def Parse_ESEDB_File(File_To_Parse): file_object = open(File_To_Parse, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) Num_Of_tables = esedb_file.get_number_of_tables() print ("The number of tables is ==> ", Num_Of_tables) SQLitedb.CreateTable('ESEDB_Master_Table','Tab_Name text') SQLitedb.CreateTable('ESEDB_Empty_Tables', 'Tab_Name Text') for i in range (0, Num_Of_tables): SQL_Statement = '' Table = esedb_file.get_table(i) Table_name = Table_Dict[Table.get_name()] Template_Name = Table. get_template_name() Table_Num_Columns = Table.get_number_of_columns() Table_Num_Records = Table.get_number_of_records() print ("Table Name is ==> ", Table_name) if (Table_Num_Records > 0): SQLitedb.InsertValues('ESEDB_Master_Table','Tab_Name', "'" + Table_name + "'") SQL_Statement = 'Create Temp Table '+ Table_name + '_Temp (' Table_Record = Table.get_record(0) Column_Name = Table_Record.get_column_name(0) Column_Type = Table_Record.get_column_type(0) SQLitedb.CreateTempTable(Table_name + '_Temp', SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]) for x in range(1, Table_Num_Columns): Column_Name = Table_Record.get_column_name(x) Column_Type = Table_Record.get_column_type(x) SQL_Statement = SQL_Statement + ', ' + SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type] SQLitedb.AddColumn(Table_name + '_Temp', SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]) SQL_Statement = SQL_Statement + ');' else: SQLitedb.InsertValues('ESEDB_Empty_Tables','Tab_Name', "'" + Table_name + "'") esedb_file.close()
def pyesedb_test_multi_open_close_file(filename, mode): """Tests multiple open and close.""" description = ( "Testing multi open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() esedb_file.open(filename, mode) esedb_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: raise unittest.SkipTest("missing source") if not os.path.isfile(unittest.source): raise unittest.SkipTest("source not a regular file") esedb_file = pyesedb.file() with open(unittest.source, "rb") as file_object: esedb_file.open_file_object(file_object) with self.assertRaises(IOError): esedb_file.open_file_object(file_object) esedb_file.close() # TODO: change IOError into TypeError with self.assertRaises(IOError): esedb_file.open_file_object(None) with self.assertRaises(ValueError): esedb_file.open_file_object(file_object, mode="w")
def pyesedb_test_single_open_close_file_object_with_dereference( filename, mode): """Tests single file-like object open and close with dereference.""" description = ( "Testing single open close of file-like object with dereference of: " "{0:s} with access: {1:s}\t").format( get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: file_object = open(filename, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object, mode) del file_object esedb_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def _ParseESEDBFileWithPlugin( self, path_segments, plugin, knowledge_base_values=None): """Parses a file as an ESE database file and returns an event generator. Args: path_segments (list[str]): path segments inside the test data directory. plugin (ESEDBPlugin): ESE database plugin. knowledge_base_values (Optional[dict[str, object]]): knowledge base values. Returns: FakeStorageWriter: storage writer. """ session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntry(path_segments) parser_mediator = self._CreateParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) cache = esedb.ESEDBCache() plugin.Process(parser_mediator, cache=cache, database=esedb_file) esedb_file.close() finally: file_object.close() return storage_writer
def ExtractCatalog(self, filename, output_writer): """Extracts the catalog from the database. Args: filename (str): name of the file containing the ESE database. output_writer (OutputWriter): output writer. """ esedb_file = pyesedb.file() esedb_file.open(filename) ese_database_definition = EseDatabaseDefinition( self._database_type, self._database_version) output_writer.WriteDatabaseDefinition(ese_database_definition) # TODO: write an overview of the table names. # TODO: write the table and index names per type and version. for esedb_table in iter(esedb_file.tables): ese_table_definition = EseTableDefinition( esedb_table.name, esedb_table.template_name) for esedb_column in esedb_table.columns: