plaso.storage package

Subpackages

• plaso.storage.fake package
  • Submodules
  • plaso.storage.fake.writer module
  • Module contents
• plaso.storage.redis package
  • Submodules
  • plaso.storage.redis.merge_reader module
  • plaso.storage.redis.reader module
  • plaso.storage.redis.redis_store module
  • plaso.storage.redis.writer module
  • Module contents
• plaso.storage.sqlite package
  • Submodules
  • plaso.storage.sqlite.merge_reader module
  • plaso.storage.sqlite.reader module
  • plaso.storage.sqlite.sqlite_file module
  • plaso.storage.sqlite.writer module
  • Module contents

Submodules

plaso.storage.event_heaps module

Heaps to sort events in chronological order.

class plaso.storage.event_heaps.EventHeap

Bases: object

Event heap.

PopEvent()

Pops an event from the heap.

Returns

event.

Return type

EventObject

PopEvents()

Pops events from the heap.

Yields

EventObject – event.

PushEvent(event, event_index)

Pushes an event onto the heap.

Parameters

• event (EventObject) – event.

• event_index (int) – index of the event in the storage.

number_of_events

number of serialized events on the heap.

Type

int

class plaso.storage.event_heaps.SerializedEventHeap

Bases: object

Serialized event heap.

data_size

total data size of the serialized events on the heap.

Type

int

Empty()

Empties the heap.

PopEvent()

Pops an event from the heap.

Returns

containing:

int: event timestamp or None if the heap is empty bytes: serialized event or None if the heap is empty

Return type

tuple

PushEvent(timestamp, event_data)

Pushes a serialized event onto the heap.

Parameters

• timestamp (int) – event timestamp, which contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

• event_data (bytes) – serialized event.

number_of_events

number of serialized events on the heap.

Type

int

plaso.storage.event_tag_index module

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_file, event_identifier)

Retrieves the most recently updated event tag for an event.

Parameters

• storage_file (BaseStorageFile) – storage file.

• event_identifier (AttributeContainerIdentifier) – event attribute container identifier.

Returns

event tag or None if the event has no event tag.

Return type

EventTag

SetEventTag(event_tag)

Sets an event tag in the index.

Parameters

event_tag (EventTag) – event tag.

plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)

Creates a storage file.

Parameters

storage_format (str) – storage format.

Returns

a storage file or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageFile

classmethod CreateStorageReaderForFile(path)

Creates a storage reader based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateStorageWriter(storage_format, session, path)

Creates a storage writer.

Parameters

• storage_format (str) – storage format.

• session (Session) – session the storage changes are part of.

• path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateStorageWriterForFile(session, path)

Creates a storage writer based on the file.

Parameters

• session (Session) – session the storage changes are part of.

• path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type

StorageWriter

plaso.storage.file_interface module

Storage interface classes for file-backed stores.

class plaso.storage.file_interface.BaseStorageFile

Bases: plaso.storage.interface.BaseStore

Interface for file-based stores.

class plaso.storage.file_interface.SerializedAttributeContainerList

Bases: object

Serialized attribute container list.

The list is unsorted and pops attribute containers in the same order as pushed to preserve order.

The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it being filled.

data_size

total data size of the serialized attribute containers on the list.

Type

int

next_sequence_number

next attribute container sequence number.

Type

int

Empty()

Empties the list.

GetAttributeContainerByIndex(index)

Retrieves a specific serialized attribute container from the list.

Parameters

index (int) – attribute container index.

Returns

serialized attribute container data or None if not available.

Return type

bytes

Raises

IndexError – if the index is less than zero.

PopAttributeContainer()

Pops a serialized attribute container from the list.

Returns

serialized attribute container data or None if the list is empty.

Return type

bytes

PushAttributeContainer(serialized_data)

Pushes a serialized attribute container onto the list.

Parameters

serialized_data (bytes) – serialized attribute container data.

number_of_attribute_containers

number of serialized attribute containers on the list.

