source]

Bases: object

Log entry.

activity_identifier

activity identifier.

Type:

int

backtrace_frames

backtrace frames.

Type:

list[BacktraceFrame]

boot_identifier

boot identifier.

Type:

uuid.UUID

category

(sub system) category.

Type:

str

creator_activity_identifier

creator activity identifier.

Type:

int

event_message

event message.

Type:

str

event_type

event type.

Type:

str

format_string

format string.

Type:

str

loss_count

number of message lost.

Type:

int

loss_end_mach_timestamp

Mach timestamp of the end of the message loss.

Type:

int

loss_end_timestamp

timestamp of the end of the message loss, in number of nanoseconds since January 1, 1970 00:00:00.000000000

Type:

int

loss_start_mach_timestamp

Mach timestamp of the start of the message loss.

Type:

int

loss_start_timestamp

timestamp of the start of the message loss, in number of nanoseconds since January 1, 1970 00:00:00.000000000

Type:

int

mach_timestamp

Mach timestamp.

Type:

int

message_type

message type.

Type:

str

parent_activity_identifier

parent activity identifier.

Type:

int

process_identifier

process identifier (PID).

Type:

int

process_image_identifier

process image identifier.

Type:

uuid.UUID

process_image_path

path of the process image.

Type:

str

sender_image_identifier

(sender) image identifier.

Type:

uuid.UUID

sender_image_path

path of the (sender) image.

Type:

str

sender_program_counter

(sender) program counter.

Type:

int

signpost_identifier

signpost identifier.

Type:

int

signpost_name

signpost name.

Type:

str

signpost_scope

signpost scope.

Type:

str

signpost_type

signpost type.

Type:

str

sub_system

sub system.

Type:

str

thread_identifier

thread identifier.

Type:

int

timestamp

number of nanoseconds since January 1, 1970 00:00:00.000000000.

Type:

int

time_zone_name

name of the time zone.

Type:

str

trace_identifier

trace identifier.

Type:

int

ttl

Time to live (TTL) value.

Type:

int

__init__()[source]

Initializes a log entry.

class plaso.parsers.unified_logging.MDNSDNSCountersFormatStringDecoder[source]

Bases: BaseMDNSDNSStructureFormatStringDecoder

mDNS DNS counters format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS DNS counters value.

Parameters:

  • value (bytes) – mDNS DNS counters value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS DNS counters value.

Return type:

str

class plaso.parsers.unified_logging.MDNSDNSHeaderFormatStringDecoder[source]

Bases: BaseMDNSDNSStructureFormatStringDecoder

mDNS DNS header format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS DNS header value.

Parameters:

  • value (bytes) – mDNS DNS header value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS DNS header value.

Return type:

str

class plaso.parsers.unified_logging.MDNSDNSIdentifierAndFlagsFormatStringDecoder[source]

Bases: BaseMDNSDNSStructureFormatStringDecoder

mDNS DNS identifier and flags string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS DNS identifier and flags value.

Parameters:

  • value (bytes) – mDNS DNS identifier and flags value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS DNS identifier and flags value.

Return type:

str

class plaso.parsers.unified_logging.MDNSProtocolFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

mDNS protocol format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS protocol value.

Parameters:

  • value (bytes) – mDNS protocol value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS protocol value.

Return type:

str

class plaso.parsers.unified_logging.MDNSReasonFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

mDNS reason format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS reason value.

Parameters:

  • value (bytes) – mDNS reason value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS reason value.

Return type:

str

class plaso.parsers.unified_logging.MDNSResourceRecordTypeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

mDNS resource record type format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a mDNS resource record type value.

Parameters:

  • value (bytes) – mDNS resource record type value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted mDNS resource record type value.

Return type:

str

class plaso.parsers.unified_logging.MaskHashFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Mask hash format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a value as a mask hash.

Parameters:

  • value (bytes) – value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted value as a mask hash.

Return type:

str

class plaso.parsers.unified_logging.OpenDirectoryErrorFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Open Directory error format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an Open Directory error value.

Parameters:

  • value (bytes) – Open Directory error value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Open Directory error value.

Return type:

str

class plaso.parsers.unified_logging.OpenDirectoryMembershipDetailsFormatStringDecoder[source]

Bases: BaseFormatStringDecoder, DtFabricHelper

Open Directory membership details format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an Open Directory membership details value.

Parameters:

  • value (bytes) – Open Directory membership details value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Open Directory membership details value.

