def setUp(self):
"""Sets up the needed objects used throughout the test."""
mac_pre_obj = event.PreprocessObject()
mac_pre_obj.guessed_os = 'MacOSX'
self._parser_macbsm = bsm.BsmParser(mac_pre_obj, None)
openbsm_pre_obj = event.PreprocessObject()
openbsm_pre_obj.guessed_os = 'openbsm'
self._parser_openbsm = bsm.BsmParser(openbsm_pre_obj, None)
def _PreprocessSource(self, source_path_specs, source_type):
"""Preprocesses the source.
Args:
source_path_specs: list of path specifications (instances of
dfvfs.PathSpec) to process.
source_type: the dfVFS source type definition.
Returns:
The preprocessing object (instance of PreprocessObject).
"""
pre_obj = None
if self._use_old_preprocess and os.path.isfile(self._storage_file_path):
# Check if the storage file contains a preprocessing object.
try:
with storage.StorageFile(
self._storage_file_path, read_only=True) as storage_file:
storage_information = storage_file.GetStorageInformation()
if storage_information:
logging.info(u'Using preprocessing information from a prior run.')
pre_obj = storage_information[-1]
self._enable_preprocessing = False
except IOError:
logging.warning(u'Storage file does not exist, running preprocess.')
logging.debug(u'Starting preprocessing.')
# TODO: move source_scanner.SourceScannerContext.SOURCE_TYPE_
# to definitions.SOURCE_TYPE_.
if (self._enable_preprocessing and source_type in [
source_scanner.SourceScannerContext.SOURCE_TYPE_DIRECTORY,
source_scanner.SourceScannerContext.SOURCE_TYPE_STORAGE_MEDIA_DEVICE,
source_scanner.SourceScannerContext.SOURCE_TYPE_STORAGE_MEDIA_IMAGE]):
try:
self._engine.PreprocessSource(
source_path_specs, self._operating_system,
resolver_context=self._resolver_context)
except IOError as exception:
logging.error(u'Unable to preprocess with error: {0:s}'.format(
exception))
return event.PreprocessObject()
logging.debug(u'Preprocessing done.')
# TODO: Remove the need for direct access to the pre_obj in favor
# of the knowledge base.
pre_obj = getattr(self._engine.knowledge_base, u'_pre_obj', None)
if not pre_obj:
pre_obj = event.PreprocessObject()
return pre_obj
def _ConvertDictToPreprocessObject(self, json_dict):
"""Converts a JSON dict into a preprocessing object.
The dictionary of the JSON serialized objects consists of:
{
'__type__': 'PreprocessObject'
'collection_information': { ... }
'counter': { ... }
'plugin_counter': { ... }
'store_range': { ... }
'stores': { ... }
'zone': { ... }
...
}
Here '__type__' indicates the object base type. In this case this should
be 'PreprocessObject'. The rest of the elements of the dictionary make up
the preprocessing object properties.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
A preprocessing object (instance of PreprocessObject).
"""
preprocessing_object = event.PreprocessObject()
for key, value in iter(json_dict.items()):
setattr(preprocessing_object, key, value)
return preprocessing_object
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
preprocess_object = event.PreprocessObject()
preprocess_object.collection_information = {
u'cmd_line': (
u'/usr/bin/log2timeline.py pinfo_test.out tsk_volume_system.raw'),
u'configured_zone': pytz.UTC,
u'debug': False,
u'file_processed': u'/tmp/tsk_volume_system.raw',
u'image_offset': 180224,
u'method': u'imaged processed',
u'os_detected': u'N/A',
u'output_file': u'pinfo_test.out',
u'parser_selection': u'(no list set)',
u'parsers': self._parsers,
u'preferred_encoding': u'utf-8',
u'preprocess': True,
u'protobuf_size': 0,
u'recursive': False,
u'runtime': u'multi process mode',
u'time_of_run': 1430290411000000,
u'version': u'1.2.1_20150424',
u'vss parsing': False,
u'workers': 0
}
preprocess_object.counter = self._counter
preprocess_object.guessed_os = u'None'
preprocess_object.plugin_counter = self._plugin_counter
preprocess_object.store_range = (1, 1)
preprocess_object.stores = self._stores
preprocess_object.zone = pytz.UTC
self._TestWriteSerialized(
self._serializer, preprocess_object, self._json_dict)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
pre_obj = event.PreprocessObject()
registry_cache = cache.WinRegistryCache()
registry_cache.attributes['current_control_set'] = 'ControlSet001'
self._plugin = lfu.BootExecutePlugin(pre_obj=pre_obj,
reg_cache=registry_cache)
def testStorageWriter(self):
"""Test the storage writer."""
