def ParseOptions(cls, options, configuration_object): """Parses and validates options. Args: options (argparse.Namespace): parser options. configuration_object (CLITool): object to be configured by the argument helper. Raises: BadConfigObject: when the configuration object is of the wrong type. BadConfigOption: if the required artifact definitions are not defined. """ if not isinstance(configuration_object, tools.CLITool): raise errors.BadConfigObject( 'Configuration object is not an instance of CLITool') artifacts_path = getattr(options, 'artifact_definitions_path', None) if ((not artifacts_path or not os.path.exists(artifacts_path)) and configuration_object.data_location): artifacts_path = os.path.dirname( configuration_object.data_location) artifacts_path = os.path.join(artifacts_path, 'artifacts') if not os.path.exists( artifacts_path) and 'VIRTUAL_ENV' in os.environ: artifacts_path = os.path.join(os.environ['VIRTUAL_ENV'], 'share', 'artifacts') if not os.path.exists(artifacts_path): artifacts_path = os.path.join(sys.prefix, 'share', 'artifacts') if not os.path.exists(artifacts_path): artifacts_path = os.path.join(sys.prefix, 'local', 'share', 'artifacts') if sys.prefix != '/usr': if not os.path.exists(artifacts_path): artifacts_path = os.path.join('/usr', 'share', 'artifacts') if not os.path.exists(artifacts_path): artifacts_path = os.path.join('/usr', 'local', 'share', 'artifacts') if not os.path.exists(artifacts_path): artifacts_path = None if not artifacts_path or not os.path.exists(artifacts_path): raise errors.BadConfigOption( 'Unable to determine path to artifact definitions.') custom_artifacts_path = getattr(options, 'custom_artifact_definitions_path', None) if custom_artifacts_path and not os.path.exists(custom_artifacts_path): raise errors.BadConfigOption( ('Unable to determine path to custom artifact definitions: ' '{0:s}.').format(custom_artifacts_path)) if custom_artifacts_path: logger.info('Custom artifact definitions path: {0:s}'.format( custom_artifacts_path)) registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() logger.info('Determined artifact definitions path: {0:s}'.format( artifacts_path)) try: if os.path.isdir(artifacts_path): registry.ReadFromDirectory(reader, artifacts_path) else: registry.ReadFromFile(reader, artifacts_path) except (KeyError, artifacts_errors.FormatError) as exception: raise errors.BadConfigOption( ('Unable to read artifact definitions from: {0:s} with error: ' '{1!s}').format(artifacts_path, exception)) if custom_artifacts_path: try: if os.path.isdir(custom_artifacts_path): registry.ReadFromDirectory(reader, custom_artifacts_path) else: registry.ReadFromFile(reader, custom_artifacts_path) except (KeyError, artifacts_errors.FormatError) as exception: raise errors.BadConfigOption(( 'Unable to read custorm artifact definitions from: {0:s} with ' 'error: {1!s}').format(custom_artifacts_path, exception)) for name in preprocessors_manager.PreprocessPluginsManager.GetNames(): if not registry.GetDefinitionByName(name): raise errors.BadConfigOption( 'Missing required artifact definition: {0:s}'.format(name)) setattr(configuration_object, '_artifact_definitions_path', artifacts_path) setattr(configuration_object, '_custom_artifacts_path', custom_artifacts_path)
def testReadFileObject(self): """Tests the ReadFileObject function.""" artifact_reader = reader.YamlArtifactsReader() test_file = self._GetTestFilePath(['definitions.yaml']) with open(test_file, 'rb') as file_object: artifact_definitions = list(artifact_reader.ReadFileObject(file_object)) self.assertEqual(len(artifact_definitions), 7) # Artifact with file source type. artifact_definition = artifact_definitions[0] self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(artifact_definition.description, expected_description) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_paths = [ '%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx' ] self.assertEqual(sorted(source_type.paths), sorted(expected_paths)) self.assertEqual(len(artifact_definition.conditions), 1) expected_condition = 'os_major_version >= 6' self.assertEqual(artifact_definition.conditions[0], expected_condition) self.assertEqual(len(artifact_definition.labels), 1) self.assertEqual(artifact_definition.labels[0], 