plaso.formatters package

Submodules

plaso.formatters.amcache module

The Windows Registry Amcache entries event formatter.

class plaso.formatters.amcache.AmcacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Windows Registry event.

DATA_TYPE = u'windows:registry:amcache'

FORMAT_STRING_PIECES = [u'path: {full_path}', u'sha1: {sha1}', u'productname: {productname}', u'companyname: {companyname}', u'fileversion: {fileversion}', u'languagecode: {languagecode}', u'filesize: {filesize}', u'filedescription: {filedescription}', u'linkerts: {linkerts}', u'lastmodifiedts: {lastmodifiedts}', u'createdts: {createdts}', u'programid: {programid}']

FORMAT_STRING_SHORT_PIECES = [u'path: {full_path}']

SOURCE_LONG = u'Amcache Registry Entry'

SOURCE_SHORT = u'AMCACHE'

class plaso.formatters.amcache.AmcacheProgramsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Amcache Programs Windows Registry event.

DATA_TYPE = u'windows:registry:amcache:programs'

FORMAT_STRING_PIECES = [u'name: {name}', u'version: {version}', u'publisher: {publisher}', u'languagecode: {languagecode}', u'entrytype: {entrytype}', u'uninstallkey: {uninstallkey}', u'filepaths: {filepaths}', u'productcode: {productcode}', u'packagecode: {packagecode}', u'msiproductcode: {msiproductcode}', u'msipackagecode: {msipackagecode}', u'files: {files}']

FORMAT_STRING_SHORT_PIECES = [u'name: {name}']

SOURCE_LONG = u'Amcache Programs Registry Entry'

SOURCE_SHORT = u'AMCACHEPROGRAM'

plaso.formatters.android_app_usage module

The Android Application Usage event formatter.

class plaso.formatters.android_app_usage.AndroidApplicationFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Application Last Resumed event.

DATA_TYPE = u'android:event:last_resume_time'

FORMAT_STRING_PIECES = [u'Package: {package}', u'Component: {component}']

SOURCE_LONG = u'Android App Usage'

SOURCE_SHORT = u'LOG'

plaso.formatters.android_calls module

The Android contacts2.db database event formatter.

class plaso.formatters.android_calls.AndroidCallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android call history event.

DATA_TYPE = u'android:event:call'

FORMAT_STRING_PIECES = [u'{call_type}', u'Number: {number}', u'Name: {name}', u'Duration: {duration} seconds']

FORMAT_STRING_SHORT_PIECES = [u'{call_type} Call']

SOURCE_LONG = u'Android Call History'

SOURCE_SHORT = u'LOG'

plaso.formatters.android_sms module

The Android mmssms.db database event formatter.

class plaso.formatters.android_sms.AndroidSmsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Android SMS event.

DATA_TYPE = u'android:messaging:sms'

FORMAT_STRING_PIECES = [u'Type: {sms_type}', u'Address: {address}', u'Status: {sms_read}', u'Message: {body}']

FORMAT_STRING_SHORT_PIECES = [u'{body}']

SOURCE_LONG = u'Android SMS messages'

SOURCE_SHORT = u'SMS'

plaso.formatters.android_webview module

The Android WebView database event formatter.

class plaso.formatters.android_webview.AndroidWebViewCookieEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebView Cookie event data.

DATA_TYPE = u'webview:cookie'

FORMAT_STRING_PIECES = [u'Domain: {domain}', u'Path: {path}', u'Cookie name: {name}', u'Value: {value}', u'Secure: {secure}']

FORMAT_STRING_SHORT_PIECES = [u'{domain}', u'{name}', u'{value}']

SOURCE_LONG = u'Android WebView'

SOURCE_SHORT = u'WebView'

plaso.formatters.android_webviewcache module

The Android WebViewCache database event formatter.

class plaso.formatters.android_webviewcache.AndroidWebViewCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Android WebViewCache event data.

DATA_TYPE = u'android:webviewcache'

FORMAT_STRING_PIECES = [u'URL: {url}', u'Content Length: {content_length}']

FORMAT_STRING_SHORT_PIECES = [u'{url}']

SOURCE_LONG = u'Android WebViewCache'

SOURCE_SHORT = u'WebViewCache'

plaso.formatters.appcompatcache module

The Windows Registry AppCompatCache entries event formatter.

class plaso.formatters.appcompatcache.AppCompatCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an AppCompatCache Windows Registry event.

DATA_TYPE = u'windows:registry:appcompatcache'

FORMAT_STRING_PIECES = [u'[{key_path}]', u'Cached entry: {entry_index}', u'Path: {path}']

FORMAT_STRING_SHORT_PIECES = [u'Path: {path}']

SOURCE_LONG = u'AppCompatCache Registry Entry'

SOURCE_SHORT = u'REG'

plaso.formatters.appusage module

The MacOS application usage event formatter.

class plaso.formatters.appusage.ApplicationUsageFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a MacOS Application usage event.

DATA_TYPE = u'macosx:application_usage'

FORMAT_STRING = u'{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'

FORMAT_STRING_SHORT = u'{application} ({count} time(s))'

SOURCE_LONG = u'Application Usage'

SOURCE_SHORT = u'LOG'

plaso.formatters.asl module

The Apple System Log (ASL) event formatter.

class plaso.formatters.asl.ASLFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Apple System Log (ASL) log event.

DATA_TYPE = u'mac:asl:event'

FORMAT_STRING_PIECES = [u'MessageID: {message_id}', u'Level: {level}', u'User ID: {user_sid}', u'Group ID: {group_id}', u'Read User: {read_uid}', u'Read Group: {read_gid}', u'Host: {computer_name}', u'Sender: {sender}', u'Facility: {facility}', u'Message: {message}', u'{extra_information}']

FORMAT_STRING_SHORT_PIECES = [u'Host: {host}', u'Sender: {sender}', u'Facility: {facility}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'ASL entry'

SOURCE_SHORT = u'LOG'

plaso.formatters.bash_history module

The Bash history event formatter.

class plaso.formatters.bash_history.BashHistoryEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for Bash history events.

DATA_TYPE = u'bash:history:command'

FORMAT_STRING = u'Command executed: {command}'

FORMAT_STRING_SHORT = u'{command}'

SOURCE_LONG = u'Bash History'

SOURCE_SHORT = u'LOG'

plaso.formatters.bencode_parser module

The bencode parser event formatters.

class plaso.formatters.bencode_parser.TransmissionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Transmission active torrents event.

DATA_TYPE = u'p2p:bittorrent:transmission'

FORMAT_STRING_PIECES = [u'Saved to {destination}', u'Minutes seeded: {seedtime}']

FORMAT_STRING_SEPARATOR = u'; '

SOURCE_LONG = u'Transmission Active Torrents'

SOURCE_SHORT = u'TORRENT'

class plaso.formatters.bencode_parser.UTorrentEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BitTorrent uTorrent active torrents event.

DATA_TYPE = u'p2p:bittorrent:utorrent'

FORMAT_STRING_PIECES = [u'Torrent {caption}', u'Saved to {path}', u'Minutes seeded: {seedtime}']

FORMAT_STRING_SEPARATOR = u'; '

SOURCE_LONG = u'uTorrent Active Torrents'

SOURCE_SHORT = u'TORRENT'

plaso.formatters.bsm module

The Basic Security Module (BSM) binary files event formatter.

class plaso.formatters.bsm.BSMFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a BSM log entry.

DATA_TYPE = u'bsm:event'

FORMAT_STRING_PIECES = [u'Type: {event_type}', u'Return: {return_value}', u'Information: {extra_tokens}']

FORMAT_STRING_SHORT_PIECES = [u'Type: {event_type}', u'Return: {return_value}']

SOURCE_LONG = u'BSM entry'

SOURCE_SHORT = u'LOG'

plaso.formatters.ccleaner module

The CCleaner event formatter.

class plaso.formatters.ccleaner.CCleanerUpdateEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CCleaner update event.

DATA_TYPE = u'ccleaner:update'

FORMAT_STRING_PIECES = [u'Origin: {key_path}']

FORMAT_STRING_SHORT_PIECES = [u'Origin: {key_path}']

SOURCE_LONG = u'System'

SOURCE_SHORT = u'LOG'

plaso.formatters.chrome module

The Google Chrome history event formatters.

class plaso.formatters.chrome.ChromeFileDownloadFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome file download event.

DATA_TYPE = u'chrome:history:file_downloaded'

FORMAT_STRING_PIECES = [u'{url}', u'({full_path}).', u'Received: {received_bytes} bytes', u'out of: {total_bytes} bytes.']

FORMAT_STRING_SHORT_PIECES = [u'{full_path} downloaded', u'({received_bytes} bytes)']

SOURCE_LONG = u'Chrome History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.chrome.ChromePageVisitedFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome page visited event.

DATA_TYPE = u'chrome:history:page_visited'

FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[count: {typed_count}]', u'Visit from: {from_visit}', u'Visit Source: [{visit_source}]', u'Type: [{page_transition}]', u'{extra}']

FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({title})']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Chrome History'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_cache module

The Google Chrome Cache files event formatter.

class plaso.formatters.chrome_cache.ChromeCacheEntryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome Cache entry event.

DATA_TYPE = u'chrome:cache:entry'

FORMAT_STRING_PIECES = [u'Original URL: {original_url}']

SOURCE_LONG = u'Chrome Cache'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_cookies module

The Google Chrome cookies database event formatter.

class plaso.formatters.chrome_cookies.ChromeCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome cookie event.

DATA_TYPE = u'chrome:cookie:entry'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Flags:', u'[HTTP only] = {httponly}', u'[Persistent] = {persistent}']

FORMAT_STRING_SHORT_PIECES = [u'{host}', u'({cookie_name})']

SOURCE_LONG = u'Chrome Cookies'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_extension_activity module

The Google Chrome extension activity database event formatter.

class plaso.formatters.chrome_extension_activity.ChromeExtensionActivityEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension activity event.

DATA_TYPE = u'chrome:extension_activity:activity_log'

FORMAT_STRING_PIECES = [u'Chrome extension: {extension_id}', u'Action type: {action_type}', u'Activity identifier: {activity_id}', u'Page URL: {page_url}', u'Page title: {page_title}', u'API name: {api_name}', u'Args: {args}', u'Other: {other}']

FORMAT_STRING_SHORT_PIECES = [u'{extension_id}', u'{api_name}', u'{args}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Chrome Extension Activity'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.chrome_preferences module

The Google Chrome Preferences file event formatter.

class plaso.formatters.chrome_preferences.ChromeContentSettingsExceptionsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome content_settings exceptions event.

