plaso.containers package¶

Submodules¶

plaso.containers.analyzer_result module¶

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult[source]¶

Bases: plaso.containers.interface.AttributeContainer

Attribute container to store results of analyzers.

Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

analyzer_name¶

name of the analyzer that produce the result.

Type: str

attribute_name¶

name of the attribute produced.

Type: str

attribute_value¶

value of the attribute produced.

Type: str

CONTAINER_TYPE = 'analyzer_result'¶

plaso.containers.artifacts module¶

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer[source]¶

Bases: plaso.containers.interface.AttributeContainer

Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Environment variable artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Environment_variable

case_sensitive¶

True if environment variable name is case sensitive.

Type: bool

name¶

environment variable name e.g. ‘SystemRoot’ as in ‘%SystemRoot%’ or ‘HOME’ in ‘$HOME’.

Type: str

value¶

environment variable value e.g. ‘C:Windows’ or ‘/home/user’.

Type: str

CONTAINER_TYPE = 'environment_variable'¶

class plaso.containers.artifacts.HostnameArtifact(name=None, schema='DNS')[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Hostname artifact attribute container.

Also see:: https://en.wikipedia.org/wiki/Hostname http://cybox.mitre.org/language/version2.1/xsddocs/objects/ Hostname_Object.html

name¶

name of the host according to the naming schema.

Type: str

schema¶

naming schema e.g. DNS, NIS, SMB/NetBIOS.

Type: str

CONTAINER_TYPE = 'hostname'¶

class plaso.containers.artifacts.OperatingSystemArtifact(family=None, product=None, version=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

Operating system artifact attribute container.

family¶

operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

name¶

operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of predefined values.

Type: str

product¶

product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.

Type: str

version¶

version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.

Type: str

CONTAINER_TYPE = 'operating_system'¶

IsEquivalent(other)[source]¶

Determines if 2 operating system artifacts are equivalent.

This function compares the operating systems based in order of: * name derived from product * family and version * family

Parameters

other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.

Returns

True if the operating systems are considered equivalent, False if: the most specific criteria do no match, or no criteria are available.

Return type

bool

version_tuple¶

version tuple or None if version is not set or invalid.

Type: tuple[int]

class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

System configuration artifact attribute container.

The system configuration contains the configuration data of a specific system installation e.g. Windows or Linux.

code_page¶

system code page.

Type: str

hostname¶

hostname.

Type: HostnameArtifact

keyboard_layout¶

keyboard layout.

Type: str

operating_system¶

operating system for example “MacOS” or “Windows”.

Type: str

operating_system_product¶

operating system product for example “Windows XP”.

Type: str

operating_system_version¶

operating system version for example “10.9.2” or “8.1”.

Type: str

time_zone¶

system time zone.

Type: str

user_accounts¶

user accounts.

Type: list[UserAccountArtifact]

CONTAINER_TYPE = 'system_configuration'¶

class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)[source]¶

Bases: plaso.containers.artifacts.ArtifactAttributeContainer

User account artifact attribute container.

Also see:: http://cybox.mitre.org/language/version2.1/xsddocs/objects/ User_Account_Object.html

full_name¶

name describing the user e.g. full name.

Type: str

group_identifier¶

identifier of the primary group the user is part of.

Type: str

identifier¶

user identifier.

Type: str

user_directory¶

path of the user (or home or profile) directory.

Type: str

username¶

name uniquely identifying the user.

Type: str

CONTAINER_TYPE = 'user_account'¶

GetUserDirectoryPathSegments()[source]¶

Retrieves the path segments of the user directory.

Returns

path segments of the user directory or an empty list if no: user directory is set.

Return type

list[str]

plaso.containers.event_sources module¶

Event source attribute containers.

class plaso.containers.event_sources.EventSource(path_spec=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event source attribute container.

The event source object contains information about where a specific event originates e.g. a file, the $STANDARD_INFORMATION MFT attribute, or Application Compatibility cache.

data_type¶

attribute container type indicator.

Type: str

file_entry_type¶

dfVFS file entry type.

Type: str

path_spec¶

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'event_source'¶

DATA_TYPE = None¶

__lt__(other)[source]¶

Compares if the event source attribute container is less than the other.

Parameters: other (EventSource) – event source attribute container to compare to.
Returns: True if the event source attribute container is less than the other.
Return type: bool

class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)[source]¶

Bases: plaso.containers.event_sources.EventSource

File entry event source.