'Logs') self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') self.assertEqual(len(artifact_definition.urls), 1) expected_url = ( 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)') self.assertEqual(artifact_definition.urls[0], expected_url) # Artifact with Windows Registry key source type. artifact_definition = artifact_definitions[1] self.assertEqual( artifact_definition.name, 'AllUsersProfileEnvironmentVariable') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY) expected_key1 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\ProfilesDirectory') expected_key2 = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\AllUsersProfile') expected_keys = [expected_key1, expected_key2] self.assertEqual(sorted(source_type.keys), sorted(expected_keys)) # Artifact with Windows Registry value source type. artifact_definition = artifact_definitions[2] self.assertEqual(artifact_definition.name, 'CurrentControlSet') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE) self.assertEqual(len(source_type.key_value_pairs), 1) key_value_pair = source_type.key_value_pairs[0] expected_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Select' self.assertEqual(key_value_pair['key'], expected_key) self.assertEqual(key_value_pair['value'], 'Current') # Artifact with WMI query source type. artifact_definition = artifact_definitions[3] self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir') expected_provides = sorted(['users.homedir']) self.assertEqual(sorted(artifact_definition.provides), expected_provides) self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY) expected_query = ( 'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'') self.assertEqual(source_type.query, expected_query) # Artifact with artifact definition source type. artifact_definition = artifact_definitions[4] self.assertEqual(artifact_definition.name, 'EventLogs') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT_GROUP) # Artifact with command definition source type. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) source_type = artifact_definition.sources[0] self.assertIsNotNone(source_type) self.assertEqual( source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND) # Artifact with COMMAND definition collector definition. artifact_definition = artifact_definitions[5] self.assertEqual(artifact_definition.name, 'RedhatPackagesList') self.assertEqual(len(artifact_definition.sources), 1) collector_definition = artifact_definition.sources[0] self.assertIsNotNone(collector_definition) self.assertEqual( collector_definition.type_indicator, definitions.TYPE_INDICATOR_COMMAND)
def testParseSystemWithArtifactFilters(self): """Tests the Parse function on a SYSTEM file with artifact filters.""" artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(artifacts_path) parser = winreg_parser.WinRegistryParser() knowledge_base = knowledge_base_engine.KnowledgeBase() artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue'] registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() registry.ReadFromDirectory(reader, artifacts_path) artifacts_filters_helper = ( artifact_filters.ArtifactDefinitionsFiltersHelper( registry, knowledge_base)) artifacts_filters_helper.BuildFindSpecs(artifact_filter_names, environment_variables=None) storage_writer = self._ParseFile( ['SYSTEM'], parser, collection_filters_helper=artifacts_filters_helper) parser_chains = self._GetParserChains(storage_writer) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ 'windows_usbstor_devices', 'windows_boot_execute', 'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._GetParserChainOfPlugin(plugin) self.assertIn(expected_parser_chain, parser_chains.keys()) # Check that the number of events produced by each plugin are correct. # There will be 10 usbstor chains for ControlSet001 and ControlSet002: # 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR' parser_chain = self._GetParserChainOfPlugin('windows_usbstor_devices') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 10) # There will be 4 Windows boot execute chains for key_value pairs: # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', # value: 'BootExecute'} # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager', # value: 'BootExecute'} parser_chain = self._GetParserChainOfPlugin('windows_boot_execute') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 4) # There will be 831 windows services chains for keys: # 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**' # 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**' parser_chain = self._GetParserChainOfPlugin('windows_services') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 831)
