plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]

Bases: plaso.storage.interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters:
  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.
Returns:

True if the entire task storage file has been merged.
Return type:

bool
Raises:
  • RuntimeError – if the add method for the active attribute container type is missing.
  • OSError – if the task storage file cannot be deleted.
  • ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type=u'session')[source]

Bases: plaso.storage.interface.BaseStorageFile

SQLite-based storage file.

format_version

int – storage format version.

serialization_format

str – serialization format.

storage_type

str – storage type.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:

analysis_report (AnalysisReport) – analysis report.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddError(error)[source]

Adds an error.

Parameters:

error (ExtractionError) – error.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEvent(event)[source]

Adds an event.

Parameters:

event (EventObject) – event.
Raises:
  • IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.
  • OSError – when the storage file is closed or read-only or if the event data identifier type is not supported.
AddEventData(event_data)[source]

Adds event data.

Parameters:

event_data (EventData) – event data.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:

event_source (EventSource) – event source.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:

event_tag (EventTag) – event tag.
Raises:
  • IOError – when the storage file is closed or read-only or if the event identifier type is not supported.
  • OSError – when the storage file is closed or read-only or if the event identifier type is not supported.
AddEventTags(event_tags)[source]

Adds event tags.

Parameters:

event_tags (list[EventTag]) – event tags.
Raises:
  • IOError – when the storage file is closed or read-only or if the event tags cannot be serialized.
  • OSError – when the storage file is closed or read-only or if the event tags cannot be serialized.
classmethod CheckSupportedFormat(path)[source]

Checks if the storage file format is supported.

Parameters:path (str) – path to the storage file.
Returns:True if the format is supported.
Return type:bool
Close()[source]

Closes the storage.

Raises:
  • IOError – if the storage file is already closed.
  • OSError – if the storage file is already closed.
GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns:analysis report generator.
Return type:generator(AnalysisReport)
GetErrors()[source]

Retrieves the errors.

Returns:error generator.
Return type:generator(ExtractionError)
GetEventData()[source]

Retrieves the event data.

Returns:event data generator.
Return type:generator(EventData)
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (SQLTableIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSourceByIndex(index)[source]

Retrieves a specific event source.

Parameters:index (int) – event source index.
Returns:event source or None if not available.
Return type:EventSource
GetEventSources()[source]

Retrieves the event sources.

Returns:event source generator.
Return type:generator(EventSource)
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (SQLTableIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Yields:EventTag – event tag.
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetNumberOfAnalysisReports()[source]

Retrieves the number analysis reports.

Returns:number of analysis reports.
Return type:int
GetNumberOfEventSources()[source]

Retrieves the number event sources.

Returns:number of event sources.
Return type:int
GetSessions()[source]

Retrieves the sessions.

Yields:

Session – session attribute container.
Raises:
  • IOError – if a stream is missing or there is a mismatch in session identifiers between the session start and completion attribute containers.
  • OSError – if a stream is missing or there is a mismatch in session identifiers between the session start and completion attribute containers.
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns:True if the store contains analysis reports.
Return type:bool
HasErrors()[source]

Determines if a store contains extraction errors.

Returns:True if the store contains extraction errors.
Return type:bool
HasEventTags()[source]

Determines if a store contains event tags.

Returns:True if the store contains event tags.
Return type:bool
Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the storage.

Parameters:
  • path (Optional[str]) – path to the storage file.
  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.
Raises:
  • IOError – if the storage file is already opened or if the database cannot be connected.
  • OSError – if the storage file is already opened or if the database cannot be connected.
  • ValueError – if path is missing.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:

knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises:
  • IOError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.
  • OSError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.
WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters:

session_completion (SessionCompletion) – session completion information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteSessionStart(session_start)[source]

Writes session start information.

Parameters:

session_start (SessionStart) – session start information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters:

task_completion (TaskCompletion) – task completion information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteTaskStart(task_start)[source]

Writes task start information.

Parameters:

task_start (TaskStart) – task start information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type=u'session', task=None)[source]

Bases: plaso.storage.interface.StorageFileWriter

SQLite-based storage file writer.

Module contents