DATA_TYPE = u'chrome:preferences:content_settings:exceptions'

FORMAT_STRING_PIECES = [u'Permission {permission}', u'used by {subject}']

FORMAT_STRING_SHORT_PIECES = [u'Permission {permission}', u'used by {subject}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Chrome Permission Event'

SOURCE_SHORT = u'LOG'

class plaso.formatters.chrome_preferences.ChromeExtensionInstallationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Chrome extension installation event.

DATA_TYPE = u'chrome:preferences:extension_installation'

FORMAT_STRING_PIECES = [u'CRX ID: {extension_id}', u'CRX Name: {extension_name}', u'Path: {path}']

FORMAT_STRING_SHORT_PIECES = [u'{extension_id}', u'{path}']

SOURCE_LONG = u'Chrome Extension Installation'

SOURCE_SHORT = u'LOG'

class plaso.formatters.chrome_preferences.ChromeExtensionsAutoupdaterEvent

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome Extensions Autoupdater events.

DATA_TYPE = u'chrome:preferences:extensions_autoupdater'

FORMAT_STRING_PIECES = [u'{message}']

FORMAT_STRING_SHORT_PIECES = [u'{message}']

SOURCE_LONG = u'Chrome Extensions Autoupdater'

SOURCE_SHORT = u'LOG'

class plaso.formatters.chrome_preferences.ChromePreferencesClearHistoryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for Chrome history clearing events.

DATA_TYPE = u'chrome:preferences:clear_history'

FORMAT_STRING_PIECES = [u'{message}']

FORMAT_STRING_SHORT_PIECES = [u'{message}']

SOURCE_LONG = u'Chrome History Deletion'

SOURCE_SHORT = u'LOG'

plaso.formatters.cron module

The syslog cron formatters.

class plaso.formatters.cron.CronTaskRunEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog cron task run event.

DATA_TYPE = u'syslog:cron:task_run'

FORMAT_STRING_PIECES = [u'Cron ran: {command}', u'for user: {username}', u'pid: {pid}']

FORMAT_STRING_SEPARATOR = u' '

FORMAT_STRING_SHORT = u'{body}'

SOURCE_LONG = u'Cron log'

SOURCE_SHORT = u'LOG'

plaso.formatters.cups_ipp module

The CUPS IPP file event formatter.

class plaso.formatters.cups_ipp.CupsIppFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a CUPS IPP event.

DATA_TYPE = u'cups:ipp:event'

FORMAT_STRING_PIECES = [u'Status: {status}', u'User: {user}', u'Owner: {owner}', u'Job Name: {job_name}', u'Application: {application}', u'Document type: {type_doc}', u'Printer: {printer_id}']

FORMAT_STRING_SHORT_PIECES = [u'Status: {status}', u'Job Name: {job_name}']

SOURCE_LONG = u'CUPS IPP Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for events that do not have any defined formatter.

DATA_TYPE = u'event'

FORMAT_STRING = u'<WARNING DEFAULT FORMATTER> Attributes: {attribute_driven}'

FORMAT_STRING_SHORT = u'<DEFAULT> {attribute_driven}'

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

plaso.formatters.docker module

The Docker event formatter.

class plaso.formatters.docker.DockerBaseEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class that contains common Docker event formatter functionality.

DATA_TYPE = u'docker:json'

FORMAT_STRING_SHORT_PIECES = [u'{id}']

SOURCE_SHORT = u'DOCKER'

class plaso.formatters.docker.DockerContainerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker event.

DATA_TYPE = u'docker:json:container'

FORMAT_STRING_PIECES = [u'Action: {action}', u'Container Name: {container_name}', u'Container ID: {container_id}']

FORMAT_STRING_SEPARATOR = u', '

SOURCE_LONG = u'Docker Container'

SOURCE_SHORT = u'DOCKER'

class plaso.formatters.docker.DockerContainerLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker container log event

DATA_TYPE = u'docker:json:container:log'

FORMAT_STRING_PIECES = (u'Text: {log_line}', u'Container ID: {container_id}', u'Source: {log_source}')

FORMAT_STRING_SEPARATOR = u', '

SOURCE_LONG = u'Docker Container Logs'

SOURCE_SHORT = u'DOCKER'

class plaso.formatters.docker.DockerLayerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Docker layer event.

DATA_TYPE = u'docker:json:layer'

FORMAT_STRING_PIECES = (u'Command: {command}', u'Layer ID: {layer_id}')

FORMAT_STRING_SEPARATOR = u', '

SOURCE_LONG = u'Docker Layer'

SOURCE_SHORT = u'DOCKER'

plaso.formatters.dpkg module

The dpkg.log event formatter.

class plaso.formatters.dpkg.DpkgFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a dpkg log file event.

DATA_TYPE = u'dpkg:line'

FORMAT_STRING_PIECES = [u'{body}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'dpkg log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.file_history module

The file history ESE database event formatter.

class plaso.formatters.file_history.FileHistoryNamespaceEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a file history ESE database namespace table record.

DATA_TYPE = u'file_history:namespace:event'

FORMAT_STRING_PIECES = [u'Filename: {original_filename}', u'Identifier: {identifier}', u'Parent Identifier: {parent_identifier}', u'Attributes: {file_attribute}', u'USN number: {usn_number}']

FORMAT_STRING_SHORT_PIECES = [u'Filename: {original_filename}']

SOURCE_LONG = u'File History Namespace'

SOURCE_SHORT = u'LOG'

plaso.formatters.file_system module

The file system stat event formatter.

class plaso.formatters.file_system.FileStatEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The file system stat event formatter.

DATA_TYPE = u'fs:stat'

FORMAT_STRING_PIECES = [u'{display_name}', u'Type: {file_entry_type}', u'({unallocated})']

FORMAT_STRING_SHORT_PIECES = [u'{filename}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event. Returns:short and long source string. Return type:tuple(str, str) Raises:WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = u'FILE'

class plaso.formatters.file_system.NTFSFileStatEventFormatter

Bases: plaso.formatters.file_system.FileStatEventFormatter

The NTFS file system stat event formatter.

DATA_TYPE = u'fs:stat:ntfs'

FORMAT_STRING_PIECES = [u'{display_name}', u'File reference: {file_reference}', u'Attribute name: {attribute_name}', u'Name: {name}', u'Parent file reference: {parent_file_reference}', u'({unallocated})']

FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{file_reference}', u'{attribute_name}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = u'FILE'

class plaso.formatters.file_system.NTFSUSNChangeEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The NTFS USN change event formatter.

DATA_TYPE = u'fs:ntfs:usn_change'

FORMAT_STRING_PIECES = [u'{filename}', u'File reference: {file_reference}', u'Parent file reference: {parent_file_reference}', u'Update source: {update_source}', u'Update reason: {update_reason}']

FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{file_reference}', u'{update_reason}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = u'FILE'

plaso.formatters.firefox module

The Mozilla Firefox history event formatter.

class plaso.formatters.firefox.FirefoxBookmarkAnnotationFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox bookmark annotation event formatter.

DATA_TYPE = u'firefox:places:bookmark_annotation'

FORMAT_STRING_PIECES = [u'Bookmark Annotation: [{content}]', u'to bookmark [{title}]', u'({url})']

FORMAT_STRING_SHORT_PIECES = [u'Bookmark Annotation: {title}']

SOURCE_LONG = u'Firefox History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFolderFormatter

Bases: plaso.formatters.interface.EventFormatter

The Firefox bookmark folder event formatter.

DATA_TYPE = u'firefox:places:bookmark_folder'

FORMAT_STRING = u'{title}'

SOURCE_LONG = u'Firefox History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.firefox.FirefoxBookmarkFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox URL bookmark event formatter.

DATA_TYPE = u'firefox:places:bookmark'

FORMAT_STRING_PIECES = [u'Bookmark {type}', u'{title}', u'({url})', u'[{places_title}]', u'visit count {visit_count}']

FORMAT_STRING_SHORT_PIECES = [u'Bookmarked {title}', u'({url})']

SOURCE_LONG = u'Firefox History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.firefox.FirefoxDowloadFormatter

Bases: plaso.formatters.interface.EventFormatter

The Firefox download event formatter.

DATA_TYPE = u'firefox:downloads:download'

FORMAT_STRING = u'{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'

FORMAT_STRING_SHORT = u'{full_path} downloaded ({received_bytes} bytes)'

SOURCE_LONG = u'Firefox History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.firefox.FirefoxPageVisitFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox page visited event formatter.

DATA_TYPE = u'firefox:places:page_visited'

FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[count: {visit_count}]', u'Host: {host}', u'{extra_string}']

FORMAT_STRING_SHORT_PIECES = [u'URL: {url}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Firefox History'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.firefox_cache module

The Firefox cache record event formatter.

class plaso.formatters.firefox_cache.FirefoxCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cache record event formatter.

DATA_TYPE = u'firefox:cache:record'

FORMAT_STRING_PIECES = [u'Fetched {fetch_count} time(s)', u'[{response_code}]', u'{request_method}', u'"{url}"']

FORMAT_STRING_SHORT_PIECES = [u'[{response_code}]', u'{request_method}', u'"{url}"']

SOURCE_LONG = u'Firefox Cache'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.firefox_cookies module

The Firefox cookie entry event formatter.

class plaso.formatters.firefox_cookies.FirefoxCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The Firefox cookie entry event formatter.

DATA_TYPE = u'firefox:cookie:entry'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Flags:', u'[HTTP only]: {httponly}', u'(GA analysis: {ga_data})']

FORMAT_STRING_SHORT_PIECES = [u'{host}', u'({cookie_name})']

SOURCE_LONG = u'Firefox Cookies'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.fseventsd module

The fseventsd event formatter.

class plaso.formatters.fseventsd.FSEventsdEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The fseventsd event formatter.

DATA_TYPE = u'macos:fseventsd:record'

FORMAT_STRING_PIECES = [u'{path}', u'Flag Values:', u'{flag_values}', u'Flags:', u'{hex_flags}', u'Event Identifier:', u'{event_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'{path}', u'{flag_values}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_SHORT = u'FSEVENT'

plaso.formatters.ganalytics module

The Google Analytics cookie event formatters.

class plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

The UTMA Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utma'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Sessions: {sessions}', u'Domain Hash: {domain_hash}', u'Visitor ID: {visitor_id}']

FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({cookie_name})']

SOURCE_LONG = u'Google Analytics Cookies'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.ganalytics.AnalyticsUtmbCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMB Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmb'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Pages Viewed: {pages_viewed}', u'Domain Hash: {domain_hash}']

class plaso.formatters.ganalytics.AnalyticsUtmtCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMT Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmt'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})']

class plaso.formatters.ganalytics.AnalyticsUtmzCookieFormatter

Bases: plaso.formatters.ganalytics.AnalyticsUtmaCookieFormatter

The UTMZ Google Analytics cookie event formatter.

