plaso.parsers package¶

Subpackages¶

Submodules¶

plaso.parsers.amcache module¶

File containing a Windows Registry plugin to parse the Amcache Hive.

class plaso.parsers.amcache.AmcacheEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache event data.

full_path¶

full path of file

Type: str

sha1¶

sha1 of file

Type: str

productname¶

product name file belongs to

Type: str

companyname¶

company name that created product file belongs to

Type: str

fileversion¶

version of file

Type: str

languagecode¶

language code of file

Type: int

filesize¶

size of file in bytes

Type: int

filedescription¶

description of file

Type: str

linkerts¶

unix timestamp when file was linked

Type: int

lastmodifiedts¶

filetime timestamp of last modified datetime of file

Type: int

createdtd¶

filetime timestamp of created datetime of file

Type: int

programid¶

GUID of entry under Root/Program key file belongs to

Type: str

DATA_TYPE = 'windows:registry:amcache'¶

class plaso.parsers.amcache.AmcacheParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Amcache Registry plugin for recently run programs.

DESCRIPTION = 'Parser for Amcache Registry entries.'¶

NAME = 'amcache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Amcache.hve file for events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

URLS = ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html']¶

class plaso.parsers.amcache.AmcacheProgramEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache programs event data.

name¶

name of installed program

Type: str

version¶

version of program

Type: str

publisher¶

publisher of program

Type: str

languagecode¶

languagecode of program

Type: int

entrytype¶

type of entry (usually AddRemoveProgram)

Type: str

uninstallkey¶

unicode string of uninstall registry key for program

Type: str

filepath¶

file path of installed program

Type: str

productcode¶

product code of program

Type: str

packagecode¶

package code of program

Type: str

msiproductcode¶

MSI product code of program

Type: str

msipackagecode¶

MSI package code of program

Type: str

files¶

list of files belonging to program

Type: str

DATA_TYPE = 'windows:registry:amcache:programs'¶

plaso.parsers.android_app_usage module¶

Parser for the Android usage-history.xml files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData[source]¶

Bases: plaso.containers.events.EventData

Android Application event data.

package_name¶

name of the Android application.

Type: str

component_name¶

name of the individual component of the application.

Type: str

DATA_TYPE = 'android:event:last_resume_time'¶

class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Android usage-history.xml file.

DESCRIPTION = 'Parser for Android usage-history.xml files.'¶

NAME = 'android_app_usage'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Android usage-history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.apache_access module¶

Apache access log (access.log) parser.

Parser based on the two default apache formats, common and combined log format defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.apache_access.ApacheAccessEventData[source]¶

Bases: plaso.containers.events.EventData

Apache access event data.

http_request_referer¶

http request referer header information.

Type: str

http_request¶

first line of http request.

Type: str

http_request_user_agent¶

http request user agent header information.

Type: str

http_response_bytes¶

http response bytes size without headers.

Type: int

http_response_code¶

http response code from server.

Type: int

ip_address¶

IPv4 or IPv6 addresses.

Type: str

remote_name¶

remote logname (from identd, if supplied).

Type: str

user_name¶

logged user name.

Type: str

DATA_TYPE = 'apache:access'¶

class plaso.parsers.apache_access.ApacheAccessParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Apache access log file parser

DESCRIPTION = 'Apache access Parser'¶

LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd}), ('common_log_format', {{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} lineEnd})]¶

MAX_LINE_LENGTH = 2048¶

NAME = 'apache_access'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is an apache access log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.asl module¶

The Apple System Log Parser.

class plaso.parsers.asl.ASLEventData[source]¶

Bases: plaso.containers.events.EventData

Convenience class for an ASL event.

computer_name¶

name of the host.

Type: str

extra_information¶

extra fields associated to the event.

Type: str

facility¶

facility.

Type: str

group_id¶

group identifier (GID).

Type: int

level¶

level of criticality of the event.

Type: str

message_id¶

message identifier.

Type: int

message¶

message of the event.

Type: str

pid¶

process identifier (PID).

Type: int

read_uid¶

user identifier that can read this file, where -1 represents all.

Type: int

read_gid¶

the group identifier that can read this file, where -1 represents all.

Type: int

record_position¶

position of the event record.

Type: int

sender¶

sender or process that created the event.

Type: str

user_sid¶

user identifier (UID).

Type: str

DATA_TYPE = 'mac:asl:event'¶

class plaso.parsers.asl.ASLParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for ASL log files.

DESCRIPTION = 'Parser for ASL log files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'asl_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ASL file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bash_history module¶

Parser for bash history files.

class plaso.parsers.bash_history.BashHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Bash history log event data.

command¶

command that was executed.

Type: str

DATA_TYPE = 'bash:history:command'¶

class plaso.parsers.bash_history.BashHistoryParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Bash history files.

DESCRIPTION = 'Parser for Bash history files'¶

LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]¶

NAME = 'bash'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a record and produces a Bash history event.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a bash history file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.bencode_parser module¶

This file contains the Bencode Parser.

Plaso’s engine calls BencodeParser when it encounters bencoded files to be processed, typically seen for BitTorrent data.

class plaso.parsers.bencode_parser.BencodeParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Deserializes bencoded file; produces a dictionary containing bencoded data.

The Plaso engine calls parsers by their Parse() method. The Parse() function deserializes bencoded files using the BitTorrent-bencode library and calls plugins (BencodePlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a bencoded file, each plugin holds logic specific to a particular bencoded file. See the bencode_plugins / directory for examples of how bencode plugins are implemented.

BENCODE_RE = re.compile(b'd[0-9]')¶

DESCRIPTION = 'Parser for bencoded files.'¶

NAME = 'bencode'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a bencoded file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bsm module¶

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData[source]¶

Bases: plaso.containers.events.EventData

Basic Security Module (BSM) audit event data.

event_type¶

identifier that represents the type of the event.

Type: int

extra_tokens¶

event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

Type: list[dict[str, dict[str, str]]]

record_length¶

record length in bytes (trailer number).

Type: int

return_value¶

processed return value and exit status.

Type: str

DATA_TYPE = 'bsm:event'¶

class plaso.parsers.bsm.BSMParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for BSM files.

DESCRIPTION = 'Parser for BSM log files.'¶

NAME = 'bsm_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a BSM file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_cache module¶

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]¶

Bases: object

Chrome cache address.

block_number¶

block data file number.

Type: int

block_offset¶

offset within the block data file.

Type: int

block_size¶

block size.

Type: int

filename¶

name of the block data file.

Type: str

value¶

cache address.

Type: int

FILE_TYPE_BLOCK_1024 = 3¶

FILE_TYPE_BLOCK_256 = 2¶

FILE_TYPE_BLOCK_4096 = 4¶

FILE_TYPE_BLOCK_RANKINGS = 1¶

FILE_TYPE_SEPARATE = 0¶

class plaso.parsers.chrome_cache.CacheEntry[source]¶

Bases: object

Chrome cache entry.

creation_time¶

creation time, in number of microseconds since since January 1, 1601, 00:00:00 UTC.

Type: int

hash¶

super fast hash of the key.

Type: int

key¶

key.

Type: bytes

next¶

cache address of the next cache entry.

Type: int

original_url¶

original URL derived from the key.

Type: str

rankings_node¶

cache address of the rankings node.

Type: int

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]¶

Parses a cache entry.

Parameters

file_object (dfvfs.FileIO) – a file-like object to read from.
block_offset (int) – block offset of the cache entry.

Returns

cache entry.

Return type

CacheEntry

Raises

ParseError – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Cache event data.

original_url¶

original URL.

Type: str

DATA_TYPE = 'chrome:cache:entry'¶

class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache index file parser.

creation_time¶

creation time, in number of number of microseconds since January 1, 1601, 00:00:00 UTC.

Type: int

index_table¶

the cache addresses which are stored in the index file.

Type: list[CacheAddress]

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses Chrome Cache files.

DESCRIPTION = 'Parser for Chrome Cache files.'¶

NAME = 'chrome_cache'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses Chrome Cache files.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_entry (dfvfs.FileEntry) – file entry.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_preferences module¶

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome content settings exceptions event data.

permission¶

permission.

Type: str

primary_url¶

primary URL.

Type: str

secondary_url¶

secondary URL.

Type: str

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'¶

class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension event data.

extension_id¶

extension identifier.

Type: str

extension_name¶

extension name.

Type: str

path¶

path.

Type: str

DATA_TYPE = 'chrome:preferences:extension_installation'¶

class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension Autoupdater event data.

message¶

message.

Type: str

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'¶

class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome history clearing event data.

message¶

message.

Type: str

DATA_TYPE = 'chrome:preferences:clear_history'¶

class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Chrome Preferences files.

DESCRIPTION = 'Parser for Chrome Preferences files.'¶

NAME = 'chrome_preferences'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Chrome preferences file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})¶

plaso.parsers.cups_ipp module¶

The CUPS IPP files parser.

