plaso.containers package

Submodules

plaso.containers.analysis_results module

Analysis result attribute containers.

class plaso.containers.analysis_results.BrowserSearchAnalysisResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Browser search analysis plugin result container.

number_of_queries

number of times the search engine was queried.

Type:

int

search_engine

search engine that was queried.

Type:

str

search_term

term searched for.

Type:

str

CONTAINER_TYPE = 'browser_search_analysis_result'
SCHEMA = {'number_of_queries': 'int', 'search_engine': 'str', 'search_term': 'str'}
__init__(number_of_queries=None, search_engine=None, search_term=None)[source]

Initializes a browser search analysis plugin result container.

Parameters:
  • number_of_queries (Optional[int]) – number of times the search engine was queried.

  • search_engine (Optional[str]) – search engine that was queried.

  • search_term (Optional[str]) – term searched for.

class plaso.containers.analysis_results.ChromeExtensionAnalysisResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Chrome extension analysis plugin result container.

extension

name of the Chrome extension.

Type:

str

extension_identifier

identifier of the Chrome extension.

Type:

str

username

name of a user that has installed the Chrome extension.

Type:

str

CONTAINER_TYPE = 'chrome_extension_analysis_result'
SCHEMA = {'extension': 'str', 'extension_identifier': 'str', 'username': 'str'}
__init__(extension=None, extension_identifier=None, username=None)[source]

Initializes a Chrome extension analysis plugin result container.

Parameters:
  • extension (Optional[str]) – name of the Chrome extension.

  • extension_identifier (Optional[str]) – identifier of the Chrome extension.

  • username (Optional[str]) – name of a user that has installed the Chrome extension.

plaso.containers.analyzer_result module

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name

name of the analyzer that produced the result.

Type:

str

attribute_name

name of the attribute produced.

Type:

str

attribute_value

value of the attribute produced.

Type:

str

CONTAINER_TYPE = 'analyzer_result'
__init__()[source]

Initializes an analyzer result.

plaso.containers.artifacts module

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:

https://en.wikipedia.org/wiki/Environment_variable

case_sensitive

True if environment variable name is case sensitive.

Type:

bool

name

environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.

Type:

str

value

environment variable value such as “C:\Windows” or “/home/user”.

Type:

str

CONTAINER_TYPE = 'environment_variable'
SCHEMA = {'case_sensitive': 'bool', 'name': 'str', 'value': 'str'}
__init__(case_sensitive=True, name=None, value=None)[source]

Initializes an environment variable artifact.

Parameters:
  • case_sensitive (Optional[bool]) – True if environment variable name is case sensitive.

  • name (Optional[str]) – environment variable name.

  • value (Optional[str]) – environment variable value.

class plaso.containers.artifacts.HostnameArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:

https://en.wikipedia.org/wiki/Hostname

Cybox / Stix Hostname Object

name

name of the host according to the naming schema.

Type:

str

schema

naming schema such as “DNS”, “NIS”, “SMB/NetBIOS”.

Type:

str

CONTAINER_TYPE = 'hostname'
SCHEMA = {'name': 'str', 'schema': 'str'}
__init__(name=None, schema='DNS')[source]

Initializes a hostname artifact.

Parameters:
  • name (Optional[str]) – name of the host according to the naming schema.

  • schema (Optional[str]) – naming schema.

class plaso.containers.artifacts.OperatingSystemArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Operating system artifact attribute container.

family

operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.

Type:

str

name

operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.

Type:

str

product

product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

Type:

str

version

version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

Type:

str

CONTAINER_TYPE = 'operating_system'
IsEquivalent(other)[source]

Determines if 2 operating system artifacts are equivalent.

This function compares the operating systems based on the following criteria, in order:
  • name derived from product

  • family and version

  • family

Parameters:

other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.

Returns:

True if the operating systems are considered equivalent, False if the most specific criteria do not match, or no criteria are available.

Return type:

bool

SCHEMA = {'family': 'str', 'name': 'str', 'product': 'str', 'version': 'str'}
__init__(family=None, product=None, version=None)[source]

Initializes an operating system artifact.

Parameters:
  • family (Optional[str]) – operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.

  • product (Optional[str]) – product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

  • version (Optional[str]) – version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

property version_tuple

version tuple or None if version is not set or invalid.

Type:

Tuple[int]
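
The comparison order documented for IsEquivalent and the behaviour of version_tuple, as an added example that is not plaso's own code. The lookup that derives a name from the product string is a constructed stand-in (plaso keeps its real names in definitions), and the exact rule for "criteria available" is an assumption; the precedence of the three criteria follows the description above.

```python
from typing import Optional, Tuple

# Constructed lookup from product tokens to a predefined operating system
# name. plaso keeps its real table in definitions; this one is an assumption
# for the example only.
_PRODUCT_NAME_LOOKUP = (
    (('windows', 'xp'), 'Windows XP'),
    (('windows', '7'), 'Windows 7'),
    (('mojave',), 'macOS Mojave'),
)


def DeriveNameFromProduct(product: Optional[str]) -> Optional[str]:
  """Derives the predefined operating system name from a product string."""
  if not product:
    return None
  tokens = set(product.lower().split())
  for required_tokens, name in _PRODUCT_NAME_LOOKUP:
    if tokens.issuperset(required_tokens):
      return name
  return None


class OperatingSystemArtifact(object):
  """Minimal operating system artifact with the documented comparison order."""

  def __init__(self, family=None, product=None, version=None):
    self.family = family
    self.product = product
    self.version = version
    # Assumption: the name is derived from the product at construction time.
    self.name = DeriveNameFromProduct(product)

  @property
  def version_tuple(self) -> Optional[Tuple[int, ...]]:
    """Version tuple or None if version is not set or invalid."""
    if not self.version:
      return None
    try:
      return tuple(int(part) for part in self.version.split('.'))
    except ValueError:
      return None

  def IsEquivalent(self, other) -> bool:
    """Compares two artifacts on the most specific criteria both provide.

    Order: name derived from product, then family and version, then family.
    Returns False when the most specific shared criteria differ or when no
    criteria are available on both sides.
    """
    if self.name and other.name:
      return self.name == other.name
    if (self.family and other.family and
        self.version_tuple and other.version_tuple):
      return (self.family == other.family and
              self.version_tuple == other.version_tuple)
    if self.family and other.family:
      return self.family == other.family
    return False
```

Two artifacts that both carry a recognizable product compare on the derived name only, so a differing version does not make them unequal; an artifact without a product falls through to family and version, and then to family alone.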

class plaso.containers.artifacts.PathArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Path artifact attribute container.

data_stream

name of a data stream.

Type:

str

path_segment_separator

path segment separator.

Type:

str

path_segments

path segments.

Type:

list[str]

CONTAINER_TYPE = 'path'
ContainedIn(other)[source]

Determines if the path is contained in other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is contained in other.

Return type:

bool

SCHEMA = {'data_stream': 'str', 'path_segment_separator': 'str', 'path_segments': 'List[str]'}
__eq__(other)[source]

Determines if the path is equal to other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is equal to other.

Return type:

bool

__ge__(other)[source]

Determines if the path is greater than or equal to other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is greater than or equal to other.

Return type:

bool

Raises:

ValueError – if other is not an instance of string.

__gt__(other)[source]

Determines if the path is greater than other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is greater than other.

Return type:

bool

Raises:

ValueError – if other is not an instance of string.

__init__(data_stream=None, path=None, path_segment_separator='/')[source]

Initializes a path artifact.

Parameters:
  • data_stream (Optional[str]) – name of a data stream.

  • path (Optional[str]) – a path.

  • path_segment_separator (Optional[str]) – path segment separator.

__le__(other)[source]

Determines if the path is less than or equal to other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is less than or equal to other.

Return type:

bool

Raises:

ValueError – if other is not an instance of string.

__lt__(other)[source]

Determines if the path is less than other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is less than other.

Return type:

bool

Raises:

ValueError – if other is not an instance of string.

__ne__(other)[source]

Determines if the path is not equal to other.

Parameters:

other (str) – path to compare against.

Returns:

True if the path is not equal to other.

Return type:

bool
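
A segment-based path container with the ContainedIn and comparison behaviour documented above, as an added example that is not plaso's own code. It assumes that paths are split on path_segment_separator with empty segments dropped, that comparisons are case sensitive, and that "contained in" means the artifact's segments occur as a contiguous run somewhere in the other path; the page does not state these details. The ordering operators raise ValueError for non-strings as documented, while __eq__ and __ne__ simply report inequality.

```python
from typing import List


class PathArtifact(object):
  """Path artifact that compares paths segment by segment."""

  def __init__(self, data_stream=None, path=None, path_segment_separator='/'):
    self.data_stream = data_stream
    self.path_segment_separator = path_segment_separator
    self.path_segments = self._SplitPath(path)

  def _SplitPath(self, path) -> List[str]:
    """Splits a path into segments, dropping empty ones (leading or trailing
    separators, doubled separators)."""
    if not path:
      return []
    return [segment for segment in path.split(self.path_segment_separator)
            if segment]

  def _GetOtherSegments(self, other) -> List[str]:
    """Splits the path to compare against; raises ValueError for non-strings."""
    if not isinstance(other, str):
      raise ValueError('other must be a string, got: {0!s}'.format(type(other)))
    return self._SplitPath(other)

  def ContainedIn(self, other) -> bool:
    """True if this path's segments occur as a contiguous run in other.

    Assumption for this example: a non-string other is simply not a match.
    """
    if not isinstance(other, str):
      return False
    other_segments = self._SplitPath(other)
    number_of_segments = len(self.path_segments)
    if not number_of_segments or number_of_segments > len(other_segments):
      return False
    for index in range(len(other_segments) - number_of_segments + 1):
      if other_segments[index:index + number_of_segments] == self.path_segments:
        return True
    return False

  def __eq__(self, other):
    if not isinstance(other, str):
      return False
    return self.path_segments == self._SplitPath(other)

  def __ne__(self, other):
    return not self.__eq__(other)

  # Ordering compares the segment lists lexicographically, so a path sorts
  # before any path that extends it.
  def __lt__(self, other):
    return self.path_segments < self._GetOtherSegments(other)

  def __le__(self, other):
    return self.path_segments <= self._GetOtherSegments(other)

  def __gt__(self, other):
    return self.path_segments > self._GetOtherSegments(other)

  def __ge__(self, other):
    return self.path_segments >= self._GetOtherSegments(other)


def MatchMessageFilePaths(artifact_path, candidate_paths, separator='/'):
  """Returns the candidate paths that contain the artifact path, the kind of
  lookup needed to resolve a message file name against extracted file paths."""
  artifact = PathArtifact(path=artifact_path, path_segment_separator=separator)
  return [path for path in candidate_paths if artifact.ContainedIn(path)]
```

Because the comparison is on segments rather than on the raw string, a leading or trailing separator makes no difference, and a Windows path can be handled by passing a backslash as the separator.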

class plaso.containers.artifacts.SourceConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Source configuration artifact attribute container.

The source configuration contains the configuration data of a source that is (or is going to be) processed, such as a storage media image or a mounted directory.

path

path of the source.

Type:

str

source_type

type of source.

Type:

str

CONTAINER_TYPE = 'source_configuration'
SCHEMA = {'path': 'str', 'source_type': 'str'}
__init__(path=None, source_type=None)[source]

Initializes a source configuration artifact.

Parameters:
  • path (Optional[str]) – path of the source.

  • source_type (Optional[str]) – type of source.

class plaso.containers.artifacts.SystemConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation such as Windows or Linux.

available_time_zones

available time zones.

Type:

list[TimeZone]

code_page

system code page.

Type:

str

environment_variables

environment variables.

Type:

list[EnvironmentVariableArtifact]

hostname

hostname.

Type:

HostnameArtifact

keyboard_layout

keyboard layout.

Type:

str

language

system language.

Type:

str

operating_system

operating system for example “MacOS” or “Windows”.

Type:

str

operating_system_product

operating system product for example “Windows XP”.

Type:

str

operating_system_version

operating system version for example “10.9.2” or “8.1”.

Type:

str

path_specs

path specifications of the file systems the system configuration was retrieved from.

Type:

list[dfvfs.PathSpec]

time_zone

system time zone.

Type:

str

user_accounts

user accounts.

Type:

list[UserAccountArtifact]

CONTAINER_TYPE = 'system_configuration'
__init__(code_page=None, language=None, time_zone=None)[source]

Initializes a system configuration artifact.

Parameters:
  • code_page (Optional[str]) – system code page.

  • language (Optional[str]) – system language.

  • time_zone (Optional[str]) – system time zone.

class plaso.containers.artifacts.TimeZoneArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Time zone artifact attribute container.

localized_name

name describing the time zone in localized language for example “Greenwich (standaardtijd)”.

Type:

str

mui_form

MUI form of the name describing the time zone for example “@tzres.dll,-112”.

Type:

str

name

name describing the time zone for example “Greenwich Standard Time”.

Type:

str

offset

time zone offset in number of minutes from UTC.

Type:

int

CONTAINER_TYPE = 'time_zone'
SCHEMA = {'localized_name': 'str', 'mui_form': 'str', 'name': 'str', 'offset': 'int'}
__init__(localized_name=None, mui_form=None, name=None, offset=None)[source]

Initializes a time zone artifact.

Parameters:
  • localized_name (Optional[str]) – name describing the time zone in localized language for example “Greenwich (standaardtijd)”.

  • mui_form (Optional[str]) – MUI form of the name describing the time zone for example “@tzres.dll,-112”.

  • name (Optional[str]) – name describing the time zone for example “Greenwich Standard Time”.

  • offset (Optional[int]) – time zone offset in number of minutes from UTC.

class plaso.containers.artifacts.UserAccountArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

User account artifact attribute container.

Also see:

Cybox / Stix User Account Object

full_name

name describing the user.

Type:

str

group_identifier

identifier of the primary group the user is part of.

Type:

str

identifier

user identifier.

Type:

str

user_directory

path of the user (or home or profile) directory.

Type:

str

username

name uniquely identifying the user.

Type:

str

CONTAINER_TYPE = 'user_account'
GetUserDirectoryPathSegments()[source]

Retrieves the path segments of the user directory.

Returns:

path segments of the user directory or an empty list if no user directory is set.

Return type:

list[str]

SCHEMA = {'full_name': 'str', 'group_identifier': 'str', 'identifier': 'str', 'user_directory': 'str', 'username': 'str'}
__init__(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)[source]

Initializes a user account artifact.

Parameters:
  • full_name (Optional[str]) – name describing the user.

  • group_identifier (Optional[str]) – identifier of the primary group the user is part of.

  • identifier (Optional[str]) – user identifier.

  • path_separator (Optional[str]) – path segment separator.

  • user_directory (Optional[str]) – path of the user (or home or profile) directory.

  • username (Optional[str]) – name uniquely identifying the user.

class plaso.containers.artifacts.WindowsEventLogMessageFileArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog message file artifact attribute container.

path

path.

Type:

str

windows_path

path as defined by the Windows EventLog provider.

Type:

str

CONTAINER_TYPE = 'windows_eventlog_message_file'
SCHEMA = {'path': 'str', 'windows_path': 'str'}
__init__(path=None, windows_path=None)[source]

Initializes a Windows EventLog message file artifact.

Parameters:
  • path (Optional[str]) – path.

  • windows_path (Optional[str]) – path as defined by the Windows EventLog provider.

class plaso.containers.artifacts.WindowsEventLogMessageStringArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog message string artifact attribute container.

language_identifier

language identifier.

Type:

str

message_identifier

message identifier.

Type:

int

string

string.

Type:

str

CONTAINER_TYPE = 'windows_eventlog_message_string'
GetMessageFileIdentifier()[source]

Retrieves the identifier of the associated message file.

Returns:

message file identifier or None when not set.

Return type:

AttributeContainerIdentifier

SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'language_identifier': 'int', 'message_identifier': 'int', 'string': 'str'}
SetMessageFileIdentifier(message_file_identifier)[source]

Sets the identifier of the associated message file.

Parameters:

message_file_identifier (AttributeContainerIdentifier) – message file identifier.

__init__(language_identifier=None, message_identifier=None, string=None)[source]

Initializes a Windows EventLog message string artifact.

Parameters:
  • language_identifier (Optional[str]) – language identifier.

  • message_identifier (Optional[int]) – message identifier.

  • string (Optional[str]) – string.

class plaso.containers.artifacts.WindowsEventLogProviderArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows EventLog provider artifact attribute container.

additional_identifier

additional identifier of the provider, contains a GUID.

Type:

str

category_message_files

filenames of the category message files.

Type:

list[str]

event_message_files

filenames of the event message files.

Type:

list[str]

identifier

identifier of the provider, contains a GUID.

Type:

str

log_sources

names of the corresponding Event Log sources.

Type:

list[str]

log_types

Windows Event Log types.

Type:

list[str]

parameter_message_files

filenames of the parameter message files.

Type:

list[str]

CONTAINER_TYPE = 'windows_eventlog_provider'
SCHEMA = {'_system_configuration_identifier': 'AttributeContainerIdentifier', 'additional_identifier': 'str', 'category_message_files': 'List[str]', 'event_message_files': 'List[str]', 'identifier': 'str', 'log_sources': 'List[str]', 'log_types': 'List[str]', 'parameter_message_files': 'List[str]'}
__init__(category_message_files=None, event_message_files=None, identifier=None, log_source=None, log_type=None, parameter_message_files=None)[source]

Initializes a Windows EventLog provider artifact.

Parameters:
  • category_message_files (Optional[list[str]]) – filenames of the category message files.

  • event_message_files (Optional[list[str]]) – filenames of the event message files.

  • identifier (Optional[str]) – identifier of the provider, contains a GUID.

  • log_source (Optional[str]) – name of the Windows EventLog source.

  • log_type (Optional[str]) – Windows EventLog type.

  • parameter_message_files (Optional[list[str]]) – filenames of the parameter message files.

class plaso.containers.artifacts.WindowsMountedDeviceArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows mounted device artifact attribute container.

device

device.

Type:

str

disk_identity

MBR disk identity.

Type:

int

identifier

identifier.

Type:

str

partition_identifier

GPT partition identifier.

Type:

str

partition_offset

MBR partition offset.

Type:

int

CONTAINER_TYPE = 'windows_mounted_device'
SCHEMA = {'device': 'str', 'disk_identity': 'int', 'identifier': 'str', 'partition_identifier': 'str', 'partition_offset': 'int'}
__init__(identifier=None)[source]

Initializes a Windows mounted device artifact.

Parameters:

identifier (Optional[str]) – identifier.

class plaso.containers.artifacts.WindowsServiceConfigurationArtifact(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows service (or driver) configuration artifact attribute container.

error_control

error control value of the service (or driver) executable.

Type:

int

image_path

path of the service (or driver) executable.

Type:

str

name

name of the service (or driver).

Type:

str

object_name

service object name.

Type:

str

service_dll

service DLL.

Type:

str

service_type

service (or driver) type.

Type:

int

start_type

service (or driver) start type.

Type:

int

CONTAINER_TYPE = 'windows_service_configuration'
SCHEMA = {'error_control': 'int', 'image_path': 'str', 'name': 'str', 'object_name': 'str', 'service_dll': 'str', 'service_type': 'int', 'start_type': 'int'}
__init__(name=None, service_type=None, start_type=None)[source]

Initializes a Windows service (or driver) configuration artifact.

Parameters:
  • name (Optional[str]) – name of the service (or driver).

  • service_type (Optional[int]) – service (or driver) type.

  • start_type (Optional[int]) – service (or driver) start type.

class plaso.containers.artifacts.WindowsWevtTemplateEvent(*args: Any, **kwargs: Any)[source]

Bases: ArtifactAttributeContainer

Windows WEVT_TEMPLATE event definition.

identifier

event identifier.

Type:

int

message_identifier

identifier of the event message.

Type:

int

provider_identifier

identifier of the EventLog provider, contains a GUID.

Type:

str

version

event version.

Type:

int

CONTAINER_TYPE = 'windows_wevt_template_event'
GetMessageFileIdentifier()[source]

Retrieves the identifier of the associated message file.

Returns:

message file identifier or None when not set.

Return type:

AttributeContainerIdentifier

SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'identifier': 'int', 'message_identifier': 'int', 'provider_identifier': 'str', 'version': 'int'}
SetMessageFileIdentifier(message_file_identifier)[source]

Sets the identifier of the associated message file.

Parameters:

message_file_identifier (AttributeContainerIdentifier) – message file identifier.

__init__(identifier=None, message_identifier=None, provider_identifier=None, version=None)[source]

Initializes a Windows WEVT_TEMPLATE event definition artifact.

Parameters:
  • identifier (Optional[int]) – event identifier.

  • message_identifier (Optional[int]) – identifier of the event message.

  • provider_identifier (Optional[str]) – identifier of the EventLog provider, contains a GUID.

  • version (Optional[int]) – event version.

plaso.containers.counts module

Count related attribute container definitions.

class plaso.containers.counts.EventLabelCount(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event label count attribute container.

label

event label.

Type:

str

number_of_events

number of events with label.

Type:

int

CONTAINER_TYPE = 'event_label_count'
SCHEMA = {'label': 'str', 'number_of_events': 'int'}
__init__(label=None, number_of_events=None)[source]

Initializes an event label count attribute container.

Parameters:
  • label (Optional[str]) – event label.

  • number_of_events (Optional[int]) – number of events with label.

class plaso.containers.counts.ParserCount(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Parser count attribute container.

name

name of the parser or parser plugin.

Type:

str

number_of_events

number of events generated by the parser or parser plugin.

Type:

int

CONTAINER_TYPE = 'parser_count'
SCHEMA = {'name': 'str', 'number_of_events': 'int'}
__init__(name=None, number_of_events=None)[source]

Initializes a parser count attribute container.

Parameters:
  • name (Optional[str]) – name of the parser or parser plugin.

  • number_of_events (Optional[int]) – number of events generated by the parser or parser plugin.

plaso.containers.event_sources module

Event source attribute containers.

class plaso.containers.event_sources.EventSource(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates, for example a file, the $STANDARD_INFORMATION MFT attribute, or the Application Compatibility cache.

data_type

attribute container type indicator.

Type:

str

file_entry_type

dfVFS file entry type.

Type:

str

path_spec

path specification.

Type:

dfvfs.PathSpec

CONTAINER_TYPE = 'event_source'
DATA_TYPE = None
SCHEMA = {'data_type': 'str', 'file_entry_type': 'str', 'path_spec': 'dfvfs.PathSpec'}
__init__(file_entry_type=None, path_spec=None)[source]

Initializes an event source.

Parameters:
  • file_entry_type (Optional[str]) – dfVFS file entry type.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification.

__lt__(other)[source]

Compares if the event source attribute container is less than the other.

Parameters:

other (EventSource) – event source attribute container to compare to.

Returns:

True if the event source attribute container is less than the other.

Return type:

bool

class plaso.containers.event_sources.FileEntryEventSource(*args: Any, **kwargs: Any)[source]

Bases: EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = 'file_entry'

plaso.containers.events module

Event attribute containers.

plaso.containers.events.CalculateEventValuesHash(event_data, event_data_stream)[source]

Calculates a digest hash of the event values.

Parameters:
  • event_data (EventData) – event data.

  • event_data_stream (EventDataStream) – an event data stream or None if not available.

Returns:

digest hash of the event values content.

Return type:

str

Raises:

RuntimeError – if the event values hash cannot be determined.

class plaso.containers.events.EventData(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event data attribute container.

The event data attribute container represents the attributes of an entity, such as a database record or log line.

data_type

event data type indicator.

Type:

str

CONTAINER_TYPE = 'event_data'
GetAttributeValuesString()[source]

Retrieves a comparable string of the attribute values.

Returns:

comparable string of the attribute values.

Return type:

str

Raises:

TypeError – if the attribute value type is not supported.

GetEventDataStreamIdentifier()[source]

Retrieves the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Returns:

event data stream identifier or None when not set.

Return type:

AttributeContainerIdentifier

SetEventDataStreamIdentifier(event_data_stream_identifier)[source]

Sets the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Parameters:

event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.

__init__(data_type=None)[source]

Initializes an event data attribute container.

Parameters:

data_type (Optional[str]) – event data type indicator.
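
A simplified analogue of CalculateEventValuesHash together with EventData.GetAttributeValuesString, added here as an example and not plaso's own implementation. It assumes that the comparable string is built from the public attributes sorted by name (storage-specific identifiers such as the event data stream identifier are excluded), that only None, bool, int, str and lists of those are supported, and that the data stream's path is folded into the digest; the digest algorithm (SHA-256) and the EventDataStream stand-in with a plain string path_spec are also assumptions. The hash is what makes two extractions of the same record collapse to one value while the same record in two different files stays distinct.

```python
import hashlib
from typing import List, Optional, Tuple


class EventData(object):
  """Event data with a comparable string of its public attribute values."""

  CONTAINER_TYPE = 'event_data'

  def __init__(self, data_type=None):
    self.data_type = data_type
    # Storage-specific identifier: not part of the event values (assumption).
    self._event_data_stream_identifier = None

  @staticmethod
  def _ValueToString(value) -> str:
    """Formats one supported scalar; raises TypeError otherwise."""
    if value is None or isinstance(value, (bool, int, str)):
      return repr(value)
    raise TypeError('unsupported attribute value type: {0!s}'.format(type(value)))

  def GetAttributeValuesString(self) -> str:
    """Comparable string of the public attributes, sorted by name."""
    parts = []
    for name, value in sorted(self.__dict__.items()):
      if name.startswith('_'):
        continue
      if isinstance(value, list):
        value = ', '.join(self._ValueToString(item) for item in value)
      else:
        value = self._ValueToString(value)
      parts.append('{0:s}: {1:s}'.format(name, value))
    return '; '.join(parts)

  def GetEventDataStreamIdentifier(self):
    return self._event_data_stream_identifier

  def SetEventDataStreamIdentifier(self, event_data_stream_identifier):
    self._event_data_stream_identifier = event_data_stream_identifier


class EventDataStream(object):
  """Stand-in data stream; plaso uses a dfvfs.PathSpec, a string is used here."""

  def __init__(self, path_spec=None, sha256_hash=None):
    self.path_spec = path_spec
    self.sha256_hash = sha256_hash


def CalculateEventValuesHash(
    event_data: EventData, event_data_stream: Optional[EventDataStream]) -> str:
  """Digest of the event values content, or RuntimeError if it cannot be built."""
  try:
    values_string = event_data.GetAttributeValuesString()
  except TypeError as exception:
    raise RuntimeError(
        'unable to determine event values hash: {0!s}'.format(exception))
  stream_string = ''
  if event_data_stream is not None:
    stream_string = event_data_stream.path_spec or ''
  digest = hashlib.sha256()
  digest.update(values_string.encode('utf-8'))
  digest.update(b'\x00')  # separator so values and stream cannot run together
  digest.update(stream_string.encode('utf-8'))
  return digest.hexdigest()


def DeduplicateEventValues(
    event_values: List[Tuple[EventData, Optional[EventDataStream]]]):
  """Keeps the first (event_data, event_data_stream) pair per distinct hash."""
  seen_hashes = set()
  unique = []
  for event_data, event_data_stream in event_values:
    values_hash = CalculateEventValuesHash(event_data, event_data_stream)
    if values_hash in seen_hashes:
      continue
    seen_hashes.add(values_hash)
    unique.append((event_data, event_data_stream))
  return unique
```

Attribute order in the object does not affect the digest because the comparable string sorts by name, and an unsupported value type surfaces as RuntimeError from CalculateEventValuesHash rather than as a silently different hash.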

class plaso.containers.events.EventDataStream(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event data stream attribute container.

The event data stream attribute container represents the attributes of a data stream, such as the content of a file or extended attribute.

file_entropy

byte entropy value of the data stream.

Type:

str

md5_hash

MD5 digest hash of the data stream.

Type:

str

path_spec

path specification of the data stream.

Type:

dfvfs.PathSpec

sha1_hash

SHA-1 digest hash of the data stream.

Type:

str

sha256_hash

SHA-256 digest hash of the data stream.

Type:

str

yara_match

names of the Yara rules that matched the data stream.

Type:

list[str]

CONTAINER_TYPE = 'event_data_stream'
SCHEMA = {'file_entropy': 'str', 'md5_hash': 'str', 'path_spec': 'dfvfs.PathSpec', 'sha1_hash': 'str', 'sha256_hash': 'str', 'yara_match': 'List[str]'}
__init__()[source]

Initializes an event data stream attribute container.

class plaso.containers.events.EventObject(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

date_time

date and time values.

Type:

dfdatetime.DateTimeValues

timestamp

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

timestamp_desc

description of the meaning of the timestamp.

Type:

str

CONTAINER_TYPE = 'event'
GetEventDataIdentifier()[source]

Retrieves the identifier of the associated event data.

The event data identifier is a storage specific value that requires special handling during serialization.

Returns:

event data identifier or None when not set.

Return type:

AttributeContainerIdentifier

SCHEMA = {'_event_data_identifier': 'AttributeContainerIdentifier', 'date_time': 'dfdatetime.DateTimeValues', 'timestamp': 'int', 'timestamp_desc': 'str'}
SetEventDataIdentifier(event_data_identifier)[source]

Sets the identifier of the associated event data.

The event data identifier is a storage specific value that requires special handling during serialization.

Parameters:

event_data_identifier (AttributeContainerIdentifier) – event data identifier.

__init__()[source]

Initializes an event attribute container.

__lt__(other)[source]

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters:

other (EventObject) – event attribute container to compare to.

Returns:

True if the event attribute container is less than the other.

Return type:

bool

class plaso.containers.events.EventTag(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Event tag attribute container.

labels

labels, such as “malware”, “application_execution”.

Type:

list[str]

AddLabel(label)[source]

Adds a label to the event tag.

Parameters:

label (str) – label.

Raises:
  • TypeError – if the label provided is not a string.

  • ValueError – if a label is malformed.

AddLabels(labels)[source]

Adds labels to the event tag.

Parameters:

labels (list[str]) – labels.

Raises:

ValueError – if a label is malformed.

CONTAINER_TYPE = 'event_tag'
classmethod CopyTextToLabel(text, prefix='')[source]

Copies a string to a label.

A label only supports a limited set of characters therefore unsupported characters are replaced with an underscore.

Parameters:
  • text (str) – label text.

  • prefix (Optional[str]) – label prefix.

Returns:

label.

Return type:

str

GetEventIdentifier()[source]

Retrieves the identifier of the associated event.

The event identifier is a storage specific value that requires special handling during serialization.

Returns:

event identifier or None when not set.

Return type:

AttributeContainerIdentifier

SCHEMA = {'_event_identifier': 'AttributeContainerIdentifier', 'labels': 'List[str]'}
SetEventIdentifier(event_identifier)[source]

Sets the identifier of the associated event.

The event identifier is a storage specific value that requires special handling during serialization.

Parameters:

event_identifier (AttributeContainerIdentifier) – event identifier.

__init__()[source]

Initializes an event tag attribute container.
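
Label normalization and validation as documented for EventTag, as an added example that is not plaso's own code. The character set of a valid label ([A-Za-z0-9_]) is an assumption, since the page only says that a label "supports a limited set of characters"; the helper that builds a tag from Yara rule names is hypothetical and shows why an analysis plugin would route free-form text through CopyTextToLabel before AddLabel.

```python
import re
from typing import List


class EventTag(object):
  """Event tag accepting only labels made of letters, digits and underscores."""

  # Assumption: this is the limited character set a label supports.
  _INVALID_LABEL_CHARACTERS_REGEX = re.compile(r'[^A-Za-z0-9_]')
  _VALID_LABEL_REGEX = re.compile(r'^[A-Za-z0-9_]+$')

  def __init__(self):
    self.labels = []
    self._event_identifier = None

  @classmethod
  def CopyTextToLabel(cls, text, prefix=''):
    """Copies a string to a label, replacing unsupported characters with '_'."""
    text = '{0:s}{1:s}'.format(prefix, text)
    return cls._INVALID_LABEL_CHARACTERS_REGEX.sub('_', text)

  def AddLabel(self, label):
    """Adds a label; TypeError for non-strings, ValueError when malformed."""
    if not isinstance(label, str):
      raise TypeError('label is not a string: {0!r}'.format(label))
    if not self._VALID_LABEL_REGEX.match(label):
      raise ValueError('unsupported label: "{0:s}"'.format(label))
    if label not in self.labels:
      self.labels.append(label)

  def AddLabels(self, labels):
    """Adds labels, validating all of them before the tag is modified."""
    for label in labels:
      if not isinstance(label, str) or not self._VALID_LABEL_REGEX.match(label):
        raise ValueError('unsupported label: {0!r}'.format(label))
    for label in labels:
      self.AddLabel(label)

  def GetEventIdentifier(self):
    return self._event_identifier

  def SetEventIdentifier(self, event_identifier):
    self._event_identifier = event_identifier


def TagFromYaraMatches(yara_match: List[str]) -> EventTag:
  """Hypothetical helper: builds a tag from Yara rule names (constructed input).

  Rule names may contain spaces or punctuation, so each one is normalized with
  CopyTextToLabel; duplicates collapse because AddLabel ignores repeats.
  """
  event_tag = EventTag()
  for rule_name in yara_match:
    event_tag.AddLabel(EventTag.CopyTextToLabel(rule_name, prefix='yara_'))
  return event_tag
```

AddLabels validates the whole list first, so a malformed entry leaves the tag untouched rather than half-applied; an empty string is rejected as well, because the valid-label pattern requires at least one character.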

class plaso.containers.events.YearLessLogHelper(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Year-less log helper attribute container.

earliest_year

earliest possible year the event data stream was created.

Type:

int

last_relative_year

last relative year determined by the year-less log helper.

Type:

int

latest_year

latest possible year the event data stream was created.

Type:

int

CONTAINER_TYPE = 'year_less_log_helper'
GetEventDataStreamIdentifier()[source]

Retrieves the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Returns:

event data stream identifier or None when not set.

Return type:

AttributeContainerIdentifier

SCHEMA = {'_event_data_stream_identifier': 'AttributeContainerIdentifier', 'earliest_year': 'int', 'last_relative_year': 'int', 'latest_year': 'int'}
SetEventDataStreamIdentifier(event_data_stream_identifier)[source]

Sets the identifier of the associated event data stream.

The event data stream identifier is a storage specific value that requires special handling during serialization.

Parameters:

event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.

__init__()[source]

Initializes a year-less log helper attribute container.

plaso.containers.plist_event module

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Plist event data attribute container.

key

name of plist key.

Type:

str

root

path from the root to this plist key.

Type:

str

written_time

entry written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'plist:key'
__init__()[source]

Initializes event data.

plaso.containers.reports module

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Analysis report attribute container.

analysis_counter

counter of analysis results, for example number of events analyzed and tagged.

Type:

collections.Counter

event_filter

event filter expression that was used when the analysis plugin was run.

Type:

str

plugin_name

name of the analysis plugin that generated the report.

Type:

str

text

report text.

Type:

str

time_compiled

timestamp of the date and time the report was compiled.

Type:

int

CONTAINER_TYPE = 'analysis_report'
CopyToDict()[source]

Copies the attribute container to a dictionary.

Returns:

attribute values per name.

Return type:

dict[str, object]

__init__(plugin_name=None, text=None)[source]

Initializes the analysis report.

Parameters:
  • plugin_name (Optional[str]) – name of the analysis plugin that generated the report.

  • text (Optional[str]) – report text.

plaso.containers.sessions module

Session related attribute container definitions.

class plaso.containers.sessions.Session(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Session attribute container.

aborted

True if the session was aborted.

Type:

bool

artifact_filters

Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type:

list[str]

command_line_arguments

command line arguments.

Type:

str

completion_time

time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

debug_mode

True if debug mode was enabled.

Type:

bool

enabled_parser_names

parser and parser plugin names that were enabled.

Type:

list[str]

filter_file

path to a file with find specifications.

Type:

str

identifier

unique identifier of the session.

Type:

str

parser_filter_expression

parser filter expression.

Type:

str

preferred_codepage

preferred codepage.

Type:

str

preferred_encoding

preferred encoding.

Type:

str

preferred_language

preferred language.

Type:

str

preferred_time_zone

preferred time zone.

Type:

str

preferred_year

preferred year.

Type:

int

product_name

name of the product that created the session, for example “log2timeline”.

Type:

str

product_version

version of the product that created the session.

Type:

str

start_time

time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

CONTAINER_TYPE = 'session'
SCHEMA = {'aborted': 'bool', 'artifact_filters': 'List[str]', 'command_line_arguments': 'str', 'completion_time': 'int', 'debug_mode': 'bool', 'enabled_parser_names': 'List[str]', 'file_entropy': 'str', 'filter_file': 'str', 'identifier': 'str', 'parser_filter_expression': 'str', 'preferred_codepage': 'str', 'preferred_encoding': 'str', 'preferred_language': 'str', 'preferred_time_zone': 'str', 'preferred_year': 'int', 'product_name': 'str', 'product_version': 'str', 'start_time': 'int'}
__init__()[source]

Initializes a session attribute container.

plaso.containers.tasks module

Task attribute container definition.

class plaso.containers.tasks.Task(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Task attribute container.

A task describes a piece of work for a multi-processing worker process, for example a task to process a path specification or to analyze an event.

aborted

True if the task was aborted.

Type:

bool

completion_time

time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

file_entry_type

dfVFS type of the file entry the path specification is referencing.

Type:

str

has_retry

True if the task was previously abandoned and a retry task was created, False otherwise.

Type:

bool

identifier

unique identifier of the task.

Type:

str

last_processing_time

the last time the task was marked as being processed as number of milliseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

merge_priority

priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

Type:

int

path_spec

path specification.

Type:

dfvfs.PathSpec

session_identifier

the identifier of the session the task is part of.

Type:

str

start_time

time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type:

int

storage_file_size

size of the storage file in bytes.

Type:

int

storage_format

the format the task results are to be stored in.

Type:

str

CONTAINER_TYPE = 'task'
CreateRetryTask()[source]

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns:

a task to retry a previously abandoned task.

Return type:

Task

SCHEMA = {'aborted': 'bool', 'completion_time': 'int', 'file_entry_type': 'str', 'has_retry': 'bool', 'identifier': 'str', 'last_processing_time': 'int', 'merge_priority': 'int', 'path_spec': 'dfvfs.PathSpec', 'session_identifier': 'str', 'start_time': 'int', 'storage_file_size': 'int', 'storage_format': 'str'}
UpdateProcessingTime()[source]

Updates the processing time to now.

__init__(session_identifier=None)[source]

Initializes a task attribute container.

Parameters:

session_identifier (Optional[str]) – identifier of the session the task is part of.

__lt__(other)[source]

Compares if the task attribute container is less than the other.

Parameters:

other (Task) – task attribute container to compare to.

Returns:

True if the task attribute container is less than the other.

Return type:

bool

plaso.containers.warnings module

Warning attribute containers.

class plaso.containers.warnings.AnalysisWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Analysis warning attribute container.

Analysis warnings are produced by analysis plugins when they encounter situations that should be brought to the users’ attention but are not analysis results.

message

warning message.

Type:

str

plugin_name

name of the analysis plugin to which the warning applies.

Type:

str

CONTAINER_TYPE = 'analysis_warning'
SCHEMA = {'message': 'str', 'plugin_name': 'str'}
__init__(message=None, plugin_name=None)[source]

Initializes an analysis warning.

Parameters:
  • message (Optional[str]) – warning message.

  • plugin_name (Optional[str]) – name of the analysis plugin to which the warning applies.

class plaso.containers.warnings.ExtractionWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Extraction warning attribute container.

Extraction warnings are produced by parsers/plugins when they encounter situations that should be brought to the users’ attention but are not event data derived from the data being processed.

message

warning message.

Type:

str

parser_chain

parser chain to which the warning applies.

Type:

str

path_spec

path specification of the file entry to which the warning applies.

Type:

dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_warning'
SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
__init__(message=None, parser_chain=None, path_spec=None)[source]

Initializes an extraction warning.

Parameters:
  • message (Optional[str]) – warning message.

  • parser_chain (Optional[str]) – parser chain to which the warning applies.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.

class plaso.containers.warnings.PreprocessingWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Preprocessing warning attribute container.

Preprocessing warnings are produced by preprocessing plugins when they encounter situations that should be brought to the users’ attention but are not preprocessing results.

message

warning message.

Type:

str

path_spec

path specification of the file entry to which the warning applies.

Type:

dfvfs.PathSpec

plugin_name

name of the preprocessing plugin to which the warning applies.

Type:

str

CONTAINER_TYPE = 'preprocessing_warning'
SCHEMA = {'message': 'str', 'path_spec': 'dfvfs.PathSpec', 'plugin_name': 'str'}
__init__(message=None, path_spec=None, plugin_name=None)[source]

Initializes a preprocessing warning.

Parameters:
  • message (Optional[str]) – warning message.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.

  • plugin_name (Optional[str]) – name of the preprocessing plugin to which the warning applies.

class plaso.containers.warnings.RecoveryWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Recovery warning attribute container.

Recovery warnings are warnings encountered during recovery. They are typically produced by parsers/plugins when they are unable to recover event data.

message

warning message.

Type:

str

parser_chain

parser chain to which the warning applies.

Type:

str

path_spec

path specification of the file entry to which the warning applies.

Type:

dfvfs.PathSpec

CONTAINER_TYPE = 'recovery_warning'
SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
__init__(message=None, parser_chain=None, path_spec=None)[source]

Initializes a recovery warning.

Parameters:
  • message (Optional[str]) – warning message.

  • parser_chain (Optional[str]) – parser chain to which the warning applies.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.

class plaso.containers.warnings.TimeliningWarning(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Timelining warning attribute container.

Timelining warnings are produced by the timeliner when it encounters situations that should be brought to the users’ attention but are not events derived from the event data being processed.

message

warning message.

Type:

str

parser_chain

parser chain to which the warning applies.

Type:

str

path_spec

path specification of the file entry to which the warning applies.

Type:

dfvfs.PathSpec

CONTAINER_TYPE = 'timelining_warning'
SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
__init__(message=None, parser_chain=None, path_spec=None)[source]

Initializes a timelining warning.

Parameters:
  • message (Optional[str]) – warning message.

  • parser_chain (Optional[str]) – parser chain to which the warning applies.

  • path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.

plaso.containers.windows_events module

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows distributed link event data attribute container.

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

mac_address

MAC address stored in the UUID.

Type:

str

origin

origin of the event (event source), for example the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.

Type:

str

uuid

UUID.

Type:

str

DATA_TYPE = 'windows:distributed_link_tracking:creation'
__init__(uuid, origin)[source]

Initializes an event object.

Parameters:
  • uuid (uuid.UUID) – UUID.

  • origin (str) – origin of the event (event source), for example the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.

Raises:

ValueError – if the UUID version is not supported.
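As an added illustration of what the uuid attribute carries and why the constructor rejects unsupported versions (this is not plaso's code; decode_uuid_v1, make_uuid_v1 and the sample UUID are constructed here): a version 1 UUID is decoded into its creation timestamp and node field, and the multicast bit check flags node values that were randomly generated rather than taken from a network adapter, so a MAC address is only reported when it can actually be attributed to hardware.

```python
"""Facts embedded in a version 1 UUID (added illustration, not plaso's code).

NTFS $OBJECT_ID and LNK distributed link tracking identifiers are version 1
UUIDs: a 60-bit timestamp in 100 ns intervals since 1582-10-15 and a 48-bit
node field that normally holds the MAC address of the creating host.
"""
import datetime
import uuid

# Offset between the UUID epoch (1582-10-15) and the Unix epoch, in 100 ns.
_UUID_EPOCH_OFFSET = 0x01B21DD213814000
_UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def decode_uuid_v1(value):
    """Returns (creation_time, mac_address, is_random_node) for a v1 UUID.
    Raises ValueError when the version is not 1, as the constructor documents.
    """
    uuid_object = uuid.UUID(str(value))
    if uuid_object.version != 1:
        raise ValueError(f'unsupported UUID version: {uuid_object.version}')
    # uuid.UUID.time is the 60-bit timestamp; convert to microseconds since 1970.
    microseconds = (uuid_object.time - _UUID_EPOCH_OFFSET) // 10
    creation_time = _UNIX_EPOCH + datetime.timedelta(microseconds=microseconds)
    octets = [(uuid_object.node >> shift) & 0xFF for shift in range(40, -1, -8)]
    # RFC 4122: a node with the multicast bit set was randomly generated, so it
    # must not be attributed to a physical network adapter of the host.
    is_random_node = bool(octets[0] & 0x01)
    mac_address = ':'.join(f'{octet:02x}' for octet in octets)
    return creation_time, mac_address, is_random_node


def make_uuid_v1(creation_time, node, clock_seq=0):
    """Builds a version 1 UUID; used here only to construct sample input."""
    ticks = (creation_time - _UNIX_EPOCH) // datetime.timedelta(microseconds=1)
    timestamp = ticks * 10 + _UUID_EPOCH_OFFSET
    fields = (timestamp & 0xFFFFFFFF, (timestamp >> 32) & 0xFFFF,
              (timestamp >> 48) & 0x0FFF, (clock_seq >> 8) & 0x3F,
              clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields, version=1)


# Constructed sample: an object identifier created by a host whose adapter
# has MAC address 00:11:22:33:44:55.
SAMPLE_TIME = datetime.datetime(2020, 1, 1, 12, 30, 45, 123456,
                                tzinfo=datetime.timezone.utc)
SAMPLE_UUID = make_uuid_v1(SAMPLE_TIME, 0x001122334455, clock_seq=0x1234)
```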

class plaso.containers.windows_events.WindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Registry event data attribute container.

key_path

Windows Registry key path.

Type:

str

last_written_time

key last written date and time.

Type:

dfdatetime.DateTimeValues

values

name, data type and data of the values in the key.

Type:

list[tuple[str, str, str]]

DATA_TYPE = 'windows:registry:key_value'
__init__()[source]

Initializes event data.

class plaso.containers.windows_events.WindowsShellItemFileEntryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows shell item file entry event data attribute container.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

creation_time

file entry creation date and time.

Type:

dfdatetime.DateTimeValues

file_reference

NTFS file reference, in the format: “MFT entry - sequence number”.

Type:

str

localized_name

localized name of the file entry shell item.

Type:

str

long_name

long name of the file entry shell item.

Type:

str

modification_time

file entry last modification date and time.

Type:

dfdatetime.DateTimeValues

name

name of the file entry shell item.

Type:

str

origin

origin of the event.

Type:

str

shell_item_path

shell item path.

Type:

str

DATA_TYPE = 'windows:shell_item:file_entry'
__init__()[source]

Initializes event data.

class plaso.containers.windows_events.WindowsVolumeEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows volume event data attribute container.

creation_time

volume creation date and time.

Type:

dfdatetime.DateTimeValues

device_path

volume device path.

Type:

str

origin

origin of the event (event source), for example the corresponding Prefetch file name.

Type:

str

serial_number

volume serial number.

Type:

str

DATA_TYPE = 'windows:volume:creation'
__init__()[source]

Initializes event data.

Module contents

This file imports Python modules that register attribute container types.