DATA_TYPE = u'cookie:google:analytics:utmz'

FORMAT_STRING_PIECES = [u'{url}', u'({cookie_name})', u'Sessions: {sessions}', u'Domain Hash: {domain_hash}', u'Sources: {sources}', u'Last source used to access: {utmcsr}', u'Ad campaign information: {utmccn}', u'Last type of visit: {utmcmd}', u'Keywords used to find site: {utmctr}', u'Path to the page of referring link: {utmcct}']

plaso.formatters.gdrive module

The Google Drive snapshots event formatter.

class plaso.formatters.gdrive.GDriveCloudEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot cloud event.

DATA_TYPE = u'gdrive:snapshot:cloud_entry'

FORMAT_STRING_PIECES = [u'File Path: {path}', u'[{shared}]', u'Size: {size}', u'URL: {url}', u'Type: {document_type}']

FORMAT_STRING_SHORT_PIECES = [u'{path}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Google Drive (cloud entry)'

SOURCE_SHORT = u'LOG'

class plaso.formatters.gdrive.GDriveLocalEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive snapshot local event.

DATA_TYPE = u'gdrive:snapshot:local_entry'

FORMAT_STRING_PIECES = [u'File Path: {path}', u'Size: {size}']

FORMAT_STRING_SHORT_PIECES = [u'{path}']

SOURCE_LONG = u'Google Drive (local entry)'

SOURCE_SHORT = u'LOG'

plaso.formatters.gdrive_synclog module

Google Drive Sync log event formatter.

class plaso.formatters.gdrive_synclog.GoogleDriveSyncLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Google Drive Sync log file event.

DATA_TYPE = u'gdrive_sync:log:line'

FORMAT_STRING_PIECES = [u'[{log_level}', u'{pid}', u'{thread}', u'{source_code}]', u'{message}']

FORMAT_STRING_SHORT_PIECES = [u'{message}']

SOURCE_LONG = u'GoogleDriveSync Log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.hachoir module

The Hachoir event formatter.

class plaso.formatters.hachoir.HachoirFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Hachoir event.

DATA_TYPE = u'metadata:hachoir'

FORMAT_STRING = u'{data}'

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Hachoir Metadata'

SOURCE_SHORT = u'META'

plaso.formatters.iis module

The Microsoft IIS log file event formatter.

class plaso.formatters.iis.IISLogFileEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft IIS log file event.

DATA_TYPE = u'iis:log:line'

FORMAT_STRING_PIECES = [u'{http_method}', u'{requested_uri_stem}', u'[', u'{source_ip}', u'>', u'{dest_ip}', u':', u'{dest_port}', u']', u'HTTP Status: {http_status}', u'Bytes Sent: {sent_bytes}', u'Bytes Received: {received_bytes}', u'User Agent: {user_agent}', u'Protocol Version: {protocol_version}']

FORMAT_STRING_SHORT_PIECES = [u'{http_method}', u'{requested_uri_stem}', u'[', u'{source_ip}', u'>', u'{dest_ip}', u':', u'{dest_port}', u']']

SOURCE_LONG = u'IIS Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.imessage module

The iMessage chat.db (OSX) and sms.db (iOS)database event formatter.

class plaso.formatters.imessage.IMessageFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iMessage and SMS event.

DATA_TYPE = u'imessage:event:chat'

FORMAT_STRING_PIECES = [u'Row ID: {identifier}', u'iMessage ID: {imessage_id}', u'Read Receipt: {read_receipt}', u'Message Type: {message_type}', u'Service: {service}', u'Attachment Location: {attachment_location}', u'Message Content: {text}']

FORMAT_STRING_SHORT_PIECES = [u'{text}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Apple iMessage Application'

SOURCE_SHORT = u'iMessage'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv.

Plaso no longer stores these field explicitly.

A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.ConditionalEventFormatter

Bases: plaso.formatters.interface.EventFormatter

Base class to conditionally format event data using format string pieces.

Define the (long) format string and the short format string by defining FORMAT_STRING_PIECES and FORMAT_STRING_SHORT_PIECES. The syntax of the format strings pieces is similar to of the event formatter (EventFormatter). Every format string piece should contain a single attribute name or none.

FORMAT_STRING_SEPARATOR is used to control the string which the separate string pieces should be joined. It contains a space by default.

FORMAT_STRING_PIECES = [u'']

FORMAT_STRING_SEPARATOR = u' '

FORMAT_STRING_SHORT_PIECES = [u'']

GetFormatStringAttributeNames()

Retrieves the attribute names in the format string.

Returns:attribute names. Return type:set(str)

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.interface.EventFormatter

Bases: object

Base class to format event type specific data using a format string.

Define the (long) format string and the short format string by defining FORMAT_STRING and FORMAT_STRING_SHORT. The syntax of the format strings is similar to that of format() where the place holder for a certain event object attribute is defined as {attribute_name}.

DATA_TYPE = u'internal'

FORMAT_STRING = u''

FORMAT_STRING_SHORT = u''

GetFormatStringAttributeNames()

Retrieves the attribute names in the format string.

Returns:attribute names. Return type:set(str)

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event. Returns:short and long source string. Return type:tuple(str, str) Raises:WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u''

SOURCE_SHORT = u'LOG'

plaso.formatters.ipod module

The iPod device event formatter.

class plaso.formatters.ipod.IPodDeviceFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iPod device event.

DATA_TYPE = u'ipod:device:entry'

FORMAT_STRING_PIECES = [u'Device ID: {device_id}', u'Type: {device_class}', u'[{family_id}]', u'Connected {use_count} times', u'Serial nr: {serial_number}', u'IMEI [{imei}]']

SOURCE_LONG = u'iPod Connections'

SOURCE_SHORT = u'LOG'

plaso.formatters.java_idx module

The Java WebStart Cache IDX event formatter.

class plaso.formatters.java_idx.JavaIDXFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Java WebStart Cache IDX download event.

DATA_TYPE = u'java:download:idx'

FORMAT_STRING_PIECES = [u'IDX Version: {idx_version}', u'Host IP address: ({ip_address})', u'Download URL: {url}']

SOURCE_LONG = u'Java Cache IDX'

SOURCE_SHORT = u'JAVA_IDX'

plaso.formatters.kik_ios module

The Kik kik.sqlite iOS database event formatter.

class plaso.formatters.kik_ios.KikIOSMessageFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an iOS Kik message event.

DATA_TYPE = u'ios:kik:messaging'

FORMAT_STRING_PIECES = [u'Username: {username}', u'Displayname: {displayname}', u'Status: {message_status}', u'Type: {message_type}', u'Message: {body}']

FORMAT_STRING_SHORT_PIECES = [u'{body}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Kik iOS messages'

SOURCE_SHORT = u'Kik iOS'

plaso.formatters.ls_quarantine module

The MacOS launch services (LS) quarantine event formatter.

class plaso.formatters.ls_quarantine.LSQuarantineFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a launch services (LS) quarantine history event.

DATA_TYPE = u'macosx:lsquarantine'

FORMAT_STRING_PIECES = [u'[{agent}]', u'Downloaded: {url}', u'<{data}>']

FORMAT_STRING_SHORT_PIECES = [u'{url}']

SOURCE_LONG = u'LS Quarantine Event'

SOURCE_SHORT = u'LOG'

plaso.formatters.mac_appfirewall module

The MacOS appfirewall.log file event formatter.

class plaso.formatters.mac_appfirewall.MacAppFirewallLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for MacOS appfirewall.log file event.

DATA_TYPE = u'mac:appfirewall:line'

FORMAT_STRING_PIECES = [u'Computer: {computer_name}', u'Agent: {agent}', u'Status: {status}', u'Process name: {process_name}', u'Log: {action}']

FORMAT_STRING_SHORT_PIECES = [u'Process name: {process_name}', u'Status: {status}']

SOURCE_LONG = u'Mac AppFirewall Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.mac_document_versions module

The MacOS Document Versions files event formatter.

class plaso.formatters.mac_document_versions.MacDocumentVersionsFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS Document Versions page visited event.

DATA_TYPE = u'mac:document_versions:file'

FORMAT_STRING_PIECES = [u'Version of [{name}]', u'({path})', u'stored in {version_path}', u'by {user_sid}']

FORMAT_STRING_SHORT_PIECES = [u'Stored a document version of [{name}]']

SOURCE_LONG = u'Document Versions'

SOURCE_SHORT = u'HISTORY'

plaso.formatters.mac_keychain module

The MacOS keychain password database file event formatter.

class plaso.formatters.mac_keychain.KeychainApplicationRecordFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain application record event.

DATA_TYPE = u'mac:keychain:application'

FORMAT_STRING_PIECES = [u'Name: {entry_name}', u'Account: {account_name}']

FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']

SOURCE_LONG = u'Keychain Application password'

SOURCE_SHORT = u'LOG'

class plaso.formatters.mac_keychain.KeychainInternetRecordFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a keychain Internet record event.

DATA_TYPE = u'mac:keychain:internet'

FORMAT_STRING_PIECES = [u'Name: {entry_name}', u'Account: {account_name}', u'Where: {where}', u'Protocol: {protocol}', u'({type_protocol})']

FORMAT_STRING_SHORT_PIECES = [u'{entry_name}']

SOURCE_LONG = u'Keychain Internet password'

SOURCE_SHORT = u'LOG'

plaso.formatters.mac_securityd module

The MacOS securityd log file event formatter.

class plaso.formatters.mac_securityd.MacOSSecuritydLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacOS securityd log event.

DATA_TYPE = u'mac:securityd:line'

FORMAT_STRING_PIECES = [u'Sender: {sender}', u'({sender_pid})', u'Level: {level}', u'Facility: {facility}', u'Text: {message}']

FORMAT_STRING_SHORT_PIECES = [u'Text: {message}']

SOURCE_LONG = u'Mac Securityd Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.mac_wifi module

The MacOS wifi.log file event formatter.

class plaso.formatters.mac_wifi.MacWifiLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a wifi.log file event.

