plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)

Bases: plaso.storage.interface.StorageMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)

Reads attribute containers from a task storage file into the writer.

Parameters

• callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.

• maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

Raises

• RuntimeError – if the add method for the active attribute container type is missing.

• OSError – if the task storage file cannot be deleted.

• ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)

Bases: plaso.storage.file_interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')

Bases: plaso.storage.file_interface.BaseStorageFile

SQLite-based storage file.

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddEvent(event, serialized_data=None)

Adds an event.

Parameters

• event (EventObject) – event.

• serialized_data (Optional[bytes]) – serialized form of the event.

Raises

• IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.

• OSError – when the storage file is closed or read-only or if the event data identifier type is not supported.

AddEventTag(event_tag, serialized_data=None)

Adds an event tag.

Parameters

• event_tag (EventTag) – event tag.

• serialized_data (Optional[bytes]) – serialized form of the event tag.

Raises

• IOError – when the storage file is closed or read-only or if the event identifier type is not supported.

• OSError – when the storage file is closed or read-only or if the event identifier type is not supported.

classmethod CheckSupportedFormat(path, check_readable_only=False)

Checks if the storage file format is supported.

Parameters

• path (str) – path to the storage file.

• check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

Close()

Closes the file.

Raises

• IOError – if the storage file is already closed.

• OSError – if the storage file is already closed.

GetEventSourceByIndex(index)

Retrieves a specific event source.

Parameters

index (int) – event source index.

Returns

event source or None if not available.

Return type

EventSource

GetEventTagByIdentifier(identifier)

Retrieves a specific event tag.

Parameters

identifier (SQLTableIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

Raises

• OSError – if an invalid identifier is provided.

• IOError – if an invalid identifier is provided.

GetEventTags()

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()

Retrieves the events.

Yields

EventObject – event.

GetNumberOfEventSources()

Retrieves the number event sources.

Returns

number of event sources.

Return type

int

GetSessions()

Retrieves the sessions.

Yields

Session – session attribute container.

Raises

• IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

• OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()

Retrieves the warnings.

Returns

warning generator.

Return type

generator(ExtractionWarning)

Open(path=None, read_only=True, **unused_kwargs)

Opens the storage.

Parameters

• path (Optional[str]) – path to the storage file.

• read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

• IOError – if the storage file is already opened or if the database cannot be connected.

• OSError – if the storage file is already opened or if the database cannot be connected.

• ValueError – if path is missing.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)

Bases: plaso.storage.file_interface.StorageFileWriter

SQLite-based storage file writer.

CheckTaskReadyForMerge(task)

Checks if a task is ready for merging with this session storage.

Parameters

task (Task) – task.

Returns

True if the task is ready to be merged.

Return type

bool

Raises

• IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.

• OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.

CreateTaskStorage(task, task_storage_format)

Creates a task storage.

The task storage is used to store attribute containers created by the task.

Parameters

• task (Task) – task.

• task_storage_format (str) – storage format used to store task results.

Returns

storage writer.

Return type

StorageWriter

Raises

• OSError – if the storage type or storage format is not supported.

• IOError – if the storage type or storage format is not supported.

Module contents