ese_table_definition.AddColumnDefinition( esedb_column.identifier, esedb_column.name, esedb_column.type) output_writer.WriteTableDefinition(ese_table_definition) esedb_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses an ESE database file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, parser_mediator.GetDisplayName(), exception)) # Compare the list of available plugins. cache = EseDbCache() for plugin_object in self._plugins: try: plugin_object.UpdateChainAndProcess(parser_mediator, database=esedb_file, cache=cache) except errors.WrongPlugin: logging.debug( (u'[{0:s}] plugin: {1:s} cannot parse the ESE database: ' u'{2:s}').format(self.NAME, plugin_object.NAME, parser_mediator.GetDisplayName())) # TODO: explicitly clean up cache. esedb_file.close()
def pyesedb_test_multi_open_close_file(filename, mode): """Tests multiple open and close.""" description = ("Testing multi open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() esedb_file.open(filename, mode) esedb_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def pyesedb_test_single_open_close_file_object_with_dereference( filename, mode): """Tests single file-like object open and close with dereference.""" description = ( "Testing single open close of file-like object with dereference of: " "{0:s} with access: {1:s}\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: file_object = open(filename, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object, mode) del file_object esedb_file.close() except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def process_srum(srum, software, tablename = '{DD6636C4-8929-4683-974E-22C046A43763}'): #This method must commit pin locations to the database #Do the wireless Data sheet log.info(f"\nProcessing SRUM events in table {tablename}") row_num = 1 #Init to 1, first row will be 2 in spreadsheet (1 is headers) entries = [] ese_db = pyesedb.file() ese_db.open(srum) lookups = load_interfaces(software) ese_table = ese_db.get_table_by_name(tablename) #If the table is not found it returns None if not ese_table: log.info("Unable to find network connections table in SRUM file provided") raise Exception("Unable to find network connections table in SRUM file provided") reverse_column_lookup = dict([(x.name,index) for index,x in enumerate(ese_table.columns)]) for ese_row_num in range(ese_table.number_of_records): #if not sg.OneLineProgressMeter('Discovering Location Event from SRUM...', count, ese_table.number_of_records, 'key'): # break #"L2ProfileId=6, connectstart = 8" profile = smart_retrieve(ese_table, ese_row_num, reverse_column_lookup['L2ProfileId'] ) connected = smart_retrieve(ese_table, ese_row_num, reverse_column_lookup['TimeStamp'] ) #if count%10==0: # sys.stdout.write(".") #sys.stdout.flush() if profile: bssid,ssid = lookups.get(str(profile),(None,'the profile could not be resolved')) if bssid: entries.append((connected,bssid, ssid)) return entries
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses an ESE database file-like object. Args: parser_mediator: A parser mediator object (instance of ParserMediator). file_object: A file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, parser_mediator.GetDisplayName(), exception)) # Compare the list of available plugins. cache = EseDbCache() for plugin_object in self._plugins: try: plugin_object.UpdateChainAndProcess( parser_mediator, database=esedb_file, cache=cache) except errors.WrongPlugin: logging.debug(( u'[{0:s}] plugin: {1:s} cannot parse the ESE database: ' u'{2:s}').format( self.NAME, plugin_object.NAME, parser_mediator.GetDisplayName())) # TODO: explicitly clean up cache. esedb_file.close()
def test_open_close(self): """Tests the open and close functions.""" if not unittest.source: return esedb_file = pyesedb.file() # Test open and close. esedb_file.open(unittest.source) esedb_file.close() # Test open and close a second time to validate clean up on close. esedb_file.open(unittest.source) esedb_file.close() file_object = open(unittest.source, "rb") # Test open_file_object and close. esedb_file.open_file_object(file_object) esedb_file.close() # Test open_file_object and close a second time to validate clean up on close. esedb_file.open_file_object(file_object) esedb_file.close() # Test open_file_object and close and dereferencing file_object. esedb_file.open_file_object(file_object) del file_object esedb_file.close()