DATA_TYPE = u'mac:wifilog:line'

FORMAT_STRING_PIECES = [u'Action: {action}', u'Agent: {agent}', u'({function})', u'Log: {text}']

FORMAT_STRING_SHORT_PIECES = [u'Action: {action}']

SOURCE_LONG = u'Mac Wifi Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.mackeeper_cache module

The MacKeeper Cache event formatter.

class plaso.formatters.mackeeper_cache.MacKeeperCacheFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MacKeeper Cache event.

DATA_TYPE = u'mackeeper:cache'

FORMAT_STRING_PIECES = [u'{description}', u'<{event_type}>', u':', u'{text}', u'[', u'URL: {url}', u'Event ID: {record_id}', u'Room: {room}', u']']

FORMAT_STRING_SHORT_PIECES = [u'<{event_type}>', u'{text}']

SOURCE_LONG = u'MacKeeper Cache'

SOURCE_SHORT = u'LOG'

plaso.formatters.mactime module

The Sleuthkit (TSK) bodyfile (or mactime) event formatter.

class plaso.formatters.mactime.MactimeFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a mactime event.

DATA_TYPE = u'fs:mactime:line'

FORMAT_STRING = u'{filename}'

SOURCE_LONG = u'Mactime Bodyfile'

SOURCE_SHORT = u'FILE'

plaso.formatters.manager module

This file contains the event formatters manager class.

class plaso.formatters.manager.FormattersManager

Bases: object

Class that implements the formatters manager.

classmethod DeregisterFormatter(formatter_class)

Deregisters a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_class (type) – class of the formatter. Raises:KeyError – if formatter class is not set for the corresponding data type.

classmethod GetFormatterObject(data_type)

Retrieves the formatter object for a specific data type.

Parameters:data_type (str) – data type. Returns:

corresponding formatter or the default formatter if

not available.

Return type:EventFormatter

classmethod GetMessageStrings(formatter_mediator, event)

Retrieves the formatted message strings for a specific event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

long and short version of the message string.

Return type:

list[str, str]

classmethod GetSourceStrings(event)

Retrieves the formatted source strings for a specific event object.

Parameters:event (EventObject) – event. Returns:short and long version of the source of the event. Return type:list[str, str]

classmethod RegisterFormatter(formatter_class)

Registers a formatter class.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_class (type) – class of the formatter. Raises:KeyError – if formatter class is already set for the corresponding data type.

classmethod RegisterFormatters(formatter_classes)

Registers formatter classes.

The formatter classes are identified based on their lower case data type.

Parameters:formatter_classes (list[type]) – classes of the formatters. Raises:KeyError – if formatter class is already set for the corresponding data type.

plaso.formatters.mcafeeav module

The McAfee AV Logs file event formatter.

class plaso.formatters.mcafeeav.McafeeAccessProtectionLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a McAfee Access Protection Log event.

DATA_TYPE = u'av:mcafee:accessprotectionlog'

FORMAT_STRING_PIECES = [u'File Name: {filename}', u'User: {username}', u'{trigger_location}', u'{status}', u'{rule}', u'{action}']

FORMAT_STRING_SHORT_PIECES = [u'{filename}', u'{action}']

SOURCE_LONG = u'McAfee Access Protection Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.mediator module

The formatter mediator object.

class plaso.formatters.mediator.FormatterMediator(data_location=None)

Bases: object

Class that implements the formatter mediator.

DEFAULT_LANGUAGE_IDENTIFIER = u'en-US'

DEFAULT_LCID = 1033

GetWindowsEventMessage(log_source, message_identifier)

Retrieves the message string for a specific Windows Event Log source.

Parameters:

• log_source (str) – Event Log source, such as “Application Error”.
• message_identifier (int) – message identifier.

Returns:

message string or None if not available.

Return type:

str

SetPreferredLanguageIdentifier(language_identifier)

Sets the preferred language identifier.

Parameters:

language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.

Raises:

• KeyError – if the language identifier is not defined.
• TypeError – if the language identifier is not a string type.

lcid

int – preferred Language Code identifier (LCID).

plaso.formatters.msie_webcache module

The MSIE WebCache ESE database event formatters.

class plaso.formatters.msie_webcache.MsieWebCacheContainerEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Container_# table record.

DATA_TYPE = u'msie:webcache:container'

FORMAT_STRING_PIECES = [u'URL: {url}', u'Redirect URL: {redirect_url}', u'Access count: {access_count}', u'Sync count: {sync_count}', u'Filename: {cached_filename}', u'File extension: {file_extension}', u'Cached file size: {cached_file_size}', u'Request headers: {request_headers}', u'Response headers: {response_headers}', u'Entry identifier: {entry_identifier}', u'Container identifier: {container_identifier}', u'Cache identifier: {cache_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'URL: {url}']

SOURCE_LONG = u'MSIE WebCache container record'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCacheContainersEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Containers table record.

DATA_TYPE = u'msie:webcache:containers'

FORMAT_STRING_PIECES = [u'Name: {name}', u'Directory: {directory}', u'Table: Container_{container_identifier}', u'Container identifier: {container_identifier}', u'Set identifier: {set_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'Directory: {directory}']

SOURCE_LONG = u'MSIE WebCache containers record'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCacheLeakFilesEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database LeakFiles table record.

DATA_TYPE = u'msie:webcache:leak_file'

FORMAT_STRING_PIECES = [u'Filename: {cached_filename}', u'Leak identifier: {leak_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'Filename: {cached_filename}']

SOURCE_LONG = u'MSIE WebCache partitions record'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.msie_webcache.MsieWebCachePartitionsEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIE WebCache ESE database Partitions table record.

DATA_TYPE = u'msie:webcache:partitions'

FORMAT_STRING_PIECES = [u'Partition identifier: {partition_identifier}', u'Partition type: {partition_type}', u'Directory: {directory}', u'Table identifier: {table_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'Directory: {directory}']

SOURCE_LONG = u'MSIE WebCache partitions record'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.msiecf module

The Microsoft Internet Explorer (MSIE) Cache Files (CF) event formatters.

class plaso.formatters.msiecf.MsiecfItemFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a MSIECF item event.

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.msiecf.MsiecfLeakFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak item event.

DATA_TYPE = u'msiecf:leak'

FORMAT_STRING_PIECES = [u'Cached file: {cached_file_path}', u'Cached file size: {cached_file_size}', u'{recovered_string}']

FORMAT_STRING_SHORT_PIECES = [u'Cached file: {cached_file_path}']

SOURCE_LONG = u'MSIE Cache File leak record'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.msiecf.MsiecfRedirectedFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF leak redirected event.

DATA_TYPE = u'msiecf:redirected'

FORMAT_STRING_PIECES = [u'Location: {url}', u'{recovered_string}']

FORMAT_STRING_SHORT_PIECES = [u'Location: {url}']

SOURCE_LONG = u'MSIE Cache File redirected record'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.msiecf.MsiecfUrlFormatter

Bases: plaso.formatters.msiecf.MsiecfItemFormatter

Formatter for a MSIECF URL item event.

DATA_TYPE = u'msiecf:url'

FORMAT_STRING_PIECES = [u'Location: {url}', u'Number of hits: {number_of_hits}', u'Cached file: {cached_file_path}', u'Cached file size: {cached_file_size}', u'HTTP headers: {http_headers}', u'{recovered_string}']

FORMAT_STRING_SHORT_PIECES = [u'Location: {url}', u'Cached file: {cached_file_path}']

SOURCE_LONG = u'MSIE Cache File URL record'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.officemru module

The Microsoft Office MRU Windows Registry event formatter.

class plaso.formatters.officemru.OfficeMRUWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Microsoft Office MRU Windows Registry event.

DATA_TYPE = u'windows:registry:office_mru'

FORMAT_STRING_PIECES = [u'[{key_path}]', u'Value: {value_string}']

FORMAT_STRING_SHORT_PIECES = [u'{value_string}']

SOURCE_LONG = u'Registry Key: Microsoft Office MRU'

SOURCE_SHORT = u'REG'

plaso.formatters.olecf module

The OLE Compound File (OLECF) event formatters.

class plaso.formatters.olecf.OLECFDestListEntryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF DestList stream event.

DATA_TYPE = u'olecf:dest_list:entry'

FORMAT_STRING_PIECES = [u'Entry: {entry_number}', u'Pin status: {pin_status}', u'Hostname: {hostname}', u'Path: {path}', u'Droid volume identifier: {droid_volume_identifier}', u'Droid file identifier: {droid_file_identifier}', u'Birth droid volume identifier: {birth_droid_volume_identifier}', u'Birth droid file identifier: {birth_droid_file_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'Entry: {entry_number}', u'Pin status: {pin_status}', u'Path: {path}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

class plaso.formatters.olecf.OLECFDocumentSummaryInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Document Summary Info property set stream event.

DATA_TYPE = u'olecf:document_summary_info'

FORMAT_STRING_PIECES = [u'Number of bytes: {number_of_bytes}', u'Number of lines: {number_of_lines}', u'Number of paragraphs: {number_of_paragraphs}', u'Number of slides: {number_of_slides}', u'Number of notes: {number_of_notes}', u'Number of hidden slides: {number_of_hidden_slides}', u'Number of multi-media clips: {number_of_clips}', u'Company: {company}', u'Manager: {manager}', u'Shared document: {shared_document}', u'Application version: {application_version}', u'Content type: {content_type}', u'Content status: {content_status}', u'Language: {language}', u'Document version: {document_version}']

FORMAT_STRING_SHORT_PIECES = [u'Company: {company}']

SOURCE_LONG = u'OLECF Document Summary Info'

SOURCE_SHORT = u'OLECF'

class plaso.formatters.olecf.OLECFItemFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for an OLECF item event.

DATA_TYPE = u'olecf:item'

FORMAT_STRING = u'Name: {name}'

FORMAT_STRING_SHORT = u'Name: {name}'

SOURCE_LONG = u'OLECF Item'

SOURCE_SHORT = u'OLECF'

class plaso.formatters.olecf.OLECFSummaryInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OLECF Summary Info property set stream event.

DATA_TYPE = u'olecf:summary_info'

FORMAT_STRING_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}', u'Keywords: {keywords}', u'Comments: {comments}', u'Template: {template}', u'Revision number: {revision_number}', u'Last saved by: {last_saved_by}', u'Total edit time: {total_edit_time}', u'Number of pages: {number_of_pages}', u'Number of words: {number_of_words}', u'Number of characters: {number_of_characters}', u'Application: {application}', u'Security: {security}']

FORMAT_STRING_SHORT_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}', u'Revision number: {revision_number}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'OLECF Summary Info'

SOURCE_SHORT = u'OLECF'

plaso.formatters.opera module

The Opera history event formatters.

class plaso.formatters.opera.OperaGlobalHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera global history event.

