def testGetDate(self):
"""Tests the GetDate function."""
systemtime_object = systemtime.Systemtime(
system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142))
date_tuple = systemtime_object.GetDate()
self.assertEqual(date_tuple, (2010, 8, 12))
systemtime_object = systemtime.Systemtime()
date_tuple = systemtime_object.GetDate()
self.assertEqual(date_tuple, (None, None, None))
def testGetTimeOfDay(self):
"""Tests the GetTimeOfDay function."""
systemtime_object = systemtime.Systemtime(
system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142))
time_of_day_tuple = systemtime_object.GetTimeOfDay()
self.assertEqual(time_of_day_tuple, (20, 6, 31))
systemtime_object = systemtime.Systemtime()
time_of_day_tuple = systemtime_object.GetTimeOfDay()
self.assertEqual(time_of_day_tuple, (None, None, None))
def testCopyToDateTimeString(self):
"""Tests the CopyToDateTimeString function."""
systemtime_object = systemtime.Systemtime(
system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142))
date_time_string = systemtime_object.CopyToDateTimeString()
self.assertEqual(date_time_string, '2010-08-12 20:06:31.142')
systemtime_object = systemtime.Systemtime()
date_time_string = systemtime_object.CopyToDateTimeString()
self.assertIsNone(date_time_string)
def testGetNormalizedTimestamp(self):
"""Tests the _GetNormalizedTimestamp function."""
systemtime_object = systemtime.Systemtime(
system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142))
normalized_timestamp = systemtime_object._GetNormalizedTimestamp()
self.assertEqual(normalized_timestamp, decimal.Decimal('1281643591.142'))
systemtime_object = systemtime.Systemtime()
normalized_timestamp = systemtime_object._GetNormalizedTimestamp()
self.assertIsNone(normalized_timestamp)
def _ParseLastRunTime(self, parser_mediator, fixed_length_section):
"""Parses the last run time from a fixed-length data section.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
fixed_length_section (job_fixed_length_data_section): a Windows
Scheduled Task job fixed-length data section.
Returns:
dfdatetime.DateTimeValues: last run date and time or None if not
available.
"""
systemtime_struct = fixed_length_section.last_run_time
system_time_tuple = (systemtime_struct.year, systemtime_struct.month,
systemtime_struct.weekday,
systemtime_struct.day_of_month,
systemtime_struct.hours,
systemtime_struct.minutes,
systemtime_struct.seconds,
systemtime_struct.milliseconds)
date_time = None
if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE:
try:
date_time = dfdatetime_systemtime.Systemtime(
system_time_tuple=system_time_tuple)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid last run time: {0!s}'.format(system_time_tuple))
return date_time
def testCopyToDateTimeStringISO8601(self):
"""Tests the CopyToDateTimeStringISO8601 function."""
systemtime_object = systemtime.Systemtime(
system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142))
date_time_string = systemtime_object.CopyToDateTimeStringISO8601()
self.assertEqual(date_time_string, '2010-08-12T20:06:31.142+00:00')
def testGetPlasoTimestamp(self):
"""Tests the GetPlasoTimestamp function."""
systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8,
4, 12, 20,
6, 31,
142))
expected_micro_posix_number_of_seconds = 1281643591142000
micro_posix_number_of_seconds = systemtime_object.GetPlasoTimestamp()
self.assertEqual(micro_posix_number_of_seconds,
expected_micro_posix_number_of_seconds)
systemtime_object = systemtime.Systemtime()
micro_posix_number_of_seconds = systemtime_object.GetPlasoTimestamp()
self.assertIsNone(micro_posix_number_of_seconds)
def testCopyToStatTimeTuple(self):
"""Tests the CopyToStatTimeTuple function."""
systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8,
4, 12, 20,
6, 31,
142))
expected_stat_time_tuple = (1281643591, 1420000)
stat_time_tuple = systemtime_object.CopyToStatTimeTuple()
self.assertEqual(stat_time_tuple, expected_stat_time_tuple)
systemtime_object = systemtime.Systemtime()
expected_stat_time_tuple = (None, None)
stat_time_tuple = systemtime_object.CopyToStatTimeTuple()
self.assertEqual(stat_time_tuple, expected_stat_time_tuple)
def _ParseSystemTime(self, byte_stream):
"""Parses a SYSTEMTIME date and time value from a byte stream.