event_objects = test_lib.CreateTestEventObjects()
session_start = sessions.SessionStart()
preprocessing_object = event.PreprocessObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_writer = zip_file.ZIPStorageFileWriter(
temp_file, preprocessing_object)
storage_writer.Open()
storage_writer.WriteSessionStart(session_start)
for event_object in event_objects:
storage_writer.AddEvent(event_object)
storage_writer.WriteSessionCompletion()
storage_writer.Close()
storage_file = zipfile.ZipFile(
temp_file, mode='r', compression=zipfile.ZIP_DEFLATED)
expected_filename_list = sorted([
u'event_data.000001',
u'event_index.000001',
u'event_timestamps.000001',
u'information.dump',
u'metadata.txt',
u'session_completion.000001',
u'session_start.000001'])
filename_list = sorted(storage_file.namelist())
self.assertEqual(len(filename_list), 7)
self.assertEqual(filename_list, expected_filename_list)
def ParseFile(file_entry):
"""Parse a file given a file entry and yield results."""
if not file_entry:
return
# Create the necessary items.
proc_queue = queue.SingleThreadedQueue()
storage_queue = queue.SingleThreadedQueue()
storage_queue_producer = queue.EventObjectQueueProducer(storage_queue)
pre_obj = event.PreprocessObject()
all_parsers = putils.FindAllParsers(pre_obj)
# Create a worker.
worker_object = worker.EventExtractionWorker(
'my_worker', proc_queue, storage_queue_producer, pre_obj, all_parsers)
# Parse the file.
worker_object.ParseFile(file_entry)
storage_queue.SignalEndOfInput()
proc_queue.SignalEndOfInput()
while True:
try:
item = storage_queue.PopItem()
except errors.QueueEmpty:
break
if isinstance(item, queue.QueueEndOfInput):
break
yield item
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = macosx.MacOSXBuild(pre_obj)
plugin.Run(self._searcher)
build = getattr(pre_obj, 'build', None)
self.assertEquals(build, u'10.9.2')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = macosx.MacOSXTimeZone(pre_obj)
plugin.Run(self._searcher)
time_zone_str = getattr(pre_obj, 'time_zone_str', None)
self.assertEquals(time_zone_str, u'Europe/Amsterdam')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = macosx.MacOSXKeyboard(pre_obj)
plugin.Run(self._searcher)
keyboard_layout = getattr(pre_obj, 'keyboard_layout', None)
self.assertEquals(keyboard_layout, u'US')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = macosx.MacOSXHostname(pre_obj)
plugin.Run(self._searcher)
hostname = getattr(pre_obj, 'hostname', None)
self.assertEquals(hostname, u'Plaso\'s Mac mini')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = windows.WindowsSystemRootPath(pre_obj)
plugin.Run(self._searcher)
path = getattr(pre_obj, 'systemroot', None)
self.assertEquals(path, u'/Windows/System32')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = linux.LinuxHostname(pre_obj)
plugin.Run(self._searcher)
hostname = getattr(pre_obj, 'hostname', None)
self.assertEquals(hostname, u'plaso.kiddaland.net')
def __init__(self, output_mediator):
"""Initializes the output module object.
Args:
output_mediator: The output mediator object (instance of OutputMediator).
