plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.reader module

SQLite-based storage file reader.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: StorageReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage file.

plaso.storage.sqlite.sqlite_file.PythonAST2SQL(ast_node)[source]

Converts a Python AST to SQL.

Parameters

ast_node (ast.Node) – node of the Python AST.

Returns

SQL statement that represents the node.

Return type

str

Raises

TypeError – if the type of node is not supported.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile[source]

Bases: BaseStore

SQLite-based storage file.

compression_format

compression format.

Type

str

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

classmethod CheckSupportedFormat(path)[source]

Checks if the storage file format is supported.

Parameters

path (str) – path to the storage file.

Returns

True if the format is supported.

Return type

bool

Close()[source]

Closes the file.

Raises

  • IOError – if the storage file is already closed.

  • OSError – if the storage file is already closed.

GetAttributeContainerByIdentifier(container_type, identifier)[source]

Retrieves a specific type of container with a specific identifier.

Parameters

  • container_type (str) – container type.

  • identifier (SQLTableIdentifier) – attribute container identifier.

Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises

  • IOError – when the store is closed or if an unsupported identifier is provided.

  • OSError – when the store is closed or if an unsupported identifier is provided.

GetAttributeContainerByIndex(container_type, index)[source]

Retrieves a specific attribute container.

Parameters

  • container_type (str) – attribute container type.

  • index (int) – attribute container index.

Returns

attribute container or None if not available.

Return type

AttributeContainer

Raises

  • IOError – when the store is closed or when there is an error querying the storage file.

  • OSError – when the store is closed or when there is an error querying the storage file.

GetAttributeContainers(container_type, filter_expression=None)[source]

Retrieves a specific type of stored attribute containers.

Parameters

  • container_type (str) – attribute container type.

  • filter_expression (Optional[str]) – expression to filter the resulting attribute containers by.

Returns

attribute container generator.

Return type

generator(AttributeContainer)

Raises

  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

GetNumberOfAttributeContainers(container_type)[source]

Retrieves the number of a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

the number of containers of a specified type.

Return type

int

Raises

  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns

event generator.

Return type

generator(EventObject)

HasAttributeContainers(container_type)[source]

Determines if store contains a specific type of attribute containers.

Parameters

container_type (str) – attribute container type.

Returns

True if the store contains the specified type of attribute

containers.

Return type

bool

Raises

  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the store.

Parameters

  • path (Optional[str]) – path to the storage file.

  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

  • IOError – if the storage file is already opened or if the database cannot be connected.

  • OSError – if the storage file is already opened or if the database cannot be connected.

  • ValueError – if path is missing.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(storage_type='session')[source]

Bases: StorageWriter

SQLite-based storage file writer.

GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns

event source or None if there are no newly written ones.

Return type

EventSource

Raises

  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

Open(path=None, **unused_kwargs)[source]

Opens the storage writer.

Parameters

path (Optional[str]) – path to the output file.

Raises

  • IOError – if the storage writer is already opened.

  • OSError – if the storage writer is already opened.

Module contents