Return type:

str

class plaso.parsers.unified_logging.OpenDirectoryMembershipTypeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Open Directory membership type format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an Open Directory membership type value.

Parameters:

  • value (bytes) – Open Directory membership type value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Open Directory membership type value.

Return type:

str

class plaso.parsers.unified_logging.SignedIntegerFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Signed integer value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a signed integer value.

Parameters:

  • value (bytes) – signed integer value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted signed integer value.

Return type:

str

class plaso.parsers.unified_logging.SignpostDescriptionAttributeFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Signpost description attribute value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a Signpost description attribute value.

Parameters:

  • value (bytes) – Signpost description attribute value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Signpost description attribute value.

Return type:

str

class plaso.parsers.unified_logging.SignpostDescriptionTimeFormatStringDecoder(time='begin')[source]

Bases: BaseFormatStringDecoder

Signpost description time value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a Signpost description time value.

Parameters:

  • value (bytes) – Signpost description time value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Signpost description time value.

Return type:

str

__init__(time='begin')[source]

Initializes a Signpost description time value format string decoder.

Parameters:

time (Optional[str]) – Signpost description time.

class plaso.parsers.unified_logging.SignpostTelemetryNumberFormatStringDecoder(number=1)[source]

Bases: BaseFormatStringDecoder

Signpost telemetry number value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a Signpost telemetry number value.

Parameters:

  • value (bytes) – Signpost telemetry number value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Signpost telemetry number value.

Return type:

str

__init__(number=1)[source]

Initializes a Signpost telemetry number value format string decoder.

Parameters:

number (Optional[int]) – Signpost telemetry number.

class plaso.parsers.unified_logging.SignpostTelemetryStringFormatStringDecoder(number=1)[source]

Bases: BaseFormatStringDecoder

Signpost telemetry string value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a Signpost telemetry string value.

Parameters:

  • value (bytes) – Signpost telemetry string value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Signpost telemetry string value.

Return type:

str

__init__(number=1)[source]

Initializes a Signpost telemetry string value format string decoder.

Parameters:

number (Optional[int]) – Signpost telemetry number.

class plaso.parsers.unified_logging.SocketAddressFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Socket address value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a socket address value.

Parameters:

  • value (bytes) – socket address value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted socket address value.

Return type:

str

class plaso.parsers.unified_logging.StringFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

String value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a string value.

Parameters:

  • value (bytes) – string value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted string value.

Return type:

str

class plaso.parsers.unified_logging.StringFormatter[source]

Bases: object

String formatter.

FormatString(values)[source]

Formats the string.

Parameters:

values (list[str]) – values.

Returns:

formatted string.

Return type:

str

GetDecoderNamesByIndex(value_index)[source]

Retrieves the decoder names of a specific value.

Parameters:

value_index (int) – value index.

Returns:

decoder names.

Return type:

list[str]

GetFormatStringOperator(value_index)[source]

Retrieves the format string operator of a specific value.

Parameters:

value_index (int) – value index.

Returns:

format string operator or None if not available.

Return type:

FormatStringOperator

ParseFormatString(format_string)[source]

Parses an Unified Logging format string.

Parameters:

format_string (str) – Unified Logging format string.

__init__()[source]

Initializes a string formatter.

class plaso.parsers.unified_logging.TimesyncDatabaseFile[source]

Bases: BaseUnifiedLoggingFile

Timesync database file.

ReadFileObject(file_object)[source]

Reads a timesync file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

ReadRecords()[source]

Reads a timesync records.

Yields:

object – boot or sync record.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes a timesync database file.

class plaso.parsers.unified_logging.TraceV3File(file_system=None)[source]

Bases: BaseUnifiedLoggingFile

Apple Unified Logging and Activity Tracing (tracev3) file.

ACTIVITY_IDENTIFIER_BITMASK = 9223372036854775807
Close()[source]

Closes a tracev3 file.

Raises:

OSError – if the file is not opened.

ReadFileObject(file_object)[source]

Reads a tracev3 file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

ReadLogEntries()[source]

Reads log traces.

Yields:

LogEntry – a log entry.

Raises:

ParseError – if the file cannot be read.

__init__(file_system=None)[source]

Initializes a tracev3 file.

Parameters:

file_system (Optional[dfvfs.FileSystem]) – file system.

class plaso.parsers.unified_logging.UUIDFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

UUID value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an UUID value.

