plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.reader module

SQLite-based storage file reader.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.reader.StorageReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage file.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(storage_type='session')[source]

Bases: plaso.storage.interface.BaseStore

SQLite-based storage file.

compression_format

compression format.

Type

str

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

classmethod CheckSupportedFormat(path, check_readable_only=False)[source]

Checks if the storage file format is supported.

Parameters

  • path (str) – path to the storage file.

  • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

Close()[source]

Closes the file.

Raises

  • IOError – if the storage file is already closed.

  • OSError – if the storage file is already closed.

GetAttributeContainerByIdentifier(container_type, identifier)[source]

Retrieves a specific type of container with a specific identifier.

Parameters

  • container_type (str) – container type.

  • identifier (SQLTableIdentifier) – attribute container identifier.

Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises

  • IOError – when the store is closed or if an unsupported identifier is provided.

  • OSError – when the store is closed or if an unsupported identifier is provided.

GetAttributeContainerByIndex(container_type, index)[source]

Retrieves a specific attribute container.

Parameters

  • container_type (str) – attribute container type.

  • index (int) – attribute container index.

Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises

  • IOError – when the store is closed or when there is an error querying the storage file.

  • OSError – when the store is closed or when there is an error querying the storage file.

GetAttributeContainers(container_type)[source]

Retrieves a specific type of stored attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

attribute container generator.

Return type

generator(AttributeContainer)

Raises

  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

GetEventTagByEventIdentifier(event_identifier)[source]

Retrieves the event tag related to a specific event identifier.

Parameters

event_identifier (SQLTableIdentifier) – event.

Returns

event tag or None if not available.

Return type

EventTag

Raises

  • IOError – when the store is closed or when there is an error querying the storage file.

  • OSError – when the store is closed or when there is an error querying the storage file.

GetNumberOfAttributeContainers(container_type)[source]

Retrieves the number of a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

the number of containers of a specified type.

Return type

int

Raises

  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

  • ValueError – if an unsupported container type is provided.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

HasAttributeContainers(container_type)[source]

Determines if store contains a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

True if the store contains the specified type of attribute

containers.

Return type

bool

Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the store.

Parameters

  • path (Optional[str]) – path to the storage file.

  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

  • IOError – if the storage file is already opened or if the database cannot be connected.

  • OSError – if the storage file is already opened or if the database cannot be connected.

  • ValueError – if path is missing.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(storage_type='session')[source]

Bases: plaso.storage.writer.StorageWriter

SQLite-based storage file writer.

GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

Open(path=None, **unused_kwargs)[source]

Opens the storage writer.

Parameters

path (Optional[str]) – path to the output file.

Raises

  • IOError – if the storage writer is already opened.

  • OSError – if the storage writer is already opened.

Module contents