plaso.storage package

Submodules

plaso.storage.event_heaps module

Heaps to sort events in chronological order.

class plaso.storage.event_heaps.BaseEventHeap[source]

Bases: object

Event heap interface.

PopEvent()[source]

Pops an event from the heap.

Returns

event.

Return type

EventObject

PopEvents()[source]

Pops events from the heap.

Yields

EventObject – event.

PushEvent(event)[source]

Pushes an event onto the heap.

Parameters

event (EventObject) – event.

PushEvents(events)[source]

Pushes events onto the heap.

Parameters

list[EventObject] (events) – events.

number_of_events

number of serialized events on the heap.

Type

int

class plaso.storage.event_heaps.EventHeap[source]

Bases: plaso.storage.event_heaps.BaseEventHeap

Event heap.

PopEvent()[source]

Pops an event from the heap.

Returns

event.

Return type

EventObject

PushEvent(event)[source]

Pushes an event onto the heap.

Parameters

event (EventObject) – event.

class plaso.storage.event_heaps.SerializedEventHeap[source]

Bases: object

Serialized event heap.

data_size

total data size of the serialized events on the heap.

Type

int

Empty()[source]

Empties the heap.

PopEvent()[source]

Pops an event from the heap.

Returns

containing:

int: event timestamp or None if the heap is empty bytes: serialized event or None if the heap is empty

Return type

tuple

PushEvent(timestamp, event_data)[source]

Pushes a serialized event onto the heap.

Parameters

  • timestamp (int) – event timestamp, which contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

  • event_data (bytes) – serialized event.

number_of_events

number of serialized events on the heap.

Type

int

plaso.storage.event_tag_index module

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex[source]

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_file, event_identifier)[source]

Retrieves the most recently updated event tag for an event.

Parameters
Returns

event tag or None if the event has no event tag.

Return type

EventTag

SetEventTag(event_tag)[source]

Sets an event tag in the index.

Parameters

event_tag (EventTag) – event tag.

plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory[source]

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)[source]

Creates a storage file.

Parameters

storage_format (str) – storage format.

Returns

a storage file or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageFile

classmethod CreateStorageReaderForFile(path)[source]

Creates a storage reader based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateStorageWriter(storage_format, session, path)[source]

Creates a storage writer.

Parameters

  • session (Session) – session the storage changes are part of.

  • path (str) – path to the storage file.

  • storage_format (str) – storage format.

Returns

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateStorageWriterForFile(session, path)[source]

Creates a storage writer based on the file.

Parameters

  • session (Session) – session the storage changes are part of.

  • path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageWriter

plaso.storage.identifiers module

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

attribute_values_hash

hash value of the attribute values.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a SQLite database file.

name

name of the table.

Type

str

row_identifier

unique identifier of the row in the table.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Serialized stream attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a ZIP file.

stream_number

number of the serialized attribute container stream.

Type

int

entry_index

number of the serialized event within the stream.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

plaso.storage.interface module

The storage interface classes.

class plaso.storage.interface.BaseStorageFile[source]

Bases: plaso.storage.interface.BaseStore

Interface for file-based stores.

class plaso.storage.interface.BaseStore[source]

Bases: object

Storage interface.

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

AddEvent(event)[source]

Adds an event.

Parameters

event (EventObject) – event.

AddEventSource(event_source)[source]

Adds an event source.

Parameters

event_source (EventSource) – event source.

AddEventTag(event_tag)[source]

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.

AddWarning(warning)[source]

Adds a warning.

Parameters

warning (ExtractionWarning) – warning.

Close()[source]

Closes the storage.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Yields

AnalysisReport – analysis report.

GetEventData()[source]

Retrieves the event data.

Yields

EventData – event data.

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()[source]

Retrieves the event sources.

Yields

EventSource – event source.

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()[source]

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()[source]

Retrieves the events.

Yields

EventObject – event.

GetNumberOfEventSources()[source]

Retrieves the number event sources.

Returns

number of event sources.

Return type

int

GetSessions()[source]

Retrieves the sessions.

Yields

Session – session.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()[source]

Retrieves the warnings.

Yields

ExtractionWarning – warning.

HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()[source]

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()[source]

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

Open(**kwargs)[source]

Opens the storage.

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters

session_completion (SessionCompletion) – session completion information.

WriteSessionStart(session_start)[source]

Writes session start information.

Parameters

session_start (SessionStart) – session start information.

WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

WriteTaskStart(task_start)[source]

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

class plaso.storage.interface.SerializedAttributeContainerList[source]

Bases: object

Serialized attribute container list.

