How to use the plaso.lib.definitions function in plaso
To help you get started, we’ve selected a few plaso examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
log2timeline / plaso / tests / parsers / sqlite_plugins / firefox_cookies.py View on Github 
for event in storage_writer.GetEvents():
event_data = self._GetEventDataOfEvent(storage_writer, event)
if event_data.data_type == 'firefox:cookie:entry':
test_events.append(event)
else:
extra_objects.append(event)
self.assertEqual(len(test_events), 90 * 3)
self.assertGreaterEqual(len(extra_objects), 25)
# Check one greenqloud.com event
event = test_events[32]
self.CheckTimestamp(event.timestamp, '2015-10-30 21:56:03.000000')
self.assertEqual(
event.timestamp_desc, definitions.TIME_DESCRIPTION_EXPIRATION)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.host, 's.greenqloud.com')
self.assertEqual(event_data.cookie_name, '__utma')
self.assertFalse(event_data.httponly)
self.assertEqual(event_data.url, 'http://s.greenqloud.com/')
expected_message = (
'http://s.greenqloud.com/ (__utma) Flags: [HTTP only]: False')
expected_short_message = 's.greenqloud.com (__utma)'
self._TestGetMessageStrings(
event_data, expected_message, expected_short_message)
# Check one of the visits to pubmatic.com.
event = test_events[62]description_expected = 'File Hosted Date'
self.assertEqual(event.timestamp_desc, description_expected)
# Parse second event. Same metadata; different timestamp event.
event = events[1]
self.CheckTimestamp(event.timestamp, '2010-05-05 03:52:31.000000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.idx_version, 602)
expected_url = 'http://www.gxxxxx.com/a/java/xxz.jar'
self.assertEqual(event_data.url, expected_url)
description_expected = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
self.assertEqual(event.timestamp_desc, description_expected)'text_prepend', 'yara_rules']
helpers_manager.ArgumentHelperManager.ParseOptions(
options, self, names=argument_helper_names)
self._ParseLogFileOptions(options)
self._ParseStorageMediaOptions(options)
self._ParsePerformanceOptions(options)
self._ParseProcessingOptions(options)
if not self._storage_file_path:
raise errors.BadConfigOption('Missing storage file option.')
serializer_format = getattr(
options, 'serializer_format', definitions.SERIALIZER_FORMAT_JSON)
if serializer_format not in definitions.SERIALIZER_FORMATS:
raise errors.BadConfigOption(
'Unsupported storage serializer format: {0:s}.'.format(
serializer_format))
self._storage_serializer_format = serializer_format
# TODO: where is this defined?
self._operating_system = getattr(options, 'os', None)
if self._operating_system:
self._mount_path = getattr(options, 'filename', None)
helpers_manager.ArgumentHelperManager.ParseOptions(
options, self, names=['status_view'])
self._enable_sigsegv_handler = getattr(options, 'sigsegv_handler', False)# Either the file path or location string can be used to distinguish
# between the different type of files.
timestamp = msiecf_item.get_primary_time_as_integer()
if not timestamp:
primary_date_time = dfdatetime_semantic_time.SemanticTime('Not set')
else:
primary_date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
primary_date_time_description = 'Primary Time'
timestamp = msiecf_item.get_secondary_time_as_integer()
secondary_date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
secondary_date_time_description = 'Secondary Time'
if msiecf_item.type:
if msiecf_item.type == 'cache':
primary_date_time_description = definitions.TIME_DESCRIPTION_LAST_ACCESS
secondary_date_time_description = (
definitions.TIME_DESCRIPTION_MODIFICATION)
elif msiecf_item.type == 'cookie':
primary_date_time_description = definitions.TIME_DESCRIPTION_LAST_ACCESS
secondary_date_time_description = (
definitions.TIME_DESCRIPTION_MODIFICATION)
elif msiecf_item.type == 'history':
primary_date_time_description = (
definitions.TIME_DESCRIPTION_LAST_VISITED)
secondary_date_time_description = (
definitions.TIME_DESCRIPTION_LAST_VISITED)
elif msiecf_item.type == 'history-daily':
primary_date_time_description = (parser_mediator.ProduceExtractionWarning((
'unable to read written time from event record: {0:d} '
'with error: {1!s}').format(record_index, exception))
written_time = None
if written_time:
date_time = dfdatetime_posix_time.PosixTime(timestamp=written_time)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
if not creation_time and not written_time:
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_NOT_A_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)and other components, such as storage and dfvfs.
data (Optional[dict[str, object]]): bencode data values.