Type

int

class plaso.storage.file_interface.StorageFileMergeReader(storage_writer)

Bases: plaso.storage.interface.StorageMergeReader

Storage reader interface for merging file-based stores.

class plaso.storage.file_interface.StorageFileReader(path)

Bases: plaso.storage.interface.StorageReader

File-based storage reader interface.

Close()

Closes the storage reader.

GetAnalysisReports()

Retrieves the analysis reports.

Returns

analysis report generator.

Return type

generator(AnalysisReport)

GetEventData()

Retrieves the event data.

Returns

event data generator.

Return type

generator(EventData)

GetEventDataByIdentifier(identifier)

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()

Retrieves the event sources.

Returns

event source generator.

Return type

generator(EventSource)

GetEventTagByIdentifier(identifier)

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()

Retrieves the event tags.

Returns

event tag generator.

Return type

generator(EventTag)

GetEvents()

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

GetFormatVersion()

Retrieves the format version of the underlying storage file.

Returns

the format version, or None if not available.

Return type

int

GetNumberOfAnalysisReports()

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetNumberOfEventSources()

Retrieves the number of event sources.

Returns

number of event sources.

Return type

int

GetSerializationFormat()

Retrieves the serialization format of the underlying storage file.

Returns

the serialization format, or None if not available.

Return type

str

GetSessions()

Retrieves the sessions.

Returns

session generator.

Return type

generator(Session)

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

GetStorageType()

Retrieves the storage type of the underlying storage file.

Returns

the storage type, or None if not available.

Return type

str

GetWarnings()

Retrieves the warnings.

Returns

warning generator.

Return type

generator(ExtractionWarning)

HasAnalysisReports()

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

ReadSystemConfiguration(knowledge_base)

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the system configuration.

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

class plaso.storage.file_interface.StorageFileWriter(session, output_file, storage_type='session', task=None)

Bases: plaso.storage.interface.StorageWriter

Defines an interface for a file-backed storage writer.

AddAnalysisReport(analysis_report, serialized_data=None)

Adds an analysis report.

Parameters

• analysis_report (AnalysisReport) – analysis report.

• serialized_data (Optional[bytes]) – serialized form of the analysis report.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddEvent(event, serialized_data=None)

Adds an event.

Parameters

• event (EventObject) – an event.

• serialized_data (Optional[bytes]) – serialized form of the event.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddEventData(event_data, serialized_data=None)

Adds event data.

Parameters

• event_data (EventData) – event data.

• serialized_data (Optional[bytes]) – serialized form of the event data.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddEventSource(event_source, serialized_data=None)

Adds an event source.

Parameters

• event_source (EventSource) – an event source.

• serialized_data (Optional[bytes]) – serialized form of the event source.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddEventTag(event_tag, serialized_data=None)

Adds an event tag.

Parameters

• event_tag (EventTag) – an event tag.

• serialized_data (Optional[bytes]) – serialized form of the event tag.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddWarning(warning, serialized_data=None)

Adds an warning.

Parameters

• warning (ExtractionWarning) – an extraction warning.

• serialized_data (Optional[bytes]) – serialized form of the warning.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

Close()

Closes the storage writer.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

FinalizeTaskStorage(task)

Finalizes a processed task storage.

Moves the task storage file from its temporary directory to the processed directory.

Parameters

task (Task) – task.

Raises

• IOError – if the storage type or format is not supported or if the storage file cannot be renamed.

• OSError – if the storage type or format is not supported or if the storage file cannot be renamed.

GetEventDataByIdentifier(identifier)

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventTagByIdentifier(identifier)

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()

Retrieves the event tags.

Returns

event tag generator.

Return type

generator(EventTag)

GetEvents()

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

GetFirstWrittenEventSource()

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

GetNextWrittenEventSource()

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

GetProcessedTaskIdentifiers()

Identifiers for tasks which have been processed.