DATA_TYPE = u'opera:history:entry'

FORMAT_STRING_PIECES = [u'{url}', u'({title})', u'[{description}]']

SOURCE_LONG = u'Opera Browser History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.opera.OperaTypedHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an Opera typed history event.

DATA_TYPE = u'opera:history:typed_entry'

FORMAT_STRING_PIECES = [u'{url}', u'({entry_selection})']

SOURCE_LONG = u'Opera Browser History'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.oxml module

The OpenXML event formatter.

class plaso.formatters.oxml.OpenXMLParserFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an OXML event.

DATA_TYPE = u'metadata:openxml'

FORMAT_STRING_PIECES = [u'Creating App: {creating_app}', u'App version: {app_version}', u'Title: {title}', u'Subject: {subject}', u'Last saved by: {last_saved_by}', u'Author: {author}', u'Total edit time (secs): {total_edit_time}', u'Keywords: {keywords}', u'Comments: {comments}', u'Revision number: {revision_number}', u'Template: {template}', u'Number of pages: {number_of_pages}', u'Number of words: {number_of_words}', u'Number of characters: {number_of_characters}', u'Number of characters with spaces: {number_of_characters_with_spaces}', u'Number of lines: {number_of_lines}', u'Company: {company}', u'Manager: {manager}', u'Shared: {shared}', u'Security: {security}', u'Hyperlinks changed: {hyperlinks_changed}', u'Links up to date: {links_up_to_date}', u'Scale crop: {scale_crop}', u'Digital signature: {dig_sig}', u'Slides: {slides}', u'Hidden slides: {hidden_slides}', u'Presentation format: {presentation_format}', u'MM clips: {mm_clips}', u'Notes: {notes}']

FORMAT_STRING_SHORT_PIECES = [u'Title: {title}', u'Subject: {subject}', u'Author: {author}']

SOURCE_LONG = u'Open XML Metadata'

SOURCE_SHORT = u'META'

plaso.formatters.pcap module

The PCAP event formatter.

class plaso.formatters.pcap.PCAPFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PCAP event.

DATA_TYPE = u'metadata:pcap'

FORMAT_STRING_PIECES = [u'Source IP: {source_ip}', u'Destination IP: {dest_ip}', u'Source Port: {source_port}', u'Destination Port: {dest_port}', u'Protocol: {protocol}', u'Type: {stream_type}', u'Size: {size}', u'Protocol Data: {protocol_data}', u'Stream Data: {stream_data}', u'First Packet ID: {first_packet_id}', u'Last Packet ID: {last_packet_id}', u'Packet Count: {packet_count}']

FORMAT_STRING_SHORT_PIECES = [u'Type: {stream_type}', u'First Packet ID: {first_packet_id}']

SOURCE_LONG = u'Packet Capture File (pcap)'

SOURCE_SHORT = u'PCAP'

plaso.formatters.pe module

The PE event formatter.

class plaso.formatters.pe.PECompilationFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE compilation event.

DATA_TYPE = u'pe:compilation:compilation_time'

SOURCE_LONG = u'PE Compilation time'

class plaso.formatters.pe.PEDelayImportFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE delay import section event.

DATA_TYPE = u'pe:delay_import:import_time'

FORMAT_STRING_PIECES = [u'DLL name: {dll_name}', u'PE Type: {pe_type}', u'Import hash: {imphash}']

FORMAT_STRING_SHORT_PIECES = [u'{dll_name}']

SOURCE_LONG = u'PE Delay Import Time'

class plaso.formatters.pe.PEEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Parent class for PE event formatters.

DATA_TYPE = u'pe'

FORMAT_STRING_PIECES = [u'PE Type: {pe_type}', u'Import hash: {imphash}']

FORMAT_STRING_SEPARATOR = u' '

FORMAT_STRING_SHORT_PIECES = [u'pe_type']

SOURCE_LONG = u'PE Event'

SOURCE_SHORT = u'PE'

class plaso.formatters.pe.PEImportFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE import section event.

DATA_TYPE = u'pe:import:import_time'

FORMAT_STRING_PIECES = [u'DLL name: {dll_name}', u'PE Type: {pe_type}', u'Import hash: {imphash}']

FORMAT_STRING_SHORT_PIECES = [u'{dll_name}']

SOURCE_LONG = u'PE Import Time'

class plaso.formatters.pe.PELoadConfigModificationEvent

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE load configuration table event.

DATA_TYPE = u'pe:load_config:modification_time'

SOURCE_LONG = u'PE Load Configuration Table Time'

class plaso.formatters.pe.PEResourceCreationFormatter

Bases: plaso.formatters.pe.PEEventFormatter

Formatter for a PE resource creation event.

DATA_TYPE = u'pe:resource:creation_time'

SOURCE_LONG = u'PE Resource Creation Time'

plaso.formatters.plist module

The plist event formatter.

class plaso.formatters.plist.PlistFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a plist key event.

DATA_TYPE = u'plist:key'

FORMAT_STRING_PIECES = [u'{root}/', u'{key}', u' {desc}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'Plist Entry'

SOURCE_SHORT = u'PLIST'

plaso.formatters.pls_recall module

The PL/SQL Recall event formatter.

class plaso.formatters.pls_recall.PlsRecallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a PL/SQL Recall file container event.

DATA_TYPE = u'PLSRecall:event'

FORMAT_STRING_PIECES = [u'Sequence number: {sequence_number}', u'Username: {username}', u'Database name: {database_name}', u'Query: {query}']

FORMAT_STRING_SHORT_PIECES = [u'{sequence_number}', u'{username}', u'{database_name}', u'{query}']

SOURCE_LONG = u'PL/SQL Developer Recall file'

SOURCE_SHORT = u'PLSRecall'

plaso.formatters.popcontest module

The Popularity Contest event formatters.

class plaso.formatters.popcontest.PopularityContestLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Log event.

DATA_TYPE = u'popularity_contest:log:event'

FORMAT_STRING_PIECES = [u'mru [{mru}]', u'package [{package}]', u'tag [{record_tag}]']

FORMAT_STRING_SHORT_PIECES = [u'{mru}']

SOURCE_LONG = u'Popularity Contest Log'

SOURCE_SHORT = u'LOG'

class plaso.formatters.popcontest.PopularityContestSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Popularity Contest Session information event.

DATA_TYPE = u'popularity_contest:session:event'

FORMAT_STRING_PIECES = [u'Session {session}', u'{status}', u'ID {hostid}', u'[{details}]']

FORMAT_STRING_SHORT_PIECES = [u'Session {session}', u'{status}']

SOURCE_LONG = u'Popularity Contest Session'

SOURCE_SHORT = u'LOG'

plaso.formatters.recycler module

The Windows Recycler/Recycle Bin formatter.

class plaso.formatters.recycler.WinRecyclerFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Recycler/Recycle Bin file event.

DATA_TYPE = u'windows:metadata:deleted_item'

FORMAT_STRING_PIECES = [u'DC{record_index} ->', u'{original_filename}', u'[{short_filename}]', u'(from drive: {drive_letter})']

FORMAT_STRING_SHORT_PIECES = [u'Deleted file: {original_filename}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Recycle Bin'

SOURCE_SHORT = u'RECBIN'

plaso.formatters.safari module

The Safari history event formatter.

class plaso.formatters.safari.SafariHistoryFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event.

DATA_TYPE = u'safari:history:visit'

FORMAT_STRING_PIECES = [u'Visited: {url}', u'({title}', u'- {display_title}', u')', u'Visit Count: {visit_count}']

SOURCE_LONG = u'Safari History'

SOURCE_SHORT = u'WEBHIST'

class plaso.formatters.safari.SafariHistoryFormatterSqlite

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari history event from Sqlite History.db

DATA_TYPE = u'safari:history:visit_sqlite'

FORMAT_STRING_PIECES = [u'URL: {url}', u'Title: ({title})', u'[count: {visit_count}]', u'http_non_get: {was_http_non_get}']

SOURCE_LONG = u'Safari History'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.safari_cookies module

The Safari Binary cookie event formatter.

class plaso.formatters.safari_cookies.SafaryCookieFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Safari Binary Cookie file entry event.

DATA_TYPE = u'safari:cookie:entry'

FORMAT_STRING_PIECES = [u'{url}', u'<{path}>', u'({cookie_name})', u'Flags: {flags}']

FORMAT_STRING_SHORT_PIECES = [u'{url}', u'({cookie_name})']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Safari Cookies'

SOURCE_SHORT = u'WEBHIST'

plaso.formatters.sam_users module

The SAM users Windows Registry event formatter.

class plaso.formatters.sam_users.SAMUsersWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SAM users Windows Registry event.

DATA_TYPE = u'windows:registry:sam_users'

FORMAT_STRING_PIECES = [u'[{key_path}]', u'Username: {username}', u'Full name: {fullname}', u'Comments: {comments}', u'RID: {account_rid}', u'Login count: {login_count}']

FORMAT_STRING_SHORT_PIECES = [u'{username}', u'RID: {account_rid}', u'Login count: {login_count}']

SOURCE_LONG = u'Registry Key: User Account Information'

SOURCE_SHORT = u'REG'

plaso.formatters.sccm module

The SCCM log formatter.

class plaso.formatters.sccm.SCCMEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for SCCM event formatter.

DATA_TYPE = u'software_management:sccm:log'

FORMAT_STRING_PIECES = [u'{component}', u'{text}']

FORMAT_STRING_SEPARATOR = u' '

FORMAT_STRING_SHORT_PIECES = [u'{text}']

SOURCE_LONG = u'SCCM Event'

SOURCE_SHORT = u'LOG'

plaso.formatters.selinux module

The selinux event formatter.

class plaso.formatters.selinux.SELinuxFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a selinux log file event.

DATA_TYPE = u'selinux:line'

FORMAT_STRING_PIECES = [u'[', u'audit_type: {audit_type}', u', pid: {pid}', u']', u' {body}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'Audit log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.shell_items module

The shell item event formatter.

class plaso.formatters.shell_items.ShellItemFileEntryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shell item file entry event.

