plaso.parsers.olecf_plugins package

Submodules

plaso.parsers.olecf_plugins.automatic_destinations module

Plugin to parse .automaticDestinations-ms OLECF files.

class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

.automaticDestinations-ms DestList entry event data.

birth_droid_file_identifier

birth droid file identifier.

Type:: str

birth_droid_volume_identifier

birth droid volume identifier.

Type:: str

droid_file_identifier

droid file identifier.

Type:: str

droid_volume_identifier

droid volume identifier.

Type:: str

entry_number

DestList entry number.

Type:: int

hostname

hostname.

Type:: str

modification_time

last modification date and time.

Type:: dfdatetime.DateTimeValues

offset

offset of the DestList entry relative to the start of the DestList stream, from which the event data was extracted.

Type:: int

path

path.

Type:: str

pin_status

pin status.

Type:: int

DATA_TYPE = 'olecf:dest_list:entry'

__init__()[source]: Initializes event data.

class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin[source]

Bases: OLECFPlugin, DtFabricHelper

Plugin that parses an .automaticDestinations-ms OLECF file.

DATA_FORMAT = 'Automatic destinations jump list OLE compound file (.automaticDestinations-ms)'

NAME = 'olecf_automatic_destinations'

ParseDestList(parser_mediator, olecf_item)[source]

Parses the DestList OLECF item.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
olecf_item (pyolecf.item) – OLECF item.

Raises:

WrongParser – if the DestList cannot be parsed.

Process(parser_mediator, root_item=None, **kwargs)[source]

Extracts events from an OLECF file.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
root_item (Optional[pyolecf.item]) – root item of the OLECF file.

Raises:

ValueError – If the root_item is not set.

REQUIRED_ITEMS = frozenset({'DestList'})

plaso.parsers.olecf_plugins.default module

The default plugin for parsing OLE Compound Files (OLECF).

class plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin[source]

Bases: OLECFPlugin

Class to define the default OLECF file plugin.

DATA_FORMAT = 'Generic OLE compound item'

NAME = 'olecf_default'

Process(parser_mediator, root_item=None, **kwargs)[source]

Extracts events from an OLECF file.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
root_item (Optional[pyolecf.item]) – root item of the OLECF file.

Raises:

ValueError – If the root item is not set.

class plaso.parsers.olecf_plugins.default.OLECFItemEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

OLECF item event data.

creation_time

creation date and time of the item.

Type:: dfdatetime.DateTimeValues

modification_time

modification date and time of the item.

Type:: dfdatetime.DateTimeValues

name

name of the OLE Compound File item.

Type:: str

size

data size of the OLE Compound File item.

Type:: int

DATA_TYPE = 'olecf:item'

__init__()[source]: Initializes event data.

plaso.parsers.olecf_plugins.interface module

This file contains the necessary interface for OLECF plugins.

class plaso.parsers.olecf_plugins.interface.OLECFPlugin[source]

Bases: BasePlugin

The OLECF parser plugin interface.

DATA_FORMAT = 'OLE compound file'

NAME = 'olecf_plugin'

abstractmethod Process(parser_mediator, root_item=None, **kwargs)[source]

Extracts events from an OLECF file.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
root_item (Optional[pyolecf.item]) – root item of the OLECF file.

REQUIRED_ITEMS = frozenset({})

plaso.parsers.olecf_plugins.summary module

Plugin to parse the OLECF summary/document summary information items.

class plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin[source]

Bases: OLECFPlugin

Plugin that parses DocumentSummaryInformation item from an OLECF file.

DATA_FORMAT = 'Document summary information (\\0x05DocumentSummaryInformation)'

NAME = 'olecf_document_summary'

Process(parser_mediator, root_item=None, **kwargs)[source]

Extracts events from a document summary information OLECF item.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
root_item (Optional[pyolecf.item]) – root item of the OLECF file.

