plaso.parsers.esedb_plugins package¶

Submodules¶

plaso.parsers.esedb_plugins.file_history module¶

Parser for the Microsoft File History ESE database.

class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a File History ESE database file.

DESCRIPTION = 'Parser for File History ESE database files.'¶

NAME = 'file_history'¶

ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the namespace table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.
Raises:	`ValueError` – if the database or table value is missing.

REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}¶

class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData[source]¶

Bases: plaso.containers.events.EventData

File history namespace table event data.

file_attribute¶: int – file attribute.

identifier¶: str – identifier.

original_filename¶: str – original file name.

parent_identifier¶: str – parent identifier.

usn_number¶: int – USN number.

DATA_TYPE = 'file_history:namespace:event'¶

plaso.parsers.esedb_plugins.interface module¶

This file contains the interface for ESE database plugins.

class plaso.parsers.esedb_plugins.interface.ESEDBPlugin[source]¶

Bases: plaso.parsers.plugins.BasePlugin

The ESE database plugin interface.

BINARY_DATA_COLUMN_TYPES = frozenset({<Mock id='140083890484000'>, <Mock id='140083890484168'>})¶

FLOATING_POINT_COLUMN_TYPES = frozenset({<Mock id='140083890484504'>, <Mock id='140083890484336'>})¶

GetEntries(parser_mediator, cache=None, database=None, **kwargs)[source]¶

Extracts event objects from the database.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache. database (Optional[pyesedb.file]) – ESE database.
Raises:	`ValueError` – If the database attribute is not valid.

INTEGER_COLUMN_TYPES = frozenset({<Mock id='140083890485680'>, <Mock id='140083890485848'>, <Mock id='140083890484840'>, <Mock id='140083890485344'>, <Mock id='140083890485512'>, <Mock id='140083890485008'>, <Mock id='140083890485176'>, <Mock id='140083890484672'>})¶

NAME = 'esedb'¶

OPTIONAL_TABLES = {}¶

Process(parser_mediator, cache=None, database=None, **kwargs)[source]¶

Determines if this is the appropriate plugin for the database.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache. database (Optional[pyesedb.file]) – ESE database.
Raises:	`ValueError` – If the database attribute is not valid.

REQUIRED_TABLES = {}¶

STRING_COLUMN_TYPES = frozenset({<Mock id='140083890486016'>, <Mock id='140083890486184'>})¶

required_tables¶: set[str] – required table names.

plaso.parsers.esedb_plugins.msie_webcache module¶

Parser for the Microsoft Internet Explorer WebCache ESE database.

The WebCache database (WebCacheV01.dat or WebCacheV24.dat) are used by MSIE as of version 10.

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Container table event data.

access_count¶: int – access count.

cached_filename¶: str – name of the cached file.

cached_file_size¶: int – size of the cached file.

cache_identifier¶: int – cache identifier.

container_identifier¶: int – container identifier.

entry_identifier¶: int – entry identifier.

file_extension¶: str – file extension.

redirect_url¶: str – URL from which the request was redirected.

request_headers¶: str – request headers.

response_headers¶: str – response headers.

sync_count¶: int – sync count.

url¶: str – URL.

DATA_TYPE = 'msie:webcache:container'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Containers table event data.

container_identifier¶: int – container identifier.

directory¶: str – name of the cache directory.

name¶: str – name of the cache container.

set_identifier¶: int – set identifier.

DATA_TYPE = 'msie:webcache:containers'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a MSIE WebCache ESE database file.

DESCRIPTION = 'Parser for MSIE WebCache ESE database files.'¶

NAME = 'msie_webcache'¶

ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses the Containers table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.
Raises:	`ValueError` – if the database or table value is missing.

ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses the LeakFiles table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.
Raises:	`ValueError` – if the database or table value is missing.

ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs)[source]¶

Parses the Partitions table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.
Raises:	`ValueError` – if the database or table value is missing.

REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable', 'Partitions': 'ParsePartitionsTable'}¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache LeakFiles event data.

cached_filename¶: str – name of the cached file.

leak_identifier¶: int – leak identifier.

DATA_TYPE = 'msie:webcache:leak_file'¶

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE WebCache Partitions table event data.

directory¶: str – directory.

partition_identifier¶: int – partition identifier.

partition_type¶: int – partition type.

table_identifier¶: int – table identifier.

DATA_TYPE = 'msie:webcache:partitions'¶

plaso.parsers.esedb_plugins.srum module¶

Parser for the System Resource Usage Monitor (SRUM) ESE database.

For more information about the database format see: https://github.com/libyal/esedb-kb/blob/master/documentation/

System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc

class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM application resource usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶: str – application.

background_bytes_read¶: int – background number of bytes read.

background_bytes_written¶: int – background number of bytes written.

background_context_switches¶: int – number of background context switches.

background_cycle_time¶: int – background cycle time.

background_number_for_flushes¶: int – background number of flushes.

background_number_for_read_operations¶: int – background number of read operations.

background_number_for_write_operations¶: int – background number of write operations.

face_time¶: int – face time.

foreground_bytes_read¶: int – foreground number of bytes read.

foreground_bytes_written¶: int – foreground number of bytes written.

foreground_context_switches¶: int – number of foreground context switches.

foreground_cycle_time¶: int – foreground cycle time.

foreground_number_for_flushes¶: int – foreground number of flushes.

foreground_number_for_read_operations¶: int – foreground number of read operations.

foreground_number_for_write_operations¶: int – foreground number of write operations.

identifier¶: int – record identifier.

user_identifier¶: str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:application_usage'¶

class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM network connectivity usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶: str – application.

identifier¶: int – record identifier.

interface_luid¶: int – interface locally unique identifier (LUID).

l2_profile_flags¶: int – L2 profile flags.

l2_profile_identifier¶: int – L2 profile identifier.

user_identifier¶: str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:network_connectivity'¶

class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData[source]¶

Bases: plaso.containers.events.EventData

SRUM network data usage event data.

Note that the interpretation of some of these values is undocumented as far as currently known.

application¶: str – application.

bytes_received¶: int – number of bytes received.

bytes_sent¶: int – number of bytes sent.

identifier¶: int – record identifier.

interface_luid¶: int – interface locally unique identifier (LUID).

l2_profile_flags¶: int – L2 profile flags.

l2_profile_identifier¶: int – L2 profile identifier.

user_identifier¶: str – user identifier, which is a Windows NT security identifier.

DATA_TYPE = 'windows:srum:network_usage'¶

class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin[source]¶

Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin

Parses a System Resource Usage Monitor (SRUM) ESE database file.

DESCRIPTION = 'Parser for System Resource Usage Monitor (SRUM) ESE database files.'¶

NAME = 'srum'¶

OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'}¶

ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the application resource usage table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.

ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the network connectivity usage monitor table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.

ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs)[source]¶

Parses the network data usage monitor table.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. database (Optional[pyesedb.file]) – ESE database. table (Optional[pyesedb.table]) – table.

REQUIRED_TABLES = {'SruDbIdMapTable': ''}¶

Module contents¶

Imports for the ESE database parser.