plaso.parsers package¶

Subpackages¶

Submodules¶

plaso.parsers.amcache module¶

File containing a Windows Registry plugin to parse the Amcache Hive.

class plaso.parsers.amcache.AmcacheEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache event data.

full_path¶: str – full path of file

sha1¶: str – sha1 of file

productname¶: str – product name file belongs to

companyname¶: str – company name that created product file belogs to

fileversion¶: str – version of file

languagecode¶: int – language code of file

filesize¶: int – size of file in bytes

filedescription¶: str – description of file

linkerts¶: int – unix timestamp when file was linked

lastmodifiedts¶: int – filetime timestamp of last modified datetime of file

createdtd¶: int – filetime timestamp of created datetime of file

programid¶: str – GUID of entry under Root/Program key file belongs to

DATA_TYPE = 'windows:registry:amcache'¶

class plaso.parsers.amcache.AmcacheParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Amcache Registry plugin for recently run programs.

DESCRIPTION = 'Parser for Amcache Registry entries.'¶

NAME = 'amcache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Amcache.hve file for events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

URLS = ['http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html']¶

class plaso.parsers.amcache.AmcacheProgramEventData[source]¶

Bases: plaso.containers.events.EventData

Amcache programs event data.

name¶: str – name of installed program

version¶: str – version of program

publisher¶: str – publisher of program

languagecode¶: int – languagecode of program

entrytype¶: str – type of entry (usually AddRemoveProgram)

uninstallkey¶: str – unicode string of uninstall registry key for program

filepath¶: str – file path of installed program

productcode¶: str – product code of program

packagecode¶: str – package code of program

msiproductcode¶: str – MSI product code of program

msipackagecode¶: str – MSI package code of program

files¶: str – list of files belonging to program

DATA_TYPE = 'windows:registry:amcache:programs'¶

plaso.parsers.android_app_usage module¶

Parser for the Android usage-history.xml files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData[source]¶

Bases: plaso.containers.events.EventData

Android Application event data.

package_name¶: str – name of the Android application.

component_name¶: str – name of the individual component of the application.

DATA_TYPE = 'android:event:last_resume_time'¶

class plaso.parsers.android_app_usage.AndroidAppUsageParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Android usage-history.xml file.

DESCRIPTION = 'Parser for Android usage-history.xml files.'¶

NAME = 'android_app_usage'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Android usage-history file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.apache_access module¶

Apache access log (access.log) parser.

Parser based on the two default apache formats, common and combined log format defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.apache_access.ApacheAccessEventData[source]¶

Bases: plaso.containers.events.EventData

Apache access event data.

ip_address¶: str – IPv4 or IPv6 addresses.

remote_name¶: str – remote logname (from identd, if supplied).

user_name¶: str – logged user name.

http_request¶: str – first line of http request.

http_response_code¶: int – http response code from server.

http_response_bytes¶: int – http response bytes size without headers.

http_request_referer¶: str – http request referer header information.

http_request_user_agent¶: str – http request user agent header information.

DATA_TYPE = 'apache:access'¶

class plaso.parsers.apache_access.ApacheAccessParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Apache access log file parser

DESCRIPTION = 'Apache access Parser'¶

LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{{{{{{{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")}} Suppress:(""")} SkipTo:(""")} Suppress:(""")} W:(0123...)} W:(0123...)} Suppress:(""")} SkipTo:(""")} Suppress:(""")} Suppress:(""")} SkipTo:(""")} Suppress:(""")} lineEnd}), ('common_log_format', {{{{{{{{{{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")}} Suppress:(""")} SkipTo:(""")} Suppress:(""")} W:(0123...)} W:(0123...)} lineEnd})]¶

NAME = 'apache_access'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is an apache access log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.asl module¶

The Apple System Log Parser.

class plaso.parsers.asl.ASLEventData[source]¶

Bases: plaso.containers.events.EventData

Convenience class for an ASL event.

computer_name¶: str – name of the host.

extra_information¶: str – extra fields associated to the event.

facility¶: str – facility.

group_id¶: int – group identifier (GID).

level¶: str – level of criticality of the event.

message_id¶: int – message identifier.

message¶: str – message of the event.

pid¶: int – process identifier (PID).

read_uid¶: int – user identifier that can read this file, where -1 represents all.

read_gid¶: int – the group identifier that can read this file, where -1 represents all.

record_position¶: int – position of the event record.

sender¶: str – sender or process that created the event.

user_sid¶: str – user identifier (UID).

DATA_TYPE = 'mac:asl:event'¶

class plaso.parsers.asl.ASLParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for ASL log files.

DESCRIPTION = 'Parser for ASL log files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'asl_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ASL file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.bash_history module¶

Parser for bash history files.

class plaso.parsers.bash_history.BashHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Bash history log event data.

command¶: str – command that was executed.

DATA_TYPE = 'bash:history:command'¶

class plaso.parsers.bash_history.BashHistoryParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Bash history files.

DESCRIPTION = 'Parser for Bash history files'¶

LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]¶

NAME = 'bash'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a record and produces a Bash history event.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a bash history file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.bencode_parser module¶

This file contains the Bencode Parser.

Plaso’s engine calls BencodeParser when it encounters bencoded files to be processed, typically seen for BitTorrent data.

class plaso.parsers.bencode_parser.BencodeParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Deserializes bencoded file; produces a dictionary containing bencoded data.

The Plaso engine calls parsers by their Parse() method. The Parse() function deserializes bencoded files using the BitTorrent-bencode library and calls plugins (BencodePlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a bencoded file, each plugin holds logic specific to a particular bencoded file. See the bencode_plugins / directory for examples of how bencode plugins are implemented.

BENCODE_RE = re.compile(b'd[0-9]')¶

DESCRIPTION = 'Parser for bencoded files.'¶

NAME = 'bencode'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a bencoded file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.bsm module¶

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData[source]¶

Bases: plaso.containers.events.EventData

Basic Security Module (BSM) audit event data.

event_type¶: int – identifier that represents the type of the event.

extra_tokens¶: list[dict[str, dict[str, str]]] – event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}

record_length¶: int – record length in bytes (trailer number).

return_value¶: str – processed return value and exit status.

DATA_TYPE = 'bsm:event'¶

class plaso.parsers.bsm.BSMParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for BSM files.

DESCRIPTION = 'Parser for BSM log files.'¶

NAME = 'bsm_log'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a BSM file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.chrome_cache module¶

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)[source]¶

Bases: object

Chrome cache address.

block_number¶: int – block data file number.

block_offset¶: int – offset within the block data file.

block_size¶: int – block size.

filename¶: str – name of the block data file.

value¶: int – cache address.

FILE_TYPE_BLOCK_1024 = 3¶

FILE_TYPE_BLOCK_256 = 2¶

FILE_TYPE_BLOCK_4096 = 4¶

FILE_TYPE_BLOCK_RANKINGS = 1¶

FILE_TYPE_SEPARATE = 0¶

class plaso.parsers.chrome_cache.CacheEntry[source]¶

Bases: object

Chrome cache entry.

creation_time¶: int – creation time, in number of microseconds since since January 1, 1601, 00:00:00 UTC.

hash¶: int – super fast hash of the key.

key¶: bytes – key.

next¶: int – cache address of the next cache entry.

original_url¶: str – original URL derived from the key.

rankings_node¶: int – cache address of the rankings node.

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache data block file parser.

ParseCacheEntry(file_object, block_offset)[source]¶

Parses a cache entry.

Parameters:	file_object (dfvfs.FileIO) – a file-like object to read from. block_offset (int) – block offset of the cache entry.
Returns:	cache entry.
Return type:	CacheEntry
Raises:	`ParseError` – if the cache entry cannot be read.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:	`ParseError` – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Cache event data.

original_url¶: str – original URL.

DATA_TYPE = 'chrome:cache:entry'¶

class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Chrome cache index file parser.

creation_time¶: int – creation time, in number of number of microseconds since January 1, 1601, 00:00:00 UTC.

index_table¶: list[CacheAddress] – the cache addresses which are stored in the index file.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:	`ParseError` – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses Chrome Cache files.

DESCRIPTION = 'Parser for Chrome Cache files.'¶

NAME = 'chrome_cache'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses Chrome Cache files.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_entry (dfvfs.FileEntry) – file entry.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.chrome_preferences module¶

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome content settings exceptions event data.

permission¶: str – permission.

primary_url¶: str – primary URL.

secondary_url¶: str – secondary URL.

DATA_TYPE = 'chrome:preferences:content_settings:exceptions'¶

class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension event data.

extension_id¶: str – extension identifier.

extension_name¶: str – extension name.

path¶: str – path.

DATA_TYPE = 'chrome:preferences:extension_installation'¶

class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome Extension Autoupdater event data.

message¶: str – message.

DATA_TYPE = 'chrome:preferences:extensions_autoupdater'¶

class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Chrome history clearing event data.

message¶: str – message.

DATA_TYPE = 'chrome:preferences:clear_history'¶

class plaso.parsers.chrome_preferences.ChromePreferencesParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Chrome Preferences files.

DESCRIPTION = 'Parser for Chrome Preferences files.'¶

NAME = 'chrome_preferences'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Chrome preferences file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

REQUIRED_KEYS = frozenset({'browser', 'extensions'})¶

plaso.parsers.cups_ipp module¶

The CUPS IPP files parser.

CUPS IPP version 1.0: * http://tools.ietf.org/html/rfc2565 * http://tools.ietf.org/html/rfc2566 * http://tools.ietf.org/html/rfc2567 * http://tools.ietf.org/html/rfc2568 * http://tools.ietf.org/html/rfc2569 * http://tools.ietf.org/html/rfc2639

CUPS IPP version 1.1: * http://tools.ietf.org/html/rfc2910 * http://tools.ietf.org/html/rfc2911 * http://tools.ietf.org/html/rfc3196 * http://tools.ietf.org/html/rfc3510

CUPS IPP version 2.0: * N/A

class plaso.parsers.cups_ipp.CupsIppEventData[source]¶

Bases: plaso.containers.events.EventData

CUPS IPP event data.

application¶: str – application that prints the document.

data_dict¶: dict[str, object] – parsed data coming from the file.

computer_name¶: str – name of the computer.

copies¶: int – number of copies.

doc_type¶: str – type of document.

job_id¶: str – job identifier.

job_name¶: str – job name.

owner¶: str – real name of the user.

printer_id¶: str – identification name of the print.

uri¶: str – URL of the CUPS service.

user¶: str – system user name.

DATA_TYPE = 'cups:ipp:event'¶

class plaso.parsers.cups_ipp.CupsIppParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for CUPS IPP files.

