plaso.storage package¶

Subpackages¶

Submodules¶

plaso.storage.event_heaps module¶

Heaps to sort events in chronological order.

class plaso.storage.event_heaps.EventHeap[source]¶

Bases: object

Event heap.

PopEvent()[source]¶

Pops an event from the heap.

Returns: event.
Return type: EventObject

PopEvents()[source]¶

Pops events from the heap.

Yields: EventObject – event.

PushEvent(event, event_index)[source]¶

Pushes an event onto the heap.

Parameters

event (EventObject) – event.
event_index (int) – index of the event in the storage.

property number_of_events¶

number of serialized events on the heap.

Type: int

class plaso.storage.event_heaps.SerializedEventHeap[source]¶

Bases: object

Serialized event heap.

data_size¶

total data size of the serialized events on the heap.

Type: int

Empty()[source]¶: Empties the heap.

PopEvent()[source]¶

Pops an event from the heap.

Returns

containing:

int: event timestamp or None if the heap is empty bytes: serialized event or None if the heap is empty

Return type

tuple

PushEvent(timestamp, event_data)[source]¶

Pushes a serialized event onto the heap.

Parameters

timestamp (int) – event timestamp, which contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.
event_data (bytes) – serialized event.

property number_of_events¶

number of serialized events on the heap.

Type: int

plaso.storage.event_tag_index module¶

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex[source]¶

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_file, event_identifier)[source]¶

Retrieves the most recently updated event tag for an event.

Parameters

storage_file (BaseStorageFile) – storage file.
event_identifier (AttributeContainerIdentifier) – event attribute container identifier.

Returns

event tag or None if the event has no event tag.

Return type

EventTag

SetEventTag(event_tag)[source]¶

Sets an event tag in the index.

Parameters: event_tag (EventTag) – event tag.

plaso.storage.factory module¶

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory[source]¶

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)[source]¶

Creates a storage file.

Parameters

storage_format (str) – storage format.

Returns

a storage file or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageFile

classmethod CreateStorageReaderForFile(path)[source]¶

Creates a storage reader based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateStorageWriter(storage_format, session, path)[source]¶

Creates a storage writer.

Parameters

storage_format (str) – storage format.
session (Session) – session the storage changes are part of.
path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateStorageWriterForFile(session, path)[source]¶

Creates a storage writer based on the file.

Parameters

session (Session) – session the storage changes are part of.
path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be: opened or the storage format is not supported.

Return type

StorageWriter

plaso.storage.file_interface module¶

Storage interface classes for file-backed stores.

class plaso.storage.file_interface.BaseStorageFile[source]¶

Bases: plaso.storage.interface.BaseStore

Interface for file-based stores.

class plaso.storage.file_interface.SerializedAttributeContainerList[source]¶

Bases: object

Serialized attribute container list.

The list is unsorted and pops attribute containers in the same order as pushed to preserve order.

The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it being filled.

data_size¶

total data size of the serialized attribute containers on the list.

Type: int

next_sequence_number¶

next attribute container sequence number.

Type: int

Empty()[source]¶: Empties the list.

GetAttributeContainerByIndex(index)[source]¶

Retrieves a specific serialized attribute container from the list.

Parameters: index (int) – attribute container index.
Returns: serialized attribute container data or None if not available.
Return type: bytes
Raises: IndexError – if the index is less than zero.

PopAttributeContainer()[source]¶

Pops a serialized attribute container from the list.

Returns: serialized attribute container data or None if the list is empty.
Return type: bytes

PushAttributeContainer(serialized_data)[source]¶

Pushes a serialized attribute container onto the list.

Parameters: serialized_data (bytes) – serialized attribute container data.

property number_of_attribute_containers¶

number of serialized attribute containers on the list.

Type: int

class plaso.storage.file_interface.StorageFileMergeReader(storage_writer)[source]¶

Bases: plaso.storage.interface.StorageMergeReader

Storage reader interface for merging file-based stores.

class plaso.storage.file_interface.StorageFileReader(path)[source]¶

Bases: plaso.storage.interface.StorageReader

File-based storage reader interface.

Close()[source]¶: Closes the storage reader.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Returns: analysis report generator.
Return type: generator(AnalysisReport)

GetEventData()[source]¶

Retrieves the event data.

Returns: event data generator.
Return type: generator(EventData)

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventDataStreamByIdentifier(identifier)[source]¶

Retrieves a specific event data stream.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data stream or None if not available.
Return type: EventDataStream

GetEventDataStreams()[source]¶

Retrieves the event data streams.

