def test_open(self):
"""Tests the open function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.open(unittest.source)
self.assertIsNotNone(scca_file)
scca_file.close()
with self.assertRaises(TypeError):
pyscca.open(None)
with self.assertRaises(ValueError):
pyscca.open(unittest.source, mode="w")
def parse_file(pf_file, volume_information):
try:
scca = pyscca.open(pf_file)
last_run_times = []
for x in range(8):
try:
if scca.get_last_run_time_as_integer(x) > 0:
last_run_times.append(
scca.get_last_run_time(x).strftime("%Y-%m-%dT%H:%M:%S")
) #str conversion utilized to change from datetime into human-readable
else:
last_run_times.append('1700-01-01T00:00:00')
except:
last_run_times.append('1700-01-01T00:00:00')
# === run_count
run_count = 0
try:
if scca.get_run_count() is not None:
run_count = scca.run_count
except:
pass
# === executable_filename
executable_filename = scca.executable_filename
if executable_filename is None:
executable_filename = '-'.join(
pf_file.split('/')[-1].split('-')[0:-1])
# === Prefetch hash
prefetch_hash = format(scca.prefetch_hash, 'x').upper()
if prefetch_hash == '0':
prefetch_hash = pf_file.split('/')[-1].split('-')[-1].replace(
'.pf', '')
output[str(executable_filename)] = [
str(run_count),
prefetch_hash.upper(), last_run_times
]
if volume_information:
output[str(executable_filename)].append(scca.number_of_volumes)
volumes = []
for i in range(scca.number_of_volumes):
volume = [
str(scca.get_volume_information(i).device_path),
scca.get_volume_information(i).creation_time.strftime(
"%Y-%m-%d %H:%M:%S"),
format(scca.get_volume_information(i).serial_number,
'x').upper()
]
volumes.append(volume)
output[str(executable_filename)].append(volumes)
return output
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
print "[-] [Error] " + str(exc_obj) + " - Line No. " + str(
exc_tb.tb_lineno)
return None
def parse_file(pf_file, volume_information):
try:
scca = pyscca.open(pf_file)
last_run_times = []
for x in range(8):
if scca.get_last_run_time_as_integer(x) > 0:
last_run_times.append(
scca.get_last_run_time(x).strftime("%Y-%m-%d %H:%M:%S")
) #str conversion utilized to change from datetime into human-readable
else:
last_run_times.append('N/A')
output[str(scca.executable_filename)] = [
str(scca.run_count),
format(scca.prefetch_hash, 'x').upper(), last_run_times
]
if volume_information:
output[str(scca.executable_filename)].append(
scca.number_of_volumes)
volumes = []
for i in range(scca.number_of_volumes):
volume = [
str(scca.get_volume_information(i).device_path),
scca.get_volume_information(i).creation_time.strftime(
"%Y-%m-%d %H:%M:%S"),
format(scca.get_volume_information(i).serial_number,
'x').upper()
]
volumes.append(volume)
output[str(scca.executable_filename)].append(volumes)
return output
except IOError:
pass
def parsePrefetch(inputPF):
prefetchfile = pyscca.open(inputPF)
FileRunTimes = []
ProgramName = prefetchfile.get_executable_filename()
ProgramHash = hex(prefetchfile.get_prefetch_hash())
prefetchCount = prefetchfile.get_run_count()
if prefetchCount < 8:
for i in range(prefetchCount):
if prefetchfile.get_last_run_time_as_integer(i) != 0:
executed = [
ProgramName, ProgramHash,
prefetchfile.get_last_run_time(i).isoformat(),
prefetchCount
]
FileRunTimes.append(executed)
elif prefetchCount > 7:
for i in range(8):
if prefetchfile.get_last_run_time_as_integer(i) != 0:
executed = [
ProgramName, ProgramHash,
prefetchfile.get_last_run_time(i).isoformat(),
prefetchCount
]
FileRunTimes.append(executed)
return FileRunTimes
def main():
# Parsing the Arguments
parser = argparse.ArgumentParser()
parser.add_argument("-i",
"--inputPF",
dest="InputFile",
help='Path to the prefetch file')
parser.add_argument("-d",
"--inputDirectory",
dest="InputDirectory",
help='Path to directory containing prefetch files')
parser.add_argument("-o",
"--outputfile",
dest="OutputFile",
help='Path to Export your CSV')
args = parser.parse_args()
try:
FileRunTimes = []
Headers = [
'ProgramName', 'ProgramHash', 'LastRunTime', 'CountExecuted'
]
FileRunTimes.append(Headers)
if args.InputFile == None:
# get all files in the directory to get each file prefetch
files = os.listdir(args.InputDirectory)
for i in files:
filepath = args.InputDirectory + i
results = parsePrefetch(filepath)
for t in results:
FileRunTimes.append(t)
# Now running through the individual file
else:
prefetchfile = pyscca.open(args.InputFile)
prefetchCount = prefetchfile.get_run_count()
results = parsePrefetch(args.InputFile)
for t in results:
FileRunTimes.append(t)
except Exception as e:
print(e.message)
#Now exporting the results to a report
with open(args.OutputFile, 'w') as f:
wr = csv.writer(f, lineterminator='\n')
for row in FileRunTimes:
wr.writerow(row)
def _parse_prefecth_file(self, path: str):
scca = pyscca.open(path)
all_strings = []
for entry_index, file_metrics in enumerate(scca.file_metrics_entries):
all_strings.append(file_metrics.filename)
last_run_times = []
for exe_timestamp in range(scca.run_count):
try:
if scca.get_last_run_time_as_integer(exe_timestamp) > 0:
time = Time.change_output_date_format_from_epoch(
scca.get_last_run_time(exe_timestamp).replace(
tzinfo=timezone.utc).timestamp())
last_run_times.append(time)
