plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.reader module

SQLite-based storage reader.

class plaso.storage.sqlite.reader.SQLiteStorageReader(path)[source]

Bases: StorageReader

SQLite-based storage reader.

__init__(path)[source]

Initializes a storage reader.

Parameters:

path (str) – path to the input SQLite database.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage file.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(*args: Any, **kwargs: Any)[source]

Bases: SQLiteAttributeContainerStore

SQLite-based storage file.

compression_format

compression format.

Type:

str

GetAttributeContainerByIndex(container_type, index)[source]

Retrieves a specific attribute container.

Parameters:
  • container_type (str) – attribute container type.

  • index (int) – attribute container index.

Returns:

attribute container or None if not available.

Return type:

AttributeContainer

Raises:
  • IOError – when the store is closed or when there is an error querying the storage file.

  • OSError – when the store is closed or when there is an error querying the storage file.

GetAttributeContainers(container_type, filter_expression=None)[source]

Retrieves a specific type of stored attribute containers.

Parameters:
  • container_type (str) – attribute container type.

  • filter_expression (Optional[str]) – expression to filter the resulting attribute containers by.

Yields:

AttributeContainer – attribute container.

Raises:
  • IOError – when there is an error querying the storage file.

  • OSError – when there is an error querying the storage file.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters:

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Returns:

event generator.

Return type:

generator(EventObject)

SetSerializersProfiler(serializers_profiler)[source]

Sets the serializers profiler.

Parameters:

serializers_profiler (SerializersProfiler) – serializers profiler.

__init__()[source]

Initializes a SQLite-based storage file.

plaso.storage.sqlite.writer module

SQLite-based storage writer.

class plaso.storage.sqlite.writer.SQLiteStorageWriter(storage_type='session')[source]

Bases: StorageWriter

SQLite-based storage writer.

GetFirstWrittenEventData()[source]

Retrieves the first event data that was written after open.

Using GetFirstWrittenEventData and GetNextWrittenEventData, newly added event data can be retrieved in order of addition.

Returns:

event data or None if there are no newly written ones.

Return type:

EventData

Raises:
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetFirstWrittenEventSource()[source]

Retrieves the first event source that was written after open.

Using GetFirstWrittenEventSource and GetNextWrittenEventSource, newly added event sources can be retrieved in order of addition.

Returns:

event source or None if there are no newly written ones.

Return type:

EventSource

Raises:
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetNextWrittenEventData()[source]

Retrieves the next event data that was written after open.

Returns:

event data or None if there are no newly written ones.

Return type:

EventData

Raises:
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

GetNextWrittenEventSource()[source]

Retrieves the next event source that was written after open.

Returns:

event source or None if there are no newly written ones.

Return type:

EventSource

Raises:
  • IOError – when the storage writer is closed.

  • OSError – when the storage writer is closed.

Open(path=None, **unused_kwargs)[source]

Opens the storage writer.

Parameters:

path (Optional[str]) – path to the output SQLite database.

Raises:
  • IOError – if the storage writer is already opened.

  • OSError – if the storage writer is already opened.

__init__(storage_type='session')[source]

Initializes a storage writer.

Parameters:

storage_type (Optional[str]) – storage type.

Module contents