"""
super(PlasoStorageOutputModule, self).__init__(output_mediator)
self._file_path = None
self._preprocessing_object = event.PreprocessObject()
self._storage_file = None
def Start(self):
"""Sets up the output storage file."""
pre_obj = event.PreprocessObject()
pre_obj.collection_information = {}
pre_obj.collection_information['time_of_run'] = timelib.Timestamp.GetNow()
if hasattr(self._config, 'filter') and self._config.filter:
pre_obj.collection_information['filter'] = self._config.filter
if hasattr(self._config, 'storagefile') and self._config.storagefile:
pre_obj.collection_information[
'file_processed'] = self._config.storagefile
self._storage = storage.StorageFile(self.filehandle, pre_obj=pre_obj)
def testWritePreprocessObject(self):
"""Tests the WritePreprocessObject function."""
preprocessing_object = event.PreprocessObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.StorageFile(temp_file)
storage_file.WritePreprocessObject(preprocessing_object)
storage_file.Close()
def __init__(self):
"""Initialize the knowledge base object."""
super(KnowledgeBase, self).__init__()
# TODO: the first versions of the knowledge base will wrap the pre-process
# object, but this should be replaced by an artifact style knowledge base
# or artifact cache.
self._pre_obj = event.PreprocessObject()
self._default_codepage = u'cp1252'
self._default_timezone = pytz.timezone(u'UTC')
def Open(self):
"""Opens the plaso storage file."""
pre_obj = event.PreprocessObject()
pre_obj.collection_information = {
'time_of_run': timelib.Timestamp.GetNow()
}
if hasattr(self._config, 'filter') and self._config.filter:
pre_obj.collection_information['filter'] = self._config.filter
if hasattr(self._config, 'storagefile') and self._config.storagefile:
pre_obj.collection_information[
'file_processed'] = self._config.storagefile
self._storage = storage.StorageFile(self.filehandle, pre_obj=pre_obj)
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
preprocess_object = event.PreprocessObject()
preprocess_object.collection_information = self._collection_information
preprocess_object.counter = self._counter
preprocess_object.guessed_os = u'None'
preprocess_object.plugin_counter = self._plugin_counter
preprocess_object.store_range = (1, 1)
preprocess_object.zone = pytz.UTC
self._TestWriteSerialized(self._serializer, preprocess_object,
self._proto_string)
def testSeparator(self):
"""Test the separator detection."""
pre_obj = event.PreprocessObject()
analysis_plugin = chrome_extension.AnalyzeChromeExtensionPlugin(
pre_obj, None, None)
analysis_plugin._sep = u'/'
for path in self.MAC_PATHS:
self.assertEquals(analysis_plugin._GetSeparator(path), u'/')
analysis_plugin._sep = u'\\'
for path in self.WIN_PATHS:
self.assertEquals(analysis_plugin._GetSeparator(path), u'\\')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsProgramFilesPath(pre_obj)
plugin.Run(self._searcher)
path = getattr(pre_obj, 'programfiles', None)
self.assertEquals(path, u'Program Files')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsHostname(pre_obj)
plugin.Run(self._searcher)
hostname = getattr(pre_obj, 'hostname', None)
self.assertEquals(hostname, u'WKS-WIN732BITA')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsCodepage(pre_obj)
plugin.Run(self._searcher)
codepage = getattr(pre_obj, 'code_page', None)
self.assertEquals(codepage, u'cp1252')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsVersion(pre_obj)
plugin.Run(self._searcher)
version = getattr(pre_obj, 'osversion', None)
self.assertEquals(version, u'Windows 7 Ultimate')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsTimeZone(pre_obj)
plugin.Run(self._searcher)
timezone = getattr(pre_obj, 'time_zone_str', None)
self.assertEquals(timezone, u'EST5EDT')
def Open(self):
"""Opens the plaso storage file."""