except OSError:
# No hay mas fechas de ejecucion guardadas
break
volume_serial_number = []
volume_device_path = []
volume_timestamp = []
for volume_information in iter(scca.volumes):
volume_serial_number.append(
format(volume_information.serial_number, 'x').upper())
volume_device_path.append(str(volume_information.device_path))
volume_timestamp.append(
Time.change_output_date_format_from_epoch(
volume_information.creation_time.replace(
tzinfo=timezone.utc).timestamp()))
return {
"version": scca.format_version,
"executable_file_name": str(scca.executable_filename),
"hash": format(scca.prefetch_hash, 'x').upper(),
"number_of_files_accessed": scca.number_of_file_metrics_entries,
"directories_accessed": all_strings,
"number_of_volumes": scca.number_of_volumes,
"run_counts": scca.run_count,
"last_run_times": last_run_times,
"volume_timestamp": volume_timestamp,
"volume_device_path": volume_device_path,
"volume_serial_number": volume_serial_number
}
def parse_file(pf_file,volume_information):
try:
scca = pyscca.open(pf_file)
last_run_times = []
for x in range(8):
if scca.get_last_run_time_as_integer(x) > 0:
last_run_times.append(scca.get_last_run_time(x).strftime("%Y-%m-%d %H:%M:%S")) #str conversion utilized to change from datetime into human-readable
else:
last_run_times.append('N/A')
output[str(scca.executable_filename)] = [str(scca.run_count), format(scca.prefetch_hash, 'x').upper(), last_run_times]
if volume_information:
output[str(scca.executable_filename)].append(scca.number_of_volumes)
volumes = []
for i in range(scca.number_of_volumes):
volume = [str(scca.get_volume_information(i).device_path), scca.get_volume_information(i).creation_time.strftime("%Y-%m-%d %H:%M:%S"), format(scca.get_volume_information(i).serial_number,'x').upper()]
volumes.append(volume)
output[str(scca.executable_filename)].append(volumes)
return output
except IOError:
pass
def parse_file(prefetch_file, outpath):
try:
#open prefetch file with pyscca and get values
everything = []
prefetch_values = []
pf_file_name = os.path.basename(prefetch_file)
scca = pyscca.open(prefetch_file)
prefetch_version = str(scca.format_version)
executable_file_name = str(scca.executable_filename)
prefetch_hash = format(scca.prefetch_hash, 'x').upper()
run_count = (scca.run_count)
number_of_volumes = str(scca.number_of_volumes)
number_of_files = str(scca.number_of_file_metrics_entries)
count = 1
all_strings = []
for entry_index, file_metrics in enumerate(scca.file_metrics_entries):
mapped_file_string = file_metrics.filename
strings = (pf_file_name, executable_file_name, count,
number_of_files, mapped_file_string)
all_strings.append(strings)
count = (count + 1)
stringsfile = (outpath + '_strings.csv')
strings_file = open(stringsfile, 'a+')
with strings_file:
write = csv.writer(strings_file)
write.writerows(all_strings)
#Parse last run timestamps for each last run value
for exe_timestamp in range(8):
if scca.get_last_run_time_as_integer(exe_timestamp) > 0:
time = (scca.get_last_run_time(exe_timestamp).strftime(
"%Y-%m-%d %H:%M:%S"))
run_count_number = (str(run_count - exe_timestamp) + "_of_" +
str(run_count))
prefetch_values = [
time, executable_file_name, prefetch_hash,
run_count_number, pf_file_name, prefetch_version,
number_of_volumes
]
# Find volume information for each prefetch file and append to prefetch output
for volume_information in iter(scca.volumes):
volume_serial_number = format(
volume_information.serial_number, 'x').upper()
volume_device_path = str(volume_information.device_path)
volume_timestamp = volume_information.creation_time.strftime(
"%Y-%m-%d %H:%M:%S")
prefetch_values.append(volume_timestamp)
prefetch_values.append(volume_device_path)
prefetch_values.append(volume_serial_number)
print(','.join(prefetch_values))
runcountsfile = (outpath + '_run_count.csv')
if int(prefetch_version) < 30:
run_count_file = open(runcountsfile, 'a+')
with run_count_file:
write = csv.writer(run_count_file)
write.writerow(prefetch_values)
exit()
everything.append(prefetch_values)
run_count_file = open(runcountsfile, 'a+')
with run_count_file:
write = csv.writer(run_count_file)
write.writerows(everything)
except:
pass
SQLitedb.RemoveDB_File(SQLiteDbName)
SQLitedb.Open(SQLiteDbName)
SQLitedb.CreateTable(tableName, tableColumns)
SQLitedb.CreateTable(fileMetricsTabName, fileMetricsColumnNames)
SQLitedb.CreateTable(volumeTabName, volumeColumnNames)
SQLitedb.CreateTable(fileTabName, fileColumnNames)
for root, dirs, files in os.walk(prefetchDirectory):
# print ("root = > " + str(root))
# print ("dirs = > " + str(dirs))
# print ("files = > " + str(files))
for file in files:
if ".pf" in file:
prefetchRecord = []
try:
scca = pyscca.open(os.path.join(root, file))
#print("File Name is ==> " + file)
prefetchRecord.append(file)
prefetchRecord.append(scca.get_executable_filename())
prefetchExecutableFileName = scca.get_executable_filename()
prefetchExecutableFilePath = ""
prefetchExecutablePath = ""
#print ("File Name ==> " + scca.get_executable_filename())
#print ("File Name ==> " + scca.get_filename())
try:
if scca.get_run_count() is None:
prefetchRecord.append(0)
else:
prefetchRecord.append(scca.get_run_count())
except:
prefetchRecord.append(0)