plaso.containers package
Submodules
plaso.containers.analysis_results module
Analysis result attribute containers.
- class plaso.containers.analysis_results.BrowserSearchAnalysisResult(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Browser search analysis plugin result container.
- number_of_queries
number of times the search engine was queried.
- Type:
int
- search_engine
search engine that was queried.
- Type:
str
- search_term
term searched for.
- Type:
str
- CONTAINER_TYPE = 'browser_search_analysis_result'
- SCHEMA = {'number_of_queries': 'int', 'search_engine': 'str', 'search_term': 'str'}
- __init__(number_of_queries=None, search_engine=None, search_term=None)[source]
Initializes a browser search analysis plugin result container.
- Parameters:
number_of_queries (Optional[int]) – number of times the search engine was queried.
search_engine (Optional[str]) – search engine that was queried.
search_term (Optional[str]) – term searched for.
- class plaso.containers.analysis_results.ChromeExtensionAnalysisResult(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Chrome extension analysis plugin result container.
- extension
name of the Chrome extension.
- Type:
str
- extension_identifier
identifier of the Chrome extension.
- Type:
str
- username
name of a user that has installed the Chrome extension.
- Type:
str
- CONTAINER_TYPE = 'chrome_extension_analysis_result'
- SCHEMA = {'extension': 'str', 'extension_identifier': 'str', 'username': 'str'}
- __init__(extension=None, extension_identifier=None, username=None)[source]
Initializes a Chrome extension analysis plugin result container.
- Parameters:
extension (Optional[str]) – name of the Chrome extension.
extension_identifier (Optional[str]) – identifier of the Chrome extension.
username (Optional[str]) – name of a user that has installed the Chrome extension.
plaso.containers.analyzer_result module
Analyzer result attribute container.
- class plaso.containers.analyzer_result.AnalyzerResult(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Attribute container to store results of analyzers.
Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.
- analyzer_name
name of the analyzer that produces the result.
- Type:
str
- attribute_name
name of the attribute produced.
- Type:
str
- attribute_value
value of the attribute produced.
- Type:
str
- CONTAINER_TYPE = 'analyzer_result'
plaso.containers.artifacts module
Artifact attribute containers.
- class plaso.containers.artifacts.ArtifactAttributeContainer(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Base class to represent an artifact attribute container.
- class plaso.containers.artifacts.EnvironmentVariableArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Environment variable artifact attribute container.
- case_sensitive
True if environment variable name is case sensitive.
- Type:
bool
- name
environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.
- Type:
str
- value
environment variable value such as “C:\Windows” or “/home/user”.
- Type:
str
- CONTAINER_TYPE = 'environment_variable'
- SCHEMA = {'case_sensitive': 'bool', 'name': 'str', 'value': 'str'}
- __init__(case_sensitive=True, name=None, value=None)[source]
Initializes an environment variable artifact.
- Parameters:
case_sensitive (Optional[bool]) – True if environment variable name is case sensitive.
name (Optional[str]) – environment variable name.
value (Optional[str]) – environment variable value.
- class plaso.containers.artifacts.HostnameArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Hostname artifact attribute container.
- Also see:
https://en.wikipedia.org/wiki/Hostname Cybox / Stix Hostname Object
- name
name of the host according to the naming schema.
- Type:
str
- schema
naming schema such as “DNS”, “NIS”, “SMB/NetBIOS”.
- Type:
str
- CONTAINER_TYPE = 'hostname'
- SCHEMA = {'name': 'str', 'schema': 'str'}
- class plaso.containers.artifacts.OperatingSystemArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Operating system artifact attribute container.
- family
operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
- Type:
str
- name
operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
- Type:
str
- product
product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.
- Type:
str
- version
version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.
- Type:
str
- CONTAINER_TYPE = 'operating_system'
- IsEquivalent(other)[source]
Determines if 2 operating system artifacts are equivalent.
This function compares the operating systems in order of:
- name derived from product
- family and version
- family
- Parameters:
other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.
- Returns:
True if the operating systems are considered equivalent, False if the most specific criteria do not match, or no criteria are available.
- Return type:
bool
- SCHEMA = {'family': 'str', 'name': 'str', 'product': 'str', 'version': 'str'}
- __init__(family=None, product=None, version=None)[source]
Initializes an operating system artifact.
- Parameters:
family (Optional[str]) – operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
product (Optional[str]) – product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.
version (Optional[str]) – version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.
- property version_tuple
version tuple or None if version is not set or invalid.
- Type:
Tuple[int]
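The IsEquivalent docstring above spells out a comparison order (name derived from product, then family and version, then family only) and version_tuple promises None for an unset or invalid version. The following stand-alone class is an added illustration of exactly that contract; it is not plaso's own code. The product-to-name mapping, the use of re.fullmatch to decide what counts as a valid version string, and the rule that a side without a derived name falls through to the next criterion are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

# Constructed product-to-name mapping, an assumption for this example: the
# "name derived from product" step needs some way to normalize a product
# string (obtained from source data) to one of the predefined names.
_NAME_PER_PRODUCT = {
    'macos mojave': 'macOS Mojave',
    'windows professional xp': 'Windows XP',
    'windows xp': 'Windows XP',
}


class OperatingSystemArtifact:
  """Stand-in for plaso.containers.artifacts.OperatingSystemArtifact."""

  def __init__(self, family=None, product=None, version=None):
    self.family = family
    self.product = product
    self.version = version
    # Derive the predefined name from the product string, if it is known.
    self.name = _NAME_PER_PRODUCT.get(product.lower()) if product else None

  @property
  def version_tuple(self) -> Optional[Tuple[int, ...]]:
    """Version tuple or None if version is not set or invalid."""
    if not self.version or not re.fullmatch(r'\d+(\.\d+)*', self.version):
      return None
    return tuple(int(part) for part in self.version.split('.'))

  def IsEquivalent(self, other) -> bool:
    """Compares in order: name derived from product, family and version, family."""
    # Most specific criterion: both sides have a name derived from product.
    if self.name and other.name:
      return self.name == other.name
    # Next: family and version, when both sides carry a parseable version.
    if (self.family and other.family and
        self.version_tuple is not None and other.version_tuple is not None):
      return (self.family == other.family and
              self.version_tuple == other.version_tuple)
    # Least specific: family only.
    if self.family and other.family:
      return self.family == other.family
    # No criteria available on one or both sides.
    return False


if __name__ == '__main__':
  source_os = OperatingSystemArtifact(
      family='Windows', product='Windows Professional XP', version='5.1')
  preset_os = OperatingSystemArtifact(family='Windows', product='Windows XP')
  print(source_os.name, source_os.version_tuple, source_os.IsEquivalent(preset_os))
```

Note that comparing the parsed tuples rather than the raw strings is what makes “5.1” and “5.1.0”-style inputs behave sensibly, and that an unparseable version simply drops the comparison down to the family-only criterion instead of raising.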
- class plaso.containers.artifacts.PathArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Path artifact attribute container.
- data_stream
name of a data stream.
- Type:
str
- path_segment_separator
path segment separator.
- Type:
str
- path_segments
path segments.
- Type:
list[str]
- CONTAINER_TYPE = 'path'
- ContainedIn(other)[source]
Determines if the path is contained in other.
- Parameters:
other (str) – path to compare against.
- Returns:
True if the path is contained in other.
- Return type:
bool
- SCHEMA = {'data_stream': 'str', 'path_segment_separator': 'str', 'path_segments': 'List[str]'}
- __eq__(other)[source]
Determines if the path is equal to other.
- Parameters:
other (str) – path to compare against.
- Returns:
True if the path is equal to other.
- Return type:
bool
- __ge__(other)[source]
Determines if the path is greater than or equal to other.
- Parameters:
other (str) – path to compare against.
- Returns:
True if the path is greater than or equal to other.
- Return type:
bool
- Raises:
ValueError – if other is not an instance of string.
- __gt__(other)[source]
Determines if the path is greater than other.
- Parameters:
other (str) – path to compare against.
- Returns:
True if the path is greater than other.
- Return type:
bool
- Raises:
ValueError – if other is not an instance of string.
- __init__(data_stream=None, path=None, path_segment_separator='/')[source]
Initializes a path artifact.
- Parameters:
data_stream (Optional[str]) – name of a data stream.
path (Optional[str]) – a path.
path_segment_separator (Optional[str]) – path segment separator.
- __le__(other)[source]
Determines if the path is less than or equal to other.
- Parameters:
other (str) – path to compare against.
- Returns:
True if the path is less than or equal to other.
- Return type:
bool
- Raises:
ValueError – if other is not an instance of string.
- class plaso.containers.artifacts.SourceConfigurationArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Source configuration artifact attribute container.
The source configuration contains the configuration data of a source that is (or is going to be) processed, such as a storage media image or a mounted directory.
- path
path of the source.
- Type:
str
- source_type
type of source.
- Type:
str
- CONTAINER_TYPE = 'source_configuration'
- SCHEMA = {'path': 'str', 'source_type': 'str'}
- class plaso.containers.artifacts.SystemConfigurationArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
System configuration artifact attribute container.
The system configuration contains the configuration data of a specific system installation such as Windows or Linux.
- available_time_zones
available time zones.
- Type:
list[TimeZone]
- code_page
system code page.
- Type:
str
- environment_variables
environment variables.
- Type:
- hostname
hostname.
- Type:
- keyboard_layout
keyboard layout.
- Type:
str
- language
system language.
- Type:
str
- operating_system
operating system for example “MacOS” or “Windows”.
- Type:
str
- operating_system_product
operating system product for example “Windows XP”.
- Type:
str
- operating_system_version
operating system version for example “10.9.2” or “8.1”.
- Type:
str
- path_specs
path specifications of the file systems the system configuration was retrieved from.
- Type:
list[dfvfs.PathSpec]
- time_zone
system time zone.
- Type:
str
- user_accounts
user accounts.
- Type:
list[UserAccountArtifact]
- CONTAINER_TYPE = 'system_configuration'
- class plaso.containers.artifacts.TimeZoneArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Time zone artifact attribute container.
- localized_name
name describing the time zone in localized language for example “Greenwich (standaardtijd)”.
- Type:
str
- mui_form
MUI form of the name describing the time zone for example “@tzres.dll,-112”.
- Type:
str
- name
name describing the time zone for example “Greenwich Standard Time”.
- Type:
str
- offset
time zone offset in number of minutes from UTC.
- Type:
int
- CONTAINER_TYPE = 'time_zone'
- SCHEMA = {'localized_name': 'str', 'mui_form': 'str', 'name': 'str', 'offset': 'int'}
- __init__(localized_name=None, mui_form=None, name=None, offset=None)[source]
Initializes a time zone artifact.
- Parameters:
localized_name (Optional[str]) – name describing the time zone in localized language for example “Greenwich (standaardtijd)”.
mui_form (Optional[str]) – MUI form of the name describing the time zone for example “@tzres.dll,-112”.
name (Optional[str]) – name describing the time zone for example “Greenwich Standard Time”.
offset (Optional[int]) – time zone offset in number of minutes from UTC.
- class plaso.containers.artifacts.UserAccountArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
User account artifact attribute container.
- Also see:
Cybox / Stix User Account Object
- full_name
name describing the user.
- Type:
str
- group_identifier
identifier of the primary group the user is part of.
- Type:
str
- identifier
user identifier.
- Type:
str
- user_directory
path of the user (or home or profile) directory.
- Type:
str
- username
name uniquely identifying the user.
- Type:
str
- CONTAINER_TYPE = 'user_account'
- GetUserDirectoryPathSegments()[source]
Retrieves the path segments of the user directory.
- Returns:
path segments of the user directory or an empty list if no user directory is set.
- Return type:
list[str]
- SCHEMA = {'full_name': 'str', 'group_identifier': 'str', 'identifier': 'str', 'user_directory': 'str', 'username': 'str'}
- __init__(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)[source]
Initializes a user account artifact.
- Parameters:
full_name (Optional[str]) – name describing the user.
group_identifier (Optional[str]) – identifier of the primary group the user is part of.
identifier (Optional[str]) – user identifier.
path_separator (Optional[str]) – path segment separator.
user_directory (Optional[str]) – path of the user (or home or profile) directory.
username (Optional[str]) – name uniquely identifying the user.
- class plaso.containers.artifacts.WindowsEventLogMessageFileArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows EventLog message file artifact attribute container.
- path
path.
- Type:
str
- windows_path
path as defined by the Windows EventLog provider.
- Type:
str
- CONTAINER_TYPE = 'windows_eventlog_message_file'
- SCHEMA = {'path': 'str', 'windows_path': 'str'}
- class plaso.containers.artifacts.WindowsEventLogMessageStringArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows EventLog message string artifact attribute container.
- language_identifier
language identifier.
- Type:
str
- message_identifier
message identifier.
- Type:
int
- string
string.
- Type:
str
- CONTAINER_TYPE = 'windows_eventlog_message_string'
- GetMessageFileIdentifier()[source]
Retrieves the identifier of the associated message file.
- Returns:
message file identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'language_identifier': 'int', 'message_identifier': 'int', 'string': 'str'}
- class plaso.containers.artifacts.WindowsEventLogProviderArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows EventLog provider artifact attribute container.
- additional_identifier
additional identifier of the provider, contains a GUID.
- Type:
str
- category_message_files
filenames of the category message files.
- Type:
list[str]
- event_message_files
filenames of the event message files.
- Type:
list[str]
- identifier
identifier of the provider, contains a GUID.
- Type:
str
- log_sources
names of the corresponding Event Log sources.
- Type:
list[str]
- log_types
Windows Event Log types.
- Type:
list[str]
- parameter_message_files
filenames of the parameter message files.
- Type:
list[str]
- CONTAINER_TYPE = 'windows_eventlog_provider'
- SCHEMA = {'_system_configuration_identifier': 'AttributeContainerIdentifier', 'additional_identifier': 'str', 'category_message_files': 'List[str]', 'event_message_files': 'List[str]', 'identifier': 'str', 'log_sources': 'List[str]', 'log_types': 'List[str]', 'parameter_message_files': 'List[str]'}
- __init__(category_message_files=None, event_message_files=None, identifier=None, log_source=None, log_type=None, parameter_message_files=None)[source]
Initializes a Windows EventLog provider artifact.
- Parameters:
category_message_files (Optional[list[str]]) – filenames of the category message files.
event_message_files (Optional[list[str]]) – filenames of the event message files.
identifier (Optional[str]) – identifier of the provider, contains a GUID.
log_source (Optional[str]) – name of the Windows EventLog source.
log_type (Optional[str]) – Windows EventLog type.
parameter_message_files (Optional[list[str]]) – filenames of the parameter message files.
- class plaso.containers.artifacts.WindowsMountedDeviceArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows mounted device artifact attribute container.
- device
device.
- Type:
str
- disk_identity
MBR disk identity.
- Type:
int
- identifier
identifier.
- Type:
str
- partition_identifier
GPT partition identifier.
- Type:
str
- partition_offset
MBR partition offset.
- Type:
int
- CONTAINER_TYPE = 'windows_mounted_device'
- SCHEMA = {'device': 'str', 'disk_identity': 'int', 'identifier': 'str', 'partition_identifier': 'str', 'partition_offset': 'int'}
- class plaso.containers.artifacts.WindowsServiceConfigurationArtifact(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows service (or driver) configuration artifact attribute container.
- error_control
error control value of the service (or driver) executable.
- Type:
int
- image_path
path of the service (or driver) executable.
- Type:
str
- name
name of the service (or driver).
- Type:
str
- object_name
service object name.
- Type:
str
- service_dll
service DLL.
- Type:
str
- service_type
service (or driver) type.
- Type:
int
- start_type
service (or driver) start type.
- Type:
int
- CONTAINER_TYPE = 'windows_service_configuration'
- SCHEMA = {'error_control': 'int', 'image_path': 'str', 'name': 'str', 'object_name': 'str', 'service_dll': 'str', 'service_type': 'int', 'start_type': 'int'}
- __init__(name=None, service_type=None, start_type=None)[source]
Initializes a Windows service (or driver) configuration artifact.
- Parameters:
name (Optional[str]) – name of the service (or driver).
service_type (Optional[int]) – service (or driver) type.
start_type (Optional[int]) – service (or driver) start type.
- class plaso.containers.artifacts.WindowsWevtTemplateEvent(*args: Any, **kwargs: Any)[source]
Bases:
ArtifactAttributeContainer
Windows WEVT_TEMPLATE event definition.
- identifier
event identifier.
- Type:
int
- message_identifier
identifier of the event message.
- Type:
int
- provider_identifier
identifier of the EventLog provider, contains a GUID.
- Type:
str
- version
event version.
- Type:
int
- CONTAINER_TYPE = 'windows_wevt_template_event'
- GetMessageFileIdentifier()[source]
Retrieves the identifier of the associated message file.
- Returns:
message file identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'identifier': 'int', 'message_identifier': 'int', 'provider_identifier': 'str', 'version': 'int'}
- SetMessageFileIdentifier(message_file_identifier)[source]
Sets the identifier of the associated message file.
- Parameters:
message_file_identifier (AttributeContainerIdentifier) – message file identifier.
- __init__(identifier=None, message_identifier=None, provider_identifier=None, version=None)[source]
Initializes a Windows WEVT_TEMPLATE event definition artifact.
- Parameters:
identifier (Optional[int]) – event identifier.
message_identifier (Optional[int]) – identifier of the event message.
provider_identifier (Optional[str]) – identifier of the EventLog provider, contains a GUID.
version (Optional[int]) – event version.
plaso.containers.counts module
Count related attribute container definitions.
- class plaso.containers.counts.EventLabelCount(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event label count attribute container.
- label
event label.
- Type:
str
- number_of_events
number of events with label.
- Type:
int
- CONTAINER_TYPE = 'event_label_count'
- SCHEMA = {'label': 'str', 'number_of_events': 'int'}
- class plaso.containers.counts.ParserCount(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Parser count attribute container.
- name
name of the parser or parser plugin.
- Type:
str
- number_of_events
number of events generated by the parser or parser plugin.
- Type:
int
- CONTAINER_TYPE = 'parser_count'
- SCHEMA = {'name': 'str', 'number_of_events': 'int'}
plaso.containers.event_sources module
Event source attribute containers.
- class plaso.containers.event_sources.EventSource(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event source attribute container.
The event source object contains information about where a specific event originates, e.g. a file, the $STANDARD_INFORMATION MFT attribute, or the Application Compatibility cache.
- data_type
attribute container type indicator.
- Type:
str
- file_entry_type
dfVFS file entry type.
- Type:
str
- path_spec
path specification.
- Type:
dfvfs.PathSpec
- CONTAINER_TYPE = 'event_source'
- DATA_TYPE = None
- SCHEMA = {'data_type': 'str', 'file_entry_type': 'str', 'path_spec': 'dfvfs.PathSpec'}
- __init__(file_entry_type=None, path_spec=None)[source]
Initializes an event source.
- Parameters:
file_entry_type (Optional[str]) – dfVFS file entry type.
path_spec (Optional[dfvfs.PathSpec]) – path specification.
- __lt__(other)[source]
Compares if the event source attribute container is less than the other.
- Parameters:
other (EventSource) – event source attribute container to compare to.
- Returns:
True if the event source attribute container is less than the other.
- Return type:
bool
- class plaso.containers.event_sources.FileEntryEventSource(*args: Any, **kwargs: Any)[source]
Bases:
EventSource
File entry event source.
The file entry event source is an event source that represents a file within a file system.
- DATA_TYPE = 'file_entry'
plaso.containers.events module
Event attribute containers.
- plaso.containers.events.CalculateEventValuesHash(event_data, event_data_stream)[source]
Calculates a digest hash of the event values.
- Parameters:
event_data (EventData) – event data.
event_data_stream (EventDataStream) – an event data stream or None if not available.
- Returns:
digest hash of the event values content.
- Return type:
str
- Raises:
RuntimeError – if the event values hash cannot be determined.
- class plaso.containers.events.DateLessLogHelper(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Attribute container to assist with logs without full dates.
- earliest_date
earliest possible date the event data stream was created. The date is a tuple of year, month and day of month.
- Type:
list[int, int, int]
- granularity
granularity of the date-less log format.
- Type:
str
- last_relative_date
last relative date determined by the date-less log helper. The date is a tuple of year, month and day of month.
- Type:
list[int, int, int]
- latest_date
latest possible date the event data stream was created. The date is a tuple of year, month and day of month.
- Type:
List[int]
- CONTAINER_TYPE = 'date_less_log_helper'
- CopyFromYearLessLogHelper(year_less_log_helper)[source]
Copy the values of a year-less log helper.
- Parameters:
year_less_log_helper (YearLessLogHelper) – year-less log helper.
- GRANULARITY_NO_DATE = 'd'
- GRANULARITY_NO_YEAR = 'y'
- GetEarliestDate()[source]
Retrieves the earliest date adjusted to the granularity.
- Returns:
earliest date as tuple of year, month and day of month or None if not available.
- Return type:
tuple[int, int, int]
- GetEventDataStreamIdentifier()[source]
Retrieves the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Returns:
event data stream or None when not set.
- Return type:
AttributeContainerIdentifier
- GetLastRelativeDate()[source]
Retrieves the last relative date adjusted to the granularity.
- Returns:
last relative date as tuple of year, month and day of month or None if not available.
- Return type:
tuple[int, int, int]
- GetLatestDate()[source]
Retrieves the latest date adjusted to the granularity.
- Returns:
latest date as tuple of year, month and day of month or None if not available.
- Return type:
tuple[int, int, int]
- SCHEMA = {'_event_data_stream_identifier': 'AttributeContainerIdentifier', 'earliest_date': 'List[int]', 'granularity': 'str', 'last_relative_date': 'List[int]', 'latest_date': 'List[int]'}
- SetEventDataStreamIdentifier(event_data_stream_identifier)[source]
Sets the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Parameters:
event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.
- class plaso.containers.events.EventData(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event data attribute container.
The event data attribute container represents the attributes of an entity, such as a database record or log line.
- data_type
event data type indicator.
- Type:
str
- CONTAINER_TYPE = 'event_data'
- GetAttributeValuesString()[source]
Retrieves a comparable string of the attribute values.
- Returns:
comparable string of the attribute values.
- Return type:
str
- Raises:
TypeError – if the attribute value type is not supported.
- GetEventDataStreamIdentifier()[source]
Retrieves the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Returns:
event data stream or None when not set.
- Return type:
AttributeContainerIdentifier
- SetEventDataStreamIdentifier(event_data_stream_identifier)[source]
Sets the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Parameters:
event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.
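GetAttributeValuesString above, together with CalculateEventValuesHash earlier in this module, describes a comparable string of an event data container's values and a digest over it, which is what lets the storage layer recognise duplicate event data. The following is an added, stand-alone illustration of that idea and is not plaso's code. The sorted-by-name ordering, the exclusion of the _event_data_stream_identifier storage attribute, the choice of SHA-256, and the plain-string path_spec on the EventDataStream stand-in (instead of a dfvfs.PathSpec) are all assumptions made for this example.

```python
import hashlib
import json


class EventDataStream:
  """Stand-in for plaso.containers.events.EventDataStream (two attributes)."""

  CONTAINER_TYPE = 'event_data_stream'

  def __init__(self, path_spec=None, sha256_hash=None):
    # path_spec is a plain string here instead of a dfvfs.PathSpec (assumption).
    self.path_spec = path_spec
    self.sha256_hash = sha256_hash


class EventData:
  """Stand-in for plaso.containers.events.EventData."""

  CONTAINER_TYPE = 'event_data'

  # Storage-position attributes are not event content and are left out of the
  # comparable string (an assumption made for this example).
  _NOT_CONTENT = frozenset(['_event_data_stream_identifier'])

  def __init__(self, data_type=None, **attributes):
    self.data_type = data_type
    for name, value in attributes.items():
      setattr(self, name, value)

  def GetAttributeValuesString(self):
    """Retrieves a comparable string of the attribute values.

    Attributes are emitted in sorted name order so that two containers with the
    same values produce the same string regardless of how they were built.

    Raises:
      TypeError: if an attribute value type is not supported.
    """
    parts = []
    for name, value in sorted(self.__dict__.items()):
      if name in self._NOT_CONTENT or value is None:
        continue
      if isinstance(value, (bool, int, str)):
        parts.append('{0:s}: {1!s}'.format(name, value))
      elif isinstance(value, bytes):
        parts.append('{0:s}: {1:s}'.format(name, value.hex()))
      elif isinstance(value, (list, tuple)):
        parts.append('{0:s}: {1:s}'.format(name, json.dumps(list(value))))
      else:
        raise TypeError('Unsupported attribute value type: {0!s}'.format(
            type(value)))
    return ', '.join(parts)


def CalculateEventValuesHash(event_data, event_data_stream):
  """Calculates a digest hash of the event values.

  In this example the data stream path is mixed into the digest so that
  identical records found in two different files (for example a log and its
  rotated copy) keep distinct hashes.

  Raises:
    RuntimeError: if the event values hash cannot be determined.
  """
  attribute_values_string = event_data.GetAttributeValuesString()
  if not attribute_values_string:
    raise RuntimeError('Unable to determine event values hash: no values.')
  if event_data_stream is not None and event_data_stream.path_spec:
    attribute_values_string = '{0:s}, path_spec: {1:s}'.format(
        attribute_values_string, event_data_stream.path_spec)
  return hashlib.sha256(attribute_values_string.encode('utf-8')).hexdigest()


if __name__ == '__main__':
  # Constructed sample input: the same log line parsed twice.
  stream = EventDataStream(path_spec='OS:/var/log/auth.log')
  first = EventData(data_type='syslog:line', body='session opened', pid=4242)
  second = EventData(data_type='syslog:line', pid=4242, body='session opened')
  print(CalculateEventValuesHash(first, stream) ==
        CalculateEventValuesHash(second, stream))
```

The point to take from the example is that the comparable string must be canonical (sorted names, normalised value rendering) and must reject value types it cannot render deterministically; otherwise the digest silently stops being a reliable identity for the event data.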
- class plaso.containers.events.EventDataStream(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event data stream attribute container.
The event data stream attribute container represents the attributes of a data stream, such as the content of a file or extended attribute.
- file_entropy
byte entropy value of the data stream.
- Type:
str
- md5_hash
MD5 digest hash of the data stream.
- Type:
str
- path_spec
path specification of the data stream.
- Type:
dfvfs.PathSpec
- sha1_hash
SHA-1 digest hash of the data stream.
- Type:
str
- sha256_hash
SHA-256 digest hash of the data stream.
- Type:
str
- yara_match
names of the Yara rules that matched the data stream.
- Type:
list[str]
- CONTAINER_TYPE = 'event_data_stream'
- SCHEMA = {'file_entropy': 'str', 'md5_hash': 'str', 'path_spec': 'dfvfs.PathSpec', 'sha1_hash': 'str', 'sha256_hash': 'str', 'yara_match': 'List[str]'}
- class plaso.containers.events.EventObject(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event attribute container.
The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.
- date_time
date and time values.
- Type:
dfdatetime.DateTimeValues
- timestamp
timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- timestamp_desc
description of the meaning of the timestamp.
- Type:
str
- CONTAINER_TYPE = 'event'
- GetEventDataIdentifier()[source]
Retrieves the identifier of the associated event data.
The event data identifier is a storage specific value that requires special handling during serialization.
- Returns:
event data identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_event_data_identifier': 'AttributeContainerIdentifier', 'date_time': 'dfdatetime.DateTimeValues', 'timestamp': 'int', 'timestamp_desc': 'str'}
- SetEventDataIdentifier(event_data_identifier)[source]
Sets the identifier of the associated event data.
The event data identifier is a storage specific value that requires special handling during serialization.
- Parameters:
event_data_identifier (AttributeContainerIdentifier) – event data identifier.
- __lt__(other)[source]
Compares if the event attribute container is less than the other.
Events are compared by timestamp.
- Parameters:
other (EventObject) – event attribute container to compare to.
- Returns:
True if the event attribute container is less than the other.
- Return type:
bool
- class plaso.containers.events.EventTag(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Event tag attribute container.
- labels
labels, such as “malware”, “application_execution”.
- Type:
list[str]
- AddLabel(label)[source]
Adds a label to the event tag.
- Parameters:
label (str) – label.
- Raises:
TypeError – if the label provided is not a string.
ValueError – if a label is malformed.
- AddLabels(labels)[source]
Adds labels to the event tag.
- Parameters:
labels (list[str]) – labels.
- Raises:
ValueError – if a label is malformed.
- CONTAINER_TYPE = 'event_tag'
- classmethod CopyTextToLabel(text, prefix='')[source]
Copies a string to a label.
A label only supports a limited set of characters, therefore unsupported characters are replaced with an underscore.
- Parameters:
text (str) – label text.
prefix (Optional[str]) – label prefix.
- Returns:
label.
- Return type:
str
- GetEventIdentifier()[source]
Retrieves the identifier of the associated event.
The event identifier is a storage specific value that requires special handling during serialization.
- Returns:
event identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_event_identifier': 'AttributeContainerIdentifier', 'labels': 'List[str]'}
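CopyTextToLabel, AddLabel and AddLabels above together define how free-form text becomes a label and which inputs are rejected. The following stand-alone class is an added illustration of those rules and is not plaso's code. The permitted character set (letters, digits and underscore) is an assumption, since the page says only that the set is limited; keeping the label list free of duplicates is a further choice made for this example. The TagFromRuleNames helper is hypothetical and shows the pattern with Yara rule names, which EventDataStream records as yara_match.

```python
import re

# Assumed permitted character set for a label (letters, digits, underscore);
# the page says only that the set is limited, not what it contains.
_VALID_LABEL = re.compile(r'^[A-Za-z0-9_]+$')
_INVALID_LABEL_CHARACTER = re.compile(r'[^A-Za-z0-9_]')


class EventTag:
  """Stand-in for plaso.containers.events.EventTag (labels only)."""

  CONTAINER_TYPE = 'event_tag'

  def __init__(self):
    self.labels = []

  @classmethod
  def CopyTextToLabel(cls, text, prefix=''):
    """Copies a string to a label, replacing unsupported characters with '_'."""
    return _INVALID_LABEL_CHARACTER.sub('_', prefix + text)

  def AddLabel(self, label):
    """Adds a label, raising TypeError or ValueError as documented."""
    if not isinstance(label, str):
      raise TypeError('label is not a string type.')
    if not _VALID_LABEL.match(label):
      raise ValueError('unsupported characters in label: "{0:s}"'.format(label))
    # Keeping labels unique is a choice made for this example.
    if label not in self.labels:
      self.labels.append(label)

  def AddLabels(self, labels):
    """Adds labels to the event tag, validating each one."""
    for label in labels:
      self.AddLabel(label)


def TagFromRuleNames(rule_names, prefix='yara_'):
  """Hypothetical helper: builds an event tag from free-form rule names."""
  event_tag = EventTag()
  event_tag.AddLabels(
      [EventTag.CopyTextToLabel(name, prefix=prefix) for name in rule_names])
  return event_tag


if __name__ == '__main__':
  # Constructed sample input: rule names with spaces and punctuation.
  print(TagFromRuleNames(['APT Dropper v1.2', 'APT_Dropper_v1_2']).labels)
```

Sanitising through CopyTextToLabel before AddLabel is the intended path for text that comes from source data; AddLabel itself stays strict, so a caller that skips the sanitiser gets a ValueError rather than a silently mangled tag.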
- class plaso.containers.events.YearLessLogHelper(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Year-less log helper attribute container.
- earliest_year
earliest possible year the event data stream was created.
- Type:
int
- last_relative_year
last relative year determined by the year-less log helper.
- Type:
int
- latest_year
latest possible year the event data stream was created.
- Type:
int
- CONTAINER_TYPE = 'year_less_log_helper'
- GetEventDataStreamIdentifier()[source]
Retrieves the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Returns:
event data stream or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_event_data_stream_identifier': 'AttributeContainerIdentifier', 'earliest_year': 'int', 'last_relative_year': 'int', 'latest_year': 'int'}
- SetEventDataStreamIdentifier(event_data_stream_identifier)[source]
Sets the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that requires special handling during serialization.
- Parameters:
event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.
plaso.containers.plist_event module
Plist event attribute containers.
- class plaso.containers.plist_event.PlistTimeEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Plist event data attribute container.
- key
name of plist key.
- Type:
str
- root
path from the root to this plist key.
- Type:
str
- written_time
entry written date and time.
- Type:
dfdatetime.DateTimeValues
- DATA_TYPE = 'plist:key'
plaso.containers.reports module
Report related attribute container definitions.
- class plaso.containers.reports.AnalysisReport(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Analysis report attribute container.
- analysis_counter
counter of analysis results, for example number of events analyzed and tagged.
- Type:
collections.Counter
- event_filter
event filter expression that was used when the analysis plugin was run.
- Type:
str
- plugin_name
name of the analysis plugin that generated the report.
- Type:
str
- text
report text.
- Type:
str
- time_compiled
timestamp of the date and time the report was compiled.
- Type:
int
- CONTAINER_TYPE = 'analysis_report'
plaso.containers.sessions module
Session related attribute container definitions.
- class plaso.containers.sessions.Session(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Session attribute container.
- aborted
True if the session was aborted.
- Type:
bool
- artifact_filters
Names of artifact definitions that are used for filtering file system and Windows Registry key paths.
- Type:
list[str]
- command_line_arguments
command line arguments.
- Type:
str
- completion_time
time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- debug_mode
True if debug mode was enabled.
- Type:
bool
- enabled_parser_names
parser and parser plugin names that were enabled.
- Type:
list[str]
- filter_file
path to a file with find specifications.
- Type:
str
- identifier
unique identifier of the session.
- Type:
str
- parser_filter_expression
parser filter expression.
- Type:
str
- preferred_codepage
preferred codepage.
- Type:
str
- preferred_encoding
preferred encoding.
- Type:
str
- preferred_language
preferred language.
- Type:
str
- preferred_time_zone
preferred time zone.
- Type:
str
- preferred_year
preferred year.
- Type:
int
- product_name
name of the product that created the session, for example “log2timeline”.
- Type:
str
- product_version
version of the product that created the session.
- Type:
str
- start_time
time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- CONTAINER_TYPE = 'session'
- SCHEMA = {'aborted': 'bool', 'artifact_filters': 'List[str]', 'command_line_arguments': 'str', 'completion_time': 'int', 'debug_mode': 'bool', 'enabled_parser_names': 'List[str]', 'file_entropy': 'str', 'filter_file': 'str', 'identifier': 'str', 'parser_filter_expression': 'str', 'preferred_codepage': 'str', 'preferred_encoding': 'str', 'preferred_language': 'str', 'preferred_time_zone': 'str', 'preferred_year': 'int', 'product_name': 'str', 'product_version': 'str', 'start_time': 'int'}
plaso.containers.tasks module
Task attribute container definition.
- class plaso.containers.tasks.Task(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Task attribute container.
A task describes a piece of work for a multiprocessing worker process, for example a task to process a path specification or to analyze an event.
- aborted
True if the task was aborted.
- Type:
bool
- completion_time
time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- file_entry_type
dfVFS type of the file entry the path specification is referencing.
- Type:
str
- has_retry
True if the task was previously abandoned and a retry task was created, False otherwise.
- Type:
bool
- identifier
unique identifier of the task.
- Type:
str
- last_processing_time
the last time the task was marked as being processed, as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- merge_priority
priority used for the task storage file merge, where a lower value indicates a higher priority to merge.
- Type:
int
- path_spec
path specification.
- Type:
dfvfs.PathSpec
- session_identifier
the identifier of the session the task is part of.
- Type:
str
- start_time
time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
- Type:
int
- storage_file_size
size of the storage file in bytes.
- Type:
int
- storage_format
the format the task results are to be stored in.
- Type:
str
- CONTAINER_TYPE = 'task'
- CreateRetryTask()[source]
Creates a new task to retry a previously abandoned task.
The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.
- Returns:
a task to retry a previously abandoned task.
- Return type:
- SCHEMA = {'aborted': 'bool', 'completion_time': 'int', 'file_entry_type': 'str', 'has_retry': 'bool', 'identifier': 'str', 'last_processing_time': 'int', 'merge_priority': 'int', 'path_spec': 'dfvfs.PathSpec', 'session_identifier': 'str', 'start_time': 'int', 'storage_file_size': 'int', 'storage_format': 'str'}
plaso.containers.warnings module
Warning attribute containers.
- class plaso.containers.warnings.AnalysisWarning(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Analysis warning attribute container.
Analysis warnings are produced by analysis plugins when they encounter situations that should be brought to the users’ attention but are not analysis results.
- message
warning message.
- Type:
str
- plugin_name
name of the analysis plugin to which the warning applies.
- Type:
str
- CONTAINER_TYPE = 'analysis_warning'
- SCHEMA = {'message': 'str', 'plugin_name': 'str'}
- class plaso.containers.warnings.ExtractionWarning(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Extraction warning attribute container.
Extraction warnings are produced by parsers/plugins when they encounter situations that should be brought to the users’ attention but are not event data derived from the data being processed.
- message
warning message.
- Type:
str
- parser_chain
parser chain to which the warning applies.
- Type:
str
- path_spec
path specification of the file entry to which the warning applies.
- Type:
dfvfs.PathSpec
- CONTAINER_TYPE = 'extraction_warning'
- SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
- __init__(message=None, parser_chain=None, path_spec=None)[source]
Initializes an extraction warning.
- Parameters:
message (Optional[str]) – warning message.
parser_chain (Optional[str]) – parser chain to which the warning applies.
path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.
- class plaso.containers.warnings.PreprocessingWarning(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Preprocessing warning attribute container.
Preprocessing warnings are produced by preprocessing plugins when they encounter situations that should be brought to the users’ attention but are not preprocessing results.
- message
warning message.
- Type:
str
- path_spec
path specification of the file entry to which the warning applies.
- Type:
dfvfs.PathSpec
- plugin_name
name of the preprocessing plugin to which the warning applies.
- Type:
str
- CONTAINER_TYPE = 'preprocessing_warning'
- SCHEMA = {'message': 'str', 'path_spec': 'dfvfs.PathSpec', 'plugin_name': 'str'}
- __init__(message=None, path_spec=None, plugin_name=None)[source]
Initializes a preprocessing warning.
- Parameters:
message (Optional[str]) – warning message.
path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.
plugin_name (Optional[str]) – name of the preprocessing plugin to which the warning applies.
- class plaso.containers.warnings.RecoveryWarning(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Recovery warning attribute container.
Recovery warnings are warnings encountered during recovery. They are typically produced by parsers/plugins when they are unable to recover event data.
- message
warning message.
- Type:
str
- parser_chain
parser chain to which the warning applies.
- Type:
str
- path_spec
path specification of the file entry to which the warning applies.
- Type:
dfvfs.PathSpec
- CONTAINER_TYPE = 'recovery_warning'
- SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
- __init__(message=None, parser_chain=None, path_spec=None)[source]
Initializes a recovery warning.
- Parameters:
message (Optional[str]) – warning message.
parser_chain (Optional[str]) – parser chain to which the warning applies.
path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.
- class plaso.containers.warnings.TimeliningWarning(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Timelining warning attribute container.
Timelining warnings are produced by the timeliner when it encounters situations that should be brought to the users’ attention but are not events derived from the event data being processed.
- message
warning message.
- Type:
str
- parser_chain
parser chain to which the warning applies.
- Type:
str
- path_spec
path specification of the file entry to which the warning applies.
- Type:
dfvfs.PathSpec
- CONTAINER_TYPE = 'timelining_warning'
- SCHEMA = {'message': 'str', 'parser_chain': 'str', 'path_spec': 'dfvfs.PathSpec'}
- __init__(message=None, parser_chain=None, path_spec=None)[source]
Initializes a timelining warning.
- Parameters:
message (Optional[str]) – warning message.
parser_chain (Optional[str]) – parser chain to which the warning applies.
path_spec (Optional[dfvfs.PathSpec]) – path specification of the file entry to which the warning applies.
plaso.containers.windows_events module
Windows event data attribute containers.
- class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Windows distributed link event data attribute container.
- creation_time
file entry creation date and time.
- Type:
dfdatetime.DateTimeValues
- mac_address
MAC address stored in the UUID.
- Type:
str
- origin
origin of the event (event source), for example the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.
- Type:
str
- uuid
UUID.
- Type:
str
- DATA_TYPE = 'windows:distributed_link_tracking:creation'
- __init__(uuid, origin)[source]
Initializes an event object.
- Parameters:
uuid (uuid.UUID) – UUID.
origin (str) – origin of the event (event source), for example the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.
- Raises:
ValueError – if the UUID version is not supported.
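The mac_address and creation_time attributes of this container come from the UUID itself: only a version 1 UUID embeds a 60-bit timestamp and a 48-bit node identifier, which is why other versions raise ValueError. The following is an added example, not plaso's own code, that recovers those two attributes with the standard library; the function name, the dict-shaped result, the origin parameter and the sample UUID are constructed here, and a stdlib datetime stands in for dfdatetime.DateTimeValues.

```python
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns intervals between the UUID epoch (1582-10-15) and the Unix epoch (RFC 4122).
UUID_TO_UNIX_EPOCH_100NS = 0x01B21DD213814000

# Constructed sample (not from a real image): a version 1 UUID whose node
# field is 00:50:56:2a:3b:4c and whose timestamp is 2021-01-01 00:00:00 UTC.
SAMPLE_UUID = '4a784000-4bc4-11eb-8000-0050562a3b4c'


def parse_link_tracking_uuid(value, origin=None):
    """Recovers mac_address and creation_time from a version 1 UUID.

    Args:
      value (str|uuid.UUID): object identifier, for example from an NTFS
          $OBJECT_ID attribute or the link tracking data of a LNK file.
      origin (Optional[str]): event source, carried through unchanged.

    Returns:
      dict[str, object]: uuid, origin, mac_address, creation_time (UTC) and
          node_is_random (True when the multicast bit marks a random node).

    Raises:
      ValueError: if the UUID version is not 1, the only version that embeds
          a timestamp and a node identifier.
    """
    if not isinstance(value, uuid.UUID):
        value = uuid.UUID(value)
    if value.version != 1:
        raise ValueError(f'unsupported UUID version: {value.version}')

    # 48-bit node field: the MAC of the generating host, unless the
    # RFC 4122 section 4.5 multicast bit says a random node was used.
    octets = [(value.node >> shift) & 0xFF for shift in range(40, -1, -8)]
    mac_address = ':'.join(f'{octet:02x}' for octet in octets)

    # uuid.UUID.time counts 100 ns intervals since 1582-10-15; rebase to the
    # Unix epoch and truncate to the microsecond resolution datetime offers.
    unix_100ns = value.time - UUID_TO_UNIX_EPOCH_100NS
    creation_time = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_100ns // 10)

    return {
        'uuid': str(value),
        'origin': origin,
        'mac_address': mac_address,
        'creation_time': creation_time,
        'node_is_random': bool(octets[0] & 0x01),
    }
```

When node_is_random is True the "MAC address" is not evidence of a physical interface and should not be used to tie the object to a host.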
- class plaso.containers.windows_events.WindowsRegistryEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Windows Registry event data attribute container.
- key_path
Windows Registry key path.
- Type:
str
- last_written_time
key last written date and time.
- Type:
dfdatetime.DateTimeValues
- values
name, data type and data of the values in the key.
- Type:
list[tuple[str, str, str]]
- DATA_TYPE = 'windows:registry:key_value'
- class plaso.containers.windows_events.WindowsShellItemFileEntryEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Windows shell item file entry event data attribute container.
- access_time
file entry last access date and time.
- Type:
dfdatetime.DateTimeValues
- creation_time
file entry creation date and time.
- Type:
dfdatetime.DateTimeValues
- file_reference
NTFS file reference, in the format: “MFT entry - sequence number”.
- Type:
str
- localized_name
localized name of the file entry shell item.
- Type:
str
- long_name
long name of the file entry shell item.
- Type:
str
- modification_time
file entry last modification date and time.
- Type:
dfdatetime.DateTimeValues
- name
name of the file entry shell item.
- Type:
str
- origin
origin of the event.
- Type:
str
- shell_item_path
shell item path.
- Type:
str
- DATA_TYPE = 'windows:shell_item:file_entry'
- class plaso.containers.windows_events.WindowsVolumeEventData(*args: Any, **kwargs: Any)[source]
Bases:
EventData
Windows volume event data attribute container.
- creation_time
volume creation date and time.
- Type:
dfdatetime.DateTimeValues
- device_path
volume device path.
- Type:
str
- origin
origin of the event (event source), for example the corresponding Prefetch file name.
- Type:
str
- serial_number
volume serial number.
- Type:
str
- DATA_TYPE = 'windows:volume:creation'
Module contents
This file imports Python modules that register attribute container types.