plaso.storage package

Submodules

plaso.storage.event_tag_index module

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex[source]

Bases: object

Event tag index.

The event tag index is used to map event tags to events.

It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

GetEventTagByIdentifier(storage_reader, event_identifier)[source]

Retrieves the most recently updated event tag for an event.

Parameters
Returns

event tag or None if the event has no event tag.

Return type

EventTag

SetEventTag(event_tag)[source]

Sets an event tag in the index.

Parameters

event_tag (EventTag) – event tag.
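The docstrings above describe an index that maps each event to its most recently updated tag because already stored tags cannot be altered in place. The following added example (illustrative code, not part of plaso; `EventTag`, `AppendOnlyTagStore` and `EventTagIndexModel` are constructed stand-ins, and the labels are made up) models that behaviour: updates are appended as new records and the index is rebuilt by replaying the store in write order, so a lookup always returns the newest record for an event or `None` when the event was never tagged.

```python
"""Model of an append-only event tag store and an index that maps each
event identifier to its most recently written tag (illustrative only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EventTag:
    """Constructed stand-in for an event tag: labels attached to one event."""
    event_identifier: str
    labels: Tuple[str, ...]
    sequence_number: int  # position of the record in the append-only store


class AppendOnlyTagStore:
    """Records are never altered once written; an update appends a new record."""

    def __init__(self) -> None:
        self._records: List[EventTag] = []

    def write(self, event_identifier: str, labels) -> EventTag:
        tag = EventTag(event_identifier, tuple(labels), len(self._records))
        self._records.append(tag)
        return tag

    def records(self) -> List[EventTag]:
        return list(self._records)


class EventTagIndexModel:
    """Maps event identifiers to the newest tag record written for that event."""

    def __init__(self) -> None:
        self._index: Dict[str, EventTag] = {}

    def build(self, store: AppendOnlyTagStore) -> None:
        # Replaying the store in write order leaves the newest record in place.
        for tag in store.records():
            self.set_event_tag(tag)

    def set_event_tag(self, tag: EventTag) -> None:
        current = self._index.get(tag.event_identifier)
        if current is None or tag.sequence_number >= current.sequence_number:
            self._index[tag.event_identifier] = tag

    def get_event_tag_by_identifier(self, event_identifier: str) -> Optional[EventTag]:
        """Returns the most recently written tag for the event, or None."""
        return self._index.get(event_identifier)


def build_demo_index() -> EventTagIndexModel:
    """Builds an index over a constructed store in which one event is re-tagged."""
    store = AppendOnlyTagStore()
    store.write("event.1", ["browser_search"])
    store.write("event.2", ["application_execution"])
    # A later record for event.1 supersedes the first one without altering it.
    store.write("event.1", ["browser_search", "reviewed"])
    index = EventTagIndexModel()
    index.build(store)
    return index


if __name__ == "__main__":
    demo = build_demo_index()
    print(demo.get_event_tag_by_identifier("event.1"))
```

Rebuilding from the store rather than patching records in place is what keeps the index consistent with storage that can only be appended to; the same replay works for a store that was written by several tasks as long as record order is preserved.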

plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory[source]

Bases: object

Storage factory.

classmethod CheckStorageFileHasSupportedFormat(path, check_readable_only=False)[source]

Checks if the storage file format is supported.

Parameters
  • path (str) – path to the storage file.

  • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

classmethod CreateStorageFile(storage_format)[source]

Creates a storage file.

Parameters

storage_format (str) – storage format.

Returns

a storage file or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageFile

classmethod CreateStorageReaderForFile(path)[source]

Creates a storage reader based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateStorageWriter(storage_format)[source]

Creates a storage writer.

Parameters

storage_format (str) – storage format.

Returns

a storage writer or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateStorageWriterForFile(path)[source]

Creates a storage writer based on the file.

Parameters

path (str) – path to the storage file.

Returns

a storage writer or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageWriter

classmethod CreateTaskStorageReader(storage_format, task, path)[source]

Creates a task storage reader.

Parameters
  • storage_format (str) – storage format.

  • task (Task) – task the storage changes are part of.

  • path (str) – path to the storage file.

Returns

a storage reader or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageReader

classmethod CreateTaskStorageWriter(storage_format)[source]

Creates a task storage writer.

Parameters

storage_format (str) – storage format.

Returns

a storage writer or None if the storage file cannot be opened or the storage format is not supported.

Return type

StorageWriter

plaso.storage.identifiers module

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(sequence_number)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Fake attribute container identifier intended for testing.

sequence_number

sequence number of the attribute container.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.RedisKeyIdentifier(name, sequence_number)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

Redis key attribute container identifier.

name

name of the attribute container.

Type

str

sequence_number

sequence number of the attribute container.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

class plaso.storage.identifiers.SQLTableIdentifier(name, sequence_number)[source]

Bases: plaso.containers.interface.AttributeContainerIdentifier

SQL table attribute container identifier.

The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a SQLite database file.

name

name of the table (attribute container).

Type

str

sequence_number

sequence number of the attribute container.

Type

int

CopyToString()[source]

Copies the identifier to a string representation.

Returns

unique identifier or None.

Return type

str

property row_identifier

unique identifier of the row in the table.

Type

int

plaso.storage.interface module

The attribute container store interface.

class plaso.storage.interface.BaseStore(storage_type='session')[source]

Bases: object

Attribute container store interface.

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddAttributeContainer(container)[source]

Adds a new attribute container.

Parameters

container (AttributeContainer) – attribute container.

Raises
  • OSError – if the store cannot be written to.

  • IOError – if the store cannot be written to.

abstract Close()[source]

Closes the store.

abstract GetAttributeContainerByIdentifier(container_type, identifier)[source]

Retrieves a specific type of container with a specific identifier.

Parameters
Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises
  • IOError – when the store is closed or if an unsupported identifier is provided.

  • OSError – when the store is closed or if an unsupported identifier is provided.

abstract GetAttributeContainers(container_type)[source]

Retrieves a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

attribute container generator.

Return type

generator(AttributeContainers)

Raises
  • IOError – when the store is closed.

  • OSError – when the store is closed.

abstract GetEventTagByEventIdentifier(event_identifier)[source]

Retrieves the event tag related to a specific event identifier.

Parameters

event_identifier (AttributeContainerIdentifier) – event.

Returns

event tag or None if not available.

Return type

EventTag

Raises
  • IOError – when the store is closed.

  • OSError – when the store is closed.

abstract GetNumberOfAttributeContainers(container_type)[source]

Retrieves the number of a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

the number of containers of a specified type.

Return type

int

GetSessions()[source]

Retrieves the sessions.

Yields

Session – session attribute container.

Raises
  • IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

  • OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

abstract GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the store, including those still pending to be flushed (written) to the store.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

abstract HasAttributeContainers(container_type)[source]

Determines if a store contains a specific type of attribute container.

Parameters

container_type (str) – attribute container type.

Returns

True if the store contains the specified type of attribute containers.

Return type

bool

abstract Open(**kwargs)[source]

Opens the store.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

UpdateAttributeContainer(container)[source]

Updates an existing attribute container.

Parameters

container (AttributeContainer) – attribute container.

Raises
  • OSError – if the store cannot be written to.

  • IOError – if the store cannot be written to.

WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

Raises
  • IOError – if the storage type does not support writing a task completion or if the store cannot be written to.

  • OSError – if the storage type does not support writing a task completion or if the store cannot be written to.

WriteTaskStart(task_start)[source]

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

Raises
  • IOError – if the storage type does not support writing a task start or if the store cannot be written to.

  • OSError – if the storage type does not support writing a task start or if the store cannot be written to.

plaso.storage.logger module

The storage sub module logger.

plaso.storage.merge_reader module

The storage merge reader.

class plaso.storage.merge_reader.StorageMergeReader(session, storage_writer, task_storage_reader)[source]

Bases: object

Storage reader for merging.

number_of_containers

number of containers merged in last call to MergeAttributeContainers.

Type

int

AddAttributeContainer(container)[source]

Adds an attribute container.

Parameters

container (AttributeContainer) – attribute container.

Close()[source]

Closes the merge reader.

MergeAttributeContainers(maximum_number_of_containers=0)[source]

Reads attribute containers from a task store into the writer.

Parameters

maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool
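MergeAttributeContainers lets a caller drain a task store into the session writer in bounded batches: each call merges at most `maximum_number_of_containers` (0 meaning no limit), records how many it merged, and returns True only once the task store is exhausted. The following added example (illustrative code, not plaso's own; `TaskStoreModel`, `WriterModel` and `MergeReaderModel` are constructed stand-ins) models that contract so the loop a caller has to write is visible.

```python
"""Model of merging attribute containers from a task store into a writer in
bounded batches (illustrative only)."""
from typing import Dict, List, Optional, Tuple


class TaskStoreModel:
    """Constructed stand-in for a task storage reader: containers in write order."""

    def __init__(self, containers: List[Dict[str, str]]) -> None:
        self._containers = containers
        self._position = 0

    def has_more(self) -> bool:
        return self._position < len(self._containers)

    def read_next(self) -> Optional[Dict[str, str]]:
        if not self.has_more():
            return None
        container = self._containers[self._position]
        self._position += 1
        return container


class WriterModel:
    """Constructed stand-in for a storage writer that appends containers."""

    def __init__(self) -> None:
        self.containers: List[Dict[str, str]] = []

    def add_attribute_container(self, container: Dict[str, str]) -> None:
        self.containers.append(container)


class MergeReaderModel:
    """Reads containers from the task store into the writer, a batch at a time."""

    def __init__(self, writer: WriterModel, task_store: TaskStoreModel) -> None:
        self._writer = writer
        self._task_store = task_store
        self.number_of_containers = 0  # merged in the last call

    def merge_attribute_containers(self, maximum_number_of_containers: int = 0) -> bool:
        """Merges up to the maximum (0 = no limit); True once the store is exhausted."""
        if maximum_number_of_containers < 0:
            raise ValueError("maximum_number_of_containers must be 0 or positive")
        self.number_of_containers = 0
        while (maximum_number_of_containers == 0
               or self.number_of_containers < maximum_number_of_containers):
            container = self._task_store.read_next()
            if container is None:
                return True
            self._writer.add_attribute_container(container)
            self.number_of_containers += 1
        # Batch limit reached: report whether anything is left for a later call.
        return not self._task_store.has_more()


def merge_in_batches(batch_size: int) -> Tuple[List[Tuple[int, bool]], int]:
    """Drains a constructed five-container task store; returns per-call results and the total."""
    constructed = [{"type": "event", "sequence": str(i)} for i in range(5)]
    writer = WriterModel()
    merger = MergeReaderModel(writer, TaskStoreModel(constructed))
    results = []
    done = False
    while not done:
        done = merger.merge_attribute_containers(batch_size)
        results.append((merger.number_of_containers, done))
    return results, len(writer.containers)


if __name__ == "__main__":
    print(merge_in_batches(2))
```

The caller's loop must rely on the return value rather than on `number_of_containers` dropping to zero: a batch that happens to end exactly on the last container still merges a full batch, and only the return value says that nothing remains.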

plaso.storage.reader module

The storage reader.

class plaso.storage.reader.StorageReader[source]

Bases: object

Storage reader interface.

Close()[source]

Closes the storage reader.

GetAttributeContainerByIdentifier(container_type, identifier)[source]

Retrieves a specific type of container with a specific identifier.

Parameters
Returns

attribute container or None if not available.

Return type

AttributeContainer

GetAttributeContainers(container_type)[source]

Retrieves a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

attribute container generator.

Return type

generator(AttributeContainers)

GetFormatVersion()[source]

Retrieves the format version of the underlying storage file.

Returns

the format version.

Return type

int

GetNumberOfAttributeContainers(container_type)[source]

Retrieves the number of a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

the number of containers of a specified type.

Return type

int

GetSerializationFormat()[source]

Retrieves the serialization format of the underlying storage file.

Returns

the serialization format.

Return type

str

GetSessions()[source]

Retrieves the sessions.

Returns

session generator.

Return type

generator(Session)

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage, including those still pending to be flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

GetStorageType()[source]

Retrieves the storage type of the underlying storage file.

Returns

the storage type.

Return type

str

HasAttributeContainers(container_type)[source]

Determines if a store contains a specific type of attribute container.

Parameters

container_type (str) – attribute container type.

Returns

True if the store contains the specified type of attribute containers.

Return type

bool

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

__enter__()[source]

Makes the reader usable with the “with” statement.

__exit__(exception_type, value, traceback)[source]

Makes the reader usable with the “with” statement.

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)[source]

Bases: object

Date and time range.

The timestamps are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration

duration of the range in microseconds.

Type

int

end_timestamp

timestamp that marks the end of the range.

Type

int

start_timestamp

timestamp that marks the start of the range.

Type

int
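TimeRange is the value the GetSortedEvents methods above take to restrict a chronologically sorted event stream to one period, and its timestamps are microseconds since the POSIX epoch rather than seconds. The following added example (illustrative code, not plaso's own; `TimeRangeModel`, `Event`, `utc_microseconds` and `sorted_events_in_range` are constructed stand-ins, and the event list is made up) shows the conversion from an aware datetime to that unit, a range that rejects a start after its end, and a filter that stops scanning as soon as the sorted input passes the end of the range.

```python
"""Model of a microsecond-resolution time range and its use to filter a
chronologically sorted event stream (illustrative only)."""
from datetime import datetime, timezone
from typing import Iterable, Iterator, List, NamedTuple, Optional


class Event(NamedTuple):
    """Constructed stand-in for an event: POSIX microseconds and a message."""
    timestamp: int
    message: str


class TimeRangeModel:
    """Inclusive range of timestamps in microseconds since 1970-01-01 00:00:00 UTC."""

    def __init__(self, start_timestamp: int, end_timestamp: int) -> None:
        if start_timestamp < 0 or end_timestamp < 0:
            raise ValueError("timestamps must be non-negative microseconds since the epoch")
        if start_timestamp > end_timestamp:
            raise ValueError("start timestamp must not be after the end timestamp")
        self.start_timestamp = start_timestamp
        self.end_timestamp = end_timestamp

    @property
    def duration(self) -> int:
        """Length of the range in microseconds."""
        return self.end_timestamp - self.start_timestamp

    def contains(self, timestamp: int) -> bool:
        return self.start_timestamp <= timestamp <= self.end_timestamp


def utc_microseconds(*parts: int) -> int:
    """Converts a UTC date/time (year, month, day, [hour, minute, second,
    microsecond]) to microseconds since the POSIX epoch without float rounding."""
    value = datetime(*parts, tzinfo=timezone.utc)
    delta = value - datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds


def sorted_events_in_range(events: Iterable[Event],
                           time_range: Optional[TimeRangeModel] = None) -> Iterator[Event]:
    """Yields events in increasing chronological order, limited to time_range.

    The input is sorted first, so the scan can stop at the first event past
    the end of the range instead of testing every remaining event.
    """
    for event in sorted(events, key=lambda e: e.timestamp):
        if time_range is None:
            yield event
        elif event.timestamp > time_range.end_timestamp:
            return
        elif time_range.contains(event.timestamp):
            yield event


# Constructed sample events, deliberately out of order.
CONSTRUCTED_EVENTS = [
    Event(utc_microseconds(2021, 3, 4, 10, 0, 0), "logon"),
    Event(utc_microseconds(2021, 3, 4, 9, 59, 59, 500000), "service start"),
    Event(utc_microseconds(2021, 3, 5, 0, 0, 0), "logoff"),
    Event(utc_microseconds(2021, 3, 4, 11, 30, 0), "file created"),
]


def messages_between(start: int, end: int) -> List[str]:
    """Messages of the constructed events that fall inside [start, end]."""
    time_range = TimeRangeModel(start, end)
    return [e.message for e in sorted_events_in_range(CONSTRUCTED_EVENTS, time_range)]


if __name__ == "__main__":
    print(messages_between(utc_microseconds(2021, 3, 4, 10), utc_microseconds(2021, 3, 4, 12)))
```

Keeping the arithmetic in integers matters at this resolution: converting through a floating-point `timestamp()` can shift a value by a microsecond and move an event across a range boundary.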

plaso.storage.writer module

The storage writer.

class plaso.storage.writer.StorageWriter(storage_type='session')[source]

Bases: object

Storage writer interface.

AddAttributeContainer(container)[source]

Adds an attribute container.

Parameters

container (AttributeContainer) – attribute container.

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

AddOrUpdateEventTag(event_tag)[source]

Adds a new or updates an existing event tag.

Parameters

event_tag (EventTag) – event tag.

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

Close()[source]

Closes the storage writer.

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetAttributeContainerByIdentifier(container_type, identifier)[source]

Retrieves a specific type of container with a specific identifier.

Parameters
Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetAttributeContainerByIndex(container_type, index)[source]

Retrieves a specific attribute container.

Parameters
  • container_type (str) – attribute container type.

  • index (int) – attribute container index.

Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetAttributeContainers(container_type)[source]

Retrieves a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

attribute container generator.

Return type

generator(AttributeContainers)

Raises
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetEvents()[source]

Retrieves the events.

Returns

event generator.

Return type

generator(EventObject)

abstract GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource, newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

abstract GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

GetSessions()[source]

Retrieves the sessions.

Returns

session generator.

Return type

generator(Session)

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

This includes all events written to the storage, including those still pending to be flushed (written) to the storage.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

abstract Open(**kwargs)[source]

Opens the storage writer.

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)[source]

Sets the storage profiler.

Parameters

storage_profiler (StorageProfiler) – storage profiler.

WriteSessionCompletion(session)[source]

Writes session completion information.

Parameters

session (Session) – session the storage changes are part of.

Raises
  • IOError – when the storage writer is closed or if the storage type is not supported.

  • OSError – when the storage writer is closed or if the storage type is not supported.

WriteSessionConfiguration(session)[source]

Writes session configuration information.

Parameters

session (Session) – session the storage changes are part of.

Raises
  • IOError – when the storage writer is closed or if the storage type is not supported.

  • OSError – when the storage writer is closed or if the storage type is not supported.

WriteSessionStart(session)[source]

Writes session start information.

Parameters

session (Session) – session the storage changes are part of.

Raises
  • IOError – when the storage writer is closed or if the storage type is not supported.

  • OSError – when the storage writer is closed or if the storage type is not supported.

WriteTaskCompletion(task)[source]

Writes task completion information.

Parameters

task (Task) – task.

Raises
  • IOError – when the storage writer is closed or if the storage type is not supported.

  • OSError – when the storage writer is closed or if the storage type is not supported.

WriteTaskStart(task)[source]

Writes task start information.

Parameters

task (Task) – task.

Raises
  • IOError – when the storage writer is closed or if the storage type is not supported.

  • OSError – when the storage writer is closed or if the storage type is not supported.

property number_of_analysis_reports

number of analysis reports written.

Type

int

property number_of_analysis_warnings

number of analysis warnings written.

Type

int

property number_of_event_sources

number of event sources written.

Type

int

property number_of_event_tags

number of event tags written.

Type

int

property number_of_events

number of events written.

Type

int

property number_of_extraction_warnings

number of extraction warnings written.

Type

int

property number_of_preprocessing_warnings

number of preprocessing warnings written.

Type

int

property number_of_recovery_warnings

number of recovery warnings written.

Type

int
