def _ParseFilterOptions(self, options):
"""Parses the filter options.
Args:
options: the command line arguments (instance of argparse.Namespace).
Raises:
BadConfigOption: if the options are invalid.
"""
self._filter_expression = getattr(options, u'filter', None)
if self._filter_expression:
self._filter_object = filters.GetFilter(self._filter_expression)
if not self._filter_object:
raise errors.BadConfigOption(
u'Invalid filter expression: {0:s}'.format(
self._filter_expression))
self._time_slice_event_time_string = getattr(options, u'slice', None)
self._time_slice_duration = getattr(options, u'slice_size', 5)
self._use_time_slicer = getattr(options, u'slicer', False)
self._front_end.SetFilter(self._filter_object, self._filter_expression)
# The slice and slicer cannot be set at the same time.
if self._time_slice_event_time_string and self._use_time_slicer:
raise errors.BadConfigOption(
u'Time slice and slicer cannot be used at the same time.')
def _ParseTaggingFile(self, input_path):
"""Parses tagging input file.
Parses a tagging input file and returns a dictionary of tags, where each
key represents a tag and each entry is a list of plaso filters.
Args:
input_path: filesystem path to the tagging input file.
Returns:
A dictionary whose keys are tags and values are EventObjectFilter objects.
"""
with open(input_path, 'rb') as tag_input_file:
tags = {}
current_tag = u''
for line in tag_input_file:
line_rstrip = line.rstrip()
line_strip = line_rstrip.lstrip()
if not line_strip or line_strip.startswith(u'#'):
continue
if not line_rstrip[0].isspace():
current_tag = line_rstrip
tags[current_tag] = []
else:
if not current_tag:
continue
compiled_filter = filters.GetFilter(line_strip)
if compiled_filter:
if compiled_filter not in tags[current_tag]:
tags[current_tag].append(compiled_filter)
else:
logging.warning(
u'Tag "{0:s}" contains invalid filter: {1:s}'.
format(current_tag, line_strip))
return tags
def ParseOptions(self, options):
"""Parses the options and initializes the front-end.
Args:
options: the command line arguments (instance of argparse.Namespace).
Raises:
BadConfigOption: if the options are invalid.
"""
super(PsortFrontend, self).ParseOptions(options)
self._output_format = getattr(options, u'output_format', None)
if not self._output_format:
raise errors.BadConfigOption(u'Missing output format.')
if not output_manager.OutputManager.HasOutputClass(self._output_format):
raise errors.BadConfigOption(
u'Unsupported output format: {0:s}.'.format(self._output_format))
self._output_filename = getattr(options, u'write', None)
self._filter_expression = getattr(options, u'filter', None)
if self._filter_expression:
self._filter_object = filters.GetFilter(self._filter_expression)
if not self._filter_object:
raise errors.BadConfigOption(
u'Invalid filter expression: {0:s}'.format(self._filter_expression))
# Check to see if we need to create a circular buffer.
if getattr(options, u'slicer', None):
self._slice_size = getattr(options, u'slice_size', 5)
self._filter_buffer = bufferlib.CircularBuffer(self._slice_size)
self._preferred_language = getattr(options, u'preferred_language', u'en-US')
def __init__(self, pre_obj, incoming_queue, outgoing_queue):
"""Constructor for the browser history plugin."""
super(AnalyzeBrowserSearchPlugin,
self).__init__(pre_obj, incoming_queue, outgoing_queue)
self._filter_dict = {}
self._counter = collections.Counter()
for filter_str, call_back in self.FILTERS:
filter_obj = filters.GetFilter(filter_str)
call_back_obj = getattr(FilterClass, call_back, None)
if filter_obj and call_back_obj:
self._filter_dict[filter_obj] = (call_back, call_back_obj)
def __init__(self, incoming_queue):
"""Initializes the browser search analysis plugin.
Args:
incoming_queue: A queue that is used to listen to incoming events.
