plaso.output package¶

Submodules¶

plaso.output.dynamic module¶

Contains a formatter for a dynamic output module for plaso.

class plaso.output.dynamic.DynamicFieldsHelper(output_mediator)[source]¶

Bases: object

Helper for outputting a dynamic selection of fields.

GetFormattedField(event, field_name)[source]¶

Formats the specified field.

Parameters:	event (EventObject) – event. field_name (str) – name of the field.
Returns:	value of the field.
Return type:	str

class plaso.output.dynamic.DynamicOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Dynamic selection of fields for a separated value output format.

DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'¶

NAME = 'dynamic'¶

SetFieldDelimiter(field_delimiter)[source]¶

Sets the field delimiter.

Parameters:	field_delimiter (str) – field delimiter.

SetFields(fields)[source]¶

Sets the fields to output.

Parameters:	fields (list[str]) – names of the fields to output.

WriteEventBody(event)[source]¶

Writes the body of an event to the output.

Parameters:	event (EventObject) – event.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.elastic module¶

An output module that saves events to Elasticsearch.

class plaso.output.elastic.Elasticsearch5OutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearch5OutputModule

Output module for Elasticsearch 5.

DESCRIPTION = 'Saves the events into an Elasticsearch5 database.'¶

NAME = 'elastic5'¶

SetRawFields(raw_fields)[source]¶

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/reference/5.6/ mapping-types.html#_multi_fields

Parameters:	raw_fields (bool) – True if raw (non-analyzed) fields should be added.

WriteHeader()[source]¶: Connects to the Elasticsearch server and creates the index.

class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Output module for Elasticsearch.

DESCRIPTION = 'Saves the events into an Elasticsearch database.'¶

NAME = 'elastic'¶

SetRawFields(raw_fields)[source]¶

Set raw (non-analyzed) fields.

This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/ multi-fields.html

Parameters:	raw_fields (bool) – True if raw (non-analyzed) fields should be added.

WriteHeader()[source]¶: Connects to the Elasticsearch server and creates the index.

plaso.output.interface module¶

This file contains the output module interface classes.

class plaso.output.interface.LinearOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Linear output module.

Close()[source]¶: Closes the output.

SetOutputWriter(output_writer)[source]¶

Set the output writer.

Parameters:	output_writer (CLIOutputWriter) – output writer.

class plaso.output.interface.OutputModule(output_mediator)[source]¶

Bases: object

Output module interface.

Close()[source]¶: Closes the output.

DESCRIPTION = ''¶

GetMissingArguments()[source]¶

Retrieves arguments required by the module that have not been specified.

Returns:	names of argument that are required by the module and have not been specified.
Return type:	list[str]

NAME = ''¶

Open()[source]¶: Opens the output.

WriteEvent(event)[source]¶

Writes the event to the output.

Parameters:	event (EventObject) – event.

WriteEventBody(event)[source]¶

Writes event values to the output.

Parameters:	event (EventObject) – event that contains the event values.

WriteEventEnd()[source]¶

Writes the end of an event to the output.

Can be used for post-processing or output after an individual event has been written, such as writing closing XML tags, etc.

WriteEventMACBGroup(event_macb_group)[source]¶

Writes an event MACB group to the output.

An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).

This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden this function will output every event individually.

Parameters:	event_macb_group (list[EventObject]) – group of events with identical timestamps, attributes and values.

WriteEventStart()[source]¶

Writes the start of an event to the output.

Can be used for pre-processing or output before an individual event has been written, such as writing opening XML tags, etc.

WriteFooter()[source]¶

Writes the footer to the output.

Can be used for post-processing or output after the last event is written, such as writing a file footer.

WriteHeader()[source]¶

Writes the header to the output.

Can be used for pre-processing or output before the first event is written, such as writing a file header.

plaso.output.json_line module¶

Output module that saves data into a JSON line format.

JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON line format.

DESCRIPTION = 'Saves the events into a JSON line format.'¶

NAME = 'json_line'¶

WriteEventBody(event)[source]¶

Writes the body of an event object to the output.

Parameters:	event (EventObject) – event.

plaso.output.json_out module¶

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the JSON format.

DESCRIPTION = 'Saves the events into a JSON format.'¶

NAME = 'json'¶

WriteEventBody(event)[source]¶

Writes the body of an event object to the output.

Parameters:	event (EventObject) – event.

WriteFooter()[source]¶: Writes the footer to the output.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.kml module¶

An output module that writes event with geography data to a KML XML file.

The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for a Keyhole Markup Language (KML) XML file.

DESCRIPTION = 'Saves events with geography data into a KML format.'¶

NAME = 'kml'¶

WriteEventBody(event)[source]¶

Writes the body of an event to the output.

Parameters:	event (EventObject) – event.