Parameters:

  • value (bytes) – UUID value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted UUID value.

Return type:

str

class plaso.parsers.unified_logging.UUIDTextFile[source]

Bases: BaseUnifiedLoggingFile

Apple Unified Logging and Activity Tracing (uuidtext) file.

GetImagePath()[source]

Retrieves the image path.

Returns:

image path or None if not available.

Return type:

str

GetString(string_reference)[source]

Retrieves a string.

Parameters:

string_reference (int) – reference of the string.

Returns:

string or None if not available.

Return type:

str

Raises:

ParseError – if the string cannot be read.

ReadFileObject(file_object)[source]

Reads an uuidtext file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes an uuidtext file.

class plaso.parsers.unified_logging.UnifiedLoggingEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Apple Unified Logging (AUL) event data.

activity_identifier

activity identifier.

Type:

int

boot_identifier

boot identifier.

Type:

str

category

event category.

Type:

str

event_message

event message.

Type:

str

event_type

event type.

Type:

str

message_type

message type.

Type:

str

process_identifier

process identifier (PID).

Type:

int

process_image_identifier

process image identifier.

Type:

str

process_image_identifier

process image identifier, contains an UUID.

Type:

str

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

sender_image_identifier

(sender) image identifier, contains an UUID.

Type:

str

sender_image_path

path of the (sender) image.

Type:

str

signpost_identifier

signpost identifier.

Type:

int

signpost_name

signpost name.

Type:

str

subsystem

subsystem that produced the logging event.

Type:

str

thread_identifier

thread identifier.

Type:

int

ttl

log time to live (TTL).

Type:

int

DATA_TYPE = 'macos:unified_logging:event'
__init__()[source]

Initialise event data.

class plaso.parsers.unified_logging.UnifiedLoggingParser[source]

Bases: FileEntryParser

Parses Apple Unified Logging (AUL) tracev3 files.

DATA_FORMAT = 'Apple Unified Logging (AUL) 64-bit tracev3 file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'unified_logging'
ParseFileEntry(parser_mediator, file_entry)[source]

Parses an Apple Unified Logging (AUL) tracev3 file entry:

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.unified_logging.UnsignedIntegerFormatStringDecoder[source]

Bases: BaseFormatStringDecoder

Unsigned integer value format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats an unsigned integer value.

Parameters:

  • value (bytes) – unsigned integer value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted unsigned integer value.

Return type:

str

class plaso.parsers.unified_logging.WindowsNTSecurityIdentifierFormatStringDecoder[source]

Bases: BaseFormatStringDecoder, DtFabricHelper

Windows NT security identifier (SID) format string decoder.

FormatValue(value, format_string_operator=None)[source]

Formats a Windows NT security identifier (SID) value.

Parameters:

  • value (bytes) – Windows NT security identifier (SID) value.

  • format_string_operator (Optional[FormatStringOperator]) – format string operator.

Returns:

formatted Windows NT security identifier (SID) value.

Return type:

str

plaso.parsers.utmp module

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Linux libc6 utmp event data.

exit_status

exit status.

Type:

int

hostname

hostname or IP address.

Type:

str

ip_address

IP address from the connection.

Type:

str

offset

offset of the utmp record relative to the start of the file, from which the event data was extracted.

Type:

int

pid

process identifier (PID).

Type:

int

terminal_identifier

inittab identifier.

Type:

int

terminal

type of terminal.

Type:

str

type

type of login.

Type:

int

username

user name.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:utmp:event'
__init__()[source]

Initializes event data.

class plaso.parsers.utmp.UtmpParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Linux libc6 utmp files.

DATA_FORMAT = 'Linux libc6 utmp file'
NAME = 'utmp'
ParseFileObject(parser_mediator, file_object)[source]

Parses an utmp file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.utmpx module

Parser for MacOS utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MacOS utmpx event data.

hostname

hostname or IP address.

Type:

str

offset

offset of the utmpx record relative to the start of the file, from which the event data was extracted.

Type:

int

pid

process identifier (PID).

Type:

int

terminal

name of the terminal.

Type:

str

terminal_identifier

inittab identifier.

Type:

int

type

type of login.

Type:

int

username

user name.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:utmpx:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.utmpx.UtmpxParser[source]

Bases: FileObjectParser, DtFabricHelper

Parser for Mac OS X 10.5 utmpx files.