The file entry event source is an event source that represents a file within a file system.

DATA_TYPE = 'file_entry'¶

plaso.containers.events module¶

Event attribute containers.

class plaso.containers.events.EventData(data_type=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event data attribute container.

data_type¶

event data type indicator.

Type: str

offset¶

offset relative to the start of the data stream where the event data is stored.

Type: int

query¶

query that was used to obtain the event data.

Type: str

CONTAINER_TYPE = 'event_data'¶

class plaso.containers.events.EventObject[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event attribute container.

The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.

data_type¶

event data type indicator.

Type: str

display_name¶

display friendly version of the path specification.

Type: str

filename¶

name of the file related to the event.

Type: str

hostname¶

name of the host related to the event.

Type: str

inode¶

inode of the file related to the event.

Type: int

offset¶

offset of the event data.

Type: int

pathspec¶

path specification of the file related to the event.

Type: dfvfs.PathSpec

tag¶

event tag.

Type: EventTag

timestamp¶

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type: int

timestamp_desc¶

description of the meaning of the timestamp.

Type: str

CONTAINER_TYPE = 'event'¶

DATA_TYPE = None¶

GetEventDataIdentifier()[source]¶

Retrieves the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Returns: event identifier or None when not set.
Return type: AttributeContainerIdentifier

SetEventDataIdentifier(event_data_identifier)[source]¶

Sets the identifier of the event data associated with the event.

The event data identifier is a storage specific value that should not be serialized.

Parameters: event_data_identifier (AttributeContainerIdentifier) – event identifier.

__lt__(other)[source]¶

Compares if the event attribute container is less than the other.

Events are compared by timestamp.

Parameters: other (EventObject) – event attribute container to compare to.
Returns: True if the event attribute container is less than the other.
Return type: bool

class plaso.containers.events.EventTag(comment=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Event tag attribute container.

comment¶

comments.

Type: str

event_entry_index¶

serialized data stream entry index of the event, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

Type: int

event_stream_number¶

number of the serialized event stream, this attribute is used by the ZIP and GZIP storage files to uniquely identify the event linked to the tag.

Type: int

labels¶

labels, such as “malware”, “application_execution”.

Type: list[str]

AddComment(comment)[source]¶

Adds a comment to the event tag.

Parameters: comment (str) – comment.

AddLabel(label)[source]¶

Adds a label to the event tag.

Parameters

label (str) – label.

Raises

TypeError – if the label provided is not a string.
ValueError – if a label is malformed.

AddLabels(labels)[source]¶

Adds labels to the event tag.

Parameters: labels (list[str]) – labels.
Raises: ValueError – if a label is malformed.

CONTAINER_TYPE = 'event_tag'¶

classmethod CopyTextToLabel(text, prefix='')[source]¶

Copies a string to a label.

A label only supports a limited set of characters therefore unsupported characters are replaced with an underscore.

Parameters

text (str) – label text.
prefix (Optional[str]) – label prefix.

Returns

label.

Return type

str

CopyToDict()[source]¶

Copies the event tag to a dictionary.

Returns: event tag attributes.
Return type: dict[str, object]

GetEventIdentifier()[source]¶

Retrieves the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Returns: event identifier or None when not set.
Return type: AttributeContainerIdentifier

SetEventIdentifier(event_identifier)[source]¶

Sets the identifier of the event associated with the event tag.

The event identifier is a storage specific value that should not be serialized.

Parameters: event_identifier (AttributeContainerIdentifier) – event identifier.

plaso.containers.interface module¶

The attribute container interface.

class plaso.containers.interface.AttributeContainer[source]¶

Bases: object

The attribute container interface.

This is the the base class for those object that exists primarily as a container of attributes with basic accessors and mutators.

The CONTAINER_TYPE class attribute contains a string that identifies the container type e.g. the container type “event” identifiers an event object.

Attributes are public class members of an serializable type. Protected and private class members are not to be serialized.

CONTAINER_TYPE = None¶

CopyFromDict(attributes)[source]¶

Copies the attribute container from a dictionary.

Parameters: attributes (dict[str, object]) – attribute values per name.

CopyToDict()[source]¶

Copies the attribute container to a dictionary.

Returns: attribute values per name.
Return type: dict[str, object]

GetAttributeNames()[source]¶

Retrieves the names of all attributes.

