plaso.output package

Submodules

plaso.output.dynamic module

Dynamic selected delimiter separated values output module.

class plaso.output.dynamic.DynamicFieldFormattingHelper[source]

Bases: FieldFormattingHelper

Dynamic output module field formatting helper.

class plaso.output.dynamic.DynamicOutputModule[source]

Bases: DSVOutputModule

Dynamic selected delimiter separated values (DSV) output module.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'

NAME = 'dynamic'

SUPPORTS_ADDITIONAL_FIELDS = True

SUPPORTS_CUSTOM_FIELDS = True

__init__()[source]: Initializes an output module.

plaso.output.formatting_helper module

Output module field formatting helper.

class plaso.output.formatting_helper.EventFormattingHelper[source]

Bases: object

Output module event formatting helper.

abstract GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values.

Return type:

list[str]

class plaso.output.formatting_helper.FieldFormattingHelper[source]

Bases: object

Output module field formatting helper.

GetFormattedField(output_mediator, field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_name (str) – name of the field.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

value of the field or None if not available.

Return type:

str

__init__()[source]: Initializes a field formatting helper.

plaso.output.interface module

This file contains the output module interface class.

class plaso.output.interface.OutputModule[source]

Bases: object

Output module interface.

Close()[source]: Closes the output.

DESCRIPTION = ''

abstract GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

GetMissingArguments()[source]

Retrieves arguments required by the module that have not been specified.

Returns:

names of argument that are required by the module and have: not been specified.

Return type:

list[str]

NAME = ''

Open(**kwargs)[source]: Opens the output.

SUPPORTS_ADDITIONAL_FIELDS = False

SUPPORTS_CUSTOM_FIELDS = False

WRITES_OUTPUT_FILE = False

abstract WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteFieldValuesOfMACBGroup(output_mediator, macb_group)[source]

Writes field values of a MACB group to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
macb_group (list[tuple[event, event_data, event_data_stream, event_tag]]) – group of event, event_data, event_data_stream and event_tag objects with identical timestamps, attributes and values.

WriteFooter()[source]

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader(output_mediator)[source]

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

plaso.output.json_line module

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule[source]

Bases: SharedJSONOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'

NAME = 'json_line'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

plaso.output.json_out module

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule[source]

Bases: SharedJSONOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'

NAME = 'json'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteFooter()[source]: Writes the footer to the output.

WriteHeader(output_mediator)[source]

Writes the header to the output.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

__init__()[source]: Initializes an output module.

plaso.output.kml module

An output module that writes event with geography data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule[source]

Bases: NativePythonOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'

NAME = 'kml'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteFooter()[source]: Writes the footer to the output.

WriteHeader(output_mediator)[source]

Writes the header to the output.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

plaso.output.l2t_csv module

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see:: https://forensics.wiki/l2t_csv

class plaso.output.l2t_csv.L2TCSVEventFormattingHelper(field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: DSVEventFormattingHelper

L2T CSV output module event formatting helper.

GetFormattedMACBGroup(output_mediator, macb_group)[source]

Retrieves a string representation of a MACB group.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
macb_group (list[tuple[event, event_data, event_data_stream, event_tag]]) – group of event, event_data, event_data_stream and event_tag objects with identical timestamps, attributes and values.

Returns:

string representation of the MACB group.

Return type:

str

class plaso.output.l2t_csv.L2TCSVFieldFormattingHelper[source]

Bases: FieldFormattingHelper

L2T CSV output module field formatting helper.

class plaso.output.l2t_csv.L2TCSVOutputModule[source]

Bases: SortedTextFileOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'

NAME = 'l2tcsv'

WriteFieldValuesOfMACBGroup(output_mediator, macb_group)[source]

Writes field values of a MACB group to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
macb_group (list[tuple[event, event_data, event_data_stream, event_tag]]) – group of event, event_data, event_data_stream and event_tag objects with identical timestamps, attributes and values.