DATA_TYPE = u'windows:shell_item:file_entry'

FORMAT_STRING_PIECES = [u'Name: {name}', u'Long name: {long_name}', u'Localized name: {localized_name}', u'NTFS file reference: {file_reference}', u'Shell item path: {shell_item_path}', u'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = [u'Name: {file_entry_name}', u'NTFS file reference: {file_reference}', u'Origin: {origin}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'File entry shell item'

SOURCE_SHORT = u'FILE'

plaso.formatters.shutdown module

The shutdown Windows Registry event formatter.

class plaso.formatters.shutdown.ShutdownWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a shutdown Windows Registry event.

DATA_TYPE = u'windows:registry:shutdown'

FORMAT_STRING_PIECES = [u'[{key_path}]', u'Description: {value_name}']

FORMAT_STRING_SHORT_PIECES = [u'{value_name}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Registry Key Shutdown Entry'

SOURCE_SHORT = u'REG'

plaso.formatters.skydrivelog module

The SkyDrive log event formatter.

class plaso.formatters.skydrivelog.SkyDriveLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive log file event.

DATA_TYPE = u'skydrive:log:line'

FORMAT_STRING_PIECES = [u'[{module}', u'{source_code}', u'{log_level}]', u'{detail}']

FORMAT_STRING_SHORT_PIECES = [u'{detail}']

SOURCE_LONG = u'SkyDrive Log File'

SOURCE_SHORT = u'LOG'

class plaso.formatters.skydrivelog.SkyDriveOldLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SkyDrive old log file event.

DATA_TYPE = u'skydrive:log:old:line'

FORMAT_STRING_PIECES = [u'[{source_code}]', u'({log_level})', u'{text}']

FORMAT_STRING_SHORT_PIECES = [u'{text}']

SOURCE_LONG = u'SkyDrive Log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.skype module

The Skype main database event formatter.

class plaso.formatters.skype.SkypeAccountFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype account event.

DATA_TYPE = u'skype:event:account'

FORMAT_STRING_PIECES = [u'{username}', u'[{email}]', u'Country: {country}']

SOURCE_LONG = u'Skype Account'

SOURCE_SHORT = u'LOG'

class plaso.formatters.skype.SkypeCallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype call event.

DATA_TYPE = u'skype:event:call'

FORMAT_STRING_PIECES = [u'From: {src_call}', u'To: {dst_call}', u'[{call_type}]']

SOURCE_LONG = u'Skype Call'

SOURCE_SHORT = u'LOG'

class plaso.formatters.skype.SkypeChatFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype chat message event.

DATA_TYPE = u'skype:event:chat'

FORMAT_STRING_PIECES = [u'From: {from_account}', u'To: {to_account}', u'[{title}]', u'Message: [{text}]']

FORMAT_STRING_SHORT_PIECES = [u'From: {from_account}', u'To: {to_account}']

SOURCE_LONG = u'Skype Chat MSG'

SOURCE_SHORT = u'LOG'

class plaso.formatters.skype.SkypeSMSFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype SMS event.

DATA_TYPE = u'skype:event:sms'

FORMAT_STRING_PIECES = [u'To: {number}', u'[{text}]']

SOURCE_LONG = u'Skype SMS'

SOURCE_SHORT = u'LOG'

class plaso.formatters.skype.SkypeTransferFileFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Skype transfer file event.

DATA_TYPE = u'skype:event:transferfile'

FORMAT_STRING_PIECES = [u'Source: {source}', u'Destination: {destination}', u'File: {transferred_filename}', u'[{action_type}]']

SOURCE_LONG = u'Skype Transfer Files'

SOURCE_SHORT = u'LOG'

plaso.formatters.sophos_av module

The Sophos Anti-Virus log (SAV.txt) file event formatter.

class plaso.formatters.sophos_av.SophosAVLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Sophos Anti-Virus log (SAV.txt) event data.

DATA_TYPE = u'sophos:av:log'

FORMAT_STRING_PIECES = [u'{text}']

SOURCE_LONG = u'Sophos Anti-Virus log'

SOURCE_SHORT = u'LOG'

plaso.formatters.srum module

The System Resource Usage Monitor (SRUM) ESE database event formatters.

class plaso.formatters.srum.SRUMApplicationResourceUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM application resource usage event.

DATA_TYPE = u'windows:srum:application_usage'

FORMAT_STRING_PIECES = [u'Application: {application}']

FORMAT_STRING_SHORT_PIECES = [u'{application}']

class plaso.formatters.srum.SRUMNetworkConnectivityUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network connectivity usage event.

DATA_TYPE = u'windows:srum:network_connectivity'

FORMAT_STRING_PIECES = [u'Application: {application}']

FORMAT_STRING_SHORT_PIECES = [u'{application}']

class plaso.formatters.srum.SRUMNetworkDataUsageEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SRUM network data usage event.

DATA_TYPE = u'windows:srum:network_usage'

FORMAT_STRING_PIECES = [u'Application: {application}', u'Bytes received: {bytes_received}', u'Bytes sent: {bytes_sent}', u'Interface LUID: {interface_luid}', u'User identifer: {user_identifier}']

FORMAT_STRING_SHORT_PIECES = [u'{application}']

plaso.formatters.ssh module

The syslog SSH file event formatter.

class plaso.formatters.ssh.SSHFailedConnectionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH failed connection event.

DATA_TYPE = u'syslog:ssh:failed_connection'

FORMAT_STRING_PIECES = [u'Unsuccessful connection of user: {username}', u'from {address}:', u'{port}', u'using authentication method: {authentication_method}', u'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = u''

FORMAT_STRING_SHORT = u'{body}'

SOURCE_LONG = u'SSH log'

SOURCE_SHORT = u'LOG'

class plaso.formatters.ssh.SSHLoginEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH successful login event.

DATA_TYPE = u'syslog:ssh:login'

FORMAT_STRING_PIECES = [u'Successful login of user: {username}', u'from {address}:', u'{port}', u'using authentication method: {authentication_method}', u'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = u''

FORMAT_STRING_SHORT = u'{body}'

SOURCE_LONG = u'SSH log'

SOURCE_SHORT = u'LOG'

class plaso.formatters.ssh.SSHOpenedConnectionEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a SSH opened connection event.

DATA_TYPE = u'syslog:ssh:opened_connection'

FORMAT_STRING_PIECES = [u'Connection opened {address}:', u'{port}', u'ssh pid: {pid}']

FORMAT_STRING_SEPARATOR = u''

FORMAT_STRING_SHORT = u'{body}'

SOURCE_LONG = u'SSH log'

SOURCE_SHORT = u'LOG'

plaso.formatters.symantec module

The Symantec AV log file event formatter.

class plaso.formatters.symantec.SymantecAVFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Symantec AV log file event.

ACTION_0_NAMES = {u'11': u'Undo action in Quarantine View', u'10': u'Renamed backup file', u'13': u'Backed up file', u'12': u'Write protected or lack of permissions - Unable to act on file', u'1': u'Quarantined', u'3': u'Deleted', u'2': u'Renamed', u'5': u'Cleaned', u'4': u'Left alone', u'7': u'Saved file as...', u'6': u'Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)', u'9': u'Moved to backup location', u'8': u'Sent to Intel (AMS)'}

ACTION_1_2_NAMES = {u'1': u'Quarantine infected file', u'3': u'Delete infected file', u'2': u'Rename infected file', u'5': u'Clean virus from file', u'4': u'Leave alone (log only)', u'6': u'Clean or delete macros'}

CATEGORY_NAMES = {u'1': u'GL_CAT_INFECTION', u'3': u'GL_CAT_PATTERN', u'2': u'GL_CAT_SUMMARY', u'4': u'GL_CAT_SECURITY'}

DATA_TYPE = u'av:symantec:scanlog'

EVENT_NAMES = {u'56': u'GL_EVENT_CLIENT_INSTALL_FW', u'77': u'GL_EVENT_HEUR_THREAT_NOW_KNOWN', u'54': u'GL_EVENT_COMMS_UNAUTHORIZED_COMM', u'42': u'GL_EVENT_RTS_ERROR', u'48': u'GL_EVENT_REMEDIATION_ACTION_PENDING', u'43': u'GL_EVENT_COMPLIANCE_FAIL', u'60': u'GL_EVENT_COMMS_SERVER_CERT_ISSUE', u'61': u'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE', u'62': u'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED', u'63': u'GL_EVENT_CLIENT_CHECKIN', u'64': u'GL_EVENT_CLIENT_NO_CHECKIN', u'49': u'GL_EVENT_REMEDIATION_ACTION_FAILED', u'66': u'GL_EVENT_SCAN_RESUMED', u'67': u'GL_EVENT_SCAN_DURATION_INSUFFICIENT', u'68': u'GL_EVENT_CLIENT_MOVE', u'69': u'GL_EVENT_SCAN_FAILED_ENHANCED', u'52': u'GL_EVENT_COMMS_LOGIN_FAILED', u'53': u'GL_EVENT_COMMS_LOGIN_SUCCESS', u'24': u'GL_EVENT_RTS_UNLOAD', u'25': u'GL_EVENT_REMOVE_CLIENT', u'26': u'GL_EVENT_SCAN_DELAYED', u'27': u'GL_EVENT_SCAN_RESTART', u'20': u'GL_EVENT_BACKUP', u'21': u'GL_EVENT_SCAN_ABORT', u'22': u'GL_EVENT_RTS_LOAD_ERROR', u'23': u'GL_EVENT_RTS_LOAD', u'46': u'GL_EVENT_ANOMALY_START', u'47': u'GL_EVENT_DETECTION_ACTION_TAKEN', u'44': u'GL_EVENT_COMPLIANCE_SUCCESS', u'45': u'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION', u'28': u'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER', u'29': u'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER', u'40': u'GL_EVENT_BAD_DEFS_UNPROTECTED', u'41': u'GL_EVENT_SAV_PROVIDER_PARSING_ERROR', u'1': u'GL_EVENT_IS_ALERT', u'3': u'GL_EVENT_SCAN_START', u'2': u'GL_EVENT_SCAN_STOP', u'5': u'GL_EVENT_INFECTION', u'4': u'GL_EVENT_PATTERN_UPDATE', u'7': u'GL_EVENT_LOAD_PATTERN', u'6': u'GL_EVENT_FILE_NOT_OPEN', u'9': u'GL_STD_MESSAGE_ERROR', u'8': u'GL_STD_MESSAGE_INFO', u'51': u'GL_EVENT_ANOMALY_FINISH', u'39': u'GL_EVENT_BAD_DEFS_ROLLBACK', u'65': u'GL_EVENT_SCAN_SUSPENDED', u'76': u'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS', u'75': u'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH', u'38': u'GL_EVENT_LICENSE_DEALLOCATED', u'73': u'GL_EVENT_LOAD_ERROR_COH', u'72': u'GL_EVENT_INTERESTING_PROCESS_DETECTED_START', u'71': u'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED', u'70': u'GL_EVENT_MAX_event_name', u'58': u'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK', u'11': u'GL_EVENT_TRAP', u'10': u'GL_EVENT_CHECKSUM', u'13': u'GL_EVENT_SHUTDOWN', u'12': u'GL_EVENT_CONFIG_CHANGE', u'59': u'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE', u'14': u'GL_EVENT_STARTUP', u'17': u'GL_EVENT_TOO_MANY_VIRUSES', u'16': u'GL_EVENT_PATTERN_DOWNLOAD', u'19': u'GL_EVENT_SCANDLVR', u'18': u'GL_EVENT_FWD_TO_QSERVER', u'31': u'GL_EVENT_LICENSE_ERROR', u'30': u'GL_EVENT_LICENSE_WARNING', u'37': u'GL_EVENT_LICENSE_OK', u'36': u'GL_EVENT_LICENSE_ALLOCATED', u'35': u'GL_EVENT_LICENSE_INSTALLED', u'34': u'GL_EVENT_LOG_FWD_THRD_ERR', u'33': u'GL_EVENT_UNAUTHORIZED_COMM', u'55': u'GL_EVENT_CLIENT_INSTALL_AV', u'74': u'GL_EVENT_LOAD_ERROR_SYKNAPPS', u'32': u'GL_EVENT_LICENSE_GRACE', u'57': u'GL_EVENT_CLIENT_UNINSTALL', u'50': u'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL'}