DESCRIPTION = 'Parser for CUPS IPP files.'¶

NAME = 'cups_ipp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a CUPS IPP file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.custom_destinations module¶

Parser for .customDestinations-ms files.

class plaso.parsers.custom_destinations.CustomDestinationsParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses .customDestinations-ms files.

DESCRIPTION = 'Parser for *.customDestinations-ms files.'¶

NAME = 'custom_destinations'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a .customDestinations-ms file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.docker module¶

Parser for Docker configuration and log files.

class plaso.parsers.docker.DockerJSONContainerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s configuration file event data.

action¶: str – whether the container was created, started, or finished.

container_id¶: str – identifier of the container (SHA256).

container_name¶: str – name of the container.

DATA_TYPE = 'docker:json:container'¶

class plaso.parsers.docker.DockerJSONContainerLogEventData[source]¶

Bases: plaso.containers.events.EventData

Docker container’s log event data.

container_id¶: str – identifier of the container (sha256).

log_line¶: str – log line.

log_source¶: str – log source.

DATA_TYPE = 'docker:json:container:log'¶

class plaso.parsers.docker.DockerJSONLayerEventData[source]¶

Bases: plaso.containers.events.EventData

Docker filesystem layer configuration file event data.

command¶: the command used which made Docker create a new layer

layer_id¶: the identifier of the current Docker layer (sha1)

DATA_TYPE = 'docker:json:layer'¶

class plaso.parsers.docker.DockerJSONParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Generates various events from Docker json config and log files.

This handles : * Per container config file

DOCKER_DIR/containers/<container_id>/config.json

Per container stdout/stderr output log DOCKER_DIR/containers/<container_id>/<container_id>-json.log
Filesystem layer config files DOCKER_DIR/graph/<layer_id>/json

DESCRIPTION = 'Parser for JSON Docker files.'¶

NAME = 'dockerjson'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses various Docker configuration and log files in JSON format.

This methods checks whether the file_object points to a docker JSON config or log file, and calls the corresponding _Parse* function to generate Events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed. `ValueError` – if the JSON file cannot be decoded.

plaso.parsers.dpkg module¶

This file contains the Debian dpkg.log file parser.

Information updated 02 September 2016.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command Where type is:

archives (with a command of unpack or install) packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version Where action is:

install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision Where decision is install or keep.

class plaso.parsers.dpkg.DpkgEventData[source]¶

Bases: plaso.containers.events.EventData

Dpkg event data.

body¶: str – body of the log line.

DATA_TYPE = 'dpkg:line'¶

class plaso.parsers.dpkg.DpkgParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for Debian dpkg.log files.

DESCRIPTION = 'Parser for Debian dpkg.log files.'¶

LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]¶

NAME = 'dpkg'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters:	parser_mediator (ParserMediator) – parser mediator. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – parser mediator. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.dsv_parser module¶

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser(encoding=None)[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Delimiter separated values (DSV) parser interface.

COLUMNS = []¶

DELIMITER = b','¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NUMBER_OF_HEADER_LINES = 0¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a DSV text file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – offset of the row. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

QUOTE_CHAR = b'"'¶

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.dtfabric_parser module¶

Shared functionality for dtFabric-based data format parsers.

class plaso.parsers.dtfabric_parser.DtFabricBaseParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Shared functionality for dtFabric-based data format parsers.

A dtFabric-based data format parser defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size¶: 4

units¶: bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

name: y data_type: int32
name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_object (dfvfs.FileIO) – a file-like object to parse.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.esedb module¶

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

A cache storing query results for ESEDB plugins.

StoreDictInCache(attribute_name, dict_object)[source]¶

Store a dict object in cache.

Parameters:	attribute_name (str) – name of the attribute. dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Extensible Storage Engine (ESE) database files (EDB).

DESCRIPTION = 'Parser for Extensible Storage Engine (ESE) database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'esedb'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an ESE database file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.filestat module¶

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData[source]¶

Bases: plaso.containers.events.EventData

File system stat event data.

file_entry_type¶: int – dfVFS file entry type.

file_size¶: int – file size in bytes.

file_system_type¶: str – file system type.

is_allocated¶: bool – True if the file is allocated.

offset¶: int – the offset of the stat data in bytes.

DATA_TYPE = 'fs:stat'¶

class plaso.parsers.filestat.FileStatParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses file system stat object.

DESCRIPTION = 'Parser for file system stat information.'¶

NAME = 'filestat'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module¶

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 2 files (Firefox 32 or later).

DESCRIPTION = 'Parser for Firefox Cache version 2 files (Firefox 32 or later).'¶

NAME = 'firefox_cache2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Firefox cache event data.

data_size¶: int – size of the cached data.

fetch_count¶: int – number of times the cache entry was fetched.

frequency¶: int – ???

info_size¶: int – size of the metadata.

location¶: str – ???

request_method¶: str – HTTP request method.

request_size¶: int – HTTP request byte size.

response_code¶: int – HTTP response code.

url¶: str – URL of original content.

version¶: int – cache format version.

DATA_TYPE = 'firefox:cache:record'¶

class plaso.parsers.firefox_cache.FirefoxCacheParser[source]¶

Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser

Parses Firefox cache version 1 files (Firefox 31 or earlier).

DESCRIPTION = 'Parser for Firefox Cache version 1 files (Firefox 31 or earlier).'¶

FIREFOX_CACHE_CONFIG¶: alias of firefox_cache_config

NAME = 'firefox_cache'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Firefox cache file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.fseventsd module¶

Parsers for MacOS fseventsd files.

class plaso.parsers.fseventsd.FseventsdEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS file system event (fseventsd) event data

event_identifier¶: int – the record event identifier.

flags¶: int – flags stored in the record.

node_identifier¶: int – file system node identifier related to the file system event.

path¶: str – path recorded in the fseventsd record.

DATA_TYPE = 'macos:fseventsd:record'¶

class plaso.parsers.fseventsd.FseventsdParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for fseventsd files.

This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.

DESCRIPTION = 'Parser for fseventsd files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'fsevents'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an fseventsd file.

Parameters:	parser_mediator (ParserMediator) – parser mediator. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the header cannot be parsed.

plaso.parsers.gdrive_synclog module¶

Parser for Google Drive Sync log files.

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData[source]¶

Bases: plaso.containers.events.EventData

Google Drive Sync log event data.

log_level¶: str – logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.

message¶: str – log message.

pid¶: int – process identifier of process which logged event.

source_code¶: str – filename:line_number of source file which logged event.

thread¶: str – colon-separated thread identifier in the form “ID:name” which logged event.

time¶: str – date and time of the log entry event with timezone offset.

DATA_TYPE = 'gdrive_sync:log:line'¶

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses events from Google Drive Sync log files.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for Google Drive Sync log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)} W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | {{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}})} [lineEnd]...})]¶

NAME = 'gdrive_synclog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a Google Drive Sync log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.hachoir module¶

Parser that uses Hachoir to extract metadata.

class plaso.parsers.hachoir.HachoirEventData[source]¶

Bases: plaso.containers.events.EventData

Hachoir event data.

metadata¶: dict[str, object] – hachoir metadata.

DATA_TYPE = 'metadata:hachoir'¶

class plaso.parsers.hachoir.HachoirParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parser that uses Hachoir.

DESCRIPTION = 'Parser that wraps Hachoir.'¶

NAME = 'hachoir'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object using Hachoir.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.iis module¶

Parser for Windows IIS Log file.

More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx

class plaso.parsers.iis.IISEventData[source]¶

Bases: plaso.containers.events.EventData

IIS log event data.

Attributes:

DATA_TYPE = 'iis:log:line'¶

class plaso.parsers.iis.WinIISParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses a Microsoft IIS log file.

BLANK = "-"¶

COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}¶

DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}¶

DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}¶

DESCRIPTION = 'Parser for Microsoft IIS log files.'¶

FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}¶

INTEGER = {W:(0123...) | "-"}¶

IP_ADDRESS = {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}¶

LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]¶

LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}¶

NAME = 'winiis'¶

PORT = {W:(0123...) | "-"}¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:	`ParseError` – when the structure type is unknown.

QUERY = {W:(ABCD...) | "-"}¶

URI = {W:(ABCD...) | "-"}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is an IIS log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line was successfully parsed.
Return type:	bool

WORD = {W:(ABCD...) | "-"}¶

plaso.parsers.interface module¶

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter[source]¶

Bases: object

File entry filter interface.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters:	file_entry (dfvfs.FileEntry) – a file entry.
Returns:	True if the file entry matches the filter.
Return type:	bool

class plaso.parsers.interface.BaseParser[source]¶

Bases: object

The parser interface.

DESCRIPTION = ''¶

classmethod DeregisterPlugin(plugin_class)[source]¶

Deregisters a plugin class.

The plugin classes are identified based on their lower case name.

Parameters:	plugin_class (type) – class of the plugin.
Raises:	`KeyError` – if plugin class is not set for the corresponding name.

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters:	plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

FILTERS = frozenset()¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	a format specification or None if not available.
Return type:	FormatSpecification

classmethod GetPluginObjectByName(plugin_name)[source]¶

Retrieves a specific plugin object by its name.

Parameters:	plugin_name (str) – name of the plugin.
Returns:	a plugin object or None if not available.
Return type:	BasePlugin

classmethod GetPlugins()[source]¶

Retrieves the registered plugins.

Yields:	tuple[str, type] – name and class of the plugin.

NAME = 'base_parser'¶

classmethod RegisterPlugin(plugin_class)[source]¶

Registers a plugin class.

The plugin classes are identified based on their lower case name.

Parameters:	plugin_class (type) – class of the plugin.
Raises:	`KeyError` – if plugin class is already set for the corresponding name.

classmethod RegisterPlugins(plugin_classes)[source]¶

Registers plugin classes.

Parameters:	plugin_classes (list[type]) – classes of plugins.
Raises:	`KeyError` – if plugin class is already set for the corresponding name.

classmethod SupportsPlugins()[source]¶

Determines if a parser supports plugins.

Returns:	True if the parser supports plugins.
Return type:	bool

class plaso.parsers.interface.FileEntryParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file entry parser interface.

Parse(parser_mediator)[source]¶

Parsers the file entry and extracts event objects.

Parameters:	parser_mediator (ParserMediator) – a parser mediator.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a file entry.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_entry (dfvfs.FileEntry) – a file entry to parse.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)[source]¶

Bases: plaso.parsers.interface.BaseFileEntryFilter

File name file entry filter.

Match(file_entry)[source]¶

Determines if a file entry matches the filter.

Parameters:	file_entry (dfvfs.FileEntry) – a file entry.
Returns:	True if the file entry matches the filter.
Return type:	bool

class plaso.parsers.interface.FileObjectParser[source]¶

Bases: plaso.parsers.interface.BaseParser

The file-like object parser interface.