CUPS IPP version 1.0: * http://tools.ietf.org/html/rfc2565 * http://tools.ietf.org/html/rfc2566 * http://tools.ietf.org/html/rfc2567 * http://tools.ietf.org/html/rfc2568 * http://tools.ietf.org/html/rfc2569 * http://tools.ietf.org/html/rfc2639

CUPS IPP version 1.1: * http://tools.ietf.org/html/rfc2910 * http://tools.ietf.org/html/rfc2911 * http://tools.ietf.org/html/rfc3196 * http://tools.ietf.org/html/rfc3510

CUPS IPP version 2.0: * N/A

class plaso.parsers.cups_ipp.CupsIppEventData[source]¶

Bases: plaso.containers.events.EventData

CUPS IPP event data.

application¶

application that prints the document.

Type: str

data_dict¶

parsed data coming from the file.

Type: dict[str, object]

computer_name¶

name of the computer.

Type: str

copies¶

number of copies.

Type: int

doc_type¶

type of document.

Type: str

job_id¶

job identifier.

Type: str

job_name¶

job name.

Type: str

owner¶

real name of the user.

Type: str

printer_id¶

identification name of the print.

Type: str

uri¶

URL of the CUPS service.

Type: str

user¶

system user name.

Type: str

DATA_TYPE = 'cups:ipp:event'¶

class plaso.parsers.cups_ipp.CupsIppParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for CUPS IPP files.

DESCRIPTION = 'Parser for CUPS IPP files.'¶

NAME = 'cups_ipp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a CUPS IPP file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.custom_destinations module¶

Parser for .customDestinations-ms files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses .customDestinations-ms files.

DESCRIPTION = 'Parser for *.customDestinations-ms files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'custom_destinations'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a .customDestinations-ms file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.czip module¶

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for parsing compound zip files.

Compound zip files are zip files used as containers to create another file format, as opposed to archives of unrelated files.

DESCRIPTION = 'Parser for compound ZIP files.'¶

NAME = 'czip'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a compound ZIP file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.docker module¶

Parser for Docker configuration and log files.

class plaso.parsers.docker.DockerJSONContainerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s configuration file event data.

action¶

whether the container was created, started, or finished.

Type: str

container_id¶

identifier of the container (SHA256).

Type: str

container_name¶

name of the container.

Type: str

DATA_TYPE = 'docker:json:container'¶

class plaso.parsers.docker.DockerJSONContainerLogEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s log event data.

container_id¶

identifier of the container (sha256).

Type: str

log_line¶

log line.

Type: str

log_source¶

log source.

Type: str

DATA_TYPE = 'docker:json:container:log'¶

class plaso.parsers.docker.DockerJSONLayerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker filesystem layer configuration file event data.

command¶: the command used which made Docker create a new layer

layer_id¶: the identifier of the current Docker layer (sha1)

DATA_TYPE = 'docker:json:layer'¶

class plaso.parsers.docker.DockerJSONParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Generates various events from Docker json config and log files.

This handles : * Per container config file

DOCKER_DIR/containers/<container_id>/config.json

Per container stdout/stderr output log DOCKER_DIR/containers/<container_id>/<container_id>-json.log
Filesystem layer config files DOCKER_DIR/graph/<layer_id>/json

DESCRIPTION = 'Parser for JSON Docker files.'¶

NAME = 'dockerjson'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses various Docker configuration and log files in JSON format.

This methods checks whether the file_object points to a docker JSON config or log file, and calls the corresponding _Parse* function to generate Events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.
ValueError – if the JSON file cannot be decoded.

plaso.parsers.dpkg module¶

This file contains the Debian dpkg.log file parser.

Information updated 02 September 2016.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command Where type is:

archives (with a command of unpack or install) packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version Where action is:

install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision Where decision is install or keep.

class plaso.parsers.dpkg.DpkgEventData[source]¶

Bases: plaso.containers.events.EventData

Dpkg event data.

body¶

body of the log line.

Type: str

DATA_TYPE = 'dpkg:line'¶

class plaso.parsers.dpkg.DpkgParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for Debian dpkg.log files.

DESCRIPTION = 'Parser for Debian dpkg.log files.'¶

LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]¶

NAME = 'dpkg'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters

parser_mediator (ParserMediator) – parser mediator.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters

parser_mediator (ParserMediator) – parser mediator.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.dsv_parser module¶

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser(encoding=None)[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []¶

DELIMITER = b','¶

FIELD_SIZE_LIMIT = 131072¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NUMBER_OF_HEADER_LINES = 0¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a DSV text file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – offset of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = b'"'¶

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.dtfabric_parser module¶

Shared functionality for dtFabric-based data format parsers.

class plaso.parsers.dtfabric_parser.DtFabricBaseParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for dtFabric-based data format parsers.

A dtFabric-based data format parser defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size¶: 4

units¶: bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

name: y data_type: int32
name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dfvfs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.esedb module¶

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]¶

Store a dict object in cache.

Parameters

attribute_name (str) – name of the attribute.
dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DESCRIPTION = 'Parser for Extensible Storage Engine (ESE) database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'esedb'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ESE database file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.filestat module¶

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData[source]¶

Bases: plaso.containers.events.EventData

File system stat event data.

file_entry_type¶

dfVFS file entry type.

Type: int

file_size¶

file size in bytes.

Type: int

file_system_type¶

file system type.

Type: str

is_allocated¶

True if the file is allocated.

Type: bool

offset¶

the offset of the stat data in bytes.

Type: int

DATA_TYPE = 'fs:stat'¶

class plaso.parsers.filestat.FileStatParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses file system stat object.

DESCRIPTION = 'Parser for file system stat information.'¶

NAME = 'filestat'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module¶

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 2 files (Firefox 32 or later).

DESCRIPTION = 'Parser for Firefox Cache version 2 files (Firefox 32 or later).'¶

NAME = 'firefox_cache2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Firefox cache event data.

data_size¶

size of the cached data.

Type: int

fetch_count¶

number of times the cache entry was fetched.

Type: int

frequency¶

???

Type: int

info_size¶

size of the metadata.

Type: int

location¶

???

Type: str

request_method¶

HTTP request method.

Type: str

request_size¶

HTTP request byte size.

Type: int

response_code¶

HTTP response code.

Type: int

url¶

URL of original content.

Type: str

version¶

cache format version.

Type: int

DATA_TYPE = 'firefox:cache:record'¶

class plaso.parsers.firefox_cache.FirefoxCacheParser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DESCRIPTION = 'Parser for Firefox Cache version 1 files (Firefox 31 or earlier).'¶

FIREFOX_CACHE_CONFIG¶: alias of firefox_cache_config

NAME = 'firefox_cache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.fseventsd module¶

Parsers for MacOS fseventsd files.

class plaso.parsers.fseventsd.FseventsdEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS file system event (fseventsd) event data

event_identifier¶

the record event identifier.

Type: int

flags¶

flags stored in the record.

Type: int

node_identifier¶

file system node identifier related to the file system event.

Type: int

path¶

path recorded in the fseventsd record.

Type: str

DATA_TYPE = 'macos:fseventsd:record'¶

class plaso.parsers.fseventsd.FseventsdParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.

DESCRIPTION = 'Parser for fseventsd files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'fsevents'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an fseventsd file.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.gdrive_synclog module¶

Parser for Google Drive Sync log files.

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData[source]¶

Bases: plaso.containers.events.EventData

Google Drive Sync log event data.

log_level¶

logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.

Type: str

message¶

log message.

Type: str

pid¶

process identifier of process which logged event.

Type: int

source_code¶

filename:line_number of source file which logged event.

Type: str

thread¶

colon-separated thread identifier in the form “ID:name” which logged event.

Type: str

time¶

date and time of the log entry event with timezone offset.

Type: str

DATA_TYPE = 'gdrive_sync:log:line'¶

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Google Drive Sync log files.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for Google Drive Sync log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}) W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)})})} [lineEnd]...})]¶

NAME = 'gdrive_synclog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a Google Drive Sync log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.iis module¶

Parser for Windows IIS Log file.

More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx

class plaso.parsers.iis.IISEventData[source]¶

Bases: plaso.containers.events.EventData

IIS log event data.

Attributes:

DATA_TYPE = 'iis:log:line'¶

class plaso.parsers.iis.WinIISParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses a Microsoft IIS log file.

BLANK = "-"¶

COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}¶

DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}¶

DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}¶

DESCRIPTION = 'Parser for Microsoft IIS log files.'¶

FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}¶

INTEGER = {W:(0123...) | "-"}¶

IP_ADDRESS = {{IPv4 address | IPv6 address} | "-"}¶

LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]¶

LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}¶

NAME = 'winiis'¶

PORT = {W:(0123...) | "-"}¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure parsed from the log file.

