plaso.storage package

Subpackages

• plaso.storage.fake package
  • Submodules
  • plaso.storage.fake.event_heap module
    • EventHeap
      • EventHeap.PopEvent()
      • EventHeap.PopEvents()
      • EventHeap.PushEvent()
      • EventHeap.__init__()
      • EventHeap.number_of_events
  • plaso.storage.fake.fake_store module
    • FakeStore
      • FakeStore.serialization_format
      • FakeStore.GetSortedEvents()
      • FakeStore.SetSerializersProfiler()
      • FakeStore.__init__()
  • plaso.storage.fake.writer module
    • FakeStorageWriter
      • FakeStorageWriter.task_completion
      • FakeStorageWriter.task_start
      • FakeStorageWriter.GetFirstWrittenEventData()
      • FakeStorageWriter.GetFirstWrittenEventSource()
      • FakeStorageWriter.GetNextWrittenEventData()
      • FakeStorageWriter.GetNextWrittenEventSource()
      • FakeStorageWriter.Open()
      • FakeStorageWriter.__init__()
  • Module contents
• plaso.storage.redis package
  • Submodules
  • plaso.storage.redis.reader module
    • RedisStorageReader
      • RedisStorageReader.__init__()
  • plaso.storage.redis.redis_store module
    • BaseRedisAttributeContainerStore
      • BaseRedisAttributeContainerStore.format_version
      • BaseRedisAttributeContainerStore.serialization_format
      • BaseRedisAttributeContainerStore.Close()
      • BaseRedisAttributeContainerStore.DEFAULT_REDIS_URL
      • BaseRedisAttributeContainerStore.GetAttributeContainerByIdentifier()
      • BaseRedisAttributeContainerStore.GetAttributeContainerByIndex()
      • BaseRedisAttributeContainerStore.GetAttributeContainers()
      • BaseRedisAttributeContainerStore.GetNumberOfAttributeContainers()
      • BaseRedisAttributeContainerStore.HasAttributeContainers()
      • BaseRedisAttributeContainerStore.Open()
      • BaseRedisAttributeContainerStore.__init__()
    • RedisAttributeContainerStore
      • RedisAttributeContainerStore.GetAttributeContainerByIndex()
      • RedisAttributeContainerStore.GetAttributeContainers()
      • RedisAttributeContainerStore.GetSortedEvents()
      • RedisAttributeContainerStore.SetSerializersProfiler()
      • RedisAttributeContainerStore.__init__()
  • plaso.storage.redis.writer module
    • RedisStorageWriter
      • RedisStorageWriter.GetFirstWrittenEventData()
      • RedisStorageWriter.GetFirstWrittenEventSource()
      • RedisStorageWriter.GetNextWrittenEventData()
      • RedisStorageWriter.GetNextWrittenEventSource()
      • RedisStorageWriter.Open()
  • Module contents
• plaso.storage.sqlite package
  • Submodules
  • plaso.storage.sqlite.reader module
    • SQLiteStorageReader
      • SQLiteStorageReader.__init__()
  • plaso.storage.sqlite.sqlite_file module
    • SQLiteStorageFile
      • SQLiteStorageFile.compression_format
      • SQLiteStorageFile.GetAttributeContainerByIndex()
      • SQLiteStorageFile.GetAttributeContainers()
      • SQLiteStorageFile.GetSortedEvents()
      • SQLiteStorageFile.SetSerializersProfiler()
      • SQLiteStorageFile.__init__()
  • plaso.storage.sqlite.writer module
    • SQLiteStorageWriter
      • SQLiteStorageWriter.GetFirstWrittenEventData()
      • SQLiteStorageWriter.GetFirstWrittenEventSource()
      • SQLiteStorageWriter.GetNextWrittenEventData()
      • SQLiteStorageWriter.GetNextWrittenEventSource()
      • SQLiteStorageWriter.Open()
      • SQLiteStorageWriter.__init__()
  • Module contents

Submodules

plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory

Bases: object

Storage factory.

classmethod CreateStorageFile(storage_format)

Creates a storage file.