Returns: event data stream generator.
Return type: generator(EventDataStream)

GetEventSources()[source]¶

Retrieves the event sources.

Returns: event source generator.
Return type: generator(EventSource)

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTag)

GetEvents()[source]¶

Retrieves the events.

Returns: event generator.
Return type: generator(EventObject)

GetFormatVersion()[source]¶

Retrieves the format version of the underlying storage file.

Returns: the format version, or None if not available.
Return type: int

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

GetNumberOfEventSources()[source]¶

Retrieves the number of event sources.

Returns: number of event sources.
Return type: int

GetSerializationFormat()[source]¶

Retrieves the serialization format of the underlying storage file.

Returns: the serialization format, or None if not available.
Return type: str

GetSessions()[source]¶

Retrieves the sessions.

Returns: session generator.
Return type: generator(Session)

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns: event generator.
Return type: generator(EventObject)

GetStorageType()[source]¶

Retrieves the storage type of the underlying storage file.

Returns: the storage type, or None if not available.
Return type: str

GetWarnings()[source]¶

Retrieves the warnings.

Returns: warning generator.
Return type: generator(ExtractionWarning)

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

ReadSystemConfiguration(knowledge_base)[source]¶

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the system configuration.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

class plaso.storage.file_interface.StorageFileWriter(session, output_file, storage_type='session', task=None)[source]¶

Bases: plaso.storage.interface.StorageWriter

Defines an interface for a file-backed storage writer.

AddAnalysisReport(analysis_report, serialized_data=None)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.
serialized_data (Optional[bytes]) – serialized form of the analysis report.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEvent(event, serialized_data=None)[source]¶

Adds an event.

Parameters

event (EventObject) – an event.
serialized_data (Optional[bytes]) – serialized form of the event.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventData(event_data, serialized_data=None)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.
serialized_data (Optional[bytes]) – serialized form of the event data.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventDataStream(event_data_stream, serialized_data=None)[source]¶

Adds an event data stream.

Parameters

event_data_stream (EventDataStream) – event data stream.
serialized_data (Optional[bytes]) – serialized form of the event data stream.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventSource(event_source, serialized_data=None)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – an event source.
serialized_data (Optional[bytes]) – serialized form of the event source.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddEventTag(event_tag, serialized_data=None)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – an event tag.
serialized_data (Optional[bytes]) – serialized form of the event tag.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

AddWarning(warning, serialized_data=None)[source]¶

Adds an warning.

Parameters

warning (ExtractionWarning) – an extraction warning.
serialized_data (Optional[bytes]) – serialized form of the warning.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

Close()[source]¶

Closes the storage writer.

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

FinalizeTaskStorage(task)[source]¶

Finalizes a processed task storage.

Moves the task storage file from its temporary directory to the processed directory.

Parameters

task (Task) – task.

Raises

IOError – if the storage type or format is not supported or if the storage file cannot be renamed.
OSError – if the storage type or format is not supported or if the storage file cannot be renamed.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventDataStreamByIdentifier(identifier)[source]¶

Retrieves a specific event data stream.

Parameters: identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns: event data stream or None if not available.
Return type: EventDataStream

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTag)

GetEvents()[source]¶

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetFirstWrittenEventSource()[source]¶

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]¶

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

GetProcessedTaskIdentifiers()[source]¶

Identifiers for tasks which have been processed.

Returns

task identifiers that are processed.

Return type

list[str]

Raises

IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

Raises

IOError – when the storage writer is closed.
OSError – when the storage writer is closed.

Open(**unused_kwargs)[source]¶

Opens the storage writer.

Raises

IOError – if the storage writer is already opened.
OSError – if the storage writer is already opened.

PrepareMergeTaskStorage(task)[source]¶

Prepares a task storage for merging.

Moves the task storage file from the processed directory to the merge directory.

Parameters

task (Task) – task.

Raises

IOError – if the storage type or format is not supported or if the storage file cannot be renamed.
OSError – if the storage type or format is not supported or if the storage file cannot be renamed.

RemoveProcessedTaskStorage(task)[source]¶

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

IOError – if the storage type or format is not supported or if the storage file cannot be removed.
OSError – if the storage type or format is not supported or if the storage file cannot be removed.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

StartMergeTaskStorage(task)[source]¶

Starts a merge of a task store with the session storage.

Parameters

task (Task) – task.