WriteFooter()[source]¶: Writes the footer to the output.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.l2t_csv module¶

Output module for the log2timeline (L2T) CSV format.

For documentation on the L2T CSV format see: http://forensicswiki.org/wiki/L2T_CSV

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

CSV format used by log2timeline, with 17 fixed fields.

DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'¶

NAME = 'l2tcsv'¶

WriteEventBody(event)[source]¶

Writes the body of an event object to the output.

Parameters:	event (EventObject) – event.
Raises:	`NoFormatterFound` – If no event formatter can be found to match the data type in the event object.

WriteEventMACBGroup(event_macb_group)[source]¶

Writes an event MACB group to the output.

Parameters:	event_macb_group (list[EventObject]) – event MACB group.

WriteHeader()[source]¶: Writes the header to the output.

plaso.output.logger module¶

The output sub module logger.

plaso.output.manager module¶

Output plugin manager.

class plaso.output.manager.OutputManager[source]¶

Bases: object

Output module manager.

classmethod DeregisterOutput(output_class)[source]¶

Deregisters an output class.

The output classes are identified based on their NAME attribute.

Parameters:	output_class (type) – output module class.
Raises:	`KeyError` – if output class is not set for the corresponding data type.

classmethod GetDisabledOutputClasses()[source]¶

Retrieves the disabled output classes and its associated name.

Yields:	tuple[str, type] – output module name and class.

classmethod GetOutputClass(name)[source]¶

Retrieves the output class for a specific name.

Parameters:	name (str) – name of the output module.
Returns:	output module class.
Return type:	type
Raises:	`KeyError` – if there is no output class found with the supplied name. `ValueError` – if name is not a string.

classmethod GetOutputClasses()[source]¶

Retrieves the available output classes its associated name.

Yields:	tuple[str, type] – output class name and type object.

classmethod HasOutputClass(name)[source]¶

Determines if a specific output class is registered with the manager.

Parameters:	name (str) – name of the output module.
Returns:	True if the output class is registered.
Return type:	bool

classmethod IsLinearOutputModule(name)[source]¶

Determines if a specific output class is a linear output module.

Parameters:	name (str) – name of the output module.
Returns:	if the output module is linear.
Return type:	True

classmethod NewOutputModule(name, output_mediator)[source]¶

Creates a new output module object for the specified output format.

Parameters:	name (str) – name of the output module. output_mediator (OutputMediator) – output mediator.
Returns:	output module.
Return type:	OutputModule
Raises:	`KeyError` – if there is no output class found with the supplied name. `ValueError` – if name is not a string.

classmethod RegisterOutput(output_class, disabled=False)[source]¶

Registers an output class.

The output classes are identified based on their NAME attribute.

Parameters:	output_class (type) – output module class. disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.
Raises:	`KeyError` – if output class is already set for the corresponding name.

classmethod RegisterOutputs(output_classes, disabled=False)[source]¶

Registers output classes.

The output classes are identified based on their NAME attribute.

Parameters:	output_classes (list[type]) – output module classes. disabled (Optional[bool]) – True if the output module is disabled due to the module not loading correctly or not.
Raises:	`KeyError` – if output class is already set for the corresponding name.

plaso.output.mediator module¶

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, formatter_mediator, fields_filter=None, preferred_encoding='utf-8')[source]¶

Bases: object

Output mediator.

fields_filter¶: FilterObject – filter object that indicates which fields to output.

GetEventFormatter(event)[source]¶

Retrieves the event formatter for a specific event type.

Parameters:	event (EventObject) – event.
Returns:	event formatter or None.
Return type:	EventFormatter

GetFormatStringAttributeNames(event)[source]¶

Retrieves the attribute names in the format string.

Parameters:	event (EventObject) – event.
Returns:	list containing the attribute names. If no event formatter to match the event can be found the function returns None.
Return type:	list[str]

GetFormattedMessages(event)[source]¶

Retrieves the formatted messages related to the event.

Parameters:	event (EventObject) – event.
Returns:	containing: str: full message string or None if no event formatter was found. str: short message string or None if no event formatter was found.
Return type:	tuple

GetFormattedSources(event)[source]¶

Retrieves the formatted sources related to the event.

Parameters:	event (EventObject) – event.
Returns:	containing: str: full source string or None if no event formatter was found. str: short source string or None if no event formatter was found.
Return type:	tuple

GetHostname(event, default_hostname='-')[source]¶

Retrieves the hostname related to the event.

Parameters:	event (EventObject) – event. default_hostname (Optional[str]) – default hostname.
Returns:	hostname.
Return type:	str

GetMACBRepresentation(event)[source]¶

Retrieves the MACB representation.