Returns

task identifiers that are processed.

Return type

list[str]

Raises

• IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.

• OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

Open(**unused_kwargs)

Opens the storage writer.

Raises

• IOError – if the storage writer is already opened.

• OSError – if the storage writer is already opened.

PrepareMergeTaskStorage(task)

Prepares a task storage for merging.

Moves the task storage file from the processed directory to the merge directory.

Parameters

task (Task) – task.

Raises

• IOError – if the storage type or format is not supported or if the storage file cannot be renamed.

• OSError – if the storage type or format is not supported or if the storage file cannot be renamed.

ReadSystemConfiguration(knowledge_base)

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the system configuration.

Raises

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

RemoveProcessedTaskStorage(task)

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

• IOError – if the storage type or format is not supported or if the storage file cannot be removed.

• OSError – if the storage type or format is not supported or if the storage file cannot be removed.

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

StartMergeTaskStorage(task)

Starts a merge of a task store with the session storage.

Parameters

task (Task) – task.

Returns

storage merge reader of the task storage.

Return type

StorageMergeReader

Raises

• IOError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

• OSError – if the storage file cannot be opened or if the storage type is not supported or if the temporary path for the task storage does not exist or if the temporary path for the task storage doe not refers to a file.

StartTaskStorage()

Creates a temporary path for the task storage.

Raises

• IOError – if the storage type is not supported or if the temporary path for the task storage already exists.

• OSError – if the storage type is not supported or if the temporary path for the task storage already exists.

StopTaskStorage(abort=False)

Removes the temporary path for the task storage.

The results of tasks will be lost on abort.

Parameters

abort (bool) – True to indicate the stop is issued on abort.

Raises

• IOError – if the storage type is not supported.

• OSError – if the storage type is not supported.

WritePreprocessingInformation(knowledge_base)

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

• IOError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

• OSError – if the storage type does not support writing preprocessing information or when the storage writer is closed.

WriteSessionCompletion(aborted=False)

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

• IOError – if the storage type is not supported or when the storage writer is closed.

• OSError – if the storage type is not supported or when the storage writer is closed.

WriteSessionStart()

Writes session start information.

Raises

• IOError – if the storage type is not supported or when the storage writer is closed.

• OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskCompletion(aborted=False)

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

Raises

• IOError – if the storage type is not supported or when the storage writer is closed.

• OSError – if the storage type is not supported or when the storage writer is closed.

WriteTaskStart()

Writes task start information.

Raises

• IOError – if the storage type is not supported or when the storage writer is closed.

• OSError – if the storage type is not supported or when the storage writer is closed.

plaso.storage.identifiers module

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

attribute_values_hash

hash value of the attribute values.

Type

int

CopyToString()

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.RedisKeyIdentifier(identifier=None)

Bases: plaso.containers.interface.AttributeContainerIdentifier

Redis key attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a Redis instance.

identifier

unique identifier of a container.

Type

UUID

CopyToString()

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a SQLite database file.

name

name of the table.

Type

str

row_identifier

unique identifier of the row in the table.

Type

int

CopyToString()

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)

Bases: plaso.containers.interface.AttributeContainerIdentifier

Serialized stream attribute container identifier.

The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as a JSON serialized data in a ZIP file.

stream_number

number of the serialized attribute container stream.

Type

int

entry_index

number of the serialized event within the stream.

Type

int

CopyToString()

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

plaso.storage.interface module

The storage interface classes.

class plaso.storage.interface.BaseStore

Bases: object

Storage interface.

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddAnalysisReport(analysis_report, serialized_data=None)

Adds an analysis report.

Parameters

• analysis_report (AnalysisReport) – analysis report.

• serialized_data (Optional[bytes]) – serialized form of the analysis report.

AddEvent(event, serialized_data=None)

Adds an event.

Parameters

• event (EventObject) – event.

• serialized_data (Optional[bytes]) – serialized form of the event.