The list is unsorted and pops attribute containers in the same order as pushed to preserve order.

The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it being filled.

data_size

total data size of the serialized attribute containers on the list.

Type

int

next_sequence_number

next attribute container sequence number.

Type

int

Empty()[source]

Empties the list.

GetAttributeContainerByIndex(index)[source]

Retrieves a specific serialized attribute container from the list.

Parameters

index (int) – attribute container index.

Returns

serialized attribute container data or None if not available.

Return type

bytes

Raises

IndexError – if the index is less than zero.

PopAttributeContainer()[source]

Pops a serialized attribute container from the list.

Returns

serialized attribute container data.

Return type

bytes

PushAttributeContainer(serialized_data)[source]

Pushes a serialized attribute container onto the list.

Parameters

serialized_data (bytes) – serialized attribute container data.

number_of_attribute_containers

number of serialized attribute containers on the list.

Type

int

class plaso.storage.interface.StorageFileMergeReader(storage_writer)[source]

Bases: plaso.storage.interface.StorageMergeReader

Storage reader interface for merging file-based stores.

class plaso.storage.interface.StorageFileReader(path)[source]

Bases: plaso.storage.interface.StorageReader

File-based storage reader interface.

Close()[source]

Closes the storage reader.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns

analysis report generator.

Return type

generator(AnalysisReport)

GetEventData()[source]

Retrieves the event data.

Returns

event data generator.

Return type

generator(EventData)

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()[source]

Retrieves the event sources.

Returns

event source generator.

Return type

generator(EventSource)

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()[source]

Retrieves the event tags.

Returns

event tag generator.

Return type

generator(EventTag)

GetEvents()[source]

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

GetNumberOfAnalysisReports()[source]

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetSessions()[source]

Retrieves the sessions.

Returns

session generator.

Return type

generator(Session)

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

GetWarnings()[source]

Retrieves the warnings.

Returns

warning generator.

Return type

generator(ExtractionWarning)

HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()[source]

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()[source]

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

format_version

format version or None if not set.

Type

int

serialization_format

serialization format or None if not set.

Type

str

storage_type

storage type or None if not set.

Type

str

class plaso.storage.interface.StorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.interface.StorageWriter

Defines an interface for a file-backed storage writer.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddEvent(event)[source]

Adds an event.

Parameters

event (EventObject) – an event.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddEventData(event_data)[source]

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddEventSource(event_source)[source]

Adds an event source.

Parameters

event_source (EventSource) – an event source.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddEventTag(event_tag)[source]

Adds an event tag.

Parameters

event_tag (EventTag) – an event tag.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddWarning(warning)[source]

Adds an warning.

Parameters

warning (ExtractionWarning) – an extraction warning.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

CheckTaskReadyForMerge(task)[source]

Checks if a task is ready for merging with this session storage.

If the task is ready to be merged, this method also sets the task’s storage file size.

Parameters

task (Task) – task.

Returns

True if the task is ready to be merged.

Return type

bool

Raises

  • IOError – if the storage type is not supported or

  • OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

Close()[source]

Closes the storage writer.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

CreateTaskStorage(task)[source]

Creates a task storage.

The task storage is used to store attributes created by the task.

Parameters

task (Task) – task.

Returns

storage writer.

Return type

StorageWriter

Raises

  • IOError – if the storage type is not supported.

  • OSError – if the storage type is not supported.

FinalizeTaskStorage(task)[source]

Finalizes a processed task storage.

Moves the task storage file from its temporary directory to the processed directory.

Parameters

task (Task) – task.

Raises

  • IOError – if the storage type is not supported or if the storage file cannot be renamed.

  • OSError – if the storage type is not supported or if the storage file cannot be renamed.

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()[source]

Retrieves the event tags.

Returns

event tag generator.

Return type

generator(EventTag)

GetEvents()[source]

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetProcessedTaskIdentifiers()[source]

Identifiers for tasks which have been processed.

Returns

task identifiers that are processed.

Return type

list[str]

Raises

  • IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.

  • OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

Open()[source]

Opens the storage writer.

Raises

  • IOError – if the storage writer is already opened.

  • OSError – if the storage writer is already opened.

PrepareMergeTaskStorage(task)[source]

Prepares a task storage for merging.

Moves the task storage file from the processed directory to the merge directory.

Parameters

task (Task) – task.

Raises

  • IOError – if the storage type is not supported or if the storage file cannot be renamed.

  • OSError – if the storage type is not supported or if the storage file cannot be renamed.

