plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.merge_reader module

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]

Bases: plaso.storage.file_interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]

Reads attribute containers from a task storage file into the writer.

Parameters

  • callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized.

  • maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.

Returns

True if the entire task storage file has been merged.

Return type

bool

Raises

  • RuntimeError – if the add method for the active attribute container type is missing.

  • OSError – if the task storage file cannot be deleted.

  • ValueError – if the maximum number of containers is a negative value.

plaso.storage.sqlite.reader module

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]

Bases: plaso.storage.file_interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type='session')[source]

Bases: plaso.storage.file_interface.BaseStorageFile

SQLite-based storage file.

format_version

storage format version.

Type

int

serialization_format

serialization format.

Type

str

storage_type

storage type.

Type

str

AddAnalysisReport(analysis_report)[source]

Adds an analysis report.

Parameters

analysis_report (AnalysisReport) – analysis report.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

AddEvent(event)[source]

Adds an event.

Parameters

event (EventObject) – event.

Raises

  • IOError – when the storage file is closed or read-only or if the event data identifier type is not supported.

  • OSError – when the storage file is closed or read-only or if the event data identifier type is not supported.

AddEventData(event_data)[source]

Adds event data.

Parameters

event_data (EventData) – event data.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

AddEventSource(event_source)[source]

Adds an event source.

Parameters

event_source (EventSource) – event source.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

AddEventTag(event_tag)[source]

Adds an event tag.

Parameters

event_tag (EventTag) – event tag.

Raises

  • IOError – when the storage file is closed or read-only or if the event identifier type is not supported.

  • OSError – when the storage file is closed or read-only or if the event identifier type is not supported.

AddEventTags(event_tags)[source]

Adds event tags.

Parameters

event_tags (list[EventTag]) – event tags.

Raises

  • IOError – when the storage file is closed or read-only or if the event tags cannot be serialized.

  • OSError – when the storage file is closed or read-only or if the event tags cannot be serialized.

AddWarning(warning)[source]

Adds an warning.

Parameters

warning (ExtractionWarning) – warning.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

classmethod CheckSupportedFormat(path, check_readable_only=False)[source]

Checks if the storage file format is supported.

Parameters

  • path (str) – path to the storage file.

  • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.

Returns

True if the format is supported.

Return type

bool

Close()[source]

Closes the storage.

Raises

  • IOError – if the storage file is already closed.

  • OSError – if the storage file is already closed.

GetAnalysisReports()[source]

Retrieves the analysis reports.

Returns

analysis report generator.

Return type

generator(AnalysisReport)

GetEventData()[source]

Retrieves the event data.

Returns

event data generator.

Return type

generator(EventData)

GetEventDataByIdentifier(identifier)[source]

Retrieves specific event data.

Parameters

identifier (SQLTableIdentifier) – event data identifier.

Returns

event data or None if not available.

Return type

EventData

GetEventSourceByIndex(index)[source]

Retrieves a specific event source.

Parameters

index (int) – event source index.

Returns

event source or None if not available.

Return type

EventSource

GetEventSources()[source]

Retrieves the event sources.

Returns

event source generator.

Return type

generator(EventSource)

GetEventTagByIdentifier(identifier)[source]

Retrieves a specific event tag.

Parameters

identifier (SQLTableIdentifier) – event tag identifier.

Returns

event tag or None if not available.

Return type

EventTag

GetEventTags()[source]

Retrieves the event tags.

Yields

EventTag – event tag.

GetEvents()[source]

Retrieves the events.

Yields

EventObject – event.

GetNumberOfAnalysisReports()[source]

Retrieves the number analysis reports.

Returns

number of analysis reports.

Return type

int

GetNumberOfEventSources()[source]

Retrieves the number event sources.

Returns

number of event sources.

Return type

int

GetSessions()[source]

Retrieves the sessions.

Yields

Session – session attribute container.

Raises

  • IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

  • OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

GetSortedEvents(time_range=None)[source]

Retrieves the events in increasing chronological order.

Parameters

time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.

Yields

EventObject – event.

GetWarnings()[source]

Retrieves the warnings.

Returns

warning generator.

Return type

generator(ExtractionWarning)

HasAnalysisReports()[source]

Determines if a store contains analysis reports.

Returns

True if the store contains analysis reports.

Return type

bool

HasEventTags()[source]

Determines if a store contains event tags.

Returns

True if the store contains event tags.

Return type

bool

HasWarnings()[source]

Determines if a store contains extraction warnings.

Returns

True if the store contains extraction warnings.

Return type

bool

Open(path=None, read_only=True, **unused_kwargs)[source]

Opens the storage.

Parameters

  • path (Optional[str]) – path to the storage file.

  • read_only (Optional[bool]) – True if the file should be opened in read-only mode.

Raises

  • IOError – if the storage file is already opened or if the database cannot be connected.

  • OSError – if the storage file is already opened or if the database cannot be connected.

  • ValueError – if path is missing.

ReadPreprocessingInformation(knowledge_base)[source]

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters

knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

WritePreprocessingInformation(knowledge_base)[source]

Writes preprocessing information.

Parameters

knowledge_base (KnowledgeBase) – contains the preprocessing information.

Raises

  • IOError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

  • OSError – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

WriteSessionCompletion(session_completion)[source]

Writes session completion information.

Parameters

session_completion (SessionCompletion) – session completion information.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

WriteSessionStart(session_start)[source]

Writes session start information.

Parameters

session_start (SessionStart) – session start information.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

WriteTaskCompletion(task_completion)[source]

Writes task completion information.

Parameters

task_completion (TaskCompletion) – task completion information.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

WriteTaskStart(task_start)[source]

Writes task start information.

Parameters

task_start (TaskStart) – task start information.

Raises

  • IOError – when the storage file is closed or read-only.

  • OSError – when the storage file is closed or read-only.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type='session', task=None)[source]

Bases: plaso.storage.file_interface.StorageFileWriter

SQLite-based storage file writer.

Module contents