DATA_FORMAT = 'Mac OS X 10.5 utmpx file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'utmpx'
ParseFileObject(parser_mediator, file_object)[source]

Parses an UTMPX file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.wincc module

Text parser plugin for WinCC log files.

class plaso.parsers.wincc.SIMATICLogParser[source]

Bases: FileObjectParser

Text parser plugin for SIMATIC S7 Log files.

DATA_FORMAT = 'SIMATIC S7 Log file'
DELIMITER = ','
ENCODING = 'ascii'
END_OF_LINE = '\r\n'
NAME = 'simatic_s7'
ParseFileObject(parser_mediator, file_object)[source]

Parses a SIMATIC Log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.wincc.SIMATICS7EventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

SIMATIC S7 event data.

body

the message content of the event.

Type:

str

creation_time

date and time the log entry was created.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'wincc:simatic_s7:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.wincc.WinCCSysLogEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

WinCC Sys Log event data.

body

the content of the log’s message.

Type:

str

creation_time

date and time the log entry was created.

Type:

dfdatetime.DateTimeValues

event_number

a number specifying the type of event.

Type:

int

log_hostname

the hostname of the machine logging the event.

Type:

str

log_identifier

identifier for this log file.

Type:

int

source_device

which device generated the event.

Type:

str

DATA_TYPE = 'wincc:sys_log:entry'
__init__()[source]

Initializes event data.

class plaso.parsers.wincc.WinCCSysLogParser[source]

Bases: FileObjectParser

Text parser plugin for WinCC Sys Log files.

DATA_FORMAT = 'WinCC Sys Log file'
DELIMITER = ','
ENCODING = 'utf-16-le'
NAME = 'wincc_sys'
ParseFileObject(parser_mediator, file_object)[source]

Parses a WinCC Sys Log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

plaso.parsers.windefender_history module

Parser for Windows Defender scan DetectionHistory files.

class plaso.parsers.windefender_history.WinDefenderHistoryParser[source]

Bases: FileObjectParser, DtFabricHelper

Parses a Windows Defender scan DetectionHistory file.

DATA_FORMAT = 'Windows Defender scan DetectionHistory file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'windefender_history'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Defender History file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.windefender_history.WindowsDefenderHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Defender scan DetectionHistory event data.

additional_filenames

locations of additional detected files.

Type:

list[str]

container_filenames

location of files detected inside a container.

Type:

list[str]

filename

name of the file that the threat was detected in.

Type:

str

host_and_user

name of the host and user in “DOMAINUSER” format.

Type:

str

process

name of the process that caused the detection.

Type:

str

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

sha256

SHA-256 hash of the file.

Type:

str

threat_name

name of the threat that was detected.

Type:

str

web_filenames

URI of files detected as downloaded from the web.

Type:

list[str]

DATA_TYPE = 'av:defender:detection_history'
__init__()[source]

Initializes event data.

plaso.parsers.winevt module

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]

Bases: FileObjectParser

Parses Windows EventLog (EVT) files.

DATA_FORMAT = 'Windows EventLog (EVT) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'winevt'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows EventLog (EVT) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows EventLog (EVT) record event data.

creation_time

event record creation date and time.

Type:

dfdatetime.DateTimeValues

computer_name

computer name stored in the event record.

Type:

str

event_category

event category.

Type:

int

event_identifier

event identifier.

Type:

int

event_type

event type.

Type:

int

facility

event facility.

Type:

int

message_identifier

event message identifier.

Type:

int

offset

offset of the event record relative to the start of the file, from which the event data was extracted.

Type:

int

record_number

event record number.

Type:

int

recovered

True if the record was recovered.

Type:

bool

severity

event severity.

Type:

int

source_name

name of the event source.

Type:

str

strings

event strings.

Type:

list[str]

user_sid

user security identifier (SID) stored in the event record.

Type:

str

written_time

event record written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'windows:evt:record'
__init__()[source]

Initializes event data.

plaso.parsers.winevtx module

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]

Bases: FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DATA_FORMAT = 'Windows XML EventLog (EVTX) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'winevtx'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevtx.WinEvtxRecordEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows XML EventLog (EVTX) record event data.

creation_time

event record creation date and time.

Type:

dfdatetime.DateTimeValues

computer_name

computer name stored in the event record.

Type:

str

event_identifier

event identifier.

Type:

int

event_level

event level.

Type:

int

event_version

event version.

Type:

int

message_identifier

event message identifier.

Type:

int

offset

offset of the EVTX record relative to the start of the file, from which the event data was extracted.