def extract_webcachev01_dat(file_path): """Extracts data from WebCacheVxx.dat. """ visits = [] esedb_file = pyesedb.file() with open(file_path, "rb") as f: esedb_file.open_file_object(f) # read the file containers_table = esedb_file.get_table_by_name("Containers") # look for tables "Containers" for i in range(0, containers_table.get_number_of_records()): if containers_table.get_record(i).get_value_data_as_string(8) == 'History': # only look for History containers container_id = containers_table.get_record(i).get_value_data_as_integer(0) history_table = esedb_file.get_table_by_name("Container_" + str(container_id)) # get the container by its ID for j in range(0, history_table.get_number_of_records()): # for each record in the container table record = {} for v in range(0 , history_table.get_record(j).get_number_of_values()): # for each value in the record column_name = history_table.get_record(j).get_column_name(v) # get the current column name column_type = history_table.get_record(j).get_column_type(v) # get the current column type number if column_type == 12 : # column is string record[column_name] = history_table.get_record(j).get_value_data_as_string(v) elif column_type == 15 or column_type == 14: # column is int if column_name in ["SyncTime" , "CreationTime" , "ExpiryTime" , "ModifiedTime" , "AccessedTime"]: record[column_name] = convert_timestamp( history_table.get_record(j).get_value_data_as_integer(v) , browser_name='IE11', tz='utc') else: record[column_name] = history_table.get_record(j).get_value_data_as_integer(v) elif column_type == 11: # column is hex if history_table.get_record(j).get_value_data(v) is not None: h = [ord(x) for x in history_table.get_record(j).get_value_data(v)] record[column_name] = ''.join('{:02x} '.format(x) for x in h) else: record[column_name] = history_table.get_record(j).get_value_data(v) else: record[column_name] = history_table.get_record(j).get_value_data(v) record["@timestamp"] = record["AccessedTime"].replace(" " , "T") record["browser_name"] = "Internet Explorer" record["type"] = "visits" link = record['Url'].split('@' , 1) if len(link) == 1: record['link'] = link[0] else: record['link'] = link[1] record['time'] = record['AccessedTime'] for k in record.keys(): if k in ["UrlHash" , "Type"]: record[k] = str(record[k]) if record[k] is None: record[k] = "None" visits.append(record) esedb_file.close() return visits
def test_close(self): """Tests the close function.""" if not unittest.source: raise unittest.SkipTest("missing source") esedb_file = pyesedb.file() with self.assertRaises(IOError): esedb_file.close()
def test_close(self): """Tests the close function.""" if not unittest.source: return esedb_file = pyesedb.file() with self.assertRaises(IOError): esedb_file.close()
def __init__(self, srumdbpath="C:\\Windows\\System32\\sru\\SRUDB.dat"): try: self.srumdb = pyesedb.file() self.srumdb.open(srumdbpath) self.__set_table_mapping__() except Exception as e: print("Impossible to open SRUM DB: %s" % srumdbpath) print(e) return
def ie_hist(cfg): csv_list = [] dbs = find_dbs( os.path.join(cfg["mount_dir"], "Users", '*', "AppData", "Local", "Microsoft", "Windows", "WebCache", "WebCacheV??.dat")) for db in dbs: user = user_of(db) history_containers = [] db_fh = open(db, 'rb') ese_db = pyesedb.file() ese_db.open_file_object(db_fh) containers = ese_db.get_table_by_name("Containers") if not containers: print "Error opening Containers table in %s" % db break # Find history tables from the Containers table for row in range(0, containers.get_number_of_records() - 1): container = containers.get_record(row) row_id = str(container.get_value_data_as_integer(0)) row_name = container.get_value_data_as_string(8) row_dir = container.get_value_data_as_string(10) if "History" in row_name and ("History.IE5" in row_dir or "MicrosoftEdge" in row_dir): history_containers.append(row_id) # Parse each history table/container for i in history_containers: current_table = ese_db.get_table_by_name("Container_%s" % i) if not current_table: print "Error opening table Container_%s in %s" % (i, db) continue # For each row for row_num in range(0, current_table.get_number_of_records() - 1): row = current_table.get_record(row_num) if not row: break # Handle long values in the URL column if row.is_long_value(17): url = row.get_value_data_as_long_value( 17).get_data_as_string() else: url = row.get_value_data_as_string(17) # Account for search parameters if cfg["search"] and cfg["search"] not in url: continue # Normalize data, add to CSV buffer url = '@'.join(url.split('@')[1:]) accessed_time = row.get_value_data_as_integer(13) timestamp = datetime.datetime(1602, 1, 1) + datetime.timedelta( microseconds=(accessed_time / 10)) # Append time, domain, title (unavailable), url, browser, user csv_list.append([ str(timestamp), urlparse(url).hostname, None, url, "IE/Edge", user ]) ese_db.close() write_lines(cfg["out_file"], csv_list)