Returns: attribute names.
Return type: list[str]

GetAttributeValuesHash()[source]¶

Retrieves a comparable string of the attribute values.

Returns: hash of comparable string of the attribute values.
Return type: int

GetAttributeValuesString()[source]¶

Retrieves a comparable string of the attribute values.

Returns: comparable string of the attribute values.
Return type: str

GetAttributes()[source]¶

Retrieves the attribute names and values.

Attributes that are set to None are ignored.

Yields: tuple[str, object] – attribute name and value.

GetIdentifier()[source]¶

Retrieves the identifier.

The identifier is a storage specific value that should not be serialized.

Returns: an unique identifier for the container.
Return type: AttributeContainerIdentifier

GetSessionIdentifier()[source]¶

Retrieves the session identifier.

The session identifier is a storage specific value that should not be serialized.

Returns: session identifier.
Return type: str

SetIdentifier(identifier)[source]¶

Sets the identifier.

The identifier is a storage specific value that should not be serialized.

Parameters: identifier (AttributeContainerIdentifier) – identifier.

SetSessionIdentifier(session_identifier)[source]¶

Sets the session identifier.

The session identifier is a storage specific value that should not be serialized.

Parameters: session_identifier (str) – session identifier.

class plaso.containers.interface.AttributeContainerIdentifier[source]¶

Bases: object

The attribute container identifier.

The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.

CopyToString()[source]¶

Copies the identifier to a string representation.

Returns: unique identifier or None.
Return type: str

plaso.containers.manager module¶

This file contains the attribute container manager class.

class plaso.containers.manager.AttributeContainersManager[source]¶

Bases: object

Class that implements the attribute container manager.

classmethod DeregisterAttributeContainer(attribute_container_class)[source]¶

Deregisters an attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_class (type) – attribute container class.
Raises: KeyError – if attribute container class is not set for the corresponding container type.

classmethod GetAttributeContainer(container_type)[source]¶

Retrieves the attribute container for a specific container type.

Parameters: container_type (str) – container type.
Returns: attribute container.
Return type: AttributeContainer

classmethod RegisterAttributeContainer(attribute_container_class)[source]¶

Registers a attribute container class.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_class (type) – attribute container class.
Raises: KeyError – if attribute container class is already set for the corresponding container type.

classmethod RegisterAttributeContainers(attribute_container_classes)[source]¶

Registers attribute container classes.

The attribute container classes are identified based on their lower case container type.

Parameters: attribute_container_classes (list[type]) – attribute container classes.
Raises: KeyError – if attribute container class is already set for the corresponding container type.

plaso.containers.plist_event module¶

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData[source]¶

Bases: plaso.containers.events.EventData

Plist event data attribute container.

desc¶

description.

Type: str

hostname¶

hostname.

Type: str

key¶

name of plist key.

Type: str

root¶

path from the root to this plist key.

Type: str

username¶

unique username.

Type: str

DATA_TYPE = 'plist:key'¶

plaso.containers.reports module¶

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Analysis report attribute container.

filter_string¶

event filter expression.

Type: str

plugin_name¶

name of the analysis plugin that generated the report.

Type: str

report_array¶

???

Type: array[str]

report_dict¶

???

Type: dict[str]

text¶

report text.

Type: str

time_compiled¶

timestamp of the date and time the report was compiled.

Type: int

CONTAINER_TYPE = 'analysis_report'¶

CopyToDict()[source]¶

Copies the attribute container to a dictionary.

Returns: attribute values per name.
Return type: dict[str, object]

GetString()[source]¶

Retrieves a string representation of the report.

Returns: string representation of the report.
Return type: str

plaso.containers.sessions module¶

Session related attribute container definitions.

class plaso.containers.sessions.Session[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session attribute container.

aborted¶

True if the session was aborted.

Type: bool

analysis_reports_counter¶

number of analysis reports per analysis plugin.

Type: collections.Counter

artifact_filters¶

Names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments¶

command line arguments.

Type: str

completion_time¶

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

debug_mode¶

True if debug mode was enabled.

Type: bool

enabled_parser_names¶

parser and parser plugin names that were enabled.

Type: list[str]

event_labels_counter¶

number of event tags per label.

Type: collections.Counter

filter_file¶

path to a file with find specifications.

Type: str

identifier¶

unique identifier of the session.

Type: str

parser_filter_expression¶

parser filter expression.

Type: str

parsers_counter¶

number of events per parser or parser plugin.

