plaso.storage.sqlite package¶
Submodules¶
plaso.storage.sqlite.merge_reader module¶
Merge reader for SQLite storage files.
-
class
plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]¶ Bases:
plaso.storage.interface.StorageMergeReaderSQLite-based storage file reader for merging.
-
MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]¶ Reads attribute containers from a task storage file into the writer.
- Parameters
callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.
- Returns
True if the entire task storage file has been merged.
- Return type
bool
- Raises
RuntimeError – if the add method for the active attribute container type is missing.
OSError – if the task storage file cannot be deleted.
ValueError – if the maximum number of containers is a negative value.
-
plaso.storage.sqlite.reader module¶
Reader for SQLite storage files.
-
class
plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]¶ Bases:
plaso.storage.file_interface.StorageFileReaderSQLite-based storage file reader.
plaso.storage.sqlite.sqlite_file module¶
SQLite-based storage.
-
class
plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]¶ Bases:
plaso.storage.file_interface.BaseStorageFileSQLite-based storage file.
-
format_version¶ storage format version.
- Type
int
-
serialization_format¶ serialization format.
- Type
str
-
storage_type¶ storage type.
- Type
str
-
AddEvent(event, serialized_data=None)[source]¶ Adds an event.
- Parameters
event (EventObject) – event.
serialized_data (Optional[bytes]) – serialized form of the event.
- Raises
IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.
-
AddEventData(event_data, serialized_data=None)[source]¶ Adds event data.
- Parameters
event_data (EventData) – event data.
serialized_data (Optional[bytes]) – serialized form of the event data.
- Raises
IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.
-
AddEventTag(event_tag, serialized_data=None)[source]¶ Adds an event tag.
- Parameters
event_tag (EventTag) – event tag.
serialized_data (Optional[bytes]) – serialized form of the event tag.
- Raises
IOError – when the storage file is closed or read-only.
OSError – when the storage file is closed or read-only.
-
classmethod
CheckSupportedFormat(path, check_readable_only=False)[source]¶ Checks if the storage file format is supported.
- Parameters
path (str) – path to the storage file.
check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.
- Returns
True if the format is supported.
- Return type
bool
-
Close()[source]¶ Closes the file.
- Raises
IOError – if the storage file is already closed.
OSError – if the storage file is already closed.
-
GetEventDataByIdentifier(identifier)[source]¶ Retrieves specific event data.
- Parameters
identifier (SQLTableIdentifier) – event data identifier.
- Returns
event data or None if not available.
- Return type
- Raises
OSError – if an invalid identifier is provided.
IOError – if an invalid identifier is provided.
-
GetEventSourceByIndex(index)[source]¶ Retrieves a specific event source.
- Parameters
index (int) – event source index.
- Returns
event source or None if not available.
- Return type
-
GetEventTagByIdentifier(identifier)[source]¶ Retrieves a specific event tag.
- Parameters
identifier (SQLTableIdentifier) – event tag identifier.
- Returns
event tag or None if not available.
- Return type
- Raises
OSError – if an invalid identifier is provided.
IOError – if an invalid identifier is provided.
-
GetNumberOfEventSources()[source]¶ Retrieves the number event sources.
- Returns
number of event sources.
- Return type
int
-
GetSortedEvents(time_range=None)[source]¶ Retrieves the events in increasing chronological order.
- Parameters
time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
- Yields
EventObject – event.
-
GetWarnings()[source]¶ Retrieves the warnings.
- Returns
warning generator.
- Return type
generator(ExtractionWarning)
-
Open(path=None, read_only=True, **unused_kwargs)[source]¶ Opens the storage.
- Parameters
path (Optional[str]) – path to the storage file.
read_only (Optional[bool]) – True if the file should be opened in read-only mode.
- Raises
IOError – if the storage file is already opened or if the database cannot be connected.
OSError – if the storage file is already opened or if the database cannot be connected.
ValueError – if path is missing.
-
plaso.storage.sqlite.writer module¶
Storage writer for SQLite storage files.
-
class
plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]¶ Bases:
plaso.storage.file_interface.StorageFileWriterSQLite-based storage file writer.
-
CheckTaskReadyForMerge(task)[source]¶ Checks if a task is ready for merging with this session storage.
- Parameters
task (Task) – task.
- Returns
True if the task is ready to be merged.
- Return type
bool
- Raises
IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.
-
CreateTaskStorage(task, task_storage_format)[source]¶ Creates a task storage.
The task storage is used to store attribute containers created by the task.
- Parameters
task (Task) – task.
task_storage_format (str) – storage format used to store task results.
- Returns
storage writer.
- Return type
- Raises
OSError – if the storage type or storage format is not supported.
IOError – if the storage type or storage format is not supported.
-