def open_file_as_esedb(esedb): file_size = esedb.info.meta.size file_content = esedb.read_random(0, file_size) file_like_obj = StringIO.StringIO(file_content) esedb = pyesedb.file() try: esedb.open_file_object(file_like_obj) except IOError: return None return esedb
def _OpenEseDbFile(self, path): """Opens an ESE database file and returns back a pyesedb.file object.""" path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=path) file_entry = path_spec_resolver.Resolver.OpenFileEntry(path_spec) file_object = file_entry.GetFileObject() esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) return esedb_file
def _OpenEseDbFile(self, path_segments): """Opens an ESE database file and returns back a pyesedb.file object. Args: path: The path to the ESE database test file. """ file_entry = self._GetTestFileEntryFromPath(path_segments) file_object = file_entry.GetFileObject() esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) return esedb_file
def __init__(self, options): '''Create a SrumHandler Args: options: Options''' self.srum_db = options.srum_db self.output_db = options.output_db self.esedb_file = pyesedb.file() self.esedb_file.open(self.srum_db) self.outputDbConfig = DbConfig(dbname=self.output_db) self.outputDbHandler = DbHandler(self.outputDbConfig)
def pyesedb_test_single_open_close_file(filename, mode): """Tests a single open and close.""" description = ( "Testing single open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() except TypeError as exception: expected_message = ( "{0:s}: unsupported string object type.").format( "pyesedb_file_open") if not filename and str(exception) == expected_message: pass else: error_string = str(exception) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format( "pyesedb_file_open") if mode != "w" or str(exception) != expected_message: error_string = str(exception) result = False except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def test_get_page_size(self): """Tests the get_page_size function and page_size property.""" if not unittest.source: raise unittest.SkipTest("missing source") esedb_file = pyesedb.file() esedb_file.open(unittest.source) page_size = esedb_file.get_page_size() self.assertIsNotNone(page_size) self.assertIsNotNone(esedb_file.page_size) esedb_file.close()
def test_get_number_of_tables(self): """Tests the get_number_of_tables function and number_of_tables property.""" if not unittest.source: raise unittest.SkipTest("missing source") esedb_file = pyesedb.file() esedb_file.open(unittest.source) number_of_tables = esedb_file.get_number_of_tables() self.assertIsNotNone(number_of_tables) self.assertIsNotNone(esedb_file.number_of_tables) esedb_file.close()
def test_get_type(self): """Tests the get_type function and type property.""" if not unittest.source: raise unittest.SkipTest("missing source") esedb_file = pyesedb.file() esedb_file.open(unittest.source) type = esedb_file.get_type() self.assertIsNotNone(type) self.assertIsNotNone(esedb_file.type) esedb_file.close()
def Open(self, file_object): """Opens an Extensible Storage Engine (ESE) database file. Args: file_object (dfvfs.FileIO): file-like object. Raises: IOError: if the file-like object cannot be read. OSError: if the file-like object cannot be read. ValueError: if the file-like object is missing. """ if not file_object: raise ValueError('Missing file object.') self._esedb_file = pyesedb.file() self._esedb_file.open_file_object(file_object)
def pyesedb_test_single_open_close_file(filename, mode): """Tests a single open and close.""" description = ("Testing single open close of: {0:s} with access: {1:s}" "\t").format(get_filename_string(filename), get_mode_string(mode)) print(description, end="") error_string = None result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() except TypeError as exception: expected_message = ("{0:s}: unsupported string object type." ).format("pyesedb_file_open") if not filename and str(exception) == expected_message: pass else: error_string = str(exception) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format("pyesedb_file_open") if mode != "w" or str(exception) != expected_message: error_string = str(exception) result = False except Exception as exception: error_string = str(exception) result = False if not result: print("(FAIL)") else: print("(PASS)") if error_string: print(error_string) return result
