def ParseOptions(cls, options, configuration_object):
"""Parses and validates options.
Args:
options (argparse.Namespace): parser options.
configuration_object (CLITool): object to be configured by the argument
helper.
Raises:
BadConfigObject: when the configuration object is of the wrong type.
BadConfigOption: if the required artifact definitions are not defined.
"""
if not isinstance(configuration_object, tools.CLITool):
raise errors.BadConfigObject(
'Configuration object is not an instance of CLITool')
artifacts_path = getattr(options, 'artifact_definitions_path', None)
if ((not artifacts_path or not os.path.exists(artifacts_path))
and configuration_object.data_location):
artifacts_path = os.path.dirname(
configuration_object.data_location)
artifacts_path = os.path.join(artifacts_path, 'artifacts')
if not os.path.exists(
artifacts_path) and 'VIRTUAL_ENV' in os.environ:
artifacts_path = os.path.join(os.environ['VIRTUAL_ENV'],
'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join(sys.prefix, 'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join(sys.prefix, 'local', 'share',
'artifacts')
if sys.prefix != '/usr':
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join('/usr', 'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join('/usr', 'local', 'share',
'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = None
if not artifacts_path or not os.path.exists(artifacts_path):
raise errors.BadConfigOption(
'Unable to determine path to artifact definitions.')
custom_artifacts_path = getattr(options,
'custom_artifact_definitions_path',
None)
if custom_artifacts_path and not os.path.exists(custom_artifacts_path):
raise errors.BadConfigOption(
('Unable to determine path to custom artifact definitions: '
'{0:s}.').format(custom_artifacts_path))
if custom_artifacts_path:
logger.info('Custom artifact definitions path: {0:s}'.format(
custom_artifacts_path))
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
logger.info('Determined artifact definitions path: {0:s}'.format(
artifacts_path))
try:
if os.path.isdir(artifacts_path):
registry.ReadFromDirectory(reader, artifacts_path)
else:
registry.ReadFromFile(reader, artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption(
('Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(artifacts_path, exception))
if custom_artifacts_path:
try:
if os.path.isdir(custom_artifacts_path):
registry.ReadFromDirectory(reader, custom_artifacts_path)
else:
registry.ReadFromFile(reader, custom_artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption((
'Unable to read custorm artifact definitions from: {0:s} with '
'error: {1!s}').format(custom_artifacts_path, exception))
for name in preprocessors_manager.PreprocessPluginsManager.GetNames():
if not registry.GetDefinitionByName(name):
raise errors.BadConfigOption(
'Missing required artifact definition: {0:s}'.format(name))
setattr(configuration_object, '_artifact_definitions_path',
artifacts_path)
setattr(configuration_object, '_custom_artifacts_path',
custom_artifacts_path)
def testReadFileObject(self):
"""Tests the ReadFileObject function."""
artifact_reader = reader.YamlArtifactsReader()
test_file = self._GetTestFilePath(['definitions.yaml'])
with open(test_file, 'rb') as file_object:
artifact_definitions = list(artifact_reader.ReadFileObject(file_object))
self.assertEqual(len(artifact_definitions), 7)
# Artifact with file source type.
artifact_definition = artifact_definitions[0]
self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx')
expected_description = (
'Windows Security Event log for Vista or later systems.')
self.assertEqual(artifact_definition.description, expected_description)
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator, definitions.TYPE_INDICATOR_FILE)
expected_paths = [
'%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx'
]
self.assertEqual(sorted(source_type.paths), sorted(expected_paths))
self.assertEqual(len(artifact_definition.conditions), 1)
expected_condition = 'os_major_version >= 6'
self.assertEqual(artifact_definition.conditions[0], expected_condition)
self.assertEqual(len(artifact_definition.labels), 1)
self.assertEqual(artifact_definition.labels[0], 'Logs')
self.assertEqual(len(artifact_definition.supported_os), 1)
self.assertEqual(artifact_definition.supported_os[0], 'Windows')
self.assertEqual(len(artifact_definition.urls), 1)
expected_url = (
'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)')
self.assertEqual(artifact_definition.urls[0], expected_url)
# Artifact with Windows Registry key source type.
artifact_definition = artifact_definitions[1]
self.assertEqual(
artifact_definition.name, 'AllUsersProfileEnvironmentVariable')
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY)
expected_key1 = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
'ProfileList\\ProfilesDirectory')
expected_key2 = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
'ProfileList\\AllUsersProfile')
expected_keys = [expected_key1, expected_key2]
self.assertEqual(sorted(source_type.keys), sorted(expected_keys))