"""
super(BrowserSearchPlugin, self).__init__(incoming_queue)
self._filter_dict = {}
self._counter = collections.Counter()
# Store a list of search terms in a timeline format.
# The format is key = timestamp, value = (source, engine, search term).
self._search_term_timeline = []
for filter_str, call_back in self.FILTERS:
filter_obj = filters.GetFilter(filter_str)
call_back_obj = getattr(FilterClass, call_back, None)
if filter_obj and call_back_obj:
self._filter_dict[filter_obj] = (call_back, call_back_obj)
def ParseOptions(self, options):
"""Parses the options and initializes the front-end.
Args:
options: the command line arguments (instance of argparse.Namespace).
Raises:
BadConfigOption: if the options are invalid.
"""
super(PsortFrontend, self).ParseOptions(options)
output_format = getattr(options, 'output_format', None)
if not output_format:
raise errors.BadConfigOption(u'Missing output format.')
self._output_module_class = output_lib.GetOutputFormatter(
output_format)
if not self._output_module_class:
raise errors.BadConfigOption(
u'Invalid output format: {0:s}.'.format(output_format))
self._output_stream = getattr(options, 'write', None)
if not self._output_stream:
self._output_stream = sys.stdout
self._filter_expression = getattr(options, 'filter', None)
if self._filter_expression:
self._filter_object = filters.GetFilter(self._filter_expression)
if not self._filter_object:
raise errors.BadConfigOption(
u'Invalid filter expression: {0:s}'.format(
self._filter_expression))
# Check to see if we need to create a circular buffer.
if getattr(options, 'slicer', None):
self._slice_size = getattr(options, 'slice_size', 5)
self._filter_buffer = bufferlib.CircularBuffer(
self._slice_size)
def Main():
"""Run the tool."""
arg_parser = argparse.ArgumentParser(description=(
'plaso_extract_search_history is a simple script that reads the '
'content of a plaso storage file and tries to extract known search '
'engine history from it'))
arg_parser.add_argument('-w',
'--write',
metavar='FILENAME',
action='store',
dest='output_file',
default='',
help='Write results to a file.')
arg_parser.add_argument('filename',
action='store',
metavar='STORAGE_FILE',
help=('The path to the plaso storage file.'))
options = arg_parser.parse_args()
preferred_encoding = locale.getpreferredencoding()
if preferred_encoding.lower() == 'ascii':
preferred_encoding = 'utf-8'
if not os.path.isfile(options.filename):
raise RuntimeError(u'File {} does not exist'.format(options.filename))
results = {}
result_count = {}
output_filehandle = output.OutputFilehandle(preferred_encoding)
if options.output_file:
output_filehandle.Open(path=options.output_file)
else:
output_filehandle.Open(sys.stdout)
# Build filters.
filter_dict = {}
for filter_str, call_back in FILTERS:
filter_obj = filters.GetFilter(filter_str)
call_back_obj = getattr(FilterClass, call_back, None)
results[call_back] = []
if filter_obj and call_back_obj:
filter_dict[filter_obj] = (call_back, call_back_obj)
with storage.StorageFile(options.filename, read_only=True) as store:
event_object = store.GetSortedEntry()
while event_object:
for filter_obj, call_backs in filter_dict.items():
call_back_name, call_back_object = call_backs
if filter_obj.Match(event_object):
url_attribute = getattr(event_object, 'url', None)
if not url_attribute:
continue
ret_line = ScrubLine(call_back_object(url_attribute))
if not ret_line:
continue
if ret_line in results[call_back_name]:
result_count[u'{}:{}'.format(call_back_name,
ret_line)] += 1
else:
results[call_back_name].append(ret_line)
result_count[u'{}:{}'.format(call_back_name,
ret_line)] = 1
event_object = store.GetSortedEntry()
for engine_name, result_list in results.items():
results_with_count = []
for result in result_list:
results_with_count.append(
(result_count[u'{}:{}'.format(engine_name, result)], result))
header = u' == ENGINE: {0:s} ==\n'.format(engine_name)
output_filehandle.WriteLine(header)
for count, result in sorted(results_with_count, reverse=True):
line = u'{} {}\n'.format(count, result)
output_filehandle.WriteLine(line)
output_filehandle.WriteLine('\n')