plaso.filters package

Submodules

plaso.filters.dynamic_filter module

The dynamic event object filter.

class plaso.filters.dynamic_filter.DynamicFilter[source]

Bases: plaso.filters.event_filter.EventObjectFilter

Event filter that supports selective output fields.

This filter is essentially the same as the event object filter except it wraps it in a selection of which fields should be included by an output module that supports selective fields, e.g.

SELECT field_a, field_b WHERE attribute contains ‘text’

Will use the event object filter “attribute contains ‘text’” and at the same time indicate to the appropriate output module that the user wants only the fields field_a and field_b to be used in the output.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains an object filter expression extended with selective field selection.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
fields

list[str] – output fields.

limit

int – row limit.

separator

str – output field separator.

class plaso.filters.dynamic_filter.SelectiveLexer(data=u'')[source]

Bases: plaso.lib.lexer.Lexer

Selective filter lexer implementation.

The selective (or dynamic) filter allow to construct filter expressions like:

SELECT field_a, field_b WHERE attribute contains ‘text’
SetFields(match, **unused_kwargs)[source]

Sets the output fields.

The output fields is the part of the filter expression directly following the SELECT statement.

Parameters:match (re.MatchObject) – a match that contains the output field names.
SetFilter(match, **unused_kwargs)[source]

Set the filter query.

The filter query is the part of the filter expression directly following the WHERE statement.

Parameters:match (re.MatchObject) – a match that contains the filter query.
SetLimit(match, **unused_kwargs)[source]

Sets the row limit.

Parameters:match (re.MatchObject) – a match that contains the row limit.
SetSeparator(match, **unused_kwargs)[source]

Sets the output field separator.

Parameters:match (re.MatchObject) – a match contains the output field separate. Note that only the first character is used.
tokens = [<plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>]

plaso.filters.event_filter module

The event filter.

class plaso.filters.event_filter.EventObjectFilter[source]

Bases: plaso.filters.interface.FilterObject

Event filter.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains an object filter expression.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event matches the filter.

Parameters:event (EventObject) – an event.
Returns:True if the event matches the filter.
Return type:bool

plaso.filters.file_entry module

File entry filters.

class plaso.filters.file_entry.DateTimeFileEntryFilter[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Date and time-based file entry filter.

AddDateTimeRange(time_value, start_time_string=None, end_time_string=None)[source]

Adds a date time filter range.

The time strings are formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:## Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.

Parameters:
  • time_value (str) – time value, such as, atime, ctime, crtime, dtime, bkup and mtime.
  • start_time_string (str) – start date and time value string.
  • end_time_string (str) – end date and time value string.
Raises:

ValueError – If the filter is badly formed.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:
True if the file entry matches the filter, False if not or
None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Extensions-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:
True if the file entry matches the filter, False if not or
None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilter[source]

Bases: object

File entry filter interface.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:
True if the file entry matches the filter, False if not or
None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilterCollection[source]

Bases: object

Collection of file entry filters.

AddFilter(file_entry_filter)[source]

Adds a file entry filter to the collection.

Parameters:file_entry_filter (FileEntryFilter) – file entry filter.
HasFilters()[source]

Determines if filters are defined.

Returns:True if filters are defined.
Return type:bool
Matches(file_entry)[source]

Compares the file entry against the filter collection.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:
True if the file entry matches one of the filters. If no filters
are provided or applicable the result will be True.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.NamesFileEntryFilter(names)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Names-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:True if the file entry matches the filter.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers)[source]

Bases: plaso.filters.file_entry.FileEntryFilter

Signature-based file entry filter.

Matches(file_entry)[source]

Compares the file entry against the filter.

Parameters:file_entry (dfvfs.FileEntry) – file entry to compare.
Returns:
True if the file entry matches the filter, False if not or
None if the filter does not apply.
Return type:bool
Print(output_writer)[source]

Prints a human readable version of the filter.

Parameters:output_writer (CLIOutputWriter) – output writer.

plaso.filters.filter_list module

List of object-filters.

class plaso.filters.filter_list.ObjectFilterList[source]

Bases: plaso.filters.interface.FilterObject

A list of object-filters with additional metadata.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

The filter expression contains the name of a YAML file.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event object matches the filter.