WriteHeader(output_mediator)[source]

Writes the header to the output.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

__init__()[source]: Initializes an output module.

plaso.output.logger module

The output sub module logger.

plaso.output.manager module

Output plugin manager.

class plaso.output.manager.OutputManager[source]

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters:: output_class (type) – output module class.
Raises:: KeyError – if output class is not set for the corresponding data type.

classmethod GetDisabledOutputClasses()[source]

Retrieves the disabled output classes and its associated name.

Yields:: tuple[str, type] – output module name and class.

classmethod GetOutputClass(name)[source]

Retrieves the output class for a specific name.

Parameters:

name (str) – name of the output module.

Returns:

output module class.

Return type:

type

Raises:

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod GetOutputClasses()[source]

Retrieves the available output classes its associated name.

Yields:: tuple[str, type] – output class name and type object.

classmethod HasOutputClass(name)[source]

Determines if a specific output class is registered with the manager.

Parameters:: name (str) – name of the output module.
Returns:: True if the output class is registered.
Return type:: bool

classmethod NewOutputModule(name)[source]

Creates a new output module object for the specified output format.

Parameters:

name (str) – name of the output module.

Returns:

output module.

Return type:

OutputModule

Raises:

KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.

classmethod RegisterOutput(output_class, disabled=False)[source]

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters:

output_class (type) – output module class.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises:

KeyError – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters:

output_classes (list[type]) – output module classes.
disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.

Raises:

KeyError – if output class is already set for the corresponding name.

plaso.output.mediator module

The output mediator object.

class plaso.output.mediator.OutputMediator(storage_reader, data_location=None, dynamic_time=False, preferred_encoding='utf-8')[source]

Bases: object

Output mediator.

data_location

path of the formatter data files.

Type:: Optional[str]

GetDisplayNameForPathSpec(path_spec)[source]

Retrieves the display name for a path specification.

Parameters:: path_spec (dfvfs.PathSpec) – path specification.
Returns:: human readable version of the path specification.
Return type:: str

GetHostname(event_data, default_hostname='-')[source]

Retrieves the hostname related to the event.

Parameters:

event_data (EventData) – event data.
default_hostname (Optional[str]) – default hostname.

Returns:

hostname.

Return type:

str

GetMACBRepresentation(event, event_data)[source]

Retrieves the MACB representation.

Parameters:

event (EventObject) – event.
event_data (EventData) – event data.

Returns:

MACB representation.

Return type:

str

GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters:: timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns:: MACB representation.
Return type:: str

GetMessageFormatter(data_type)[source]

Retrieves the message formatter for a specific data type.

Parameters:

data_type (str) – data type.

Returns:

corresponding message formatter or the default message: formatter if not available.

Return type:

EventFormatter

GetRelativePathForPathSpec(path_spec)[source]

Retrieves the relative path for a path specification.

Parameters:: path_spec (dfvfs.PathSpec) – path specification.
Returns:: relateive path of the path specification.
Return type:: str

GetSourceMapping(data_type)[source]

Retrieves the source mapping for a specific data type.

Parameters:

data_type (str) – data type.

Returns:

short and (long) source mappings or (None, None) if not: available.

Return type:

tuple[str, str]

GetUsername(event_data, default_username='-')[source]

Retrieves the username related to the event data.

Parameters:

event_data (EventData) – event data.
default_username (Optional[str]) – default username.

Returns:

username.

Return type:

str

GetWinevtResourcesHelper()[source]

Retrieves a Windows EventLog resources helper.

Returns:: Windows EventLog resources helper.
Return type:: WinevtResourcesHelper

ReadMessageFormattersFromDirectory(path)[source]

Reads message formatters from a directory.

Parameters:: path (str) – path of directory that contains the message formatters configuration files.
Raises:: KeyError – if the message formatter is already set for the corresponding data type.

ReadMessageFormattersFromFile(path, override_existing=False)[source]

Reads message formatters from a file.