FORMAT_STRING_PIECES = [u'Event Name: {event_map}', u'Category Name: {category_map}', u'Malware Name: {virus}', u'Malware Path: {file}', u'Action0: {action0_map}', u'Action1: {action1_map}', u'Action2: {action2_map}', u'Description: {description}', u'Scan ID: {scanid}', u'Event Data: {event_data}', u'Remote Machine: {remote_machine}', u'Remote IP: {remote_machine_ip}']

FORMAT_STRING_SEPARATOR = u'; '

FORMAT_STRING_SHORT_PIECES = [u'{file}', u'{virus}', u'{action0_map}', u'{action1_map}', u'{action2_map}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Symantec AV Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.syslog module

The syslog file event formatter.

class plaso.formatters.syslog.SyslogCommentFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog comment

DATA_TYPE = u'syslog:comment'

FORMAT_STRING_PIECES = [u'{body}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'Log File'

SOURCE_SHORT = u'LOG'

class plaso.formatters.syslog.SyslogLineFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a syslog line event.

DATA_TYPE = u'syslog:line'

FORMAT_STRING_PIECES = [u'{severity} ', u'[', u'{reporter}', u', pid: {pid}', u'] {body}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'Log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.systemd_journal module

The Systemd journal file event formatter.

class plaso.formatters.systemd_journal.SystemdJournalEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Systemd journal event.

DATA_TYPE = u'systemd:journal'

FORMAT_STRING_PIECES = [u'{hostname} ', u'[', u'{reporter}', u', pid: {pid}', u'] {body}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'systemd-journal'

SOURCE_SHORT = u'LOG'

plaso.formatters.task_scheduler module

The Task Scheduler event formatter.

class plaso.formatters.task_scheduler.TaskCacheEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Task Scheduler Cache event.

DATA_TYPE = u'task_scheduler:task_cache:entry'

FORMAT_STRING_PIECES = [u'Task: {task_name}', u'[Identifier: {task_identifier}]']

FORMAT_STRING_SHORT_PIECES = [u'Task: {task_name}']

SOURCE_LONG = u'Task Cache'

SOURCE_SHORT = u'REG'

plaso.formatters.text module

The text file event formatter.

class plaso.formatters.text.TextEntryFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a text file entry event.

DATA_TYPE = u'text:entry'

FORMAT_STRING = u'{text}'

SOURCE_LONG = u'Text File'

SOURCE_SHORT = u'LOG'

plaso.formatters.trendmicroav module

The Trend Micro AV Logs file event formatter.

class plaso.formatters.trendmicroav.OfficeScanVirusDetectionLogEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Trend Micro Office Scan Virus Detection Log event.

DATA_TYPE = u'av:trendmicro:scan'

FORMAT_STRING_PIECES = [u'Path: {path}', u'File name: {filename}', u'{threat}', u': {action}', u'({scan_type})']

FORMAT_STRING_SHORT_PIECES = [u'{path}', u'{filename}', u'{action}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

If any event values have a matching formatting function in VALUE_FORMATTERS, they are run through that function; then the dictionary is passed to the superclass’s formatting method.

Parameters:

• unused_formatter_mediator (FormatterMediator) – not used.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Trend Micro Office Scan Virus Detection Log'

SOURCE_SHORT = u'LOG'

VALUE_FORMATTERS = {u'action': <function <lambda>>, u'scan_type': <function <lambda>>}

plaso.formatters.twitter_ios module

Twitter on iOS 8+ database formatter.

class plaso.formatters.twitter_ios.TwitterIOSContactFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ contact event formatter.

DATA_TYPE = u'twitter:ios:contact'

FORMAT_STRING_PIECES = [u'Screen name: {screen_name}', u'Profile picture URL: {profile_url}', u'Name: {name}', u'Location: {location}', u'Description: {description}', u'URL: {url}', u'Following: {following}', u'Number of followers: {followers_count}', u'Number of following: {following_count}']

FORMAT_STRING_SHORT_PIECES = [u'Screen name: {screen_name}', u'Description: {description}', u'URL: {url}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Twitter iOS Contacts'

SOURCE_SHORT = u'Twitter iOS'

class plaso.formatters.twitter_ios.TwitterIOSStatusFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Twitter on iOS 8+ status event formatter.

DATA_TYPE = u'twitter:ios:status'

FORMAT_STRING_PIECES = [u'Name: {name}', u'User Id: {user_id}', u'Message: {text}', u'Favorite: {favorited}', u'Retweet Count: {retweet_count}', u'Favorite Count: {favorite_count}']

FORMAT_STRING_SHORT_PIECES = [u'Name: {name}', u'Message: {text}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Twitter iOS Status'

SOURCE_SHORT = u'Twitter iOS'

plaso.formatters.userassist module

The UserAssist Windows Registry event formatter.

class plaso.formatters.userassist.UserAssistWindowsRegistryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UserAssist Windows Registry event.

DATA_TYPE = u'windows:registry:userassist'

FORMAT_STRING_PIECES = [u'[{key_path}]', u'UserAssist entry: {entry_index}', u'Value name: {value_name}', u'Count: {number_of_executions}', u'Application focus count: {application_focus_count}', u'Application focus duration: {application_focus_duration}']

FORMAT_STRING_SHORT_PIECES = [u'{value_name}', u'Count: {number_of_executions}']

SOURCE_LONG = u'Registry Key: UserAssist'

SOURCE_SHORT = u'REG'

plaso.formatters.utmp module

The UTMP binary file event formatter.

class plaso.formatters.utmp.UtmpSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMP session event.

DATA_TYPE = u'linux:utmp:event'

FORMAT_STRING_PIECES = [u'User: {user}', u'Computer Name: {computer_name}', u'Terminal: {terminal}', u'PID: {pid}', u'Terminal_ID: {terminal_id}', u'Status: {status}', u'IP Address: {ip_address}', u'Exit: {exit}']

FORMAT_STRING_SHORT_PIECES = [u'User: {user}']

SOURCE_LONG = u'UTMP session'

SOURCE_SHORT = u'LOG'

plaso.formatters.utmpx module

The UTMPX binary file event formatter.

class plaso.formatters.utmpx.UtmpxSessionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for an UTMPX session event.

DATA_TYPE = u'mac:utmpx:event'

FORMAT_STRING_PIECES = [u'User: {user}', u'Status: {status}', u'Computer Name: {computer_name}', u'Terminal: {terminal}']

FORMAT_STRING_SHORT_PIECES = [u'User: {user}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'UTMPX session'

SOURCE_SHORT = u'LOG'

plaso.formatters.windows module

The Windows event formatter.

class plaso.formatters.windows.WindowsDistributedLinkTrackingCreationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows distributed link creation event.

DATA_TYPE = u'windows:distributed_link_tracking:creation'

FORMAT_STRING_PIECES = [u'{uuid}', u'MAC address: {mac_address}', u'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = [u'{uuid}', u'Origin: {origin}']

SOURCE_LONG = u'System'

SOURCE_SHORT = u'LOG'

class plaso.formatters.windows.WindowsRegistryInstallationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows installation event.

DATA_TYPE = u'windows:registry:installation'

FORMAT_STRING_PIECES = [u'{product_name}', u'{version}', u'{service_pack}', u'Owner: owner', u'Origin: {key_path}']

FORMAT_STRING_SHORT_PIECES = [u'{product_name}', u'{version}', u'{service_pack}', u'Origin: {key_path}']

SOURCE_LONG = u'System'

SOURCE_SHORT = u'LOG'

class plaso.formatters.windows.WindowsRegistryListEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows list event e.g. MRU or Jump list.

DATA_TYPE = u'windows:registry:list'

FORMAT_STRING_PIECES = [u'Key: {key_path}', u'Value: {value_name}', u'List: {list_name}', u'[{list_values}]']

SOURCE_LONG = u'System'

SOURCE_SHORT = u'LOG'

class plaso.formatters.windows.WindowsRegistryNetworkEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows network event.

DATA_TYPE = u'windows:registry:network'

FORMAT_STRING_PIECES = [u'SSID: {ssid}', u'Description: {description}', u'Connection Type: {connection_type}', u'Default Gateway Mac: {default_gateway_mac}', u'DNS Suffix: {dns_suffix}']

SOURCE_LONG = u'System: Network Connection'

SOURCE_SHORT = u'LOG'

class plaso.formatters.windows.WindowsVolumeCreationEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows volume creation event.

DATA_TYPE = u'windows:volume:creation'

FORMAT_STRING_PIECES = [u'{device_path}', u'Serial number: 0x{serial_number:08X}', u'Origin: {origin}']

FORMAT_STRING_SHORT_PIECES = [u'{device_path}', u'Origin: {origin}']

SOURCE_LONG = u'System'

SOURCE_SHORT = u'LOG'

plaso.formatters.winevt module

The Windows EventLog (EVT) file event formatter.

class plaso.formatters.winevt.WinEVTFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows EventLog (EVT) record event.

