plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]

Bases: plaso.storage.interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters:
  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.
Returns:

True if the entire task storage file has been merged.
Return type:

bool
Raises:
  • RuntimeError – if the add method for the active attribute container type is missing.
  • OSError – if the task storage file cannot be deleted.
  • ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]

Bases: plaso.storage.interface.BaseStorageFile

SQLite-based storage file.

format_version

int – storage format version.

serialization_format

str – serialization format.

storage_type

str – storage type.

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters:

analysis_report (AnalysisReport) – analysis report.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEvent(event)[source]

Adds an event.

Parameters:

event (EventObject) – event.
Raises:
  • IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.
  • OSError – when the storage file is closed or read-only or if the event data identifier type is not supported.
AddEventData(event_data)[source]

Adds event data.

Parameters:

event_data (EventData) – event data.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEventSource(event_source)[source]

Adds an event source.

Parameters:

event_source (EventSource) – event source.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
AddEventTag(event_tag)[source]

Adds an event tag.

Parameters:

event_tag (EventTag) – event tag.
Raises:
  • IOError – when the storage file is closed or read-only or if the event identifier type is not supported.
  • OSError – when the storage file is closed or read-only or if the event identifier type is not supported.
AddEventTags(event_tags)[source]

Adds event tags.

Parameters:

event_tags (list[EventTag]) – event tags.
Raises:
  • IOError – when the storage file is closed or read-only or if the event tags cannot be serialized.
  • OSError – when the storage file is closed or read-only or if the event tags cannot be serialized.
AddWarning(warning)[source]

Adds an warning.

Parameters:

warning (ExtractionWarning) – warning.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
classmethod CheckSupportedFormat(path, check_readable_only=False)[source]

Checks if the storage file format is supported.

Parameters:
  • path (str) – path to the storage file.
  • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.
Returns:

True if the format is supported.
Return type:

bool
Close()[source]

Closes the storage.

Raises:
  • IOError – if the storage file is already closed.
  • OSError – if the storage file is already closed.
GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns:analysis report generator.
Return type:generator(AnalysisReport)
GetEventData()[source]

Retrieves the event data.

Returns:event data generator.
Return type:generator(EventData)
GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters:identifier (SQLTableIdentifier) – event data identifier.
Returns:event data or None if not available.
Return type:EventData
GetEventSourceByIndex(index)[source]

Retrieves a specific event source.

Parameters:index (int) – event source index.
Returns:event source or None if not available.
Return type:EventSource
GetEventSources()[source]

Retrieves the event sources.

Returns:event source generator.
Return type:generator(EventSource)
GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters:identifier (SQLTableIdentifier) – event tag identifier.
Returns:event tag or None if not available.
Return type:EventTag
GetEventTags()[source]

Retrieves the event tags.

Yields:EventTag – event tag.
GetEvents()[source]

Retrieves the events.

Yields:EventObject – event.
GetNumberOfAnalysisReports()[source]

Retrieves the number analysis reports.

Returns:number of analysis reports.
Return type:int
GetNumberOfEventSources()[source]

Retrieves the number event sources.

Returns:number of event sources.
Return type:int
GetSessions()[source]

Retrieves the sessions.

Yields:

Session – session attribute container.
Raises:
  • IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
  • OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters:time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:EventObject – event.
GetWarnings()[source]

Retrieves the warnings.

Returns:warning generator.
Return type:generator(ExtractionWarning)
HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns:True if the store contains analysis reports.
Return type:bool
HasEventTags()[source]

Determines if a store contains event tags.

Returns:True if the store contains event tags.
Return type:bool
HasWarnings()[source]

Determines if a store contains extraction warnings.

Returns:True if the store contains extraction warnings.
Return type:bool
Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the storage.

Parameters:
  • path (Optional[str]) – path to the storage file.
  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.
Raises:
  • IOError – if the storage file is already opened or if the database cannot be connected.
  • OSError – if the storage file is already opened or if the database cannot be connected.
  • ValueError – if path is missing.
ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters:knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters:

knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises:
  • IOError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.
  • OSError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.
WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters:

session_completion (SessionCompletion) – session completion information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteSessionStart(session_start)[source]

Writes session start information.

Parameters:

session_start (SessionStart) – session start information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters:

task_completion (TaskCompletion) – task completion information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.
WriteTaskStart(task_start)[source]

Writes task start information.

Parameters:

task_start (TaskStart) – task start information.
Raises:
  • IOError – when the storage file is closed or read-only.
  • OSError – when the storage file is closed or read-only.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.interface.StorageFileWriter

SQLite-based storage file writer.

Module contents