# Artifact with Windows Registry value source type.
artifact_definition = artifact_definitions[2]
self.assertEqual(artifact_definition.name, 'CurrentControlSet')
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE)
self.assertEqual(len(source_type.key_value_pairs), 1)
key_value_pair = source_type.key_value_pairs[0]
expected_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Select'
self.assertEqual(key_value_pair['key'], expected_key)
self.assertEqual(key_value_pair['value'], 'Current')
# Artifact with WMI query source type.
artifact_definition = artifact_definitions[3]
self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir')
expected_provides = sorted(['users.homedir'])
self.assertEqual(sorted(artifact_definition.provides), expected_provides)
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY)
expected_query = (
'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'')
self.assertEqual(source_type.query, expected_query)
# Artifact with artifact definition source type.
artifact_definition = artifact_definitions[4]
self.assertEqual(artifact_definition.name, 'EventLogs')
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT_GROUP)
# Artifact with command definition source type.
artifact_definition = artifact_definitions[5]
self.assertEqual(artifact_definition.name, 'RedhatPackagesList')
self.assertEqual(len(artifact_definition.sources), 1)
source_type = artifact_definition.sources[0]
self.assertIsNotNone(source_type)
self.assertEqual(
source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND)
# Artifact with COMMAND definition collector definition.
artifact_definition = artifact_definitions[5]
self.assertEqual(artifact_definition.name, 'RedhatPackagesList')
self.assertEqual(len(artifact_definition.sources), 1)
collector_definition = artifact_definition.sources[0]
self.assertIsNotNone(collector_definition)
self.assertEqual(
collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND)
def testParseSystemWithArtifactFilters(self):
"""Tests the Parse function on a SYSTEM file with artifact filters."""
artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(artifacts_path)
parser = winreg_parser.WinRegistryParser()
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue']
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, artifacts_path)
artifacts_filters_helper = (
artifact_filters.ArtifactDefinitionsFiltersHelper(
registry, knowledge_base))
artifacts_filters_helper.BuildFindSpecs(artifact_filter_names,
environment_variables=None)
storage_writer = self._ParseFile(
['SYSTEM'],
parser,
collection_filters_helper=artifacts_filters_helper)
parser_chains = self._GetParserChains(storage_writer)
# Check the existence of few known plugins, see if they
# are being properly picked up and are parsed.
plugin_names = [
'windows_usbstor_devices', 'windows_boot_execute',
'windows_services'
]
for plugin in plugin_names:
expected_parser_chain = self._GetParserChainOfPlugin(plugin)
self.assertIn(expected_parser_chain, parser_chains.keys())
# Check that the number of events produced by each plugin are correct.
# There will be 10 usbstor chains for ControlSet001 and ControlSet002:
# 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR'
parser_chain = self._GetParserChainOfPlugin('windows_usbstor_devices')
number_of_parser_chains = parser_chains.get(parser_chain, 0)
self.assertEqual(number_of_parser_chains, 10)
# There will be 4 Windows boot execute chains for key_value pairs:
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager',
# value: 'BootExecute'}
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
# value: 'BootExecute'}
parser_chain = self._GetParserChainOfPlugin('windows_boot_execute')
number_of_parser_chains = parser_chains.get(parser_chain, 0)
self.assertEqual(number_of_parser_chains, 4)
# There will be 831 windows services chains for keys:
# 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**'
# 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**'
parser_chain = self._GetParserChainOfPlugin('windows_services')
number_of_parser_chains = parser_chains.get(parser_chain, 0)
self.assertEqual(number_of_parser_chains, 831)
def testYamlWriter(self):
"""Tests conversion with the YamlArtifactsWriter."""
artifact_reader = reader.YamlArtifactsReader()
artifact_writer = writer.YamlArtifactsWriter()
self._TestArtifactsConversion(artifact_reader, artifact_writer,
'definitions.yaml')
def CheckFile(self, filename):
"""Validates the artifacts definition in a specific file.
Args:
filename (str): name of the artifacts definition file.
Returns:
bool: True if the file contains valid artifacts definitions.