AddEventData(event_data, serialized_data=None)

Adds event data.

Parameters

• event_data (EventData) – event data.

• serialized_data (Optional[bytes]) – serialized form of the event data.

AddEventSource(event_source, serialized_data=None)

Adds an event source.

Parameters

• event_source (EventSource) – event source.

• serialized_data (Optional[bytes]) – serialized form of the event source.

AddEventTag(event_tag, serialized_data=None)

Adds an event tag.

Parameters

• event_tag (EventTag) – event tag.

• serialized_data (Optional[bytes]) – serialized form of the event tag.

AddWarning(warning, serialized_data=None)

Adds a warning.

Parameters

• warning (ExtractionWarning) – warning.

• serialized_data (Optional[bytes]) – serialized form of the event tag.

Close()

Closes the store.

GetAnalysisReports()

Retrieves the analysis reports.

Returns

analysis report generator.

Return type

generator(AnalysisReport)

GetEventData()

Retrieves the event data.

Returns

event data generator.

Return type

generator(EventData)

GetEventDataByIdentifier(identifier)

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()

Retrieves the event sources.

Returns

event source generator.

Return type

generator(EventSource)

GetEventTagByIdentifier(identifier)

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

Raises

• OSError – if an invalid identifier is provided.

• IOError – if an invalid identifier is provided.

GetEventTags()

Retrieves the event tags.

Returns

event tag generator.

Return type

generator(EventTag)

GetEvents()

Retrieves the events.

Returns

event generator.

Return type

generator(Event)

GetNumberOfAnalysisReports()

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetNumberOfEventSources()

Retrieves the number event sources.

Returns

number of event sources.

Return type

int

GetSessions()

Retrieves the sessions.

Yields

Session – session attribute container.

Raises

• IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

• OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the store including those pending being flushed (written) to the store.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()

Retrieves the warnings.

Returns

warning generator.

Return type

generator(ExtractionWarning)

HasAnalysisReports()

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

Open(**kwargs)

Opens the storage.

ReadSystemConfiguration(knowledge_base)

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the system configuration.

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

• IOError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

• OSError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

WriteSessionCompletion(session_completion)

Writes session completion information.

Parameters

session_completion (SessionCompletion) – session completion information.

Raises

• IOError – if the storage type does not support writing a session completion or the storage file is closed or read-only.

• OSError – if the storage type does not support writing a session completion or the storage file is closed or read-only.

WriteSessionStart(session_start)

Writes session start information.

Parameters

session_start (SessionStart) – session start information.

Raises

• IOError – if the storage type does not support writing a session start or the storage file is closed or read-only.

• OSError – if the storage type does not support writing a session start or the storage file is closed or read-only.

WriteTaskCompletion(task_completion)

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

Raises

• IOError – if the storage type does not support writing a task completion or the storage file is closed or read-only.

• OSError – if the storage type does not support writing a task completion or the storage file is closed or read-only.

WriteTaskStart(task_start)

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

Raises

• IOError – if the storage type does not support writing a task start or the storage file is closed or read-only.

• OSError – if the storage type does not support writing a task start or the storage file is closed or read-only.

class plaso.storage.interface.StorageMergeReader(storage_writer)

Bases: object

Storage reader interface for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)

Reads attribute containers from a task store into the writer.

Parameters

• callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.

• maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

class plaso.storage.interface.StorageReader

Bases: object

Storage reader interface.

Close()

Closes the storage reader.

GetAnalysisReports()

Retrieves the analysis reports.

Yields

AnalysisReport – analysis report.

GetEventData()

Retrieves the event data.

Yields

EventData – event data.

GetEventDataByIdentifier(identifier)

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSources()

Retrieves event sources.

Yields

EventSourceObject – event source.

GetEventTagByIdentifier(identifier)

Retrieves a specific event tag.

Parameters

identifier (AttributeContainerIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()

Retrieves the events.

