plaso.storage.sqlite package¶

Submodules¶

plaso.storage.sqlite.merge_reader module¶

Merge reader for SQLite storage files.

class plaso.storage.sqlite.merge_reader.SQLiteStorageMergeReader(storage_writer, path)[source]¶

Bases: plaso.storage.interface.StorageFileMergeReader

SQLite-based storage file reader for merging.

MergeAttributeContainers(callback=None, maximum_number_of_containers=0)[source]¶

Reads attribute containers from a task storage file into the writer.

Parameters:	callback (function[StorageWriter, AttributeContainer]) – function to call after each attribute container is deserialized. maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represent no limit.
Returns:	True if the entire task storage file has been merged.
Return type:	bool
Raises:	`OSError` – if the task storage file cannot be deleted.

plaso.storage.sqlite.reader module¶

Reader for SQLite storage files.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)[source]¶

Bases: plaso.storage.interface.StorageFileReader

SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module¶

SQLite-based storage.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(maximum_buffer_size=0, storage_type=u'session')[source]¶

Bases: plaso.storage.interface.BaseStorageFile

SQLite-based storage file.

format_version¶: int – storage format version.

serialization_format¶: str – serialization format.

storage_type¶: str – storage type.

AddAnalysisReport(analysis_report)[source]¶

Adds an analysis report.

Parameters:	analysis_report (AnalysisReport) – analysis report.
Raises:	`IOError` – when the storage file is closed or read-only.

AddError(error)[source]¶

Adds an error.

Parameters:	error (ExtractionError) – error.
Raises:	`IOError` – when the storage file is closed or read-only.

AddEvent(event)[source]¶

Adds an event.

Parameters:	event (EventObject) – event.
Raises:	`IOError` – when the storage file is closed or read-only or if the event data identifier type is not supported.

AddEventData(event_data)[source]¶

Adds event data.

Parameters:	event_data (EventData) – event data.
Raises:	`IOError` – when the storage file is closed or read-only.

AddEventSource(event_source)[source]¶

Adds an event source.

Parameters:	event_source (EventSource) – event source.
Raises:	`IOError` – when the storage file is closed or read-only.

AddEventTag(event_tag)[source]¶

Adds an event tag.

Parameters:	event_tag (EventTag) – event tag.
Raises:	`IOError` – when the storage file is closed or read-only or if the event identifier type is not supported.

AddEventTags(event_tags)[source]¶

Adds event tags.

Parameters:	event_tags (list[EventTag]) – event tags.
Raises:	`IOError` – when the storage file is closed or read-only or if the event tags cannot be serialized.

classmethod CheckSupportedFormat(path)[source]¶

Checks if the storage file format is supported.

Parameters:	path (str) – path to the storage file.
Returns:	True if the format is supported.
Return type:	bool

Close()[source]¶

Closes the storage.

Raises:	`IOError` – if the storage file is already closed.

GetAnalysisReports()[source]¶

Retrieves the analysis reports.

Returns:	analysis report generator.
Return type:	generator(AnalysisReport)

GetErrors()[source]¶

Retrieves the errors.

Returns:	error generator.
Return type:	generator(ExtractionError)

GetEventData()[source]¶

Retrieves the event data.

Yields:	generator(EventData) – event data generator.

GetEventDataByIdentifier(identifier)[source]¶

Retrieves specific event data.

Parameters:	identifier (SQLTableIdentifier) – event data identifier.
Returns:	event data or None if not available.
Return type:	EventData

GetEventSourceByIndex(index)[source]¶

Retrieves a specific event source.

Parameters:	index (int) – event source index.
Returns:	event source or None if not available.
Return type:	EventSource

GetEventSources()[source]¶

Retrieves the event sources.

Yields:	generator(EventSource) – event source generator.

GetEventTagByIdentifier(identifier)[source]¶

Retrieves a specific event tag.

Parameters:	identifier (SQLTableIdentifier) – event tag identifier.
Returns:	event tag or None if not available.
Return type:	EventTag

GetEventTags()[source]¶

Retrieves the event tags.

Yields:	EventTag – event tag.

GetEvents()[source]¶

Retrieves the events.

Yields:	EventObject – event.

GetNumberOfAnalysisReports()[source]¶

Retrieves the number analysis reports.

Returns:	number of analysis reports.
Return type:	int

GetNumberOfEventSources()[source]¶

Retrieves the number event sources.

Returns:	number of event sources.
Return type:	int

GetSessions()[source]¶

Retrieves the sessions.

Yields:	Session – session attribute container.
Raises:	`IOError` – if a stream is missing or there is a mismatch in session identifiers between the session start and completion attribute containers.

GetSortedEvents(time_range=None)[source]¶

Retrieves the events in increasing chronological order.

Parameters:	time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
Yields:	EventObject – event.

HasAnalysisReports()[source]¶

Determines if a store contains analysis reports.

Returns:	True if the store contains analysis reports.
Return type:	bool

HasErrors()[source]¶

Determines if a store contains extraction errors.

Returns:	True if the store contains extraction errors.
Return type:	bool

HasEventTags()[source]¶

Determines if a store contains event tags.

Returns:	True if the store contains event tags.
Return type:	bool

Open(path=None, read_only=True, **unused_kwargs)[source]¶

Opens the storage.

Parameters:	path (Optional[str]) – path to the storage file. read_only (Optional[bool]) – True if the file should be opened in read-only mode.
Raises:	`IOError` – if the storage file is already opened or if the database cannot be connected. `ValueError` – if path is missing.

ReadPreprocessingInformation(knowledge_base)[source]¶

Reads preprocessing information.

The preprocessing information contains the system configuration which contains information about various system specific configuration data, for example the user accounts.

Parameters:	knowledge_base (KnowledgeBase) – is used to store the preprocessing information.

WritePreprocessingInformation(knowledge_base)[source]¶

Writes preprocessing information.

Parameters:	knowledge_base (KnowledgeBase) – contains the preprocessing information.
Raises:	`IOError` – if the storage type does not support writing preprocess information or the storage file is closed or read-only.

WriteSessionCompletion(session_completion)[source]¶

Writes session completion information.

Parameters:	session_completion (SessionCompletion) – session completion information.
Raises:	`IOError` – when the storage file is closed or read-only.

WriteSessionStart(session_start)[source]¶

Writes session start information.

Parameters:	session_start (SessionStart) – session start information.
Raises:	`IOError` – when the storage file is closed or read-only.

WriteTaskCompletion(task_completion)[source]¶

Writes task completion information.

Parameters:	task_completion (TaskCompletion) – task completion information.
Raises:	`IOError` – when the storage file is closed or read-only.

WriteTaskStart(task_start)[source]¶

Writes task start information.

Parameters:	task_start (TaskStart) – task start information.
Raises:	`IOError` – when the storage file is closed or read-only.

plaso.storage.sqlite.writer module¶

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(session, output_file, storage_type=u'session', task=None)[source]¶

Bases: plaso.storage.interface.StorageFileWriter

SQLite-based storage file writer.