"""
result = True
artifact_reader = reader.YamlArtifactsReader()
try:
for artifact_definition in artifact_reader.ReadFile(filename):
try:
self._artifact_registry.RegisterDefinition(artifact_definition)
except KeyError:
logging.warning(
'Duplicate artifact definition: {0:s} in file: {1:s}'.format(
artifact_definition.name, filename))
result = False
artifact_definition_supports_windows = (
definitions.SUPPORTED_OS_WINDOWS in (
artifact_definition.supported_os))
for source in artifact_definition.sources:
if source.type_indicator in (
definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
if (artifact_definition_supports_windows or
definitions.SUPPORTED_OS_WINDOWS in source.supported_os):
for path in source.paths:
if not self._CheckWindowsPath(
filename, artifact_definition, source, path):
result = False
elif source.type_indicator == (
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
# Exempt the legacy file from duplicate checking because it has
# duplicates intentionally.
if (filename != self.LEGACY_PATH and
self._HasDuplicateRegistryKeyPaths(
filename, artifact_definition, source)):
result = False
for key_path in source.keys:
if not self._CheckRegistryKeyPath(
filename, artifact_definition, key_path):
result = False
elif source.type_indicator == (
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE):
for key_value_pair in source.key_value_pairs:
if not self._CheckRegistryKeyPath(
filename, artifact_definition, key_value_pair['key']):
result = False
except errors.FormatError as exception:
logging.warning(
'Unable to validate file: {0:s} with error: {1!s}'.format(
filename, exception))
result = False
return result
def testParseRegistry(self):
"""Tests the _ParseRegistryFile and ParseRegistryKey functions."""
path = self._GetTestFilePath(['artifacts'])
artifact_registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
artifact_registry.ReadFromDirectory(reader, path)
test_tool = self._ConfigureSingleFileTest()
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, registry_file_types=['SYSTEM'])
registry_helper = registry_helpers[0]
plugins = test_tool._GetRegistryPluginsFromRegistryType('SYSTEM')
key_list = []
plugin_list = []
for plugin in plugins:
for key_filter in plugin.FILTERS:
plugin_list.append(plugin.NAME)
key_list.extend(key_filter.key_paths)
test_tool._ExpandKeysRedirect(key_list)
parsed_data = test_tool._ParseRegistryFile(registry_helper,
key_paths=key_list,
use_plugins=plugin_list)
for key_parsed in parsed_data:
self.assertIn(key_parsed, key_list)
usb_parsed_data = parsed_data.get(
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Enum\\USBSTOR',
None)
self.assertIsNotNone(usb_parsed_data)
usb_key = usb_parsed_data.get('key', None)
self.assertIsNotNone(usb_key)
expected_key_path = (
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum\\USBSTOR')
self.assertEqual(usb_key.path, expected_key_path)
data = usb_parsed_data.get('data', None)
self.assertIsNotNone(data)
plugin_names = [plugin.NAME for plugin in data.keys()]
self.assertIn('windows_usbstor_devices', plugin_names)
usb_plugin = None
for plugin in data.keys():
if plugin.NAME == 'windows_usbstor_devices':
usb_plugin = plugin
break
event_objects = data.get(usb_plugin, [])
self.assertEqual(len(event_objects), 5)
event = event_objects[2]
self.assertEqual(event.data_type, 'windows:registry:key_value')
parse_key_data = test_tool.ParseRegistryKey(
usb_key, registry_helper, use_plugins='windows_usbstor_devices')
self.assertEqual(len(parse_key_data.keys()), 1)
parsed_key_value = parse_key_data.values()[0]
for index, event in enumerate(event_objects):
parsed_key_event = parsed_key_value[index]
event_values = event.CopyToDict()
parsed_key_event_values = parsed_key_event.CopyToDict()
self.assertEqual(event_values, parsed_key_event_values)
def testRead(self):
"""Tests the Read function."""
artifact_reader = reader.YamlArtifactsReader()
test_file = os.path.join('test_data', 'definitions.yaml')
with open(test_file, 'rb') as file_object:
artifact_definitions = list(artifact_reader.Read(file_object))
self.assertEqual(len(artifact_definitions), 5)
# Artifact with file collector definition.
artifact_definition = artifact_definitions[0]
self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx')
expected_description = (
'Windows Security Event log for Vista or later systems.')
self.assertEqual(artifact_definition.description, expected_description)
self.assertEqual(artifact_definition.doc, expected_description)
self.assertEqual(len(artifact_definition.collectors), 1)
collector_definition = artifact_definition.collectors[0]
self.assertNotEqual(collector_definition, None)
self.assertEqual(collector_definition.type_indicator,
definitions.TYPE_INDICATOR_FILE)
expected_path_list = sorted(
['%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx'])
self.assertEqual(sorted(collector_definition.path_list),
expected_path_list)
self.assertEqual(len(artifact_definition.conditions), 1)
expected_condition = 'os_major_version >= 6'
self.assertEqual(artifact_definition.conditions[0], expected_condition)
self.assertEqual(len(artifact_definition.labels), 1)
self.assertEqual(artifact_definition.labels[0], 'Logs')
self.assertEqual(len(artifact_definition.supported_os), 1)
self.assertEqual(artifact_definition.supported_os[0], 'Windows')
self.assertEqual(len(artifact_definition.urls), 1)
expected_url = (
'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)')
self.assertEqual(artifact_definition.urls[0], expected_url)
