winspsrc package

Submodules

winspsrc.data_format module

Binary data format.

class winspsrc.data_format.BinaryDataFile[source]

Bases: object

Binary data file.

Close()[source]

Closes a binary data file.

Raises:

  • IOError – if the file is not opened.

  • OSError – if the file is not opened.

Open(file_object)[source]

Opens a binary data file.

Parameters:

file_object (file) – file-like object.

Raises:

  • IOError – if the file is already opened.

  • OSError – if the file is already opened.

classmethod ReadDefinitionFile(filename)[source]

Reads a dtFabric definition file.

Parameters:

filename (str) – name of the dtFabric definition file.

Returns:

data type fabric which contains the data format

data type maps of the data type definition, such as a structure, that can be mapped onto binary data or None if no filename is provided.

Return type:

dtfabric.DataTypeFabric

abstract ReadFileObject(file_object)[source]

Reads binary data from a file-like object.

Parameters:

file_object (file) – file-like object.

__init__()[source]

Initializes a binary data file.

winspsrc.data_range module

Data range file-like object.

class winspsrc.data_range.DataRange(file_object, data_offset=0, data_size=0)[source]

Bases: object

In-file data range file-like object.

data_offset

offset of the data.

Type:

int

data_size

size of the data.

Type:

int

__init__(file_object, data_offset=0, data_size=0)[source]

Initializes a file-like object.

Parameters:

  • file_object (file) – parent file-like object.

  • data_offset (Optional[int]) – offset of the data.

  • data_size (Optional[int]) – size of the data.

get_offset()[source]

Retrieves the current offset into the file-like object.

Returns:

offset.

Return type:

int

get_size()[source]

Retrieves the size of the file-like object.

Returns:

size.

Return type:

int

read(size=None)[source]

Reads a byte string from the file-like object at the current offset.

The function will read a byte string of the specified size or all of the remaining data if no size was specified.

Parameters:

size (Optional[int]) – number of bytes to read, where None represents all remaining data.

Returns:

data read.

Return type:

bytes

Raises:

  • IOError – if the read failed.

  • OSError – if the read failed.

seek(offset, whence=0)[source]

Seeks an offset within the file-like object.

Parameters:

  • offset (int) – offset to seek.

  • whence (Optional[int]) – indicates whether offset is an absolute or relative position within the file.

Raises:

  • IOError – if the seek failed.

  • OSError – if the seek failed.

seekable()[source]

Determines if a file-like object is seekable.

Returns:

True if seekable.

Return type:

bool

tell()[source]

Retrieves the current offset into the file-like object.

Returns:

offset.

Return type:

int

winspsrc.errors module

Errors.

exception winspsrc.errors.ParseError[source]

Bases: Exception

Error that is raised when data cannot be parsed.

winspsrc.extractor module

Windows serialized property extractor.

class winspsrc.extractor.SerializedProperty[source]

Bases: object

Windows serialized property.

format_identifier

format class (or property set) identifier.

Type:

str

property_identifier

identifier of the property within the format class (or property set).

Type:

str

origin

path of the file from which the property originates.

Type:

str

value_type

value type used by the property.

Type:

int

__init__()[source]

Initializes a Windows serialized property.

property lookup_key

lookup key.

Type:

str

class winspsrc.extractor.SerializedPropertyExtractor(*args: Any, **kwargs: Any)[source]

Bases: WindowsVolumeScanner

Windows serialized property extractor.

ascii_codepage

ASCII string codepage.

Type:

str

preferred_language_identifier

preferred language identifier (LCID).

Type:

int

CollectSerializedProperies()[source]

Retrieves serialized properties.

Yields:

SerializedProperty – serialized property.

ScanForWindowsVolume(source_path, options=None)[source]

Scans for a Windows volume.

Parameters:

  • source_path (str) – source path.

  • options (Optional[VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class.

Returns:

True if a Windows volume was found.

Return type:

bool

Raises:

ScannerError – if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported.

__init__(debug=False, mediator=None)[source]

Initializes a Windows serialized property extractor.

Parameters:

  • debug (Optional[bool]) – True if debug information should be printed.

  • mediator (dfvfs.VolumeScannerMediator) – a volume scanner mediator or None.

property windows_version

The Windows version (getter).

winspsrc.jump_list module

Windows Jump List files: * .automaticDestinations-ms * .customDestinations-ms

class winspsrc.jump_list.AutomaticDestinationsFile[source]

Bases: BinaryDataFile

Automatic Destinations Jump List (.automaticDestinations-ms) file.