Parameters:

storage_format (str) – storage format.

Returns:

a storage file or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageFile

classmethod CreateStorageReaderForFile(path)

Creates a storage reader based on the file.

Parameters:

path (str) – path to the storage file.

Returns:

a storage reader or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageReader

classmethod CreateStorageWriter(storage_format)

Creates a storage writer.

Parameters:

storage_format (str) – storage format.

Returns:

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageWriter

classmethod CreateStorageWriterForFile(path)

Creates a storage writer based on the file.

Parameters:

path (str) – path to the storage file.

Returns:

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageWriter

classmethod CreateTaskStorageReader(storage_format, task, path)

Creates a task storage reader.

Parameters:

• storage_format (str) – storage format.

• task (Task) – task the storage changes are part of.

• path (str) – path to the storage file.

Returns:

a storage reader or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageReader

classmethod CreateTaskStorageWriter(storage_format)

Creates a task storage writer.

Parameters:

storage_format (str) – storage format.

Returns:

a storage writer or None if the storage file cannot be

opened or the storage format is not supported.

Return type:

StorageWriter

plaso.storage.logger module

The storage sub module logger.

plaso.storage.reader module

The storage reader.

class plaso.storage.reader.StorageReader

Bases: object

Storage reader interface.

Close()

Closes the storage reader.

GetAttributeContainerByIdentifier(container_type, identifier)

Retrieves a specific type of container with a specific identifier.

Parameters:

• container_type (str) – container type.

• identifier (AttributeContainerIdentifier) – attribute container identifier.

Returns:

attribute container or None if not available.

Return type:

AttributeContainer

GetAttributeContainerByIndex(container_type, index)

Retrieves a specific attribute container.

Parameters:

• container_type (str) – attribute container type.

• index (int) – attribute container index.

Returns:

attribute container or None if not available.

Return type:

AttributeContainer

GetAttributeContainers(container_type, filter_expression=None)

Retrieves a specific type of attribute containers.

Parameters:

• container_type (str) – attribute container type.

• filter_expression (Optional[str]) – expression to filter the resulting attribute containers by.

Returns:

attribute container generator.

Return type:

generator(AttributeContainers)

GetEventTagByEventIdentifer(event_identifier)

Retrieves the event tag of a specific event.

Parameters:

event_identifier (AttributeContainerIdentifier) – event attribute container identifier.

Returns:

event tag or None if the event has no event tag.

Return type:

EventTag

GetFormatVersion()

Retrieves the format version of the underlying storage file.

Returns:

the format version.

Return type:

int

GetNumberOfAttributeContainers(container_type)

Retrieves the number of a specific type of attribute containers.

Parameters:

container_type (str) – attribute container type.

Returns:

the number of containers of a specified type.

Return type:

int

GetSerializationFormat()

Retrieves the serialization format of the underlying storage file.

Returns:

the serialization format.

Return type:

str

GetSessions()

Retrieves the sessions.

Yields:

Session – session attribute container.

GetSortedEvents(time_range=None)

Retrieves the events in increasing chronological order.

This includes all events written to the storage including those pending being flushed (written) to the storage.

Parameters:

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns:

event generator.

Return type:

generator(EventObject)

HasAttributeContainers(container_type)

Determines if a store contains a specific type of attribute container.

Parameters:

container_type (str) – attribute container type.

Returns:

True if the store contains the specified type of attribute

containers.

Return type:

bool

SetSerializersProfiler(serializers_profiler)

Sets the serializers profiler.

Parameters:

serializers_profiler (SerializersProfiler) – serializers profiler.

SetStorageProfiler(storage_profiler)

Sets the storage profiler.

Parameters:

storage_profiler (StorageProfiler) – storage profiler.