# Artifact with Windows Registry key collector definition.
artifact_definition = artifact_definitions[1]
self.assertEqual(artifact_definition.name,
'AllUsersProfileEnvironmentVariable')
self.assertEqual(len(artifact_definition.collectors), 1)
collector_definition = artifact_definition.collectors[0]
self.assertNotEqual(collector_definition, None)
self.assertEqual(collector_definition.type_indicator,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY)
expected_path_list = sorted([
('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
'ProfileList\\ProfilesDirectory'),
('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
'ProfileList\\AllUsersProfile')
])
self.assertEqual(sorted(collector_definition.path_list),
expected_path_list)
# Artifact with Windows Registry value collector definition.
artifact_definition = artifact_definitions[2]
self.assertEqual(artifact_definition.name, 'CurrentControlSet')
self.assertEqual(len(artifact_definition.collectors), 1)
collector_definition = artifact_definition.collectors[0]
self.assertNotEqual(collector_definition, None)
self.assertEqual(collector_definition.type_indicator,
definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE)
expected_path_list = sorted(
['HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current'])
self.assertEqual(sorted(collector_definition.path_list),
expected_path_list)
# Artifact with WMI query collector definition.
artifact_definition = artifact_definitions[3]
self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir')
expected_provides = sorted(['users.homedir'])
self.assertEqual(sorted(artifact_definition.provides),
expected_provides)
self.assertEqual(len(artifact_definition.collectors), 1)
collector_definition = artifact_definition.collectors[0]
self.assertNotEqual(collector_definition, None)
self.assertEqual(collector_definition.type_indicator,
definitions.TYPE_INDICATOR_WMI_QUERY)
expected_query = (
'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'')
self.assertEqual(collector_definition.query, expected_query)
# Artifact with artifact definition collector definition.
artifact_definition = artifact_definitions[4]
self.assertEqual(artifact_definition.name, 'EventLogs')
self.assertEqual(len(artifact_definition.collectors), 1)
collector_definition = artifact_definition.collectors[0]
self.assertNotEqual(collector_definition, None)
self.assertEqual(collector_definition.type_indicator,
definitions.TYPE_INDICATOR_ARTIFACT)
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(
description=('Checks artifact definitions on a storage media image.'))
argument_parser.add_argument(
'--artifact_definitions',
'--artifact-definitions',
dest='artifact_definitions',
type=str,
metavar='PATH',
action='store',
help=('Path to a directory or file containing the artifact definition '
'.yaml files.'))
argument_parser.add_argument('--back_end',
'--back-end',
dest='back_end',
action='store',
metavar='NTFS',
default=None,
help='preferred dfVFS back-end.')
argument_parser.add_argument(
'--partitions',
'--partition',
dest='partitions',
action='store',
type=str,
default=None,
help=
('Define partitions to be processed. A range of partitions can be '
'defined as: "3..5". Multiple partitions can be defined as: "1,3,5" '
'(a list of comma separated values). Ranges and lists can also be '
'combined as: "1,3..5". The first partition is 1. All partitions '
'can be specified with: "all".'))
argument_parser.add_argument(
'--snapshots',
'--snapshot',
dest='snapshots',
action='store',
type=str,
default=None,
help=
('Define snapshots to be processed. A range of snapshots can be '
'defined as: "3..5". Multiple snapshots can be defined as: "1,3,5" '
'(a list of comma separated values). Ranges and lists can also be '
'combined as: "1,3..5". The first snapshot is 1. All snapshots can '
'be specified with: "all".'))
argument_parser.add_argument(
'--volumes',
'--volume',
dest='volumes',
action='store',
type=str,
default=None,
help=
('Define volumes to be processed. A range of volumes can be defined '
'as: "3..5". Multiple volumes can be defined as: "1,3,5" (a list '
'of comma separated values). Ranges and lists can also be combined '
'as: "1,3..5". The first volume is 1. All volumes can be specified '
'with: "all".'))
argument_parser.add_argument(
'-w',
'--windows_version',
'--windows-version',
dest='windows_version',
action='store',
metavar='Windows XP',
default=None,
help='string that identifies the Windows version.')
argument_parser.add_argument('source',
nargs='?',
action='store',
metavar='image.raw',
default=None,
help='path of the storage media image.')