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

RemoveProcessedTaskStorage(task)[source]

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

  • IOError – if the storage type is not supported or if the storage file cannot be removed.

  • OSError – if the storage type is not supported or if the storage file cannot be removed.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

StartMergeTaskStorage(task)[source]

Starts a merge of a task storage with the session storage.

Parameters

task (Task) – task.

Returns

storage merge reader of the task storage.

Return type

StorageMergeReader

Raises

  • IOError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

  • OSError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

StartTaskStorage()[source]

Creates a temporary path for the task storage.

Raises

  • IOError – if the storage type is not supported or if the temporary path for the task storage already exists.

  • OSError – if the storage type is not supported or if the temporary path for the task storage already exists.

StopTaskStorage(abort=False)[source]

Removes the temporary path for the task storage.

The results of tasks will be lost on abort.

Parameters

abort (bool) – True to indicate the stop is issued on abort.

Raises

  • IOError – if the storage type is not supported.

  • OSError – if the storage type is not supported.

WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

  • IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

  • OSError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

WriteSessionCompletion(aborted=False)[source]

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

  • IOError – if the storage type is not supported or when the storage writer is closed.

  • OSError – if the storage type is not supported or when the storage writer is closed.

WriteSessionStart()[source]

Writes session start information.

Raises

  • IOError – if the storage type is not supported or when the storage writer is closed.

  • OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskCompletion(aborted=False)[source]

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

  • IOError – if the storage type is not supported or when the storage writer is closed.

  • OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskStart()[source]

Writes task start information.

Raises

  • IOError – if the storage type is not supported or when the storage writer is closed.

  • OSError – if the storage type is not supported or when the storage writer is closed.

class plaso.storage.interface.StorageMergeReader(storage_writer)[source]

Bases: object

Storage reader interface for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters

  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.

  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

class plaso.storage.interface.StorageReader[source]

Bases: object

Storage reader interface.

Close()[source]

Closes the storage reader.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Yields

AnalysisReport – analysis report.

GetEventData()[source]

Retrieves the event data.

Yields

EventData – event data.

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()[source]

Retrieves event sources.

Yields

EventSourceObject – event source.

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()[source]

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()[source]

Retrieves the events.

Yields

EventObject – event.

GetNumberOfAnalysisReports()[source]

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetSessions()[source]

Retrieves the sessions.

Yields

Session – session.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()[source]

Retrieves the warnings.

Yields

ExtractionWarning – warning.

HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()[source]

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()[source]

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profile.

__enter__()[source]

Make usable with “with” statement.

__exit__(exception_type, value, traceback)[source]

Make usable with “with” statement.

format_version

format version

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)[source]

Bases: object

Storage writer interface.

number_of_analysis_reports

number of analysis reports written.

Type

int

number_of_event_sources

number of event sources written.

Type

int

number_of_event_tags

number of event tags written.

Type

int

number_of_events

number of events written.

Type

int

number_of_warnings

number of warnings written.

Type

int

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – a report.

AddEvent(event)[source]

Adds an event.

Parameters

event (EventObject) – an event.

AddEventSource(event_source)[source]

Adds an event source.

Parameters

event_source (EventSource) – an event source.

AddEventTag(event_tag)[source]

Adds an event tag.

Parameters

event_tag (EventTag) – an event tag.

AddWarning(warning)[source]

Adds an warning.

Parameters

warning (ExtractionWarning) – a warning.

Close()[source]

Closes the storage writer.

CreateTaskStorage(task)[source]

Creates a task storage.

Parameters

task (Task) – task.

Returns

storage writer.

Return type

StorageWriter

Raises

NotImplementedError – since there is no implementation.

FinalizeTaskStorage(task)[source]

Finalizes a processed task storage.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEvents()[source]

Retrieves the events.

Yields

EventObject – event.

GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

Open()[source]

Opens the storage writer.

PrepareMergeTaskStorage(task)[source]

Prepares a task storage for merging.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

RemoveProcessedTaskStorage(task)[source]

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

WriteSessionCompletion(aborted=False)[source]

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

WriteSessionStart()[source]

Writes session start information.

WriteTaskCompletion(aborted=False)[source]

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

WriteTaskStart()[source]

Writes task start information.

plaso.storage.logger module

The storage sub module logger.

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)[source]

Bases: object

Date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration

duration of the range in microseconds.

Type

int

end_timestamp

timestamp that marks the end of the range.

Type

int

start_timestamp

timestamp that marks the start of the range.

Type

int

Module contents