Raises

ParseError – when the structure type is unknown.

QUERY = {W:(ABCD...) | "-"}¶

URI = {W:(ABCD...) | "-"}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is an IIS log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line was successfully parsed.

Return type

bool

WORD = {W:(ABCD...) | "-"}¶

plaso.parsers.interface module¶

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]¶

Bases: object

File entry filter interface.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool

class plaso.parsers.interface.BaseParser[source]¶

Bases: object

The parser interface.

DESCRIPTION = ''¶

classmethod DeregisterPlugin(plugin_class)[source]¶

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset({})¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

classmethod GetPluginObjectByName(plugin_name)[source]¶

Retrieves a specific plugin object by its name.

Parameters: plugin_name (str) – name of the plugin.
Returns: a plugin object or None if not available.
Return type: BasePlugin

classmethod GetPlugins()[source]¶

Retrieves the registered plugins.

Yields: tuple[str, type] – name and class of the plugin.

NAME = 'base_parser'¶

classmethod RegisterPlugin(plugin_class)[source]¶

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters: plugin_class (type) – class of the plugin.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]¶

Registers plugin classes.

Parameters: plugin_classes (list[type]) – classes of plugins.
Raises: KeyError – if plugin class is already set for the corresponding name.

classmethod SupportsPlugins()[source]¶

Determines if a parser supports plugins.

Returns: True if the parser supports plugins.
Return type: bool

class plaso.parsers.interface.FileEntryParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]¶

Parsers the file entry and extracts event objects.

Parameters: parser_mediator (ParserMediator) – a parser mediator.
Raises: UnableToParseFile – when the file cannot be parsed.

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_entry (dfvfs.FileEntry) – a file entry to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]¶

Bases: plaso.parsers.interface.BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters: file_entry (dfvfs.FileEntry) – a file entry.
Returns: True if the file entry matches the filter.
Return type: bool

class plaso.parsers.interface.FileObjectParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]¶

Parses a single file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters

parser_mediator (ParserMediator) – a parser mediator.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.java_idx module¶

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData[source]¶

Bases: plaso.containers.events.EventData

Java IDX cache file event data.

idx_version¶

format version of IDX file.

Type: str

ip_address¶

IP address of the host in the URL.

Type: str

url¶

URL of the downloaded file.

Type: str

DATA_TYPE = 'java:download:idx'¶

class plaso.parsers.java_idx.JavaIDXParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable-lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

DESCRIPTION = 'Parser for Java WebStart Cache IDX files.'¶

NAME = 'java_idx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Java WebStart Cache IDX file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dvfvs.FileIO) – a file-like object to parse.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.logger module¶

The parsers sub module logger.

plaso.parsers.mac_appfirewall module¶

This file contains a appfirewall.log (MacOS Firewall) parser.

class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS Firewall log event data.

action¶

action.

Type: str

agent¶

agent that save the log.

Type: str

computer_name¶

name of the computer.

Type: str

process_name¶

name of the entity that tried do the action.

Type: str

status¶

saved status action.

Type: str

DATA_TYPE = 'mac:appfirewall:line'¶

class plaso.parsers.mac_appfirewall.MacAppFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on appfirewall.log file.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for appfirewall.log files.'¶

FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}¶

LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]¶

NAME = 'mac_appfirewall_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac AppFirewall log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mac_keychain module¶

Parser for MacOS Keychain files.

class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain application password record event data.

account_name¶

name of the account.

Type: str

comments¶

comments added by the user.

Type: str

entry_name¶

name of the entry.

Type: str

ssgp_hash¶

password/certificate hash formatted as an hexadecimal string.

Type: str

text_description¶

description.

Type: str

DATA_TYPE = 'mac:keychain:application'¶

class plaso.parsers.mac_keychain.KeychainDatabaseColumn[source]¶

Bases: object

MacOS keychain database column.

attribute_data_type¶

attribute (data) type.

Type: int

attribute_identifier¶

attribute identifier.

Type: int

attribute_name¶

attribute name.

Type: str

class plaso.parsers.mac_keychain.KeychainDatabaseTable[source]¶

Bases: object

MacOS keychain database table.

columns¶

columns.

Type: list[KeychainDatabaseColumn]

records¶

records.

Type: list[dict[str, str]]

relation_identifier¶

relation identifier.

Type: int

relation_name¶

relation name.

Type: str

class plaso.parsers.mac_keychain.KeychainInternetRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain internet record event data.

account_name¶

name of the account.

Type: str

comments¶

comments added by the user.

Type: str

entry_name¶

name of the entry.

Type: str

protocol¶

internet protocol used, for example “https”.

Type: str

ssgp_hash¶

password/certificate hash formatted as an hexadecimal string.

Type: str

text_description¶

description.

Type: str

type_protocol¶

sub-protocol used, for example “form”.

Type: str

where¶

domain name or IP where the password is used.

Type: str

DATA_TYPE = 'mac:keychain:internet'¶

class plaso.parsers.mac_keychain.KeychainParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Keychain files.

DESCRIPTION = 'Parser for MacOS Keychain files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'mac_keychain'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MacOS keychain file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.mac_securityd module¶

This file contains the MacOS securityd log plaintext parser.

Also see:: http://opensource.apple.com/source/Security/Security-55471/sec/securityd/

class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS securityd log event data.

caller¶

caller, consists of two hex numbers.

Type: str

facility¶

facility.

Type: str

level¶

priority level.

Type: str

message¶

message.

Type: str

security_api¶

name of securityd function.

Type: str

sender_pid¶

process identifier of the sender.

Type: int

sender¶

name of the sender.

Type: str

DATA_TYPE = 'mac:securityd:line'¶

class plaso.parsers.mac_securityd.MacOSSecuritydLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the securityd file that contains logs from the security daemon.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for MacOS securityd log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]¶

NAME = 'mac_securityd'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}¶

SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a securityd log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mac_wifi module¶

This file contains the wifi.log (MacOS) parser.

class plaso.parsers.mac_wifi.MacWifiLogEventData[source]¶

Bases: plaso.containers.events.EventData

Mac Wifi log event data.

action¶

known WiFI action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).

Type: str

agent¶

name and identifier of process that generated the log message.

Type: str

function¶

name of function that generated the log message.

Type: str

text¶

log message

Type: str

DATA_TYPE = 'mac:wifilog:line'¶

class plaso.parsers.mac_wifi.MacWifiLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on wifi.log file.

DESCRIPTION = 'Parser for MacOS wifi.log files.'¶

LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD...,abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]¶

NAME = 'macwifi'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac Wifi log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.mactime module¶

Parser for the Sleuthkit (TSK) bodyfile or mactime format.

The format specifications can be read here:: http://wiki.sleuthkit.org/index.php?title=Body_file

class plaso.parsers.mactime.MactimeEventData[source]¶

Bases: plaso.containers.events.EventData

Mactime event data.

filename¶

name of the file.

Type: str

inode¶

“inode” of the file. Note that inode is an overloaded term in the context of mactime and used for MFT entry index values as well.

Type: int

md5¶

MD5 hash of the file content, formatted as a hexadecimal string.

Type: str

mode_as_string¶

protection mode.

Type: str

offset¶

number of the corresponding line.

Type: int

size¶

size of the file content.

Type: int

user_gid¶

user group identifier (GID).

Type: int

user_sid¶

user security identifier (SID).

Type: str

DATA_TYPE = 'fs:mactime:line'¶

class plaso.parsers.mactime.MactimeParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

SleuthKit bodyfile parser.

COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime']¶

DELIMITER = b'|'¶

DESCRIPTION = 'Parser for SleuthKit version 3 bodyfiles.'¶

NAME = 'mactime'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – number of the corresponding line.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.manager module¶

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]¶

Bases: object

The parsers and plugins manager.

classmethod CreateSignatureScanner(specification_store)[source]¶

Creates a signature scanner for format specifications with signatures.

Parameters: specification_store (FormatSpecificationStore) – format specifications with signatures.
Returns: signature scanner.
Return type: pysigscan.scanner

classmethod DeregisterParser(parser_class)[source]¶

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters: parser_class (type) – parser class (subclass of BaseParser).
Raises: KeyError – if parser class is not set for the corresponding name.

classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]¶

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Returns

containing:

FormatSpecificationStore: format specifications with signatures.
list[str]: names of parsers that do not have format specifications with
signatures, or have signatures but also need to be applied ‘brute force’.

Return type

tuple

classmethod GetNamesOfParsersWithPlugins()[source]¶

Retrieves the names of all parsers with plugins.

Returns: names of all parsers with plugins.
Return type: list[str]

classmethod GetParserAndPluginNames(parser_filter_expression=None)[source]¶

Retrieves the parser and parser plugin names.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: parser and parser plugin names.
Return type: list[str]

classmethod GetParserObjectByName(parser_name)[source]¶

Retrieves a specific parser object by its name.