def testYamlWriter(self): """Tests conversion with the YamlArtifactsWriter.""" artifact_reader = reader.YamlArtifactsReader() artifact_writer = writer.YamlArtifactsWriter() self._TestArtifactsConversion(artifact_reader, artifact_writer, 'definitions.yaml')
def CheckFile(self, filename): """Validates the artifacts definition in a specific file. Args: filename (str): name of the artifacts definition file. Returns: bool: True if the file contains valid artifacts definitions. """ result = True artifact_reader = reader.YamlArtifactsReader() try: for artifact_definition in artifact_reader.ReadFile(filename): try: self._artifact_registry.RegisterDefinition(artifact_definition) except KeyError: logging.warning( 'Duplicate artifact definition: {0:s} in file: {1:s}'.format( artifact_definition.name, filename)) result = False artifact_definition_supports_windows = ( definitions.SUPPORTED_OS_WINDOWS in ( artifact_definition.supported_os)) for source in artifact_definition.sources: if source.type_indicator in ( definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH): if (artifact_definition_supports_windows or definitions.SUPPORTED_OS_WINDOWS in source.supported_os): for path in source.paths: if not self._CheckWindowsPath( filename, artifact_definition, source, path): result = False elif source.type_indicator == ( definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): # Exempt the legacy file from duplicate checking because it has # duplicates intentionally. if (filename != self.LEGACY_PATH and self._HasDuplicateRegistryKeyPaths( filename, artifact_definition, source)): result = False for key_path in source.keys: if not self._CheckRegistryKeyPath( filename, artifact_definition, key_path): result = False elif source.type_indicator == ( definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE): for key_value_pair in source.key_value_pairs: if not self._CheckRegistryKeyPath( filename, artifact_definition, key_value_pair['key']): result = False except errors.FormatError as exception: logging.warning( 'Unable to validate file: {0:s} with error: {1!s}'.format( filename, exception)) result = False return result
def testParseRegistry(self): """Tests the _ParseRegistryFile and ParseRegistryKey functions.""" path = self._GetTestFilePath(['artifacts']) artifact_registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() artifact_registry.ReadFromDirectory(reader, path) test_tool = self._ConfigureSingleFileTest() registry_helpers = test_tool.GetRegistryHelpers( artifact_registry, registry_file_types=['SYSTEM']) registry_helper = registry_helpers[0] plugins = test_tool._GetRegistryPluginsFromRegistryType('SYSTEM') key_list = [] plugin_list = [] for plugin in plugins: for key_filter in plugin.FILTERS: plugin_list.append(plugin.NAME) key_list.extend(key_filter.key_paths) test_tool._ExpandKeysRedirect(key_list) parsed_data = test_tool._ParseRegistryFile(registry_helper, key_paths=key_list, use_plugins=plugin_list) for key_parsed in parsed_data: self.assertIn(key_parsed, key_list) usb_parsed_data = parsed_data.get( 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Enum\\USBSTOR', None) self.assertIsNotNone(usb_parsed_data) usb_key = usb_parsed_data.get('key', None) self.assertIsNotNone(usb_key) expected_key_path = ( 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum\\USBSTOR') self.assertEqual(usb_key.path, expected_key_path) data = usb_parsed_data.get('data', None) self.assertIsNotNone(data) plugin_names = [plugin.NAME for plugin in data.keys()] self.assertIn('windows_usbstor_devices', plugin_names) usb_plugin = None for plugin in data.keys(): if plugin.NAME == 'windows_usbstor_devices': usb_plugin = plugin break event_objects = data.get(usb_plugin, []) self.assertEqual(len(event_objects), 5) event = event_objects[2] self.assertEqual(event.data_type, 'windows:registry:key_value') parse_key_data = test_tool.ParseRegistryKey( usb_key, registry_helper, use_plugins='windows_usbstor_devices') self.assertEqual(len(parse_key_data.keys()), 1) parsed_key_value = parse_key_data.values()[0] for index, event in enumerate(event_objects): parsed_key_event = parsed_key_value[index] event_values = event.CopyToDict() parsed_key_event_values = parsed_key_event.CopyToDict() self.assertEqual(event_values, parsed_key_event_values)
