How to use plaso - 10 common examples
To help you get started, we’ve selected a few plaso examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
log2timeline / plaso / tests / parsers / sqlite_plugins / firefox_cookies.py View on Github 
for event in storage_writer.GetEvents():
event_data = self._GetEventDataOfEvent(storage_writer, event)
if event_data.data_type == 'firefox:cookie:entry':
test_events.append(event)
else:
extra_objects.append(event)
self.assertEqual(len(test_events), 90 * 3)
self.assertGreaterEqual(len(extra_objects), 25)
# Check one greenqloud.com event
event = test_events[32]
self.CheckTimestamp(event.timestamp, '2015-10-30 21:56:03.000000')
self.assertEqual(
event.timestamp_desc, definitions.TIME_DESCRIPTION_EXPIRATION)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.host, 's.greenqloud.com')
self.assertEqual(event_data.cookie_name, '__utma')
self.assertFalse(event_data.httponly)
self.assertEqual(event_data.url, 'http://s.greenqloud.com/')
expected_message = (
'http://s.greenqloud.com/ (__utma) Flags: [HTTP only]: False')
expected_short_message = 's.greenqloud.com (__utma)'
self._TestGetMessageStrings(
event_data, expected_message, expected_short_message)
# Check one of the visits to pubmatic.com.
event = test_events[62]description_expected = 'File Hosted Date'
self.assertEqual(event.timestamp_desc, description_expected)
# Parse second event. Same metadata; different timestamp event.
event = events[1]
self.CheckTimestamp(event.timestamp, '2010-05-05 03:52:31.000000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.idx_version, 602)
expected_url = 'http://www.gxxxxx.com/a/java/xxz.jar'
self.assertEqual(event_data.url, expected_url)
description_expected = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
self.assertEqual(event.timestamp_desc, description_expected)profiling.ProfilingArgumentsHelper.ParseOptions(options, test_tool)
with self.assertRaises(errors.BadConfigOption):
options = cli_test_lib.TestOptions()
options.profiling_directory = '/bogus'
profiling.ProfilingArgumentsHelper.ParseOptions(options, test_tool)
with self.assertRaises(errors.BadConfigOption):
options = cli_test_lib.TestOptions()
options.profiling_sample_rate = 'a'
profiling.ProfilingArgumentsHelper.ParseOptions(options, test_tool)
with self.assertRaises(errors.BadConfigOption):
options = cli_test_lib.TestOptions()
options.profiling_sample_rate = 100
profiling.ProfilingArgumentsHelper.ParseOptions(options, test_tool)test_file_path = self._GetTestFilePath(['image.qcow2'])
self._SkipIfPathNotExists(test_file_path)
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = test_artifacts_path
options.image = test_file_path
test_tool.ParseOptions(options)
options = test_lib.TestOptions()
with self.assertRaises(errors.BadConfigOption):
test_tool.ParseOptions(options)def ParseOptions(cls, options, configuration_object):
"""Parse and validate the configuration options.
Args:
options (argparse.Namespace): parser options.
configuration_object (object): object to be configured by the argument
helper.
Raises:
BadConfigOption: when a configuration parameter fails validation.
"""
if not hasattr(options, 'correcto'):
raise errors.BadConfigOption('Correcto not set.')
if not isinstance(getattr(options, 'correcto', None), bool):
raise errors.BadConfigOption('Correcto wrongly formatted.')def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
output_mediator = self._CreateOutputMediator()
output_module = xlsx.XLSXOutputModule(output_mediator)
with self.assertRaises(errors.BadConfigOption):
xlsx_output.XLSXOutputArgumentsHelper.ParseOptions(
options, output_module)
options.write = 'plaso.xlsx'
xlsx_output.XLSXOutputArgumentsHelper.ParseOptions(
options, output_module)
with self.assertRaises(errors.BadConfigObject):
xlsx_output.XLSXOutputArgumentsHelper.ParseOptions(
options, None)from tests import test_lib as shared_test_lib
from tests.containers import test_lib as containers_test_lib
class PfilterFakeFormatter(formatters_interface.EventFormatter):
"""A formatter for this fake class."""