Parameters: parser_name (str) – name of the parser.
Returns: parser object or None.
Return type: BaseParser

classmethod GetParserObjects(parser_filter_expression=None)[source]¶

Retrieves the parser objects.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: parsers per name.
Return type: dict[str, BaseParser]

classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]¶

Retrieves the parser plugins information.

Parameters: parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns: pairs of parser plugin names and descriptions.
Return type: list[tuple[str, str]]

classmethod GetParsers(parser_filter_expression=None)[source]¶

Retrieves the registered parsers and plugins.

Retrieves a dictionary of all registered parsers and associated plugins from a parser filter string. The filter string can contain direct names of parsers, presets or plugins. The filter string can also negate selection if prepended with an exclamation point, e.g.: “foo,!foo/bar” would include parser foo but not include plugin bar. A list of specific included and excluded plugins is also passed to each parser’s class.

The three types of entries in the filter string:

name of a parser: this would be the exact name of a single parser to include (or exclude), e.g. foo;
name of a preset, e.g. win7: the presets are defined in plaso/parsers/presets.py;
name of a plugin: if a plugin name is included the parent parser will be included in the list of registered parsers;

Parameters

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Yields

tuple – containing:

str: name of the parser:
type: parser class (subclass of BaseParser).

classmethod GetParsersInformation()[source]¶

Retrieves the parsers information.

Returns: parser names and descriptions.
Return type: list[tuple[str, str]]

classmethod GetPresets()[source]¶

Retrieves the preset definitions.

Returns

preset definition generator in alphabetical: order by name.

Return type

generator[PresetDefinition]

classmethod GetPresetsForOperatingSystem(operating_system, operating_system_product, operating_system_version)[source]¶

Determines the presets for a specific operating system.

Parameters

operating_system (str) – operating system for example “Windows”. This should be one of the values in definitions.OPERATING_SYSTEM_FAMILIES.
operating_system_product (str) – operating system product for example “Windows XP” as determined by preprocessing.
operating_system_version (str) – operating system version for example “5.1” as determined by preprocessing.

Returns

preset definitions, where an empty list: represents all parsers and parser plugins (no preset).

Return type

list[PresetDefinition]

classmethod GetPresetsInformation()[source]¶

Retrieves the presets information.

Returns

containing:

str: preset name str: comma separated parser names that are defined by the preset

Return type

list[tuple]

classmethod ReadPresetsFromFile(path)[source]¶

Reads parser and parser plugin presets from a file.

Parameters: path (str) – path of file that contains the the parser and parser plugin presets configuration.
Raises: MalformedPresetError – if one or more plugin preset definitions are malformed.

classmethod RegisterParser(parser_class)[source]¶

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters: parser_class (type) – parser class (subclass of BaseParser).
Raises: KeyError – if parser class is already set for the corresponding name.

classmethod RegisterParsers(parser_classes)[source]¶

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters: parser_classes (list[type]) – parsers classes (subclasses of BaseParser).
Raises: KeyError – if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module¶

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData[source]¶

Bases: plaso.containers.events.EventData

McAfee AV Log event data.

action¶

action.

Type: str

filename¶

filename.

Type: str

rule¶

rule.

Type: str

status¶

status.

Type: str

trigger_location¶

trigger location.

Type: str

username¶

username.

Type: str

DATA_TYPE = 'av:mcafee:accessprotectionlog'¶

class plaso.parsers.mcafeeav.McafeeAccessProtectionParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']¶

DELIMITER = b'\t'¶

DESCRIPTION = 'Parser for McAfee AV Access Protection log files.'¶

NAME = 'mcafee_protection'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.mediator module¶

plaso.parsers.msiecf module¶

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF leak event data.

cached_filename¶

name of the cached file.

Type: str

cached_file_size¶

size of the cached file.

Type: int

cache_directory_index¶

index of the cache directory.

Type: int

cache_directory_name¶

name of the cache directory.

Type: str

recovered¶

True if the item was recovered.

Type: bool

DATA_TYPE = 'msiecf:leak'¶

class plaso.parsers.msiecf.MSIECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses MSIE Cache Files (MSIECF).

DESCRIPTION = 'Parser for MSIE Cache Files (MSIECF) also known as index.dat.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'msiecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MSIE Cache File (MSIECF) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF redirected event data.

recovered¶

True if the item was recovered.

Type: bool

url¶

location URL.

Type: str

DATA_TYPE = 'msiecf:redirected'¶

class plaso.parsers.msiecf.MSIECFURLEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF URL event data.

cached_filename¶

name of the cached file.

Type: str

cached_file_size¶

size of the cached file.

Type: int

cache_directory_index¶

index of the cache directory.

Type: int

cache_directory_name¶

name of the cache directory.

Type: str

http_headers¶

HTTP headers.

Type: str

number_of_hits¶

number of hits.

Type: int

recovered¶

True if the item was recovered.

Type: bool

url¶

location URL.

Type: str

DATA_TYPE = 'msiecf:url'¶

plaso.parsers.ntfs module¶

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS file system stat event data.

attribute_type¶

attribute type e.g. 0x00000030 which represents $FILE_NAME.

Type: int

file_attribute_flags¶

NTFS file attribute flags.

Type: int

file_reference¶

NTFS file reference.

Type: int

file_system_type¶

file system type.

Type: str

is_allocated¶

True if the MFT entry is allocated (marked as in use).

Type: bool

name¶

name associated with the stat event, e.g. that of a $FILE_NAME attribute or None if not available.

Type: str

parent_file_reference¶

NTFS file reference of the parent.

Type: int

DATA_TYPE = 'fs:stat:ntfs'¶

class plaso.parsers.ntfs.NTFSMFTParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses a NTFS $MFT metadata file.

DESCRIPTION = 'Parser for NTFS $MFT metadata files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'mft'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $MFT metadata file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.ntfs.NTFSUSNChangeEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS USN change event data.

file_attribute_flags¶

NTFS file attribute flags.

Type: int

filename¶

name of the file associated with the event.

Type: str

file_reference¶

NTFS file reference.

Type: int

file_system_type¶

file system type.

Type: str

parent_file_reference¶

NTFS file reference of the parent.

Type: int

update_reason_flags¶

update reason flags.

Type: int

update_sequence_number¶

update sequence number.

Type: int

update_source_flags¶

update source flags.

Type: int

DATA_TYPE = 'fs:ntfs:usn_change'¶

class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses a NTFS USN change journal.

DESCRIPTION = 'Parser for NTFS USN change journal ($UsnJrnl).'¶

NAME = 'usnjrnl'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $UsnJrnl metadata file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.olecf module¶

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses OLE Compound Files (OLECF).

DESCRIPTION = 'Parser for OLE Compound Files (OLECF).'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'olecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an OLE Compound File (OLECF) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.opera module¶

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera global history entry data.

description¶

description.

Type: str

popularity_index¶

popularity index.

Type: int

title¶

title.

Type: str

url¶

URL.

Type: str

DATA_TYPE = 'opera:history:entry'¶

class plaso.parsers.opera.OperaGlobalHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera global_history.dat file.

DESCRIPTION = 'Parser for Opera global_history.dat files.'¶

NAME = 'opera_global'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera global history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera typed history entry data.

entry_selection¶

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type: str

entry_type¶

information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

Type: str

url¶

typed URL or hostname.

Type: str

DATA_TYPE = 'opera:history:typed_entry'¶

class plaso.parsers.opera.OperaTypedHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera typed_history.xml file.

DESCRIPTION = 'Parser for Opera typed_history.xml files.'¶

NAME = 'opera_typed_history'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera typed history file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pe module¶

A parser for Portable Executable format files.

class plaso.parsers.pe.PEEventData[source]¶

Bases: plaso.containers.events.EventData

Portable Executable (PE) event data.

dll_name¶

name of an imported DLL.

Type: str

imphash¶

“Import Hash” of the pe file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing

Type: str

pe_type¶

type of PE file the event relates to.

Type: str

section_names¶

names of the PE file’s sections.

Type: list[str]

DATA_TYPE = 'pe'¶

class plaso.parsers.pe.PEParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parser for Portable Executable (PE) files.

DESCRIPTION = 'Parser for Portable Executable (PE) files.'¶

classmethod GetFormatSpecification()[source]¶: Retrieves the format specification.

NAME = 'pe'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Portable Executable (PE) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.plist module¶

This file contains the Property List (Plist) Parser.

Plaso’s engine calls PlistParser when it encounters Plist files to be processed.

class plaso.parsers.plist.PlistParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses binary and text plist plist files.

The Plaso engine calls parsers by their Parse() method. This parser’s Parse() has GetTopLevel() which deserializes plist files using the biplist library and calls plugins (PlistPlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a plist file, each plugin holds logic specific to a particular plist file. See the interface and plist_plugins/ directory for examples of how plist plugins are implemented.