Parameters:event (EventObject) – event.
Returns:True if the filter matched.
Return type:bool

plaso.filters.interface module

Filter interface.

class plaso.filters.interface.FilterObject[source]

Bases: object

Filter object interface.

CompileFilter(filter_expression)[source]

Compiles the filter expression.

Parameters:filter_expression (str) – filter expression.
Raises:WrongPlugin – if the filter could not be compiled.
Match(event)[source]

Determines if an event matches the filter.

Parameters:event (EventObject) – event.
Returns:True if the there is a match.
Return type:bool
fields

list[str] – name of the fields.

filter_expression

object – compiled filter expression or None.

filter_name

str – name of the filter.

limit

int – row limit.

separator

str – output field separator.

plaso.filters.manager module

This file contains the event filters manager class.

class plaso.filters.manager.FiltersManager[source]

Bases: object

Filters manager.

classmethod DeregisterFilter(filter_class)[source]

Deregisters a filter class.

The filter classes are identified based on their lower case filter name.

Parameters:filter_class (type) – class object of the filter.
Raises:KeyError – if filter class is not set for the corresponding filter name.
classmethod GetFilterObject(filter_expression)[source]

Creates instances of specific filters.

Parameters:filter_expression (str) – filter expression.
Returns:
the first filter found matching the filter string or
None if no corresponding filter is available.
Return type:FilterObject
classmethod GetFilterObjects()[source]

Creates instances of the available filters.

Returns:available filters.
Return type:list[FilterObject]
classmethod RegisterFilter(filter_class)[source]

Registers a filter class.

The filter classes are identified based on their lower case filter name.

Parameters:filter_class (type) – class object of the filter.
Raises:KeyError – if filter class is already set for the corresponding filter name.
classmethod RegisterFilters(filter_classes)[source]

Registers filter classes.

The filter classes are identified based on their lower case filter name.

Parameters:filter_classes (list[type]) – class objects of the filters.
Raises:KeyError – if filter class is already set for the corresponding filter name.

plaso.filters.path_filter module

A scan tree-based path filter implementation.

The scan tree is a tree based on multiple paths that contains the path segments per node. The most significant path segment is at the root and therefore compared first. More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals #scanning-tree-based-signature-scanning

The scan tree is used in the filter to filter provided paths.

class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator=u'/')[source]

Bases: object

Class that implements a path filter scan tree.

CheckPath(path, path_segment_separator=None)[source]

Checks if a path matches the scan tree-based path filter.

Parameters:
  • path – a string containing the path.
  • path_segment_separator – optional string containing the path segment separator. None defaults to the path segment separator that was set when the path filter scan tree was initialized.
Returns:

A boolean indicating if the path matches the filter.

class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)[source]

Bases: object

Class that implements a path filter scan tree node.

The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.

default_value

the default scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.

parent

the parent path filter scan tree node or None.

path_segment_index

an integer containing the path segment index represented by the node.

AddPathSegment(path_segment, scan_object)[source]

Adds a path segment.

Parameters:
  • path_segment – a string containing the path segment.
  • scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.
Raises:

ValueError – if the node already contains a scan object for the path segment.

GetScanObject(path_segment)[source]

Retrieves the scan object for a specific path segment.

Parameters:path_segment – a string containing the path segment.
Returns:A scan object, which can be a scan tree sub node (instance of PathFilterScanTreeNode), a path or the default value.
SetDefaultValue(scan_object)[source]

Sets the default (non-match) value.

Parameters:

scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.

Raises:
  • TypeError – if the scan object is of an unsupported type.
  • ValueError – if the default value is already set.
ToDebugString(indentation_level=1)[source]

Converts the path filter scan tree node into a debug string.

Parameters:indentation_level – an integer containing the text indentation level.
Returns:A string containing a debug representation of the path filter scan tree node.
path_segments

A list of strings containing the path segments.

Module contents

This file imports Python modules that register filters.