Close()[source]

Closes an Automatic Destinations Jump List file.

Raises:

  • IOError – if the file is not opened.

  • OSError – if the file is not opened.

GetJumpListEntries()[source]

Retrieves jump list entries.

Yields:

JumpListEntry – a jump list entry.

ReadFileObject(file_object)[source]

Reads an Automatic Destinations Jump List file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes an Automatic Destinations Jump List file.

class winspsrc.jump_list.CustomDestinationsFile[source]

Bases: BinaryDataFile

Custom Destinations Jump List (.customDestinations-ms) file.

GetJumpListEntries()[source]

Retrieves jump list entries.

Yields:

JumpListEntry – a jump list entry.

Raises:

ParseError – if the jump list entries cannot be read.

ReadFileObject(file_object)[source]

Reads a Custom Destinations Jump List file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

ParseError – if the file cannot be read.

__init__()[source]

Initializes a Custom Destinations Jump List file.

class winspsrc.jump_list.JumpListEntry(identifier, file_object)[source]

Bases: object

Jump list entry.

identifier

identifier.

Type:

str

lnk_file

LNK file.

Type:

pylnk.file

__del__()[source]

Destroy the jump list entry.

__init__(identifier, file_object)[source]

Initializes the jump list entry.

Parameters:

  • identifier (str) – identifier.

  • file_object (file) – file-like object that contains the LNK file entry data.

winspsrc.resource_file module

Windows Resource file.

class winspsrc.resource_file.WindowsResourceFile(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]

Bases: object

Windows Resource file.

windows_path

Windows path of the resource file.

Type:

str

Close()[source]

Closes the Windows Resource file.

Raises:

  • IOError – if not open.

  • OSError – if not open.

OpenFileObject(file_object)[source]

Opens the Windows Resource file using a file-like object.

Parameters:

file_object (file) – file-like object.

Raises:

  • IOError – if already open.

  • OSError – if already open.

__init__(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]

Initializes the Windows Resource file.

Parameters:

  • windows_path (str) – normalized version of the Windows path.

  • ascii_codepage (Optional[str]) – ASCII string codepage.

  • preferred_language_identifier (Optional[int]) – preferred language identifier (LCID).

property file_version

the file version.

Type:

str

property product_version

the product version.

Type:

str

winspsrc.resources module

Windows serialized property resources.

class winspsrc.resources.SerializedPropertyDefinition[source]

Bases: object

Windows serialized property definition.

aliases

aliases that identify the property.

Type:

set[str]

format_class

name of the format class (or property set).

Type:

str

format_identifier

identifier of the format class (or property set).

Type:

str

names

names that identify the property.

Type:

set[str]

property_identifier

identifier of the property within the format class (or property set).

Type:

int|str

shell_property_keys

keys that identify the property.

Type:

set[str]

value_types

value types used by the property.

Type:

set[str]

Merge(other)[source]

Merges the values of another property definition into the current one.

Parameters:

other (SerializedPropertyDefinition) – property definition to merge values from.

__init__()[source]

Initializes a Windows serialized property definition.

property lookup_key

lookup key.

Type:

str

winspsrc.yaml_definitions_file module

YAML-based properties definitions file.

class winspsrc.yaml_definitions_file.YAMLPropertiesDefinitionsFile[source]

Bases: object

YAML-based properties definitions file.

A YAML-based properties definitions file contains one or more property definitions. A property definition consists of:

format_identifier: 00000000-0000-0000-0000-000000000000 name: System.Null property_identifier: 0 shell_property_key: PKEY_Null value_type: VT_NULL

Where: * alias, defines one or more aliases that identify the property; * format_class, name of the format class (or property set); * format_identifier, identifier of the format class (or property set); * name, defines one or more names that identify the property; * property_identifier, defines he property within the format class (or

property set).

  • shell_property_key, defines one or more shell properties key that identify

    the property;

  • value_type, defines one or more value types used by the property.

ReadFromFile(path)[source]

Reads the event formatters from a YAML file.

Parameters:

path (str) – path to a formatters file.

Yields:

SerializedPropertyDefinition – property definition.

Module contents

Windows Serialized Property Store (SPS) resources (winspsrc).