DESCRIPTION = 'Parser for binary and text plist files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

GetTopLevel(file_object)[source]¶

Returns the deserialized content of a plist as a dictionary object.

Parameters: file_object (dfvfs.FileIO) – a file-like object to parse.
Returns: contents of the plist.
Return type: dict[str, object]
Raises: UnableToParseFile – when the file cannot be parsed.

NAME = 'plist'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a plist file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.pls_recall module¶

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData[source]¶

Bases: plaso.containers.events.EventData

PL/SQL Recall event data.

database_name¶

name of the database.

Type: str

query¶

PL/SQL query.

Type: str

sequence_number¶

sequence number.

Type: int

username¶

username used to query.

Type: str

DATA_TYPE = 'PLSRecall:event'¶

class plaso.parsers.pls_recall.PlsRecallParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

TRecallRecord = packed record
Sequence: Integer; TimeStamp: TDateTime; Username: array[0..30] of Char; Database: array[0..80] of Char; Text: array[0..4000] of Char;

end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

DESCRIPTION = 'Parser for PL/SQL Recall files.'¶

NAME = 'pls_recall'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a PLSRecall.dat file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.plugins module¶

This file contains basic interface for plugins within Plaso.

This library serves a basis for all plugins in Plaso, whether that are Windows registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]¶

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common among several artifacts or files a plugin infrastructure can be written to make writing parsers simpler. The goal of a plugin is have only a single parser that understands the data structure that can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of certain database, such as Chrome history, or Skype history, etc. This can be done without needing to write a full fledged parser that needs to re-implement the data structure knowledge. A single parser can be created that calls the plugins to see if it knows that particular database.

Another example is Windows registry, there a single parser that can parse the registry can be made and the job of a single plugin is to parse a particular registry key. The parser can then read a registry key and compare it to a list of available plugins to see if it can be parsed.

DESCRIPTION = ''¶

NAME = 'base_plugin'¶

Process(parser_mediator, **kwargs)[source]¶

Evaluates if this is the correct plugin and processes data accordingly.

The purpose of the process function is to evaluate if this particular plugin is the correct one for the particular data structure at hand. This function accepts one value to use for evaluation, that could be a registry key, list of table names for a database or any other criteria that can be used to evaluate if the plugin should be run or not.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
kwargs (dict[str, object]) – Depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.

Raises

ValueError – when there are unused keyword arguments.

URLS = []¶

UpdateChainAndProcess(parser_mediator, **kwargs)[source]¶

Wrapper for Process() to synchronize the parser chain.

This convenience method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete. It provides a simpler parser API in most cases.

Parameters: parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

plugin_name¶: Return the name of the plugin.

class plaso.parsers.plugins.BasePluginCache[source]¶

Bases: object

A generic cache for parser plugins.

GetResults(attribute, default_value=None)[source]¶

Retrieves a cached attribute.

Parameters

attribute (str) – name of the cached attribute.
default_value (Optional[object]) – default value.

Returns

value of the cached attribute or default value if the cache: does not contain the attribute.

Return type

object

plaso.parsers.popcontest module¶

This file contains the Popularity Contest log file parser in plaso.

Information updated 20 january 2014. From Debian Package Popularity Contest Avery Pennarun <apenwarr@debian.org>

From ‘http://www.unix.com/man-page/Linux/8/popularity-contest/’:

The popularity-contest command gathers information about Debian pack- ages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to deter- mine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page http://popcon.debian.org/.

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity- contest/default.conf.

From ‘http://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 914183333 909868335 grep /bin/fgrep 914183333 909868280 findutils /usr/bin/find 914183330 909885698 dpkg-awk /usr/bin/dpkg-awk 914183330 909868577 gawk /usr/bin/gawk […more lines…] END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.’

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> will be probably get from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.popcontest.PopularityContestEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest event data.

mru¶

recently used app/library from package.

Type: str

package¶

installed packaged name, which the mru belongs to.

Type: str

record_tag¶

popularity context tag.

Type: str

DATA_TYPE = 'popularity_contest:log:event'¶

class plaso.parsers.popcontest.PopularityContestParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse popularity contest log files.

DESCRIPTION = 'Parser for popularity contest log files.'¶

FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}¶

HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}¶

LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]¶

LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}¶

MRU = W:(...)¶

NAME = 'popularity_contest'¶

PACKAGE = W:(0123...)¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure parsed from the log file.

Raises

ParseError – when the structure type is unknown.

TAG = quoted string, starting with < ending with >¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Popularity Contest log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line was successfully parsed.

Return type

bool

class plaso.parsers.popcontest.PopularityContestSessionEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest session event data.

details¶

version and host architecture.

Type: str

hostid¶

host uuid.

Type: str

session¶

session number.

Type: int

status¶

session status, either “start” or “end”.

Type: str

DATA_TYPE = 'popularity_contest:session:event'¶

plaso.parsers.presets module¶

The parser and parser plugin presets.

class plaso.parsers.presets.ParserPreset(name, parsers)[source]¶

Bases: object

Parser and parser plugin preset.

name¶

name of the preset.

Type: str

operating_systems¶

operating system artifact attribute containers, that specify to which operating systems the preset applies.

Type: list[OperatingSystemArtifact]

parsers¶

names of parser and parser plugins.

Type: list[str]

class plaso.parsers.presets.ParserPresetsManager[source]¶

Bases: object

The parsers and plugin presets manager.

GetNames()[source]¶

Retrieves the preset names.

Returns: preset names in alphabetical order.
Return type: list[str]

GetPresetByName(name)[source]¶

Retrieves a specific preset definition by name.

Parameters: name (str) – name of the preset.
Returns: a parser preset or None if not available.
Return type: ParserPreset

GetPresets()[source]¶

Retrieves the preset definitions.

Yields: ParserPreset – parser presets in alphabetical order by name.

GetPresetsByOperatingSystem(operating_system)[source]¶

Retrieves preset definitions for a specific operating system.

Parameters

operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.

Returns

preset definition that correspond with the: operating system.

Return type

list[PresetDefinition]

ReadFromFile(path)[source]¶

Reads parser and parser plugin presets from a file.

Parameters: path (str) – path of file that contains the the parser and parser plugin presets configuration.
Raises: MalformedPresetError – if one or more plugin preset definitions are malformed.

plaso.parsers.recycler module¶

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Recycle Bin event data.

drive_number¶

drive number.

Type: int

file_size¶

file size.

Type: int

original_filename¶

filename.

Type: str

record_index¶

index of the record on which the event is based.

Type: int

short_filename¶

short filename.

Type: str

DATA_TYPE = 'windows:metadata:deleted_item'¶

class plaso.parsers.recycler.WinRecycleBinParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows $Recycle.Bin $I files.

DESCRIPTION = 'Parser for Windows $Recycle.Bin $I files.'¶

NAME = 'recycle_bin'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows Recycler INFO2 file.

DESCRIPTION = 'Parser for Windows Recycler INFO2 files.'¶

NAME = 'recycle_bin_info2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycler INFO2 file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.safari_cookies module¶

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Safari Binary Cookie files.

DESCRIPTION = 'Parser for Safari Binary Cookie files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification for parser selection.

Returns: format specification.
Return type: FormatSpecification

NAME = 'binary_cookies'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Safari binary cookie file-like object.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – file-like object to be parsed.

Raises

UnableToParseFile – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData[source]¶

Bases: plaso.containers.events.EventData

Safari binary cookie event data.

cookie_name¶

cookie name.

Type: str

cookie_value¶

cookie value.

Type: str

flags¶

cookie flags.

Type: int

path¶

path of the cookie.

Type: str

url¶

URL where this cookie is valid.

Type: str

DATA_TYPE = 'safari:cookie:entry'¶

plaso.parsers.santa module¶

Santa log (santa.log) parser.

class plaso.parsers.santa.SantaExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Santa execution event data.

action¶

action recorded by Santa.

Type: str

decision¶

if the process was allowed or blocked.

Type: str

reason¶

reason behind santa decision to execute or block a process.

Type: str

process_hash¶

SHA256 hash for the executed process.

Type: str

certificate_hash¶

SHA256 hash for the certificate associated with the executed process.

Type: str

certificate_common_name¶

certificate common name.

Type: str

pid¶

process id for the process.

Type: str

ppid¶

parent process id for the executed process.

Type: str

uid¶

user id associated with the executed process.

Type: str

user¶

user name associated with the executed process.

Type: str

gid¶

group id associated with the executed process.

Type: str

group¶

group name associated with the executed process.

Type: str

mode¶

Santa execution mode, for example Monitor or Lockdown.

Type: str

process_path¶

process file path.

Type: str

process_arguments¶

executed process with its arguments.

