plaso.storage.sqlite package
Submodules
plaso.storage.sqlite.reader module
SQLite-based storage file reader.
- class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]
Bases:
StorageReaderSQLite-based storage file reader.
plaso.storage.sqlite.sqlite_file module
SQLite-based storage file.
- plaso.storage.sqlite.sqlite_file.PythonAST2SQL(ast_node)[source]
Converts a Python AST to SQL.
- Parameters
ast_node (ast.Node) – node of the Python AST.
- Returns
SQL statement that represents the node.
- Return type
str
- Raises
TypeError – if the type of node is not supported.
- class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile[source]
Bases:
BaseStoreSQLite-based storage file.
- compression_format
compression format.
- Type
str
- format_version
storage format version.
- Type
int
- serialization_format
serialization format.
- Type
str
- classmethod CheckSupportedFormat(path)[source]
Checks if the storage file format is supported.
- Parameters
path (str) – path to the storage file.
- Returns
True if the format is supported.
- Return type
bool
- Close()[source]
Closes the file.
- Raises
IOError – if the storage file is already closed.
OSError – if the storage file is already closed.
- GetAttributeContainerByIdentifier(container_type, identifier)[source]
Retrieves a specific type of container with a specific identifier.
- Parameters
container_type (str) – container type.
identifier (SQLTableIdentifier) – attribute container identifier.
- Returns
attribute container or None if not available.
- Return type
- Raises
IOError – when the store is closed or if an unsupported identifier is provided.
OSError – when the store is closed or if an unsupported identifier is provided.
- GetAttributeContainerByIndex(container_type, index)[source]
Retrieves a specific attribute container.
- Parameters
container_type (str) – attribute container type.
index (int) – attribute container index.
- Returns
attribute container or None if not available.
- Return type
- Raises
IOError – when the store is closed or when there is an error querying the storage file.
OSError – when the store is closed or when there is an error querying the storage file.
- GetAttributeContainers(container_type, filter_expression=None)[source]
Retrieves a specific type of stored attribute containers.
- Parameters
container_type (str) – attribute container type.
filter_expression (Optional[str]) – expression to filter the resulting attribute containers by.
- Returns
attribute container generator.
- Return type
generator(AttributeContainer)
- Raises
IOError – when there is an error querying the storage file.
OSError – when there is an error querying the storage file.
- GetNumberOfAttributeContainers(container_type)[source]
Retrieves the number of a specific type of attribute containers.
- Parameters
container_type (str) – attribute container type.
- Returns
the number of containers of a specified type.
- Return type
int
- Raises
IOError – when there is an error querying the storage file.
OSError – when there is an error querying the storage file.
- GetSortedEvents(time_range=None)[source]
Retrieves the events in increasing chronological order.
- Parameters
time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
- Returns
event generator.
- Return type
generator(EventObject)
- HasAttributeContainers(container_type)[source]
Determines if store contains a specific type of attribute containers.
- Parameters
container_type (str) – attribute container type.
- Returns
- True if the store contains the specified type of attribute
containers.
- Return type
bool
- Raises
IOError – when there is an error querying the storage file.
OSError – when there is an error querying the storage file.
- Open(path=None, read_only=True, **unused_kwargs)[source]
Opens the store.
- Parameters
path (Optional[str]) – path to the storage file.
read_only (Optional[bool]) – True if the file should be opened in read-only mode.
- Raises
IOError – if the storage file is already opened or if the database cannot be connected.
OSError – if the storage file is already opened or if the database cannot be connected.
ValueError – if path is missing.
plaso.storage.sqlite.writer module
Storage writer for SQLite storage files.
- class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(storage_type='session')[source]
Bases:
StorageWriterSQLite-based storage file writer.
- GetFirstWrittenEventData()[source]
Retrieves the first event data that was written after open.
Using GetFirstWrittenEventData and GetNextWrittenEventData newly added event data can be retrieved in order of addition.
- Returns
event data or None if there are no newly written ones.
- Return type
- Raises
IOError – when the storage writer is closed.
OSError – when the storage writer is closed.
- GetFirstWrittenEventSource()[source]
Retrieves the first event source that was written after open.
Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
- Returns
event source or None if there are no newly written ones.
- Return type
- Raises
IOError – when the storage writer is closed.
OSError – when the storage writer is closed.
- GetNextWrittenEventData()[source]
Retrieves the next event data that was written after open.
- Returns
event data or None if there are no newly written ones.
- Return type
- Raises
IOError – when the storage writer is closed.
OSError – when the storage writer is closed.