Parameters:

path (str) – path of file that contains the message formatters configuration.
override_existing (bool) – True if existing message formatters should be overridden.

Raises:

KeyError – if the message formatter is already set for the corresponding data type.

SetPreferredLanguageIdentifier(language_tag)[source]

Sets the preferred language identifier.

Parameters:: language_tag (str) – language tag such as “en-US” for US English or “is-IS” for Icelandic.
Raises:: ValueError – if the language tag is not a string type or no LCID can be determined that corresponds with the language tag.

SetTimeZone(time_zone)[source]

Sets the time zone.

Parameters:: time_zone (str) – time zone.
Raises:: ValueError – if the time zone is not supported.

__init__(storage_reader, data_location=None, dynamic_time=False, preferred_encoding='utf-8')[source]

Initializes an output mediator.

Parameters:

storage_reader (StorageReader) – storage reader.
data_location (Optional[str]) – path of the formatter data files.
dynamic_time (Optional[bool]) – True if date and time values should be represented in their granularity or semantically.
preferred_encoding (Optional[str]) – preferred encoding to output.

property dynamic_time

True if dynamic time should be used.

Type:: bool

property encoding

preferred encoding to output.

Type:: str

property time_zone

time zone.

Type:: datetime.tzinfo

plaso.output.null module

Null device output module.

class plaso.output.null.NullOutputModule[source]

Bases: OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

NAME = 'null'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

plaso.output.opensearch module

An output module that saves events to OpenSearch.

class plaso.output.opensearch.OpenSearchOutputModule[source]

Bases: SharedOpenSearchOutputModule

Output module for OpenSearch.

DESCRIPTION = 'Saves the events into an OpenSearch database.'

MAPPINGS_FILENAME = 'opensearch.mappings'

NAME = 'opensearch'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Events are buffered in the form of documents and inserted to OpenSearch when the flush interval (threshold) has been reached.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteHeader(output_mediator)[source]

Connects to the OpenSearch server and creates the index.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

plaso.output.opensearch_ts module

An output module that saves events to OpenSearch for Timesketch.

class plaso.output.opensearch_ts.OpenSearchTimesketchOutputModule[source]

Bases: SharedOpenSearchOutputModule

Output module for Timesketch OpenSearch.

DESCRIPTION = 'Saves the events into an OpenSearch database for use with Timesketch.'

GetMissingArguments()[source]

Retrieves a list of arguments that are missing from the input.

Returns:

names of arguments that are required by the module and have: not been specified.

Return type:

list[str]

MAPPINGS_FILENAME = 'plaso.mappings'

MAPPINGS_PATH = '/etc/timesketch'

NAME = 'opensearch_ts'

SetTimelineIdentifier(timeline_identifier)[source]

Sets the timeline identifier.

Parameters:: timeline_identifier (int) – timeline identifier.

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Events are buffered in the form of documents and inserted to OpenSearch when the flush interval (threshold) has been reached.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteHeader(output_mediator)[source]

Connects to the OpenSearch server and creates the index.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

__init__()[source]: Initializes an output module.

plaso.output.rawpy module

Output module for the native (or “raw”) Python format.

class plaso.output.rawpy.NativePythonOutputModule[source]

Bases: TextFileOutputModule

Output module for native (or “raw”) Python output format.

DESCRIPTION = 'native (or "raw") Python output.'

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

NAME = 'rawpy'

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

__init__()[source]: Initializes an output module.

plaso.output.shared_dsv module

Shared functionality for delimiter separated values output modules.

class plaso.output.shared_dsv.DSVEventFormattingHelper(field_formatting_helper, field_names, field_delimiter=',')[source]

Bases: EventFormattingHelper

Delimiter separated values output module event formatting helper.

field_delimiter

field delimiter.

Type:: str

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

GetFormattedFieldNames()[source]

Retrieves a string representation of the field names.

Returns:: string representation of the field names.
Return type:: str

SetAdditionalFields(field_names)[source]

Sets the names of additional fields to output.