def getHistory(filepath, timeline=None): esedb_file = pyesedb.file() esedb_file.open(filepath) containers = esedb_file.get_table_by_name("Containers") #Get list of containers that contain IE history histContList = [] histNameDict = dict() histDirDict = dict() for cRecords in containers.records: if "Hist" in cRecords.get_value_data_as_string(8): histContList.append("Container_%s" % cRecords.get_value_data_as_integer(0)) histNameDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(8) histDirDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(10) items = [] head = [CONSTANT.HISTORY_KEYWORD, False, CONSTANT.IE, 1] # Edge OK #Get history from each container for hcl in histContList: histCont = esedb_file.get_table_by_name(hcl) for hRecords in histCont.records: _url = hRecords.get_value_data_as_string(17) if _url.count("@") > 0: URL = _url.split("@")[1] if not URL.startswith("http"): continue accessedTime = getFiletime(hRecords.get_value_data_as_integer(13)) modifiedTime = getFiletime(hRecords.get_value_data_as_integer(12)) content = [ "{}.{}".format(hRecords.get_value_data_as_integer(1), hRecords.get_value_data_as_integer(0)), histNameDict[hcl], "{}".format(getFiletime(hRecords.get_value_data_as_integer(10))), "{}".format(accessedTime), "{}".format(modifiedTime), "{}".format(getFiletime(hRecords.get_value_data_as_integer(11))), "{}".format(getFiletime(hRecords.get_value_data_as_integer(9))), str(hRecords.get_value_data_as_integer(15)), str(hRecords.get_value_data_as_integer(8)), _url, hRecords.get_value_data_as_string(18), str(hRecords.get_value_data_as_integer(5)), histDirDict[hcl], None ] items.append([head, accessedTime, URL, modifiedTime, content]) return items
def Parse_ESEDB_File(File_To_Parse, SQLite_DB_Name): file_object = open(File_To_Parse, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) Num_Of_tables = esedb_file.get_number_of_tables() print ("The number of tables is ==> ", Num_Of_tables) SQLitedb.CreateTable('ESEDB_Master_Table','Tab_Name text') SQLitedb.CreateTable('ESEDB_Empty_Tables', 'Tab_Name Text') for i in range (0, Num_Of_tables): SQL_Statement = '' Table = esedb_file.get_table(i) Table_name = Table.get_name() Template_Name = Table. get_template_name() Table_Num_Columns = Table.get_number_of_columns() Table_Num_Records = Table.get_number_of_records() print ("Table Name is ==> ", Table_name, " Number of records is ==> ", Table_Num_Records) if (Table_Num_Records > 0): SQLitedb.InsertValues('ESEDB_Master_Table','Tab_Name', "'" + Table_name + "'") SQL_Statement = 'Create Temp Table '+ Table_name + '_Temp (' Table_Record = Table.get_record(0) Column_Name = Table_Record.get_column_name(0) Column_Type = Table_Record.get_column_type(0) SQLitedb.CreateTable(Table_name, SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]) for x in range(1, Table_Num_Columns): Column_Name = Table_Record.get_column_name(x) Column_Type = Table_Record.get_column_type(x) SQL_Statement = SQL_Statement + ', ' + SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type] SQLitedb.AddColumn(Table_name, SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]) SQL_Statement = SQL_Statement + ');' Num_Records_Begin = 0 Num_Records_End = 20000 while True: if Table_Num_Records < 19999: ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Table_Num_Records)]) break elif Table_Num_Records < Num_Records_End: ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Table_Num_Records)]) break else: ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Num_Records_End)]) Num_Records_Begin = Num_Records_Begin + 20000 Num_Records_End = Num_Records_End + 20000 else: SQLitedb.InsertValues('ESEDB_Empty_Tables','Tab_Name', "'" + Table_name + "'") esedb_file.close()