def testRead(self): """Tests the Read function.""" artifact_reader = reader.YamlArtifactsReader() test_file = os.path.join('test_data', 'definitions.yaml') with open(test_file, 'rb') as file_object: artifact_definitions = list(artifact_reader.Read(file_object)) self.assertEqual(len(artifact_definitions), 5) # Artifact with file collector definition. artifact_definition = artifact_definitions[0] self.assertEqual(artifact_definition.name, 'SecurityEventLogEvtx') expected_description = ( 'Windows Security Event log for Vista or later systems.') self.assertEqual(artifact_definition.description, expected_description) self.assertEqual(artifact_definition.doc, expected_description) self.assertEqual(len(artifact_definition.collectors), 1) collector_definition = artifact_definition.collectors[0] self.assertNotEqual(collector_definition, None) self.assertEqual(collector_definition.type_indicator, definitions.TYPE_INDICATOR_FILE) expected_path_list = sorted( ['%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx']) self.assertEqual(sorted(collector_definition.path_list), expected_path_list) self.assertEqual(len(artifact_definition.conditions), 1) expected_condition = 'os_major_version >= 6' self.assertEqual(artifact_definition.conditions[0], expected_condition) self.assertEqual(len(artifact_definition.labels), 1) self.assertEqual(artifact_definition.labels[0], 'Logs') self.assertEqual(len(artifact_definition.supported_os), 1) self.assertEqual(artifact_definition.supported_os[0], 'Windows') self.assertEqual(len(artifact_definition.urls), 1) expected_url = ( 'http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)') self.assertEqual(artifact_definition.urls[0], expected_url) # Artifact with Windows Registry key collector definition. artifact_definition = artifact_definitions[1] self.assertEqual(artifact_definition.name, 'AllUsersProfileEnvironmentVariable') self.assertEqual(len(artifact_definition.collectors), 1) collector_definition = artifact_definition.collectors[0] self.assertNotEqual(collector_definition, None) self.assertEqual(collector_definition.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY) expected_path_list = sorted([ ('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\ProfilesDirectory'), ('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\' 'ProfileList\\AllUsersProfile') ]) self.assertEqual(sorted(collector_definition.path_list), expected_path_list) # Artifact with Windows Registry value collector definition. artifact_definition = artifact_definitions[2] self.assertEqual(artifact_definition.name, 'CurrentControlSet') self.assertEqual(len(artifact_definition.collectors), 1) collector_definition = artifact_definition.collectors[0] self.assertNotEqual(collector_definition, None) self.assertEqual(collector_definition.type_indicator, definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE) expected_path_list = sorted( ['HKEY_LOCAL_MACHINE\\SYSTEM\\Select\\Current']) self.assertEqual(sorted(collector_definition.path_list), expected_path_list) # Artifact with WMI query collector definition. artifact_definition = artifact_definitions[3] self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir') expected_provides = sorted(['users.homedir']) self.assertEqual(sorted(artifact_definition.provides), expected_provides) self.assertEqual(len(artifact_definition.collectors), 1) collector_definition = artifact_definition.collectors[0] self.assertNotEqual(collector_definition, None) self.assertEqual(collector_definition.type_indicator, definitions.TYPE_INDICATOR_WMI_QUERY) expected_query = ( 'SELECT * FROM Win32_UserProfile WHERE SID=\'%%users.sid%%\'') self.assertEqual(collector_definition.query, expected_query) # Artifact with artifact definition collector definition. artifact_definition = artifact_definitions[4] self.assertEqual(artifact_definition.name, 'EventLogs') self.assertEqual(len(artifact_definition.collectors), 1) collector_definition = artifact_definition.collectors[0] self.assertNotEqual(collector_definition, None) self.assertEqual(collector_definition.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT)