Parameters:: field_names (list[str]) – names of additional fields to output.

SetCustomFields(field_names_and_values)[source]

Sets the names and values of custom fields to output.

Parameters:: field_names_and_values (list[tuple[str, str]]) – names and values of custom fields to output.

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters:: field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters:: field_names (list[str]) – names of the fields to output.

__init__(field_formatting_helper, field_names, field_delimiter=',')[source]

Initializes a delimiter separated values event formatting helper.

Parameters:

field_formatting_helper (FieldFormattingHelper) – field formatting helper.
field_names (list[str]) – names of the fields to output.
field_delimiter (Optional[str]) – field delimiter.

class plaso.output.shared_dsv.DSVOutputModule(field_formatting_helper, names, delimiter=',', header=None)[source]

Bases: SortedTextFileOutputModule

Shared functionality for delimiter separated values output modules.

SetAdditionalFields(field_names)[source]

Sets the names of additional fields to output.

Parameters:: field_names (list[str]) – names of additional fields to output.

SetCustomFields(field_names_and_values)[source]

Sets the names and values of custom fields to output.

Parameters:: field_names_and_values (list[tuple[str, str]]) – names and values of custom fields to output.

SetFieldDelimiter(field_delimiter)[source]

Sets the field delimiter.

Parameters:: field_delimiter (str) – field delimiter.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters:: field_names (list[str]) – names of the fields to output.

WriteHeader(output_mediator)[source]

Writes the header to the output.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

__init__(field_formatting_helper, names, delimiter=',', header=None)[source]

Initializes a delimiter separated values output module.

Parameters:

field_formatting_helper (FieldFormattingHelper) – field formatting helper.
names (list[str]) – names of the fields to output.
delimiter (Optional[str]) – field delimiter.
header (Optional[str]) – header, where None will have WriteHeader generate a header from the field names.

plaso.output.shared_json module

Shared functionality for JSON based output modules.

class plaso.output.shared_json.JSONFieldFormattingHelper[source]

Bases: FieldFormattingHelper

JSON output module field formatting helper.

GetFormattedField(output_mediator, field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_name (str) – name of the field.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

value of the field or None if not available.

Return type:

object

class plaso.output.shared_json.SharedJSONOutputModule[source]

Bases: TextFileOutputModule

Shared functionality for JSON based output modules.

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

abstract WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

__init__()[source]: Initializes an output module.

plaso.output.shared_opensearch module

Shared functionality for OpenSearch output modules.

class plaso.output.shared_opensearch.SharedOpenSearchFieldFormattingHelper[source]

Bases: FieldFormattingHelper

Shared OpenSearch output module field formatting helper.

GetFormattedField(output_mediator, field_name, event, event_data, event_data_stream, event_tag)[source]

Formats the specified field.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_name (str) – name of the field.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

value of the field or None if not set.

Return type:

object

class plaso.output.shared_opensearch.SharedOpenSearchOutputModule[source]

Bases: OutputModule

Shared functionality for an OpenSearch output module.

Close()[source]

Closes connection to OpenSearch.

Inserts any remaining buffered event documents.

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

NAME = 'opensearch_shared'

SUPPORTS_ADDITIONAL_FIELDS = True

SUPPORTS_CUSTOM_FIELDS = True

SetAdditionalFields(field_names)[source]

Sets the names of additional fields to output.

Parameters:: field_names (list[str]) – names of additional fields to output.

SetCACertificatesPath(ca_certificates_path)[source]

Sets the path to the CA certificates.

Parameters:: ca_certificates_path (str) – path to file containing a list of root certificates to trust.
Raises:: BadConfigOption – if the CA certificates file does not exist.

SetCustomFields(field_names_and_values)[source]

Sets the names and values of custom fields to output.

Parameters:: field_names_and_values (list[tuple[str, str]]) – names and values of custom fields to output.

SetFlushInterval(flush_interval)[source]

Sets the flush interval.