Args:
byte_stream (bytes): byte stream.
Returns:
dfdatetime.Systemtime: SYSTEMTIME date and time value or None if no
value is set.
Raises:
ParseError: if the SYSTEMTIME could not be parsed.
"""
systemtime_map = self._GetDataTypeMap('systemtime')
try:
systemtime = self._ReadStructureFromByteStream(
byte_stream, 0, systemtime_map)
except (ValueError, errors.ParseError) as exception:
raise errors.ParseError(
'Unable to parse SYSTEMTIME value with error: {0!s}'.format(
exception))
system_time_tuple = (systemtime.year, systemtime.month,
systemtime.weekday, systemtime.day_of_month,
systemtime.hours, systemtime.minutes,
systemtime.seconds, systemtime.milliseconds)
if system_time_tuple == self._EMPTY_SYSTEM_TIME_TUPLE:
return None
try:
return dfdatetime_systemtime.Systemtime(
system_time_tuple=system_time_tuple)
except ValueError:
raise errors.ParseError(
'Invalid SYSTEMTIME value: {0!s}'.format(system_time_tuple))
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows job file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): a file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
try:
header_struct = self._JOB_FIXED_LENGTH_SECTION_STRUCT.parse_stream(
file_object)
except (IOError, construct.FieldError) as exception:
raise errors.UnableToParseFile(
u'Unable to parse fixed-length section with error: {0:s}'.
format(exception))
if not header_struct.product_version in self._PRODUCT_VERSIONS:
raise errors.UnableToParseFile(
u'Unsupported product version in: 0x{0:04x}'.format(
header_struct.product_version))
if not header_struct.format_version == 1:
raise errors.UnableToParseFile(
u'Unsupported format version in: {0:d}'.format(
header_struct.format_version))
try:
job_variable_struct = self._JOB_VARIABLE_STRUCT.parse_stream(
file_object)
except (IOError, construct.FieldError) as exception:
raise errors.UnableToParseFile(
u'Unable to parse variable-length section with error: {0:s}'.
format(exception))
event_data = WinJobEventData()
event_data.application = binary.ReadUTF16(
job_variable_struct.application)
event_data.comment = binary.ReadUTF16(job_variable_struct.comment)
event_data.parameters = binary.ReadUTF16(job_variable_struct.parameter)
event_data.username = binary.ReadUTF16(job_variable_struct.username)
event_data.working_directory = binary.ReadUTF16(
job_variable_struct.working_directory)
systemtime_struct = header_struct.last_run_time
system_time_tuple = (systemtime_struct.year, systemtime_struct.month,
systemtime_struct.weekday, systemtime_struct.day,
systemtime_struct.hours,
systemtime_struct.minutes,
systemtime_struct.seconds,
systemtime_struct.milliseconds)
date_time = None
if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE:
try:
date_time = dfdatetime_systemtime.Systemtime(
system_time_tuple=system_time_tuple)
except ValueError:
parser_mediator.ProduceExtractionError(
u'invalid last run time: {0!s}'.format(system_time_tuple))
if date_time:
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_RUN)
parser_mediator.ProduceEventWithEventData(event, event_data)
for index in range(job_variable_struct.number_of_triggers):
try:
trigger_struct = self._TRIGGER_STRUCT.parse_stream(file_object)
except (IOError, construct.FieldError) as exception:
parser_mediator.ProduceExtractionError(
u'unable to parse trigger: {0:d} with error: {1:s}'.format(
index, exception))
return
event_data.trigger_type = trigger_struct.trigger_type
time_elements_tuple = (trigger_struct.start_year,
trigger_struct.start_month,
trigger_struct.start_day,
trigger_struct.start_hour,
trigger_struct.start_minute, 0)
if time_elements_tuple != (0, 0, 0, 0, 0, 0):
try:
date_time = dfdatetime_time_elements.TimeElements(
time_elements_tuple=time_elements_tuple)
date_time.is_local_time = True
date_time.precision = dfdatetime_definitions.PRECISION_1_MINUTE
except ValueError:
date_time = None
parser_mediator.ProduceExtractionError(
u'invalid trigger start time: {0!s}'.format(
time_elements_tuple))
if date_time:
event = time_events.DateTimeValuesEvent(
date_time,
u'Scheduled to start',
time_zone=parser_mediator.timezone)
parser_mediator.ProduceEventWithEventData(