def pyesedb_test_single_open_close_file(filename, mode): if not filename: filename_string = "None" else: filename_string = filename print("Testing single open close of: {0:s} with access: {1:s}\t".format( filename_string, get_mode_string(mode))) result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() except TypeError as exception: expected_message = ( "{0:s}: unsupported string object type.").format( "pyesedb_file_open") if not filename and str(exception) == expected_message: pass else: print(str(exception)) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format( "pyesedb_file_open") if mode != "w" or str(exception) != expected_message: print(str(exception)) result = False except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def __init__(self, options, guid_table=None): '''Create a SrumHandler Args: options: Options guid_table: Optional guid table mapping''' self.srum_db = options.srum_db self.output_db = options.output_db self.esedb_file = pyesedb.file() self.esedb_file.open(self.srum_db) if guid_table: SrumHandler.GUID_TABLES = guid_table self.outputDbConfig = DbConfig(dbname=self.output_db) self.outputDbHandler = DbHandler(self.outputDbConfig)
def __init__(self,options): '''Create a SrumHandler Args: options: Options''' self.srum_db = options.srum_db self.output_db = options.output_db self.esedb_file = pyesedb.file() self.esedb_file.open(self.srum_db) self.outputDbConfig = DbConfig( dbname=self.output_db ) self.outputDbHandler = DbHandler( self.outputDbConfig )
def pyesedb_test_single_open_close_file(filename, mode): if not filename: filename_string = "None" else: filename_string = filename print("Testing single open close of: {0:s} with access: {1:s}\t".format( filename_string, get_mode_string(mode))) result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() except TypeError as exception: expected_message = ("{0:s}: unsupported string object type." ).format("pyesedb_file_open") if not filename and str(exception) == expected_message: pass else: print(str(exception)) result = False except ValueError as exception: expected_message = ( "{0:s}: unsupported mode: w.").format("pyesedb_file_open") if mode != "w" or str(exception) != expected_message: print(str(exception)) result = False except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def test_open(self): """Tests the open function.""" if not unittest.source: return esedb_file = pyesedb.file() esedb_file.open(unittest.source) with self.assertRaises(IOError): esedb_file.open(unittest.source) esedb_file.close() with self.assertRaises(TypeError): esedb_file.open(None) with self.assertRaises(ValueError): esedb_file.open(unittest.source, mode="w")
def ParseFileObject(self, parser_mediator, file_object): """Parses an ESE database file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): file-like object. """ esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionWarning( 'unable to open file with error: {0!s}'.format(exception)) return # Compare the list of available plugin objects. cache = ESEDBCache() try: table_names = frozenset(self._GetTableNames(esedb_file)) for plugin in self._plugins: if parser_mediator.abort: break if not plugin.required_tables.issubset(table_names): continue try: plugin.UpdateChainAndProcess(parser_mediator, cache=cache, database=esedb_file) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionWarning(( 'plugin: {0:s} unable to parse ESE database with error: ' '{1!s}').format(plugin.NAME, exception)) finally: # TODO: explicitly clean up cache. esedb_file.close()
def Populate_ESEDB_DB(File_To_Parse): idType = None file_object = open(File_To_Parse, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) Table_Names = SQLitedb.SelectAllRows("Select tab_name from ESEDB_Master_Table where Tab_name not in (Select tab_name from ESEDB_Empty_tables);") for Table_Name in Table_Names: Table_name = str(Table_Name[0]) print ("Inserting into table " + str(Table_name)) EsedbTable = esedb_file.get_table_by_name(Table_Rev_Dict[Table_Name[0]]) for i in range(0,EsedbTable.get_number_of_records()): SQL_Bind_Values = [] SQL_Statement_Table = 'Insert into ' + Table_Name[0] + '_temp' EsedbTable_Record = EsedbTable.get_record(i) EsedbTable_Num_Columns = EsedbTable.get_number_of_columns() Column_Name = EsedbTable_Record.get_column_name(0) SQL_Statement_Columns = SQLitedb.Check_SQL_Reserved_Word(Column_Name) SQL_Bind_Variables = SQLitedb.create_question_bind_variables(EsedbTable.get_number_of_columns()) Column_Type = EsedbTable_Record.get_column_type(0) Check_Column_Type(EsedbTable_Record, Column_Type, 0, SQL_Bind_Values, False) idType = 0 if Column_Name == 'IdType': idType = SQL_Bind_Values[len(SQL_Bind_Values) - 1] for x in range(1,EsedbTable.get_number_of_columns()): Column_Name = EsedbTable_Record.get_column_name(x) SQL_Statement_Columns = SQL_Statement_Columns + ',' + SQLitedb.Check_SQL_Reserved_Word(Column_Name) Column_Type = EsedbTable_Record.get_column_type(x) if Column_Name == 'IdBlob': if idType == 3: Check_Column_Type(EsedbTable_Record, 10, x, SQL_Bind_Values, True) else: Check_Column_Type(EsedbTable_Record, 10, x, SQL_Bind_Values, False) else: Check_Column_Type(EsedbTable_Record, Column_Type, x, SQL_Bind_Values, False) try: SQLitedb.InsertBindValues(Table_Name[0] + '_temp', SQL_Statement_Columns, SQL_Bind_Variables, SQL_Bind_Values) except: print ("SQL_Statement_Columns ==> " + SQL_Statement_Columns) print ("SQL_Bind_Variables ==> " + SQL_Bind_Variables) print ("SQL_Bind_Values ==> " + str(SQL_Bind_Values)) esedb_file.close()
def ParseFileObject(self, parser_mediator, file_object): """Parses an ESE database file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): file-like object. """ esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: parser_mediator.ProduceExtractionError( 'unable to open file with error: {0!s}'.format(exception)) return # Compare the list of available plugin objects. cache = ESEDBCache() try: table_names = frozenset(self._GetTableNames(esedb_file)) for plugin in self._plugins: if parser_mediator.abort: break if not plugin.required_tables.issubset(table_names): continue try: plugin.UpdateChainAndProcess( parser_mediator, cache=cache, database=esedb_file) except Exception as exception: # pylint: disable=broad-except parser_mediator.ProduceExtractionError(( 'plugin: {0:s} unable to parse ESE database with error: ' '{1!s}').format(plugin.NAME, exception)) finally: # TODO: explicitly clean up cache. esedb_file.close()
def getCookies(filepath): esedb_file = pyesedb.file() esedb_file.open(filepath) containers = esedb_file.get_table_by_name("Containers") #Get list of containers that contain IE cookies histContList = [] histNameDict = dict() histDirDict = dict() for cRecords in containers.records: if "Cookies" in cRecords.get_value_data_as_string(8): histContList.append("Container_%s" % cRecords.get_value_data_as_integer(0)) histNameDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(8) histDirDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(10) #Get cookies from each container for hcl in histContList: histCont = esedb_file.get_table_by_name(hcl) for hRecords in histCont.records: print('"%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s"' % ('%s.%s' % (hRecords.get_value_data_as_integer(1),hRecords.get_value_data_as_integer(0)),histNameDict[hcl],getFiletime(hRecords.get_value_data_as_integer(10)),getFiletime(hRecords.get_value_data_as_integer(13)),getFiletime(hRecords.get_value_data_as_integer(12)),getFiletime(hRecords.get_value_data_as_integer(11)),getFiletime(hRecords.get_value_data_as_integer(9)),hRecords.get_value_data_as_integer(15),hRecords.get_value_data_as_integer(8),hRecords.get_value_data_as_string(17),hRecords.get_value_data_as_string(18),hRecords.get_value_data_as_integer(5),"-",histDirDict[hcl]))
def pyesedb_test_single_open_close_file_object(filename, mode): print(("Testing single open close of file-like object of: {0:s} " "with access: {1:s}\t").format(filename, get_mode_string(mode))) result = True try: file_object = open(filename, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object, mode) esedb_file.close() except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def test_open_file_object(self): """Tests the open_file_object function.""" if not unittest.source: return file_object = open(unittest.source, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) with self.assertRaises(IOError): esedb_file.open_file_object(file_object) esedb_file.close() # TODO: change IOError into TypeError with self.assertRaises(IOError): esedb_file.open_file_object(None) with self.assertRaises(ValueError): esedb_file.open_file_object(file_object, mode="w")
def pyesedb_test_multi_open_close_file(filename, mode): print("Testing multi open close of: {0:s} with access: {1:s}\t".format( filename, get_mode_string(mode))) result = True try: esedb_file = pyesedb.file() esedb_file.open(filename, mode) esedb_file.close() esedb_file.open(filename, mode) esedb_file.close() except Exception as exception: print(str(exception)) result = False if not result: print("(FAIL)") else: print("(PASS)") return result
