def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
# Map the Windows time zone name to a Python equivalent name.
lookup_key = value_data.replace(' ', '')
time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)
# TODO: check if time zone is set in knowledge base.
if time_zone:
try:
# Catch and warn about unsupported preprocessor plugin.
knowledge_base.SetTimeZone(time_zone)
except ValueError:
# TODO: add and store preprocessing errors.
logger.warning(
'Unable to map: "{0:s}" to time zone'.format(value_data))
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
# Map the Windows code page name to a Python equivalent name.
codepage = 'cp{0:s}'.format(value_data)
if not knowledge_base.codepage:
try:
knowledge_base.SetCodepage(codepage)
except ValueError:
# TODO: add and store preprocessing errors.
pass
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
logger.debug(
'setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, value_data))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def _ParsePathSpecification(
self, knowledge_base, searcher, file_system, path_specification,
path_separator):
"""Parses a file system for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
path_specification (dfvfs.PathSpec): path specification that contains
the artifact value data.
path_separator (str): path segment separator.
Raises:
PreProcessFail: if the preprocessing fails.
"""
try:
file_entry = searcher.GetFileEntryByPathSpec(path_specification)
except IOError as exception:
relative_path = searcher.GetRelativePath(path_specification)
if path_separator != file_system.PATH_SEPARATOR:
relative_path_segments = file_system.SplitPath(relative_path)
relative_path = '{0:s}{1:s}'.format(
path_separator, path_separator.join(relative_path_segments))
raise errors.PreProcessFail((
'Unable to retrieve file entry: {0:s} with error: '
'{1!s}').format(relative_path, exception))
if file_entry:
self._ParseFileEntry(knowledge_base, file_entry)
def Collect(self, knowledge_base, artifact_definition, searcher):
"""Collects values using a Windows Registry value artifact definition.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
artifact_definition (artifacts.ArtifactDefinition): artifact definition.
searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
preprocess the Windows Registry.
Raises:
PreProcessFail: if the Windows Registry key or value cannot be read.
"""
for source in artifact_definition.sources:
if source.type_indicator not in (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY,
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE
):
continue
if source.type_indicator == (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
key_value_pairs = [{'key': key} for key in source.keys]
else:
key_value_pairs = source.key_value_pairs
for key_value_pair in key_value_pairs:
key_path = key_value_pair['key']
# The artifact definitions currently incorrectly define
# CurrentControlSet so we correct it here for now.
# Also see: https://github.com/ForensicArtifacts/artifacts/issues/120
key_path_upper = key_path.upper()
if key_path_upper.startswith('%%CURRENT_CONTROL_SET%%'):
key_path = '{0:s}{1:s}'.format(
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet',
key_path[23:])
find_spec = registry_searcher.FindSpec(key_path_glob=key_path)
for key_path in searcher.Find(find_specs=[find_spec]):
try:
registry_key = searcher.GetKeyByPath(key_path)
except IOError as exception:
raise errors.PreProcessFail((
'Unable to retrieve Windows Registry key: {0:s} with error: '
'{1!s}').format(key_path, exception))
if registry_key:
value_name = key_value_pair.get('value', None)
self._ParseKey(knowledge_base, registry_key,
value_name)
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
if not knowledge_base.GetValue('operating_system_version'):
knowledge_base.SetValue('operating_system_version', value_data)
def _ParsePathSpecification(self, knowledge_base, searcher, file_system,
path_specification, path_separator):
"""Parses artifact file system data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
path_specification (dfvfs.PathSpec): path specification that contains
the artifact value data.
path_separator (str): path segment separator.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
relative_path = searcher.GetRelativePath(path_specification)
if not relative_path:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: missing relative path'.
format(self.ARTIFACT_DEFINITION_NAME))
if path_separator != file_system.PATH_SEPARATOR:
relative_path_segments = file_system.SplitPath(relative_path)
relative_path = '{0:s}{1:s}'.format(
path_separator, path_separator.join(relative_path_segments))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=relative_path)
try:
logger.debug(
'setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, relative_path))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
if not hasattr(value_data, '__iter__'):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
# If the value data is a multi string only use the first string.
value_data = value_data[0]
if not knowledge_base.GetHostname():
hostname_artifact = artifacts.HostnameArtifact(name=value_data)
knowledge_base.SetHostname(hostname_artifact)
def _ParseKey(self, knowledge_base, registry_key, value_name):
"""Parses a Windows Registry key for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
value_name (str): name of the Windows Registry value.
Raises:
PreProcessFail: if the preprocessing fails.
"""
try:
registry_value = registry_key.GetValueByName(value_name)
except IOError as exception:
raise errors.PreProcessFail((
'Unable to retrieve Windows Registry key: {0:s} value: {1:s} '
'with error: {2!s}').format(
registry_key.path, value_name, exception))
if registry_value:
value_object = registry_value.GetDataAsObject()
if value_object:
self._ParseValueData(knowledge_base, value_object)