"""
seeding_time = data.get('seeding-time-seconds', None)
event_data = TransmissionEventData()
event_data.destination = data.get('destination', None)
# Convert seconds to minutes.
event_data.seedtime, _ = divmod(seeding_time, 60)
# Create timeline events based on extracted values.
timestamp = data.get('added-date', None)
if timestamp:
date_time = dfdatetime_posix_time.PosixTime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
timestamp = data.get('done-date', None)
if timestamp:
date_time = dfdatetime_posix_time.PosixTime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_FILE_DOWNLOADED)
parser_mediator.ProduceEventWithEventData(event, event_data)
timestamp = data.get('activity-date', None)
if timestamp:
date_time = dfdatetime_posix_time.PosixTime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_ACCESS)
parser_mediator.ProduceEventWithEventData(event, event_data)
def __init__(self, storage_type=definitions.STORAGE_TYPE_TASK):
"""Initializes a store.
Args:
storage_type (Optional[str]): storage type.
Raises:
ValueError: if the storage type is not supported.
"""
if storage_type != definitions.STORAGE_TYPE_TASK:
raise ValueError('Unsupported storage type: {0:s}.'.format(
storage_type))
super(GZIPStorageFile, self).__init__()
self._attribute_containers = {}
self._gzip_file = None
self._number_of_containers = 0Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
top_level (dict[str, object]): plist top-level key.
"""
for root, key, datetime_value in interface.RecurseKey(top_level):
if not isinstance(datetime_value, datetime.datetime):
continue
event_data = plist_event.PlistTimeEventData()
event_data.key = key
event_data.root = root
event = time_events.PythonDatetimeEvent(
datetime_value, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
timestamp = timestamp.strip()
try:
timestamp = int(timestamp, 10)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'unable to convert timestamp: {0:s}'.format(timestamp))
timestamp = None
if timestamp is None:
date_time = dfdatetime_semantic_time.SemanticTime('Invalid')
else:
date_time = dfdatetime_posix_time.PosixTime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_VISITED)
parser_mediator.ProduceEventWithEventData(event, event_data)
return Truevalues_dict = self._GetValuesFromKey(
registry_key, names_to_skip=['InstallDate'])
installation_time = None
registry_value = registry_key.GetValueByName('InstallDate')
if registry_value:
installation_time = registry_value.GetDataAsObject()
event_data = windows_events.WindowsRegistryEventData()
event_data.key_path = registry_key.path
event_data.values = ' '.join([
'{0:s}: {1!s}'.format(name, value)
for name, value in sorted(values_dict.items())]) or None
event = time_events.DateTimeValuesEvent(
registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
# TODO: if not present indicate anomaly of missing installation
# date and time.
if installation_time is not None:
event_data = WindowsRegistryInstallationEventData()
event_data.key_path = registry_key.path
registry_value = registry_key.GetValueByName('CurrentBuildNumber')
if registry_value:
event_data.build_number = registry_value.GetDataAsObject()
registry_value = registry_key.GetValueByName('RegisteredOwner')
if registry_value:
event_data.owner = registry_value.GetDataAsObject()plaso
Plaso (log2timeline) - Super timeline all the things
Package Health Score
81 / 100Popular plaso functions
- plaso.containers.events
- plaso.containers.events.EventData
- plaso.containers.sessions.Session
- plaso.containers.time_events
- plaso.containers.time_events.DateTimeValuesEvent
- plaso.engine.knowledge_base.KnowledgeBase
- plaso.formatters.interface
- plaso.formatters.interface.ConditionalEventFormatter
- plaso.formatters.manager
- plaso.formatters.manager.FormattersManager
- plaso.formatters.manager.FormattersManager.RegisterFormatter
- plaso.lib.definitions
- plaso.lib.errors
- plaso.lib.errors.BadConfigObject
- plaso.lib.errors.BadConfigOption
- plaso.lib.errors.ParseError
- plaso.lib.errors.UnableToParseFile
- plaso.lib.py2to3
- plaso.lib.timelib.Timestamp.CopyFromString
- plaso.parsers.manager.ParsersManager.RegisterParser