Type: str

DATA_TYPE = 'santa:execution'¶

class plaso.parsers.santa.SantaFileSystemEventData[source]¶

Bases: plaso.containers.events.EventData

Santa file system event data.

action¶

event type recorded by Santa.

Type: str

file_path¶

file path and name for WRITE/DELETE events.

Type: str

file_new_path¶

new file path and name for RENAME events.

Type: str

pid¶

process id for the process.

Type: str

ppid¶

parent process id for the executed process.

Type: str

process¶

process name.

Type: str

process_path¶

process file path.

Type: str

uid¶

user id associated with the executed process.

Type: str

user¶

user name associated with the executed process.

Type: str

gid¶

group id associated with the executed process.

Type: str

group¶

group name associated with the executed process.

Type: str

DATA_TYPE = 'santa:file_system_event'¶

class plaso.parsers.santa.SantaMountEventData[source]¶

Bases: plaso.containers.events.EventData

Santa mount event data.

action¶

event type recorded by Santa.

Type: str

mount¶

disk mount point.

Type: str

volume¶

disk volume name.

Type: str

bsd_name¶

disk BSD name.

Type: str

fs¶

disk volume kind.

Type: str

model¶

disk model.

Type: str

serial¶

disk serial.

Type: str

bus¶

device protocol.

Type: str

dmg_path¶

DMG file path.

Type: str

appearance¶

disk appearance date.

Type: str

DATA_TYPE = 'santa:diskmount'¶

class plaso.parsers.santa.SantaParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses santa log files

DESCRIPTION = 'Santa Parser'¶

LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]¶

MAX_LINE_LENGTH = 16384¶

NAME = 'santa'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is a santa log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.sccm module¶

Parser for SCCM Logs.

class plaso.parsers.sccm.SCCMLogEventData[source]¶

Bases: plaso.containers.events.EventData

SCCM log event data.

component¶

component.

Type: str

text¶

text.

Type: str

DATA_TYPE = 'software_management:sccm:log'¶

class plaso.parsers.sccm.SCCMParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Windows System Center Configuration Manager (SCCM) logs.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for SCCM logs files.'¶

LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_STRUCTURES = [('log_entry', {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_at_end', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd}), ('log_entry_offset', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_offset_at_end', {{{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd})]¶

NAME = 'sccm'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse the record and return an SCCM log event object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies whether content corresponds to an SCCM log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.selinux module¶

This file contains SELinux audit.log file parser.

Information updated 16 january 2013.

An example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm=”httpd” path=”/home/auser/public_html” dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot e.g. seconds: 1105758604, milliseconds: 519.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.

References:

taste_of_training/Summit_2010_SELinux.pdf

class plaso.parsers.selinux.SELinuxLogEventData[source]¶

Bases: plaso.containers.events.EventData

SELinux log event data.

audit_type¶

audit type.

Type: str

body¶

body of the log line.

Type: str

pid¶

process identifier (PID) that created the SELinux log line.

Type: int

DATA_TYPE = 'selinux:line'¶

class plaso.parsers.selinux.SELinuxParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for SELinux audit.log files.

DESCRIPTION = 'Parser for SELinux audit.log files.'¶

LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]¶

NAME = 'selinux'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.skydrivelog module¶

This file contains SkyDrive log file parser in plaso.

class plaso.parsers.skydrivelog.SkyDriveLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive log event data.

detail¶

details.

Type: str

log_level¶

log level.

Type: str

module¶

name of the module that generated the log message.

Type: str

source_code¶

source file and line number that generated the log message.

Type: str

DATA_TYPE = 'skydrive:log:line'¶

class plaso.parsers.skydrivelog.SkyDriveLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses SkyDrive log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) log files.'¶

IGNORE_FIELD = Suppress:(!W:(,))¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]¶

MSEC = W:(0123...)¶

NAME = 'skydrive_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a SkyDrive log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.skydrivelog.SkyDriveOldLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive old log event data.

log_level¶

log level.

Type: str

source_code¶

source file and line number that generated the log message.

Type: str

text¶

log message.

Type: str

DATA_TYPE = 'skydrive:log:old:line'¶

class plaso.parsers.skydrivelog.SkyDriveOldLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse SkyDrive old log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) old log files.'¶

LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]¶

NAME = 'skydrive_log_old'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a SkyDrive old log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.sophos_av module¶

Sophos Anti-Virus log (SAV.txt) parser.

References https://community.sophos.com/kb/en-us/110923

class plaso.parsers.sophos_av.SophosAVLogEventData[source]¶

Bases: plaso.containers.events.EventData

Sophos Anti-Virus log event data.

text¶

Sophos Anti-Virus log message.

Type: str

DATA_TYPE = 'sophos:av:log'¶

class plaso.parsers.sophos_av.SophosAVLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses Anti-Virus logs (SAV.txt) files.

DESCRIPTION = 'Parser for Anti-Virus log (SAV.txt) files.'¶

LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]¶

MAX_LINE_LENGTH = 4096¶

NAME = 'sophos_av'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Sophos Anti-Virus log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.sqlite module¶

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]¶

Build a dictionary object based on a SQL command.

This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database: ‘first’, ‘stuff’, ‘things’ ‘second’, ‘another stuff’, ‘another thing’

This will result in a dictionary object being created in the cache, called ‘all_the_things’ and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}

Parameters

sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.

GetRowCache(query)[source]¶

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate row when a database and a database with a WAL file is parsed.

Parameters: query (str) – query.
Returns: hashes of the rows that have been parsed.
Return type: set

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]¶

Bases: object

SQLite database.

schema¶

schema as an SQL query per table name, for example {‘Users’: ‘CREATE TABLE Users (“id” INTEGER PRIMARY KEY, …)’}.

Type: dict[str, str]

Close()[source]¶: Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]¶

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy the database file this function sets up a connection with the database and determines the names of the tables.

Parameters

file_object (dfvfs.FileIO) – file-like object.
wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.

Raises

IOError – if the file-like object cannot be read.
OSError – if the file-like object cannot be read.
sqlite3.DatabaseError – if the database cannot be parsed.
ValueError – if the file-like object is missing.

Query(query)[source]¶

Queries the database.

Parameters: query (str) – SQL query.
Returns: results.
Return type: sqlite3.Cursor
Raises: sqlite3.DatabaseError – if querying the database fails.

SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'¶

tables¶

names of all the tables.

Type: list[str]

class plaso.parsers.sqlite.SQLiteParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses SQLite database files.

DESCRIPTION = 'Parser for SQLite database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: a format specification or None if not available.
Return type: FormatSpecification

NAME = 'sqlite'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a SQLite database file entry.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_entry (dfvfs.FileEntry) – file entry to be parsed.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.symantec module¶

This file contains a Symantec parser in plaso.

class plaso.parsers.symantec.SymantecEventData[source]¶

Bases: plaso.containers.events.EventData

Symantec event data.

access¶

access.

Type: str

action0¶

action0.

Type: str

action1¶

action1.

Type: str

action1_status¶

action1 status.

Type: str

action2¶

action2.

Type: str

action2_status¶

action2 status.

Type: str

address¶

address.

Type: str

backup_id¶

backup identifier.

Type: str

cat¶

category.

Type: str

cleaninfo¶

clean information.

Type: str

clientgroup¶

client group.

Type: str

compressed¶

compressed.

Type: str

computer¶

computer.

Type: str

definfo¶

definfo.

Type: str

defseqnumber¶

def sequence number.

Type: str

deleteinfo¶

delete information.

Type: str

depth¶

depth.

Type: str

description¶

description.

Type: str

domain_guid¶

domain identifier (GUID).

Type: str

domainname¶

domain name.

Type: str

err_code¶

error code.

Type: str

event_data¶

event data.

Type: str

event¶

event.

Type: str

extra¶

extra.

Type: str

file¶

file.

Type: str

flags¶

flags.

Type: str

groupid¶

group identifier.

Type: str

guid¶

guid.

Type: str

license_expiration_dt¶

license expiration date.

Type: str

license_feature_name¶

license feature name.

Type: str

license_feature_ver¶

license feature ver.

Type: str

license_fulfillment_id¶

license fulfillment identifier.

Type: str

license_lifecycle¶

license lifecycle.

Type: str

license_seats_delta¶

license seats delta.

Type: str

license_seats¶

license seats.

Type: str

license_seats_total¶

license seats total.

Type: str

license_serial_num¶

license serial number.

Type: str

license_start_dt¶

license start date.

Type: str

logger¶

logger.

Type: str

login_domain¶

login domain.

Type: str

log_session_guid¶

log session identifier (GUID).

Type: str

macaddr¶

MAC address.

Type: str

new_ext¶

new ext.

Type: str

ntdomain¶

ntdomain.

Type: str

offset¶

offset.

Type: str

parent¶

parent.