Type:

int

provider_identifier

identifier of the EventLog provider.

Type:

str

record_number

event record number.

Type:

int

recovered

True if the record was recovered.

Type:

bool

source_name

name of the event source.

Type:

str

strings

event strings.

Type:

list[str]

user_sid

user security identifier (SID) stored in the event record.

Type:

str

written_time

event record written date and time.

Type:

dfdatetime.DateTimeValues

xml_string

XML representation of the event.

Type:

str

DATA_TYPE = 'windows:evtx:record'
__init__()[source]

Initializes event data.

plaso.parsers.winjob module

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Scheduled Task event data.

application

path to job executable.

Type:

str

comment

description of the scheduled task.

Type:

str

last_run_time

executable (binary) last run date and time.

Type:

dfdatetime.DateTimeValues

parameters

application command line parameters.

Type:

str

username

username that scheduled the task.

Type:

str

working_directory

working directory of the scheduled task.

Type:

str

DATA_TYPE = 'windows:tasks:job'
__init__()[source]

Initializes event data.

class plaso.parsers.winjob.WinJobParser[source]

Bases: FileObjectParser, DtFabricHelper

Parse Windows Scheduled Task files for job events.

DATA_FORMAT = 'Windows Scheduled Task job (or at-job) file'
NAME = 'winjob'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows job file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – a file-like object.

Raises:

WrongParser – when the file cannot be parsed.

class plaso.parsers.winjob.WinJobTriggerEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Scheduled Task trigger event data.

application

path to job executable.

Type:

str

comment

description of the scheduled task.

Type:

str

end_time

date and time the end of the trigger.

Type:

dfdatetime.DateTimeValues

parameters

application command line parameters.

Type:

str

start_time

date and time the start of the trigger.

Type:

dfdatetime.DateTimeValues

trigger_type

trigger type.

Type:

int

username

username that scheduled the task.

Type:

str

working_directory

working directory of the scheduled task.

Type:

str

DATA_TYPE = 'windows:tasks:trigger'
__init__()[source]

Initializes event data.

plaso.parsers.winlnk module

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Shortcut (LNK) link event data.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

birth_droid_file_identifier

distributed link tracking birth droid file identifier.

Type:

str

birth_droid_volume_identifier

distributed link tracking birth droid volume identifier.

Type:

str

command_line_arguments

command line arguments.

Type:

str

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

description

description of the linked item.

Type:

str

drive_serial_number

drive serial number where the linked item resides.

Type:

int

drive_type

drive type where the linked item resided.

Type:

str

droid_file_identifier

distributed link tracking droid file identifier.

Type:

str

droid_volume_identifier

distributed link tracking droid volume identifier.

Type:

str

env_var_location

environment variables location.

Type:

str

file_attribute_flags

file attribute flags of the linked item.

Type:

int

file_size

size of the linked item.

Type:

int

icon_location

icon location.

Type:

str

shell item list of the link target.

Type:

str

local_path

local path of the linked item.

Type:

str

modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

network_path

local path of the linked item.

Type:

str

relative_path

relative path.

Type:

str

volume_label

volume label where the linked item resided.

Type:

str

working_directory

working directory.

Type:

str

DATA_TYPE = 'windows:lnk:link'
__init__()[source]

Initializes event data.

class plaso.parsers.winlnk.WinLnkParser[source]

Bases: FileObjectParser

Windows Shortcut (LNK) file parser.

DATA_FORMAT = 'Windows Shortcut (LNK) file'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'lnk'
ParseFileLNKFile(parser_mediator, file_object, display_name)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

  • display_name (str) – display name.

ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Shortcut (LNK) file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

__init__()[source]

Initializes a Windows Shortcut (LNK) file parser.

plaso.parsers.winpca module

Parser for Windows Program Compatibility Assistant (PCA) log files.

class plaso.parsers.winpca.WindowsPCABaseParser[source]

Bases: DSVParser

Shared code for parsing Program Compatibility Assistant (PCA) log files.

COLUMNS = ()
DELIMITER = '|'
VerifyRow(parser_mediator, row)[source]

Verifies if a line of the file is in the expected format.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

class plaso.parsers.winpca.WindowsPCADB0Parser[source]

Bases: WindowsPCABaseParser

Parses Windows Program Compatibility Assistant DB0 log files.

