plaso.formatters package
Submodules
plaso.formatters.chrome module
Google Chrome history custom event formatter helpers.
- class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Google Chrome history typed count formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'chrome_history_typed_count'
plaso.formatters.chrome_preferences module
Google Chrome preferences custom event formatter helpers.
- class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Google Chrome preferences primary URL formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'chrome_preferences_primary_url'
- class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Google Chrome preferences secondary URL formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'chrome_preferences_secondary_url'
plaso.formatters.default module
The default event formatter.
- class plaso.formatters.default.DefaultEventFormatter[source]
Bases:
BasicEventFormatter
Formatter for events that do not have any defined formatter.
- DATA_TYPE = 'event'
- FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_values}'
- FORMAT_STRING_SHORT = '<DEFAULT> {attribute_values}'
plaso.formatters.file_system module
File system custom event formatter helpers.
- class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper[source]
Bases:
CustomEventFormatterHelper
NTFS file reference formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'ntfs_file_reference'
- class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper[source]
Bases:
CustomEventFormatterHelper
NTFS parent file reference formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'ntfs_parent_file_reference'
- class plaso.formatters.file_system.NTFSPathHintsFormatterHelper[source]
Bases:
CustomEventFormatterHelper
NTFS path hints formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'ntfs_path_hints'
plaso.formatters.firefox module
Mozilla Firefox history custom event formatter helpers.
- class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Mozilla Firefox history typed count formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'firefox_history_typed_count'
- class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Mozilla Firefox history URL hidden formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'firefox_history_url_hidden'
plaso.formatters.interface module
This file contains the event formatters interface classes.
The l2t_csv and other output formats depend on a message field, referred to as description_long and description_short in l2t_csv.
Plaso no longer stores these fields explicitly.
A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short fields.
- class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)[source]
Bases:
EventFormatter
Format event values using a message format string.
- custom_helpers
identifiers of custom event formatter helpers.
- Type:
list[str]
- helpers
event formatter helpers.
- Type:
list[EventFormatterHelper]
- GetFormatStringAttributeNames()[source]
Retrieves the attribute names in the format string.
- Returns:
attribute names.
- Return type:
set(str)
- GetMessage(event_values)[source]
Determines the message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
message.
- Return type:
str
- GetMessageShort(event_values)[source]
Determines the short message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
short message.
- Return type:
str
- __init__(data_type='basic', format_string=None, format_string_short=None)[source]
Initializes a basic event formatter.
The syntax of the format strings is similar to that of format(), where the placeholder for a certain event object attribute is defined as {attribute_name}.
- Parameters:
data_type (Optional[str]) – unique identifier for the event data supported by the formatter.
format_string (Optional[str]) – (long) message format string.
format_string_short (Optional[str]) – short message format string.
- class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]
Bases:
EventFormatterHelper
Helper for formatting boolean event data.
- input_attribute
name of the attribute that contains the boolean input value.
- Type:
str
- output_attribute
name of the attribute where the boolean output value should be stored.
- Type:
str
- value_if_false
output value if the boolean input value is False.
- Type:
str
- value_if_true
output value if the boolean input value is True.
- Type:
str
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- __init__(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)[source]
Initializes a helper for formatting boolean event data.
- Parameters:
input_attribute (Optional[str]) – name of the attribute that contains the boolean input value.
output_attribute (Optional[str]) – name of the attribute where the boolean output value should be stored.
value_if_false (str) – output value if the boolean input value is False.
value_if_true (str) – output value if the boolean input value is True.
- class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]
Bases:
EventFormatter
Conditionally format event values using format string pieces.
- GetFormatStringAttributeNames()[source]
Retrieves the attribute names in the format string.
- Returns:
attribute names.
- Return type:
set(str)
- GetMessage(event_values)[source]
Determines the message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
message.
- Return type:
str
- GetMessageShort(event_values)[source]
Determines the short message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
short message.
- Return type:
str
- __init__(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)[source]
Initializes a conditional event formatter.
The syntax of the format string pieces is similar to that of the basic event formatter (BasicEventFormatter). Every format string piece should contain at most one unique attribute name. Format string pieces without an attribute name are supported.
- Parameters:
data_type (Optional[str]) – unique identifier for the event data supported by the formatter.
format_string_pieces (Optional[list[str]]) – (long) message format string pieces.
format_string_separator (Optional[str]) – string by which separate format string pieces should be joined.
format_string_short_pieces (Optional[list[str]]) – short message format string pieces.
- class plaso.formatters.interface.CustomEventFormatterHelper[source]
Bases:
EventFormatterHelper
Base class for a helper for custom formatting of event data.
- DATA_TYPE = ''
- abstract FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = ''
- class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)[source]
Bases:
EventFormatterHelper
Helper for formatting enumeration event data.
- default
default value.
- Type:
str
- input_attribute
name of the attribute that contains the enumeration input value.
- Type:
str
- output_attribute
name of the attribute where the enumeration output value should be stored.
- Type:
str
- values
mapping of enumeration input and output values.
- Type:
dict[str, str]
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
If default value is None and there is no corresponding enumeration value then the original value is used.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- __init__(default=None, input_attribute=None, output_attribute=None, values=None)[source]
Initializes a helper for formatting enumeration event data.
- Parameters:
default (Optional[str]) – default value.
input_attribute (Optional[str]) – name of the attribute that contains the enumeration input value.
output_attribute (Optional[str]) – name of the attribute where the enumeration output value should be stored.
values (Optional[dict[str, str]]) – mapping of enumeration input and output values.
- class plaso.formatters.interface.EventFormatter(data_type='internal')[source]
Bases:
object
Base class to format event values.
- custom_helpers
identifiers of custom event formatter helpers.
- Type:
list[str]
- helpers
event formatter helpers.
- Type:
list[EventFormatterHelper]
- source_mapping
short and (long) source mapping.
- Type:
tuple[str, str]
- AddCustomHelper(identifier, input_attribute=None, output_attribute=None)[source]
Adds a custom event formatter helper.
- Parameters:
identifier (str) – identifier.
input_attribute (Optional[str]) – name of the attribute that contains the input value.
output_attribute (Optional[str]) – name of the attribute where the output value should be stored.
- AddHelper(helper)[source]
Adds an event formatter helper.
- Parameters:
helper (EventFormatterHelper) – event formatter helper to add.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- abstract GetFormatStringAttributeNames()[source]
Retrieves the attribute names in the format string.
- Returns:
attribute names.
- Return type:
set(str)
- abstract GetMessage(event_values)[source]
Determines the message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
message.
- Return type:
str
- abstract GetMessageShort(event_values)[source]
Determines the short message.
- Parameters:
event_values (dict[str, object]) – event values.
- Returns:
short message.
- Return type:
str
- __init__(data_type='internal')[source]
Initializes an event formatter.
- Parameters:
data_type (Optional[str]) – unique identifier for the event data supported by the formatter.
- property data_type
unique identifier for the event data supported by the formatter.
- Type:
str
- class plaso.formatters.interface.EventFormatterHelper[source]
Bases:
object
Base class of helper for formatting event data.
- abstract FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)[source]
Bases:
EventFormatterHelper
Helper for formatting flags event data.
- input_attribute
name of the attribute that contains the flags input value.
- Type:
str
- output_attribute
name of the attribute where the flags output value should be stored.
- Type:
str
- values
mapping of flags input and output values.
- Type:
dict[str, str]
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- __init__(input_attribute=None, output_attribute=None, values=None)[source]
Initializes a helper for formatting flags event data.
- Parameters:
input_attribute (Optional[str]) – name of the attribute that contains the flags input value.
output_attribute (Optional[str]) – name of the attribute where the flags output value should be stored.
values (Optional[dict[str, str]]) – mapping of flags input and output values.
plaso.formatters.logger module
The formatters sub module logger.
plaso.formatters.manager module
Manages custom event formatter helpers.
- class plaso.formatters.manager.FormattersManager[source]
Bases:
object
Custom event formatter helpers manager.
- classmethod GetEventFormatterHelper(identifier)[source]
Retrieves a custom event formatter helper.
- Parameters:
identifier (str) – identifier.
- Returns:
custom event formatter or None if not available.
- Return type:
- classmethod RegisterEventFormatterHelper(formatter_helper_class)[source]
Registers a custom event formatter helper.
The custom event formatter helpers are identified based on their lower case identifier.
- Parameters:
formatter_helper_class (type) – class of the custom event formatter helper.
- Raises:
KeyError – if a custom formatter helper is already set for the corresponding identifier.
- classmethod RegisterEventFormatterHelpers(formatter_helper_classes)[source]
Registers custom event formatter helpers.
The formatter classes are identified based on their lower case data type.
- Parameters:
formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.
- Raises:
KeyError – if a custom formatter helper is already set for the corresponding data type.
plaso.formatters.msiecf module
MSIE cache file custom event formatter helpers.
- class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper[source]
Bases:
CustomEventFormatterHelper
MSIE cache file cached path formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'msiecf_cached_path'
- class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper[source]
Bases:
CustomEventFormatterHelper
MSIE cache file HTTP headers formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'msiecf_http_headers'
plaso.formatters.shell_items module
Windows shell item custom event formatter helpers.
- class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows shell item file entry formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'shell_item_file_entry_name'
plaso.formatters.winevt module
Windows EventLog custom event formatter helpers.
- class plaso.formatters.winevt.WindowsEventLogMessageFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows EventLog message formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'windows_eventlog_message'
plaso.formatters.winlnk module
Windows Shortcut (LNK) custom event formatter helpers.
- class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows Shortcut (LNK) linked path formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'windows_shortcut_linked_path'
plaso.formatters.winprefetch module
Windows Prefetch custom event formatter helpers.
- class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows Prefetch path hints formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'windows_prefetch_path_hints'
- class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows Prefetch volumes string formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'windows_prefetch_volumes_string'
plaso.formatters.winreg module
Windows Registry custom event formatter helpers.
- class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper[source]
Bases:
CustomEventFormatterHelper
Windows Registry values formatter helper.
- FormatEventValues(output_mediator, event_values)[source]
Formats event values using the helper.
- Parameters:
output_mediator (OutputMediator) – output mediator.
event_values (dict[str, object]) – event values.
- IDENTIFIER = 'windows_registry_values'
plaso.formatters.yaml_formatters_file module
YAML-based formatters file.
- class plaso.formatters.yaml_formatters_file.YAMLFormattersFile[source]
Bases:
object
YAML-based formatters file.
A YAML-based formatters file contains one or more event formatter definitions. An event formatter definition consists of:

    type: 'conditional'
    data_type: 'fs:stat'
    message:
    - '{display_name}'
    - 'Type: {file_entry_type}'
    - '({unallocated})'
    short_message:
    - '(unknown)'
    short_source: 'FILE'
    source: 'File stat'

Where:
- type, defines the formatter data type, which can be "basic" or "conditional";
- data_type, defines the corresponding event data type;
- message, defines a list of message string pieces;
- separator, defines the message and short message string pieces separator;
- short_message, defines the short message string pieces;
- short_source, defines the short source description;
- source, defines the source description.
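The following is an added example, not plaso's own code, that re-implements the conditional formatting rules documented for ConditionalEventFormatter (one attribute per piece, pieces whose attribute is absent are dropped, remaining pieces joined by the separator) and builds the fs:stat formatter from the YAML definition above. The BooleanHelper class is a hypothetical stand-in for BooleanEventFormatterHelper, the output_mediator parameter is left out, the is_allocated helper and the sample events are constructed for this example, and the rule that a None value drops a piece is this example's reading of "conditional" rather than a statement about plaso internals.

```python
"""Added example: minimal conditional event formatter in the style of
plaso.formatters.interface, written for this page (not plaso's own code)."""
import string

_PARSER = string.Formatter()


def get_attribute_name(piece):
    """Returns the single attribute name in a format string piece, or None.

    Enforces the documented rule that a piece contains at most one unique
    attribute name; pieces without a placeholder are allowed.
    """
    names = {field for _, field, _, _ in _PARSER.parse(piece) if field}
    if len(names) > 1:
        raise ValueError('piece {0:s} references more than one attribute: {1!s}'.format(
            piece, sorted(names)))
    return names.pop() if names else None


class BooleanHelper:
    """Hypothetical stand-in for BooleanEventFormatterHelper (no output mediator)."""

    def __init__(self, input_attribute, output_attribute, value_if_false, value_if_true):
        self.input_attribute = input_attribute
        self.output_attribute = output_attribute
        self.value_if_false = value_if_false
        self.value_if_true = value_if_true

    def FormatEventValues(self, event_values):
        """Stores the text for the boolean input under the output attribute."""
        value = event_values.get(self.input_attribute)
        if value is None:
            return  # nothing to translate; the dependent piece will be dropped
        event_values[self.output_attribute] = (
            self.value_if_true if value else self.value_if_false)


class ConditionalFormatter:
    """Joins format string pieces, omitting pieces whose attribute is missing or None."""

    def __init__(self, data_type, message_pieces, short_message_pieces=None, separator=' '):
        self.data_type = data_type
        self._pieces = [(p, get_attribute_name(p)) for p in message_pieces]
        self._short_pieces = [
            (p, get_attribute_name(p)) for p in (short_message_pieces or message_pieces)]
        self._separator = separator
        self._helpers = []

    def AddHelper(self, helper):
        self._helpers.append(helper)

    def FormatEventValues(self, event_values):
        for helper in self._helpers:
            helper.FormatEventValues(event_values)

    def GetFormatStringAttributeNames(self):
        return {name for _, name in self._pieces + self._short_pieces if name}

    def _Join(self, pieces, event_values):
        parts = []
        for piece, attribute_name in pieces:
            if attribute_name is not None and event_values.get(attribute_name) is None:
                continue  # attribute absent: the whole piece is left out
            # Attribute values are substituted as data only: braces inside a
            # file name taken from evidence are never parsed as placeholders.
            parts.append(piece.format(**event_values))
        return self._separator.join(parts)

    def GetMessage(self, event_values):
        return self._Join(self._pieces, event_values)

    def GetMessageShort(self, event_values):
        return self._Join(self._short_pieces, event_values)


def build_fs_stat_formatter():
    """Builds the formatter from the fs:stat definition shown on this page."""
    formatter = ConditionalFormatter(
        'fs:stat',
        ['{display_name}', 'Type: {file_entry_type}', '({unallocated})'],
        short_message_pieces=['(unknown)'])
    # Constructed helper (the page's YAML defines none): an allocated entry gets
    # no "unallocated" text, so the "({unallocated})" piece disappears.
    formatter.AddHelper(BooleanHelper('is_allocated', 'unallocated', 'unallocated', None))
    return formatter


def format_event(formatter, event_values):
    """Runs the helpers, then returns (message, short message) for one event."""
    values = dict(event_values)  # work on a copy so the stored event record is untouched
    formatter.FormatEventValues(values)
    return formatter.GetMessage(values), formatter.GetMessageShort(values)


# Constructed sample events; the second carries braces in a path on purpose.
SAMPLE_EVENTS = [
    {'display_name': 'OS:/etc/passwd', 'file_entry_type': 'file', 'is_allocated': True},
    {'display_name': 'OS:/tmp/{evil}.txt', 'file_entry_type': 'file', 'is_allocated': False},
    {'display_name': 'OS:/tmp', 'is_allocated': True},
]

if __name__ == '__main__':
    fs_stat = build_fs_stat_formatter()
    for event in SAMPLE_EVENTS:
        print(format_event(fs_stat, event))
```

The third sample event has no file_entry_type, so its "Type:" piece is omitted rather than rendered with an empty value, which is the behaviour that makes conditional pieces useful for sparse event data; the second shows that a brace in an evidence-derived path is reproduced verbatim, because only the trusted YAML pieces are ever treated as format strings.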
Module contents
This file contains an import statement for each formatter.