Parameters:: flush_interval (int) – number of events to buffer before doing a bulk insert.

SetIndexName(index_name)[source]

Sets the index name.

Parameters:: index_name (str) – name of the index.

SetMappings(mappings)[source]

Sets the mappings.

Parameters:: mappings (dict[str, object]) – mappings of the index.

SetPassword(password)[source]

Sets the password.

Parameters:: password (str) – password to authenticate with.

SetServerInformation(server, port)[source]

Sets the server information.

Parameters:

server (str) – IP address or hostname of the server.
port (int) – Port number of the server.

SetURLPrefix(url_prefix)[source]

Sets the URL prefix.

Parameters:: url_prefix (str) – URL prefix.

SetUseSSL(use_ssl)[source]

Sets the use of ssl.

Parameters:: use_ssl (bool) – enforces use of ssl.

SetUsername(username)[source]

Sets the username.

Parameters:: username (str) – username to authenticate with.

__init__()[source]: Initializes an output module.

plaso.output.text_file module

Shared functionality for text file based output modules.

class plaso.output.text_file.SortedStringHeap[source]

Bases: object

Heap to sort output strings.

IsFull()[source]

Determines if the heap is full.

Returns:: True if the heap is full.
Return type:: bool

PopString()[source]

Pops a string from the heap.

Returns:: string.
Return type:: str

PopStrings()[source]

Pops strings from the heap.

Yields:: str – string.

PushString(sort_key, string)[source]

Pushes a string onto the heap.

Parameters:

sort_key (str) – key for the sort order.
string (str) – string.

__init__()[source]: Initializes a heap.

class plaso.output.text_file.SortedTextFileOutputModule(event_formatting_helper)[source]

Bases: TextFileOutputModule

Shared functionality of an output module that writes to a text file.

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteFooter()[source]

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

__init__(event_formatting_helper)[source]

Initializes an output module that writes to a text file.

Parameters:: event_formatting_helper (EventFormattingHelper) – event formatting helper.

class plaso.output.text_file.TextFileOutputModule[source]

Bases: OutputModule

Shared functionality of an output module that writes to a text file.

Close()[source]: Closes the output file.

abstract GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

Open(path=None, **kwargs)[source]

Opens the output file.

Parameters:

path (Optional[str]) – path of the output file.

Raises:

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if path is not set.

WRITES_OUTPUT_FILE = True

abstract WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteLine(text)[source]

Writes a line of text to the output file.

Parameters:: text (str) – text to output.

WriteText(text)[source]

Writes text to the output file.

Parameters:: text (str) – text to output.

__init__()[source]: Initializes an output module that writes to a text file.

plaso.output.tln module

Output module for the TLN format.

For documentation on the TLN format see:: https://forensics.wiki/tln

class plaso.output.tln.L2TTLNOutputModule[source]

Bases: DSVOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced log2timeline.pl 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data. * TZ - L2T 0.65 field. Timezone of the event. * Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'

NAME = 'l2ttln'

__init__()[source]: Initializes an output module.

class plaso.output.tln.TLNFieldFormattingHelper[source]

Bases: FieldFormattingHelper

TLN output module field formatting helper.

class plaso.output.tln.TLNOutputModule[source]

Bases: DSVOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'

NAME = 'tln'

__init__()[source]: Initializes an output module.

plaso.output.winevt_rc module

Windows EventLog resources database reader.

class plaso.output.winevt_rc.Sqlite3DatabaseFile[source]

Bases: object

Class that defines a sqlite3 database file.

Close()[source]

Closes the database file.

Raises:: RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters:

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields:

sqlite3.row – row.

Raises:

RuntimeError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters:: table_name (str) – table name.
Returns:: True if the table exists.
Return type:: bool
Raises:: RuntimeError – if the database is not opened.

Open(filename, read_only=False)[source]

Opens the database file.

Parameters:

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns:

True if successful.

Return type:

bool

Raises:

RuntimeError – if the database is already opened.