Parse(parser_mediator, file_object)[source]¶

Parses a single file-like object.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_object (dvfvs.FileIO) – a file-like object to parse.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a file-like object.

Parameters:	parser_mediator (ParserMediator) – a parser mediator. file_object (dvfvs.FileIO) – a file-like object to parse.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.java_idx module¶

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData[source]¶

Bases: plaso.containers.events.EventData

Java IDX cache file event data.

idx_version¶: str – format version of IDX file.

ip_address¶: str – IP address of the host in the URL.

url¶: str – URL of the downloaded file.

DATA_TYPE = 'java:download:idx'¶

class plaso.parsers.java_idx.JavaIDXParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Java WebStart Cache IDX files.

There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable-lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

DESCRIPTION = 'Parser for Java WebStart Cache IDX files.'¶

NAME = 'java_idx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Java WebStart Cache IDX file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dvfvs.FileIO) – a file-like object to parse.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.logger module¶

The parsers sub module logger.

plaso.parsers.mac_appfirewall module¶

This file contains a appfirewall.log (MacOS Firewall) parser.

class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS Firewall log event data.

action¶: str – action.

agent¶: str – agent that save the log.

computer_name¶: str – name of the computer.

process_name¶: str – name of the entity that tried do the action.

status¶: str – saved status action.

DATA_TYPE = 'mac:appfirewall:line'¶

class plaso.parsers.mac_appfirewall.MacAppFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on appfirewall.log file.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for appfirewall.log files.'¶

FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}¶

LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]¶

NAME = 'mac_appfirewall_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac AppFirewall log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.mac_keychain module¶

Parser for MacOS Keychain files.

class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain application password record event data.

account_name¶: str – name of the account.

comments¶: str – comments added by the user.

entry_name¶: str – name of the entry.

ssgp_hash¶: str – password/certificate hash formatted as an hexadecimal string.

text_description¶: str – description.

DATA_TYPE = 'mac:keychain:application'¶

class plaso.parsers.mac_keychain.KeychainDatabaseColumn[source]¶

Bases: object

MacOS keychain database column.

attribute_data_type¶: int – attribute (data) type.

attribute_identifier¶: int – attribute identifier.

attribute_name¶: str – attribute name.

class plaso.parsers.mac_keychain.KeychainDatabaseTable[source]¶

Bases: object

MacOS keychain database table.

columns¶: list[KeychainDatabaseColumn] – columns.

records¶: list[dict[str, str]] – records.

relation_identifier¶: int – relation identifier.

relation_name¶: str – relation name.

class plaso.parsers.mac_keychain.KeychainInternetRecordEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS keychain internet record event data.

account_name¶: str – name of the account.

comments¶: str – comments added by the user.

entry_name¶: str – name of the entry.

protocol¶: str – internet protocol used, for example “https”.

ssgp_hash¶: str – password/certificate hash formatted as an hexadecimal string.

text_description¶: str – description.

type_protocol¶: str – sub-protocol used, for example “form”.

where¶: str – domain name or IP where the password is used.

DATA_TYPE = 'mac:keychain:internet'¶

class plaso.parsers.mac_keychain.KeychainParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Keychain files.

DESCRIPTION = 'Parser for MacOS Keychain files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'mac_keychain'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MacOS keychain file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.mac_securityd module¶

This file contains the MacOS securityd log plaintext parser.

Also see:: http://opensource.apple.com/source/Security/Security-55471/sec/securityd/

class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS securityd log event data.

caller¶: str – caller, consists of two hex numbers.

facility¶: str – facility.

level¶: str – priority level.

message¶: str – message.

security_api¶: str – name of securityd function.

sender_pid¶: int – process identifier of the sender.

sender¶: str – name of the sender.

DATA_TYPE = 'mac:securityd:line'¶

class plaso.parsers.mac_securityd.MacOSSecuritydLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the securityd file that contains logs from the security daemon.

DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DESCRIPTION = 'Parser for MacOS securityd log files.'¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]¶

NAME = 'mac_securityd'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}¶

SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a securityd log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.mac_wifi module¶

This file contains the wifi.log (MacOS) parser.

class plaso.parsers.mac_wifi.MacWifiLogEventData[source]¶

Bases: plaso.containers.events.EventData

Mac Wifi log event data.

action¶: str – known WiFI action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).

agent¶: str – name and identifier of process that generated the log message.

function¶: str – name of function that generated the log message.

text¶: str – log message

DATA_TYPE = 'mac:wifilog:line'¶

class plaso.parsers.mac_wifi.MacWifiLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse text based on wifi.log file.

DESCRIPTION = 'Parser for MacOS wifi.log files.'¶

LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD...,abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]¶

NAME = 'macwifi'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Mac Wifi log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.mactime module¶

Parser for the Sleuthkit (TSK) bodyfile or mactime format.

The format specifications can be read here:: http://wiki.sleuthkit.org/index.php?title=Body_file

class plaso.parsers.mactime.MactimeEventData[source]¶

Bases: plaso.containers.events.EventData

Mactime event data.

filename¶: str – name of the file.

inode¶: int – “inode” of the file. Note that inode is an overloaded term in the context of mactime and used for MFT entry index values as well.

md5¶: str – MD5 hash of the file content, formatted as a hexadecimal string.

mode_as_string¶: str – protection mode.

offset¶: int – number of the corresponding line.

size¶: int – size of the file content.

user_gid¶: int – user group identifier (GID).

user_sid¶: str – user security identifier (SID).

DATA_TYPE = 'fs:mactime:line'¶

class plaso.parsers.mactime.MactimeParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

SleuthKit bodyfile parser.

COLUMNS = ['md5', 'name', 'inode', 'mode_as_string', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'btime']¶

DELIMITER = b'|'¶

DESCRIPTION = 'Parser for SleuthKit version 3 bodyfiles.'¶

NAME = 'mactime'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – number of the corresponding line. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.manager module¶

The parsers and plugins manager.

class plaso.parsers.manager.ParsersManager[source]¶

Bases: object

The parsers and plugins manager.

classmethod CreateSignatureScanner(specification_store)[source]¶

Creates a signature scanner for format specifications with signatures.

Parameters:	specification_store (FormatSpecificationStore) – format specifications with signatures.
Returns:	signature scanner.
Return type:	pysigscan.scanner

classmethod DeregisterParser(parser_class)[source]¶

Deregisters a parser class.

The parser classes are identified based on their lower case name.

Parameters:	parser_class (type) – parser class (subclass of BaseParser).
Raises:	`KeyError` – if parser class is not set for the corresponding name.

classmethod GetFormatsWithSignatures(parser_filter_expression=None)[source]¶

Retrieves the format specifications that have signatures.

This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

Parameters:	parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:	containing: FormatSpecificationStore: format specifications with signaures. list[str[: remaining parser names that do not have a format specification with signatures.
Return type:	tuple

classmethod GetNamesOfParsersWithPlugins()[source]¶

Retrieves the names of all parsers with plugins.

Returns:	names of all parsers with plugins.
Return type:	list[str]

classmethod GetParserAndPluginNames(parser_filter_expression=None)[source]¶

Retrieves the parser and parser plugin names.

Parameters:	parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:	parser and parser plugin names.
Return type:	list[str]

classmethod GetParserObjectByName(parser_name)[source]¶

Retrieves a specific parser object by its name.

Parameters:	parser_name (str) – name of the parser.
Returns:	parser object or None.
Return type:	BaseParser

classmethod GetParserObjects(parser_filter_expression=None)[source]¶

Retrieves the parser objects.

Parameters:	parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:	parsers per name.
Return type:	dict[str, BaseParser]

classmethod GetParserPluginsInformation(parser_filter_expression=None)[source]¶

Retrieves the parser plugins information.

Parameters:	parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.
Returns:	pairs of parser plugin names and descriptions.
Return type:	list[tuple[str, str]]

classmethod GetParsers(parser_filter_expression=None)[source]¶

Retrieves the registered parsers and plugins.

Retrieves a dictionary of all registered parsers and associated plugins from a parser filter string. The filter string can contain direct names of parsers, presets or plugins. The filter string can also negate selection if prepended with an exclamation point, e.g.: “foo,!foo/bar” would include parser foo but not include plugin bar. A list of specific included and excluded plugins is also passed to each parser’s class.

The three types of entries in the filter string:

name of a parser: this would be the exact name of a single parser to include (or exclude), e.g. foo;
name of a preset, e.g. win7: the presets are defined in plaso/parsers/presets.py;
name of a plugin: if a plugin name is included the parent parser will be included in the list of registered parsers;

Parameters:

parser_filter_expression (Optional[str]) – parser filter expression, where None represents all parsers and plugins.

Yields:

tuple – containing:

str: name of the parser:
type: parser class (subclass of BaseParser).

classmethod GetParsersInformation()[source]¶

Retrieves the parsers information.

Returns:	parser names and descriptions.
Return type:	list[tuple[str, str]]

classmethod GetPresetForOperatingSystem(operating_system, operating_system_product, operating_system_version)[source]¶

Determines the preset for a specific operating system.

Parameters:	operating_system (str) – operating system for example “Windows”. This should be one of the values in definitions.OPERATING_SYSTEMS. operating_system_product (str) – operating system product for example “Windows XP” as determined by preprocessing. operating_system_version (str) – operating system version for example “5.1” as determined by preprocessing.
Returns:	parser filter preset, where None represents all parsers and plugins.
Return type:	str

classmethod RegisterParser(parser_class)[source]¶

Registers a parser class.

The parser classes are identified based on their lower case name.

Parameters:	parser_class (type) – parser class (subclass of BaseParser).
Raises:	`KeyError` – if parser class is already set for the corresponding name.

classmethod RegisterParsers(parser_classes)[source]¶

Registers parser classes.

The parser classes are identified based on their lower case name.

Parameters:	parser_classes (list[type]) – parsers classes (subclasses of BaseParser).
Raises:	`KeyError` – if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module¶

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData[source]¶

Bases: plaso.containers.events.EventData

McAfee AV Log event data.

action¶: str – action.

filename¶: str – filename.

rule¶: str – rule.

status¶: str – status.

trigger_location¶: str – trigger location.

username¶: str – username.

DATA_TYPE = 'av:mcafee:accessprotectionlog'¶

class plaso.parsers.mcafeeav.McafeeAccessProtectionParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses the McAfee AV Access Protection Log.

COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']¶

DELIMITER = b'\t'¶

DESCRIPTION = 'Parser for McAfee AV Access Protection log files.'¶

NAME = 'mcafee_protection'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – line number of the row. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.mediator module¶

The parser mediator.

class plaso.parsers.mediator.ParserMediator(storage_writer, knowledge_base, preferred_year=None, resolver_context=None, temporary_directory=None)[source]¶

Bases: object

Parser mediator.

last_activity_timestamp¶: int – timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

AddEventAttribute(attribute_name, attribute_value)[source]¶

Adds an attribute that will be set on all events produced.

Setting attributes using this method will cause events produced via this mediator to have an attribute with the provided name set with the provided value.

Parameters:	attribute_name (str) – name of the attribute to add. attribute_value (str) – value of the attribute to add.
Raises:	`KeyError` – if the event attribute is already set.

AppendToParserChain(plugin_or_parser)[source]¶

Adds a parser or parser plugin to the parser chain.

Parameters:	plugin_or_parser (BaseParser) – parser or parser plugin.

ClearEventAttributes()[source]¶: Clears the extra event attributes.

ClearParserChain()[source]¶: Clears the parser chain.

GetDisplayName(file_entry=None)[source]¶

Retrieves the display name for a file entry.

Parameters:	file_entry (Optional[dfvfs.FileEntry]) – file entry object, where None will return the display name of self._file_entry.
Returns:	human readable string that describes the path to the file entry.
Return type:	str
Raises:	`ValueError` – if the file entry is missing.

GetDisplayNameForPathSpec(path_spec)[source]¶

Retrieves the display name for a path specification.

Parameters:	path_spec (dfvfs.PathSpec) – path specification.
Returns:	human readable version of the path specification.
Return type:	str

GetEstimatedYear()[source]¶

Retrieves an estimate of the year.

This function determines the year in the following manner: * see if the user provided a preferred year; * see if knowledge base defines a year e.g. derived from preprocessing; * determine the year based on the file entry metadata; * default to the current year;

Returns:	estimated year.
Return type:	int

GetFileEntry()[source]¶

Retrieves the active file entry.

Returns:	file entry.
Return type:	dfvfs.FileEntry

GetFilename()[source]¶

Retrieves the name of the active file entry.

Returns:	name of the active file entry or None.
Return type:	str

GetLatestYear()[source]¶

Retrieves the latest (newest) year for an event from a file.

This function tries to determine the year based on the file entry metadata, if that fails the current year is used.

Returns:	year of the file entry or the current year.
Return type:	int

GetParserChain()[source]¶

Retrieves the current parser chain.

Returns:	parser chain.
Return type:	str

PopFromParserChain()[source]¶: Removes the last added parser or parser plugin from the parser chain.

ProcessEvent(event, parser_chain=None, file_entry=None, query=None)[source]¶

Processes an event before it written to the storage.

Parameters:	event (EventObject\|EventData) – event or event data. parser_chain (Optional[str]) – parsing chain up to this point. file_entry (Optional[dfvfs.FileEntry]) – file entry, where None will use the current file entry set in the mediator. query (Optional[str]) – query that was used to obtain the event.
Raises:	`KeyError` – if there’s an attempt to add a duplicate attribute value to the event.

ProduceEventSource(event_source)[source]¶

Produces an event source.

Parameters:	event_source (EventSource) – an event source.
Raises:	`RuntimeError` – when storage writer is not set.

ProduceEventWithEventData(event, event_data)[source]¶

Produces an event.

Parameters:	event (EventObject) – event. event_data (EventData) – event data.
Raises:	`InvalidEvent` – if the event timestamp value is not set or out of bounds.

ProduceExtractionError(message, path_spec=None)[source]¶

Produces an extraction error.

Parameters:	message (str) – message of the error. path_spec (Optional[dfvfs.PathSpec]) – path specification, where None will use the path specification of current file entry set in the mediator.
Raises:	`RuntimeError` – when storage writer is not set.

RemoveEventAttribute(attribute_name)[source]¶

Removes an attribute from being set on all events produced.

Parameters:	attribute_name (str) – name of the attribute to remove.
Raises:	`KeyError` – if the event attribute is not set.

ResetFileEntry()[source]¶: Resets the active file entry.

SampleMemoryUsage(parser_name)[source]¶

Takes a sample of the memory usage for profiling.

Parameters:	parser_name (str) – name of the parser.

SampleStartTiming(parser_name)[source]¶

Starts timing a CPU time sample for profiling.

Parameters:	parser_name (str) – name of the parser.

SampleStopTiming(parser_name)[source]¶

Stops timing a CPU time sample for profiling.

Parameters:	parser_name (str) – name of the parser.

SetEventExtractionConfiguration(configuration)[source]¶

Sets the event extraction configuration settings.

Parameters:	configuration (EventExtractionConfiguration) – event extraction configuration.

SetFileEntry(file_entry)[source]¶

Sets the active file entry.

Parameters:	file_entry (dfvfs.FileEntry) – file entry.

SetInputSourceConfiguration(configuration)[source]¶

Sets the input source configuration settings.

Parameters:	configuration (InputSourceConfiguration) – input source configuration.

SetStorageWriter(storage_writer)[source]¶

Sets the storage writer.

Parameters:	storage_writer (StorageWriter) – storage writer.

SignalAbort()[source]¶: Signals the parsers to abort.

StartProfiling(configuration, identifier, process_information)[source]¶

Starts profiling.

Parameters:	configuration (ProfilingConfiguration) – profiling configuration. identifier (str) – identifier of the profiling session used to create the sample filename. process_information (ProcessInfo) – process information.

StopProfiling()[source]¶: Stops profiling.

abort¶: bool – True if parsing should be aborted.

codepage¶: str – codepage.

hostname¶: str – hostname.

knowledge_base¶: KnowledgeBase – knowledge base.

number_of_produced_errors¶: int – number of produced errors.

number_of_produced_event_sources¶: int – number of produced event sources.

number_of_produced_events¶: int – number of produced events.

operating_system¶: str – operating system or None if not set.

resolver_context¶: dfvfs.Context – resolver context.

temporary_directory¶: str – path of the directory for temporary files.

timezone¶: datetime.tzinfo – timezone.

year¶: int – year.

plaso.parsers.msiecf module¶

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF leak event data.

cached_filename¶: str – name of the cached file.

cached_file_size¶: int – size of the cached file.

cache_directory_index¶: int – index of the cache directory.

cache_directory_name¶: str – name of the cache directory.

recovered¶: bool – True if the item was recovered.

DATA_TYPE = 'msiecf:leak'¶

class plaso.parsers.msiecf.MSIECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses MSIE Cache Files (MSIECF).

DESCRIPTION = 'Parser for MSIE Cache Files (MSIECF) also known as index.dat.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'msiecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a MSIE Cache File (MSIECF) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF redirected event data.

recovered¶: bool – True if the item was recovered.

url¶: str – location URL.

DATA_TYPE = 'msiecf:redirected'¶

class plaso.parsers.msiecf.MSIECFURLEventData[source]¶

Bases: plaso.containers.events.EventData

MSIECF URL event data.

cached_filename¶: str – name of the cached file.

cached_file_size¶: int – size of the cached file.

cache_directory_index¶: int – index of the cache directory.

cache_directory_name¶: str – name of the cache directory.

http_headers¶: str – HTTP headers.

number_of_hits¶: int – number of hits.

recovered¶: bool – True if the item was recovered.

url¶: str – location URL.

DATA_TYPE = 'msiecf:url'¶

plaso.parsers.ntfs module¶

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS file system stat event data.

attribute_type¶: int – attribute type e.g. 0x00000030 which represents $FILE_NAME.

file_attribute_flags¶: int – NTFS file attribute flags.

file_reference¶: int – NTFS file reference.

file_system_type¶: str – file system type.

is_allocated¶: bool – True if the MFT entry is allocated (marked as in use).

name¶: str – name associated with the stat event, e.g. that of a $FILE_NAME attribute or None if not available.

parent_file_reference¶: int – NTFS file reference of the parent.

DATA_TYPE = 'fs:stat:ntfs'¶

class plaso.parsers.ntfs.NTFSMFTParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses a NTFS $MFT metadata file.

DESCRIPTION = 'Parser for NTFS $MFT metadata files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'mft'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $MFT metadata file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.ntfs.NTFSUSNChangeEventData[source]¶

Bases: plaso.containers.events.EventData

NTFS USN change event data.

file_attribute_flags¶: int – NTFS file attribute flags.

filename¶: str – name of the file associated with the event.

file_reference¶: int – NTFS file reference.

file_system_type¶: str – file system type.

parent_file_reference¶: int – NTFS file reference of the parent.

update_reason_flags¶: int – update reason flags.

update_sequence_number¶: int – update sequence number.

update_source_flags¶: int – update source flags.

DATA_TYPE = 'fs:ntfs:usn_change'¶

class plaso.parsers.ntfs.NTFSUsnJrnlParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses a NTFS USN change journal.

DESCRIPTION = 'Parser for NTFS USN change journal ($UsnJrnl).'¶

NAME = 'usnjrnl'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a NTFS $UsnJrnl metadata file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.olecf module¶

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses OLE Compound Files (OLECF).

DESCRIPTION = 'Parser for OLE Compound Files (OLECF).'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'olecf'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an OLE Compound File (OLECF) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.opera module¶

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera global history entry data.

description¶: str – description.

popularity_index¶: int – popularity index.

title¶: str – title.

url¶: str – URL.

DATA_TYPE = 'opera:history:entry'¶

class plaso.parsers.opera.OperaGlobalHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera global_history.dat file.

DESCRIPTION = 'Parser for Opera global_history.dat files.'¶

NAME = 'opera_global'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera global history file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Opera typed history entry data.

entry_selection¶: str – information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

entry_type¶: str – information about whether the URL was directly typed in or the result of the user choosing from the auto complete.

url¶: str – typed URL or hostname.

DATA_TYPE = 'opera:history:typed_entry'¶

class plaso.parsers.opera.OperaTypedHistoryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses the Opera typed_history.xml file.

DESCRIPTION = 'Parser for Opera typed_history.xml files.'¶

NAME = 'opera_typed_history'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an Opera typed history file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.oxml module¶

This file contains a parser for OXML files (i.e. MS Office 2007+).

class plaso.parsers.oxml.OpenXMLEventData[source]¶

Bases: plaso.containers.events.EventData

OXML event data.

app_version¶: str – version of application that created document.

author¶: str – name of author.

creating_app¶: str – name of application that created document.

doc_security¶: str – ???

hyperlinks_changed¶: bool – True if hyperlinks have changed.

i4¶: str – ???

last_saved_by¶: str – name of user that last saved the document.

links_up_to_date¶: bool – True if the links are up to date.

number_of_characters¶: int – number of characters without spaces in the document.

number_of_characters_with_spaces¶: int – number of characters including spaces in the document.

number_of_lines¶: int – number of lines in the document.

number_of_pages¶: int – number of pages in the document.

number_of_paragraphs¶: int – number of paragraphs in the document.

number_of_words¶: int – number of words in the document.

revision_number¶: int – revision number.

scale_crop¶: bool – True if crop to scale is enabled.

shared_doc¶: bool – True if document is shared.

template¶: str – name of template ???

total_time¶: str – ???