Returns

storage merge reader of the task storage.

Return type

StorageMergeReader

Raises

IOError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.
OSError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

StartTaskStorage()[source]¶

Creates a temporary path for the task storage.

Raises

IOError – if the storage type is not supported or if the temporary path for the task storage already exists.
OSError – if the storage type is not supported or if the temporary path for the task storage already exists.

StopTaskStorage(abort=False)[source]¶

Removes the temporary path for the task storage.

The results of tasks will be lost on abort.

Parameters

abort (bool) – True to indicate the stop is issued on abort.

Raises

IOError – if the storage type is not supported.
OSError – if the storage type is not supported.

WriteSessionCompletion(aborted=False)[source]¶

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteSessionConfiguration()[source]¶

Writes session configuration information.

Raises

IOError – if the storage type does not support writing session configuration information or when the storage writer is closed.
OSError – if the storage type does not support writing session configuration information or when the storage writer is closed.

WriteSessionStart()[source]¶

Writes session start information.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskCompletion(aborted=False)[source]¶

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskStart()[source]¶

Writes task start information.

Raises

IOError – if the storage type is not supported or when the storage writer is closed.
OSError – if the storage type is not supported or when the storage writer is closed.

plaso.storage.identifiers module¶

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

attribute_values_hash¶

hash value of the attribute values.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

class plaso.storage.identifiers.RedisKeyIdentifier(identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

Redis key attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a Redis instance.

identifier¶

unique identifier of a container.

Type: UUID

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a SQLite database file.

name¶

name of the table.

Type: str

row_identifier¶

unique identifier of the row in the table.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)[source]¶

Bases: plaso.containers.interface.AttributeContainerIdentifier

Serialized stream attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a ZIP file.

stream_number¶

number of the serialized attribute container stream.

Type: int

entry_index¶

number of the serialized event within the stream.

Type: int

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

plaso.storage.interface module¶

The storage interface classes.

class plaso.storage.interface.BaseStore[source]¶

Bases: object

Storage interface.

format_version¶

storage format version.

Type: int

serialization_format¶

serialization format.

Type: str

storage_type¶

storage type.

Type: str

AddAnalysisReport(analysis_report, serialized_data=None)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.
serialized_data (Optional[bytes]) – serialized form of the analysis report.

AddEvent(event, serialized_data=None)[source]¶

Adds an event.

Parameters

event (EventObject) – event.
serialized_data (Optional[bytes]) – serialized form of the event.

AddEventData(event_data, serialized_data=None)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.
serialized_data (Optional[bytes]) – serialized form of the event data.

AddEventDataStream(event_data_stream, serialized_data=None)[source]¶

Adds an event data stream.

Parameters

event_data_stream (EventDataStream) – event data stream.
serialized_data (Optional[bytes]) – serialized form of the event data stream.

AddEventSource(event_source, serialized_data=None)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – event source.
serialized_data (Optional[bytes]) – serialized form of the event source.

AddEventTag(event_tag, serialized_data=None)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.
serialized_data (Optional[bytes]) – serialized form of the event tag.

AddWarning(warning, serialized_data=None)[source]¶

Adds a warning.

Parameters

warning (ExtractionWarning) – warning.
serialized_data (Optional[bytes]) – serialized form of the event tag.

abstract Close()[source]¶: Closes the store.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Returns: analysis report generator.
Return type: generator(AnalysisReport)

GetEventData()[source]¶

Retrieves the event data.

Returns: event data generator.
Return type: generator(EventData)

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

GetEventDataStreamByIdentifier(identifier)[source]¶

Retrieves a specific event data stream.

Parameters: identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns: event data stream or None if not available.
Return type: EventDataStream

GetEventDataStreams()[source]¶

Retrieves the event data streams.

Returns: event data stream generator.
Return type: generator(EventDataStream)

GetEventSources()[source]¶

Retrieves the event sources.

Returns: event source generator.
Return type: generator(EventSource)

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

Raises

OSError – if an invalid identifier is provided.
IOError – if an invalid identifier is provided.

GetEventTags()[source]¶

Retrieves the event tags.

Returns: event tag generator.
Return type: generator(EventTag)

GetEvents()[source]¶

Retrieves the events.

Returns: event generator.
Return type: generator(Event)

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

GetNumberOfEventSources()[source]¶

Retrieves the number event sources.

Returns: number of event sources.
Return type: int

GetSessions()[source]¶

Retrieves the sessions.