def Parse(self, parser_context, file_entry): """Extracts data from an ESE database File. Args: parser_context: A parser context object (instance of ParserContext). file_entry: A file entry object (instance of dfvfs.FileEntry). Yields: An event event (instance of EventObject) that contains the parsed values. """ file_object = file_entry.GetFileObject() esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: file_object.close() raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.NAME, file_entry.name, exception)) # Compare the list of available plugins. cache = EseDbCache() for plugin_object in self._plugins: try: plugin_object.Process( parser_context, database=esedb_file, cache=cache) except errors.WrongPlugin: logging.debug(( u'[{0:s}] plugin: {1:s} cannot parse the ESE database: ' u'{2:s}').format( self.NAME, plugin_object.NAME, file_entry.name)) # TODO: explicitly clean up cache. esedb_file.close() file_object.close()
def Parse(self, file_entry): """Extracts data from an ESE database File. Args: file_entry: A file entry object. Yields: An event event (instance of EventObject) that contains the parsed values. """ file_object = file_entry.GetFileObject() esedb_file = pyesedb.file() try: esedb_file.open_file_object(file_object) except IOError as exception: raise errors.UnableToParseFile( u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format( self.parser_name, file_entry.name, exception)) # Compare the list of available plugins. cache = interface.EseDbCache() for esedb_plugin in self._plugins.itervalues(): try: for event_object in esedb_plugin.Process( database=esedb_file, cache=cache): event_object.plugin = esedb_plugin.plugin_name yield event_object except errors.WrongPlugin: logging.debug(( u'[{0:s}] plugin: {1:s} cannot parse the ESE database: ' u'{2:s}').format( self.parser_name, esedb_plugin.plugin_name, file_entry.name)) # TODO: explicitly clean up cache. file_object.close()
def _ParseEseDbFileWithPlugin( self, path_segments, plugin_object, knowledge_base_values=None): """Parses a file as an ESE database file and returns an event generator. Args: path_segments: a list of strings containinge the path segments inside the test data directory. plugin_object: an ESE database plugin object (instance of EseDbPlugin). knowledge_base_values: optional dictionary containing the knowledge base values. Returns: A storage writer object (instance of FakeStorageWriter). """ session = sessions.Session() storage_writer = fake_storage.FakeStorageWriter(session) storage_writer.Open() file_entry = self._GetTestFileEntryFromPath(path_segments) parser_mediator = self._GetParserMediator( storage_writer, file_entry=file_entry, knowledge_base_values=knowledge_base_values) file_object = file_entry.GetFileObject() try: esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) cache = esedb.EseDbCache() plugin_object.Process(parser_mediator, cache=cache, database=esedb_file) esedb_file.close() finally: file_object.close() return storage_writer
return Record_List.append(str(EsedbTable_Record.get_value_data(Column_Number).decode('utf-16', 'ignore'))) elif (Column_Type == 17): #INTEGER_16BIT_UNSIGNED return Record_List.append(EsedbTable_Record.get_value_data_as_integer(Column_Number)) args = sys.argv[1:] File_To_Parse = args[0] SQLite_DB_Name = args[1] Table_Name = args[2] Begin_Record_Number = args[3] End_Record_Number = args[4] SQLitedb = SQLiteDb() SQLitedb.Open(SQLite_DB_Name) file_object = open(File_To_Parse, "rb") esedb_file = pyesedb.file() esedb_file.open_file_object(file_object) EsedbTable = esedb_file.get_table_by_name(Table_Name) print ("Inserting records into table ==> " + Table_Name) for i in range(int(Begin_Record_Number), int(End_Record_Number)): SQL_Bind_Values = [] SQL_Statement_Table = 'Insert into ' + Table_Name + ' ' EsedbTable_Record = EsedbTable.get_record(i) EsedbTable_Num_Columns = EsedbTable.get_number_of_columns() Column_Name = EsedbTable_Record.get_column_name(0) SQL_Statement_Columns = SQLitedb.Check_SQL_Reserved_Word(Column_Name) SQL_Bind_Variables = SQLitedb.create_question_bind_variables(EsedbTable.get_number_of_columns()) Column_Type = EsedbTable_Record.get_column_type(0) Check_Column_Type(EsedbTable_Record, Column_Type, 0, SQL_Bind_Values) for x in range(1,EsedbTable.get_number_of_columns()): Column_Name = EsedbTable_Record.get_column_name(x)
def test_signal_abort(self): """Tests the signal_abort function.""" esedb_file = pyesedb.file() esedb_file.signal_abort()