Type: collections.Counter

preferred_encoding¶

preferred encoding.

Type: str

preferred_time_zone¶

preferred time zone.

Type: str

preferred_year¶

preferred year.

Type: int

product_name¶

name of the product that created the session e.g. ‘log2timeline’.

Type: str

product_version¶

version of the product that created the session.

Type: str

start_time¶

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session'¶

CopyAttributesFromSessionCompletion(session_completion)[source]¶

Copies attributes from a session completion.

Parameters: session_completion (SessionCompletion) – session completion attribute container.
Raises: ValueError – if the identifier of the session completion does not match that of the session.

CopyAttributesFromSessionStart(session_start)[source]¶

Copies attributes from a session start.

Parameters: session_start (SessionStart) – session start attribute container.

CreateSessionCompletion()[source]¶

Creates a session completion.

Returns: session completion attribute container.
Return type: SessionCompletion

CreateSessionStart()[source]¶

Creates a session start.

Returns: session start attribute container.
Return type: SessionStart

class plaso.containers.sessions.SessionCompletion(identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session completion attribute container.

aborted¶

True if the session was aborted.

Type: bool

analysis_reports_counter¶

number of analysis reports per analysis plugin.

Type: collections.Counter

event_labels_counter¶

number of event tags per label.

Type: collections.Counter

identifier¶

unique identifier of the session.

Type: str

parsers_counter¶

number of events per parser or parser plugin.

Type: collections.Counter

timestamp¶

time that the session was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_completion'¶

class plaso.containers.sessions.SessionStart(identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Session start attribute container.

artifact_filters¶

names of artifact definitions that are used for filtering file system and Windows Registry key paths.

Type: list[str]

command_line_arguments¶

command line arguments.

Type: str

debug_mode¶

True if debug mode was enabled.

Type: bool

enabled_parser_names¶

parser and parser plugin names that were enabled.

Type: list[str]

filter_file¶

path to a file with find specifications.

Type: str

identifier¶

unique identifier of the session.

Type: str

parser_filter_expression¶

parser filter expression.

Type: str

preferred_encoding¶

preferred encoding.

Type: str

preferred_time_zone¶

preferred time zone.

Type: str

preferred_year¶

preferred year.

Type: int

product_name¶

name of the product that created the session e.g. ‘log2timeline’.

Type: str

product_version¶

version of the product that created the session.

Type: str

timestamp¶

time that the session was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'session_start'¶

plaso.containers.shell_item_events module¶

Shell item event attribute container.

class plaso.containers.shell_item_events.ShellItemFileEntryEventData[source]¶

Bases: plaso.containers.events.EventData

Shell item file entry event data attribute container.

name¶

name of the file entry shell item.

Type: str

long_name¶

long name of the file entry shell item.

Type: str

localized_name¶

localized name of the file entry shell item.

Type: str

file_reference¶

NTFS file reference, in the format: “MTF entry - sequence number”.

Type: str

shell_item_path¶

shell item path.

Type: str

origin¶

origin of the event.

Type: str

DATA_TYPE = 'windows:shell_item:file_entry'¶

plaso.containers.storage_media module¶

Storage media related attribute container definitions.

class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Mount point attribute container.

mount_path¶

path where the path specification is mounted, such as “/mnt/image” or “C:”.

Type: str

path_spec¶

path specification.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'mount_point'¶

plaso.containers.tasks module¶

Task related attribute container definitions.

class plaso.containers.tasks.Task(session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task attribute container.

A task describes a piece of work for a multi processing worker process e.g. to process a path specification or to analyze an event.

aborted¶

True if the session was aborted.

Type: bool

completion_time¶

time that the task was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

file_entry_type¶

dfVFS type of the file entry the path specification is referencing.

Type: str

has_retry¶

True if the task was previously abandoned and a retry task was created, False otherwise.

Type: bool

identifier¶

unique identifier of the task.

Type: str

last_processing_time¶

the last time the task was marked as being processed as number of milliseconds since January 1, 1970, 00:00:00 UTC.

Type: int

merge_priority¶

priority used for the task storage file merge, where a lower value indicates a higher priority to merge.

Type: int

path_spec¶

path specification.

Type: dfvfs.PathSpec

session_identifier¶

the identifier of the session the task is part of.

Type: str

start_time¶

time that the task was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

storage_file_size¶

size of the storage file in bytes.