Yields

Session – session attribute container.

Raises

IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

abstract GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the store including those pending being flushed (written) to the store.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

GetWarnings()[source]¶

Retrieves the warnings.

Returns: warning generator.
Return type: generator(ExtractionWarning)

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

abstract Open(**kwargs)[source]¶: Opens the storage.

ReadSystemConfiguration(knowledge_base)[source]¶

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the system configuration.

SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

WriteSessionCompletion(session_completion)[source]¶

Writes session completion information.

Parameters

session_completion (SessionCompletion) – session completion information.

Raises

IOError – if the storage type does not support writing a session completion or the storage file is closed or read-only.
OSError – if the storage type does not support writing a session completion or the storage file is closed or read-only.

WriteSessionConfiguration(session_configuration)[source]¶

Writes session configuration information.

Parameters

session_configuration (SessionConfiguration) – session configuration information.

Raises

IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.

WriteSessionStart(session_start)[source]¶

Writes session start information.

Parameters

session_start (SessionStart) – session start information.

Raises

IOError – if the storage type does not support writing a session start or the storage file is closed or read-only.
OSError – if the storage type does not support writing a session start or the storage file is closed or read-only.

WriteTaskCompletion(task_completion)[source]¶

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

Raises

IOError – if the storage type does not support writing a task completion or the storage file is closed or read-only.
OSError – if the storage type does not support writing a task completion or the storage file is closed or read-only.

WriteTaskStart(task_start)[source]¶

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

Raises

IOError – if the storage type does not support writing a task start or the storage file is closed or read-only.
OSError – if the storage type does not support writing a task start or the storage file is closed or read-only.

class plaso.storage.interface.StorageMergeReader(storage_writer)[source]¶

Bases: object

Storage reader interface for merging.

abstract MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]¶

Reads attribute containers from a task store into the writer.

Parameters

callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profile.

class plaso.storage.interface.StorageReader[source]¶

Bases: object

Storage reader interface.

abstract Close()[source]¶: Closes the storage reader.

abstract GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Yields: AnalysisReport – analysis report.

abstract GetEventData()[source]¶

Retrieves the event data.

Yields: EventData – event data.

abstract GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

abstract GetEventDataStreamByIdentifier(identifier)[source]¶

Retrieves a specific event data stream.

Parameters: identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns: event data stream or None if not available.
Return type: EventDataStream

abstract GetEventDataStreams()[source]¶

Retrieves the event data streams.

Yields: EventDataStream – event data stream.

abstract GetEventSources()[source]¶

Retrieves event sources.

Yields: EventSourceObject – event source.

abstract GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters: identifier (AttributeContainerIdentifier) – event tag identifier.
Returns: event tag or None if not available.
Return type: EventTag

abstract GetEventTags()[source]¶

Retrieves the event tags.

Yields: EventTag – event tag.

abstract GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

abstract GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns: number of analysis reports.
Return type: int

abstract GetNumberOfEventSources()[source]¶

Retrieves the number of event sources.

Returns: number of event sources.
Return type: int

abstract GetSessions()[source]¶

Retrieves the sessions.

Yields: Session – session.

abstract GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

abstract GetWarnings()[source]¶

Retrieves the warnings.

Yields: ExtractionWarning – warning.

abstract HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns: True if the store contains analysis reports.
Return type: bool

abstract HasEventTags()[source]¶

Determines if a store contains event tags.

Returns: True if the store contains event tags.
Return type: bool

abstract HasWarnings()[source]¶

Determines if a store contains extraction warnings.

Returns: True if the store contains extraction warnings.
Return type: bool

abstract ReadSystemConfiguration(knowledge_base)[source]¶

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters: knowledge_base (KnowledgeBase) – is used to store the system configuration.

abstract SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

abstract SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profile.

__enter__()[source]¶: Make usable with “with” statement.

__exit__(exception_type, value, traceback)[source]¶: Make usable with “with” statement.

class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)[source]¶

Bases: object

Storage writer interface.

number_of_analysis_reports¶

number of analysis reports written.

Type: int

number_of_event_sources¶

number of event sources written.

Type: int

number_of_event_tags¶

number of event tags written.

Type: int

number_of_events¶

number of events written.

Type: int

number_of_warnings¶

number of warnings written.

Type: int

abstract AddAnalysisReport(analysis_report, serialized_data=None)[source]¶

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – a report.
serialized_data (Optional[bytes]) – serialized form of the analysis report.

abstract AddEvent(event, serialized_data=None)[source]¶

Adds an event.

