plaso.formatters package
Submodules

plaso.formatters.amcache module
The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Amcache Windows Registry event.
- DATA_TYPE = 'windows:registry:amcache'
- FORMAT_STRING_PIECES = ['path: {full_path}', 'sha1: {sha1}', 'productname: {productname}', 'companyname: {companyname}', 'fileversion: {fileversion}', 'languagecode: {languagecode}', 'filesize: {filesize}', 'filedescription: {filedescription}', 'linkerts: {linkerts}', 'lastmodifiedts: {lastmodifiedts}', 'createdts: {createdts}', 'programid: {programid}']
- FORMAT_STRING_SHORT_PIECES = ['path: {full_path}']
- SOURCE_LONG = 'Amcache Registry Entry'
- SOURCE_SHORT = 'AMCACHE'

class plaso.formatters.amcache.AmcacheProgramsFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Amcache Programs Windows Registry event.
- DATA_TYPE = 'windows:registry:amcache:programs'
- FORMAT_STRING_PIECES = ['name: {name}', 'version: {version}', 'publisher: {publisher}', 'languagecode: {languagecode}', 'entrytype: {entrytype}', 'uninstallkey: {uninstallkey}', 'filepaths: {filepaths}', 'productcode: {productcode}', 'packagecode: {packagecode}', 'msiproductcode: {msiproductcode}', 'msipackagecode: {msipackagecode}', 'files: {files}']
- FORMAT_STRING_SHORT_PIECES = ['name: {name}']
- SOURCE_LONG = 'Amcache Programs Registry Entry'
- SOURCE_SHORT = 'AMCACHEPROGRAM'

plaso.formatters.android_app_usage module
The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Application Last Resumed event.
- DATA_TYPE = 'android:event:last_resume_time'
- FORMAT_STRING_PIECES = ['Package: {package}', 'Component: {component}']
- SOURCE_LONG = 'Android App Usage'
- SOURCE_SHORT = 'LOG'

plaso.formatters.android_calls module
The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Android call history event.
- DATA_TYPE = 'android:event:call'
- FORMAT_STRING_PIECES = ['{call_type}', 'Number: {number}', 'Name: {name}', 'Duration: {duration} seconds']
- FORMAT_STRING_SHORT_PIECES = ['{call_type} Call']
- SOURCE_LONG = 'Android Call History'
- SOURCE_SHORT = 'LOG'

plaso.formatters.android_sms module
The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Android SMS event.
- DATA_TYPE = 'android:messaging:sms'
- FORMAT_STRING_PIECES = ['Type: {sms_type}', 'Address: {address}', 'Status: {sms_read}', 'Message: {body}']
- FORMAT_STRING_SHORT_PIECES = ['{body}']
- SOURCE_LONG = 'Android SMS messages'
- SOURCE_SHORT = 'SMS'

plaso.formatters.android_webview module
The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for Android WebView Cookie event data.
- DATA_TYPE = 'webview:cookie'
- FORMAT_STRING_PIECES = ['Domain: {domain}', 'Path: {path}', 'Cookie name: {name}', 'Value: {value}', 'Secure: {secure}']
- FORMAT_STRING_SHORT_PIECES = ['{domain}', '{name}', '{value}']
- SOURCE_LONG = 'Android WebView'
- SOURCE_SHORT = 'WebView'

plaso.formatters.android_webviewcache module
The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for Android WebViewCache event data.
- DATA_TYPE = 'android:webviewcache'
- FORMAT_STRING_PIECES = ['URL: {url}', 'Content Length: {content_length}']
- FORMAT_STRING_SHORT_PIECES = ['{url}']
- SOURCE_LONG = 'Android WebViewCache'
- SOURCE_SHORT = 'WebViewCache'

plaso.formatters.apache_access module
Apache access log file event formatter.

class plaso.formatters.apache_access.ApacheAccessFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Apache access log event.
- DATA_TYPE = 'apache:access'
- FORMAT_STRING_PIECES = ['http_request: {http_request}', 'from: {ip_address}', 'code: {http_response_code}', 'referer: {http_request_referer}', 'user_agent: {http_request_user_agent}']
- FORMAT_STRING_SHORT_PIECES = ['{http_request}', 'from: {ip_address}']
- SOURCE_LONG = 'Apache Access'
- SOURCE_SHORT = 'LOG'

plaso.formatters.appcompatcache module
The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an AppCompatCache Windows Registry event.
- DATA_TYPE = 'windows:registry:appcompatcache'
- FORMAT_STRING_PIECES = ['[{key_path}]', 'Cached entry: {entry_index}', 'Path: {path}']
- FORMAT_STRING_SHORT_PIECES = ['Path: {path}']
- SOURCE_LONG = 'AppCompatCache Registry Entry'
- SOURCE_SHORT = 'REG'

plaso.formatters.appusage module
The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a MacOS Application usage event.
- DATA_TYPE = 'macosx:application_usage'
- FORMAT_STRING = '{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'
- FORMAT_STRING_SHORT = '{application} ({count} time(s))'
- SOURCE_LONG = 'Application Usage'
- SOURCE_SHORT = 'LOG'
plaso.formatters.asl module
The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Apple System Log (ASL) log event.
- DATA_TYPE = 'mac:asl:event'
- FORMAT_STRING_PIECES = ['MessageID: {message_id}', 'Level: {level}', 'User ID: {user_sid}', 'Group ID: {group_id}', 'Read User: {read_uid}', 'Read Group: {read_gid}', 'Host: {computer_name}', 'Sender: {sender}', 'Facility: {facility}', 'Message: {message}', '{extra_information}']
- FORMAT_STRING_SHORT_PIECES = ['Host: {host}', 'Sender: {sender}', 'Facility: {facility}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'ASL entry'
- SOURCE_SHORT = 'LOG'

plaso.formatters.bagmru module
The BagMRU event formatter.

class plaso.formatters.bagmru.BagMRUEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a BagMRU event.
- DATA_TYPE = 'windows:registry:bagmru'
- FORMAT_STRING = '[{key_path}] {entries}'
- FORMAT_STRING_ALTERNATIVE = '{entries}'
- SOURCE_LONG = 'Registry Key : BagMRU'
- SOURCE_SHORT = 'REG'

plaso.formatters.bash_history module
The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for Bash history events.
- DATA_TYPE = 'bash:history:command'
- FORMAT_STRING = 'Command executed: {command}'
- FORMAT_STRING_SHORT = '{command}'
- SOURCE_LONG = 'Bash History'
- SOURCE_SHORT = 'LOG'

plaso.formatters.bencode_parser module
The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Transmission active torrents event.
- DATA_TYPE = 'p2p:bittorrent:transmission'
- FORMAT_STRING_PIECES = ['Saved to {destination}', 'Minutes seeded: {seedtime}']
- FORMAT_STRING_SEPARATOR = '; '
- SOURCE_LONG = 'Transmission Active Torrents'
- SOURCE_SHORT = 'TORRENT'

class plaso.formatters.bencode_parser.UTorrentEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a BitTorrent uTorrent active torrents event.
- DATA_TYPE = 'p2p:bittorrent:utorrent'
- FORMAT_STRING_PIECES = ['Torrent {caption}', 'Saved to {path}', 'Minutes seeded: {seedtime}']
- FORMAT_STRING_SEPARATOR = '; '
- SOURCE_LONG = 'uTorrent Active Torrents'
- SOURCE_SHORT = 'TORRENT'

plaso.formatters.bsm module
The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a BSM log entry.
- DATA_TYPE = 'bsm:event'
- FORMAT_STRING_PIECES = ['Type: {event_type_string}', '({event_type})', 'Return: {return_value}', 'Information: {extra_tokens}']
- FORMAT_STRING_SHORT_PIECES = ['Type: {event_type}', 'Return: {return_value}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'BSM entry'
- SOURCE_SHORT = 'LOG'

plaso.formatters.ccleaner module
The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerConfigurationEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a CCleaner configuration event.
- DATA_TYPE = 'ccleaner:configuration'
- FORMAT_STRING = '[{key_path}] {configuration}'
- FORMAT_STRING_ALTERNATIVE = '{configuration}'
- SOURCE_LONG = 'Registry Key : CCleaner Registry key'
- SOURCE_SHORT = 'REG'

class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a CCleaner update event.
- DATA_TYPE = 'ccleaner:update'
- FORMAT_STRING_PIECES = ['Origin: {key_path}']
- FORMAT_STRING_SHORT_PIECES = ['Origin: {key_path}']
- SOURCE_LONG = 'System'
- SOURCE_SHORT = 'LOG'
plaso.formatters.chrome module
The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome file download event.
- DATA_TYPE = 'chrome:history:file_downloaded'
- FORMAT_STRING_PIECES = ['{url}', '({full_path}).', 'Received: {received_bytes} bytes', 'out of: {total_bytes} bytes.']
- FORMAT_STRING_SHORT_PIECES = ['{full_path} downloaded', '({received_bytes} bytes)']
- SOURCE_LONG = 'Chrome History'
- SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.chrome.ChromePageVisitedFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome page visited event.
- DATA_TYPE = 'chrome:history:page_visited'
- FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {typed_count}]', 'Visit from: {from_visit}', 'Visit Source: [{visit_source}]', 'Type: [{page_transition}]', '{extra}']
- FORMAT_STRING_SHORT_PIECES = ['{url}', '({title})']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'Chrome History'
- SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_autofill module
The Google Chrome autofill database event formatter.

class plaso.formatters.chrome_autofill.ChromeAutofillFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome autofill event.
- DATA_TYPE = 'chrome:autofill:entry'
- FORMAT_STRING_PIECES = ['Form field name: {field_name}', 'Entered value: {value}', 'Times used: {usage_count}']
- FORMAT_STRING_SHORT_PIECES = ['{field_name}:', '{value}', '({usage_count})']
- SOURCE_LONG = 'Chrome Autofill'
- SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_cache module
The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome Cache entry event.
- DATA_TYPE = 'chrome:cache:entry'
- FORMAT_STRING_PIECES = ['Original URL: {original_url}']
- SOURCE_LONG = 'Chrome Cache'
- SOURCE_SHORT = 'WEBHIST'

plaso.formatters.chrome_cookies module
The Google Chrome cookies database event formatter.

Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome cookie event.

plaso.formatters.chrome_extension_activity module
The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome extension activity event.
- DATA_TYPE = 'chrome:extension_activity:activity_log'
- FORMAT_STRING_PIECES = ['Chrome extension: {extension_id}', 'Action type: {action_type}', 'Activity identifier: {activity_id}', 'Page URL: {page_url}', 'Page title: {page_title}', 'API name: {api_name}', 'Args: {args}', 'Other: {other}']
- FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{api_name}', '{args}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'Chrome Extension Activity'
- SOURCE_SHORT = 'WEBHIST'
plaso.formatters.chrome_preferences module
The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome content_settings exceptions event.
- DATA_TYPE = 'chrome:preferences:content_settings:exceptions'
- FORMAT_STRING_PIECES = ['Permission {permission}', 'used by {subject}']
- FORMAT_STRING_SHORT_PIECES = ['Permission {permission}', 'used by {subject}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'Chrome Permission Event'
- SOURCE_SHORT = 'LOG'

class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Chrome extension installation event.
- DATA_TYPE = 'chrome:preferences:extension_installation'
- FORMAT_STRING_PIECES = ['CRX ID: {extension_id}', 'CRX Name: {extension_name}', 'Path: {path}']
- FORMAT_STRING_SHORT_PIECES = ['{extension_id}', '{path}']
- SOURCE_LONG = 'Chrome Extension Installation'
- SOURCE_SHORT = 'LOG'

class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for Chrome Extensions Autoupdater events.
- DATA_TYPE = 'chrome:preferences:extensions_autoupdater'
- FORMAT_STRING_PIECES = ['{message}']
- FORMAT_STRING_SHORT_PIECES = ['{message}']
- SOURCE_LONG = 'Chrome Extensions Autoupdater'
- SOURCE_SHORT = 'LOG'

class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for Chrome history clearing events.
- DATA_TYPE = 'chrome:preferences:clear_history'
- FORMAT_STRING_PIECES = ['{message}']
- FORMAT_STRING_SHORT_PIECES = ['{message}']
- SOURCE_LONG = 'Chrome History Deletion'
- SOURCE_SHORT = 'LOG'

plaso.formatters.cron module
The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a syslog cron task run event.
- DATA_TYPE = 'syslog:cron:task_run'
- FORMAT_STRING_PIECES = ['Cron ran: {command}', 'for user: {username}', 'pid: {pid}']
- FORMAT_STRING_SEPARATOR = ' '
- FORMAT_STRING_SHORT = '{body}'
- SOURCE_LONG = 'Cron log'
- SOURCE_SHORT = 'LOG'

plaso.formatters.cups_ipp module
The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a CUPS IPP event.
- DATA_TYPE = 'cups:ipp:event'
- FORMAT_STRING_PIECES = ['Status: {status}', 'User: {user}', 'Owner: {owner}', 'Job Name: {job_name}', 'Application: {application}', 'Document type: {type_doc}', 'Printer: {printer_id}']
- FORMAT_STRING_SHORT_PIECES = ['Status: {status}', 'Job Name: {job_name}']
- SOURCE_LONG = 'CUPS IPP Log'
- SOURCE_SHORT = 'LOG'

plaso.formatters.default module
The default event formatter.

class plaso.formatters.default.DefaultFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for events that do not have any defined formatter.
- DATA_TYPE = 'event'
- FORMAT_STRING = '<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'
- FORMAT_STRING_SHORT = '<DEFAULT> {attribute_driven}'
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
plaso.formatters.docker module
The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Class that contains common Docker event formatter functionality.
- DATA_TYPE = 'docker:json'
- FORMAT_STRING_SHORT_PIECES = ['{id}']
- SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerContainerEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Docker event.
- DATA_TYPE = 'docker:json:container'
- FORMAT_STRING_PIECES = ['Action: {action}', 'Container Name: {container_name}', 'Container ID: {container_id}']
- FORMAT_STRING_SEPARATOR = ', '
- SOURCE_LONG = 'Docker Container'
- SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerContainerLogEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Docker container log event.
- DATA_TYPE = 'docker:json:container:log'
- FORMAT_STRING_PIECES = ('Text: {log_line}', 'Container ID: {container_id}', 'Source: {log_source}')
- FORMAT_STRING_SEPARATOR = ', '
- SOURCE_LONG = 'Docker Container Logs'
- SOURCE_SHORT = 'DOCKER'

class plaso.formatters.docker.DockerLayerEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Docker layer event.
- DATA_TYPE = 'docker:json:layer'
- FORMAT_STRING_PIECES = ('Command: {command}', 'Layer ID: {layer_id}')
- FORMAT_STRING_SEPARATOR = ', '
- SOURCE_LONG = 'Docker Layer'
- SOURCE_SHORT = 'DOCKER'

plaso.formatters.dpkg module
The dpkg.log event formatter.

plaso.formatters.file_history module
The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a file history ESE database namespace table record.
- DATA_TYPE = 'file_history:namespace:event'
- FORMAT_STRING_PIECES = ['Filename: {original_filename}', 'Identifier: {identifier}', 'Parent Identifier: {parent_identifier}', 'Attributes: {file_attribute}', 'USN number: {usn_number}']
- FORMAT_STRING_SHORT_PIECES = ['Filename: {original_filename}']
- SOURCE_LONG = 'File History Namespace'
- SOURCE_SHORT = 'LOG'
plaso.formatters.file_system module
The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The file system stat event formatter.
- DATA_TYPE = 'fs:stat'
- FORMAT_STRING_PIECES = ['{display_name}', 'Type: {file_entry_type}', '({unallocated})']
- FORMAT_STRING_SHORT_PIECES = ['(unknown)']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- GetSources(event, event_data)
  Determines the short and long source for an event.
  Parameters:
    event (EventObject) – event.
    event_data (EventData) – event data.
  Returns: short and long source string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_SHORT = 'FILE'

class plaso.formatters.file_system.NTFSFileStatEventFormatter
Bases: plaso.formatters.file_system.FileStatEventFormatter
The NTFS file system stat event formatter.
- DATA_TYPE = 'fs:stat:ntfs'
- FORMAT_STRING_PIECES = ['{display_name}', 'File reference: {file_reference}', 'Attribute name: {attribute_name}', 'Name: {name}', 'Parent file reference: {parent_file_reference}', '({unallocated})']
- FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{attribute_name}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_SHORT = 'FILE'

class plaso.formatters.file_system.NTFSUSNChangeEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The NTFS USN change event formatter.
- DATA_TYPE = 'fs:ntfs:usn_change'
- FORMAT_STRING_PIECES = ['(unknown)', 'File reference: {file_reference}', 'Parent file reference: {parent_file_reference}', 'Update source: {update_source}', 'Update reason: {update_reason}']
- FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{file_reference}', '{update_reason}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_SHORT = 'FILE'
plaso.formatters.firefox module
The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox bookmark annotation event formatter.
- DATA_TYPE = 'firefox:places:bookmark_annotation'
- FORMAT_STRING_PIECES = ['Bookmark Annotation: [{content}]', 'to bookmark [{title}]', '({url})']
- FORMAT_STRING_SHORT_PIECES = ['Bookmark Annotation: {title}']
- SOURCE_LONG = 'Firefox History'
- SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter
Bases: plaso.formatters.interface.EventFormatter
The Firefox bookmark folder event formatter.
- DATA_TYPE = 'firefox:places:bookmark_folder'
- FORMAT_STRING = '{title}'
- SOURCE_LONG = 'Firefox History'
- SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox URL bookmark event formatter.
- DATA_TYPE = 'firefox:places:bookmark'
- FORMAT_STRING_PIECES = ['Bookmark {type}', '{title}', '({url})', '[{places_title}]', 'visit count {visit_count}']
- FORMAT_STRING_SHORT_PIECES = ['Bookmarked {title}', '({url})']
- SOURCE_LONG = 'Firefox History'
- SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxDowloadFormatter
Bases: plaso.formatters.interface.EventFormatter
The Firefox download event formatter.
- DATA_TYPE = 'firefox:downloads:download'
- FORMAT_STRING = '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'
- FORMAT_STRING_SHORT = '{full_path} downloaded ({received_bytes} bytes)'
- SOURCE_LONG = 'Firefox History'
- SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.firefox.FirefoxPageVisitFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox page visited event formatter.
- DATA_TYPE = 'firefox:places:page_visited'
- FORMAT_STRING_PIECES = ['{url}', '({title})', '[count: {visit_count}]', 'Host: {host}', '{extra_string}']
- FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_LONG = 'Firefox History'
- SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cache module
The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox cache record event formatter.
- DATA_TYPE = 'firefox:cache:record'
- FORMAT_STRING_PIECES = ['Fetched {fetch_count} time(s)', '[{response_code}]', '{request_method}', '"{url}"']
- FORMAT_STRING_SHORT_PIECES = ['[{response_code}]', '{request_method}', '"{url}"']
- SOURCE_LONG = 'Firefox Cache'
- SOURCE_SHORT = 'WEBHIST'

plaso.formatters.firefox_cookies module
The Firefox cookie entry event formatter.

Bases: plaso.formatters.interface.ConditionalEventFormatter
The Firefox cookie entry event formatter.

plaso.formatters.fseventsd module
The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
The fseventsd event formatter.
- DATA_TYPE = 'macos:fseventsd:record'
- FORMAT_STRING_PIECES = ['{path}', 'Flag Values:', '{flag_values}', 'Flags:', '{hex_flags}', 'Event Identifier:', '{event_identifier}']
- FORMAT_STRING_SHORT_PIECES = ['{path}', '{flag_values}']
- GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple(str, str)
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- SOURCE_SHORT = 'FSEVENT'
plaso.formatters.ganalytics module¶
The Google Analytics cookie event formatters.
-
class
plaso.formatters.ganalytics.
AnalyticsUtmaCookieFormatter
[source]¶ Bases:
plaso.formatters.interface.ConditionalEventFormatter
The UTMA Google Analytics cookie event formatter.
-
DATA_TYPE
= 'cookie:google:analytics:utma'¶
-
FORMAT_STRING_PIECES
= ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Visitor ID: {visitor_id}']¶
-
FORMAT_STRING_SHORT_PIECES
= ['{url}', '({cookie_name})']¶
-
SOURCE_LONG
= 'Google Analytics Cookies'¶
-
SOURCE_SHORT
= 'WEBHIST'¶
-
-
class
plaso.formatters.ganalytics.
AnalyticsUtmbCookieFormatter
[source]¶ Bases:
plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter
The UTMB Google Analytics cookie event formatter.
-
DATA_TYPE
= 'cookie:google:analytics:utmb'¶
-
FORMAT_STRING_PIECES
= ['{url}', '({cookie_name})', 'Pages Viewed: {pages_viewed}', 'Domain Hash: {domain_hash}']¶
-
-
class
plaso.formatters.ganalytics.
AnalyticsUtmtCookieFormatter
[source]¶ Bases:
plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter
The UTMT Google Analytics cookie event formatter.
-
DATA_TYPE
= 'cookie:google:analytics:utmt'¶
-
FORMAT_STRING_PIECES
= ['{url}', '({cookie_name})']¶
-
-
class
plaso.formatters.ganalytics.
AnalyticsUtmzCookieFormatter
[source]¶ Bases:
plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter
The UTMZ Google Analytics cookie event formatter.
-
DATA_TYPE
= 'cookie:google:analytics:utmz'¶
-
FORMAT_STRING_PIECES
= ['{url}', '({cookie_name})', 'Sessions: {sessions}', 'Domain Hash: {domain_hash}', 'Sources: {sources}', 'Last source used to access: {utmcsr}', 'Ad campaign information: {utmccn}', 'Last type of visit: {utmcmd}', 'Keywords used to find site: {utmctr}', 'Path to the page of referring link: {utmcct}']¶
-
plaso.formatters.gdrive module
The Google Drive snapshots event formatter.
- class plaso.formatters.gdrive.GDriveCloudEntryFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Google Drive snapshot cloud event.
  - DATA_TYPE = 'gdrive:snapshot:cloud_entry'
  - FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
  - FORMAT_STRING_SHORT_PIECES = ['{path}']
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = 'Google Drive (cloud entry)'
  - SOURCE_SHORT = 'LOG'
- class plaso.formatters.gdrive.GDriveLocalEntryFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Google Drive snapshot local event.
  - DATA_TYPE = 'gdrive:snapshot:local_entry'
  - FORMAT_STRING_PIECES = ['File Path: {path}', 'Size: {size}']
  - FORMAT_STRING_SHORT_PIECES = ['{path}']
  - SOURCE_LONG = 'Google Drive (local entry)'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.gdrive_synclog module
The Google Drive Sync log event formatter.
- class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Google Drive Sync log file event.
  - DATA_TYPE = 'gdrive_sync:log:line'
  - FORMAT_STRING_PIECES = ['[{log_level}', '{pid}', '{thread}', '{source_code}]', '{message}']
  - FORMAT_STRING_SHORT_PIECES = ['{message}']
  - SOURCE_LONG = 'GoogleDriveSync Log File'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.hangouts_messages module
The Google Hangouts messages database event formatter.
- class plaso.formatters.hangouts_messages.HangoutsFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Hangouts message event.
  - DATA_TYPE = 'android:messaging:hangouts'
  - FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']
  - FORMAT_STRING_SHORT_PIECES = ['{body}']
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; the resulting dictionary is then passed to the superclass's formatting method.
    Parameters:
      formatter_mediator (FormatterMediator) – not used.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = 'Google Hangouts Message'
  - SOURCE_SHORT = 'HANGOUTS'
  - VALUE_FORMATTERS = {'message_status': <function HangoutsFormatter.<lambda>>, 'message_type': <function HangoutsFormatter.<lambda>>}
plaso.formatters.iis module
The Microsoft IIS log file event formatter.
- class plaso.formatters.iis.IISLogFileEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Microsoft IIS log file event.
  - DATA_TYPE = 'iis:log:line'
  - FORMAT_STRING_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']', 'HTTP Status: {http_status}', 'Bytes Sent: {sent_bytes}', 'Bytes Received: {received_bytes}', 'User Agent: {user_agent}', 'Protocol Version: {protocol_version}']
  - FORMAT_STRING_SHORT_PIECES = ['{http_method}', '{requested_uri_stem}', '[', '{source_ip}', '>', '{dest_ip}', ':', '{dest_port}', ']']
  - SOURCE_LONG = 'IIS Log'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.imessage module
The iMessage chat.db (OSX) and sms.db (iOS) database event formatter.
- class plaso.formatters.imessage.IMessageFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an iMessage and SMS event.
  - DATA_TYPE = 'imessage:event:chat'
  - FORMAT_STRING_PIECES = ['Row ID: {identifier}', 'iMessage ID: {imessage_id}', 'Read Receipt: {read_receipt}', 'Message Type: {message_type}', 'Service: {service}', 'Attachment Location: {attachment_location}', 'Message Content: {text}']
  - FORMAT_STRING_SHORT_PIECES = ['{text}']
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = 'Apple iMessage Application'
  - SOURCE_SHORT = 'iMessage'
plaso.formatters.interface module
This file contains the event formatter interface classes.
The l2t_csv and other output formats depend on a message field, referred to as description_long and description_short in l2t_csv. Plaso no longer stores these fields explicitly; instead a formatter, with a format string definition, converts the event data values into formatted strings that correspond to the description_long and description_short fields.
- class plaso.formatters.interface.ConditionalEventFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Base class to conditionally format event data using format string pieces.
  Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format string pieces is similar to that of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none; a piece that references an attribute is only included in the message when that attribute is present in the event data, so a missing attribute leaves no trace in the formatted output.
  FORMAT_STRING_SEPARATOR is the string with which the separate format string pieces are joined. It is a space by default.
  - FORMAT_STRING_PIECES = ['']
  - FORMAT_STRING_SEPARATOR = ' '
  - FORMAT_STRING_SHORT_PIECES = ['']
  - GetFormatStringAttributeNames()
    Retrieves the attribute names in the format string.
    Returns: attribute names.
    Return type: set(str)
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- class plaso.formatters.interface.EventFormatter
  Bases: object
  Base class to format event type specific data using a format string.
  Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format(), where the placeholder for a certain event data attribute is written as {attribute_name}.
  - DATA_TYPE = 'internal'
  - FORMAT_STRING = ''
  - FORMAT_STRING_SHORT = ''
  - GetFormatStringAttributeNames()
    Retrieves the attribute names in the format string.
    Returns: attribute names.
    Return type: set(str)
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - GetSources(event, event_data)
    Determines the short and long source for an event.
    Parameters:
      event (EventObject) – event.
      event_data (EventData) – event data.
    Returns: short and long source string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = ''
  - SOURCE_SHORT = 'LOG'
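The two interface classes above, ConditionalEventFormatter and EventFormatter, describe the formatting contract in prose only. The following is an added example and not plaso's own code: a compact, self-contained re-implementation of that contract, run over constructed event data, so the conditional-piece behaviour (and the VALUE_FORMATTERS pattern of the hangouts_messages module) can be executed and inspected. Class and method names follow the documented API; everything else is assumed for the example: event data is a plain dict standing in for EventData, an empty short format string is assumed to fall back to the long message, the numeric Hangouts codes are made up, and the two sample events are constructed.

```python
"""Added example, not plaso's own code: a compact re-implementation of the
EventFormatter / ConditionalEventFormatter contract documented above, run over
constructed event data.  Names follow the documented API; event data is a plain
dict (plaso uses EventData objects) and the short-message fallback is assumed."""
import string

class WrongFormatter(Exception):
    """Raised when the event data type does not match the formatter."""

def _AttributeNames(format_string):
    """Returns the {attribute} names referenced in a format() style string."""
    return {field for _, field, _, _ in string.Formatter().parse(format_string) if field}

class EventFormatter:
    """Formats event data with one format() style string."""
    DATA_TYPE = 'internal'
    FORMAT_STRING = ''
    FORMAT_STRING_SHORT = ''
    SOURCE_LONG = ''
    SOURCE_SHORT = 'LOG'

    def GetFormatStringAttributeNames(self):
        return _AttributeNames(self.FORMAT_STRING)

    def _CheckDataType(self, event_data):
        if event_data.get('data_type') != self.DATA_TYPE:
            raise WrongFormatter('Unsupported data type: {0!s}'.format(event_data.get('data_type')))

    def _FormatMessages(self, format_string, format_string_short, event_values):
        message = format_string.format(**event_values)
        # Assumed: an empty short format string falls back to the long message.
        short = format_string_short.format(**event_values) if format_string_short else message
        return message, short

    def GetMessages(self, formatter_mediator, event_data):
        self._CheckDataType(event_data)
        return self._FormatMessages(self.FORMAT_STRING, self.FORMAT_STRING_SHORT, dict(event_data))

class ConditionalEventFormatter(EventFormatter):
    """Joins only the pieces whose single attribute is present in the event."""
    FORMAT_STRING_PIECES = ['']
    FORMAT_STRING_SEPARATOR = ' '
    FORMAT_STRING_SHORT_PIECES = ['']

    @staticmethod
    def _PieceAttribute(piece):
        names = _AttributeNames(piece)
        if len(names) > 1:
            raise ValueError('Piece references more than one attribute: {0:s}'.format(piece))
        return names.pop() if names else None

    def GetFormatStringAttributeNames(self):
        return {name for name in map(self._PieceAttribute, self.FORMAT_STRING_PIECES) if name}

    def _ConditionalFormatString(self, pieces, event_values):
        # A piece without an attribute is always emitted; a piece with one only
        # when that attribute is present and not None, so gaps vanish silently.
        kept = [piece for piece in pieces if self._PieceAttribute(piece) is None
                or event_values.get(self._PieceAttribute(piece)) is not None]
        return self.FORMAT_STRING_SEPARATOR.join(kept)

    def GetMessages(self, formatter_mediator, event_data):
        self._CheckDataType(event_data)
        event_values = dict(event_data)
        return self._FormatMessages(
            self._ConditionalFormatString(self.FORMAT_STRING_PIECES, event_values),
            self._ConditionalFormatString(self.FORMAT_STRING_SHORT_PIECES, event_values),
            event_values)

class GDriveCloudEntryFormatter(ConditionalEventFormatter):
    """Pieces copied from the gdrive module documented on this page."""
    DATA_TYPE = 'gdrive:snapshot:cloud_entry'
    FORMAT_STRING_PIECES = ['File Path: {path}', '[{shared}]', 'Size: {size}', 'URL: {url}', 'Type: {document_type}']
    FORMAT_STRING_SHORT_PIECES = ['{path}']
    SOURCE_LONG = 'Google Drive (cloud entry)'

class HangoutsFormatter(ConditionalEventFormatter):
    """VALUE_FORMATTERS pattern of the hangouts_messages module: raw values are
    mapped before formatting.  The numeric codes here are assumed, not plaso's."""
    DATA_TYPE = 'android:messaging:hangouts'
    FORMAT_STRING_PIECES = ['Sender: {sender}', 'Body: {body}', 'Status: {message_status}', 'Type: {message_type}']
    FORMAT_STRING_SHORT_PIECES = ['{body}']
    VALUE_FORMATTERS = {'message_type': lambda code: {1: 'SENT', 2: 'RECEIVED'}.get(code, 'UNKNOWN')}

    def GetMessages(self, formatter_mediator, event_data):
        event_values = dict(event_data)
        for name, function in self.VALUE_FORMATTERS.items():
            if name in event_values:
                event_values[name] = function(event_values[name])
        return super().GetMessages(formatter_mediator, event_values)

# Constructed sample events, not real Google Drive or Hangouts data: url=None and
# the missing message_status make the 'URL:' and 'Status:' pieces drop out.
GDRIVE_EVENT = {'data_type': 'gdrive:snapshot:cloud_entry', 'path': '/Reports/q3.xlsx',
                'shared': 'shared', 'size': 2048, 'url': None, 'document_type': 'spreadsheet'}
HANGOUTS_EVENT = {'data_type': 'android:messaging:hangouts', 'sender': 'alice', 'body': 'lunch?', 'message_type': 2}
```

Calling GDriveCloudEntryFormatter().GetMessages(None, GDRIVE_EVENT) yields 'File Path: /Reports/q3.xlsx [shared] Size: 2048 Type: spreadsheet' with no mention of the URL, and the Hangouts message simply omits 'Status:'. That silence is the practical caveat of conditional formatting: an attribute the parser failed to populate is indistinguishable in the message from one the artifact never had, so a reviewer who needs to know should compare the message against the event data attributes rather than trust the message alone.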
plaso.formatters.ipod module
The iPod device event formatter.
- class plaso.formatters.ipod.IPodDeviceFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an iPod device event.
  - DATA_TYPE = 'ipod:device:entry'
  - FORMAT_STRING_PIECES = ['Device ID: {device_id}', 'Type: {device_class}', '[{family_id}]', 'Connected {use_count} times', 'Serial nr: {serial_number}', 'IMEI [{imei}]']
  - SOURCE_LONG = 'iPod Connections'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.java_idx module
The Java WebStart Cache IDX event formatter.
- class plaso.formatters.java_idx.JavaIDXFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Java WebStart Cache IDX download event.
  - DATA_TYPE = 'java:download:idx'
  - FORMAT_STRING_PIECES = ['IDX Version: {idx_version}', 'Host IP address: ({ip_address})', 'Download URL: {url}']
  - SOURCE_LONG = 'Java Cache IDX'
  - SOURCE_SHORT = 'JAVA_IDX'
plaso.formatters.kik_ios module
The Kik kik.sqlite iOS database event formatter.
- class plaso.formatters.kik_ios.KikIOSMessageFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an iOS Kik message event.
  - DATA_TYPE = 'ios:kik:messaging'
  - FORMAT_STRING_PIECES = ['Username: {username}', 'Displayname: {displayname}', 'Status: {message_status}', 'Type: {message_type}', 'Message: {body}']
  - FORMAT_STRING_SHORT_PIECES = ['{body}']
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = 'Kik iOS messages'
  - SOURCE_SHORT = 'Kik iOS'
plaso.formatters.kodi module
The Kodi MyVideos database event formatter.
- class plaso.formatters.kodi.KodiFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Kodi video event.
  - DATA_TYPE = 'kodi:videos:viewing'
  - FORMAT_STRING_PIECES = ['Video: (unknown)', 'Play Count: {play_count}']
  - FORMAT_STRING_SHORT_PIECES = ['(unknown)']
  - SOURCE_LONG = 'Kodi Video Viewed'
  - SOURCE_SHORT = 'KODI'
plaso.formatters.lfu module
Event formatters for the Less Frequently Used (LFU) Windows Registry keys.
- class plaso.formatters.lfu.WindowsBootExecuteFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for a Windows Boot Execute event.
  - DATA_TYPE = 'windows:registry:boot_execute'
  - FORMAT_STRING = '[{key_path}] BootExecute: {value}'
  - FORMAT_STRING_ALTERNATIVE = 'BootExecute: {value}'
  - SOURCE_LONG = 'Registry Key'
  - SOURCE_SHORT = 'REG'
- class plaso.formatters.lfu.WindowsBootVerificationFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for a Windows Boot Verification event.
  - DATA_TYPE = 'windows:registry:boot_verification'
  - FORMAT_STRING = '[{key_path}] ImagePath: {image_path}'
  - FORMAT_STRING_ALTERNATIVE = 'ImagePath: {image_path}'
  - SOURCE_LONG = 'Registry Key'
  - SOURCE_SHORT = 'REG'
plaso.formatters.logger module
The formatters sub module logger.
plaso.formatters.ls_quarantine module
The MacOS launch services (LS) quarantine event formatter.
- class plaso.formatters.ls_quarantine.LSQuarantineFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a launch services (LS) quarantine history event.
  - DATA_TYPE = 'macosx:lsquarantine'
  - FORMAT_STRING_PIECES = ['[{agent}]', 'Downloaded: {url}', '<{data}>']
  - FORMAT_STRING_SHORT_PIECES = ['{url}']
  - SOURCE_LONG = 'LS Quarantine Event'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mac_appfirewall module
The MacOS appfirewall.log file event formatter.
- class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS appfirewall.log file event.
  - DATA_TYPE = 'mac:appfirewall:line'
  - FORMAT_STRING_PIECES = ['Computer: {computer_name}', 'Agent: {agent}', 'Status: {status}', 'Process name: {process_name}', 'Log: {action}']
  - FORMAT_STRING_SHORT_PIECES = ['Process name: {process_name}', 'Status: {status}']
  - SOURCE_LONG = 'Mac AppFirewall Log'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mac_document_versions module
The MacOS Document Versions files event formatter.
- class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS Document Versions file event.
  - DATA_TYPE = 'mac:document_versions:file'
  - FORMAT_STRING_PIECES = ['Version of [{name}]', '({path})', 'stored in {version_path}', 'by {user_sid}']
  - FORMAT_STRING_SHORT_PIECES = ['Stored a document version of [{name}]']
  - SOURCE_LONG = 'Document Versions'
  - SOURCE_SHORT = 'HISTORY'
plaso.formatters.mac_keychain module
The MacOS keychain password database file event formatter.
- class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a keychain application record event.
  - DATA_TYPE = 'mac:keychain:application'
  - FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}']
  - FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
  - SOURCE_LONG = 'Keychain Application password'
  - SOURCE_SHORT = 'LOG'
- class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a keychain Internet record event.
  - DATA_TYPE = 'mac:keychain:internet'
  - FORMAT_STRING_PIECES = ['Name: {entry_name}', 'Account: {account_name}', 'Where: {where}', 'Protocol: {protocol}', '({type_protocol})']
  - FORMAT_STRING_SHORT_PIECES = ['{entry_name}']
  - SOURCE_LONG = 'Keychain Internet password'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mac_knowledgec module
The MacOS KnowledgeC database event formatters.
- class plaso.formatters.mac_knowledgec.MacKnowledgeCApplicationFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS KnowledgeC application event.
  - DATA_TYPE = 'mac:knowledgec:application'
  - FORMAT_STRING_PIECES = ['Application {bundle_identifier} executed', 'for {duration} seconds']
  - FORMAT_STRING_SHORT_PIECES = ['Application {bundle_identifier}']
  - SOURCE_LONG = 'KnowledgeC Application'
  - SOURCE_SHORT = 'LOG'
- class plaso.formatters.mac_knowledgec.MacKnowledgeCSafariFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS KnowledgeC Safari event.
  - DATA_TYPE = 'mac:knowledgec:safari'
  - FORMAT_STRING_PIECES = ['Visited: {url}', '({title})', 'Duration: {duration}']
  - FORMAT_STRING_SHORT_PIECES = ['Safari: {url}']
  - SOURCE_LONG = 'KnowledgeC Safari'
  - SOURCE_SHORT = 'WEBHIST'
plaso.formatters.mac_notes module
The Mac Notes event formatter.
- class plaso.formatters.mac_notes.MacNotesNotesFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Mac Notes record.
  - DATA_TYPE = 'mac:notes:note'
  - FORMAT_STRING_PIECES = ['title:{title}', 'note_text:{text}']
  - FORMAT_STRING_SHORT_PIECES = ['title:{title}']
  - SOURCE_LONG = 'Mac Notes'
  - SOURCE_SHORT = 'Mac Note'
plaso.formatters.mac_notificationcenter module
The MacOS Notification Center event formatter.
- class plaso.formatters.mac_notificationcenter.MacNotificationCenterFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS Notification Center event.
  - DATA_TYPE = 'mac:notificationcenter:db'
  - FORMAT_STRING_PIECES = ['Title: {title}', '(, subtitle: {subtitle}),', 'registered by: {bundle_name}.', 'Presented: {presented},', 'Content: {body}']
  - FORMAT_STRING_SHORT_PIECES = ['Title: {title},', 'Content: {body}']
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
  - SOURCE_LONG = 'Notification Center'
  - SOURCE_SHORT = 'NOTIFICATION'
plaso.formatters.mac_securityd module
The MacOS securityd log file event formatter.
- class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacOS securityd log event.
  - DATA_TYPE = 'mac:securityd:line'
  - FORMAT_STRING_PIECES = ['Sender: {sender}', '({sender_pid})', 'Level: {level}', 'Facility: {facility}', 'Text: {message}']
  - FORMAT_STRING_SHORT_PIECES = ['Text: {message}']
  - SOURCE_LONG = 'Mac Securityd Log'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mac_wifi module
The MacOS wifi.log file event formatter.
- class plaso.formatters.mac_wifi.MacWifiLogFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a wifi.log file event.
  - DATA_TYPE = 'mac:wifilog:line'
  - FORMAT_STRING_PIECES = ['Action: {action}', 'Agent: {agent}', '({function})', 'Log: {text}']
  - FORMAT_STRING_SHORT_PIECES = ['Action: {action}']
  - SOURCE_LONG = 'Mac Wifi Log'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mackeeper_cache module
The MacKeeper Cache event formatter.
- class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a MacKeeper Cache event.
  - DATA_TYPE = 'mackeeper:cache'
  - FORMAT_STRING_PIECES = ['{description}', '<{event_type}>', ':', '{text}', '[', 'URL: {url}', 'Event ID: {record_id}', 'Room: {room}', ']']
  - FORMAT_STRING_SHORT_PIECES = ['<{event_type}>', '{text}']
  - SOURCE_LONG = 'MacKeeper Cache'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mactime module
The Sleuthkit (TSK) bodyfile (or mactime) event formatter.
plaso.formatters.manager module
This file contains the event formatters manager class.
- class plaso.formatters.manager.FormattersManager
  Bases: object
  Class that implements the formatters manager.
  - classmethod DeregisterFormatter(formatter_class)
    Deregisters a formatter class.
    The formatter classes are identified based on their lower case data type.
    Parameters: formatter_class (type) – class of the formatter.
    Raises: KeyError – if formatter class is not set for the corresponding data type.
  - classmethod GetFormatterObject(data_type)
    Retrieves the formatter object for a specific data type.
    Parameters: data_type (str) – data type.
    Returns: corresponding formatter or the default formatter if not available.
    Return type: EventFormatter
  - classmethod GetMessageStrings(formatter_mediator, event_data)
    Retrieves the formatted message strings for a specific event.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: long and short version of the message string.
    Return type: list[str, str]
  - classmethod GetSourceStrings(event, event_data)
    Retrieves the formatted source strings for a specific event.
    Parameters:
      event (EventObject) – event.
      event_data (EventData) – event data.
    Returns: short and long version of the source of the event.
    Return type: list[str, str]
  - classmethod GetUnformattedAttributes(event_data)
    Retrieves names of the event data attributes that are not formatted.
    Parameters: event_data (EventData) – event data.
    Returns: names of the event data attributes that are not formatted.
    Return type: list[str]
  - classmethod RegisterFormatter(formatter_class)
    Registers a formatter class.
    The formatter classes are identified based on their lower case data type.
    Parameters: formatter_class (type) – class of the formatter.
    Raises: KeyError – if formatter class is already set for the corresponding data type.
  - classmethod RegisterFormatters(formatter_classes)
    Registers formatter classes.
    The formatter classes are identified based on their lower case data type.
    Parameters: formatter_classes (list[type]) – classes of the formatters.
    Raises: KeyError – if formatter class is already set for the corresponding data type.
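The FormattersManager section above documents a registry keyed by lower case data type, a default formatter used when no class is registered, KeyError on duplicate registration or on deregistering an unknown class, and GetUnformattedAttributes for the attributes a message never shows. The following is an added example, not plaso's own code, that implements those semantics so they can be exercised: the method names follow the documented API, while the tiny stand-in EventFormatter, the DefaultFormatter fallback (which simply lists every attribute as name: value) and the Registry sample event are constructed for this example and are assumptions rather than plaso's implementation.

```python
"""Added example, not plaso's own code: a minimal formatters manager with the
registration and lookup semantics documented above.  Names follow the documented
API; the stand-in formatter, the default fallback formatter and the sample event
are constructed for this example and are not plaso's."""
import string

class EventFormatter:
    """Stand-in for the documented EventFormatter: one format() string per DATA_TYPE."""
    DATA_TYPE = 'internal'
    FORMAT_STRING = ''
    SOURCE_LONG = ''
    SOURCE_SHORT = 'LOG'

    def GetFormatStringAttributeNames(self):
        return {field for _, field, _, _ in string.Formatter().parse(self.FORMAT_STRING) if field}

    def GetMessages(self, formatter_mediator, event_data):
        message = self.FORMAT_STRING.format(**event_data)
        return message, message

    def GetSources(self, event, event_data):
        return self.SOURCE_SHORT, self.SOURCE_LONG

class DefaultFormatter(EventFormatter):
    """Assumed fallback for unknown data types: lists every attribute as name: value."""
    DATA_TYPE = 'event'

    def GetMessages(self, formatter_mediator, event_data):
        message = ' '.join('{0:s}: {1!s}'.format(name, value)
                           for name, value in sorted(event_data.items()) if name != 'data_type')
        return message, message

class FormattersManager:
    """Registry of formatter classes keyed by lower case data type."""
    _formatter_classes = {}
    _default_formatter = DefaultFormatter()

    @classmethod
    def RegisterFormatter(cls, formatter_class):
        data_type = formatter_class.DATA_TYPE.lower()
        if data_type in cls._formatter_classes:
            raise KeyError('Formatter class already set for data type: {0:s}.'.format(data_type))
        cls._formatter_classes[data_type] = formatter_class

    @classmethod
    def RegisterFormatters(cls, formatter_classes):
        for formatter_class in formatter_classes:
            cls.RegisterFormatter(formatter_class)

    @classmethod
    def DeregisterFormatter(cls, formatter_class):
        data_type = formatter_class.DATA_TYPE.lower()
        if data_type not in cls._formatter_classes:
            raise KeyError('Formatter class not set for data type: {0:s}.'.format(data_type))
        del cls._formatter_classes[data_type]

    @classmethod
    def GetFormatterObject(cls, data_type):
        formatter_class = cls._formatter_classes.get(data_type.lower())
        return formatter_class() if formatter_class else cls._default_formatter

    @classmethod
    def GetMessageStrings(cls, formatter_mediator, event_data):
        formatter = cls.GetFormatterObject(event_data['data_type'])
        return list(formatter.GetMessages(formatter_mediator, event_data))

    @classmethod
    def GetSourceStrings(cls, event, event_data):
        formatter = cls.GetFormatterObject(event_data['data_type'])
        return list(formatter.GetSources(event, event_data))

    @classmethod
    def GetUnformattedAttributes(cls, event_data):
        # Attributes the message never shows.  Worth checking in review: a
        # timeline reader only sees what the format string references.
        formatter = cls.GetFormatterObject(event_data['data_type'])
        referenced = formatter.GetFormatStringAttributeNames()
        return sorted(name for name in event_data if name != 'data_type' and name not in referenced)

class WindowsBootExecuteFormatter(EventFormatter):
    """Format string copied from the lfu module documented on this page."""
    DATA_TYPE = 'windows:registry:boot_execute'
    FORMAT_STRING = '[{key_path}] BootExecute: {value}'
    SOURCE_LONG = 'Registry Key'
    SOURCE_SHORT = 'REG'

FormattersManager.RegisterFormatter(WindowsBootExecuteFormatter)

# Constructed event (not from a real hive): 'value_type' is not referenced by
# the format string, so GetUnformattedAttributes must report it.
BOOT_EXECUTE_EVENT = {
    'data_type': 'windows:registry:boot_execute', 'value_type': 'REG_MULTI_SZ',
    'key_path': 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager',
    'value': 'autocheck autochk *'}
```

FormattersManager.GetMessageStrings(None, BOOT_EXECUTE_EVENT) returns the BootExecute line twice (long and short), GetSourceStrings returns ['REG', 'Registry Key'], and GetUnformattedAttributes returns ['value_type']. Registering the same class twice raises KeyError, as documented, and once the class is deregistered the lookup silently falls through to the default formatter, so a missing formatter registration shows up in output as a flat attribute dump rather than as an error.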
plaso.formatters.mcafeeav module
The McAfee AV Logs file event formatter.
- class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a McAfee Access Protection Log event.
  - DATA_TYPE = 'av:mcafee:accessprotectionlog'
  - FORMAT_STRING_PIECES = ['File Name: (unknown)', 'User: {username}', '{trigger_location}', '{status}', '{rule}', '{action}']
  - FORMAT_STRING_SHORT_PIECES = ['(unknown)', '{action}']
  - SOURCE_LONG = 'McAfee Access Protection Log'
  - SOURCE_SHORT = 'LOG'
plaso.formatters.mediator module
The formatter mediator object.
- class plaso.formatters.mediator.FormatterMediator(data_location=None)
  Bases: object
  Class that implements the formatter mediator.
  - DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'
  - DEFAULT_LCID = 1033
  - GetWindowsEventMessage(log_source, message_identifier)
    Retrieves the message string for a specific Windows Event Log source.
    Parameters:
      log_source (str) – Event Log source, such as “Application Error”.
      message_identifier (int) – message identifier.
    Returns: message string or None if not available.
    Return type: str
  - SetPreferredLanguageIdentifier(language_identifier)
    Sets the preferred language identifier.
    Parameters: language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.
    Raises:
      KeyError – if the language identifier is not defined.
      ValueError – if the language identifier is not a string type.
  - lcid
    Preferred Language Code Identifier (LCID).
    Type: int
plaso.formatters.mountpoints module
Event formatter for the MountPoints2 key.
- class plaso.formatters.mountpoints.MountPoints2Formatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Windows MountPoints2 Registry key event.
  - DATA_TYPE = 'windows:registry:mount_points2'
  - FORMAT_STRING_PIECES = ['[{key_path}]', 'Label: {label}', 'Remote_Server: {server_name}', 'Share_Name: {share_name}', 'Type: {type}', 'Volume: {name}']
  - FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Label: {label}', 'Remote_Server: {server_name}', 'Share_Name: {share_name}', 'Type: {type}', 'Volume: {name}']
  - SOURCE_LONG = 'Registry Key'
  - SOURCE_SHORT = 'REG'
plaso.formatters.mrulist module
The MRUList event formatter.
- class plaso.formatters.mrulist.MRUListEventFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for an MRUList event.
  - DATA_TYPE = 'windows:registry:mrulist'
  - FORMAT_STRING = '[{key_path}] {entries}'
  - FORMAT_STRING_ALTERNATIVE = '{entries}'
  - SOURCE_LONG = 'Registry Key : MRU List'
  - SOURCE_SHORT = 'REG'
plaso.formatters.mrulistex module
The MRUListEx event formatter.
- class plaso.formatters.mrulistex.MRUListExEventFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for an MRUListEx event.
  - DATA_TYPE = 'windows:registry:mrulistex'
  - FORMAT_STRING = '[{key_path}] {entries}'
  - FORMAT_STRING_ALTERNATIVE = '{entries}'
  - SOURCE_LONG = 'Registry Key : MRUListEx'
  - SOURCE_SHORT = 'REG'
plaso.formatters.msie_webcache module
The MSIE WebCache ESE database event formatters.
- class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an MSIE WebCache ESE database Container_# table record.
  - DATA_TYPE = 'msie:webcache:container'
  - FORMAT_STRING_PIECES = ['URL: {url}', 'Redirect URL: {redirect_url}', 'Access count: {access_count}', 'Sync count: {sync_count}', 'Filename: {cached_filename}', 'File extension: {file_extension}', 'Cached file size: {cached_file_size}', 'Request headers: {request_headers}', 'Response headers: {response_headers}', 'Entry identifier: {entry_identifier}', 'Container identifier: {container_identifier}', 'Cache identifier: {cache_identifier}']
  - FORMAT_STRING_SHORT_PIECES = ['URL: {url}']
  - SOURCE_LONG = 'MSIE WebCache container record'
  - SOURCE_SHORT = 'WEBHIST'
- class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an MSIE WebCache ESE database Containers table record.
  - DATA_TYPE = 'msie:webcache:containers'
  - FORMAT_STRING_PIECES = ['Name: {name}', 'Directory: {directory}', 'Table: Container_{container_identifier}', 'Container identifier: {container_identifier}', 'Set identifier: {set_identifier}']
  - FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
  - SOURCE_LONG = 'MSIE WebCache containers record'
  - SOURCE_SHORT = 'WEBHIST'
- class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an MSIE WebCache ESE database LeakFiles table record.
  - DATA_TYPE = 'msie:webcache:leak_file'
  - FORMAT_STRING_PIECES = ['Filename: {cached_filename}', 'Leak identifier: {leak_identifier}']
  - FORMAT_STRING_SHORT_PIECES = ['Filename: {cached_filename}']
  - SOURCE_LONG = 'MSIE WebCache partitions record'
  - SOURCE_SHORT = 'WEBHIST'
- class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an MSIE WebCache ESE database Partitions table record.
  - DATA_TYPE = 'msie:webcache:partitions'
  - FORMAT_STRING_PIECES = ['Partition identifier: {partition_identifier}', 'Partition type: {partition_type}', 'Directory: {directory}', 'Table identifier: {table_identifier}']
  - FORMAT_STRING_SHORT_PIECES = ['Directory: {directory}']
  - SOURCE_LONG = 'MSIE WebCache partitions record'
  - SOURCE_SHORT = 'WEBHIST'
plaso.formatters.msie_zones module
The MSIE zone settings event formatter.
- class plaso.formatters.msie_zones.MSIEZoneSettingsEventFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for an MSIE zone settings event.
  - DATA_TYPE = 'windows:registry:msie_zone_settings'
  - FORMAT_STRING = '[{key_path}] {settings}'
  - FORMAT_STRING_ALTERNATIVE = '{settings}'
  - SOURCE_LONG = 'Registry Key'
  - SOURCE_SHORT = 'REG'
plaso.formatters.msiecf module
The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.
- class plaso.formatters.msiecf.MsiecfItemFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for an MSIECF item event.
  - GetMessages(formatter_mediator, event_data)
    Determines the formatted message strings for the event data.
    Parameters:
      formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
      event_data (EventData) – event data.
    Returns: formatted message string and short message string.
    Return type: tuple(str, str)
    Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
- class plaso.formatters.msiecf.MsiecfLeakFormatter
  Bases: plaso.formatters.msiecf.MsiecfItemFormatter
  Formatter for an MSIECF leak item event.
  - DATA_TYPE = 'msiecf:leak'
  - FORMAT_STRING_PIECES = ['Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', '{recovered_string}']
  - FORMAT_STRING_SHORT_PIECES = ['Cached file: {cached_file_path}']
  - SOURCE_LONG = 'MSIE Cache File leak record'
  - SOURCE_SHORT = 'WEBHIST'
- class plaso.formatters.msiecf.MsiecfRedirectedFormatter
  Bases: plaso.formatters.msiecf.MsiecfItemFormatter
  Formatter for an MSIECF redirected item event.
  - DATA_TYPE = 'msiecf:redirected'
  - FORMAT_STRING_PIECES = ['Location: {url}', '{recovered_string}']
  - FORMAT_STRING_SHORT_PIECES = ['Location: {url}']
  - SOURCE_LONG = 'MSIE Cache File redirected record'
  - SOURCE_SHORT = 'WEBHIST'
- class plaso.formatters.msiecf.MsiecfUrlFormatter
  Bases: plaso.formatters.msiecf.MsiecfItemFormatter
  Formatter for an MSIECF URL item event.
  - DATA_TYPE = 'msiecf:url'
  - FORMAT_STRING_PIECES = ['Location: {url}', 'Number of hits: {number_of_hits}', 'Cached file: {cached_file_path}', 'Cached file size: {cached_file_size}', 'HTTP headers: {http_headers}', '{recovered_string}']
  - FORMAT_STRING_SHORT_PIECES = ['Location: {url}', 'Cached file: {cached_file_path}']
  - SOURCE_LONG = 'MSIE Cache File URL record'
  - SOURCE_SHORT = 'WEBHIST'
plaso.formatters.network_drives module
The Network drive event formatter.
- class plaso.formatters.network_drives.NetworkDriveEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Network drive event.
  - DATA_TYPE = 'windows:registry:network_drive'
  - FORMAT_STRING_PIECES = ['[{key_path}]', 'DriveLetter: {drive_letter}', 'RemoteServer: {server_name}', 'ShareName: {share_name}', 'Type: Mapped Drive']
  - SOURCE_LONG = 'Registry Key : Network Drive'
  - SOURCE_SHORT = 'REG'
plaso.formatters.officemru module
The Microsoft Office MRU Windows Registry event formatter.
- class plaso.formatters.officemru.OfficeMRUListWindowsRegistryEventFormatter
  Bases: plaso.formatters.interface.EventFormatter
  Formatter for a Microsoft Office MRU list Windows Registry event.
  - DATA_TYPE = 'windows:registry:office_mru_list'
  - FORMAT_STRING = '[{key_path}] {entries}'
  - FORMAT_STRING_ALTERNATIVE = '{entries}'
  - SOURCE_LONG = 'Registry Key : Microsoft Office MRU'
  - SOURCE_SHORT = 'REG'
- class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter
  Bases: plaso.formatters.interface.ConditionalEventFormatter
  Formatter for a Microsoft Office MRU Windows Registry event.
  - DATA_TYPE = 'windows:registry:office_mru'
  - FORMAT_STRING_PIECES = ['[{key_path}]', 'Value: {value_string}']
  - FORMAT_STRING_SHORT_PIECES = ['{value_string}']
  - SOURCE_LONG = 'Registry Key: Microsoft Office MRU'
  - SOURCE_SHORT = 'REG'
plaso.formatters.olecf module¶
The OLE Compound File (OLECF) event formatters.
-
class
plaso.formatters.olecf.
OLECFDestListEntryFormatter
[source]¶ Bases:
plaso.formatters.interface.ConditionalEventFormatter
Formatter for an OLECF DestList stream event.
-
DATA_TYPE
= 'olecf:dest_list:entry'¶
-
FORMAT_STRING_PIECES
= ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Hostname: {hostname}', 'Path: {path}', 'Droid volume identifier: {droid_volume_identifier}', 'Droid file identifier: {droid_file_identifier}', 'Birth droid volume identifier: {birth_droid_volume_identifier}', 'Birth droid file identifier: {birth_droid_file_identifier}']¶
-
FORMAT_STRING_SHORT_PIECES
= ['Entry: {entry_number}', 'Pin status: {pin_status}', 'Path: {path}']¶
-
GetMessages
(formatter_mediator, event_data)[source]¶ Determines the formatted message strings for the event data.
- Parameters
formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
event_data (EventData) – event data.
- Returns
formatted message string and short message string.
- Return type
tuple(str, str)
- Raises
WrongFormatter – if the event data cannot be formatted by the formatter.
-
-
class
plaso.formatters.olecf.
OLECFDocumentSummaryInfoFormatter
[source]¶ Bases:
plaso.formatters.interface.ConditionalEventFormatter
Formatter for an OLECF Document Summary Info property set stream event.
-
DATA_TYPE
= 'olecf:document_summary_info'¶
-
FORMAT_STRING_PIECES
= ['Number of bytes: {number_of_bytes}', 'Number of lines: {number_of_lines}', 'Number of paragraphs: {number_of_paragraphs}', 'Number of slides: {number_of_slides}', 'Number of notes: {number_of_notes}', 'Number of hidden slides: {number_of_hidden_slides}', 'Number of multi-media clips: {number_of_clips}', 'Company: {company}', 'Manager: {manager}', 'Shared document: {shared_document}', 'Application version: {application_version}', 'Content type: {content_type}', 'Content status: {content_status}', 'Language: {language}', 'Document version: {document_version}']¶
-
FORMAT_STRING_SHORT_PIECES
= ['Company: {company}']¶
-
SOURCE_LONG
= 'OLECF Document Summary Info'¶
-
SOURCE_SHORT
= 'OLECF'¶
-
-

class plaso.formatters.olecf.OLECFItemFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for an OLECF item event.
DATA_TYPE = 'olecf:item'
FORMAT_STRING = 'Name: {name}'
FORMAT_STRING_SHORT = 'Name: {name}'
SOURCE_LONG = 'OLECF Item'
SOURCE_SHORT = 'OLECF'

class plaso.formatters.olecf.OLECFSummaryInfoFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an OLECF Summary Info property set stream event.
DATA_TYPE = 'olecf:summary_info'
FORMAT_STRING_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Keywords: {keywords}', 'Comments: {comments}', 'Template: {template}', 'Revision number: {revision_number}', 'Last saved by: {last_saved_by}', 'Total edit time: {total_edit_time}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Application: {application}', 'Security: {security}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}', 'Revision number: {revision_number}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'OLECF Summary Info'
SOURCE_SHORT = 'OLECF'

plaso.formatters.opera module
The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Opera global history event.
DATA_TYPE = 'opera:history:entry'
FORMAT_STRING_PIECES = ['{url}', '({title})', '[{description}]']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.opera.OperaTypedHistoryFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Opera typed history event.
DATA_TYPE = 'opera:history:typed_entry'
FORMAT_STRING_PIECES = ['{url}', '({entry_selection})']
SOURCE_LONG = 'Opera Browser History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.outlook module
The Outlook search MRU event formatter.

class plaso.formatters.outlook.OutlookSearchMRUEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for an Outlook search MRU event.
DATA_TYPE = 'windows:registry:outlook_search_mru'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : PST Paths'
SOURCE_SHORT = 'REG'

plaso.formatters.oxml module
The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an OXML event.
DATA_TYPE = 'metadata:openxml'
FORMAT_STRING_PIECES = ['Creating App: {creating_app}', 'App version: {app_version}', 'Title: {title}', 'Subject: {subject}', 'Last saved by: {last_saved_by}', 'Author: {author}', 'Total edit time (secs): {total_edit_time}', 'Keywords: {keywords}', 'Comments: {comments}', 'Revision number: {revision_number}', 'Template: {template}', 'Number of pages: {number_of_pages}', 'Number of words: {number_of_words}', 'Number of characters: {number_of_characters}', 'Number of characters with spaces: {number_of_characters_with_spaces}', 'Number of lines: {number_of_lines}', 'Company: {company}', 'Manager: {manager}', 'Shared: {shared}', 'Security: {security}', 'Hyperlinks changed: {hyperlinks_changed}', 'Links up to date: {links_up_to_date}', 'Scale crop: {scale_crop}', 'Digital signature: {dig_sig}', 'Slides: {slides}', 'Hidden slides: {hidden_slides}', 'Presentation format: {presentation_format}', 'MM clips: {mm_clips}', 'Notes: {notes}']
FORMAT_STRING_SHORT_PIECES = ['Title: {title}', 'Subject: {subject}', 'Author: {author}']
SOURCE_LONG = 'Open XML Metadata'
SOURCE_SHORT = 'META'

plaso.formatters.pe module
The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter
Bases: plaso.formatters.pe.PEEventFormatter
Formatter for a PE compilation event.
DATA_TYPE = 'pe:compilation:compilation_time'
SOURCE_LONG = 'PE Compilation time'

class plaso.formatters.pe.PEDelayImportFormatter
Bases: plaso.formatters.pe.PEEventFormatter
Formatter for a PE delay import section event.
DATA_TYPE = 'pe:delay_import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Delay Import Time'

class plaso.formatters.pe.PEEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Parent class for PE event formatters.
DATA_TYPE = 'pe'
FORMAT_STRING_PIECES = ['PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['pe_type']
SOURCE_LONG = 'PE Event'
SOURCE_SHORT = 'PE'

class plaso.formatters.pe.PEImportFormatter
Bases: plaso.formatters.pe.PEEventFormatter
Formatter for a PE import section event.
DATA_TYPE = 'pe:import:import_time'
FORMAT_STRING_PIECES = ['DLL name: {dll_name}', 'PE Type: {pe_type}', 'Import hash: {imphash}']
FORMAT_STRING_SHORT_PIECES = ['{dll_name}']
SOURCE_LONG = 'PE Import Time'

class plaso.formatters.pe.PELoadConfigModificationEvent
Bases: plaso.formatters.pe.PEEventFormatter
Formatter for a PE load configuration table event.
DATA_TYPE = 'pe:load_config:modification_time'
SOURCE_LONG = 'PE Load Configuration Table Time'

class plaso.formatters.pe.PEResourceCreationFormatter
Bases: plaso.formatters.pe.PEEventFormatter
Formatter for a PE resource creation event.
DATA_TYPE = 'pe:resource:creation_time'
SOURCE_LONG = 'PE Resource Creation Time'

plaso.formatters.plist module
The plist event formatter.

class plaso.formatters.plist.PlistFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a plist key event.
DATA_TYPE = 'plist:key'
FORMAT_STRING_PIECES = ['{root}/', '{key}', ' {desc}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Plist Entry'
SOURCE_SHORT = 'PLIST'

plaso.formatters.pls_recall module
The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a PL/SQL Recall file container event.
DATA_TYPE = 'PLSRecall:event'
FORMAT_STRING_PIECES = ['Sequence number: {sequence_number}', 'Username: {username}', 'Database name: {database_name}', 'Query: {query}']
FORMAT_STRING_SHORT_PIECES = ['{sequence_number}', '{username}', '{database_name}', '{query}']
SOURCE_LONG = 'PL/SQL Developer Recall file'
SOURCE_SHORT = 'PLSRecall'

plaso.formatters.popcontest module
The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Popularity Contest Log event.
DATA_TYPE = 'popularity_contest:log:event'
FORMAT_STRING_PIECES = ['mru [{mru}]', 'package [{package}]', 'tag [{record_tag}]']
FORMAT_STRING_SHORT_PIECES = ['{mru}']
SOURCE_LONG = 'Popularity Contest Log'
SOURCE_SHORT = 'LOG'

class plaso.formatters.popcontest.PopularityContestSessionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Popularity Contest Session information event.
DATA_TYPE = 'popularity_contest:session:event'
FORMAT_STRING_PIECES = ['Session {session}', '{status}', 'ID {hostid}', '[{details}]']
FORMAT_STRING_SHORT_PIECES = ['Session {session}', '{status}']
SOURCE_LONG = 'Popularity Contest Session'
SOURCE_SHORT = 'LOG'

plaso.formatters.programscache module
The Explorer ProgramsCache event formatter.

class plaso.formatters.programscache.ExplorerProgramsCacheEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an Explorer ProgramsCache event.
DATA_TYPE = 'windows:registry:explorer:programcache'
FORMAT_STRING_PIECES = ['Key: {key_path}', 'Value: {value_name}', 'Entries: [{entries}]']
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.recycler module
The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Recycler/Recycle Bin file event.
DATA_TYPE = 'windows:metadata:deleted_item'
FORMAT_STRING_PIECES = ['DC{record_index} ->', '{original_filename}', '[{short_filename}]', '(from drive: {drive_letter})']
FORMAT_STRING_SHORT_PIECES = ['Deleted file: {original_filename}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Recycle Bin'
SOURCE_SHORT = 'RECBIN'

plaso.formatters.run module
The Run/RunOnce key event formatter.

class plaso.formatters.run.RunKeyEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a Run/RunOnce key event.
DATA_TYPE = 'windows:registry:run'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : Run Key'
SOURCE_SHORT = 'REG'

plaso.formatters.safari module
The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Safari history event.
DATA_TYPE = 'safari:history:visit'
FORMAT_STRING_PIECES = ['Visited: {url}', '({title}', '- {display_title}', ')', 'Visit Count: {visit_count}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'

class plaso.formatters.safari.SafariHistoryFormatterSqlite
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Safari history event from the SQLite History.db database.
DATA_TYPE = 'safari:history:visit_sqlite'
FORMAT_STRING_PIECES = ['URL: {url}', 'Title: ({title})', '[count: {visit_count}]', 'http_non_get: {was_http_non_get}']
SOURCE_LONG = 'Safari History'
SOURCE_SHORT = 'WEBHIST'

plaso.formatters.safari_cookies module
The Safari Binary cookie event formatter.

Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Safari Binary Cookie file entry event.
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.

plaso.formatters.sam_users module
The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SAM users Windows Registry event.
DATA_TYPE = 'windows:registry:sam_users'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Username: {username}', 'Full name: {fullname}', 'Comments: {comments}', 'RID: {account_rid}', 'Login count: {login_count}']
FORMAT_STRING_SHORT_PIECES = ['{username}', 'RID: {account_rid}', 'Login count: {login_count}']
SOURCE_LONG = 'Registry Key: User Account Information'
SOURCE_SHORT = 'REG'

plaso.formatters.santa module
Santa log file event formatter.

class plaso.formatters.santa.SantaDiskMountsFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Santa disk mount event.
DATA_TYPE = 'santa:diskmount'
FORMAT_STRING_PIECES = ['Santa {action}', 'on ({mount})', 'serial: ({serial})', 'for ({dmg_path})']
FORMAT_STRING_SHORT_PIECES = ['{action}', '{volume}']
SOURCE_LONG = 'Santa disk mount'
SOURCE_SHORT = 'LOG'

class plaso.formatters.santa.SantaExecutionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Santa execution event.
DATA_TYPE = 'santa:execution'
FORMAT_STRING_PIECES = ['Santa {decision}', 'process: {process_path}', 'hash: {process_hash}']
FORMAT_STRING_SHORT_PIECES = ['{decision}', 'process: {process_path}']
SOURCE_LONG = 'Santa Execution'
SOURCE_SHORT = 'LOG'

class plaso.formatters.santa.SantaFileSystemFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Santa file system event.
DATA_TYPE = 'santa:file_system_event'
FORMAT_STRING_PIECES = ['Santa {action} event', '{file_path}', 'by process: {process_path}']
FORMAT_STRING_SHORT_PIECES = ['File {action}', 'on: {file_path}']
SOURCE_LONG = 'Santa FSEvent'
SOURCE_SHORT = 'LOG'

plaso.formatters.sccm module
The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an SCCM log event.
DATA_TYPE = 'software_management:sccm:log'
FORMAT_STRING_PIECES = ['{component}', '{text}']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SCCM Event'
SOURCE_SHORT = 'LOG'

plaso.formatters.selinux module
The SELinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an SELinux log file event.
DATA_TYPE = 'selinux:line'
FORMAT_STRING_PIECES = ['[', 'audit_type: {audit_type}', ', pid: {pid}', ']', ' {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Audit log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.services module
The Windows services event formatter.
The Windows services are derived from Windows Registry files.

class plaso.formatters.services.WinRegistryServiceFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows service event.
DATA_TYPE = 'windows:registry:service'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Type: {service_type}', 'Start: {start_type}', 'Image path: {image_path}', 'Error control: {error_control}', '{values}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.

plaso.formatters.shell_items module
The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a shell item file entry event.
DATA_TYPE = 'windows:shell_item:file_entry'
FORMAT_STRING_PIECES = ['Name: {name}', 'Long name: {long_name}', 'Localized name: {localized_name}', 'NTFS file reference: {file_reference}', 'Shell item path: {shell_item_path}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['Name: {file_entry_name}', 'NTFS file reference: {file_reference}', 'Origin: {origin}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'File entry shell item'
SOURCE_SHORT = 'FILE'

plaso.formatters.shutdown module
The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a shutdown Windows Registry event.
DATA_TYPE = 'windows:registry:shutdown'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Description: {value_name}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}']
SOURCE_LONG = 'Registry Key Shutdown Entry'
SOURCE_SHORT = 'REG'

plaso.formatters.skydrivelog module
The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SkyDrive log file event.
DATA_TYPE = 'skydrive:log:line'
FORMAT_STRING_PIECES = ['[{module}', '{source_code}', '{log_level}]', '{detail}']
FORMAT_STRING_SHORT_PIECES = ['{detail}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'

class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SkyDrive old log file event.
DATA_TYPE = 'skydrive:log:old:line'
FORMAT_STRING_PIECES = ['[{source_code}]', '({log_level})', '{text}']
FORMAT_STRING_SHORT_PIECES = ['{text}']
SOURCE_LONG = 'SkyDrive Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.skype module
The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Skype account event.
DATA_TYPE = 'skype:event:account'
FORMAT_STRING_PIECES = ['{username}', '[{email}]', 'Country: {country}']
SOURCE_LONG = 'Skype Account'
SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeCallFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Skype call event.
DATA_TYPE = 'skype:event:call'
FORMAT_STRING_PIECES = ['From: {src_call}', 'To: {dst_call}', '[{call_type}]']
SOURCE_LONG = 'Skype Call'
SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeChatFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Skype chat message event.
DATA_TYPE = 'skype:event:chat'
FORMAT_STRING_PIECES = ['From: {from_account}', 'To: {to_account}', '[{title}]', 'Message: [{text}]']
FORMAT_STRING_SHORT_PIECES = ['From: {from_account}', 'To: {to_account}']
SOURCE_LONG = 'Skype Chat MSG'
SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeSMSFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Skype SMS event.
DATA_TYPE = 'skype:event:sms'
FORMAT_STRING_PIECES = ['To: {number}', '[{text}]']
SOURCE_LONG = 'Skype SMS'
SOURCE_SHORT = 'LOG'

class plaso.formatters.skype.SkypeTransferFileFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Skype transfer file event.
DATA_TYPE = 'skype:event:transferfile'
FORMAT_STRING_PIECES = ['Source: {source}', 'Destination: {destination}', 'File: {transferred_filename}', '[{action_type}]']
SOURCE_LONG = 'Skype Transfer Files'
SOURCE_SHORT = 'LOG'

plaso.formatters.sophos_av module
The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for Sophos Anti-Virus log (SAV.txt) event data.
DATA_TYPE = 'sophos:av:log'
FORMAT_STRING_PIECES = ['{text}']
SOURCE_LONG = 'Sophos Anti-Virus log'
SOURCE_SHORT = 'LOG'

plaso.formatters.srum module
The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SRUM application resource usage event.
DATA_TYPE = 'windows:srum:application_usage'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']

class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SRUM network connectivity usage event.
DATA_TYPE = 'windows:srum:network_connectivity'
FORMAT_STRING_PIECES = ['Application: {application}']
FORMAT_STRING_SHORT_PIECES = ['{application}']

class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a SRUM network data usage event.
DATA_TYPE = 'windows:srum:network_usage'
FORMAT_STRING_PIECES = ['Application: {application}', 'Bytes received: {bytes_received}', 'Bytes sent: {bytes_sent}', 'Interface LUID: {interface_luid}', 'User identifier: {user_identifier}']
FORMAT_STRING_SHORT_PIECES = ['{application}']

plaso.formatters.ssh module
The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an SSH failed connection event.
DATA_TYPE = 'syslog:ssh:failed_connection'
FORMAT_STRING_PIECES = ['Unsuccessful connection of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'

class plaso.formatters.ssh.SSHLoginEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an SSH successful login event.
DATA_TYPE = 'syslog:ssh:login'
FORMAT_STRING_PIECES = ['Successful login of user: {username}', 'from {address}:', '{port}', 'using authentication method: {authentication_method}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'

class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an SSH opened connection event.
DATA_TYPE = 'syslog:ssh:opened_connection'
FORMAT_STRING_PIECES = ['Connection opened {address}:', '{port}', 'ssh pid: {pid}']
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'SSH log'
SOURCE_SHORT = 'LOG'

plaso.formatters.symantec module
The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Symantec AV log file event.
ACTION_0_NAMES = {'1': 'Quarantined', '10': 'Renamed backup file', '11': 'Undo action in Quarantine View', '12': 'Write protected or lack of permissions - Unable to act on file', '13': 'Backed up file', '2': 'Renamed', '3': 'Deleted', '4': 'Left alone', '5': 'Cleaned', '6': 'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', '7': 'Saved file as...', '8': 'Sent to Intel (AMS)', '9': 'Moved to backup location'}
ACTION_1_2_NAMES = {'1': 'Quarantine infected file', '2': 'Rename infected file', '3': 'Delete infected file', '4': 'Leave alone (log only)', '5': 'Clean virus from file', '6': 'Clean or delete macros'}
CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY', '3': 'GL_CAT_PATTERN', '4': 'GL_CAT_SECURITY'}
DATA_TYPE = 'av:symantec:scanlog'
EVENT_NAMES = {'1': 'GL_EVENT_IS_ALERT', '10': 'GL_EVENT_CHECKSUM', '11': 'GL_EVENT_TRAP', '12': 'GL_EVENT_CONFIG_CHANGE', '13': 'GL_EVENT_SHUTDOWN', '14': 'GL_EVENT_STARTUP', '16': 'GL_EVENT_PATTERN_DOWNLOAD', '17': 'GL_EVENT_TOO_MANY_VIRUSES', '18': 'GL_EVENT_FWD_TO_QSERVER', '19': 'GL_EVENT_SCANDLVR', '2': 'GL_EVENT_SCAN_STOP', '20': 'GL_EVENT_BACKUP', '21': 'GL_EVENT_SCAN_ABORT', '22': 'GL_EVENT_RTS_LOAD_ERROR', '23': 'GL_EVENT_RTS_LOAD', '24': 'GL_EVENT_RTS_UNLOAD', '25': 'GL_EVENT_REMOVE_CLIENT', '26': 'GL_EVENT_SCAN_DELAYED', '27': 'GL_EVENT_SCAN_RESTART', '28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', '29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', '3': 'GL_EVENT_SCAN_START', '30': 'GL_EVENT_LICENSE_WARNING', '31': 'GL_EVENT_LICENSE_ERROR', '32': 'GL_EVENT_LICENSE_GRACE', '33': 'GL_EVENT_UNAUTHORIZED_COMM', '34': 'GL_EVENT_LOG_FWD_THRD_ERR', '35': 'GL_EVENT_LICENSE_INSTALLED', '36': 'GL_EVENT_LICENSE_ALLOCATED', '37': 'GL_EVENT_LICENSE_OK', '38': 'GL_EVENT_LICENSE_DEALLOCATED', '39': 'GL_EVENT_BAD_DEFS_ROLLBACK', '4': 'GL_EVENT_PATTERN_UPDATE', '40': 'GL_EVENT_BAD_DEFS_UNPROTECTED', '41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', '42': 'GL_EVENT_RTS_ERROR', '43': 'GL_EVENT_COMPLIANCE_FAIL', '44': 'GL_EVENT_COMPLIANCE_SUCCESS', '45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', '46': 'GL_EVENT_ANOMALY_START', '47': 'GL_EVENT_DETECTION_ACTION_TAKEN', '48': 'GL_EVENT_REMEDIATION_ACTION_PENDING', '49': 'GL_EVENT_REMEDIATION_ACTION_FAILED', '5': 'GL_EVENT_INFECTION', '50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL', '51': 'GL_EVENT_ANOMALY_FINISH', '52': 'GL_EVENT_COMMS_LOGIN_FAILED', '53': 'GL_EVENT_COMMS_LOGIN_SUCCESS', '54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM', '55': 'GL_EVENT_CLIENT_INSTALL_AV', '56': 'GL_EVENT_CLIENT_INSTALL_FW', '57': 'GL_EVENT_CLIENT_UNINSTALL', '58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', '59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', '6': 'GL_EVENT_FILE_NOT_OPEN', '60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE', '61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', '62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', '63': 'GL_EVENT_CLIENT_CHECKIN', '64': 'GL_EVENT_CLIENT_NO_CHECKIN', '65': 'GL_EVENT_SCAN_SUSPENDED', '66': 'GL_EVENT_SCAN_RESUMED', '67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT', '68': 'GL_EVENT_CLIENT_MOVE', '69': 'GL_EVENT_SCAN_FAILED_ENHANCED', '7': 'GL_EVENT_LOAD_PATTERN', '70': 'GL_EVENT_MAX_event_name', '71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', '72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', '73': 'GL_EVENT_LOAD_ERROR_COH', '74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS', '75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', '76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', '77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN', '8': 'GL_STD_MESSAGE_INFO', '9': 'GL_STD_MESSAGE_ERROR'}
FORMAT_STRING_PIECES = ['Event Name: {event_map}', 'Category Name: {category_map}', 'Malware Name: {virus}', 'Malware Path: {file}', 'Action0: {action0_map}', 'Action1: {action1_map}', 'Action2: {action2_map}', 'Description: {description}', 'Scan ID: {scanid}', 'Event Data: {event_data}', 'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SEPARATOR = '; '
FORMAT_STRING_SHORT_PIECES = ['{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple(str, str)
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Symantec AV Log'
SOURCE_SHORT = 'LOG'
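As an added illustration (this is not plaso's own code), the following Python models how a conditional formatter such as SymantecAVFormatter builds its message and short message in GetMessages: each piece in FORMAT_STRING_PIECES is emitted only when every attribute it references is present, the emitted pieces are joined with FORMAT_STRING_SEPARATOR, and the *_map attributes are derived from the code tables above. The raw attribute names event, category and action0..action2 on the incoming event, the UNKNOWN(...) fallback for codes missing from a table, and the sample record are assumptions of this example, and the tables are trimmed to a few entries from the page.

```python
"""Simplified model of a plaso-style conditional event formatter.

Added illustration, not plaso's own code. It reuses SymantecAVFormatter's
pieces, separator and (trimmed) code tables as listed on the page.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Matches the {attribute} placeholders inside a format-string piece.
_PLACEHOLDER = re.compile(r'\{(\w+)\}')


class WrongFormatter(Exception):
    """The event data does not carry the DATA_TYPE this formatter handles."""


class ConditionalFormatter:
    """Emits a piece only when every attribute it references is present."""

    DATA_TYPE = ''
    FORMAT_STRING_PIECES: List[str] = []
    FORMAT_STRING_SHORT_PIECES: List[str] = []
    FORMAT_STRING_SEPARATOR = ' '

    def _enrich(self, values: Dict[str, Any]) -> None:
        """Hook for subclasses to derive display attributes (the *_map names)."""

    def _join_pieces(self, pieces: List[str], values: Dict[str, Any]) -> str:
        parts = []
        for piece in pieces:
            names = _PLACEHOLDER.findall(piece)
            # A piece is dropped if any attribute it references is absent or None.
            if all(values.get(name) is not None for name in names):
                parts.append(piece.format(**values))
        return self.FORMAT_STRING_SEPARATOR.join(parts).strip()

    def GetMessages(self, event_data: Dict[str, Any]) -> Tuple[str, str]:
        """Return (message, short message), mirroring the documented contract."""
        if event_data.get('data_type') != self.DATA_TYPE:
            raise WrongFormatter(
                'Unsupported data type: {}'.format(event_data.get('data_type')))
        values = dict(event_data)
        self._enrich(values)
        return (self._join_pieces(self.FORMAT_STRING_PIECES, values),
                self._join_pieces(self.FORMAT_STRING_SHORT_PIECES, values))


class SymantecAVLikeFormatter(ConditionalFormatter):
    """Pieces, separator and code tables taken from the page (tables trimmed)."""

    DATA_TYPE = 'av:symantec:scanlog'
    FORMAT_STRING_SEPARATOR = '; '
    FORMAT_STRING_PIECES = [
        'Event Name: {event_map}', 'Category Name: {category_map}',
        'Malware Name: {virus}', 'Malware Path: {file}',
        'Action0: {action0_map}', 'Action1: {action1_map}',
        'Action2: {action2_map}', 'Description: {description}',
        'Scan ID: {scanid}', 'Event Data: {event_data}',
        'Remote Machine: {remote_machine}', 'Remote IP: {remote_machine_ip}']
    FORMAT_STRING_SHORT_PIECES = [
        '{file}', '{virus}', '{action0_map}', '{action1_map}', '{action2_map}']

    EVENT_NAMES = {'3': 'GL_EVENT_SCAN_START', '5': 'GL_EVENT_INFECTION',
                   '47': 'GL_EVENT_DETECTION_ACTION_TAKEN'}
    CATEGORY_NAMES = {'1': 'GL_CAT_INFECTION', '2': 'GL_CAT_SUMMARY'}
    ACTION_0_NAMES = {'1': 'Quarantined', '3': 'Deleted', '4': 'Left alone'}
    ACTION_1_2_NAMES = {'1': 'Quarantine infected file',
                        '3': 'Delete infected file', '4': 'Leave alone (log only)'}

    @staticmethod
    def _lookup(table: Dict[str, str], code: Optional[str]) -> Optional[str]:
        # Codes missing from a table stay visible in the message instead of
        # being silently dropped; the UNKNOWN(...) wording is this example's.
        if code is None:
            return None
        return table.get(str(code), 'UNKNOWN({})'.format(code))

    def _enrich(self, values: Dict[str, Any]) -> None:
        # The raw names event/category/action0..2 are assumed by this example;
        # the page only shows the derived *_map names used in the pieces.
        values['event_map'] = self._lookup(self.EVENT_NAMES, values.get('event'))
        values['category_map'] = self._lookup(self.CATEGORY_NAMES, values.get('category'))
        values['action0_map'] = self._lookup(self.ACTION_0_NAMES, values.get('action0'))
        values['action1_map'] = self._lookup(self.ACTION_1_2_NAMES, values.get('action1'))
        values['action2_map'] = self._lookup(self.ACTION_1_2_NAMES, values.get('action2'))


# Constructed sample record: an EICAR test-file detection that was quarantined.
SAMPLE_EVENT = {
    'data_type': 'av:symantec:scanlog',
    'event': '5', 'category': '1',
    'virus': 'EICAR-Test-File',
    'file': 'C:\\Users\\alice\\Downloads\\eicar.com',
    'action0': '1', 'action1': '1', 'action2': '4',
    'scanid': '12',
    'description': None,  # present but empty: its piece is dropped
    # event_data, remote_machine, remote_machine_ip absent: pieces dropped
}


def format_sample_event() -> Tuple[str, str]:
    return SymantecAVLikeFormatter().GetMessages(SAMPLE_EVENT)


def format_unknown_action_event() -> str:
    """Short message for a record whose action0 code is not in the table."""
    return SymantecAVLikeFormatter().GetMessages(dict(SAMPLE_EVENT, action0='99'))[1]


def rejects_wrong_data_type() -> bool:
    try:
        SymantecAVLikeFormatter().GetMessages({'data_type': 'syslog:line'})
    except WrongFormatter:
        return True
    return False


if __name__ == '__main__':
    for line in format_sample_event():
        print(line)
```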

plaso.formatters.syslog module
The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a syslog comment event.
DATA_TYPE = 'syslog:comment'
FORMAT_STRING_PIECES = ['{body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'

class plaso.formatters.syslog.SyslogLineFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a syslog line event.
DATA_TYPE = 'syslog:line'
FORMAT_STRING_PIECES = ['{severity} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.systemd_journal module
The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalDirtyEventFormatter
Bases: plaso.formatters.systemd_journal.SystemdJournalEventFormatter
Formatter for a Systemd journal dirty event.
DATA_TYPE = 'systemd:journal:dirty'
SOURCE_LONG = 'systemd-journal-dirty'

class plaso.formatters.systemd_journal.SystemdJournalEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Systemd journal event.
DATA_TYPE = 'systemd:journal'
FORMAT_STRING_PIECES = ['{hostname} ', '[', '{reporter}', ', pid: {pid}', '] {body}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'systemd-journal'
SOURCE_SHORT = 'LOG'

plaso.formatters.tango_android module
Tango on Android databases formatter.

class plaso.formatters.tango_android.TangoAndroidContactFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Tango on Android contact event formatter.
DATA_TYPE = 'tango:android:contact'
FORMAT_STRING_PIECES = ['{first_name}', '{last_name}', '{gender}', 'birthday: {birthday}', 'Status: {status}', 'Friend: {is_friend}', 'Request type: {friend_request_type}', 'Request message: {friend_request_message}']
FORMAT_STRING_SHORT_PIECES = ['{first_name}', '{last_name}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple[str, str]
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Tango Android Contact'
SOURCE_SHORT = 'Tango Android'

class plaso.formatters.tango_android.TangoAndroidConversationFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Tango on Android conversation event formatter.
DATA_TYPE = 'tango:android:conversation'
FORMAT_STRING_PIECES = ['Conversation ({conversation_identifier})']
FORMAT_STRING_SHORT_PIECES = ['Conversation ({conversation_identifier})']
SOURCE_LONG = 'Tango Android Conversation'
SOURCE_SHORT = 'Tango Android'

class plaso.formatters.tango_android.TangoAndroidMessageFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Tango on Android message event formatter.
DATA_TYPE = 'tango:android:message'
FORMAT_STRING_PIECES = ['{direction}', 'Message ({message_identifier})']
FORMAT_STRING_SHORT_PIECES = ['{direction}', 'Message ({message_identifier})']
GetMessages(formatter_mediator, event_data)
Determines the formatted message strings for the event data.
Parameters:
  formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
  event_data (EventData) – event data.
Returns: formatted message string and short message string.
Return type: tuple[str, str]
Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Tango Android Message'
SOURCE_SHORT = 'Tango Android'
plaso.formatters.task_scheduler module
The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Task Scheduler Cache event.
DATA_TYPE = 'task_scheduler:task_cache:entry'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Task: {task_name}', '[Identifier: {task_identifier}]']
FORMAT_STRING_SHORT_PIECES = ['Task: {task_name}']
SOURCE_LONG = 'Task Cache'
SOURCE_SHORT = 'REG'

plaso.formatters.terminal_server module
The Terminal Server client event formatters.

class plaso.formatters.terminal_server.TerminalServerClientConnectionEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Terminal Server client connection event.
DATA_TYPE = 'windows:registry:mstsc:connection'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Username hint: {username}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]']
SOURCE_LONG = 'Registry Key : RDP Connection'
SOURCE_SHORT = 'REG'

class plaso.formatters.terminal_server.TerminalServerClientMRUEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a Terminal Server client MRU event.
DATA_TYPE = 'windows:registry:mstsc:mru'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : RDP Connection'
SOURCE_SHORT = 'REG'

plaso.formatters.text module
The text file event formatter.

plaso.formatters.timezone module
The Windows timezone settings event formatter.

class plaso.formatters.timezone.WindowsTimezoneSettingsEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a Windows timezone settings event.
DATA_TYPE = 'windows:registry:timezone'
FORMAT_STRING = '[{key_path}] {configuration}'
FORMAT_STRING_ALTERNATIVE = '{configuration}'
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'

plaso.formatters.trendmicroav module
The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Trend Micro Office Scan Virus Detection Log event.
DATA_TYPE = 'av:trendmicro:scan'
FORMAT_STRING_PIECES = ['Path: {path}', 'File name: (unknown)', '{threat}', ': {action}', '({scan_type})']
FORMAT_STRING_SHORT_PIECES = ['{path}', '(unknown)', '{action}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; the resulting dictionary is then passed to the superclass's formatting method.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'action': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>, 'scan_type': <function OfficeScanVirusDetectionLogEventFormatter.<lambda>>}

class plaso.formatters.trendmicroav.OfficeScanWebReputationLogEventFormatter
Bases: plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter
Formatter for a Trend Micro Office Scan Web Reputation Log event.
DATA_TYPE = 'av:trendmicro:webrep'
FORMAT_STRING_PIECES = ['{url}', '{ip}', 'Group: {group_name}', '{group_code}', 'Mode: {block_mode}', 'Policy ID: {policy_identifier}', 'Credibility rating: {credibility_rating}', 'Credibility score: {credibility_score}', 'Threshold value: {threshold}', 'Accessed by: {application_name}']
FORMAT_STRING_SHORT_PIECES = ['{url}', '{group_name}']
SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
SOURCE_SHORT = 'LOG'
VALUE_FORMATTERS = {'block_mode': <function OfficeScanWebReputationLogEventFormatter.<lambda>>}
plaso.formatters.twitter_android module
Twitter on Android database formatter.

class plaso.formatters.twitter_android.TwitterAndroidContactFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Twitter for Android contact event formatter.
DATA_TYPE = 'twitter:android:contact'
FORMAT_STRING_PIECES = ['Screen name: {username}', 'Profile picture URL: {image_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {web_url}', 'Number of followers: {followers}', 'Number of following: {friend}', 'Number of tweets: {statuses}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {username}', 'Description: {description}', 'URL: {web_url}']
SOURCE_LONG = 'Twitter Android Contacts'
SOURCE_SHORT = 'Twitter Android'

class plaso.formatters.twitter_android.TwitterAndroidSearchFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Twitter for Android search event formatter.
DATA_TYPE = 'twitter:android:search'
FORMAT_STRING_PIECES = ['Name: {name}', 'Query: {search_query}']
FORMAT_STRING_SHORT_PIECES = ['Query: {search_query}']
SOURCE_LONG = 'Twitter Android Search'
SOURCE_SHORT = 'Twitter Android'

class plaso.formatters.twitter_android.TwitterAndroidStatusFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Twitter for Android status event formatter.
DATA_TYPE = 'twitter:android:status'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {content}', 'Favorited: {favorited}', 'Retweeted: {retweeted}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'Status: {content}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Twitter Android Status'
SOURCE_SHORT = 'Twitter Android'

plaso.formatters.twitter_ios module
Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Twitter on iOS 8+ contact event formatter.
DATA_TYPE = 'twitter:ios:contact'
FORMAT_STRING_PIECES = ['Screen name: {screen_name}', 'Profile picture URL: {profile_url}', 'Name: {name}', 'Location: {location}', 'Description: {description}', 'URL: {url}', 'Following: {following}', 'Number of followers: {followers_count}', 'Number of following: {following_count}']
FORMAT_STRING_SHORT_PIECES = ['Screen name: {screen_name}', 'Description: {description}', 'URL: {url}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Twitter iOS Contacts'
SOURCE_SHORT = 'Twitter iOS'

class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Twitter on iOS 8+ status event formatter.
DATA_TYPE = 'twitter:ios:status'
FORMAT_STRING_PIECES = ['Name: {name}', 'User Id: {user_id}', 'Message: {text}', 'Favorite: {favorited}', 'Retweet Count: {retweet_count}', 'Favorite Count: {favorite_count}']
FORMAT_STRING_SHORT_PIECES = ['Name: {name}', 'Message: {text}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Twitter iOS Status'
SOURCE_SHORT = 'Twitter iOS'
plaso.formatters.typedurls module
The typed URLs event formatter.

class plaso.formatters.typedurls.TypedURLsFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a typed URLs event.
DATA_TYPE = 'windows:registry:typedurls'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : Typed URLs'
SOURCE_SHORT = 'REG'

plaso.formatters.usb module
The Windows USB device event formatter.

class plaso.formatters.usb.WindowsUSBDeviceEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows USB device event.
DATA_TYPE = 'windows:registry:usb'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Product: {product}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Product: {product}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
SOURCE_LONG = 'Registry Key : USB Entries'
SOURCE_SHORT = 'REG'

plaso.formatters.usbstor module
The USBStor event formatter.

class plaso.formatters.usbstor.USBStorEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a USBStor event.
DATA_TYPE = 'windows:registry:usbstor'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Device type: {device_type}', 'Display name: {display_name}', 'Product: {product}', 'Revision: {revision}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Device type: {device_type}', 'Display name: {display_name}', 'Product: {product}', 'Revision: {revision}', 'Serial: {serial}', 'Subkey name: {subkey_name}', 'Vendor: {vendor}']
SOURCE_LONG = 'Registry Key : USBStor Entries'
SOURCE_SHORT = 'REG'

plaso.formatters.userassist module
The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a UserAssist Windows Registry event.
DATA_TYPE = 'windows:registry:userassist'
FORMAT_STRING_PIECES = ['[{key_path}]', 'UserAssist entry: {entry_index}', 'Value name: {value_name}', 'Count: {number_of_executions}', 'Application focus count: {application_focus_count}', 'Application focus duration: {application_focus_duration}']
FORMAT_STRING_SHORT_PIECES = ['{value_name}', 'Count: {number_of_executions}']
SOURCE_LONG = 'Registry Key: UserAssist'
SOURCE_SHORT = 'REG'

plaso.formatters.utmp module
The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a UTMP session event.
DATA_TYPE = 'linux:utmp:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}', 'Status: {status}', 'IP Address: {ip_address}', 'Exit status: {exit_status}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'UTMP session'
SOURCE_SHORT = 'LOG'

plaso.formatters.utmpx module
The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a UTMPX session event.
DATA_TYPE = 'mac:utmpx:event'
FORMAT_STRING_PIECES = ['User: {username}', 'Status: {status}', 'Hostname: {hostname}', 'Terminal: {terminal}', 'PID: {pid}', 'Terminal identifier: {terminal_identifier}']
FORMAT_STRING_SHORT_PIECES = ['User: {username}', 'PID: {pid}', 'Status: {status}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'UTMPX session'
SOURCE_SHORT = 'LOG'
plaso.formatters.windows module
The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows distributed link tracking creation event.
DATA_TYPE = 'windows:distributed_link_tracking:creation'
FORMAT_STRING_PIECES = ['{uuid}', 'MAC address: {mac_address}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{uuid}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'

class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows NetworkList Registry event.
DATA_TYPE = 'windows:registry:network'
FORMAT_STRING_PIECES = ['SSID: {ssid}', 'Description: {description}', 'Connection Type: {connection_type}', 'Default Gateway Mac: {default_gateway_mac}', 'DNS Suffix: {dns_suffix}']
SOURCE_LONG = 'System: Network Connection'
SOURCE_SHORT = 'LOG'

class plaso.formatters.windows.WindowsVolumeCreationEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows volume creation event.
DATA_TYPE = 'windows:volume:creation'
FORMAT_STRING_PIECES = ['{device_path}', 'Serial number: 0x{serial_number:08X}', 'Origin: {origin}']
FORMAT_STRING_SHORT_PIECES = ['{device_path}', 'Origin: {origin}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'

plaso.formatters.windows_timeline module
The Windows Timeline event formatter.

class plaso.formatters.windows_timeline.WindowsTimelineGenericEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for generic Windows Timeline events.
DATA_TYPE = 'windows:timeline:generic'
FORMAT_STRING_PIECES = ['Application Display Name: {application_display_name}', 'Package Identifier: {package_identifier}', 'Description: {description}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - Generic'
SOURCE_SHORT = 'Windows Timeline'

class plaso.formatters.windows_timeline.WindowsTimelineUserEngagedEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for User Engaged Windows Timeline events.
DATA_TYPE = 'windows:timeline:user_engaged'
FORMAT_STRING_PIECES = ['Package Identifier: {package_identifier}', 'Active Duration (seconds): {active_duration_seconds}', 'Reporting App: {reporting_app}']
FORMAT_STRING_SHORT_PIECES = ['{package_identifier}']
SOURCE_LONG = 'Windows Timeline - User Engaged'
SOURCE_SHORT = 'Windows Timeline'

plaso.formatters.windows_version module
The Windows installation event formatter.

class plaso.formatters.windows_version.WindowsRegistryInstallationEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows installation event.
DATA_TYPE = 'windows:registry:installation'
FORMAT_STRING_PIECES = ['{product_name}', '{version}', '{build_number}', '{service_pack}', 'Owner: {owner}', 'Origin: {key_path}']
FORMAT_STRING_SHORT_PIECES = ['{product_name}', '{version}', '{build_number}', '{service_pack}', 'Origin: {key_path}']
SOURCE_LONG = 'System'
SOURCE_SHORT = 'LOG'
plaso.formatters.winevt module
The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows EventLog (EVT) record event.
DATA_TYPE = 'windows:evt:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Severity: {severity}', 'Record Number: {record_number}', 'Event Type: {event_type}', 'Event Category: {event_category}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetEventTypeString(event_type)
  Retrieves a string representation of the event type.
  Parameters:
    event_type (int) – event type.
  Returns: description of the event type.
  Return type: str
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
GetSeverityString(severity)
  Retrieves a string representation of the severity.
  Parameters:
    severity (int) – severity.
  Returns: description of the event severity.
  Return type: str
SOURCE_LONG = 'WinEVT'
SOURCE_SHORT = 'EVT'
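The pieces WinEVTFormatter derives from a record's identifier (the decimal and 0x%04x forms of {event_identifier}, the severity string and the event type string) follow fixed bit layouts, and the "Message string" piece is only meaningful once the template resolved through the formatter mediator has had the record's Strings inserted. The block below is an added example, not plaso's code: it splits a 32-bit Windows message identifier into the fields of the winerror.h layout (severity in bits 30-31, customer bit 29, facility in bits 27-16, code in bits 15-0), maps the EVENTLOG_*_TYPE header values to descriptions, and expands the %1..%n insertion placeholders of a message template. The EVENT_TYPES and SEVERITIES wording, the assumption that plaso's event_identifier is the low 16-bit code field, and the sample record are the example's own; the 7036 template is the standard Service Control Manager message.

```python
import re

# EVENTLOG_*_TYPE values from the Windows SDK (winnt.h); the descriptions are
# this example's wording, not necessarily the strings plaso emits.
EVENT_TYPES = {
    0x0001: 'Error event',
    0x0002: 'Warning event',
    0x0004: 'Information event',
    0x0008: 'Success Audit event',
    0x0010: 'Failure Audit event',
}

# Severity field (bits 30-31) of a Windows message identifier.
SEVERITIES = {0: 'Success', 1: 'Informational', 2: 'Warning', 3: 'Error'}

# Constructed sample record and the template its identifier resolves to.
SAMPLE_RECORD = {
    'identifier': 0x40001B7C,        # informational severity, code 7036
    'event_type': 0x0004,            # EVENTLOG_INFORMATION_TYPE
    'source_name': 'Service Control Manager',
    'computer_name': 'WORKSTATION01',
    'strings': ['Windows Update', 'running'],
}
SCM_7036_TEMPLATE = 'The %1 service entered the %2 state.'


def get_event_type_string(event_type):
    """Describes the event type from the record header; unknown values are kept."""
    return EVENT_TYPES.get(event_type, 'Unknown {0:d}'.format(event_type))


def get_severity_string(severity):
    """Describes the 2-bit severity field of a message identifier."""
    return SEVERITIES.get(severity, 'Unknown {0:d}'.format(severity))


def split_message_identifier(identifier):
    """Splits a 32-bit message identifier into severity, customer bit, facility and code.

    Assumption: the {event_identifier} plaso prints is the 16-bit code field,
    which is why the 0x{event_identifier:04x} piece fits in four hex digits.
    """
    return {
        'severity': (identifier >> 30) & 0x3,
        'customer': (identifier >> 29) & 0x1,
        'facility': (identifier >> 16) & 0xfff,
        'code': identifier & 0xffff,
    }


def expand_message_string(template, strings):
    """Substitutes %1..%n insertion placeholders with the record's strings.

    A placeholder without a matching string is left in place so a truncated
    record stays visible in the timeline instead of silently losing a field.
    Only bare %n is handled; %n!fmt! specifiers and %% escapes are not.
    """
    def _replace(match):
        index = int(match.group(1)) - 1
        if 0 <= index < len(strings):
            return strings[index]
        return match.group(0)
    return re.sub(r'%(\d+)', _replace, template)


def describe_record(record, template):
    """Returns the fields WinEVTFormatter would render, as a dictionary."""
    fields = split_message_identifier(record['identifier'])
    return {
        'event_identifier': fields['code'],
        'event_identifier_hex': '0x{0:04x}'.format(fields['code']),
        'facility': fields['facility'],
        'severity': get_severity_string(fields['severity']),
        'event_type': get_event_type_string(record['event_type']),
        'source_name': record['source_name'],
        'message_string': expand_message_string(template, record['strings']),
        'strings': record['strings'],
    }


if __name__ == '__main__':
    for key, value in describe_record(SAMPLE_RECORD, SCM_7036_TEMPLATE).items():
        print('{0:s}: {1!s}'.format(key, value))
```

The inserted strings are copied from the record, and in audit records they are chosen by whoever triggered the event (an account name in a failed logon, for instance), so treat the expanded message as data: never feed it into a second template or format step.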
plaso.formatters.winevt_rc module
Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile
Bases: object
Class that defines a sqlite3 database file.
GetValues(table_names, column_names, condition)
  Retrieves values from a table.
  Parameters:
    table_names (list[str]) – table names.
    column_names (list[str]) – column names.
    condition (str) – query condition such as "log_source == 'Application Error'". The condition is inserted into the query as-is, so it must be built from constants, never from event data.
  Yields: sqlite3.row – row.
  Raises: RuntimeError – if the database is not opened.
HasTable(table_name)
  Determines if a specific table exists.
  Parameters:
    table_name (str) – table name.
  Returns: True if the table exists.
  Return type: bool
  Raises: RuntimeError – if the database is not opened.
Open(filename, read_only=False)
  Opens the database file.
  Parameters:
    filename (str) – filename of the database.
    read_only (Optional[bool]) – True if the database should be opened in read-only mode. This mode is emulated by only permitting SELECT queries; it is not enforced by the SQLite engine.
  Returns: True if successful.
  Return type: bool
  Raises: RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader
Bases: object
Class to represent a sqlite3 database reader.

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader
Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader
Class to represent a sqlite3 Event Log resources database reader.
GetMessage(log_source, lcid, message_identifier)
  Retrieves a specific message for a specific Event Log source.
  Parameters:
    log_source (str) – Event Log source.
    lcid (int) – language code identifier (LCID).
    message_identifier (int) – message identifier.
  Returns: message string or None if not available.
  Return type: str
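Open emulates read-only access by filtering statements, and GetValues takes a free-form condition string. The added example below is not plaso's code: it shows the shape a practitioner would want for the same lookup when the resources database is itself evidence or comes from an untrusted source, opening the file through SQLite's real read-only URI mode (mode=ro, which Python's sqlite3 module supports) and binding log_source, lcid and message_identifier as query parameters rather than splicing a condition string. The message_table layout, its rows and the temporary fixture are this example's own assumptions, not the schema of the database plaso ships.

```python
import os
import pathlib
import sqlite3
import tempfile


def build_sample_database(path):
    """Constructed fixture: a resources table in the shape this example assumes."""
    connection = sqlite3.connect(path)
    with connection:
        connection.execute(
            'CREATE TABLE message_table ('
            'log_source TEXT, lcid INTEGER, message_identifier INTEGER, '
            'message_string TEXT)')
        connection.executemany(
            'INSERT INTO message_table VALUES (?, ?, ?, ?)', [
                ('Service Control Manager', 0x0409, 0x40001B7C,
                 'The %1 service entered the %2 state.'),
                ('Service Control Manager', 0x0409, 0xC0001B7A,
                 'The %1 service terminated unexpectedly. It has done this %2 time(s).'),
            ])
    connection.close()


class ReadOnlyResourcesDatabase:
    """GetMessage-style lookups on a sqlite3 file the engine refuses to modify."""

    def __init__(self, path):
        # file:...?mode=ro is enforced by SQLite itself, so no statement filter
        # is needed; the URI form requires uri=True and an absolute path.
        uri = pathlib.Path(path).resolve().as_uri() + '?mode=ro'
        self._connection = sqlite3.connect(uri, uri=True)

    def close(self):
        self._connection.close()

    def has_table(self, table_name):
        """True if the table exists; the name is bound, never interpolated."""
        cursor = self._connection.execute(
            'SELECT 1 FROM sqlite_master WHERE type = ? AND name = ?',
            ('table', table_name))
        return cursor.fetchone() is not None

    def get_message(self, log_source, lcid, message_identifier):
        """Returns the message template for a source, LCID and identifier, or None."""
        cursor = self._connection.execute(
            'SELECT message_string FROM message_table '
            'WHERE log_source = ? AND lcid = ? AND message_identifier = ?',
            (log_source, lcid, message_identifier))
        row = cursor.fetchone()
        return row[0] if row else None

    def writes_are_rejected(self):
        """Shows that a write fails inside the engine, not in a query filter."""
        try:
            self._connection.execute('DELETE FROM message_table')
        except sqlite3.OperationalError:
            return True
        return False


def lookup_in_sample_database(log_source, lcid, message_identifier):
    """Builds the fixture in a temporary directory and performs one lookup.

    Returns (message template or None, whether message_table exists,
    whether a write attempt was rejected).
    """
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, 'winevt-rc.db')
        build_sample_database(path)
        database = ReadOnlyResourcesDatabase(path)
        try:
            return (
                database.get_message(log_source, lcid, message_identifier),
                database.has_table('message_table'),
                database.writes_are_rejected())
        finally:
            database.close()


if __name__ == '__main__':
    print(lookup_in_sample_database('Service Control Manager', 0x0409, 0x40001B7C))
```

With bound parameters a log source such as `' OR 1=1 --` is just a string that matches nothing; with a spliced condition it would rewrite the query.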
plaso.formatters.winevtx module
The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows XML EventLog (EVTX) record event.
DATA_TYPE = 'windows:evtx:record'
FORMAT_STRING_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Source Name: {source_name}', 'Message string: {message_string}', 'Strings: {strings}', 'Computer Name: {computer_name}', 'Record Number: {record_number}', 'Event Level: {event_level}']
FORMAT_STRING_SHORT_PIECES = ['[{event_identifier} /', '0x{event_identifier:04x}]', 'Strings: {strings}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'WinEVTX'
SOURCE_SHORT = 'EVT'

plaso.formatters.winfirewall module
The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows firewall log entry event.
DATA_TYPE = 'windows:firewall:log_entry'
FORMAT_STRING_PIECES = ['{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}', ':{source_port}', '>', '{dest_ip}', ':{dest_port}', 'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}', 'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}', 'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}', 'Additional info: {info}']
FORMAT_STRING_SHORT_PIECES = ['{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>', '{dest_ip}', ': {dest_port}']
SOURCE_LONG = 'Windows Firewall Log'
SOURCE_SHORT = 'LOG'

plaso.formatters.winjob module
The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Scheduled Task (job) event.
DATA_TYPE = 'windows:tasks:job'
FORMAT_STRING_PIECES = ['Application: {application}', '{parameters}', 'Scheduled by: {username}', 'Working directory: {working_directory}', 'Trigger type: {trigger_type}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Windows Scheduled Task Job'
SOURCE_SHORT = 'JOB'

plaso.formatters.winlnk module
The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Shortcut (LNK) link event.
DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = ['[{description}]', 'File size: {file_size}', 'File attribute flags: 0x{file_attribute_flags:08x}', 'Drive type: {drive_type}', 'Drive serial number: 0x{drive_serial_number:08x}', 'Volume label: {volume_label}', 'Local path: {local_path}', 'Network path: {network_path}', 'cmd arguments: {command_line_arguments}', 'env location: {env_var_location}', 'Relative path: {relative_path}', 'Working dir: {working_directory}', 'Icon location: {icon_location}', 'Link target: {link_target}']
FORMAT_STRING_SHORT_PIECES = ['[{description}]', '{linked_path}', '{command_line_arguments}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Windows Shortcut'
SOURCE_SHORT = 'LNK'

plaso.formatters.winlogon module
The Winlogon key event formatter.

class plaso.formatters.winlogon.WinlogonEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Winlogon event.
DATA_TYPE = 'windows:registry:winlogon'
FORMAT_STRING_PIECES = ['[{key_path}]', 'Application: {application}', 'Command: {command}', 'Handler: {handler}', 'Trigger: {trigger}']
FORMAT_STRING_SHORT_PIECES = ['[{key_path}]', 'Application: {application}', 'Command: {command}', 'Handler: {handler}', 'Trigger: {trigger}']
SOURCE_LONG = 'Registry Key : Winlogon'
SOURCE_SHORT = 'REG'
plaso.formatters.winprefetch module
The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Prefetch execution event.
DATA_TYPE = 'windows:prefetch:execution'
FORMAT_STRING_PIECES = ['Prefetch', '[{executable}] was executed -', 'run count {run_count}', 'path: {path}', 'hash: 0x{prefetch_hash:08X}', '{volumes_string}']
FORMAT_STRING_SHORT_PIECES = ['{executable} was run', '{run_count} time(s)']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'WinPrefetch'
SOURCE_SHORT = 'LOG'

plaso.formatters.winrar module
The WinRAR history event formatter.

class plaso.formatters.winrar.WinRARHistoryEventFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a WinRAR history event.
DATA_TYPE = 'winrar:history'
FORMAT_STRING = '[{key_path}] {entries}'
FORMAT_STRING_ALTERNATIVE = '{entries}'
SOURCE_LONG = 'Registry Key : WinRAR History'
SOURCE_SHORT = 'REG'

plaso.formatters.winreg module
The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter
Bases: plaso.formatters.interface.EventFormatter
Formatter for a Windows Registry key or value event.
DATA_TYPE = 'windows:registry:key_value'
FORMAT_STRING = '[{key_path}] {values}'
FORMAT_STRING_ALTERNATIVE = '{values}'
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
GetSources(event, event_data)
  Determines the short and long source for an event.
  Parameters:
    event (EventObject) – event.
    event_data (EventData) – event data.
  Returns: short and long source string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Registry Key'
SOURCE_SHORT = 'REG'
plaso.formatters.winrestore module
The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for a Windows Restore Point information event.
DATA_TYPE = 'windows:restore_point:info'
FORMAT_STRING_PIECES = ['{description}', 'Event type: {restore_point_event_type}', 'Restore point type: {restore_point_type}']
FORMAT_STRING_SHORT_PIECES = ['{description}']
GetMessages(formatter_mediator, event_data)
  Determines the formatted message strings for the event data.
  Parameters:
    formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
    event_data (EventData) – event data.
  Returns: formatted message string and short message string.
  Return type: tuple[str, str]
  Raises: WrongFormatter – if the event data cannot be formatted by the formatter.
SOURCE_LONG = 'Windows Restore Point'
SOURCE_SHORT = 'RP'

plaso.formatters.xchatlog module
The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an XChat log file entry event.
DATA_TYPE = 'xchat:log:line'
FORMAT_STRING_PIECES = ['[nickname: {nickname}]', '{text}']
SOURCE_LONG = 'XChat Log File'
SOURCE_SHORT = 'LOG'

plaso.formatters.xchatscrollback module
The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Formatter for an XChat scrollback file entry event.
DATA_TYPE = 'xchat:scrollback:line'
FORMAT_STRING_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']
FORMAT_STRING_SEPARATOR = ''
SOURCE_LONG = 'XChat Scrollback File'
SOURCE_SHORT = 'LOG'
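Most classes on this page are ConditionalEventFormatter subclasses that only declare FORMAT_STRING_PIECES, FORMAT_STRING_SHORT_PIECES and occasionally FORMAT_STRING_SEPARATOR, so what a message looks like depends entirely on which attributes the event data carries. The block below is an added example, not plaso's code, that models that behaviour for two entries above: the WinFirewallFormatter pieces, where a TCP entry and an ICMP entry drive very different subsets of the same piece list, and the XChatScrollbackFormatter pieces, whose empty separator makes the literal '[' and ']' pieces close up around the nickname. The inclusion rule (a piece is emitted only when every attribute it references is present and not None; 0 and '' count as present; pieces with no placeholder are always emitted; survivors are joined with the separator, ' ' by default) and the sample events are this example's own assumptions.

```python
import string

# Pieces copied from the WinFirewallFormatter and XChatScrollbackFormatter
# entries on this page; the formatter class and the sample events are this
# example's own construction.
WINFIREWALL_PIECES = [
    '{action}', '[', '{protocol}', '{path}', ']', 'From: {source_ip}',
    ':{source_port}', '>', '{dest_ip}', ':{dest_port}',
    'Size (bytes): {size}', 'Flags [{flags}]', 'TCP Seq Number: {tcp_seq}',
    'TCP ACK Number: {tcp_ack}', 'TCP Window Size (bytes): {tcp_win}',
    'ICMP type: {icmp_type}', 'ICMP code: {icmp_code}',
    'Additional info: {info}']
WINFIREWALL_SHORT_PIECES = [
    '{action}', '[{protocol}]', '{source_ip}', ': {source_port}', '>',
    '{dest_ip}', ': {dest_port}']
XCHAT_SCROLLBACK_PIECES = ['[', 'nickname: {nickname}', ']', ' {text}']

# Constructed event values shaped like windows:firewall:log_entry data:
# a dropped TCP SYN and an allowed ICMP echo request.
TCP_DROP = {
    'action': 'DROP', 'protocol': 'TCP', 'path': 'RECEIVE',
    'source_ip': '10.0.0.5', 'source_port': 51234,
    'dest_ip': '10.0.0.1', 'dest_port': 445, 'size': 52, 'flags': 'S',
    'tcp_seq': 123456789, 'tcp_ack': 0, 'tcp_win': 8192, 'info': None}
ICMP_ALLOW = {
    'action': 'ALLOW', 'protocol': 'ICMP', 'path': 'SEND',
    'source_ip': '10.0.0.5', 'dest_ip': '10.0.0.1', 'size': 60,
    'icmp_type': 8, 'icmp_code': 0}


def _attribute_names(piece):
    """Returns the attribute names a piece references ('[' references none)."""
    return [name for _, name, _, _ in string.Formatter().parse(piece) if name]


class ConditionalFormatter:
    """Emits each piece only when every attribute it references is present.

    Assumed rule, modelled on the documented class attributes: a missing key
    or a None value drops the piece; 0 and '' are real values and keep it;
    pieces without placeholders are always emitted; the survivors are joined
    with the separator.
    """

    def __init__(self, pieces, short_pieces=None, separator=' '):
        self.pieces = pieces
        self.short_pieces = pieces if short_pieces is None else short_pieces
        self.separator = separator

    def _format(self, pieces, event_values):
        parts = []
        for piece in pieces:
            names = _attribute_names(piece)
            if all(event_values.get(name) is not None for name in names):
                parts.append(piece.format(**event_values))
        return self.separator.join(parts)

    def get_messages(self, event_values):
        """Returns (message, short message), like GetMessages on this page."""
        return (self._format(self.pieces, event_values),
                self._format(self.short_pieces, event_values))


def format_firewall_entry(event_values):
    formatter = ConditionalFormatter(WINFIREWALL_PIECES, WINFIREWALL_SHORT_PIECES)
    return formatter.get_messages(event_values)


def format_xchat_scrollback(event_values):
    # FORMAT_STRING_SEPARATOR = '' on XChatScrollbackFormatter: the pieces
    # carry their own spacing, so '[' and ']' close up around the nickname.
    formatter = ConditionalFormatter(XCHAT_SCROLLBACK_PIECES, separator='')
    return formatter.get_messages(event_values)


if __name__ == '__main__':
    for values in (TCP_DROP, ICMP_ALLOW):
        print(format_firewall_entry(values))
    print(format_xchat_scrollback({'nickname': 'alice', 'text': 'hello'}))
    print(format_xchat_scrollback({'text': '*** server notice ***'}))
```

The event values are evidence and land in the message verbatim: str.format substitutes them without parsing them, so a value containing braces cannot inject a field, but control characters and newlines pass straight through, which matters when the output goes to a terminal or into a CSV.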
plaso.formatters.zeitgeist module
The Zeitgeist event formatter.

plaso.formatters.zsh_extended_history module
The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter
Bases: plaso.formatters.interface.ConditionalEventFormatter
Class for the Zsh event formatter.
DATA_TYPE = 'shell:zsh:history'
FORMAT_STRING_PIECES = ['{command}', 'Time elapsed: {elapsed_seconds} seconds']
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_SHORT_PIECES = ['{command}']
SOURCE_LONG = 'Zsh Extended History'
SOURCE_SHORT = 'HIST'

Module contents
This file contains an import statement for each formatter.