Type: int

CONTAINER_TYPE = 'task'¶

CreateRetryTask()[source]¶

Creates a new task to retry a previously abandoned task.

The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.

Returns: a task to retry a previously abandoned task.
Return type: Task

CreateTaskCompletion()[source]¶

Creates a task completion.

Returns: task completion attribute container.
Return type: TaskCompletion

CreateTaskStart()[source]¶

Creates a task start.

Returns: task start attribute container.
Return type: TaskStart

UpdateProcessingTime()[source]¶: Updates the processing time to now.

__lt__(other)[source]¶

Compares if the task attribute container is less than the other.

Parameters: other (Task) – task attribute container to compare to.
Returns: True if the task attribute container is less than the other.
Return type: bool

class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task completion attribute container.

aborted¶

True if the session was aborted.

Type: bool

identifier¶

unique identifier of the task.

Type: str

session_identifier¶

the identifier of the session the task is part of.

Type: str

timestamp¶

time that the task was completed. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'task_completion'¶

class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Task start attribute container.

identifier¶

unique identifier of the task.

Type: str

session_identifier¶

the identifier of the session the task is part of.

Type: str

timestamp¶

time that the task was started. Contains the number of micro seconds since January 1, 1970, 00:00:00 UTC.

Type: int

CONTAINER_TYPE = 'task_start'¶

plaso.containers.time_events module¶

Time-based event attribute containers.

class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, data_type=None, time_zone=None)[source]¶

Bases: plaso.containers.time_events.TimestampEvent

dfDateTime date time values-based event attribute container.

class plaso.containers.time_events.PythonDatetimeEvent(datetime_value, date_time_description, data_type=None, time_zone=None)[source]¶

Bases: plaso.containers.time_events.DateTimeValuesEvent

Python datetime-based event attribute container.

class plaso.containers.time_events.TimestampEvent(timestamp, timestamp_description, data_type=None)[source]¶

Bases: plaso.containers.events.EventObject

Plaso timestamp-based event attribute container.

data_type¶

event data type.

Type: str

timestamp¶

timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC.

Type: int

timestamp_desc¶

description of the meaning of the timestamp.

Type: str

plaso.containers.warnings module¶

Warning attribute containers.

class plaso.containers.warnings.ExtractionError(message=None, parser_chain=None, path_spec=None)[source]¶

Bases: plaso.containers.warnings.ExtractionWarning

Extraction error attribute container.

This class is provided for backwards compatiblity only, all new code must use ExtractionWarning.

message¶

warning message.

Type: str

parser_chain¶

parser chain to which the warning applies.

Type: str

path_spec¶

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_error'¶

class plaso.containers.warnings.ExtractionWarning(message=None, parser_chain=None, path_spec=None)[source]¶

Bases: plaso.containers.interface.AttributeContainer

Extraction warning attribute container.

Extraction warnings are produced by parsers/plugins as well the Plaso engine when they encounter situations that should be brought to the users’ attention but are not events derived from the data being processed.

message¶

warning message.

Type: str

parser_chain¶

parser chain to which the warning applies.

Type: str

path_spec¶

path specification of the file entry to which the warning applies.

Type: dfvfs.PathSpec

CONTAINER_TYPE = 'extraction_warning'¶

plaso.containers.windows_events module¶

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)[source]¶

Bases: plaso.containers.events.EventData

Windows distributed link event data attribute container.

mac_address¶

MAC address stored in the UUID.

Type: str

origin¶

origin of the event (event source). E.g. the path of the corresponding LNK file or file reference MFT entry with the corresponding NTFS $OBJECT_ID attribute.

Type: str

uuid¶

UUID.

Type: str

DATA_TYPE = 'windows:distributed_link_tracking:creation'¶

class plaso.containers.windows_events.WindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Registry event data attribute container.

key_path¶

Windows Registry key path.

Type: str

values¶

names and data of the values in the key.

Type: str

DATA_TYPE = 'windows:registry:key_value'¶

class plaso.containers.windows_events.WindowsVolumeEventData[source]¶

Bases: plaso.containers.events.EventData

Windows volume event data attribute container.

device_path¶

volume device path.

Type: str

origin¶

origin of the event (event source), for example the corresponding Prefetch file name.

Type: str

serial_number¶

volume serial number.

Type: str

DATA_TYPE = 'windows:volume:creation'¶

Module contents¶

This file imports Python modules that register attribute container types.