plaso.lib package
Submodules
plaso.lib.bufferlib module
Circular buffer for storing event objects.
- class plaso.lib.bufferlib.CircularBuffer(size)
Bases: object
Class that defines a circular buffer for storing event objects.
- GetCurrent()
Retrieves the item that the current index points to.
- Returns:
item.
- Return type:
object
- __init__(size)
Initializes a circular buffer object.
- Parameters:
size (int) – number of elements in the buffer.
- property size
number of elements in the buffer.
- Type:
int
plaso.lib.dateless_helper module
The date-less log format helper mix-in.
plaso.lib.decorators module
Function decorators.
plaso.lib.definitions module
The definitions.
plaso.lib.dtfabric_helper module
The dtFabric helper mix-in.
- class plaso.lib.dtfabric_helper.DtFabricHelper
Bases: object
dtFabric format definition helper mix-in.
dtFabric defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:
    name: int32
    type: integer
    description: 32-bit signed integer type
    attributes:
      format: signed
      size: 4
      units: bytes
    ---
    name: point3d
    aliases: [POINT]
    type: structure
    description: Point in 3 dimensional space.
    attributes:
      byte_order: little-endian
    members:
    - name: x
      aliases: [XCOORD]
      data_type: int32
    - name: y
      data_type: int32
    - name: z
      data_type: int32
The path to the definition file is defined in the class constant “_DEFINITION_FILE” and is read on class instantiation.
The definition file contains data type definitions such as “int32” and “point3d” in the previous example.
A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream. For example, given the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00
the corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)
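The mapping described above, as an added example that is not part of plaso or dtFabric: it uses the standard-library struct module as a stand-in for a dtFabric data type map, so the little-endian, signed 4-byte layout of “int32” and the three-member “point3d” structure are spelled out explicitly. The byte stream is the one quoted in the text; the Point3d class, the map_* function names and the bounds check are assumptions of this example, and the check is the part a parser needs so that a truncated input raises instead of being read past its end.

```python
import struct
from dataclasses import dataclass

# Constructed sample input: the byte stream quoted in the text above.
SAMPLE_STREAM = bytes.fromhex("01 00 00 00 02 00 00 00 03 00 00 00")

# Equivalent of the "int32" definition: signed, 4 bytes, little-endian.
INT32 = struct.Struct("<i")

# Equivalent of the "point3d" structure: three consecutive int32 members
# (x, y, z) in little-endian byte order.
POINT3D = struct.Struct("<iii")


@dataclass(frozen=True)
class Point3d:
    """Plain-Python stand-in for the object a "point3d" data type map yields."""
    x: int
    y: int
    z: int


def _check_bounds(byte_stream, offset, needed):
    """Refuses to map a structure that does not fit in the remaining data."""
    if offset < 0 or offset + needed > len(byte_stream):
        raise ValueError(
            f"need {needed} bytes at offset {offset}, "
            f"have {max(len(byte_stream) - offset, 0)}")


def map_int32(byte_stream, offset=0):
    """Maps byte_stream[offset:offset + 4] onto a Python int."""
    _check_bounds(byte_stream, offset, INT32.size)
    return INT32.unpack_from(byte_stream, offset)[0]


def map_point3d(byte_stream, offset=0):
    """Maps byte_stream[offset:offset + 12] onto a Point3d."""
    _check_bounds(byte_stream, offset, POINT3D.size)
    x, y, z = POINT3D.unpack_from(byte_stream, offset)
    return Point3d(x, y, z)


if __name__ == "__main__":
    print(map_point3d(SAMPLE_STREAM))  # Point3d(x=1, y=2, z=3)
```

The bounds check is what a real data type map also enforces: mapping a 12-byte structure onto 8 bytes of data is an error, not a partially filled object.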
plaso.lib.errors module
This file contains the error classes.
- exception plaso.lib.errors.BadConfigObject
Bases: Error
Raised when the configuration object is of the wrong type.
- exception plaso.lib.errors.BadConfigOption
Bases: Error
Raised when a faulty configuration option is encountered.
- exception plaso.lib.errors.InvalidEvent
Bases: Error
Error indicating an event is malformed.
- exception plaso.lib.errors.InvalidFilter
Bases: Error
Error indicating an invalid filter was specified.
- exception plaso.lib.errors.InvalidNumberOfOperands
Bases: Error
The number of operands provided to an objectfilter operator is wrong.
- exception plaso.lib.errors.MalformedPresetError
Bases: Error
Raised when a parser preset definition is malformed.
- exception plaso.lib.errors.MaximumRecursionDepth
Bases: Error
Raised when the maximum recursion depth is reached.
- exception plaso.lib.errors.PreProcessFail
Bases: Error
Raised when a preprocess module is unable to gather information.
- exception plaso.lib.errors.QueueAlreadyClosed
Bases: Error
Raised when an attempt is made to close a queue that is already closed.
- exception plaso.lib.errors.QueueAlreadyStarted
Bases: Error
Raised when an attempt is made to start a queue that is already started.
- exception plaso.lib.errors.QueueClose
Bases: Error
Class that implements a queue close exception.
- exception plaso.lib.errors.QueueEmpty
Bases: Error
Class that implements a queue empty exception.
- exception plaso.lib.errors.QueueFull
Bases: Error
Class that implements a queue full exception.
- exception plaso.lib.errors.SerializationError
Bases: Error
Class that defines serialization errors.
- exception plaso.lib.errors.SourceScannerError
Bases: Error
Class that defines source scanner errors.
- exception plaso.lib.errors.TaggingFileError
Bases: Error
Raised when the tagging file is invalid.
- exception plaso.lib.errors.UnableToLoadRegistryHelper
Bases: Error
Raised when unable to load a Registry helper object.
- exception plaso.lib.errors.UserAbort
Bases: Error
Class that defines a user initiated abort exception.
- exception plaso.lib.errors.WrongParser
Bases: Error
Raised when a parser is not designed to parse a file.
plaso.lib.line_reader_file module
Binary line reader file-like object.
- class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)
Bases: object
Basic reader for delimiter-separated text files of unknown encoding.
This is used for reading data from text files where the content encoding is unknown, or possibly mixed.
- __init__(binary_line_reader, delimiter)
Initializes the delimiter-separated values reader.
- Parameters:
binary_line_reader (BinaryLineReader) – a binary line reader.
delimiter (bytes) – field delimiter.
- class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')
Bases: object
Line reader for binary file-like objects.
- end_of_line
byte sequence that separates lines from each other.
- Type:
bytes
- MAXIMUM_READ_BUFFER_SIZE = 16777216
- __init__(file_object, end_of_line=b'\n')
Initializes the line reader.
- Parameters:
file_object (FileIO) – a file-like object to read from.
end_of_line (Optional[bytes]) – end of line indicator.
- readline(size=None)
Reads a single line of text.
The function reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.
- Parameters:
size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.
- Returns:
line of text.
- Return type:
bytes
- Raises:
ValueError – if the specified size is less than zero or greater than the maximum size allowed.
- readlines(sizehint=None)
Reads lines of text.
The function reads until EOF using readline() and returns a list containing the lines read.
- Parameters:
sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.
- Returns:
lines of text.
- Return type:
list[bytes]
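The readline() and readlines() semantics described above, as an added example that is plain Python rather than plaso's own BinaryLineReader: a terminator is kept on each returned line, a file that ends without a terminator yields an incomplete final line, an empty byte string means EOF, a non-default size can cut a line short, and a negative or over-large size raises ValueError. The class name, the read_size argument and the internal buffering are assumptions of this example; the 16777216-byte maximum is the constant on the page.

```python
import io

# Same value as BinaryLineReader.MAXIMUM_READ_BUFFER_SIZE on the page.
MAXIMUM_READ_BUFFER_SIZE = 16777216


class SimpleBinaryLineReader:
    """Reads terminator-delimited lines from a binary file-like object.

    The terminator may be any byte sequence (b"\\n", b"\\r\\n", b"\\x00", ...)
    and is allowed to straddle two underlying read() calls, which is why the
    reader keeps a buffer instead of reading a fixed chunk per line.
    """

    def __init__(self, file_object, end_of_line=b"\n", read_size=4096):
        self._file_object = file_object
        self._end_of_line = end_of_line
        self._read_size = read_size
        self._buffer = b""

    def readline(self, size=None):
        """Returns one line including its terminator, or b"" at EOF."""
        if size is None:
            size = MAXIMUM_READ_BUFFER_SIZE
        if size < 0 or size > MAXIMUM_READ_BUFFER_SIZE:
            raise ValueError(f"invalid size: {size}")

        # Fill the buffer until it holds a terminator, `size` bytes, or EOF.
        while (self._end_of_line not in self._buffer
               and len(self._buffer) < size):
            chunk = self._file_object.read(self._read_size)
            if not chunk:
                break
            self._buffer += chunk

        index = self._buffer.find(self._end_of_line)
        if index == -1:
            # No terminator: either an incomplete last line or a line longer
            # than `size`; return what is allowed.
            line_length = min(size, len(self._buffer))
        else:
            line_length = min(size, index + len(self._end_of_line))

        line = self._buffer[:line_length]
        self._buffer = self._buffer[line_length:]
        return line

    def readlines(self, sizehint=None):
        """Returns whole lines until EOF, or until sizehint bytes are read."""
        lines = []
        total = 0
        while True:
            line = self.readline()
            if not line:
                break
            lines.append(line)
            total += len(line)
            if sizehint is not None and total >= sizehint:
                break
        return lines


def read_all_lines(data, end_of_line=b"\n", read_size=4096):
    """Convenience wrapper: splits an in-memory byte string into lines."""
    reader = SimpleBinaryLineReader(io.BytesIO(data), end_of_line, read_size)
    return reader.readlines()


if __name__ == "__main__":
    # Constructed sample: CRLF-terminated lines, last line incomplete.
    print(read_all_lines(b"first\r\nsecond\r\ntail", end_of_line=b"\r\n"))
```

A read_size of 2 in the test below forces the two-byte CRLF terminator to be split across reads, which is the case a naive chunk-and-split reader gets wrong.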
plaso.lib.loggers module
Logging related classes and functions.
- class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')
Bases: FileHandler
Compressed file handler for logging.
- plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)
Configures the logging root logger.
- Parameters:
debug_output (Optional[bool]) – True if the logging should include debug output.
filename (Optional[str]) – log filename.
mode (Optional[str]) – log file access mode.
quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.
plaso.lib.plist module
The plist file object.
- class plaso.lib.plist.PlistFile
Bases: object
Class that defines a plist file.
- root_key
the plist root key.
- Type:
dict
- GetValueByPath(path_segments)
Retrieves a plist value by path.
- Parameters:
path_segments (list[str]) – path segment strings relative to the root of the plist.
- Returns:
The value of the key specified by the path or None.
- Return type:
object
plaso.lib.specification module
The format specification classes.
- class plaso.lib.specification.FormatSpecification(identifier, text_format=False)
Bases: object
The format specification.
- AddNewSignature(pattern, offset=None)
Adds a signature.
- Parameters:
pattern (bytes) – pattern of the signature.
offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative to the start of the data; a negative offset is relative to the end of the data.
- class plaso.lib.specification.FormatSpecificationStore
Bases: object
The store for format specifications.
- AddNewSpecification(identifier)
Adds a new format specification.
- Parameters:
identifier (str) – format identifier, which should be unique for the store.
- Returns:
format specification.
- Return type:
FormatSpecification
- Raises:
KeyError – if the store already contains a specification with the same identifier.
- AddSpecification(specification)
Adds a format specification.
- Parameters:
specification (FormatSpecification) – format specification.
- Raises:
KeyError – if the store already contains a specification with the same identifier.
- GetSpecificationBySignature(signature_identifier)
Retrieves a specification mapped to a signature identifier.
- Parameters:
signature_identifier (str) – unique signature identifier for a specification store.
- Returns:
format specification, or None if the signature identifier does not exist within the specification store.
- Return type:
FormatSpecification
- property specifications
specifications iterator.
- Type:
iterator
- class plaso.lib.specification.Signature(pattern, offset=None)
Bases: object
The format specification signature.
The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.
- SetIdentifier(identifier)
Sets the identifier of the signature in the specification store.
- Parameters:
identifier (str) – unique signature identifier for a specification store.
- __init__(pattern, offset=None)
Initializes a format specification signature.
The signatures can be defined in 3 different “modes”:
* offset >= 0: the signature is bound to the start of the data and only the relevant part is scanned;
* offset < 0: the signature is bound to the end of the data and only the relevant part is scanned;
* offset == None: the signature is not offset bound and all of the data is scanned.
- Parameters:
pattern (bytes) – pattern of the signature. Wildcards or regular expressions (regexp) are not supported.
offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative to the start of the data; a negative offset is relative to the end of the data.
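The three signature modes and the store's duplicate-identifier rule, as an added example that is not plaso's own specification code: a start-bound signature (offset >= 0) is compared only at that offset, an end-bound one (offset < 0) only at that distance from the end, and an unbound one (offset None) is searched for through the whole data. The Simple* class names, the Scan() helper, the "identifier:index" form of signature identifiers and the sample formats (“example_bin”, “example_text”) are constructed for this example.

```python
class SimpleSignature:
    """A literal byte pattern, optionally bound to a start or end offset."""

    def __init__(self, pattern, offset=None):
        if not pattern:
            raise ValueError("pattern must not be empty")
        self.pattern = pattern
        self.offset = offset
        self.identifier = None

    def SetIdentifier(self, identifier):
        self.identifier = identifier

    def Matches(self, data):
        """Returns True when the pattern is present under this signature's mode."""
        if self.offset is None:
            # Not offset bound: scan all of the data.
            return self.pattern in data
        if self.offset >= 0:
            # Bound to the start: compare only the bytes at that offset.
            end = self.offset + len(self.pattern)
            return data[self.offset:end] == self.pattern
        # Bound to the end: the offset counts back from the end of the data.
        start = len(data) + self.offset
        if start < 0:
            return False  # data is shorter than the distance from the end
        return data[start:start + len(self.pattern)] == self.pattern


class SimpleFormatSpecification:
    def __init__(self, identifier, text_format=False):
        self.identifier = identifier
        self.text_format = text_format
        self.signatures = []

    def AddNewSignature(self, pattern, offset=None):
        signature = SimpleSignature(pattern, offset)
        # Assumed identifier scheme: "<format identifier>:<signature index>".
        signature.SetIdentifier(f"{self.identifier}:{len(self.signatures)}")
        self.signatures.append(signature)
        return signature


class SimpleFormatSpecificationStore:
    def __init__(self):
        self._specifications = {}

    def AddSpecification(self, specification):
        if specification.identifier in self._specifications:
            raise KeyError(
                f"specification {specification.identifier!r} already in store")
        self._specifications[specification.identifier] = specification

    def AddNewSpecification(self, identifier):
        specification = SimpleFormatSpecification(identifier)
        self.AddSpecification(specification)
        return specification

    def GetSpecificationBySignature(self, signature_identifier):
        for specification in self._specifications.values():
            for signature in specification.signatures:
                if signature.identifier == signature_identifier:
                    return specification
        return None

    @property
    def specifications(self):
        return iter(self._specifications.values())

    def Scan(self, data):
        """Returns identifiers of specifications with any matching signature."""
        return sorted(
            spec.identifier for spec in self.specifications
            if any(sig.Matches(data) for sig in spec.signatures))


def build_store():
    """Builds a store with two constructed, hypothetical formats."""
    store = SimpleFormatSpecificationStore()
    binary = store.AddNewSpecification("example_bin")
    binary.AddNewSignature(b"EXHD", offset=0)    # header magic at the start
    binary.AddNewSignature(b"EXTL", offset=-4)   # trailer magic at the end
    text = store.AddNewSpecification("example_text")
    text.AddNewSignature(b"# example-log")       # anywhere in the data
    return store


if __name__ == "__main__":
    print(build_store().Scan(b"EXHD" + b"\x00" * 8 + b"EXTL"))  # ['example_bin']
```

Because AddNewSpecification delegates to AddSpecification, the KeyError for a duplicate identifier is raised on either path, matching the Raises sections above.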