plaso.parsers.czip_plugins package

Submodules

plaso.parsers.czip_plugins.interface module

Interface for compound ZIP file plugins.

class plaso.parsers.czip_plugins.interface.CompoundZIPPlugin[source]

Bases: BasePlugin

Compound ZIP parser plugin.

CheckRequiredPaths(zip_file)[source]

Checks if the ZIP file has the minimal structure required by the plugin.

Parameters:

zip_file (zipfile.ZipFile) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.

Returns:

True if the ZIP file has the minimum paths defined by the plugin,: or False if it does not or no required paths are defined. The ZIP file can have more paths than specified by the plugin and still return True.

Return type:

bool

DATA_FORMAT = 'Compound ZIP file'

NAME = 'czip_plugin'

Process(parser_mediator, zip_file=None, **kwargs)[source]

Extracts events from the ZIP file.

Parameters:

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
zip_file (Optional[zipfile.ZipFile]) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.

Raises:

ValueError – If the ZIP file argument is not valid.

REQUIRED_PATHS = frozenset({})

plaso.parsers.czip_plugins.oxml module

Compound ZIP parser plugin for OpenXML files.

class plaso.parsers.czip_plugins.oxml.OpenXMLEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

OXML event data.

application

name of application that created document.

Type:: str

application_version

version of application that created document.

Type:: str

author

name of author.

Type:: str

creation_time

creation date and time of the document.

Type:: dfdatetime.DateTimeValues

digital_signature

digital signature.

Type:: str

edit_duration

total editing time.

Type:: int

hyperlinks_changed

True if hyperlinks have changed.

Type:: bool

last_printed_time

date and time the document was last printed.

Type:: dfdatetime.DateTimeValues

last_saved_by

name of user that last saved the document.

Type:: str

links_up_to_date

True if the links are up to date.

Type:: bool

modification_time

modification date and time of the document.

Type:: dfdatetime.DateTimeValues

number_of_characters

number of characters without spaces in the document.

Type:: int

number_of_characters_with_spaces

number of characters including spaces in the document.

Type:: int

number_of_clips

number of multi-media clips in the document.

Type:: int

number_of_hidden_slides

number of hidden slides in the document.

Type:: int

number_of_lines

number of lines in the document.

Type:: int

number_of_pages

number of pages in the document.

Type:: int

number_of_paragraphs

number of paragraphs in the document.

Type:: int

number_of_slides

number of slides in the document.

Type:: int

number_of_words

number of words in the document.

Type:: int

revision_number

revision number.

Type:: int

scale

True if scaling of the thumbnail is desired or false if cropping is desired.

Type:: bool

security_flags

security flags.

Type:: int

shared_doc

True if document is shared.

Type:: bool

template

name of the template used to created the document.

Type:: str

DATA_TYPE = 'openxml:metadata'

__init__()[source]: Initializes event data.

class plaso.parsers.czip_plugins.oxml.OpenXMLPlugin[source]

Bases: CompoundZIPPlugin

Parse metadata from OXML files.

DATA_FORMAT = 'OpenXML (OXML) file'

NAME = 'oxml'

REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})

Module contents

Imports for the compound ZIP parser.