DATA_TYPE = 'Weirdo:Made up Source:Last Written'
FORMAT_STRING = '{text}'
FORMAT_STRING_SHORT = '{text_short}'
SOURCE_LONG = 'Fake Parsing Source'
SOURCE_SHORT = 'REG'
formatters_manager.FormattersManager.RegisterFormatter(PfilterFakeFormatter)
class TestBinaryOperator(filters.GenericBinaryOperator):
"""Binary operator for testing.
Attributes:
values (list[str]): event values passed to the _CompareValue function.
"""
def __init__(self, arguments=None, **kwargs):
"""Initializes a binary operator.
Args:
arguments (Optional[object]): operands of the filter.
"""
super(TestBinaryOperator, self).__init__(arguments=arguments, **kwargs)event_identifier = test_events[0].GetIdentifier()
event_tag = events.EventTag(comment='My comment')
event_tag.SetEventIdentifier(event_identifier)
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Malware')
event_tags.append(event_tag)
event_identifier = test_events[2].GetIdentifier()
event_tag = events.EventTag(comment='This is interesting')
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabels(['Malware', 'Benign'])
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Interesting')
event_tags.append(event_tag)
return event_tags_OS_PATH_SPEC = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='{0:s}{1:s}'.format(
os.path.sep, os.path.join('cases', 'image.dd')))
_TEST_EVENTS = [
{'data_type': 'test:output',
'display_name': 'OS: /var/log/syslog.1',
'hostname': 'ubuntu',
'inode': 12345678,
'pathspec': path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, inode=15,
location='/var/log/syslog.1', parent=_OS_PATH_SPEC),
'text': (
'Reporter PID: |8442| (pam_unix(cron:session): session\n '
'closed for user root)'),
'timestamp': timelib.Timestamp.CopyFromString('2012-06-27 18:17:01'),
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN,
'username': 'root'}]
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
output_mediator = self._CreateOutputMediator()
output_writer = cli_test_lib.TestOutputWriter()
output_module = rawpy.NativePythonOutputModule(output_mediator)
output_module.SetOutputWriter(output_writer)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
output_module.WriteEventBody(event, event_data, None)
if sys.platform.startswith('win'):
# The dict comparison is very picky on Windows hence weclass TaggingAnalysisPluginTest(test_lib.AnalysisPluginTestCase):
"""Tests the tagging analysis plugin."""
# pylint: disable=protected-access
_TEST_EVENTS = [
{'data_type': 'windows:prefetch',
'timestamp': timelib.Timestamp.CopyFromString('2015-05-01 15:12:00'),
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN},
{'data_type': 'chrome:history:file_downloaded',
'timestamp': timelib.Timestamp.CopyFromString('2015-05-01 05:06:00'),
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN},
{'data_type': 'something_else',
'timestamp': timelib.Timestamp.CopyFromString('2015-02-19 08:00:01'),
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN},
{'data_type': 'windows:evt:record',
'event_identifier': 538,
'source_name': 'Security',
'timestamp': timelib.Timestamp.CopyFromString('2016-05-25 13:00:06'),
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN},
{'body': 'this is a message',
'data_type': 'windows:evt:record',
'event_identifier': 16,
'timestamp': timelib.Timestamp.CopyFromString('2016-05-25 13:00:06'),
'source_name': 'Messaging',
'timestamp_desc': definitions.TIME_DESCRIPTION_UNKNOWN}]
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt'])plaso
Plaso (log2timeline) - Super timeline all the things
Package Health Score
81 / 100Popular plaso functions
- plaso.containers.events
- plaso.containers.events.EventData
- plaso.containers.sessions.Session
- plaso.containers.time_events
- plaso.containers.time_events.DateTimeValuesEvent
- plaso.engine.knowledge_base.KnowledgeBase
- plaso.formatters.interface
- plaso.formatters.interface.ConditionalEventFormatter
- plaso.formatters.manager
- plaso.formatters.manager.FormattersManager
- plaso.formatters.manager.FormattersManager.RegisterFormatter
- plaso.lib.definitions
- plaso.lib.errors
- plaso.lib.errors.BadConfigObject
- plaso.lib.errors.BadConfigOption
- plaso.lib.errors.ParseError
- plaso.lib.errors.UnableToParseFile
- plaso.lib.py2to3
- plaso.lib.timelib.Timestamp.CopyFromString
- plaso.parsers.manager.ParsersManager.RegisterParser