event, event_data)
time_elements_tuple = (trigger_struct.end_year,
trigger_struct.end_month,
trigger_struct.end_day, 0, 0, 0)
if time_elements_tuple != (0, 0, 0, 0, 0, 0):
try:
date_time = dfdatetime_time_elements.TimeElements(
time_elements_tuple=time_elements_tuple)
date_time.is_local_time = True
date_time.precision = dfdatetime_definitions.PRECISION_1_DAY
except ValueError:
date_time = None
parser_mediator.ProduceExtractionError(
u'invalid trigger end time: {0!s}'.format(
time_elements_tuple))
if date_time:
event = time_events.DateTimeValuesEvent(
date_time,
u'Scheduled to end',
time_zone=parser_mediator.timezone)
parser_mediator.ProduceEventWithEventData(
event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
"""Extracts events from a Windows Registry key.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
"""
network_info = {}
signatures = registry_key.GetSubkeyByName('Signatures')
if signatures:
network_info = self._GetNetworkInfo(signatures)
profiles = registry_key.GetSubkeyByName('Profiles')
if not profiles:
return
for subkey in profiles.GetSubkeys():
default_gateway_mac, dns_suffix = network_info.get(
subkey.name, (None, None))
event_data = WindowsRegistryNetworkEventData()
event_data.default_gateway_mac = default_gateway_mac
event_data.dns_suffix = dns_suffix
ssid_value = subkey.GetValueByName('ProfileName')
if ssid_value:
event_data.ssid = ssid_value.GetDataAsObject()
description_value = subkey.GetValueByName('Description')
if description_value:
event_data.description = description_value.GetDataAsObject()
connection_type_value = subkey.GetValueByName('NameType')
if connection_type_value:
connection_type = connection_type_value.GetDataAsObject()
# TODO: move to formatter.
connection_type = self._CONNECTION_TYPE.get(
connection_type, 'unknown')
event_data.connection_type = connection_type
date_created_value = subkey.GetValueByName('DateCreated')
if date_created_value:
try:
systemtime_struct = self._SYSTEMTIME_STRUCT.parse(
date_created_value.data)
except construct.ConstructError as exception:
systemtime_struct = None
parser_mediator.ProduceExtractionError(
'unable to parse date created with error: {0!s}'.
format(exception))
system_time_tuple = self._EMPTY_SYSTEM_TIME_TUPLE
if systemtime_struct:
system_time_tuple = (systemtime_struct.year,
systemtime_struct.month,
systemtime_struct.day_of_week,
systemtime_struct.day_of_month,
systemtime_struct.hours,
systemtime_struct.minutes,
systemtime_struct.seconds,
systemtime_struct.milliseconds)
date_time = None
if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE:
try:
date_time = dfdatetime_systemtime.Systemtime(
system_time_tuple=system_time_tuple)
except ValueError:
parser_mediator.ProduceExtractionError(
'invalid system time: {0!s}'.format(
system_time_tuple))
if date_time:
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_CREATION)
parser_mediator.ProduceEventWithEventData(
event, event_data)
date_last_connected_value = subkey.GetValueByName(
'DateLastConnected')
if date_last_connected_value:
try:
systemtime_struct = self._SYSTEMTIME_STRUCT.parse(
date_last_connected_value.data)
except construct.ConstructError as exception:
systemtime_struct = None
parser_mediator.ProduceExtractionError(
'unable to parse date last connected with error: {0!s}'
.format(exception))
system_time_tuple = self._EMPTY_SYSTEM_TIME_TUPLE
if systemtime_struct:
system_time_tuple = (systemtime_struct.year,
systemtime_struct.month,
systemtime_struct.day_of_week,
systemtime_struct.day_of_month,
systemtime_struct.hours,
systemtime_struct.minutes,
systemtime_struct.seconds,
systemtime_struct.milliseconds)
date_time = None
if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE:
try:
date_time = dfdatetime_systemtime.Systemtime(
system_time_tuple=system_time_tuple)
except ValueError:
parser_mediator.ProduceExtractionError(
'invalid system time: {0!s}'.format(
system_time_tuple))
if date_time:
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_CONNECTED)
parser_mediator.ProduceEventWithEventData(
event, event_data)
def testCopyFromDateTimeString(self):
"""Tests the CopyFromDateTimeString function."""