DATA_TYPE = 'metadata:openxml'¶

class plaso.parsers.oxml.OpenXMLParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parse metadata from OXML files.

DESCRIPTION = 'Parser for OpenXML (OXML) files.'¶

NAME = 'openxml'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an OXML file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.pe module¶

A parser for Portable Executable format files.

class plaso.parsers.pe.PEEventData[source]¶

Bases: plaso.containers.events.EventData

Portable Executable (PE) event data.

dll_name¶: str – name of an imported DLL.

imphash¶: str – “Import Hash” of the pe file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing

pe_type¶: str – type of PE file the event relates to.

section_names¶: list[str] – names of the PE file’s sections.

DATA_TYPE = 'pe'¶

class plaso.parsers.pe.PEParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parser for Portable Executable (PE) files.

DESCRIPTION = 'Parser for Portable Executable (PE) files.'¶

classmethod GetFormatSpecification()[source]¶: Retrieves the format specification.

NAME = 'pe'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Portable Executable (PE) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.plist module¶

This file contains the Property List (Plist) Parser.

Plaso’s engine calls PlistParser when it encounters Plist files to be processed.

class plaso.parsers.plist.PlistParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses binary and text plist plist files.

The Plaso engine calls parsers by their Parse() method. This parser’s Parse() has GetTopLevel() which deserializes plist files using the biplist library and calls plugins (PlistPlugin) registered through the interface by their Process() to produce event objects.

Plugins are how this parser understands the content inside a plist file, each plugin holds logic specific to a particular plist file. See the interface and plist_plugins/ directory for examples of how plist plugins are implemented.

DESCRIPTION = 'Parser for binary and text plist files.'¶

GetTopLevel(file_object)[source]¶

Returns the deserialized content of a plist as a dictionary object.

Parameters:	file_object (dfvfs.FileIO) – a file-like object to parse.
Returns:	contents of the plist.
Return type:	dict[str, object]
Raises:	`UnableToParseFile` – when the file cannot be parsed.

NAME = 'plist'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a plist file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.pls_recall module¶

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData[source]¶

Bases: plaso.containers.events.EventData

PL/SQL Recall event data.

database_name¶: str – name of the database.

query¶: str – PL/SQL query.

sequence_number¶: int – sequence number.

username¶: str – username used to query.

DATA_TYPE = 'PLSRecall:event'¶

class plaso.parsers.pls_recall.PlsRecallParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse PL/SQL Recall files.

This parser is based on the Delphi definition of the data type:

TRecallRecord = packed record

Sequence: Integer; TimeStamp: TDateTime; Username: array[0..30] of Char; Database: array[0..80] of Char; Text: array[0..4000] of Char;

end;

Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

DESCRIPTION = 'Parser for PL/SQL Recall files.'¶

NAME = 'pls_recall'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a PLSRecall.dat file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.plugins module¶

This file contains basic interface for plugins within Plaso.

This library serves a basis for all plugins in Plaso, whether that are Windows registry plugins, SQLite plugins or any other parsing plugins.

This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin[source]¶

Bases: object

A plugin is a lightweight parser that makes use of a common data structure.

When a data structure is common amongst several artifacts or files a plugin infrastructure can be written to make writing parsers simpler. The goal of a plugin is have only a single parser that understands the data structure that can call plugins that have specialized knowledge of certain structures.

An example of this is a SQLite database. A plugin can be written that has knowledge of certain database, such as Chrome history, or Skype history, etc. This can be done without needing to write a full fledged parser that needs to re-implement the data structure knowledge. A single parser can be created that calls the plugins to see if it knows that particular database.

Another example is Windows registry, there a single parser that can parse the registry can be made and the job of a single plugin is to parse a particular registry key. The parser can then read a registry key and compare it to a list of available plugins to see if it can be parsed.

DESCRIPTION = ''¶

NAME = 'base_plugin'¶

Process(parser_mediator, **kwargs)[source]¶

Evaluates if this is the correct plugin and processes data accordingly.

The purpose of the process function is to evaluate if this particular plugin is the correct one for the particular data structure at hand. This function accepts one value to use for evaluation, that could be a registry key, list of table names for a database or any other criteria that can be used to evaluate if the plugin should be run or not.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. kwargs (dict[str, object]) – Depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.
Raises:	`ValueError` – when there are unused keyword arguments.

URLS = []¶

UpdateChainAndProcess(parser_mediator, **kwargs)[source]¶

Wrapper for Process() to synchronize the parser chain.

This convenience method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete. It provides a simpler parser API in most cases.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

plugin_name¶: Return the name of the plugin.

class plaso.parsers.plugins.BasePluginCache[source]¶

Bases: object

A generic cache for parser plugins.

GetResults(attribute, default_value=None)[source]¶

Retrieves a cached attribute.

Parameters:

attribute (str) – name of the cached attribute.
default_value (Optional[object]) – default value.

Returns:

value of the cached attribute or default value if the cache: does not contain the attribute.

Return type:

object

plaso.parsers.popcontest module¶

This file contains the Popularity Contest log file parser in plaso.

Information updated 20 january 2014. From Debian Package Popularity Contest Avery Pennarun <apenwarr@debian.org>

From ‘http://www.unix.com/man-page/Linux/8/popularity-contest/’:

The popularity-contest command gathers information about Debian pack- ages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to deter- mine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page http://popcon.debian.org/.

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity- contest/default.conf.

From ‘http://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 914183333 909868335 grep /bin/fgrep 914183333 909868280 findutils /usr/bin/find 914183330 909885698 dpkg-awk /usr/bin/dpkg-awk 914183330 909868577 gawk /usr/bin/gawk […more lines…] END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.’

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> will be probably get from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.popcontest.PopularityContestEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest event data.

mru¶: str – recently used app/library from package.

package¶: str – installed packaged name, which the mru belongs to.

record_tag¶: str – popularity context tag.

DATA_TYPE = 'popularity_contest:log:event'¶

class plaso.parsers.popcontest.PopularityContestParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse popularity contest log files.

DESCRIPTION = 'Parser for popularity contest log files.'¶

FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}¶

HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}¶

LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]¶

LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}¶

MRU = W:(...)¶

NAME = 'popularity_contest'¶

PACKAGE = W:(0123...)¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:	`ParseError` – when the structure type is unknown.

TAG = quoted string, starting with < ending with >¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Popularity Contest log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line was successfully parsed.
Return type:	bool

class plaso.parsers.popcontest.PopularityContestSessionEventData[source]¶

Bases: plaso.containers.events.EventData

Popularity Contest session event data.

details¶: str – version and host architecture.

hostid¶: str – host uuid.

session¶: int – session number.

status¶: str – session status, either “start” or “end”.

DATA_TYPE = 'popularity_contest:session:event'¶

plaso.parsers.presets module¶

The parser preset categories.

plaso.parsers.recycler module¶

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Recycle Bin event data.

drive_number¶: int – drive number.

file_size¶: int – file size.

original_filename¶: str – filename.

record_index¶: int – index of the record on which the event is based.

short_filename¶: str – short filename.

DATA_TYPE = 'windows:metadata:deleted_item'¶

class plaso.parsers.recycler.WinRecycleBinParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows $Recycle.Bin $I files.

DESCRIPTION = 'Parser for Windows $Recycle.Bin $I files.'¶

NAME = 'recycle_bin'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycle.Bin metadata ($I) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses the Windows Recycler INFO2 file.

DESCRIPTION = 'Parser for Windows Recycler INFO2 files.'¶

NAME = 'recycle_bin_info2'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Recycler INFO2 file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.safari_cookies module¶

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Safari Binary Cookie files.

DESCRIPTION = 'Parser for Safari Binary Cookie files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification for parser selection.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'binary_cookies'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Safari binary cookie file-like object.

Parameters:	parser_mediator (ParserMediator) – parser mediator. file_object (dfvfs.FileIO) – file-like object to be parsed.
Raises:	`UnableToParseFile` – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData[source]¶

Bases: plaso.containers.events.EventData

Safari binary cookie event data.

cookie_name¶: str – cookie name.

cookie_value¶: str – cookie value.

flags¶: int – cookie flags.

path¶: str – path of the cookie.

url¶: str – URL where this cookie is valid.

DATA_TYPE = 'safari:cookie:entry'¶

plaso.parsers.santa module¶

Santa log (santa.log) parser.

class plaso.parsers.santa.SantaExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Santa execution event data.

action¶: str – action recorded by Santa.

decision¶: str – if the process was allowed or blocked.

reason¶: str – reason behind santa decision to execute or block a process.

process_hash¶: str – SHA256 hash for the executed process.

certificate_hash¶: str – SHA256 hash for the certificate associated with the executed process.

certificate_common_name¶: str – certificate common name.

pid¶: str – process id for the process.

ppid¶: str – parent process id for the executed process.

uid¶: str – user id associated with the executed process.

user¶: str – user name associated with the executed process.

gid¶: str – group id associated with the executed process.

group¶: str – group name associated with the executed process.

mode¶: str – Santa execution mode, for example Monitor or Lockdown.

process_path¶: str – process file path.

process_arguments¶: str – executed process with its arguments.

DATA_TYPE = 'santa:execution'¶

class plaso.parsers.santa.SantaFileSystemEventData[source]¶

Bases: plaso.containers.events.EventData

Santa file system event data.

action¶: str – event type recorded by Santa.

file_path¶: str – file path and name for WRITE/DELETE events.

file_new_path¶: str – new file path and name for RENAME events.

pid¶: str – process id for the process.

ppid¶: str – parent process id for the executed process.

process¶: str – process name.

process_path¶: str – process file path.

uid¶: str – user id associated with the executed process.

user¶: str – user name associated with the executed process.

gid¶: str – group id associated with the executed process.

group¶: str – group name associated with the executed process.

DATA_TYPE = 'santa:file_system_event'¶

class plaso.parsers.santa.SantaMountEventData[source]¶

Bases: plaso.containers.events.EventData

Santa mount event data.

action¶: str – event type recorded by Santa.

mount¶: str – disk mount point.

volume¶: str – disk volume name.

bsd_name¶: str – disk BSD name.

fs¶: str – disk volume kind.

model¶: str – disk model.

serial¶: str – disk serial.

bus¶: str – device protocol.

dmg_path¶: str – DMG file path.

appearance¶: str – disk appearance date.

