esedbrc package

Submodules

esedbrc.definitions module

Definitions.

esedbrc.file_entry_lister module

Volume scanner for ESE databases.

class esedbrc.file_entry_lister.ESEDatabaseFileEntryLister(*args: Any, **kwargs: Any)[source]

Bases: FileEntryLister

ESE database file entry lister.

ListDatabaseFileEntries(base_path_specs)[source]

Lists file entries that contain an ESE database.

Parameters:: base_path_specs (list[dfvfs.PathSpec]) – source path specifications.
Yields:: tuple[dfvfs.FileEntry, list[str]] – file entry and path segments.

__init__(mediator=None)[source]

Initializes an ESE database file entry lister.

Parameters:: mediator (Optional[dfvfs.VolumeScannerMediator]) – a volume scanner mediator.

esedbrc.resources module

ESE database resources.

class esedbrc.resources.DatabaseDefinition[source]

Bases: object

Database definition.

artifact_definition

name of the corresponding Digital Forensics Artifact definition.

Type:: str

database_identifier

identifier of the database type.

Type:: str

__init__()[source]: Initializes a database definition.

class esedbrc.resources.EseColumnDefinition(column_identifier, column_name, column_type)[source]

Bases: object

ESE database column definition.

identifier

column identifier.

Type:: str

name

column name.

Type:: str

type

column type.

Type:: str

CopyToDict()[source]

Copies the ESE database column definition to a dictionary.

Returns:

dictionary containing the ESE database column: definition.

Return type:

dict[str, object]

__init__(column_identifier, column_name, column_type)[source]

Initializes an ESE database column definition.

Parameters:

column_identifier (int) – column identifier.
column_name (str) – column name.
column_type (int) – column type.

class esedbrc.resources.EseTableDefinition(table_name, template_table_name)[source]

Bases: object

ESE database table definition.

aliases

table name aliases.

Type:: list[str]

column_definitions

column definitions.

Type:: list[EseColumnDefinition]

name

table name.

Type:: str

template_table_name

template table name.

Type:: str

AddColumnDefinition(column_identifier, column_name, column_type)[source]

Adds a column.

Parameters:

column_identifier (int) – column identifier.
column_name (str) – column name.
column_type (int) – column type.

GetCommonName()[source]

Determines the common name.

Returns:: common name or None if no common could be determined.
Return type:: str

__init__(table_name, template_table_name)[source]

Initializes an ESE database table definition.

Parameters:

table_name (str) – table name.
template_table_name (str) – template table name.

esedbrc.schema_extractor module

ESE database schema extractor.

class esedbrc.schema_extractor.EseDbSchemaExtractor(artifact_definitions, mediator=None)[source]

Bases: object

ESE database schema extractor.

ExtractSchemas(path, options=None)[source]

Extracts database schemas from the path.

Parameters:

path (str) – path of a ESE database file or storage media image containing ESE database files.
options (Optional[dfvfs.VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the dfVFS VolumeScannerOptions class.

Yields:

tuple[str, dict[str, str]] –

known database type identifier or the name of: the ESE database file if not known and schema.

FormatSchema(schema, output_format)[source]

Formats a schema into a word-wrapped string.

Parameters:

schema (dict[str, str]) – schema as an SQL query per table name.
output_format (str) – output format.

Returns:

formatted schema.

Return type:

str

Raises:

RuntimeError – if a query could not be parsed.

GetDisplayPath(path_segments, data_stream_name=None)[source]

Retrieves a path to display.

Parameters:

path_segments (list[str]) – path segments of the full path of the file entry.
data_stream_name (Optional[str]) – name of the data stream.

Returns:

path to display.

Return type:

str

__init__(artifact_definitions, mediator=None)[source]

Initializes a ESE database file schema extractor.

Parameters:

artifact_definitions (str) – path to a single artifact definitions YAML file or a directory of definitions YAML files.
mediator (Optional[dfvfs.VolumeScannerMediator]) – a volume scanner mediator.

esedbrc.yaml_definitions_file module

YAML-based database definitions file.

class esedbrc.yaml_definitions_file.YAMLDatabaseDefinitionsFile[source]

Bases: object

YAML-based database definitions file.

A YAML-based database definitions file contains one or more database definitions. A database definition consists of:

artifact_definition: SafariCacheSQLiteDatabaseFile database_identifier: safari:cache.db

Where: * artifact_definition, name of the corresponding Digital Forensics Artifact

definition.

database_identifier, identifier of the database type.

ReadFromFile(path)[source]

Reads the event formatters from a YAML file.

Parameters:: path (str) – path to a formatters file.
Yields:: DatabaseDefinition – database definition.

Module contents

Extensible Storage Engine (ESE) Database resources (esedbrc).