COLUMNS = ['datetime', 'run_status', 'program', 'description', 'vendor', 'version', 'program_id', 'exit_code']
DATA_FORMAT = 'Windows PCA DB0 log file'
NAME = 'winpca_db0'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

class plaso.parsers.winpca.WindowsPCADicParser[source]

Bases: WindowsPCABaseParser

Parses the Windows Program Compatibility Assistant DIC log files.

COLUMNS = ['program', 'datetime']
DATA_FORMAT = 'Windows PCA DIC log file'
NAME = 'winpca_dic'
ParseRow(parser_mediator, row_offset, row)[source]

Parses a line of the log file and produces events.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • row_offset (int) – offset of the line from which the row was extracted.

  • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

class plaso.parsers.winpca.WindowsPCAEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows PCA (Program Compatibility Assistant) event data.

description

description of the executable.

Type:

str

executable

executable filename.

Type:

str

exit_code

final result of the execution.

Type:

str

last_execution_time

entry last execution date and time.

Type:

dfdatetime.DateTimeValues

program_identifier

program identifier.

Type:

str

run_status

execution status.

Type:

str

vendor

vendor of executed software.

Type:

str

version

version of executed software.

Type:

str

DATA_TYPE = 'windows:pca_log:entry'
__init__()[source]

Initializes event data.

plaso.parsers.winprefetch module

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Prefetch event data.

executable

executable filename.

Type:

str

format_version

format version.

Type:

int

last_run_time

executable (binary) last run date and time.

Type:

dfdatetime.DateTimeValues

mapped_files

mapped filenames.

Type:

list[str]

number_of_volumes

number of volumes.

Type:

int

path_hints

possible full paths to the executable.

Type:

list[str]

prefetch_hash

prefetch hash.

Type:

int

previous_run_times

previous executable (binary) run date and time.

Type:

list[dfdatetime.DateTimeValues]

run_count

run count.

Type:

int

volume_device_paths

volume device paths.

Type:

list[str]

volume_serial_numbers

volume serial numbers.

Type:

list[int]

DATA_TYPE = 'windows:prefetch:execution'
__init__()[source]

Initializes event data.

class plaso.parsers.winprefetch.WinPrefetchParser[source]

Bases: FileObjectParser

A parser for Windows Prefetch files.

DATA_FORMAT = 'Windows Prefetch File (PF)'
classmethod GetFormatSpecification()[source]

Retrieves the format specification.

Returns:

format specification.

Return type:

FormatSpecification

NAME = 'prefetch'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Prefetch file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winreg_parser module

Parser for Windows NT Registry (REGF) files.

class plaso.parsers.winreg_parser.WinRegistryParser[source]

Bases: FileObjectParser

Parses Windows NT Registry (REGF) files.

DATA_FORMAT = 'Windows NT Registry (REGF) file'
EnablePlugins(plugin_includes)[source]

Enables parser plugins.

Parameters:

plugin_includes (set[str]) – names of the plugins to enable, where set([‘*’]) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

classmethod GetFormatSpecification()[source]

Retrieves the format specification.

NAME = 'winreg'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Registry file-like object.

Parameters:

  • parser_mediator (ParserMediator) – parser mediator.

  • file_object (dfvfs.FileIO) – a file-like object.

__init__()[source]

Initializes a parser.

plaso.parsers.winrestore module

Parser for Windows Restore Point (rp.log) files.

class plaso.parsers.winrestore.RestorePointEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Restore Point event data.

creation_time

creation date and time.

Type:

dfdatetime.DateTimeValues

description

description.

Type:

str

restore_point_event_type

restore point event type.

Type:

str

restore_point_type

restore point type.

Type:

str

sequence_number

sequence number.

Type:

str

DATA_TYPE = 'windows:restore_point:info'
__init__()[source]

Initializes Windows Recycle Bin event data.

class plaso.parsers.winrestore.RestorePointLogParser[source]

Bases: FileObjectParser, DtFabricHelper

A parser for Windows Restore Point (rp.log) files.

DATA_FORMAT = 'Windows Restore Point log (rp.log) file'
FILTERS = frozenset({<plaso.parsers.interface.FileNameFileEntryFilter object>})
NAME = 'rplog'
ParseFileObject(parser_mediator, file_object)[source]

Parses a Windows Restore Point (rp.log) log file-like object.

Parameters:

  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (dfvfs.FileIO) – file-like object.

Raises:

WrongParser – when the file cannot be parsed.

Module contents

This file imports Python modules that register parsers.