DATA_TYPE = 'santa:diskmount'¶

class plaso.parsers.santa.SantaParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses santa log files

DESCRIPTION = 'Santa Parser'¶

LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]¶

MAX_LINE_LENGTH = 16384¶

NAME = 'santa'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies that this is a santa log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.sccm module¶

Parser for SCCM Logs.

class plaso.parsers.sccm.SCCMLogEventData[source]¶

Bases: plaso.containers.events.EventData

SCCM log event data.

component¶: str – component.

text¶: str – text.

DATA_TYPE = 'software_management:sccm:log'¶

class plaso.parsers.sccm.SCCMParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Windows System Center Configuration Manager (SCCM) logs.

BUFFER_SIZE = 16384¶

DESCRIPTION = 'Parser for SCCM logs files.'¶

LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)}¶

LINE_STRUCTURES = [('log_entry', {{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_at_end', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd}), ('log_entry_offset', {{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} Re:('.*?(?=(\\<!\\[LOG\\[))')}), ('log_entry_offset_at_end', {{{{{{{{{{{{{{{{{{{{"<![LOG[" Re:('.*?(?=(]LOG]!><time="))')} "]LOG]!><time=""} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(".")} Re:('\\d{3,7}')} Re:('[-+]\\d{2,3}')} "" date=""} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} "" component=""} W:(ABCD...)} rest of line} lineEnd})]¶

NAME = 'sccm'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse the record and return an SCCM log event object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies whether content corresponds to an SCCM log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.selinux module¶

This file contains SELinux audit.log file parser.

Information updated 16 january 2013.

An example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm=”httpd” path=”/home/auser/public_html” dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot e.g. seconds: 1105758604, milliseconds: 519.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.

References:

taste_of_training/Summit_2010_SELinux.pdf

class plaso.parsers.selinux.SELinuxLogEventData[source]¶

Bases: plaso.containers.events.EventData

SELinux log event data.

audit_type¶: str – audit type.

body¶: str – body of the log line.

pid¶: int – process identifier (PID) that created the SELinux log line.

DATA_TYPE = 'selinux:line'¶

class plaso.parsers.selinux.SELinuxParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parser for SELinux audit.log files.

DESCRIPTION = 'Parser for SELinux audit.log files.'¶

LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]¶

NAME = 'selinux'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a structure of tokens derived from a line of a text file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verifies if a line from a text file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.skydrivelog module¶

This file contains SkyDrive log file parser in plaso.

class plaso.parsers.skydrivelog.SkyDriveLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive log event data.

detail¶: str – details.

log_level¶: str – log level.

module¶: str – name of the module that generated the log messsage.

source_code¶: str – source file and line number that generated the log message.

DATA_TYPE = 'skydrive:log:line'¶

class plaso.parsers.skydrivelog.SkyDriveLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses SkyDrive log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) log files.'¶

IGNORE_FIELD = Suppress:(!W:(,))¶

LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]¶

MSEC = W:(0123...)¶

NAME = 'skydrive_log'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verify that this file is a SkyDrive log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

class plaso.parsers.skydrivelog.SkyDriveOldLogEventData[source]¶

Bases: plaso.containers.events.EventData

SkyDrive old log event data.

log_level¶: str – log level.

source_code¶: str – source file and line number that generated the log message.

text¶: str – log message.

DATA_TYPE = 'skydrive:log:old:line'¶

class plaso.parsers.skydrivelog.SkyDriveOldLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse SkyDrive old log files.

DESCRIPTION = 'Parser for OneDrive (or SkyDrive) old log files.'¶

LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]¶

NAME = 'skydrive_log_old'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parse each record structure and return an EventObject if applicable.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a SkyDrive old log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.sophos_av module¶

Sophos Anti-Virus log (SAV.txt) parser.

References https://community.sophos.com/kb/en-us/110923

class plaso.parsers.sophos_av.SophosAVLogEventData[source]¶

Bases: plaso.containers.events.EventData

Sophos Anti-Virus log event data.

text¶: str – Sophos Anti-Virus log message.

DATA_TYPE = 'sophos:av:log'¶

class plaso.parsers.sophos_av.SophosAVLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses Anti-Virus logs (SAV.txt) files.

DESCRIPTION = 'Parser for Anti-Virus log (SAV.txt) files.'¶

LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]¶

MAX_LINE_LENGTH = 4096¶

NAME = 'sophos_av'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a Sophos Anti-Virus log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.sqlite module¶

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache[source]¶

Bases: plaso.parsers.plugins.BasePluginCache

Cache for storing results of SQL queries.

CacheQueryResults(sql_results, attribute_name, key_name, column_names)[source]¶

Build a dictionary object based on a SQL command.

This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

An example:

sql_results = A SQL result object after executing the
              SQL command: 'SELECT foo, bla, bar FROM my_table'
attribute_name = 'all_the_things'
key_name = 'foo'
column_names = ['bla', 'bar']

Results from running this against the database: ‘first’, ‘stuff’, ‘things’ ‘second’, ‘another stuff’, ‘another thing’

This will result in a dictionary object being created in the cache, called ‘all_the_things’ and it will contain the following value:

all_the_things = {
    'first': ['stuff', 'things'],
    'second': ['another_stuff', 'another_thing'],
    'third': ['single_thing']}

Parameters:

sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
column_names (list[str]) – of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.

GetRowCache(query)[source]¶

Retrieves the row cache for a specific query.

The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate row when a database and a database with a WAL file is parsed.

Parameters:	query (str) – query.
Returns:	hashes of the rows that have been parsed.
Return type:	set

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)[source]¶

Bases: object

SQLite database.

schema¶: dict[str, str] – schema as an SQL query per table name, for example {‘Users’: ‘CREATE TABLE Users (“id” INTEGER PRIMARY KEY, …)’}.

Close()[source]¶: Closes the database connection and cleans up the temporary file.

Open(file_object, wal_file_object=None)[source]¶

Opens a SQLite database file.

Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy the database file this function sets up a connection with the database and determines the names of the tables.

Parameters:	file_object (dfvfs.FileIO) – file-like object. wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.
Raises:	`IOError` – if the file-like object cannot be read. `sqlite3.DatabaseError` – if the database cannot be parsed. `ValueError` – if the file-like object is missing.

Query(query)[source]¶

Queries the database.

Parameters:	query (str) – SQL query.
Returns:	results.
Return type:	sqlite3.Cursor
Raises:	`sqlite3.DatabaseError` – if querying the database fails.

SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'¶

tables¶: list[str] – names of all the tables.

class plaso.parsers.sqlite.SQLiteParser[source]¶

Bases: plaso.parsers.interface.FileEntryParser

Parses SQLite database files.

DESCRIPTION = 'Parser for SQLite database files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	a format specification or None if not available.
Return type:	FormatSpecification

NAME = 'sqlite'¶

ParseFileEntry(parser_mediator, file_entry)[source]¶

Parses a SQLite database file entry.

Parameters:	parser_mediator (ParserMediator) – parser mediator. file_entry (dfvfs.FileEntry) – file entry to be parsed.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.symantec module¶

This file contains a Symantec parser in plaso.

class plaso.parsers.symantec.SymantecEventData[source]¶

Bases: plaso.containers.events.EventData

Symantec event data.

access¶: str – access.

action0¶: str – action0.

action1¶: str – action1.

action1_status¶: str – action1 status.

action2¶: str – action2.

action2_status¶: str – action2 status.

address¶: str – address.

backup_id¶: str – backup identifier.

cat¶: str – category.

cleaninfo¶: str – clean information.

clientgroup¶: str – client group.

compressed¶: str – compressed.

computer¶: str – computer.

definfo¶: str – definfo.

defseqnumber¶: str – def sequence number.

deleteinfo¶: str – delete information.

depth¶: str – depth.

description¶: str – description.

domain_guid¶: str – domain identifier (GUID).

domainname¶: str – domain name.

err_code¶: str – error code.

event_data¶: str – event data.

event¶: str – event.

extra¶: str – extra.

file¶: str – file.

flags¶: str – flags.

groupid¶: str – group identifier.

guid¶: str – guid.

license_expiration_dt¶: str – license expiration date.

license_feature_name¶: str – license feature name.

license_feature_ver¶: str – license feature ver.

license_fulfillment_id¶: str – license fulfillment identifier.

license_lifecycle¶: str – license lifecycle.

license_seats_delta¶: str – license seats delta.

license_seats¶: str – license seats.

license_seats_total¶: str – license seats total.

license_serial_num¶: str – license serial number.

license_start_dt¶: str – license start date.

logger¶: str – logger.

login_domain¶: str – login domain.

log_session_guid¶: str – log session identifier (GUID).

macaddr¶: str – MAC address.

new_ext¶: str – new ext.

ntdomain¶: str – ntdomain.

offset¶: str – offset.

parent¶: str – parent.

quarfwd_status¶: str – quarfwd status.

remote_machine_ip¶: str – remote machine IP address.

remote_machine¶: str – remote machine.

scanid¶: str – scan identifier.

snd_status¶: str – snd status.

status¶: str – status.

still_infected¶: str – still infected.

time¶: str – time.

user¶: str – user.

vbin_id¶: str – vbin identifier.

vbin_session_id¶: str – vbin session identifier.

version¶: str – version.

virus_id¶: str – virus identifier.

virus¶: str – virus.

virustype¶: str – virustype.

DATA_TYPE = 'av:symantec:scanlog'¶

class plaso.parsers.symantec.SymantecParser(encoding=None)[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Parses Symantec AV Corporate Edition and Endpoint Protection log files.

COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']¶

DESCRIPTION = 'Parser for Symantec Anti-Virus log files.'¶

NAME = 'symantec_scanlog'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – line number of the row. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.syslog module¶

Parser for syslog formatted log files

class plaso.parsers.syslog.SyslogCommentEventData[source]¶

Bases: plaso.containers.events.EventData

Syslog comment event data.

body¶: str – message body.

DATA_TYPE = 'syslog:comment'¶

class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')[source]¶

Bases: plaso.containers.events.EventData

Syslog line event data.

body¶: str – message body.

hostname¶: str – hostname of the reporter.

pid¶: str – process identifier of the reporter.

reporter¶: str – reporter.

severity¶: str – severity.

DATA_TYPE = 'syslog:line'¶

class plaso.parsers.syslog.SyslogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parses syslog formatted log files

DESCRIPTION = 'Syslog Parser'¶

EnablePlugins(plugin_includes)[source]¶

Enables parser plugins.

Parameters:	plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.