DATA_TYPE = u'windows:evt:record'

FORMAT_STRING_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Source Name: {source_name}', u'Message string: {message_string}', u'Strings: {strings}', u'Computer Name: {computer_name}', u'Severity: {severity}', u'Record Number: {record_number}', u'Event Type: {event_type}', u'Event Category: {event_category}']

FORMAT_STRING_SHORT_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Strings: {strings}']

GetEventTypeString(event_type)

Retrieves a string representation of the event type.

Parameters:event_type (int) – event type. Returns:description of the event type. Return type:str

GetMessages(formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSeverityString(severity)

Retrieves a string representation of the severity.

Parameters:severity (int) – severity. Returns:description of the event severity. Return type:str

SOURCE_LONG = u'WinEVT'

SOURCE_SHORT = u'EVT'

plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile

Bases: object

Class that defines a sqlite3 database file.

Close()

Closes the database file.

Raises:RuntimeError – if the database is not opened.

GetValues(table_names, column_names, condition)

Retrieves values from a table.

Parameters:

• table_names (list[str]) – table names.
• column_names (list[str]) – column names.
• condition (str) – query condition such as “log_source == ‘Application Error’”.

Yields:

sqlite3.row – row.

Raises:

RuntimeError – if the database is not opened.

HasTable(table_name)

Determines if a specific table exists.

Parameters:table_name (str) – table name. Returns:True if the table exists. Return type:bool Raises:RuntimeError – if the database is not opened.

Open(filename, read_only=False)

Opens the database file.

Parameters:

• filename (str) – filename of the database.
• read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns:

True if successful.

Return type:

bool

Raises:

RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Bases: object

Class to represent a sqlite3 database reader.

Close()

Closes the database reader object.

Open(filename)

Opens the database reader object.

Parameters:filename (str) – filename of the database. Returns:True if successful. Return type:bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader

Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

Class to represent a sqlite3 Event Log resources database reader.

GetMessage(log_source, lcid, message_identifier)

Retrieves a specific message for a specific Event Log source.

Parameters:

• log_source (str) – Event Log source.
• lcid (int) – language code identifier (LCID).
• message_identifier (int) – message identifier.

Returns:

message string or None if not available.

Return type:

str

GetMetadataAttribute(attribute_name)

Retrieves the metadata attribute.

Parameters:attribute_name (str) – name of the metadata attribute. Returns:the metadata attribute or None. Return type:str Raises:RuntimeError – if more than one value is found in the database.

Open(filename)

Opens the database reader object.

Parameters:filename (str) – filename of the database. Returns:True if successful. Return type:bool Raises:RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winevtx module

The Windows XML EventLog (EVTX) file event formatter.

class plaso.formatters.winevtx.WinEVTXFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows XML EventLog (EVTX) record event.

DATA_TYPE = u'windows:evtx:record'

FORMAT_STRING_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Source Name: {source_name}', u'Message string: {message_string}', u'Strings: {strings}', u'Computer Name: {computer_name}', u'Record Number: {record_number}', u'Event Level: {event_level}']

FORMAT_STRING_SHORT_PIECES = [u'[{event_identifier} /', u'0x{event_identifier:04x}]', u'Strings: {strings}']

GetMessages(formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'WinEVTX'

SOURCE_SHORT = u'EVT'

plaso.formatters.winfirewall module

The Windows firewall log file event formatter.

class plaso.formatters.winfirewall.WinFirewallFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows firewall log entry event.

DATA_TYPE = u'windows:firewall:log_entry'

FORMAT_STRING_PIECES = [u'{action}', u'[', u'{protocol}', u'{path}', u']', u'From: {source_ip}', u':{source_port}', u'>', u'{dest_ip}', u':{dest_port}', u'Size (bytes): {size}', u'Flags [{flags}]', u'TCP Seq Number: {tcp_seq}', u'TCP ACK Number: {tcp_ack}', u'TCP Window Size (bytes): {tcp_win}', u'ICMP type: {icmp_type}', u'ICMP code: {icmp_code}', u'Additional info: {info}']

FORMAT_STRING_SHORT_PIECES = [u'{action}', u'[{protocol}]', u'{source_ip}', u': {source_port}', u'>', u'{dest_ip}', u': {dest_port}']

SOURCE_LONG = u'Windows Firewall Log'

SOURCE_SHORT = u'LOG'

plaso.formatters.winjob module

The Windows Scheduled Task (job) event formatter.

class plaso.formatters.winjob.WinJobFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Scheduled Task (job) event.

DATA_TYPE = u'windows:tasks:job'

FORMAT_STRING_PIECES = [u'Application: {application}', u'{parameters}', u'Scheduled by: {username}', u'Working directory: {working_directory}', u'Trigger type: {trigger_type}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Windows Scheduled Task Job'

SOURCE_SHORT = u'JOB'

plaso.formatters.winlnk module

The Windows Shortcut (LNK) event formatter.

class plaso.formatters.winlnk.WinLnkLinkFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Shortcut (LNK) link event.

DATA_TYPE = u'windows:lnk:link'

FORMAT_STRING_PIECES = [u'[{description}]', u'File size: {file_size}', u'File attribute flags: 0x{file_attribute_flags:08x}', u'Drive type: {drive_type}', u'Drive serial number: 0x{drive_serial_number:08x}', u'Volume label: {volume_label}', u'Local path: {local_path}', u'Network path: {network_path}', u'cmd arguments: {command_line_arguments}', u'env location: {env_var_location}', u'Relative path: {relative_path}', u'Working dir: {working_directory}', u'Icon location: {icon_location}', u'Link target: {link_target}']

FORMAT_STRING_SHORT_PIECES = [u'[{description}]', u'{linked_path}', u'{command_line_arguments}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Windows Shortcut'

SOURCE_SHORT = u'LNK'

plaso.formatters.winprefetch module

The Windows Prefetch event formatter.

class plaso.formatters.winprefetch.WinPrefetchExecutionFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Prefetch execution event.

DATA_TYPE = u'windows:prefetch:execution'

FORMAT_STRING_PIECES = [u'Prefetch', u'[{executable}] was executed -', u'run count {run_count}', u'path: {path}', u'hash: 0x{prefetch_hash:08X}', u'{volumes_string}']

FORMAT_STRING_SHORT_PIECES = [u'{executable} was run', u'{run_count} time(s)']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'WinPrefetch'

SOURCE_SHORT = u'LOG'

plaso.formatters.winreg module

The Windows Registry key or value event formatter.

class plaso.formatters.winreg.WinRegistryGenericFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Windows Registry key or value event.

DATA_TYPE = u'windows:registry:key_value'

FORMAT_STRING = u'[{key_path}] {text}'

FORMAT_STRING_ALTERNATIVE = u'{text}'

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

GetSources(event)

Determines the the short and long source for an event object.

Parameters:event (EventObject) – event. Returns:short and long source string. Return type:tuple(str, str) Raises:WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Registry Key'

SOURCE_SHORT = u'REG'

plaso.formatters.winregservice module

The Windows services event formatter.

The Windows services are derived from Windows Registry files.

class plaso.formatters.winregservice.WinRegistryServiceFormatter

Bases: plaso.formatters.winreg.WinRegistryGenericFormatter

Formatter for a Windows service event.

DATA_TYPE = u'windows:registry:service'

GetMessages(formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

plaso.formatters.winrestore module

The Windows Restore Point (rp.log) file event formatter.

class plaso.formatters.winrestore.RestorePointInfoFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a Windows Windows Restore Point information event.

DATA_TYPE = u'windows:restore_point:info'

FORMAT_STRING_PIECES = [u'{description}', u'Event type: {restore_point_event_type}', u'Restore point type: {restore_point_type}']

FORMAT_STRING_SHORT_PIECES = [u'{description}']

GetMessages(unused_formatter_mediator, event)

Determines the formatted message strings for an event object.

Parameters:

• formatter_mediator (FormatterMediator) – mediates the interactions between formatters and other components, such as storage and Windows EventLog resources.
• event (EventObject) – event.

Returns:

formatted message string and short message string.

Return type:

tuple(str, str)

Raises:

WrongFormatter – if the event object cannot be formatted by the formatter.

SOURCE_LONG = u'Windows Restore Point'

SOURCE_SHORT = u'RP'

plaso.formatters.xchatlog module

The XChat log file event formatter.

class plaso.formatters.xchatlog.XChatLogFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat log file entry event.

DATA_TYPE = u'xchat:log:line'

FORMAT_STRING_PIECES = [u'[nickname: {nickname}]', u'{text}']

SOURCE_LONG = u'XChat Log File'

SOURCE_SHORT = u'LOG'

plaso.formatters.xchatscrollback module

The XChat scrollback file event formatter.

class plaso.formatters.xchatscrollback.XChatScrollbackFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Formatter for a XChat scrollback file entry event.

DATA_TYPE = u'xchat:scrollback:line'

FORMAT_STRING_PIECES = [u'[', u'nickname: {nickname}', u']', u' {text}']

FORMAT_STRING_SEPARATOR = u''

SOURCE_LONG = u'XChat Scrollback File'

SOURCE_SHORT = u'LOG'

plaso.formatters.zeitgeist module

The Zeitgeist event formatter.

class plaso.formatters.zeitgeist.ZeitgeistFormatter

Bases: plaso.formatters.interface.EventFormatter

Formatter for a Zeitgeist activity database event.

DATA_TYPE = u'zeitgeist:activity'

FORMAT_STRING = u'{subject_uri}'

SOURCE_LONG = u'Zeitgeist activity log'

SOURCE_SHORT = u'LOG'

plaso.formatters.zsh_extended_history module

The Zsh extended_history formatter.

class plaso.formatters.zsh_extended_history.ZshExtendedHistoryEventFormatter

Bases: plaso.formatters.interface.ConditionalEventFormatter

Class for the Zsh event formatter.

DATA_TYPE = u'shell:zsh:history'

FORMAT_STRING_PIECES = [u'{command}', u'Time elapsed: {elapsed_seconds} seconds']

FORMAT_STRING_SEPARATOR = u' '

FORMAT_STRING_SHORT_PIECES = [u'{command}']

SOURCE_LONG = u'Zsh Extended History'

SOURCE_SHORT = u'HIST'

Module contents

This file contains an import statement for each formatter.