Parameters

event (EventObject) – an event.
serialized_data (Optional[bytes]) – serialized form of the event.

abstract AddEventData(event_data, serialized_data=None)[source]¶

Adds event data.

Parameters

event_data (EventData) – event data.
serialized_data (Optional[bytes]) – serialized form of the event data.

abstract AddEventDataStream(event_data_stream, serialized_data=None)[source]¶

Adds an event data stream.

Parameters

event_data_stream (EventDataStream) – event data stream.
serialized_data (Optional[bytes]) – serialized form of the event data stream.

abstract AddEventSource(event_source, serialized_data=None)[source]¶

Adds an event source.

Parameters

event_source (EventSource) – an event source.
serialized_data (Optional[bytes]) – serialized form of the event source.

abstract AddEventTag(event_tag, serialized_data=None)[source]¶

Adds an event tag.

Parameters

event_tag (EventTag) – an event tag.
serialized_data (Optional[bytes]) – serialized form of the event tag.

abstract AddWarning(warning, serialized_data=None)[source]¶

Adds an warning.

Parameters

warning (ExtractionWarning) – a warning.
serialized_data (Optional[bytes]) – serialized form of the warning.

abstract CheckTaskReadyForMerge(task)[source]¶

Checks if a task is ready for merging into the store.

Parameters: task (Task) – task.
Returns: True if the task is ready to be merged.
Return type: bool

abstract Close()[source]¶: Closes the storage writer.

CreateTaskStorage(task, task_storage_format)[source]¶

Creates a task store.

Parameters

task (Task) – task.
task_storage_format (str) – storage format to store task results.

Returns

storage writer for the task store.

Return type

StorageWriter

Raises

NotImplementedError – since there is no implementation.

FinalizeTaskStorage(task)[source]¶

Finalizes a processed task storage.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

abstract GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters: identifier (AttributeContainerIdentifier) – event data identifier.
Returns: event data or None if not available.
Return type: EventData

abstract GetEventDataStreamByIdentifier(identifier)[source]¶

Retrieves a specific event data stream.

Parameters: identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns: event data stream or None if not available.
Return type: EventDataStream

abstract GetEvents()[source]¶

Retrieves the events.

Yields: EventObject – event.

abstract GetFirstWrittenEventSource()[source]¶

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns: event source or None if there are no newly written ones.
Return type: EventSource

abstract GetNextWrittenEventSource()[source]¶

Retrieves the next event source that was written after open.

Returns: event source or None if there are no newly written ones.
Return type: EventSource

abstract GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields: EventObject – event.

abstract Open(**kwargs)[source]¶: Opens the storage writer.

PrepareMergeTaskStorage(task)[source]¶

Prepares a task storage for merging.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

RemoveProcessedTaskStorage(task)[source]¶

Removes a processed task storage.

Parameters: task (Task) – task.
Raises: NotImplementedError – since there is no implementation.

abstract SetSerializersProfiler(serializers_profiler)[source]¶

Sets the serializers profiler.

Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

abstract SetStorageProfiler(storage_profiler)[source]¶

Sets the storage profiler.

Parameters: storage_profiler (StorageProfiler) – storage profiler.

abstract WriteSessionCompletion(aborted=False)[source]¶

Writes session completion information.

Parameters: aborted (Optional[bool]) – True if the session was aborted.

abstract WriteSessionConfiguration()[source]¶: Writes session configuration information.

abstract WriteSessionStart()[source]¶: Writes session start information.

abstract WriteTaskCompletion(aborted=False)[source]¶

Writes task completion information.

Parameters: aborted (Optional[bool]) – True if the session was aborted.

abstract WriteTaskStart()[source]¶: Writes task start information.

plaso.storage.logger module¶

The storage sub module logger.

plaso.storage.time_range module¶

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)[source]¶

Bases: object

Date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration¶

duration of the range in microseconds.

Type: int

end_timestamp¶

timestamp that marks the end of the range.

Type: int

start_timestamp¶

timestamp that marks the start of the range.

Type: int

plaso.storage package¶

Subpackages¶

Submodules¶

plaso.storage.event_heaps module¶

plaso.storage.event_tag_index module¶

plaso.storage.factory module¶

plaso.storage.file_interface module¶

plaso.storage.identifiers module¶

plaso.storage.interface module¶

plaso.storage.logger module¶

plaso.storage.time_range module¶

Module contents¶