LINE_STRUCTURES = [('syslog_line', {{{{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_line', {{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}), ('syslog_comment', {{{{{{{{{{{{W:(ABCD...,abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd}), ('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd})]¶

NAME = 'syslog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a matching entry.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – elements parsed from the file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies that this is a syslog-formatted file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.systemd_journal module¶

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData[source]¶

Bases: plaso.containers.events.EventData

Systemd journal event data.

body¶: str – message body.

hostname¶: str – hostname.

pid¶: int – process identifier (PID).

reporter¶: str – reporter.

DATA_TYPE = 'systemd:journal'¶

class plaso.parsers.systemd_journal.SystemdJournalParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parses Systemd Journal files.

DESCRIPTION = 'Parser for Systemd Journal files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'systemd_journal'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Systemd journal file-like object.

Parameters:	parser_mediator (ParserMediator) – parser mediator. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the header cannot be parsed.

plaso.parsers.text_parser module¶

This file contains a class to provide a parsing framework to plaso.

This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.

plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)[source]¶

Pyparsing parse action callback to convert a token into an integer value.

Parameters:	string (str) – original string. location (int) – location in the string where the token was found. tokens (list[str]) – tokens.
Returns:	integer value or None.
Return type:	int

class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)[source]¶

Bases: object

Encoded text reader.

ReadLine(file_object)[source]¶

Reads a line.

Parameters:	file_object (dfvfs.FileIO) – file-like object.
Returns:	line read from the lines buffer.
Return type:	str

ReadLines(file_object)[source]¶

Reads lines into the lines buffer.

Parameters:	file_object (dfvfs.FileIO) – file-like object.

Reset()[source]¶: Resets the encoded text reader.

SkipAhead(file_object, number_of_characters)[source]¶

Skips ahead a number of characters.

Parameters:	file_object (dfvfs.FileIO) – file-like object. number_of_characters (int) – number of characters.

plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)[source]¶

Return an integer from a string.

This is a pyparsing callback method that converts the matched string into an integer.

The method modifies the content of the tokens list and converts them all to an integer value.

Parameters:	string (str) – original string. location (int) – location in the string where the match was made. tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseJoinList(string, location, tokens)[source]¶

Return a joined token from a list of tokens.

This is a callback method for pyparsing setParseAction that modifies the returned token list to join all the elements in the list to a single token.

Parameters:	string (str) – original string. location (int) – location in the string where the match was made. tokens (list[str]) – extracted tokens, where the string to be converted is stored.

plaso.parsers.text_parser.PyParseRangeCheck(lower_bound, upper_bound)[source]¶

Verify that a number is within a defined range.

This is a callback method for pyparsing setParseAction that verifies that a read number is within a certain range.

To use this method it needs to be defined as a callback method in setParseAction with the upper and lower bound set as parameters.

Parameters:	lower_bound (int) – lower bound of the range. upper_bound (int) – upper bound of the range.
Returns:	callback method that can be used by pyparsing setParseAction.
Return type:	Function

class plaso.parsers.text_parser.PyparsingConstants[source]¶

Bases: object

Constants for pyparsing-based parsers.

COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}¶

DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})¶

DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}¶

DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})¶

DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})¶

FOUR_DIGITS = W:(0123...)¶

HYPHEN = Suppress:("-")¶

INTEGER = W:(0123...)¶

IPV4_ADDRESS = {W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}}¶

IPV4_OCTET = W:(0123...)¶

IPV6_ADDRESS = W:(:012...)¶

IP_ADDRESS = {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}¶

MONTH = W:(ABCD...,abcd...)¶

ONE_OR_TWO_DIGITS = W:(0123...)¶

PID = W:(0123...)¶

THREE_DIGITS = W:(0123...)¶

THREE_LETTERS = W:(ABCD...)¶

TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})¶

TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}¶

TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}¶

TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}¶

TWO_DIGITS = W:(0123...)¶

class plaso.parsers.text_parser.PyparsingMultiLineTextParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Multi line text parser interface based on pyparsing.

BUFFER_SIZE = 2048¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – tokens from a parsed log line.
Returns:	event or None.
Return type:	EventObject

VerifyStructure(parser_mediator, lines)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

class plaso.parsers.text_parser.PyparsingSingleLineTextParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Single line text parser interface based on pyparsing.

LINE_STRUCTURES = []¶

MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20¶

MAX_LINE_LENGTH = 400¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a text file-like object using a pyparsing definition.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – tokens from a parsed log line.

VerifyStructure(parser_mediator, line)[source]¶

Verify the structure of the file and return boolean based on that check.

This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – single line from the text file.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

plaso.parsers.trendmicroav module¶

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering).

Currently only the first log is supported.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Virus Detection Log.

COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']¶

DESCRIPTION = 'Parser for Trend Micro Office Scan Virus Detection log files.'¶

MIN_COLUMNS = 8¶

NAME = 'trendmicro_vd'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – line number of the row. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

Parses the Trend Micro Office Scan Web Reputation detection log.

COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')¶

DESCRIPTION = 'Parser for Trend Micro Office Web Reputation log files.'¶

MIN_COLUMNS = 12¶

NAME = 'trendmicro_url'¶

ParseRow(parser_mediator, row_offset, row)[source]¶

Parses a line of the log file and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row_offset (int) – line number of the row. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

VerifyRow(parser_mediator, row)[source]¶

Verifies if a line of the file is in the expected format.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
Returns:	True if this is the correct parser, False otherwise.
Return type:	bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro AV Log event data.

action¶: str – action.

filename¶: str – filename.

path¶: str – path.

scan_type¶: str – scan_type.

threat¶: str – threat.

DATA_TYPE = 'av:trendmicro:scan'¶

class plaso.parsers.trendmicroav.TrendMicroBaseParser(encoding='cp1252')[source]¶

Bases: plaso.parsers.dsv_parser.DSVParser

Common code for parsing Trend Micro log files.

The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

COLUMNS = ()¶

DELIMITER = '<;>'¶

MIN_COLUMNS = None¶

class plaso.parsers.trendmicroav.TrendMicroUrlEventData[source]¶

Bases: plaso.containers.events.EventData

Trend Micro Web Reputation Log event data.

block_mode¶: str – operation mode.

url¶: str – accessed URL.

group_code¶: str – group code.

group_name¶: str – group name.

credibility_rating¶: int – credibility rating.

credibility_score¶: int – credibility score.

policy_identifier¶: int – policy identifier.

application_name¶: str – application name.

ip¶: str – IP address.

threshold¶: int – threshold value.

DATA_TYPE = 'av:trendmicro:webrep'¶

plaso.parsers.utmp module¶

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData[source]¶

Bases: plaso.containers.events.EventData

utmp event data.

exit_status¶: int – exit status.

hostname¶: str – hostname or IP address.

ip_address¶: str – IP address from the connection.

pid¶: int – process identifier (PID).

terminal_identifier¶: int – inittab identifier.

terminal¶: str – type of terminal.

type¶: int – type of login.

username¶: str – user name.

DATA_TYPE = 'linux:utmp:event'¶

class plaso.parsers.utmp.UtmpParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Linux libc6 utmp files.

DESCRIPTION = 'Parser for Linux libc6 utmp files.'¶

NAME = 'utmp'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an utmp file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.utmpx module¶

Parser for utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData[source]¶

Bases: plaso.containers.events.EventData

MacOS utmpx event data.

hostname¶: str – hostname or IP address.

pid¶: int – process identifier (PID).

terminal¶: str – name of the terminal.

terminal_identifier¶: int – inittab identifier.

type¶: int – type of login.

username¶: str – user name.

DATA_TYPE = 'mac:utmpx:event'¶

class plaso.parsers.utmpx.UtmpxParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parser for Mac OS X 10.5 utmpx files.

DESCRIPTION = 'Parser for Mac OS X 10.5 utmpx files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'utmpx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses an UTMPX file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.winevt module¶

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows EventLog (EVT) files.

DESCRIPTION = 'Parser for Windows EventLog (EVT) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'winevt'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows EventLog (EVT) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows EventLog (EVT) record event data.

computer_name¶: str – computer name stored in the event record.

event_category¶: int – event category.

event_identifier¶: int – event identifier.

event_type¶: int – event type.

facility¶: int – event facility.

message_identifier¶: int – event message identifier.

record_number¶: int – event record number.

recovered¶: bool – True if the record was recovered.

severity¶: int – event severity.

source_name¶: str – name of the event source.

strings¶: list[str] – event strings.

user_sid¶: str – user security identifier (SID) stored in the event record.

DATA_TYPE = 'windows:evt:record'¶

plaso.parsers.winevtx module¶

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows XML EventLog (EVTX) files.

DESCRIPTION = 'Parser for Windows XML EventLog (EVTX) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'winevtx'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows XML EventLog (EVTX) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.

class Rule(index, name)¶

Bases: tuple

__getnewargs__()¶: Return self as a plain tuple. Used by copy and pickle.

static __new__(index, name)¶: Create new instance of Rule(index, name)

__repr__()¶: Return a nicely formatted representation string

index¶: Alias for field number 0

name¶: Alias for field number 1

class plaso.parsers.winevtx.WinEvtxRecordEventData[source]¶

Bases: plaso.containers.events.EventData

Windows XML EventLog (EVTX) record event data.

computer_name¶: str – computer name stored in the event record.

event_identifier¶: int – event identifier.

event_level¶: int – event level.

message_identifier¶: int – event message identifier.

record_number¶: int – event record number.

recovered¶: bool – True if the record was recovered.

source_name¶: str – name of the event source.

strings¶: list[str] – event strings.

strings_parsed¶: [dict] – parsed information from event strings.

user_sid¶: str – user security identifier (SID) stored in the event record.

xml_string¶: str – XML representation of the event.

DATA_TYPE = 'windows:evtx:record'¶

plaso.parsers.winfirewall module¶

Parser for Windows Firewall Log file.

class plaso.parsers.winfirewall.WinFirewallEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Firewall event data.

action¶: str – action taken.

protocol¶: str – IP protocol.

source_ip¶: str – source IP address.

dest_ip¶: str – destination IP address.

source_port¶: int – TCP or UDP source port.

dest_port¶: int – TCP or UDP destination port.

size¶: int – size of ???

flags¶: str – TCP flags.

tcp_seq¶: int – TCP sequence number.

tcp_ack¶: int – TCP ACK ???

tcp_win¶: int – TCP window size ???

icmp_type¶: int – ICMP type.

icmp_code¶: int – ICMP code.

info¶: str – ???

path¶: str – ???

DATA_TYPE = 'windows:firewall:log_entry'¶

class plaso.parsers.winfirewall.WinFirewallParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses the Windows Firewall Log file.