pre_obj = event.PreprocessObject()
pre_obj.collection_information = {
u'time_of_run': timelib.Timestamp.GetNow()}
filter_expression = self._output_mediator.filter_expression
if filter_expression:
pre_obj.collection_information[u'filter'] = filter_expression
storage_file_path = self._output_mediator.storage_file_path
if storage_file_path:
pre_obj.collection_information[u'file_processed'] = storage_file_path
self._storage = storage.StorageFile(self._file_object, pre_obj=pre_obj)
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
plugin = linux.LinuxUsernames(pre_obj)
plugin.Run(self._searcher)
users = getattr(pre_obj, 'users', None)
self.assertEquals(len(users), 13)
self.assertEquals(users[11].get('uid', None), u'14')
self.assertEquals(users[11].get('gid', None), u'50')
self.assertEquals(users[11].get('name', None), u'ftp')
self.assertEquals(users[11].get('path', None), u'/var/ftp')
self.assertEquals(users[11].get('shell', None), u'/sbin/nologin')
def testGetValue(self):
"""Tests the GetValue function."""
pre_obj = event.PreprocessObject()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath(pre_obj)
plugin.Run(self._searcher)
plugin = windows.WindowsProgramFilesX86Path(pre_obj)
plugin.Run(self._searcher)
path = getattr(pre_obj, 'programfilesx86', None)
# The test SOFTWARE Registry file does not contain a value for
# the Program Files X86 path.
self.assertEquals(path, None)
def testEngine(self):
"""Test the engine functionality."""
collection_queue = queue.SingleThreadedQueue()
storage_queue = queue.SingleThreadedQueue()
resolver_context = context.Context()
test_engine = engine.Engine(collection_queue, storage_queue)
self.assertNotEquals(test_engine, None)
source_path = os.path.join(self._TEST_DATA_PATH, u'image.dd')
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=source_path)
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location=u'/',
parent=os_path_spec)
test_engine.SetSource(source_path_spec,
resolver_context=resolver_context)
self.assertFalse(test_engine.SourceIsDirectory())
self.assertFalse(test_engine.SourceIsFile())
self.assertTrue(test_engine.SourceIsStorageMediaImage())
test_searcher = test_engine.GetSourceFileSystemSearcher(
resolver_context=resolver_context)
self.assertNotEquals(test_searcher, None)
self.assertIsInstance(test_searcher,
file_system_searcher.FileSystemSearcher)
pre_obj = event.PreprocessObject()
test_engine.PreprocessSource(pre_obj, 'Windows')
test_collector = test_engine.CreateCollector(
False,
vss_stores=None,
filter_find_specs=None,
resolver_context=resolver_context)
self.assertNotEquals(test_collector, None)
self.assertIsInstance(test_collector, collector.Collector)
test_extraction_worker = test_engine.CreateExtractionWorker(
0, None, pre_obj)
self.assertNotEquals(test_extraction_worker, None)
self.assertIsInstance(test_extraction_worker,
worker.EventExtractionWorker)
def PreprocessSource(self, options):
"""Preprocesses the source.
Args:
options: the command line arguments (instance of argparse.Namespace).
Returns:
The preprocessing object (instance of PreprocessObject).
"""
pre_obj = None
if self._old_preprocess and os.path.isfile(self._storage_file_path):
# Check if the storage file contains a preprocessing object.
try:
with storage.StorageFile(
self._storage_file_path, read_only=True) as store:
storage_information = store.GetStorageInformation()
if storage_information:
logging.info(u'Using preprocessing information from a prior run.')
pre_obj = storage_information[-1]
self._preprocess = False
except IOError:
logging.warning(u'Storage file does not exist, running preprocess.')
if self._preprocess and self._scan_context.source_type in [
self._scan_context.SOURCE_TYPE_DIRECTORY,
self._scan_context.SOURCE_TYPE_STORAGE_MEDIA_DEVICE,
self._scan_context.SOURCE_TYPE_STORAGE_MEDIA_IMAGE]:
try:
self._engine.PreprocessSource(
self._operating_system, resolver_context=self._resolver_context)
except IOError as exception:
logging.error(u'Unable to preprocess with error: {0:s}'.format(
exception))
return
# TODO: Remove the need for direct access to the pre_obj in favor
# of the knowledge base.
pre_obj = getattr(self._engine.knowledge_base, '_pre_obj', None)
if not pre_obj:
pre_obj = event.PreprocessObject()
self._PreprocessSetTimezone(options, pre_obj)
self._PreprocessSetParserFilter(options, pre_obj)
return pre_obj