Type: str

quarfwd_status¶

quarfwd status.

Type: str

remote_machine_ip¶

remote machine IP address.

Type: str

remote_machine¶

remote machine.

Type: str

scanid¶

scan identifier.

Type: str

snd_status¶

snd status.

Type: str

status¶

status.

Type: str

still_infected¶

still infected.

Type: str

time¶

time.

Type: str

user¶

user.

Type: str

vbin_id¶

vbin identifier.

Type: str

vbin_session_id¶

vbin session identifier.

Type: str

version¶

version.

Type: str

virus_id¶

virus identifier.

Type: str

virus¶

virus.

Type: str

virustype¶

virustype.

Type: str

DATA_TYPE = 'av:symantec:scanlog'¶

class plaso.parsers.symantec.SymantecParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']¶

DESCRIPTION = 'Parser for Symantec Anti-Virus log files.'¶

NAME = 'symantec_scanlog'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.syslog module¶

Parser for syslog formatted log files

class plaso.parsers.syslog.SyslogCommentEventData[source]¶

Bases: plaso.containers.events.EventData

Syslog comment event data.

body¶

message body.

Type: str

DATA_TYPE = 'syslog:comment'¶

class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')[source]¶

Bases: plaso.containers.events.EventData

Syslog line event data.

body¶

message body.

Type: str

hostname¶

hostname of the reporter.

Type: str

pid¶

process identifier of the reporter.

Type: str

reporter¶

reporter.

Type: str

severity¶

severity.

Type: str

DATA_TYPE = 'syslog:line'¶

class plaso.parsers.syslog.SyslogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses syslog formatted log files

DESCRIPTION = 'Syslog Parser'¶

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.

LINE_STRUCTURES = [('syslog_line', {{{{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_line', {{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_comment', {{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd}), ('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd})]¶

NAME = 'syslog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – elements parsed from the file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a syslog-formatted file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.systemd_journal module¶

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData[source]¶

Bases: plaso.containers.events.EventData

Systemd journal event data.

body¶

message body.

Type: str

hostname¶

hostname.

Type: str

pid¶

process identifier (PID).

Type: int

reporter¶

reporter.

Type: str

DATA_TYPE = 'systemd:journal'¶

class plaso.parsers.systemd_journal.SystemdJournalParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Systemd Journal files.

DESCRIPTION = 'Parser for Systemd Journal files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'systemd_journal'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Systemd journal file-like object.

Parameters

parser_mediator (ParserMediator) – parser mediator.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the header cannot be parsed.

plaso.parsers.text_parser module¶

This file contains a class to provide a parsing framework to plaso.

This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.

plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)[source]¶

Pyparsing parse action callback to convert a token into an integer value.

Parameters

string (str) – original string.
location (int) – location in the string where the token was found.
tokens (list[str]) – tokens.

Returns

integer value or None.

Return type

int

class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)[source]¶

Bases: object

Encoded text reader.

ReadLine(file_object)[source]¶

Reads a line.

Parameters: file_object (dfvfs.FileIO) – file-like object.
Returns: line read from the lines buffer.
Return type: str

ReadLines(file_object)[source]¶

Reads lines into the lines buffer.

Parameters: file_object (dfvfs.FileIO) – file-like object.

Reset()[source]¶: Resets the encoded text reader.

SkipAhead(file_object, number_of_characters)[source]¶

Skips ahead a number of characters.

Parameters

file_object (dfvfs.FileIO) – file-like object.
number_of_characters (int) – number of characters.

plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)[source]¶

Return an integer from a string.

This is a pyparsing callback method that converts the matched string into an integer.

The method modifies the content of the tokens list and converts them all to an integer value.

Parameters

string (str) – original string.
location (int) – location in the string where the match was made.
tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseJoinList(string, location, tokens)[source]¶

Return a joined token from a list of tokens.

This is a callback method for pyparsing setParseAction that modifies the returned token list to join all the elements in the list to a single token.

Parameters

string (str) – original string.
location (int) – location in the string where the match was made.
tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseRangeCheck(lower_bound, upper_bound)[source]¶

Verify that a number is within a defined range.

This is a callback method for pyparsing setParseAction that verifies that a read number is within a certain range.

To use this method it needs to be defined as a callback method in setParseAction with the upper and lower bound set as parameters.

Parameters

lower_bound (int) – lower bound of the range.
upper_bound (int) – upper bound of the range.

Returns

callback method that can be used by pyparsing setParseAction.

Return type

Function

class plaso.parsers.text_parser.PyparsingConstants[source]¶

Bases: object

Constants for pyparsing-based parsers.

COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}¶

DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})¶

DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}¶

DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})¶

FOUR_DIGITS = W:(0123...)¶

HYPHEN = Suppress:("-")¶

INTEGER = W:(0123...)¶

IPV4_ADDRESS = IPv4 address¶

IPV6_ADDRESS = IPv6 address¶

IP_ADDRESS = {IPv4 address | IPv6 address}¶

MONTH = W:(ABCD...,abcd...)¶

ONE_OR_TWO_DIGITS = W:(0123...)¶

PID = W:(0123...)¶

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})¶

TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}¶

TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}¶

TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}¶

TWO_DIGITS = W:(0123...)¶

class plaso.parsers.text_parser.PyparsingMultiLineTextParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Multi line text parser interface based on pyparsing.

BUFFER_SIZE = 2048¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – tokens from a parsed log line.

Returns

event or None.

Return type

EventObject

VerifyStructure(parser_mediator, lines)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
lines (str) – one or more lines from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.text_parser.PyparsingSingleLineTextParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Single line text parser interface based on pyparsing.

LINE_STRUCTURES = []¶

MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20¶

MAX_LINE_LENGTH = 400¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – name of the parsed structure.
structure (pyparsing.ParseResults) – tokens from a parsed log line.

VerifyStructure(parser_mediator, line)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – single line from the text file.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

plaso.parsers.trendmicroav module¶

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']¶

DESCRIPTION = 'Parser for Trend Micro Office Scan Virus Detection log files.'¶

MIN_COLUMNS = 8¶

NAME = 'trendmicro_vd'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')¶

DESCRIPTION = 'Parser for Trend Micro Office Web Reputation log files.'¶

MIN_COLUMNS = 12¶

NAME = 'trendmicro_url'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row_offset (int) – line number of the row.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro AV Log event data.

action¶

action.

Type: str

filename¶

filename.

Type: str

path¶

path.

Type: str

scan_type¶

scan_type.

Type: str

threat¶

threat.

Type: str

DATA_TYPE = 'av:trendmicro:scan'¶

class plaso.parsers.trendmicroav.TrendMicroBaseParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()¶

DELIMITER = '<;>'¶

MIN_COLUMNS = None¶

class plaso.parsers.trendmicroav.TrendMicroUrlEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro Web Reputation Log event data.

block_mode¶

operation mode.

Type: str

url¶

accessed URL.

Type: str

group_code¶

group code.

Type: str

group_name¶

group name.

Type: str

credibility_rating¶

credibility rating.

Type: int

credibility_score¶

credibility score.

Type: int

policy_identifier¶

policy identifier.

Type: int

application_name¶

application name.

Type: str

ip¶

IP address.

Type: str

threshold¶

threshold value.

Type: int

DATA_TYPE = 'av:trendmicro:webrep'¶

plaso.parsers.utmp module¶

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData[source]¶

Bases: plaso.containers.events.EventData

utmp event data.

exit_status¶

exit status.

Type: int

hostname¶

hostname or IP address.

Type: str

ip_address¶

IP address from the connection.

Type: str

pid¶

process identifier (PID).

Type: int

terminal_identifier¶

inittab identifier.

Type: int

terminal¶

type of terminal.

Type: str

type¶

type of login.

Type: int

username¶

user name.

Type: str

DATA_TYPE = 'linux:utmp:event'¶

class plaso.parsers.utmp.UtmpParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Linux libc6 utmp files.

DESCRIPTION = 'Parser for Linux libc6 utmp files.'¶

NAME = 'utmp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an utmp file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.utmpx module¶

Parser for utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS utmpx event data.

hostname¶

hostname or IP address.

Type: str

pid¶

process identifier (PID).

Type: int

terminal¶

name of the terminal.

Type: str

terminal_identifier¶

inittab identifier.

Type: int

type¶

type of login.

Type: int

username¶

user name.

Type: str

DATA_TYPE = 'mac:utmpx:event'¶

class plaso.parsers.utmpx.UtmpxParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Mac OS X 10.5 utmpx files.

DESCRIPTION = 'Parser for Mac OS X 10.5 utmpx files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'utmpx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an UTMPX file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winevt module¶

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows EventLog (EVT) files.

DESCRIPTION = 'Parser for Windows EventLog (EVT) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'winevt'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows EventLog (EVT) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows EventLog (EVT) record event data.

computer_name¶

computer name stored in the event record.