Parameters:	event (EventObject) – event.
Returns:	MACB representation.
Return type:	str

GetMACBRepresentationFromDescriptions(timestamp_descriptions)[source]¶

Determines the MACB representation from the timestamp descriptions.

MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.

Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.

Parameters:	timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns:	MACB representation.
Return type:	str

GetStoredHostname()[source]¶

Retrieves the stored hostname.

Returns:	hostname.
Return type:	str

GetUsername(event, default_username='-')[source]¶

Retrieves the username related to the event.

Parameters:	event (EventObject) – event. default_username (Optional[str]) – default username.
Returns:	username.
Return type:	str

SetTimezone(timezone)[source]¶

Sets the timezone.

Parameters:	timezone (str) – timezone.
Raises:	`ValueError` – if the timezone is not supported.

encoding¶: str – preferred encoding.

filter_expression¶: str – filter expression if a filter is set, None otherwise.

timezone¶: The timezone.

plaso.output.mysql_4n6time module¶

Defines the output module for the MySQL database used by 4n6time.

class plaso.output.mysql_4n6time.MySQL4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Class defining the MySQL database output module for 4n6time.

Close()[source]¶

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'MySQL database output for the 4n6time tool.'¶

NAME = '4n6time_mysql'¶

Open()[source]¶

Connects to the database and creates the required tables.

Raises:	`IOError` – If Unable to insert into database. `ValueError` – If no database name given.

SetCredentials(password=None, username=None)[source]¶

Sets the database credentials.

Parameters:	password (Optional[str]) – password to access the database. username (Optional[str]) – username to access the database.

SetDatabaseName(name)[source]¶

Sets the database name.

Parameters:	name (str) – name of the database.

SetServerInformation(server, port)[source]¶

Sets the server information.

Parameters:	server (str) – hostname or IP address of the database server. port (int) – port number of the database server.

WriteEventBody(event)[source]¶

Writes the body of an event object to the output.

Parameters:	event (EventObject) – event.

plaso.output.null module¶

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Null device output module.

DESCRIPTION = 'Output module that does not output anything.'¶

NAME = 'null'¶

WriteEventBody(event)[source]¶

Writes the event object to the output.

Since this is the null output module nothing is actually written.

Parameters:	event (EventObject) – event.

plaso.output.rawpy module¶

Output module for the “raw” (or native) Python format.

class plaso.output.rawpy.NativePythonFormatterHelper[source]¶

Bases: object

Helper for outputting as “raw” (or native) Python.

classmethod GetFormattedEventObject(event)[source]¶

Retrieves a string representation of the event.

Parameters:	event (EventObject) – event.
Returns:	string representation of the event.
Return type:	str

class plaso.output.rawpy.NativePythonOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Output module for the “raw” (or native) Python output format.

DESCRIPTION = '"raw" (or native) Python output.'¶

NAME = 'rawpy'¶

WriteEventBody(event)[source]¶

Writes the body of an event to the output.

Parameters:	event (EventObject) – event.

plaso.output.shared_4n6time module¶

Shared functionality for 4n6time output modules.

class plaso.output.shared_4n6time.Shared4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Shared functionality for an 4n6time output module.

NAME = '4n6time_shared'¶

SetAppendMode(append)[source]¶

Set the append status.

Parameters:	append (bool) – True if the events should be added to the database.

SetEvidence(evidence)[source]¶

Set the evidence field.

Parameters:	evidence (str) – the evidence field.

SetFields(fields)[source]¶

Set the fields that will be indexed in the database.

Parameters:	fields (list[str]) – a list of fields that should be indexed.

SetStatusObject(status_object)[source]¶

Set the status object.

Parameters:	status_object (object) – status object provided by the 4n6time tool.

plaso.output.shared_elastic module¶

Shared code for Elasticsearch based output modules.

class plaso.output.shared_elastic.SharedElasticsearch5OutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule

Shared output module for Elasticsearch 5.

class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Shared functionality for an Elasticsearch output module.

Close()[source]¶

Closes connection to Elasticsearch.

Inserts any remaining buffered event documents.

NAME = 'elastic_shared'¶

SetDocumentType(document_type)[source]¶

Sets the document type.

Parameters:	document_type (str) – document type.

SetFlushInterval(flush_interval)[source]¶

Set the flush interval.

Parameters:	flush_interval (int) – number of events to buffer before doing a bulk insert.

SetIndexName(index_name)[source]¶

Set the index name.

Parameters:	index_name (str) – name of the index.

SetPassword(password)[source]¶

Set the password.

Parameters:	password (str) – password to authenticate with.

SetServerInformation(server, port)[source]¶

Set the server information.

Parameters:	server (str) – IP address or hostname of the server. port (int) – Port number of the server.

SetUsername(username)[source]¶

Sets the username.