__init__()[source]: Initializes the database file object.

class plaso.output.winevt_rc.WinevtResourcesHelper(storage_reader, data_location, lcid)[source]

Bases: object

Windows EventLog resources helper.

DEFAULT_LCID = 1033

GetMessageString(provider_identifier, log_source, message_identifier, event_version)[source]

Retrieves a specific Windows EventLog message string.

Parameters:

provider_identifier (str) – EventLog provider identifier.
log_source (str) – EventLog source, such as “Application Error”.
message_identifier (int) – message identifier.
event_version (int) – event version or None if not set.

Returns:

message string or None if not available.

Return type:

str

GetParameterString(provider_identifier, log_source, message_identifier)[source]

Retrieves a specific Windows EventLog parameter string.

Parameters:

provider_identifier (str) – EventLog provider identifier.
log_source (str) – EventLog source, such as “Application Error”.
message_identifier (int) – parameter identifier.

Returns:

parameter string or None if not available.

Return type:

str

__init__(storage_reader, data_location, lcid)[source]

Initializes Windows EventLog resources helper.

Parameters:

storage_reader (StorageReader) – storage reader.
data_location (str) – data location of the winevt-rc database.
lcid (int) – Windows Language Code Identifier (LCID).

class plaso.output.winevt_rc.WinevtResourcesSqlite3DatabaseReader[source]

Bases: object

Windows EventLog resources SQLite database reader.

Close()[source]: Closes the database reader object.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific EventLog source.

Parameters:

log_source (str) – EventLog source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns:

message string or None if not available.

Return type:

str

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters:: attribute_name (str) – name of the metadata attribute.
Returns:: the metadata attribute or None.
Return type:: str
Raises:: RuntimeError – if more than one value is found in the database.

Open(filename)[source]

Opens the database reader object.

Parameters:: filename (str) – filename of the database.
Returns:: True if successful.
Return type:: bool
Raises:: RuntimeError – if the version or string format of the database is not supported.

__init__()[source]: Initializes a Windows EventLog resources SQLite database reader.

plaso.output.xlsx module

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule[source]

Bases: OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]: Closes the workbook.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'

GetFieldValues(output_mediator, event, event_data, event_data_stream, event_tag)[source]

Retrieves the output field values.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
event (EventObject) – event.
event_data (EventData) – event data.
event_data_stream (EventDataStream) – event data stream.
event_tag (EventTag) – event tag.

Returns:

output field values per name.

Return type:

dict[str, str]

NAME = 'xlsx'

Open(path=None, **kwargs)[source]

Creates a new workbook.

Parameters:

path (Optional[str]) – path of the output file.

Raises:

IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if path is not set.

SUPPORTS_ADDITIONAL_FIELDS = True

SUPPORTS_CUSTOM_FIELDS = True

SetAdditionalFields(field_names)[source]

Sets the names of additional fields to output.

Parameters:: field_names (list[str]) – names of additional fields to output.

SetCustomFields(field_names_and_values)[source]

Sets the names and values of custom fields to output.

Parameters:: field_names_and_values (list[tuple[str, str]]) – names and values of custom fields to output.

SetFields(field_names)[source]

Sets the names of the fields to output.

Parameters:: field_names (list[str]) – names of the fields to output.

SetTimestampFormat(timestamp_format)[source]

Set the timestamp format to use for the datetime column.

Parameters:: timestamp_format (str) – format string of date and time values.

WRITES_OUTPUT_FILE = True

WriteFieldValues(output_mediator, field_values)[source]

Writes field values to the output.

Parameters:

output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.
field_values (dict[str, str]) – output field values per name.

WriteHeader(output_mediator)[source]

Writes the header to the spreadsheet.

Parameters:: output_mediator (OutputMediator) – mediates interactions between output modules and other components, such as storage and dfVFS.

__init__()[source]: Initializes an output module.

Module contents

This file imports Python modules that register output modules.