plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]

Bases: plaso.storage.interface.StorageMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters

  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.

  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

Raises

  • RuntimeError – if the add method for the active attribute container type is missing.

  • OSError – if the task storage file cannot be deleted.

  • ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.file_interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]

Bases: plaso.storage.file_interface.BaseStorageFile

SQLite-based storage file.

compression_format

compression format.

Type

str

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddEvent(event)[source]

Adds an event.

Parameters

event (EventObject) – event.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

AddEventData(event_data)[source]

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

AddEventTag(event_tag)[source]

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.

Raises

  • IOError – when the storage file is closed or read-only or when there is an error querying the storage file.

  • OSError – when the storage file is closed or read-only or when there is an error querying the storage file.

classmethod CheckSupportedFormat(path, check_readable_only=False)[source]

Checks if the storage file format is supported.

Parameters

  • path (str) – path to the storage file.

  • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

Close()[source]

Closes the file.

Raises

  • IOError – if the storage file is already closed.

  • OSError – if the storage file is already closed.

GetEventData()[source]

Retrieves event data.

Yields

EventData – event data.

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (SQLTableIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

Raises

  • IOError – if an invalid identifier is provided.

  • OSError – if an invalid identifier is provided.

GetEventSourceByIndex(index)[source]

Retrieves a specific event source.

Parameters

index (int) – event source index.

Returns

event source or None if not available.

Return type

EventSource

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (SQLTableIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

Raises

  • IOError – if an invalid identifier is provided.

  • OSError – if an invalid identifier is provided.

GetEventTags()[source]

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()[source]

Retrieves the events.

Yields

EventObject – event.

GetNumberOfEventSources()[source]

Retrieves the number event sources.

Returns

number of event sources.

Return type

int

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the storage.

Parameters

  • path (Optional[str]) – path to the storage file.

  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

  • IOError – if the storage file is already opened or if the database cannot be connected.

  • OSError – if the storage file is already opened or if the database cannot be connected.

  • ValueError – if path is missing.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.file_interface.StorageFileWriter

SQLite-based storage file writer.

Module contents