    def testProcessVersion3(self):
        """Tests the Process function on version 3 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        Besides the per-event values, the exact event count is pinned and the
        absence of extraction and recovery warnings is asserted, so a parser
        regression on this (attacker-controllable) format cannot pass silently.
        """
        plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
        storage_writer = self._ParseOLECFFileWithPlugin(
            ['9d1f905ce5044aee.automaticDestinations-ms'], plugin)

        # Expected breakdown: 2 x olecf:dest_list:entry + 2 x windows:lnk:link.
        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('event'), 4)

        # Any warning would mean the input was not parsed as cleanly as before.
        for container_type in ('extraction_warning', 'recovery_warning'):
            self.assertEqual(
                storage_writer.GetNumberOfAttributeContainers(container_type),
                0)

        events = list(storage_writer.GetEvents())

        # DestList entry (events[1]): every DROID identifier in this fixture is
        # the nil GUID and the modification time is pinned at 100ns precision.
        nil_guid = '{00000000-0000-0000-0000-000000000000}'
        expected_dest_list_values = {
            'birth_droid_file_identifier': nil_guid,
            'birth_droid_volume_identifier': nil_guid,
            'data_type': 'olecf:dest_list:entry',
            'date_time': '2016-01-17 13:08:08.2475045',
            'droid_file_identifier': nil_guid,
            'droid_volume_identifier': nil_guid,
            'entry_number': 2,
            'offset': 32,
            'path': 'http://support.microsoft.com/kb/3124263',
            'pin_status': -1,
            'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}
        self.CheckEventValues(
            storage_writer, events[1], expected_dest_list_values)

        # Embedded LNK (events[0]): carries no usable timestamp.
        expected_lnk_values = {
            'data_type': 'windows:lnk:link',
            'date_time': 'Not set',
            'timestamp_desc': definitions.TIME_DESCRIPTION_NOT_A_TIME}
        self.CheckEventValues(storage_writer, events[0], expected_lnk_values)
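    def testProcessVersion3(self):
        """Tests the Process function on version 3 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        The exact event count and the absence of warnings are asserted so that
        a parser regression on this (attacker-controllable) format cannot pass
        silently.
        """
        plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
        storage_writer = self._ParseOLECFFileWithPlugin(
            ['9d1f905ce5044aee.automaticDestinations-ms'], plugin)

        # Expected breakdown: 2 x olecf:dest_list:entry + 2 x windows:lnk:link.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 4)

        events = list(storage_writer.GetEvents())

        # Check the AutomaticDestinationsDestListEntryEvent (events[1]).
        dest_list_event = events[1]

        self.CheckTimestamp(
            dest_list_event.timestamp, '2016-01-17 13:08:08.247505')
        self.assertEqual(
            dest_list_event.timestamp_desc,
            definitions.TIME_DESCRIPTION_MODIFICATION)

        dest_list_event_data = self._GetEventDataOfEvent(
            storage_writer, dest_list_event)
        self.assertEqual(dest_list_event_data.offset, 32)
        self.assertEqual(
            dest_list_event_data.data_type, 'olecf:dest_list:entry')
        # pin_status -1 is the value the message below renders as "Unpinned".
        self.assertEqual(dest_list_event_data.pin_status, -1)

        # Every DROID identifier in this fixture is the nil GUID.
        expected_message = (
            'Entry: 2 '
            'Pin status: Unpinned '
            'Path: http://support.microsoft.com/kb/3124263 '
            'Droid volume identifier: {00000000-0000-0000-0000-000000000000} '
            'Droid file identifier: {00000000-0000-0000-0000-000000000000} '
            'Birth droid volume identifier: '
            '{00000000-0000-0000-0000-000000000000} '
            'Birth droid file identifier: {00000000-0000-0000-0000-000000000000}'
        )
        expected_short_message = (
            'Entry: 2 '
            'Pin status: Unpinned '
            'Path: http://support.microsoft.com/kb/3124263')

        self._TestGetMessageStrings(
            dest_list_event, expected_message, expected_short_message)

        # Check the WinLnkLinkEvent (events[0]); it carries no usable timestamp.
        lnk_event = events[0]

        self.assertEqual(
            lnk_event.timestamp_desc, definitions.TIME_DESCRIPTION_NOT_A_TIME)

        lnk_event_data = self._GetEventDataOfEvent(storage_writer, lnk_event)
        self.assertEqual(lnk_event_data.data_type, 'windows:lnk:link')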
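    def testProcessVersion3(self):
        """Tests the Process function on version 3 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        The exact event count is pinned so that a parser regression on this
        (attacker-controllable) format cannot pass silently.
        """
        plugin_object = automatic_destinations.AutomaticDestinationsOLECFPlugin(
        )
        storage_writer = self._ParseOLECFFileWithPlugin(
            [u'9d1f905ce5044aee.automaticDestinations-ms'], plugin_object)

        # 2 x olecf:dest_list:entry + 2 x windows:lnk:link.
        self.assertEqual(len(storage_writer.events), 4)

        # Check the AutomaticDestinationsDestListEntryEvent (events[1]).
        dest_list_event = storage_writer.events[1]

        self.assertEqual(dest_list_event.offset, 32)
        self.assertEqual(dest_list_event.data_type, u'olecf:dest_list:entry')

        self.assertEqual(
            dest_list_event.timestamp_desc,
            eventdata.EventTimestamp.MODIFICATION_TIME)

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2016-01-17 13:08:08.247504')
        self.assertEqual(dest_list_event.timestamp, expected_timestamp)

        # Every DROID identifier in this fixture is the nil GUID.
        expected_message = (
            u'Entry: 2 '
            u'Pin status: Unpinned '
            u'Path: http://support.microsoft.com/kb/3124263 '
            u'Droid volume identifier: {00000000-0000-0000-0000-000000000000} '
            u'Droid file identifier: {00000000-0000-0000-0000-000000000000} '
            u'Birth droid volume identifier: '
            u'{00000000-0000-0000-0000-000000000000} '
            u'Birth droid file identifier: {00000000-0000-0000-0000-000000000000}'
        )
        expected_message_short = (
            u'Entry: 2 '
            u'Pin status: Unpinned '
            u'Path: http://support.microsoft.com/kb/3124263')

        self._TestGetMessageStrings(
            dest_list_event, expected_message, expected_message_short)

        # Check the WinLnkLinkEvent (events[0]); it carries no usable timestamp.
        lnk_event = storage_writer.events[0]

        self.assertEqual(lnk_event.data_type, u'windows:lnk:link')
        self.assertEqual(
            lnk_event.timestamp_desc, eventdata.EventTimestamp.NOT_A_TIME)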
    def testProcessVersion1(self):
        """Tests the Process function on version 1 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        The exact event count and the absence of warnings are asserted so that
        a parser regression on this (attacker-controllable) format cannot pass
        silently.
        """
        plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
        storage_writer = self._ParseOLECFFileWithPlugin(
            ['1b4dd67f29cb1962.automaticDestinations-ms'], plugin)

        # Expected breakdown:
        #   11 x olecf:dest_list:entry
        #   33 x windows:lnk:link
        #   44 x windows:distributed_link_tracking:creation
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 88)

        events = list(storage_writer.GetEvents())

        # The same DROID GUIDs appear on the DestList entry (as both current
        # and birth identifiers), so name them once.
        droid_file_guid = '{63eea867-7b85-11e1-8950-005056a50b40}'
        droid_volume_guid = '{cf6619c2-66a8-44a6-8849-1582fcd3a338}'

        # Check an AutomaticDestinationsDestListEntryEvent (events[7]).
        self.CheckEventValues(storage_writer, events[7], {
            'birth_droid_file_identifier': droid_file_guid,
            'birth_droid_volume_identifier': droid_volume_guid,
            'data_type': 'olecf:dest_list:entry',
            'droid_file_identifier': droid_file_guid,
            'droid_volume_identifier': droid_volume_guid,
            'entry_number': 11,
            'hostname': 'wks-win764bitb',
            'offset': 32,
            'path': 'C:\\Users\\nfury\\Pictures\\The SHIELD',
            'pin_status': -1,
            'timestamp': '2012-04-01 13:52:38.997538',
            'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION})

        # Check a WinLnkLinkEvent (events[1]).
        self.CheckEventValues(storage_writer, events[1], {
            'data_type': 'windows:lnk:link',
            'drive_serial_number': 0x24ba718b,
            'drive_type': 3,
            'file_attribute_flags': 0x00002020,
            'file_size': 3545,
            'link_target': '<Users Libraries> <UNKNOWN: 0x00>',
            'local_path': (
                'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
                'Libraries\\Documents.library-ms'),
            'timestamp': '2010-11-10 07:51:16.749125'})

        # Check a WindowsDistributedLinkTrackingCreationEvent (events[5]).
        # Its uuid is the DestList DROID file identifier without braces; the
        # MAC address matches the node field of that (version 1) UUID, which is
        # why these artifacts can attribute a link to a specific machine.
        self.CheckEventValues(storage_writer, events[5], {
            'data_type': 'windows:distributed_link_tracking:creation',
            'mac_address': '00:50:56:a5:0b:40',
            'origin': 'DestList entry at offset: 0x00000020',
            'timestamp': '2012-03-31 23:01:03.527742',
            'uuid': '63eea867-7b85-11e1-8950-005056a50b40'})
    def testProcessVersion1(self):
        """Tests the Process function on version 1 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        The exact event count and the absence of warnings are asserted so that
        a parser regression on this (attacker-controllable) format cannot pass
        silently.
        """
        plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
        storage_writer = self._ParseOLECFFileWithPlugin(
            ['1b4dd67f29cb1962.automaticDestinations-ms'], plugin)

        # Expected breakdown:
        #   11 x olecf:dest_list:entry
        #   33 x windows:lnk:link
        #   44 x windows:distributed_link_tracking:creation
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 88)

        events = list(storage_writer.GetEvents())

        # Check an AutomaticDestinationsDestListEntryEvent (events[7]).
        dest_list_event = events[7]

        self.CheckTimestamp(
            dest_list_event.timestamp, '2012-04-01 13:52:38.997538')
        self.assertEqual(
            dest_list_event.timestamp_desc,
            definitions.TIME_DESCRIPTION_MODIFICATION)

        dest_list_event_data = self._GetEventDataOfEvent(
            storage_writer, dest_list_event)
        self.assertEqual(dest_list_event_data.offset, 32)
        self.assertEqual(
            dest_list_event_data.data_type, 'olecf:dest_list:entry')
        # pin_status -1 is the value the message below renders as "Unpinned".
        self.assertEqual(dest_list_event_data.pin_status, -1)

        # The current and birth DROID identifiers are identical for this entry.
        dest_list_message = (
            'Entry: 11 '
            'Pin status: Unpinned '
            'Hostname: wks-win764bitb '
            'Path: C:\\Users\\nfury\\Pictures\\The SHIELD '
            'Droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338} '
            'Droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40} '
            'Birth droid volume identifier: '
            '{cf6619c2-66a8-44a6-8849-1582fcd3a338} '
            'Birth droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}'
        )
        dest_list_short_message = (
            'Entry: 11 '
            'Pin status: Unpinned '
            'Path: C:\\Users\\nfury\\Pictures\\The SHIELD')

        self._TestGetMessageStrings(
            dest_list_event, dest_list_message, dest_list_short_message)

        # Check a WinLnkLinkEvent (events[1]).
        lnk_event = events[1]

        lnk_event_data = self._GetEventDataOfEvent(storage_writer, lnk_event)
        self.assertEqual(lnk_event_data.data_type, 'windows:lnk:link')

        self.CheckTimestamp(lnk_event.timestamp, '2010-11-10 07:51:16.749125')

        # The short message truncates the local path with an ellipsis.
        lnk_message = (
            '[Empty description] '
            'File size: 3545 '
            'File attribute flags: 0x00002020 '
            'Drive type: 3 '
            'Drive serial number: 0x24ba718b '
            'Local path: C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
            'Libraries\\Documents.library-ms '
            'Link target: <Users Libraries> <UNKNOWN: 0x00>')
        lnk_short_message = (
            '[Empty description] '
            'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\Librarie...'
        )

        self._TestGetMessageStrings(
            lnk_event, lnk_message, lnk_short_message)

        # Check a WindowsDistributedLinkTrackingCreationEvent (events[5]).
        # The UUID is the DestList DROID file identifier without braces; the
        # MAC address matches its node field, which is what ties the link to a
        # specific machine.
        tracking_event = events[5]

        tracking_event_data = self._GetEventDataOfEvent(
            storage_writer, tracking_event)
        self.assertEqual(
            tracking_event_data.data_type,
            'windows:distributed_link_tracking:creation')

        self.CheckTimestamp(
            tracking_event.timestamp, '2012-03-31 23:01:03.527742')

        tracking_message = (
            '63eea867-7b85-11e1-8950-005056a50b40 '
            'MAC address: 00:50:56:a5:0b:40 '
            'Origin: DestList entry at offset: 0x00000020')
        tracking_short_message = (
            '63eea867-7b85-11e1-8950-005056a50b40 '
            'Origin: DestList entry at offset: 0x0000...')

        self._TestGetMessageStrings(
            tracking_event, tracking_message, tracking_short_message)
    def testProcessVersion1(self):
        """Tests the Process function on version 1 .automaticDestinations-ms.

        The fixture is a Windows Jump List (AutomaticDestinations) OLECF file.
        The exact event count is pinned so that a parser regression on this
        (attacker-controllable) format cannot pass silently.
        """
        plugin_object = automatic_destinations.AutomaticDestinationsOLECFPlugin(
        )
        storage_writer = self._ParseOLECFFileWithPlugin(
            [u'1b4dd67f29cb1962.automaticDestinations-ms'], plugin_object)

        # DestList entries plus the LNK and link tracking events derived from
        # them.
        self.assertEqual(len(storage_writer.events), 88)

        # Check an AutomaticDestinationsDestListEntryEvent (events[7]).
        dest_list_event = storage_writer.events[7]

        self.assertEqual(dest_list_event.offset, 32)
        self.assertEqual(dest_list_event.data_type, u'olecf:dest_list:entry')

        self.assertEqual(
            dest_list_event.timestamp_desc,
            eventdata.EventTimestamp.MODIFICATION_TIME)

        self.assertEqual(
            dest_list_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2012-04-01 13:52:38.997538'))

        # The current and birth DROID identifiers are identical for this entry.
        dest_list_message = (
            u'Entry: 11 '
            u'Pin status: Unpinned '
            u'Hostname: wks-win764bitb '
            u'Path: C:\\Users\\nfury\\Pictures\\The SHIELD '
            u'Droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338} '
            u'Droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40} '
            u'Birth droid volume identifier: '
            u'{cf6619c2-66a8-44a6-8849-1582fcd3a338} '
            u'Birth droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}'
        )
        dest_list_message_short = (
            u'Entry: 11 '
            u'Pin status: Unpinned '
            u'Path: C:\\Users\\nfury\\Pictures\\The SHIELD')

        self._TestGetMessageStrings(
            dest_list_event, dest_list_message, dest_list_message_short)

        # Check a WinLnkLinkEvent (events[1]).
        lnk_event = storage_writer.events[1]

        self.assertEqual(lnk_event.data_type, u'windows:lnk:link')

        self.assertEqual(
            lnk_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2010-11-10 07:51:16.749125'))

        # The short message truncates the local path with an ellipsis.
        lnk_message = (
            u'[Empty description] '
            u'File size: 3545 '
            u'File attribute flags: 0x00002020 '
            u'Drive type: 3 '
            u'Drive serial number: 0x24ba718b '
            u'Local path: C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
            u'Libraries\\Documents.library-ms '
            u'Link target: <Users Libraries> <UNKNOWN: 0x00>')
        lnk_message_short = (
            u'[Empty description] '
            u'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\Librarie...'
        )

        self._TestGetMessageStrings(lnk_event, lnk_message, lnk_message_short)

        # Check a WindowsDistributedLinkTrackingCreationEvent (events[5]).
        # The UUID is the DestList DROID file identifier without braces; the
        # MAC address matches its node field, which is what ties the link to a
        # specific machine.
        tracking_event = storage_writer.events[5]

        self.assertEqual(
            tracking_event.data_type,
            u'windows:distributed_link_tracking:creation')

        self.assertEqual(
            tracking_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2012-03-31 23:01:03.527741'))

        tracking_message = (
            u'63eea867-7b85-11e1-8950-005056a50b40 '
            u'MAC address: 00:50:56:a5:0b:40 '
            u'Origin: DestList entry at offset: 0x00000020')
        tracking_message_short = (
            u'63eea867-7b85-11e1-8950-005056a50b40 '
            u'Origin: DestList entry at offset: 0x0000...')

        self._TestGetMessageStrings(
            tracking_event, tracking_message, tracking_message_short)