DESCRIPTION = 'Parser for Windows Firewall Log files.'¶

LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | Suppress:("-")}} {{{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]¶

NAME = 'winfirewall'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a firewall log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.winjob module¶

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Scheduled Task event data.

application¶: str – path to job executable.

description¶: str – description of the scheduled task.

parameters¶: str – application command line parameters.

trigger_type¶: int – trigger type.

username¶: str – username that scheduled the task.

working_directory¶: str – working directory of the scheduled task.

DATA_TYPE = 'windows:tasks:job'¶

class plaso.parsers.winjob.WinJobParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

Parse Windows Scheduled Task files for job events.

DESCRIPTION = 'Parser for Windows Scheduled Task job (or At-job) files.'¶

NAME = 'winjob'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows job file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – a file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.winlnk module¶

Parser for Windows Shortcut (LNK) files.

class plaso.parsers.winlnk.WinLnkLinkEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Shortcut (LNK) link event data.

birth_droid_file_identifier¶: str – distributed link tracking brith droid file identifier.

birth_droid_volume_identifier¶: str – distributed link tracking brith droid volume identifier.

command_line_arguments¶: str – command line arguments.

description¶: str – description of the linked item.

drive_serial_number¶: int – drive serial number where the linked item resides.

drive_type¶: str – drive type where the linked item resided.

droid_file_identifier¶: str – distributed link tracking droid file identifier.

droid_volume_identifier¶: str – distributed link tracking droid volume identifier.

env_var_location¶: str – evironment variables loction.

file_attribute_flags¶: int – file attribute flags of the linked item.

file_size¶: int – size of the linked item.

icon_location¶: str – icon location.

link_target¶: str – shell item list of the link target.

local_path¶: str – local path of the linked item.

network_path¶: str – local path of the linked item.

relative_path¶: str – relative path.

volume_label¶: str – volume label where the linked item resided.

working_directory¶: str – working directory.

DATA_TYPE = 'windows:lnk:link'¶

class plaso.parsers.winlnk.WinLnkParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows Shortcut (LNK) files.

DESCRIPTION = 'Parser for Windows Shortcut (LNK) files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'lnk'¶

ParseFileLNKFile(parser_mediator, file_object, display_name)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object. display_name (str) – display name.

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Shortcut (LNK) file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winprefetch module¶

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Prefetch event data.

executable¶: str – executable filename.

format_version¶: int – format version.

mapped_files¶: list[str] – mapped filenames.

number_of_volumes¶: int – number of volumes.

path¶: str – path to the executable.

prefetch_hash¶: int – prefetch hash.

run_count¶: int – run count.

volume_device_paths¶: list[str] – volume device paths.

volume_serial_numbers¶: list[int] – volume serial numbers.

DATA_TYPE = 'windows:prefetch:execution'¶

class plaso.parsers.winprefetch.WinPrefetchParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

A parser for Windows Prefetch files.

DESCRIPTION = 'Parser for Windows Prefetch files.'¶

classmethod GetFormatSpecification()[source]¶

Retrieves the format specification.

Returns:	format specification.
Return type:	FormatSpecification

NAME = 'prefetch'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Prefetch file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winreg module¶

Parser for Windows NT Registry (REGF) files.

class plaso.parsers.winreg.WinRegistryParser[source]¶

Bases: plaso.parsers.interface.FileObjectParser

Parses Windows NT Registry (REGF) files.

DESCRIPTION = 'Parser for Windows NT Registry (REGF) files.'¶

classmethod GetFormatSpecification()[source]¶: Retrieves the format specification.

NAME = 'winreg'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Registry file-like object.

Parameters:	parser_mediator (ParserMediator) – parser mediator. file_object (dfvfs.FileIO) – a file-like object.

plaso.parsers.winrestore module¶

Parser for Windows Restore Point (rp.log) files.

class plaso.parsers.winrestore.RestorePointEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Restore Point event data.

description¶: str – description.

restore_point_event_type¶: str – restore point event type.

restore_point_type¶: str – restore point type.

sequence_number¶: str – sequence number.

DATA_TYPE = 'windows:restore_point:info'¶

class plaso.parsers.winrestore.RestorePointLogParser[source]¶

Bases: plaso.parsers.dtfabric_parser.DtFabricBaseParser

A parser for Windows Restore Point (rp.log) files.

DESCRIPTION = 'Parser for Windows Restore Point (rp.log) files.'¶

FILTERS = frozenset({<plaso.parsers.interface.FileNameFileEntryFilter object>})¶

NAME = 'rplog'¶

ParseFileObject(parser_mediator, file_object)[source]¶

Parses a Windows Restore Point (rp.log) log file-like object.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO) – file-like object.
Raises:	`UnableToParseFile` – when the file cannot be parsed.

plaso.parsers.xchatlog module¶

This file contains XChat log file parser in plaso.

Information updated 24 July 2013.

The parser applies to XChat log files. Despite their apparent simplicity it’s not straightforward to manage every possible case. XChat tool allows users to specify how timestamp will be encoded (using the strftime function), by letting them to specify additional separators. This parser will accept only the simplest default English form of an XChat log file, as the following:

**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:55 Topic for #gugle set by Kristinn
dec 31 21:11:55 --- Joachim gives voice to fpi
dec 31 21:11:55 *   XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!

It could be managed the missing month/day case too, by extracting the month/day information from the header. But the parser logic would become intricate, since it would need to manage day transition, chat lines crossing the midnight. From there derives the last day of the year bug, since the parser will not manage that transition.

Moreover the strftime is locale-dependant, so month names, footer and headers can change, even inside the same log file. Being said that, the following will be the main logic used to parse the log files (note that the first header must be ‘**** BEGIN …’ otherwise file will be skipped).

1) Check for ‘****’ 1.1) If ‘BEGIN LOGGING AT’ (English) 1.1.1) Extract the YEAR 1.1.2) Generate new event start logging 1.1.3) set parsing = True 1.2) If ‘END LOGGING’ 1.2.1) If parsing, set parsing=False 1.2.2) If not parsing, log debug 1.2.3) Generate new event end logging 1.3) If not BEGIN|END we are facing a different language and we don’t now which language! If parsing is True, set parsing=False and log debug 2) Not ‘****’ so we are parsing a line 2.1) If parsing = True, try to parse line and generate event 2.2) If parsing = False, skip until next good header is found

References http://xchat.org

class plaso.parsers.xchatlog.XChatLogEventData[source]¶

Bases: plaso.containers.events.EventData

XChat Log event data.

nickname¶: str – nickname.

text¶: str – text sent by nickname or other text (server, messages, etc.).

DATA_TYPE = 'xchat:log:line'¶

class plaso.parsers.xchatlog.XChatLogParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parse XChat log files.

DESCRIPTION = 'Parser for XChat log files.'¶

LINE_STRUCTURES = [('logline', {{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) [quoted string, starting with < ending with >]} SkipTo:(lineEnd)}), ('header', {{Suppress:("****") Group:({{W:(0123...) W:(0123...)} W:(0123...)})} Group:({{{{Group:({{{{{{"Sun" | "Mon"} | "Tue"} | "Wed"} | "Thu"} | "Fri"} | "Sat"}) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} W:(0123...)})}), ('header_signature', "****")]¶

NAME = 'xchatlog'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure and produces events.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – identifier of the structure of tokens. structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a XChat log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line is in the expected format, False if not.
Return type:	bool

plaso.parsers.xchatscrollback module¶

This file contains XChat scrollback log file parser in plaso.

Information updated 06 September 2013.

Besides the logging capability, the XChat IRC client has the option to record the text for opened tabs. So, when rejoining a particular channel and/or a particular conversation, XChat will display the last messages exchanged. This artifact could be present, if not disabled, even if normal logging is disabled.

From the XChat FAQ (http://xchatdata.net/Using/FAQ):

Q: ‘How do I keep text from previous sessions from being displayed when I join a channel?’ R: ‘Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback’

The log file format differs from logging format, but it’s quite simple ‘T 1232315916 Python interface unloaded’ <T><space><decimal timestamp><space><text>< >

The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from source code, time(0)). The <text> part could contain some ‘decorators’ (bold, underline, colors indication, etc.), so the parser should strip those control fields.

References http://xchat.org

class plaso.parsers.xchatscrollback.XChatScrollbackEventData[source]¶

Bases: plaso.containers.events.EventData

XChat Scrollback line event data.

nickname¶: str – nickname.

text¶: str – text sent by nickname service messages.

DATA_TYPE = 'xchat:scrollback:line'¶

class plaso.parsers.xchatscrollback.XChatScrollbackParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

Parses XChat scrollback log files.

DESCRIPTION = 'Parser for XChat scrollback log files.'¶

LINE_STRUCTURES = [('logline', {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)})]¶

LOG_LINE = {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)}¶

MSG_ENTRY = {[{{"<" SkipTo:(">")} ">"}] SkipTo:(LineEnd)}¶

MSG_ENTRY_NICK = [{{"<" SkipTo:(">")} ">"}]¶

MSG_ENTRY_TEXT = SkipTo:(LineEnd)¶

MSG_NICK = SkipTo:(">")¶

MSG_NICK_END = ">"¶

MSG_NICK_START = "<"¶

NAME = 'xchatscrollback'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a log record structure.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure parsed from the log file.

STRIPPER = {Suppress:(W:(,0123...)) | Suppress:(W:(...))}¶

VerifyStructure(parser_mediator, line)[source]¶

Verify that this file is a XChat scrollback log file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. line (str) – line from a text file.
Returns:	True if the line was successfully parsed.
Return type:	bool

plaso.parsers.zsh_extended_history module¶

Parser for Zsh extended_history files.

The file format is described here: http://zsh.sourceforge.net/Doc/Release/Options.html#index-EXTENDEDHISTORY

class plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser[source]¶

Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

Parser for Zsh extended_history files

DESCRIPTION = 'Parser for ZSH extended history files'¶

LINE_STRUCTURES = [('command', {{{{{{":" W:(0123...)} ":"} W:(0123...)} ";"} Re:('.+?(?=($|\\n:\\s\\d+:\\d+;))')} LineEnd})]¶

NAME = 'zsh_extended_history'¶

ParseRecord(parser_mediator, key, structure)[source]¶

Parses a record and produces a Zsh history event.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. key (str) – name of the parsed structure. structure (pyparsing.ParseResults) – structure parsed from the log file.
Raises:	`ParseError` – when the structure type is unknown.

VerifyStructure(parser_mediator, lines)[source]¶

Verifies whether content corresponds to a Zsh extended_history file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. lines (str) – one or more lines from the text file.
Returns:	True if the line was successfully parsed.
Return type:	bool

class plaso.parsers.zsh_extended_history.ZshHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

Zsh history event data.

command¶: str – command that was run.

elapsed_seconds¶: int – number of seconds that the command took to execute.

DATA_TYPE = 'shell:zsh:history'¶

Module contents¶

This file imports Python modules that register parsers.