__enter__()

Make usable with “with” statement.

__exit__(exception_type, value, traceback)

Make usable with “with” statement.

__init__()

Initializes a storage reader.

plaso.storage.serializers module

This file contains the attribute container store serializers.

class plaso.storage.serializers.JSONDateTimeAttributeSerializer(*args: Any, **kwargs: Any)

Bases: AttributeSerializer

JSON date time values attribute serializer.

DeserializeValue(value)

Deserializes a value.

Parameters:

value (dict[str, object]) – serialized value.

Returns:

runtime value.

Return type:

dfdatetime.DateTimeValues

SerializeValue(value)

Serializes a value.

Parameters:

value (dfdatetime.DateTimeValues) – runtime value.

Returns:

serialized value.

Return type:

dict[str, object]

class plaso.storage.serializers.JSONPathSpecAttributeSerializer(*args: Any, **kwargs: Any)

Bases: AttributeSerializer

JSON path specification attribute serializer.

DeserializeValue(value)

Deserializes a value.

Parameters:

value (dict[str, object]) – serialized value.

Returns:

runtime value.

Return type:

dfvfs.PathSpec

SerializeValue(value)

Serializes a value.

Parameters:

value (dfvfs.PathSpec) – runtime value.

Returns:

serialized value.

Return type:

str

class plaso.storage.serializers.JSONValueListAttributeSerializer(*args: Any, **kwargs: Any)

Bases: AttributeSerializer

JSON value list attribute serializer.

DeserializeValue(value)

Deserializes a value.

Parameters:

value (list[int|str]) – serialized value.

Returns:

runtime value.

Return type:

list[int|str]

SerializeValue(value)

Serializes a value.

Parameters:

value (list[int|str]) – runtime value.

Returns:

serialized value.

Return type:

list[int|str]

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)

Bases: object

Date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

duration

duration of the range in microseconds.

Type:

int

end_timestamp

timestamp that marks the end of the range.

Type:

int

start_timestamp

timestamp that marks the start of the range.

Type:

int

__init__(start_timestamp, end_timestamp)

Initializes a date and time range.

The timestamp are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

Parameters:

• start_timestamp (int) – timestamp that marks the start of the range.

• end_timestamp (int) – timestamp that marks the end of the range.

Raises:

ValueError – If the time range is badly formed.

plaso.storage.writer module

The storage writer.

class plaso.storage.writer.StorageWriter(storage_type='session')

Bases: StorageReader

Storage writer interface.

AddAttributeContainer(container)

Adds an attribute container.

Parameters:

container (AttributeContainer) – attribute container.

Raises:

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

AddOrUpdateEventTag(event_tag)

Adds a new or updates an existing event tag.

Parameters:

event_tag (EventTag) – event tag.

Raises:

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

Close()

Closes the storage writer.

Raises:

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

abstract GetFirstWrittenEventData()

Retrieves the first event data that was written after open.

Using GetFirstWrittenEventData and GetNextWrittenEventData newly added event data can be retrieved in order of addition.

Returns:

event data or None if there are no newly written ones.

Return type:

EventData

abstract GetFirstWrittenEventSource()

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.

Returns:

event source or None if there are no newly written ones.

Return type:

EventSource

abstract GetNextWrittenEventData()

Retrieves the next event data that was written after open.

Returns:

event data or None if there are no newly written ones.

Return type:

EventData

abstract GetNextWrittenEventSource()

Retrieves the next event source that was written after open.

Returns:

event source or None if there are no newly written ones.

Return type:

EventSource

abstract Open(**kwargs)

Opens the storage writer.

UpdateAttributeContainer(container)

Updates an existing attribute container.

Parameters:

container (AttributeContainer) – attribute container.

Raises:

• IOError – when the storage writer is closed.

• OSError – when the storage writer is closed.

__init__(storage_type='session')

Initializes a storage writer.

Parameters:

storage_type (Optional[str]) – storage type.

Module contents