plaso.parsers.olecf_plugins package¶

Submodules¶

plaso.parsers.olecf_plugins.automatic_destinations module¶

Plugin to parse .automaticDestinations-ms OLECF files.

class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData[source]¶

Bases: plaso.containers.events.EventData

.automaticDestinations-ms DestList entry event data.

birth_droid_file_identifier¶: str – birth droid file identifier.

birth_droid_volume_identifier¶: str – birth droid volume identifier.

droid_file_identifier¶: str – droid file identifier.

droid_volume_identifier¶: str – droid volume identifier.

entry_number¶: int – DestList entry number.

path¶: str – path.

pin_status¶: int – pin status.

offset¶: int – offset of the DestList entry relative to the start of the DestList stream.

DATA_TYPE = 'olecf:dest_list:entry'¶

class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin[source]¶

Bases: plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin

Plugin that parses an .automaticDestinations-ms OLECF file.

DESCRIPTION = 'Parser for *.automaticDestinations-ms OLECF files.'¶

NAME = 'olecf_automatic_destinations'¶

ParseDestList(parser_mediator, olecf_item)[source]¶

Parses the DestList OLECF item.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. olecf_item (pyolecf.item) – OLECF item.
Raises:	`UnableToParseFile` – if the DestList cannot be parsed.

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses an OLECF file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:	`ValueError` – If the root_item is not set.

REQUIRED_ITEMS = frozenset({'DestList'})¶

plaso.parsers.olecf_plugins.default module¶

The default plugin for parsing OLE Compound Files (OLECF).

class plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin[source]¶

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Class to define the default OLECF file plugin.

DESCRIPTION = 'Parser for a generic OLECF item.'¶

NAME = 'olecf_default'¶

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses an OLECF file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:	`ValueError` – If the root item is not set.

class plaso.parsers.olecf_plugins.default.OLECFItemEventData[source]¶

Bases: plaso.containers.events.EventData

OLECF item event data.

name¶: str – name of the OLE Compound File item.

size¶: int – data size of the OLE Compound File item.

DATA_TYPE = 'olecf:item'¶

plaso.parsers.olecf_plugins.dtfabric_plugin module¶

Shared functionality for dtFabric-based data format OLE CF plugins.

class plaso.parsers.olecf_plugins.dtfabric_plugin.DtFabricBaseOLECFPlugin[source]¶

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Shared functionality for dtFabric-based data format OLE CF plugins.

A dtFabric-based data format Windows Registry parser plugin defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size¶: 4

units¶: bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

name: y data_type: int32
name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses an OLECF file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.

plaso.parsers.olecf_plugins.interface module¶

This file contains the necessary interface for OLECF plugins.

class plaso.parsers.olecf_plugins.interface.OLECFPlugin[source]¶

Bases: plaso.parsers.plugins.BasePlugin

The OLECF parser plugin interface.

NAME = 'olecf'¶

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses an OLECF file.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.

REQUIRED_ITEMS = frozenset()¶

plaso.parsers.olecf_plugins.summary module¶

Plugin to parse the OLECF summary/document summary information items.

class plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin[source]¶

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Plugin that parses DocumentSummaryInformation item from an OLECF file.

DESCRIPTION = 'Parser for a DocumentSummaryInformation OLECF stream.'¶

NAME = 'olecf_document_summary'¶

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses a document summary information OLECF item.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:	`ValueError` – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05DocumentSummaryInformation'})¶

class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformation(olecf_item)[source]¶

Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream

OLECF Document Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformationEvent(date_time, date_time_description)[source]¶

Bases: plaso.containers.time_events.DateTimeValuesEvent

Convenience class for an OLECF Document summary information event.

name¶: str – name of the OLECF item.

DATA_TYPE = 'olecf:document_summary_info'¶

class plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream(olecf_item)[source]¶

Bases: object

OLECF property set stream.

date_time_properties¶: dict[str, dfdatetime.DateTimeValues] – date and time properties and values.

GetEventData(data_type)[source]¶

Retrieves the properties as event data.

Parameters:	data_type (str) – event data type.
Returns:	event data.
Return type:	EventData

class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformation(olecf_item)[source]¶

Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream

OLECF Summary information property set.

class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformationEvent(date_time, date_time_description)[source]¶

Bases: plaso.containers.time_events.DateTimeValuesEvent

Convenience class for an OLECF Summary information event.

name¶: str – name of the OLECF item.

DATA_TYPE = 'olecf:summary_info'¶

class plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin[source]¶

Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin

Plugin that parses the SummaryInformation item from an OLECF file.

DESCRIPTION = 'Parser for a SummaryInformation OLECF stream.'¶

NAME = 'olecf_summary'¶

Process(parser_mediator, root_item=None, **kwargs)[source]¶

Parses a summary information OLECF item.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. root_item (Optional[pyolecf.item]) – root item of the OLECF file.
Raises:	`ValueError` – If the root item is not set.

REQUIRED_ITEMS = frozenset({'\x05SummaryInformation'})¶

Module contents¶

This file contains an import statement for each OLECF plugin.