systemtime_object = systemtime.Systemtime()
expected_number_of_seconds = 1281571200
systemtime_object.CopyFromDateTimeString('2010-08-12')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 0)
self.assertEqual(systemtime_object.minutes, 0)
self.assertEqual(systemtime_object.seconds, 0)
self.assertEqual(systemtime_object.milliseconds, 0)
expected_number_of_seconds = 1281647191
systemtime_object.CopyFromDateTimeString('2010-08-12 21:06:31')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 21)
self.assertEqual(systemtime_object.minutes, 6)
self.assertEqual(systemtime_object.seconds, 31)
self.assertEqual(systemtime_object.milliseconds, 0)
expected_number_of_seconds = 1281647191
systemtime_object.CopyFromDateTimeString('2010-08-12 21:06:31.546875')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 21)
self.assertEqual(systemtime_object.minutes, 6)
self.assertEqual(systemtime_object.seconds, 31)
self.assertEqual(systemtime_object.milliseconds, 546)
expected_number_of_seconds = 1281650791
systemtime_object.CopyFromDateTimeString(
'2010-08-12 21:06:31.546875-01:00')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 21)
self.assertEqual(systemtime_object.minutes, 6)
self.assertEqual(systemtime_object.seconds, 31)
self.assertEqual(systemtime_object.milliseconds, 546)
self.assertEqual(systemtime_object.time_zone_offset, -60)
expected_number_of_seconds = 1281643591
systemtime_object.CopyFromDateTimeString(
'2010-08-12 21:06:31.546875+01:00')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 21)
self.assertEqual(systemtime_object.minutes, 6)
self.assertEqual(systemtime_object.seconds, 31)
self.assertEqual(systemtime_object.milliseconds, 546)
self.assertEqual(systemtime_object.time_zone_offset, 60)
expected_number_of_seconds = -11644387200
systemtime_object.CopyFromDateTimeString('1601-01-02 00:00:00')
self.assertEqual(systemtime_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(systemtime_object.year, 1601)
self.assertEqual(systemtime_object.month, 1)
self.assertEqual(systemtime_object.day_of_month, 2)
self.assertEqual(systemtime_object.hours, 0)
self.assertEqual(systemtime_object.minutes, 0)
self.assertEqual(systemtime_object.seconds, 0)
self.assertEqual(systemtime_object.milliseconds, 0)
with self.assertRaises(ValueError):
systemtime_object.CopyFromDateTimeString('1600-01-02 00:00:00')
def testInitialize(self):
"""Tests the initialization function."""
systemtime_object = systemtime.Systemtime()
self.assertIsNotNone(systemtime_object)
systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8,
4, 12, 20,
6, 31,
142))
self.assertIsNotNone(systemtime_object)
self.assertEqual(systemtime_object.year, 2010)
self.assertEqual(systemtime_object.month, 8)
self.assertEqual(systemtime_object.day_of_month, 12)
self.assertEqual(systemtime_object.hours, 20)
self.assertEqual(systemtime_object.minutes, 6)
self.assertEqual(systemtime_object.seconds, 31)
self.assertEqual(systemtime_object.milliseconds, 142)
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6,
31))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(1500, 8, 4, 12, 20, 6, 31,
142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 13, 4, 12, 20, 6,
31, 142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 7, 12, 20, 6, 31,
142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 32, 20, 6, 31,
142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 24, 6, 31,
142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 61,
31, 142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 61,
142))
with self.assertRaises(ValueError):
systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31,
1001))