Parameters:	username (str) – username to authenticate with.

WriteEventBody(event)[source]¶

Writes an event to the output.

Parameters:	event (EventObject) – event.

plaso.output.sqlite_4n6time module¶

Defines the output module for the SQLite database used by 4n6time.

class plaso.output.sqlite_4n6time.SQLite4n6TimeOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_4n6time.Shared4n6TimeOutputModule

Saves the data in a SQLite database, used by the tool 4n6time.

Close()[source]¶

Disconnects from the database.

This method will create the necessary indices and commit outstanding transactions before disconnecting.

DESCRIPTION = 'Saves the data in a SQLite database, used by the tool 4n6time.'¶

NAME = '4n6time_sqlite'¶

Open()[source]¶

Connects to the database and creates the required tables.

Raises:	`IOError` – if the specified output file already exists. `ValueError` – if the filename is not set.

SetFilename(filename)[source]¶

Sets the filename.

Parameters:	filename (str) – the filename.

WriteEventBody(event)[source]¶

Writes the body of an event to the output.

Parameters:	event (EventObject) – event.

plaso.output.timesketch_out module¶

Timesketch output module.

class plaso.output.timesketch_out.TimesketchOutputModule(output_mediator)[source]¶

Bases: plaso.output.shared_elastic.SharedElasticsearch5OutputModule

Output module for Timesketch.

Close()[source]¶

Closes the connection to TimeSketch Elasticsearch database.

Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.

DESCRIPTION = 'Create a Timesketch timeline.'¶

GetMissingArguments()[source]¶

Retrieves a list of arguments that are missing from the input.

Returns:	names of arguments that are required by the module and have not been specified.
Return type:	list[str]

NAME = 'timesketch'¶

SetTimelineName(timeline_name)[source]¶

Sets the timeline name.

Parameters:	timeline_name (str) – timeline name.

SetTimelineOwner(username)[source]¶

Sets the username of the user that should own the timeline.

Parameters:	username (str) – username.

WriteHeader()[source]¶

Sets up the Elasticsearch index and the Timesketch database object.

Creates the Elasticsearch index with Timesketch specific settings and the Timesketch SearchIndex database object.

plaso.output.tln module¶

Output module for the TLN format.

For documentation on the TLN format see: http://forensicswiki.org/wiki/TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)[source]¶

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the log2timeline extended variant of the TLN format.

l2tTLN is an extended variant of TLN introduced log2timeline 0.65.

l2tTLN extends basic TLN to 7 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data. * TZ - L2T 0.65 field. Timezone of the event. * Notes - L2T 0.65 field. Optional notes field or filename and inode.

DESCRIPTION = 'Extended TLN 7 field | delimited output.'¶

NAME = 'l2ttln'¶

WriteEventBody(event)[source]¶

Writes the body of an event object to the output.

Parameters:	event (EventObject) – event.

class plaso.output.tln.TLNBaseOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.LinearOutputModule

Base class for a TLN output module.

WriteHeader()[source]¶: Writes the header to the output.

class plaso.output.tln.TLNOutputModule(output_mediator)[source]¶

Bases: plaso.output.tln.TLNBaseOutputModule

Output module for the TLN format.

TLN defines 5 | separated fields, namely: * Time - 32-bit POSIX (or Unix) epoch timestamp. * Source - The name of the parser or plugin that produced the event. * Host - The source host system. * User - The user associated with the data. * Description - Message string describing the data.

DESCRIPTION = 'TLN 5 field | delimited output.'¶

NAME = 'tln'¶

WriteEventBody(event)[source]¶

Writes event values to the output.

Parameters:	event (EventObject) – event that contains the event values.

plaso.output.xlsx module¶

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)[source]¶

Bases: plaso.output.interface.OutputModule

Output module for the Excel Spreadsheet (XLSX) output format.

Close()[source]¶: Closes the output.

DESCRIPTION = 'Excel Spreadsheet (XLSX) output'¶

NAME = 'xlsx'¶

Open()[source]¶

Creates a new workbook.

Raises:	`IOError` – if the specified output file already exists. `ValueError` – if the filename is not set.

SetFields(fields)[source]¶

Sets the fields to output.

Parameters:	fields (list[str]) – names of the fields to output.

SetFilename(filename)[source]¶

Sets the filename.

Parameters:	filename (str) – filename.

SetTimestampFormat(timestamp_format)[source]¶

Set the timestamp format to use for the datetime column.

Parameters:	timestamp_format (str) – format string of date and time values.

WriteEventBody(event)[source]¶

Writes the body of an event object to the spreadsheet.

Parameters:	event (EventObject) – event.

WriteHeader()[source]¶: Writes the header to the spreadsheet.

Module contents¶

This file imports Python modules that register output modules.