Raises:

ValueError – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05DocumentSummaryInformation'})

class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformation(olecf_item)[source]

Bases: OLECFPropertySetStream

OLECF Document Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

OLECF document summary information event data.

application_version

application version.

Type:: str

category

category of the document, such as memo or proposal.

Type:: str

codepage

codepage of the document summary information.

Type:: str

company

name of the company of the document.

Type:: str

content_status

content status.

Type:: str

content_type

content type.

Type:: str

document_parts

names of document parts.

Type:: list[str]

document_version

Version of the document.

Type:: int

item_creation_time

creation date and time of the item.

Type:: dfdatetime.DateTimeValues

item_modification_time

modification date and time of the item.

Type:: dfdatetime.DateTimeValues

language

Language of the document.

Type:: str

links_up_to_date

True if the links are up to date.

Type:: bool

manager

name of the manager of the document.

Type:: str

number_of_bytes

size of the document in bytes.

Type:: int

number_of_characters_with_white_space

number of characters including spaces in the document.

Type:: int

number_of_clips

number of multi-media clips in the document.

Type:: int

number_of_hidden_slides

number of hidden slides in the document.

Type:: int

number_of_lines

number of lines in the document.

Type:: int

number_of_notes

number of notes in the document.

Type:: int

number_of_paragraphs

number of paragraphs in the document.

Type:: int

number_of_slides

number of slides in the document.

Type:: int

presentation_format

target format for presentation, such as 35mm, printer or video.

Type:: str

scale

True if scaling of the thumbnail is desired or false if cropping is desired.

Type:: bool

shared_document

True if the document is shared.

Type:: bool

DATA_TYPE = 'olecf:document_summary_info'

__init__()[source]: Initializes event data.

class plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream(olecf_item)[source]

Bases: object

OLECF property set stream.

date_time_properties

date and time properties and values.

Type:: dict[str, dfdatetime.DateTimeValues]

SetEventData(event_data)[source]

Sets the properties as event data.

Parameters:: event_data (EventData) – event data.

__init__(olecf_item)[source]

Initialize an OLECF property set stream.

Parameters:: olecf_item (pyolecf.property_set_stream) – OLECF item.

class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformation(olecf_item)[source]

Bases: OLECFPropertySetStream

OLECF Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

OLECF summary information event data.

application

name of application that created document.

Type:: str

author

author of the document.

Type:: str

codepage

codepage of the summary information.

Type:: str

comments

comments.

Type:: str

creation_time

creation date and time of the document.

Type:: dfdatetime.DateTimeValues

edit_duration

total editing time.

Type:: int

item_creation_time

creation date and time of the item.

Type:: dfdatetime.DateTimeValues

item_modification_time

modification date and time of the item.

Type:: dfdatetime.DateTimeValues

keywords

keywords.

Type:: str

last_printed_time

date and time the document was last printed.

Type:: dfdatetime.DateTimeValues

last_saved_by

name of user that last saved the document.

Type:: str

last_save_time

date and time the document was last saved.

Type:: dfdatetime.DateTimeValues

number_of_characters

number of characters without spaces in the document.

Type:: int

number_of_pages

number of pages in the document.

Type:: int

number_of_words

number of words in the document.

Type:: int

revision_number

revision number.

Type:: int

security_flags

security flags.

Type:: int

subject

subject.

Type:: str

template

name of the template used to created the document.

Type:: str

title

title of the document.

Type:: str

DATA_TYPE = 'olecf:summary_info'

__init__()[source]: Initializes event data.

class plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin[source]

Bases: OLECFPlugin

Plugin that parses the SummaryInformation item from an OLECF file.

DATA_FORMAT = 'Summary information (\\0x05SummaryInformation) (top-level only)'

NAME = 'olecf_summary'

Process(parser_mediator, root_item=None, **kwargs)[source]

Extracts events from a summary information OLECF item.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
root_item (Optional[pyolecf.item]) – root item of the OLECF file.

Raises:

ValueError – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05SummaryInformation'})

Module contents

This file contains an import statement for each OLECF plugin.