options = argument_parser.parse_args()
if not options.source:
print('Path to source storage media image is missing.')
print('')
argument_parser.print_help()
print('')
return False
if not options.artifact_definitions:
print('Path to artifact definitions is missing.')
print('')
argument_parser.print_help()
print('')
return False
dfimagetools_helpers.SetDFVFSBackEnd(options.back_end)
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
if os.path.isdir(options.artifact_definitions):
registry.ReadFromDirectory(reader, options.artifact_definitions)
elif os.path.isfile(options.artifact_definitions):
registry.ReadFromFile(reader, options.artifact_definitions)
mediator = dfvfs_command_line.CLIVolumeScannerMediator()
scanner = volume_scanner.ArtifactDefinitionsVolumeScanner(
registry, mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = mediator.ParseVolumeIdentifiersString(
options.partitions)
if options.snapshots == 'none':
volume_scanner_options.snapshots = ['none']
else:
volume_scanner_options.snapshots = mediator.ParseVolumeIdentifiersString(
options.snapshots)
volume_scanner_options.volumes = mediator.ParseVolumeIdentifiersString(
options.volumes)
try:
if not scanner.ScanForOperatingSystemVolumes(
options.source, options=volume_scanner_options):
print('Unable to retrieve an operating system volume from: {0:s}.'.
format(options.source))
print('')
return False
definitions_with_check_results = {}
for artifact_definition in registry.GetDefinitions():
group_only = True
for source in artifact_definition.sources:
if source.type_indicator != (
artifacts_definitions.TYPE_INDICATOR_ARTIFACT_GROUP):
group_only = False
break
if group_only:
# Not interested in results of group-only artifact definitions.
continue
check_result = scanner.CheckArtifactDefinition(artifact_definition)
if check_result.number_of_file_entries:
definitions_with_check_results[
artifact_definition.name] = check_result
except dfvfs_errors.ScannerError as exception:
print('[ERROR] {0!s}'.format(exception), file=sys.stderr)
print('')
return False
except KeyboardInterrupt:
print('Aborted by user.', file=sys.stderr)
print('')
return False
print('Aritfact definitions found:')
for name, check_result in sorted(definitions_with_check_results.items()):
text = '* {0:s} [results: {1:d}]'.format(
name, check_result.number_of_file_entries)
if check_result.data_formats:
text = '{0:s} [formats: {1:s}]'.format(
text, ', '.join(sorted(check_result.data_formats)))
print(text)
print('')
return True
def testParseSystemWithArtifactFilters(self):
"""Tests the Parse function on a SYSTEM file with artifact filters."""
parser = winreg.WinRegistryParser()
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifacts_filters = ['TestRegistryKey', 'TestRegistryValue']
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader,
self._GetTestFilePath(['artifacts']))
test_filter_file = artifact_filters.ArtifactDefinitionsFilterHelper(
registry, artifacts_filters, knowledge_base)
test_filter_file.BuildFindSpecs(environment_variables=None)
find_specs = {
test_filter_file.KNOWLEDGE_BASE_VALUE:
knowledge_base.GetValue(test_filter_file.KNOWLEDGE_BASE_VALUE)
}
storage_writer = self._ParseFile(['SYSTEM'],
parser,
knowledge_base_values=find_specs)
events = list(storage_writer.GetEvents())
parser_chains = self._GetParserChains(events)
# Check the existence of few known plugins, see if they
# are being properly picked up and are parsed.
plugin_names = [
'windows_usbstor_devices', 'windows_boot_execute',
'windows_services'
]
for plugin in plugin_names:
expected_parser_chain = self._PluginNameToParserChain(plugin)
self.assertTrue(
expected_parser_chain in parser_chains,
'Chain {0:s} not found in events.'.format(
expected_parser_chain))
# Check that the number of events produced by each plugin are correct.
# There will be 5 usbstor chains for currentcontrolset:
# 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR'
parser_chain = self._PluginNameToParserChain('windows_usbstor_devices')
self.assertEqual(parser_chains.get(parser_chain, 0), 5)
# There will be 4 Windows boot execute chains for key_value pairs:
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager',
# value: 'BootExecute'}
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
# value: 'BootExecute'}
parser_chain = self._PluginNameToParserChain('windows_boot_execute')
self.assertEqual(parser_chains.get(parser_chain, 0), 4)
# There will be 831 windows services chains for keys:
# 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**'
# 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**'
parser_chain = self._PluginNameToParserChain('windows_services')
self.assertEqual(parser_chains.get(parser_chain, 0), 831)