Yields

EventObject – event.

GetNumberOfAnalysisReports()

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetNumberOfEventSources()

Retrieves the number of event sources.

Returns

number of event sources.

Return type

int

GetSessions()

Retrieves the sessions.

Yields

Session – session.

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()

Retrieves the warnings.

Yields

ExtractionWarning – warning.

HasAnalysisReports()

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

ReadSystemConfiguration(knowledge_base)

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the system configuration.

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profile.

__enter__()

Make usable with “with” statement.

__exit__(exception_type, value, traceback)

Make usable with “with” statement.

class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)

Bases: object

Storage writer interface.

number_of_analysis_reports

number of analysis reports written.

Type

int

number_of_event_sources

number of event sources written.

Type

int

number_of_event_tags

number of event tags written.

Type

int

number_of_events

number of events written.

Type

int

number_of_warnings

number of warnings written.

Type

int

AddAnalysisReport(analysis_report, serialized_data=None)

Adds an analysis report.

Parameters

• analysis_report (AnalysisReport) – a report.

• serialized_data (Optional[bytes]) – serialized form of the analysis report.

AddEvent(event, serialized_data=None)

Adds an event.

Parameters

• event (EventObject) – an event.

• serialized_data (Optional[bytes]) – serialized form of the event.

AddEventData(event_data, serialized_data=None)

Adds event data.

Parameters

• event_data (EventData) – event data.

• serialized_data (Optional[bytes]) – serialized form of the event data.

AddEventSource(event_source, serialized_data=None)

Adds an event source.

Parameters

• event_source (EventSource) – an event source.

• serialized_data (Optional[bytes]) – serialized form of the event source.

AddEventTag(event_tag, serialized_data=None)

Adds an event tag.

Parameters

• event_tag (EventTag) – an event tag.

• serialized_data (Optional[bytes]) – serialized form of the event tag.

AddWarning(warning, serialized_data=None)

Adds an warning.

Parameters

• warning (ExtractionWarning) – a warning.

• serialized_data (Optional[bytes]) – serialized form of the warning.

CheckTaskReadyForMerge(task)

Checks if a task is ready for merging into the store.

Parameters

task (Task) – task.

Returns

True if the task is ready to be merged.

Return type

bool

Close()

Closes the storage writer.

CreateTaskStorage(task, task_storage_format)

Creates a task store.

Parameters

• task (Task) – task.

• task_storage_format (str) – storage format to store task results.

Returns

storage writer for the task store.

Return type

StorageWriter

Raises

NotImplementedError – since there is no implementation.

FinalizeTaskStorage(task)

Finalizes a processed task storage.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

GetEventDataByIdentifier(identifier)

Retrieves specific event data.

Parameters

identifier (AttributeContainerIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEvents()

Retrieves the events.

Yields

EventObject – event.

GetFirstWrittenEventSource()

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

GetNextWrittenEventSource()

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

Open(**kwargs)

Opens the storage writer.

PrepareMergeTaskStorage(task)

Prepares a task storage for merging.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

ReadSystemConfiguration(knowledge_base)

Reads system configuration information.

The system configuration contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the system configuration.

RemoveProcessedTaskStorage(task)

Removes a processed task storage.

Parameters

task (Task) – task.

Raises

NotImplementedError – since there is no implementation.

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

WritePreprocessingInformation(knowledge_base)

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

WriteSessionCompletion(aborted=False)

Writes session completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

WriteSessionStart()

Writes session start information.

WriteTaskCompletion(aborted=False)

Writes task completion information.

Parameters

aborted (Optional[bool]) – True if the session was aborted.

WriteTaskStart()

Writes task start information.

plaso.storage.logger module

The storage sub module logger.

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)

Bases: object

Date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration

duration of the range in microseconds.

Type

int

end_timestamp

timestamp that marks the end of the range.

Type

int

start_timestamp

timestamp that marks the start of the range.

Type

int

Module contents