plaso.containers package

Submodules

plaso.containers.analyzer_result module

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult[source]

Bases: plaso.containers.interface.AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name

str – name of the analyzer that produced the result.

attribute_name

str – name of the attribute produced.

attribute_value

str – value of the attribute produced.

CONTAINER_TYPE = u'analyzer_result'

plaso.containers.artifacts module

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer[source]

Bases: plaso.containers.interface.AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:
https://en.wikipedia.org/wiki/Environment_variable
case_sensitive

bool – True if environment variable name is case sensitive.

name

str – environment variable name e.g. ‘SystemRoot’ as in ‘%SystemRoot%’ or ‘HOME’ in ‘$HOME’.

value

str – environment variable value e.g. ‘C:\Windows’ or ‘/home/user’.

CONTAINER_TYPE = u'environment_variable'
class plaso.containers.artifacts.HostnameArtifact(name=None, schema=u'DNS')[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:
https://en.wikipedia.org/wiki/Hostname
http://cybox.mitre.org/language/version2.1/xsddocs/objects/Hostname_Object.html
name

str – name of the host according to the naming schema.

schema

str – naming schema e.g. DNS, NIS, SMB/NetBIOS.

CONTAINER_TYPE = u'hostname'
class plaso.containers.artifacts.OperatingSystemArtifact(family=None, product=None, version=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Operating system artifact attribute container.

family

str – operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.

name

str – operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.

product

str – product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

version

str – version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

CONTAINER_TYPE = u'operating_system'
IsEquivalent(other)[source]

Determines if 2 operating system artifacts are equivalent.

This function compares the operating systems using the most specific criteria available on both sides, in this order:
  • name derived from product
  • family and version
  • family

Parameters:other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.
Returns:
True if the operating systems are considered equivalent, False if the most specific available criteria do not match or no criteria are available.
Return type:bool
version_tuple

tuple[int] – version tuple or None if version is not set or invalid.
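
The precedence above in working code, as an added example written for this page and not plaso's own OperatingSystemArtifact: the product-to-name patterns, the family set and the SelectPreset helper are assumptions standing in for plaso's definitions module. It also adds the check a practitioner wants given that family must be one of the predefined values: unknown families are rejected at construction time instead of silently matching no preset later.

```python
import re

# Assumed family values, mirroring the examples in the documentation above.
OPERATING_SYSTEM_FAMILIES = frozenset(['Linux', 'MacOS', 'Windows'])

# Assumption: plaso derives "name" from "product" through its own definitions;
# this small pattern table only illustrates that step.
_PRODUCT_NAME_PATTERNS = (
    (re.compile(r'windows.*\bxp\b', re.IGNORECASE), 'Windows XP'),
    (re.compile(r'windows.*\b7\b', re.IGNORECASE), 'Windows 7'),
    (re.compile(r'mac\s?os.*\bmojave\b', re.IGNORECASE), 'macOS Mojave'),
)


class OperatingSystemArtifact(object):
  """Operating system artifact (illustrative reimplementation)."""

  def __init__(self, family=None, product=None, version=None):
    # family links a parser preset to the system, so reject unknown values
    # here rather than letting them match nothing later.
    if family is not None and family not in OPERATING_SYSTEM_FAMILIES:
      raise ValueError(
          'unsupported operating system family: {0!s}'.format(family))
    self.family = family
    self.product = product
    self.version = version

  @property
  def name(self):
    """str: canonical operating system name derived from product, or None."""
    if not self.product:
      return None
    for pattern, name in _PRODUCT_NAME_PATTERNS:
      if pattern.search(self.product):
        return name
    return None

  @property
  def version_tuple(self):
    """tuple[int]: version tuple or None if version is not set or invalid."""
    if not self.version:
      return None
    try:
      return tuple(int(part) for part in self.version.split('.'))
    except ValueError:
      return None

  def IsEquivalent(self, other):
    """Determines if two operating system artifacts are equivalent.

    The most specific criterion available on both sides decides:
    derived name, else family and version, else family alone.
    """
    if self.name and other.name:
      return self.name == other.name

    if self.family and other.family:
      if self.version_tuple and other.version_tuple:
        return (self.family == other.family and
                self.version_tuple == other.version_tuple)
      return self.family == other.family

    return False


def SelectPreset(system, presets):
  """Returns the names of the presets whose OS artifact matches system.

  presets maps a preset name to an OperatingSystemArtifact (the caller
  supplies constructed sample data; this is not plaso's preset format).
  """
  return [name for name, artifact in sorted(presets.items())
          if system.IsEquivalent(artifact)]
```

Note that a derived name wins over a differing version: “Windows Professional XP” 5.1.2600 and “Microsoft Windows XP” 5.1 are equivalent, while two artifacts that carry only family and version are not unless the version tuples are equal.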

class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation e.g. Windows or Linux.

code_page

str – system code page.

hostname

HostnameArtifact – hostname.

keyboard_layout

str – keyboard layout.

operating_system

str – operating system for example “MacOS” or “Windows”.

operating_system_product

str – operating system product for example “Windows XP”.

operating_system_version

str – operating system version for example “10.9.2” or “8.1”.

time_zone

str – system time zone.

user_accounts

list[UserAccountArtifact] – user accounts.

CONTAINER_TYPE = u'system_configuration'
class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, user_directory=None, username=None)[source]

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

User account artifact attribute container.

Also see:
http://cybox.mitre.org/language/version2.1/xsddocs/objects/User_Account_Object.html
full_name

str – name describing the user e.g. full name.

group_identifier

str – identifier of the primary group the user is part of.

identifier

str – user identifier.

user_directory

str – path of the user (or home or profile) directory.

username

str – name uniquely identifying the user.

CONTAINER_TYPE = u'user_account'

plaso.containers.errors module

Error attribute containers.

class plaso.containers.errors.ExtractionError(message=None, parser_chain=None, path_spec=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Extraction error attribute container.

message

str – error message.

parser_chain

str – parser chain to which the error applies.

path_spec

dfvfs.PathSpec – path specification of the file entry to which the error applies.

CONTAINER_TYPE = u'extraction_error'

plaso.containers.event_sources module

Event source attribute containers.

class plaso.containers.event_sources.EventSource(path_spec=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates e.g. a file, the $STANDARD_INFORMATION MFT attribute, or Application Compatibility cache.

data_type

str – attribute container type indicator.

file_entry_type

str – dfVFS file entry type.

path_spec

dfvfs.PathSpec – path specification.

CONTAINER_TYPE = u'event_source'
DATA_TYPE = None
__lt__(other)[source]

Compares if the event source attribute container is less than the other.

Parameters:other (EventSource) – event source attribute container to compare to.
Returns:True if the event source attribute container is less than the other.
Return type:bool
class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)[source]

Bases: plaso.containers.event_sources.EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = u'file_entry'

plaso.containers.events module

Event attribute containers.

class plaso.containers.events.EventData(data_type=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event data attribute container.

data_type

str – event data type indicator.

offset

int – offset relative to the start of the data stream where the event data is stored.

query

str – query that was used to obtain the event data.

CONTAINER_TYPE = u'event_data'
class plaso.containers.events.EventObject[source]

Bases: plaso.containers.interface.AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

data_type

str – event data type indicator.

display_name

str – display friendly version of the path specification.

filename

str – name of the file related to the event.

hostname

str – name of the host related to the event.

inode

int – inode of the file related to the event.

offset

int – offset of the event data.

pathspec

dfvfs.PathSpec – path specification of the file related to the event.

tag

EventTag – event tag.

timestamp

int – timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

timestamp_desc

str – description of the meaning of the timestamp.

CONTAINER_TYPE = u'event'
DATA_TYPE = None
GetEventDataIdentifier()[source]

Retrieves the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Returns:event data identifier or None when not set.
Return type:AttributeContainerIdentifier
SetEventDataIdentifier(event_data_identifier)[source]

Sets the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Parameters:event_data_identifier (AttributeContainerIdentifier) – event data identifier.
__lt__(other)[source]

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters:other (EventObject) – event attribute container to compare to.
Returns:True if the event attribute container is less than the other.
Return type:bool
class plaso.containers.events.EventTag(comment=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Event tag attribute container.

comment

str – comments.

event_entry_index

int – serialized data stream entry index of the event; this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

event_stream_number

int – number of the serialized event stream; this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

labels

list[str] – labels, such as “malware”, “application_execution”.

AddComment(comment)[source]

Adds a comment to the event tag.

Parameters:comment (str) – comment.
AddLabel(label)[source]

Adds a label to the event tag.

Parameters:

label (str) – label.

Raises:
  • TypeError – if the label provided is not a string.
  • ValueError – if a label is malformed.
AddLabels(labels)[source]

Adds labels to the event tag.

Parameters:labels (list[str]) – labels.
Raises:ValueError – if a label is malformed.
CONTAINER_TYPE = u'event_tag'
classmethod CopyTextToLabel(text, prefix=u'')[source]

Copies a string to a label.

A label only supports a limited set of characters; unsupported characters are therefore replaced with an underscore.

Parameters:
  • text (str) – label text.
  • prefix (Optional[str]) – label prefix.
Returns:

label.

Return type:

str

CopyToDict()[source]

Copies the event tag to a dictionary.

Returns:event tag attributes.
Return type:dict[str, object]
GetEventIdentifier()[source]

Retrieves the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Returns:event identifier or None when not set.
Return type:AttributeContainerIdentifier
SetEventIdentifier(event_identifier)[source]

Sets the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Parameters:event_identifier (AttributeContainerIdentifier) – event identifier.
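
The label rules of AddLabel, AddLabels and CopyTextToLabel in working code, as an added example written for this page (not plaso's EventTag). The label alphabet, letters, digits and underscore, is an assumption consistent with “a limited set of characters”. The TagFromRuleNames helper is also an assumption; it exists to show the caveat a practitioner should know: CopyTextToLabel is lossy, so two differently named tagging rules can collapse onto one label, and the example makes that collision visible instead of silently merging them.

```python
import re


class EventTag(object):
  """Event tag (illustrative reimplementation, not plaso's EventTag)."""

  # Assumption: a label may only contain letters, digits and underscores.
  _INVALID_LABEL_CHARACTERS = re.compile(r'[^A-Za-z0-9_]')
  _VALID_LABEL = re.compile(r'^[A-Za-z0-9_]+$')

  def __init__(self, comment=None):
    self.comment = comment
    self.labels = []

  def AddComment(self, comment):
    """Adds a comment; several comments are joined with a space."""
    if not comment:
      return
    if self.comment:
      self.comment = '{0:s} {1:s}'.format(self.comment, comment)
    else:
      self.comment = comment

  def AddLabel(self, label):
    """Adds a label, refusing anything outside the label alphabet."""
    if not isinstance(label, str):
      raise TypeError('label is not a string: {0!r}'.format(label))
    if not self._VALID_LABEL.match(label):
      raise ValueError(
          'label contains unsupported characters: {0:s}'.format(label))
    if label not in self.labels:
      self.labels.append(label)

  def AddLabels(self, labels):
    """Adds labels; raises ValueError on the first malformed one."""
    for label in labels:
      self.AddLabel(label)

  @classmethod
  def CopyTextToLabel(cls, text, prefix=''):
    """Copies free text to a label, replacing unsupported characters by '_'."""
    text = '{0:s}{1:s}'.format(prefix, text)
    return cls._INVALID_LABEL_CHARACTERS.sub('_', text)

  def CopyToDict(self):
    return {'comment': self.comment, 'labels': list(self.labels)}


def TagFromRuleNames(rule_names, prefix=''):
  """Builds a tag from rule names that were not written as labels.

  CopyTextToLabel is lossy: "Suspicious Process" and "Suspicious-Process"
  both become "Suspicious_Process". Next to the tag, the (rule name, label)
  pairs that collapsed onto a label already produced by a different rule are
  returned, so the collision is visible to the analyst.
  """
  tag = EventTag()
  first_rule_per_label = {}
  collisions = []
  for rule_name in rule_names:
    label = EventTag.CopyTextToLabel(rule_name, prefix=prefix)
    previous = first_rule_per_label.setdefault(label, rule_name)
    if previous != rule_name:
      collisions.append((rule_name, label))
    tag.AddLabel(label)
  return tag, collisions
```

Because labels are what later queries and counters (event_labels_counter in the session containers) key on, sanitize rule names once, at definition time, and check the returned collision list rather than discovering the merge in a report.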

plaso.containers.interface module

The attribute container interface.

class plaso.containers.interface.AttributeContainer[source]

Bases: object

The attribute container interface.

This is the base class for objects that exist primarily as a container of attributes with basic accessors and mutators.

The CONTAINER_TYPE class attribute contains a string that identifies the container type e.g. the container type “event” identifies an event object.

Attributes are public class members of a serializable type. Protected and private class members are not to be serialized.

CONTAINER_TYPE = None
CopyFromDict(attributes)[source]

Copies the attribute container from a dictionary.

Parameters:attributes (dict[str, object]) – attribute values per name.
CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns:attribute values per name.
Return type:dict[str, object]
GetAttributeNames()[source]

Retrieves the names of all attributes.

Returns:attribute names.
Return type:list[str]
GetAttributeValuesHash()[source]

Retrieves a hash of the comparable string of the attribute values.

Returns:hash of comparable string of the attribute values.
Return type:int
GetAttributeValuesString()[source]

Retrieves a comparable string of the attribute values.

Returns:comparable string of the attribute values.
Return type:str
GetAttributes()[source]

Retrieves the attribute names and values.

Attributes that are set to None are ignored.

Yields:tuple[str, object] – attribute name and value.
GetIdentifier()[source]

Retrieves the identifier.

The identifier is a storage specific value that should not be serialized.

Returns:a unique identifier for the container.
Return type:AttributeContainerIdentifier
GetSessionIdentifier()[source]

Retrieves the session identifier.

The session identifier is a storage specific value that should not be serialized.

Returns:session identifier.
Return type:str
SetIdentifier(identifier)[source]

Sets the identifier.

The identifier is a storage specific value that should not be serialized.

Parameters:identifier (AttributeContainerIdentifier) – identifier.
SetSessionIdentifier(session_identifier)[source]

Sets the session identifier.

The session identifier is a storage specific value that should not be serialized.

Parameters:session_identifier (str) – session identifier.
class plaso.containers.interface.AttributeContainerIdentifier[source]

Bases: object

The attribute container identifier.

The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.

CopyToString()[source]

Copies the identifier to a string representation.

Returns:unique identifier or None.
Return type:str

plaso.containers.manager module

This file contains the attribute container manager class.

class plaso.containers.manager.AttributeContainersManager[source]

Bases: object

Class that implements the attribute container manager.

classmethod DeregisterAttributeContainer(attribute_container_class)[source]

Deregisters an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_class (type) – attribute container class.
Raises:KeyError – if attribute container class is not set for the corresponding container type.
classmethod GetAttributeContainer(container_type)[source]

Retrieves the attribute container for a specific container type.

Parameters:container_type (str) – container type.
Returns:attribute container.
Return type:AttributeContainer
classmethod RegisterAttributeContainer(attribute_container_class)[source]

Registers an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_class (type) – attribute container class.
Raises:KeyError – if attribute container class is already set for the corresponding container type.
classmethod RegisterAttributeContainers(attribute_container_classes)[source]

Registers attribute container classes.

The attribute container classes are identified based on their lower case container type.

Parameters:attribute_container_classes (list[type]) – attribute container classes.
Raises:KeyError – if attribute container class is already set for the corresponding container type.
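
The AttributeContainer contract (plaso.containers.interface) and the registry (plaso.containers.manager) together, as an added example written for this page rather than plaso's own classes: public, non-None attributes are the serialized state; the storage-specific identifier is a protected member and never reaches the dictionary; container classes are registered by lower-case CONTAINER_TYPE and a duplicate registration is a KeyError. The CopyFromDict check that refuses protected or class-level names, the SHA-256 based hash, and the RoundTrip helper with its payload layout are assumptions added here: when a container is rebuilt from stored or untrusted input, the deserializer should only ever set attribute names, never internals.

```python
import hashlib


class AttributeContainer(object):
  """Attribute container base class (illustrative reimplementation)."""

  CONTAINER_TYPE = None

  def __init__(self):
    self._identifier = None          # storage specific, never serialized
    self._session_identifier = None  # storage specific, never serialized

  def GetAttributes(self):
    """Yields (name, value) for public attributes that are not None."""
    for name, value in sorted(self.__dict__.items()):
      if name.startswith('_') or value is None:
        continue
      yield name, value

  def GetAttributeNames(self):
    return [name for name, _ in self.GetAttributes()]

  def CopyToDict(self):
    return dict(self.GetAttributes())

  def CopyFromDict(self, attributes):
    """Restores public attributes from a dictionary.

    Assumption: input may come from storage written by another process, so
    names that would touch protected members or class constants are refused.
    """
    for name, value in attributes.items():
      if name.startswith('_') or name.isupper():
        raise ValueError(
            'refusing to set non-attribute member: {0:s}'.format(name))
      setattr(self, name, value)

  def GetAttributeValuesString(self):
    return ', '.join(
        '{0:s}: {1!s}'.format(name, value)
        for name, value in self.GetAttributes())

  def GetAttributeValuesHash(self):
    # A digest instead of hash(): stable across processes and Python runs,
    # which matters when de-duplicating containers from several workers.
    digest = hashlib.sha256(
        self.GetAttributeValuesString().encode('utf-8')).digest()
    return int.from_bytes(digest[:8], 'big')

  def GetIdentifier(self):
    return self._identifier

  def SetIdentifier(self, identifier):
    self._identifier = identifier


class AttributeContainersManager(object):
  """Registry of container classes keyed by lower-case container type."""

  _container_classes = {}

  @classmethod
  def RegisterAttributeContainer(cls, attribute_container_class):
    container_type = attribute_container_class.CONTAINER_TYPE.lower()
    if container_type in cls._container_classes:
      raise KeyError(
          'container type already registered: {0:s}'.format(container_type))
    cls._container_classes[container_type] = attribute_container_class

  @classmethod
  def DeregisterAttributeContainer(cls, attribute_container_class):
    container_type = attribute_container_class.CONTAINER_TYPE.lower()
    if container_type not in cls._container_classes:
      raise KeyError(
          'container type not registered: {0:s}'.format(container_type))
    del cls._container_classes[container_type]

  @classmethod
  def GetAttributeContainer(cls, container_type):
    container_class = cls._container_classes.get(container_type.lower())
    if not container_class:
      raise KeyError(
          'container type not registered: {0:s}'.format(container_type))
    return container_class()


class AnalyzerResult(AttributeContainer):
  """Analyzer result container, as in plaso.containers.analyzer_result."""

  CONTAINER_TYPE = 'analyzer_result'

  def __init__(self, analyzer_name=None, attribute_name=None,
               attribute_value=None):
    super().__init__()
    self.analyzer_name = analyzer_name
    self.attribute_name = attribute_name
    self.attribute_value = attribute_value


AttributeContainersManager.RegisterAttributeContainer(AnalyzerResult)


def RoundTrip(container):
  """Serializes a container to a plain dict and rebuilds it via the registry."""
  payload = {
      'container_type': container.CONTAINER_TYPE,
      'attributes': container.CopyToDict()}
  rebuilt = AttributeContainersManager.GetAttributeContainer(
      payload['container_type'])
  rebuilt.CopyFromDict(payload['attributes'])
  return payload, rebuilt
```

The rebuilt container carries the same public attributes and the same value hash as the original but no identifier: identifiers are assigned by the storage layer on write, which is why the interface documents them as not to be serialized.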

plaso.containers.plist_event module

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData[source]

Bases: plaso.containers.events.EventData

Plist event data attribute container.

desc

str – description.

hostname

str – hostname.

key

str – name of plist key.

root

str – path from the root to this plist key.

username

str – unique username.

DATA_TYPE = u'plist:key'

plaso.containers.reports module

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Analysis report attribute container.

filter_string

str – event filter expression.

plugin_name

str – name of the analysis plugin that generated the report.

report_array

array[str] – ???

report_dict

dict[str] – ???

text

str – report text.

time_compiled

int – timestamp of the date and time the report was compiled.

CONTAINER_TYPE = u'analysis_report'
CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns:attribute values per name.
Return type:dict[str, object]
GetString()[source]

Retrieves a string representation of the report.

Returns:string representation of the report.
Return type:str

plaso.containers.sessions module

Session related attribute container definitions.

class plaso.containers.sessions.Session[source]

Bases: plaso.containers.interface.AttributeContainer

Session attribute container.

aborted

bool – True if the session was aborted.

analysis_reports_counter

collections.Counter – number of analysis reports per analysis plugin.

artifact_filters

list[str] – Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

command_line_arguments

str – command line arguments.

completion_time

int – time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

debug_mode

bool – True if debug mode was enabled.

enabled_parser_names

list[str] – parser and parser plugin names that were enabled.

event_labels_counter

collections.Counter – number of event tags per label.

filter_file

str – path to a file with find specifications.

identifier

str – unique identifier of the session.

parser_filter_expression

str – parser filter expression.

parsers_counter

collections.Counter – number of events per parser or parser plugin.

preferred_encoding

str – preferred encoding.

preferred_time_zone

str – preferred time zone.

preferred_year

int – preferred year.

product_name

str – name of the product that created the session e.g. ‘log2timeline’.

product_version

str – version of the product that created the session.

start_time

int – time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = u'session'
CopyAttributesFromSessionCompletion(session_completion)[source]

Copies attributes from a session completion.

Parameters:session_completion (SessionCompletion) – session completion attribute container.
Raises:ValueError – if the identifier of the session completion does not match that of the session.
CopyAttributesFromSessionStart(session_start)[source]

Copies attributes from a session start.

Parameters:session_start (SessionStart) – session start attribute container.
CreateSessionCompletion()[source]

Creates a session completion.

Returns:session completion attribute container.
Return type:SessionCompletion
CreateSessionStart()[source]

Creates a session start.

Returns:session start attribute container.
Return type:SessionStart
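
The session start/completion round trip in working code, as an added example written for this page and not plaso's Session classes: the session emits a SessionStart record when it begins and a SessionCompletion record when it ends, and a reader rebuilds the Session from the two, with the documented ValueError when the completion identifier does not match. Only a subset of the attributes listed above is carried to keep the mechanism visible; the RebuildSession helper and the _Now helper are assumptions.

```python
import collections
import time
import uuid

MICROSECONDS_PER_SECOND = 1000000


def _Now():
  """Returns the current time as microseconds since 1970-01-01 00:00:00 UTC."""
  return int(time.time() * MICROSECONDS_PER_SECOND)


class SessionStart(object):
  """Session start record written when extraction begins (illustrative)."""

  CONTAINER_TYPE = 'session_start'

  def __init__(self, identifier=None):
    self.identifier = identifier
    self.product_name = None
    self.timestamp = None


class SessionCompletion(object):
  """Session completion record written when extraction ends (illustrative)."""

  CONTAINER_TYPE = 'session_completion'

  def __init__(self, identifier=None):
    self.aborted = False
    self.identifier = identifier
    self.parsers_counter = collections.Counter()
    self.timestamp = None


class Session(object):
  """Session attribute container (illustrative, subset of attributes)."""

  CONTAINER_TYPE = 'session'

  def __init__(self):
    self.aborted = False
    self.completion_time = None
    self.identifier = uuid.uuid4().hex
    self.parsers_counter = collections.Counter()
    self.product_name = None
    self.start_time = _Now()

  def CreateSessionStart(self):
    session_start = SessionStart(identifier=self.identifier)
    session_start.product_name = self.product_name
    session_start.timestamp = self.start_time
    return session_start

  def CreateSessionCompletion(self):
    self.completion_time = _Now()
    session_completion = SessionCompletion(identifier=self.identifier)
    session_completion.aborted = self.aborted
    session_completion.parsers_counter = self.parsers_counter
    session_completion.timestamp = self.completion_time
    return session_completion

  def CopyAttributesFromSessionStart(self, session_start):
    self.identifier = session_start.identifier
    self.product_name = session_start.product_name
    self.start_time = session_start.timestamp

  def CopyAttributesFromSessionCompletion(self, session_completion):
    # The two records are stored separately; never merge a completion that
    # belongs to a different session.
    if self.identifier != session_completion.identifier:
      raise ValueError(
          'session completion identifier: {0!s} does not match session '
          'identifier: {1!s}'.format(
              session_completion.identifier, self.identifier))
    self.aborted = session_completion.aborted
    self.completion_time = session_completion.timestamp
    self.parsers_counter = session_completion.parsers_counter


def RebuildSession(session_start, session_completion):
  """Rebuilds a session from its start and completion records."""
  session = Session()
  session.CopyAttributesFromSessionStart(session_start)
  session.CopyAttributesFromSessionCompletion(session_completion)
  return session
```

A storage file that holds a start record without a matching completion record is what an aborted or crashed extraction looks like from the outside, so a reader should treat the missing completion, not only a mismatched one, as a signal.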
class plaso.containers.sessions.SessionCompletion(identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Session completion attribute container.

aborted

bool – True if the session was aborted.

analysis_reports_counter

collections.Counter – number of analysis reports per analysis plugin.

event_labels_counter

collections.Counter – number of event tags per label.

identifier

str – unique identifier of the session.

parsers_counter

collections.Counter – number of events per parser or parser plugin.

timestamp

int – time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = u'session_completion'
class plaso.containers.sessions.SessionStart(identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Session start attribute container.

artifact_filters

list[str] – names of artifact definitions that are used for filtering file system and Windows Registry key paths.

command_line_arguments

str – command line arguments.

debug_mode

bool – True if debug mode was enabled.

enabled_parser_names

list[str] – parser and parser plugin names that were enabled.

filter_file

str – path to a file with find specifications.

identifier

str – unique identifier of the session.

parser_filter_expression

str – parser filter expression.

preferred_encoding

str – preferred encoding.

preferred_time_zone

str – preferred time zone.

preferred_year

int – preferred year.

product_name

str – name of the product that created the session e.g. ‘log2timeline’.

product_version

str – version of the product that created the session.

timestamp

int – time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = u'session_start'

plaso.containers.shell_item_events module

Shell item event attribute container.

class plaso.containers.shell_item_events.ShellItemFileEntryEventData[source]

Bases: plaso.containers.events.EventData

Shell item file entry event data attribute container.

name

str – name of the file entry shell item.

long_name

str – long name of the file entry shell item.

localized_name

str – localized name of the file entry shell item.

file_reference

str – NTFS file reference, in the format: “MFT entry - sequence number”.

shell_item_path

str – shell item path.

origin

str – origin of the event.

DATA_TYPE = u'windows:shell_item:file_entry'

plaso.containers.storage_media module

Storage media related attribute container definitions.

class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Mount point attribute container.

mount_path

str – path where the path specification is mounted, such as “/mnt/image” or “C:”.

path_spec

dfvfs.PathSpec – path specification.

CONTAINER_TYPE = u'mount_point'

plaso.containers.tasks module

Task related attribute container definitions.

class plaso.containers.tasks.Task(session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task attribute container.

A task describes a piece of work for a multi-processing worker process, e.g. to process a path specification or to analyze an event.

aborted

bool – True if the task was aborted.

completion_time

int – time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

file_entry_type

str – dfVFS type of the file entry the path specification is referencing.

has_retry

bool – True if the task was previously abandoned and a retry task was created, False otherwise.

identifier

str – unique identifier of the task.

last_processing_time

int – the last time the task was marked as being processed, as the number of milliseconds since January 1, 1970, 00:00:00 UTC.

merge_priority

int – priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

path_spec

dfvfs.PathSpec – path specification.

session_identifier

str – the identifier of the session the task is part of.

start_time

int – time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

storage_file_size

int – size of the storage file in bytes.

CONTAINER_TYPE = u'task'
CreateRetryTask()[source]

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns:a task to retry a previously abandoned task.
Return type:Task
CreateTaskCompletion()[source]

Creates a task completion.

Returns:task completion attribute container.
Return type:TaskCompletion
CreateTaskStart()[source]

Creates a task start.

Returns:task start attribute container.
Return type:TaskStart
UpdateProcessingTime()[source]

Updates the processing time to now.

__lt__(other)[source]

Compares if the task attribute container is less than the other.

Parameters:other (Task) – task attribute container to compare to.
Returns:True if the task attribute container is less than the other.
Return type:bool
class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task completion attribute container.

aborted

bool – True if the task was aborted.

identifier

str – unique identifier of the task.

session_identifier

str – the identifier of the session the task is part of.

timestamp

int – time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = u'task_completion'
class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)[source]

Bases: plaso.containers.interface.AttributeContainer

Task start attribute container.

identifier

str – unique identifier of the task.

session_identifier

str – the identifier of the session the task is part of.

timestamp

int – time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

CONTAINER_TYPE = u'task_start'
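
The retry and merge bookkeeping of the Task container in working code, as an added example written for this page and not plaso's own tasks module. It follows the documented semantics: a retry task gets a new identifier and copies the work attributes, the original is marked has_retry, UpdateProcessingTime records milliseconds while start_time uses microseconds, and a lower merge_priority merges first. The notion of “abandoned” (no processing-time refresh within a timeout) and the IsAbandoned, RetryAbandonedTasks and MergeOrder helpers are assumptions; the page does not define how a task is detected as abandoned.

```python
import time
import uuid

MICROSECONDS_PER_SECOND = 1000000
MILLISECONDS_PER_SECOND = 1000


class Task(object):
  """Task attribute container (illustrative reimplementation)."""

  CONTAINER_TYPE = 'task'

  def __init__(self, session_identifier=None):
    self.aborted = False
    self.completion_time = None
    self.file_entry_type = None
    self.has_retry = False
    self.identifier = uuid.uuid4().hex
    self.last_processing_time = None
    self.merge_priority = None
    self.path_spec = None
    self.session_identifier = session_identifier
    self.start_time = int(time.time() * MICROSECONDS_PER_SECOND)
    self.storage_file_size = None

  def CreateRetryTask(self):
    """Creates a retry task: new identifier, work attributes copied over."""
    retry_task = Task(session_identifier=self.session_identifier)
    retry_task.file_entry_type = self.file_entry_type
    retry_task.merge_priority = self.merge_priority
    retry_task.path_spec = self.path_spec
    retry_task.storage_file_size = self.storage_file_size
    self.has_retry = True
    return retry_task

  def UpdateProcessingTime(self):
    """Records that a worker is still processing the task (milliseconds)."""
    self.last_processing_time = int(time.time() * MILLISECONDS_PER_SECOND)


def IsAbandoned(task, now_milliseconds, timeout_seconds=300):
  """Assumption: a task is abandoned when it has not completed and no worker
  refreshed its processing time within timeout_seconds."""
  if task.completion_time is not None or task.last_processing_time is None:
    return False
  idle_milliseconds = now_milliseconds - task.last_processing_time
  return idle_milliseconds > timeout_seconds * MILLISECONDS_PER_SECOND


def RetryAbandonedTasks(tasks, now_milliseconds, timeout_seconds=300):
  """Creates a retry task for each abandoned task, at most once per task."""
  retries = []
  for task in tasks:
    if task.has_retry:
      continue  # already retried; avoid an unbounded retry storm
    if IsAbandoned(task, now_milliseconds, timeout_seconds):
      retries.append(task.CreateRetryTask())
  return retries


def MergeOrder(tasks):
  """Orders tasks for the storage file merge: lower merge_priority first,
  tasks without a priority last, identifier as a stable tie breaker."""
  def _Key(task):
    priority = task.merge_priority
    return (priority is None, priority if priority is not None else 0,
            task.identifier)
  return sorted(tasks, key=_Key)
```

Keeping has_retry on the original task is what bounds the retries: a task that was retried once and abandoned again is not retried a second time by RetryAbandonedTasks, which is the kind of cap a worker pool needs so a file that crashes every worker does not loop forever.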

plaso.containers.time_events module

Time-based event attribute containers.

class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, data_type=None, time_zone=None)[source]

Bases: plaso.containers.time_events.TimestampEvent

dfDateTime date time values-based event attribute container.

class plaso.containers.time_events.PythonDatetimeEvent(datetime_value, date_time_description, data_type=None, time_zone=None)[source]

Bases: plaso.containers.time_events.DateTimeValuesEvent

Python datetime-based event attribute container.

class plaso.containers.time_events.TimestampEvent(timestamp, timestamp_description, data_type=None)[source]

Bases: plaso.containers.events.EventObject

Plaso timestamp-based event attribute container.

data_type

str – event data type.

timestamp

int – timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

timestamp_desc

str – description of the meaning of the timestamp.
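
The timestamp convention of these classes in working code, as an added example written for this page rather than plaso's time_events module (which builds on dfdatetime): a Python datetime is normalized to microseconds since January 1, 1970, 00:00:00 UTC, events compare by that value, and events recorded in different zones therefore sort correctly. How a naive datetime is handled (interpreted in time_zone when given, otherwise as UTC) and the DatetimeToTimestamp, TimestampToDatetime and SortedTimeline helpers are assumptions made for the example.

```python
import datetime

MICROSECONDS_PER_SECOND = 1000000
_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def DatetimeToTimestamp(datetime_value, time_zone=None):
  """Converts a datetime to microseconds since January 1, 1970, 00:00:00 UTC.

  A naive datetime is interpreted in time_zone when given, otherwise as UTC
  (assumption; plaso's own handling of naive values may differ). Integer
  arithmetic is used on purpose: total_seconds() is a float and can lose
  microsecond precision for dates far from the epoch.
  """
  if datetime_value.tzinfo is None:
    datetime_value = datetime_value.replace(
        tzinfo=time_zone or datetime.timezone.utc)
  delta = datetime_value - _EPOCH
  return ((delta.days * 86400 + delta.seconds) * MICROSECONDS_PER_SECOND +
          delta.microseconds)


def TimestampToDatetime(timestamp):
  """Converts a timestamp in microseconds back to an aware UTC datetime."""
  return _EPOCH + datetime.timedelta(microseconds=timestamp)


class TimestampEvent(object):
  """Timestamp-based event (illustrative reimplementation)."""

  def __init__(self, timestamp, timestamp_description, data_type=None):
    self.data_type = data_type
    self.timestamp = timestamp
    self.timestamp_desc = timestamp_description

  def __lt__(self, other):
    # Events are ordered by timestamp only, as documented for EventObject.
    return self.timestamp < other.timestamp


class PythonDatetimeEvent(TimestampEvent):
  """Event built from a Python datetime (illustrative reimplementation)."""

  def __init__(self, datetime_value, date_time_description, data_type=None,
               time_zone=None):
    timestamp = DatetimeToTimestamp(datetime_value, time_zone=time_zone)
    super().__init__(timestamp, date_time_description, data_type=data_type)


def SortedTimeline(events):
  """Returns events in timeline order; mixed time zones sort correctly
  because every timestamp is already normalized to UTC microseconds."""
  return sorted(events)
```

The naive-datetime branch is where timeline errors come from in practice: a log that stores local wall-clock time without an offset must be given the system's time zone (the preferred_time_zone of the session) at conversion time, or its events land hours away from events whose sources record UTC.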

plaso.containers.windows_events module

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)[source]

Bases: plaso.containers.events.EventData

Windows distributed link event data attribute container.

mac_address

str – MAC address stored in the UUID.

origin

str – origin of the event (event source), e.g. the path of the corresponding LNK file, or the file reference of the MFT entry that holds the corresponding NTFS $OBJECT_ID attribute.

uuid

str – UUID.

DATA_TYPE = u'windows:distributed_link_tracking:creation'
class plaso.containers.windows_events.WindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry event data attribute container.

key_path

str – Windows Registry key path.

regvalue

dict[str, object] – values in the key.

source_append

str – text to append to the source_long of the event.

urls

list[str] – URLs.

DATA_TYPE = u'windows:registry:key_value'
class plaso.containers.windows_events.WindowsRegistryInstallationEventData[source]

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

key_path

str – Windows Registry key path.

owner

str – owner.

product_name

str – product name.

service_pack

str – service pack.

version

str – version.

DATA_TYPE = u'windows:registry:installation'
class plaso.containers.windows_events.WindowsRegistryListEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry list event data attribute container.

Windows Registry list event data is used to store an MRU (most recently used) list.

key_path

str – Windows Registry key path.

known_folder_identifier

str – known folder identifier.

list_name

str – name of the list.

list_values

str – values in the list.

value_name

str – Windows Registry value name.

DATA_TYPE = u'windows:registry:list'
class plaso.containers.windows_events.WindowsRegistryServiceEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry service event data attribute container.

key_path

str – Windows Registry key path.

offset

int – data offset of the Windows Registry key or value.

regvalue

dict[str, str] – values of a key.

urls

Optional[list[str]] – URLs.

DATA_TYPE = u'windows:registry:service'
class plaso.containers.windows_events.WindowsVolumeEventData[source]

Bases: plaso.containers.events.EventData

Windows volume event data attribute container.

device_path

str – volume device path.

origin

str – origin of the event (event source), for example the corresponding Prefetch file name.

serial_number

str – volume serial number.

DATA_TYPE = u'windows:volume:creation'

Module contents

This file imports Python modules that register attribute container types.