Type: str

event_category¶

event category.

Type: int

event_identifier¶

event identifier.

Type: int

event_type¶

event type.

Type: int

facility¶

event facility.

Type: int

message_identifier¶

event message identifier.

Type: int

record_number¶

event record number.

Type: int

recovered¶

True if the record was recovered.

Type: bool

severity¶

event severity.

Type: int

source_name¶

name of the event source.

Type: str

strings¶

event strings.

Type: list[str]

user_sid¶

user security identifier (SID) stored in the event record.

Type: str

DATA_TYPE = 'windows:evt:record'¶

plaso.parsers.winevtx module¶

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DESCRIPTION = 'Parser for Windows XML EventLog (EVTX) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'winevtx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

class Rule(index, name)¶

Bases: tuple

index¶: Alias for field number 0

name¶: Alias for field number 1

class plaso.parsers.winevtx.WinEvtxRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows XML EventLog (EVTX) record event data.

computer_name¶

computer name stored in the event record.

Type: str

event_identifier¶

event identifier.

Type: int

event_level¶

event level.

Type: int

message_identifier¶

event message identifier.

Type: int

record_number¶

event record number.

Type: int

recovered¶

True if the record was recovered.

Type: bool

source_name¶

name of the event source.

Type: str

strings¶

event strings.

Type: list[str]

strings_parsed¶

parsed information from event strings.

Type: [dict]

user_sid¶

user security identifier (SID) stored in the event record.

Type: str

xml_string¶

XML representation of the event.

Type: str

DATA_TYPE = 'windows:evtx:record'¶

plaso.parsers.winfirewall module¶

Parser for Windows Firewall Log file.

class plaso.parsers.winfirewall.WinFirewallEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Firewall event data.

action¶

action taken.

Type: str

protocol¶

IP protocol.

Type: str

source_ip¶

source IP address.

Type: str

dest_ip¶

destination IP address.

Type: str

source_port¶

TCP or UDP source port.

Type: int

dest_port¶

TCP or UDP destination port.

Type: int

size¶

size of ???

Type: int

flags¶

TCP flags.

Type: str

tcp_seq¶

TCP sequence number.

Type: int

tcp_ack¶

TCP ACK ???

Type: int

tcp_win¶

TCP window size ???

Type: int

icmp_type¶

ICMP type.

Type: int

icmp_code¶

ICMP code.

Type: int

info¶

???

Type: str

path¶

???

Type: str

DATA_TYPE = 'windows:firewall:log_entry'¶

class plaso.parsers.winfirewall.WinFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the Windows Firewall Log file.

DESCRIPTION = 'Parser for Windows Firewall Log files.'¶

LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]¶

NAME = 'winfirewall'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
key (str) – identifier of the structure of tokens.
structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

Raises

ParseError – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a firewall log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
line (str) – line from a text file.

Returns

True if the line is in the expected format, False if not.

Return type

bool

plaso.parsers.winjob module¶

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Scheduled Task event data.

application¶

path to job executable.

Type: str

description¶

description of the scheduled task.

Type: str

parameters¶

application command line parameters.

Type: str

trigger_type¶

trigger type.

Type: int

username¶

username that scheduled the task.

Type: str

working_directory¶

working directory of the scheduled task.

Type: str

DATA_TYPE = 'windows:tasks:job'¶

class plaso.parsers.winjob.WinJobParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse Windows Scheduled Task files for job events.

DESCRIPTION = 'Parser for Windows Scheduled Task job (or At-job) files.'¶

NAME = 'winjob'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows job file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – a file-like object.

Raises

UnableToParseFile – when the file cannot be parsed.

plaso.parsers.winlnk module¶

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Shortcut (LNK) link event data.

birth_droid_file_identifier¶

distributed link tracking birth droid file identifier.

Type: str

birth_droid_volume_identifier¶

distributed link tracking birth droid volume identifier.

Type: str

command_line_arguments¶

command line arguments.

Type: str

description¶

description of the linked item.

Type: str

drive_serial_number¶

drive serial number where the linked item resides.

Type: int

drive_type¶

drive type where the linked item resided.

Type: str

droid_file_identifier¶

distributed link tracking droid file identifier.

Type: str

droid_volume_identifier¶

distributed link tracking droid volume identifier.

Type: str

env_var_location¶

environment variables loction.

Type: str

file_attribute_flags¶

file attribute flags of the linked item.

Type: int

file_size¶

size of the linked item.

Type: int

icon_location¶

icon location.

Type: str

link_target¶

shell item list of the link target.

Type: str

local_path¶

local path of the linked item.

Type: str

network_path¶

local path of the linked item.

Type: str

relative_path¶

relative path.

Type: str

volume_label¶

volume label where the linked item resided.

Type: str

working_directory¶

working directory.

Type: str

DATA_TYPE = 'windows:lnk:link'¶

class plaso.parsers.winlnk.WinLnkParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows Shortcut (LNK) files.

DESCRIPTION = 'Parser for Windows Shortcut (LNK) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'lnk'¶

ParseFileLNKFile(parser_mediator, file_object, display_name)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.
display_name (str) – display name.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winprefetch module¶

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Prefetch event data.

executable¶

executable filename.

Type: str

format_version¶

format version.

Type: int

mapped_files¶

mapped filenames.

Type: list[str]

number_of_volumes¶

number of volumes.

Type: int

path¶

path to the executable.

Type: str

prefetch_hash¶

prefetch hash.

Type: int

run_count¶

run count.

Type: int

volume_device_paths¶

volume device paths.

Type: list[str]

volume_serial_numbers¶

volume serial numbers.

Type: list[int]

DATA_TYPE = 'windows:prefetch:execution'¶

class plaso.parsers.winprefetch.WinPrefetchParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

A parser for Windows Prefetch files.

DESCRIPTION = 'Parser for Windows Prefetch files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns: format specification.
Return type: FormatSpecification

NAME = 'prefetch'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Prefetch file-like object.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO) – file-like object.

plaso.parsers package¶

Subpackages¶

Submodules¶

plaso.parsers.amcache module¶

plaso.parsers.android_app_usage module¶

plaso.parsers.apache_access module¶

plaso.parsers.asl module¶

plaso.parsers.bash_history module¶

plaso.parsers.bencode_parser module¶

plaso.parsers.bsm module¶

plaso.parsers.chrome_cache module¶

plaso.parsers.chrome_preferences module¶

plaso.parsers.cups_ipp module¶

plaso.parsers.custom_destinations module¶

plaso.parsers.czip module¶

plaso.parsers.docker module¶

plaso.parsers.dpkg module¶

plaso.parsers.dsv_parser module¶

plaso.parsers.dtfabric_parser module¶

plaso.parsers.esedb module¶

plaso.parsers.filestat module¶

plaso.parsers.firefox_cache module¶

plaso.parsers.fseventsd module¶

plaso.parsers.gdrive_synclog module¶

plaso.parsers.iis module¶

plaso.parsers.interface module¶

plaso.parsers.java_idx module¶

plaso.parsers.logger module¶

plaso.parsers.mac_appfirewall module¶

plaso.parsers.mac_keychain module¶

plaso.parsers.mac_securityd module¶

plaso.parsers.mac_wifi module¶

plaso.parsers.mactime module¶

plaso.parsers.manager module¶

plaso.parsers.mcafeeav module¶

plaso.parsers.mediator module¶

plaso.parsers.msiecf module¶

plaso.parsers.ntfs module¶

plaso.parsers.olecf module¶

plaso.parsers.opera module¶

plaso.parsers.pe module¶

plaso.parsers.plist module¶

plaso.parsers.pls_recall module¶

plaso.parsers.plugins module¶

plaso.parsers.popcontest module¶

plaso.parsers.presets module¶

plaso.parsers.recycler module¶

plaso.parsers.safari_cookies module¶

plaso.parsers.santa module¶

plaso.parsers.sccm module¶

plaso.parsers.selinux module¶

plaso.parsers.skydrivelog module¶

plaso.parsers.sophos_av module¶

plaso.parsers.sqlite module¶

plaso.parsers.symantec module¶

plaso.parsers.syslog module¶

plaso.parsers.systemd_journal module¶

plaso.parsers.text_parser module¶

plaso.parsers.trendmicroav module¶

plaso.parsers.utmp module¶

plaso.parsers.utmpx module¶

plaso.parsers.winevt module¶

plaso.parsers.winevtx module¶

plaso.parsers.winfirewall module¶

plaso.parsers.winjob module¶

plaso.parsers.winlnk module¶

plaso.parsers.winprefetch module¶

plaso.parsers.winreg module¶

plaso.parsers.winrestore module¶

plaso.parsers.xchatlog module¶

plaso.parsers.xchatscrollback module¶

plaso.parsers.zsh_extended_history module¶

Module contents¶