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser( description=('Checks artifact definitions on a storage media image.')) argument_parser.add_argument( '--artifact_definitions', '--artifact-definitions', dest='artifact_definitions', type=str, metavar='PATH', action='store', help=('Path to a directory or file containing the artifact definition ' '.yaml files.')) argument_parser.add_argument('--back_end', '--back-end', dest='back_end', action='store', metavar='NTFS', default=None, help='preferred dfVFS back-end.') argument_parser.add_argument( '--partitions', '--partition', dest='partitions', action='store', type=str, default=None, help= ('Define partitions to be processed. A range of partitions can be ' 'defined as: "3..5". Multiple partitions can be defined as: "1,3,5" ' '(a list of comma separated values). Ranges and lists can also be ' 'combined as: "1,3..5". The first partition is 1. All partitions ' 'can be specified with: "all".')) argument_parser.add_argument( '--snapshots', '--snapshot', dest='snapshots', action='store', type=str, default=None, help= ('Define snapshots to be processed. A range of snapshots can be ' 'defined as: "3..5". Multiple snapshots can be defined as: "1,3,5" ' '(a list of comma separated values). Ranges and lists can also be ' 'combined as: "1,3..5". The first snapshot is 1. All snapshots can ' 'be specified with: "all".')) argument_parser.add_argument( '--volumes', '--volume', dest='volumes', action='store', type=str, default=None, help= ('Define volumes to be processed. A range of volumes can be defined ' 'as: "3..5". Multiple volumes can be defined as: "1,3,5" (a list ' 'of comma separated values). Ranges and lists can also be combined ' 'as: "1,3..5". The first volume is 1. All volumes can be specified ' 'with: "all".')) argument_parser.add_argument( '-w', '--windows_version', '--windows-version', dest='windows_version', action='store', metavar='Windows XP', default=None, help='string that identifies the Windows version.') argument_parser.add_argument('source', nargs='?', action='store', metavar='image.raw', default=None, help='path of the storage media image.') options = argument_parser.parse_args() if not options.source: print('Path to source storage media image is missing.') print('') argument_parser.print_help() print('') return False if not options.artifact_definitions: print('Path to artifact definitions is missing.') print('') argument_parser.print_help() print('') return False dfimagetools_helpers.SetDFVFSBackEnd(options.back_end) logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() if os.path.isdir(options.artifact_definitions): registry.ReadFromDirectory(reader, options.artifact_definitions) elif os.path.isfile(options.artifact_definitions): registry.ReadFromFile(reader, options.artifact_definitions) mediator = dfvfs_command_line.CLIVolumeScannerMediator() scanner = volume_scanner.ArtifactDefinitionsVolumeScanner( registry, mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = mediator.ParseVolumeIdentifiersString( options.partitions) if options.snapshots == 'none': volume_scanner_options.snapshots = ['none'] else: volume_scanner_options.snapshots = mediator.ParseVolumeIdentifiersString( options.snapshots) volume_scanner_options.volumes = mediator.ParseVolumeIdentifiersString( options.volumes) try: if not scanner.ScanForOperatingSystemVolumes( options.source, options=volume_scanner_options): print('Unable to retrieve an operating system volume from: {0:s}.'. format(options.source)) print('') return False definitions_with_check_results = {} for artifact_definition in registry.GetDefinitions(): group_only = True for source in artifact_definition.sources: if source.type_indicator != ( artifacts_definitions.TYPE_INDICATOR_ARTIFACT_GROUP): group_only = False break if group_only: # Not interested in results of group-only artifact definitions. continue check_result = scanner.CheckArtifactDefinition(artifact_definition) if check_result.number_of_file_entries: definitions_with_check_results[ artifact_definition.name] = check_result except dfvfs_errors.ScannerError as exception: print('[ERROR] {0!s}'.format(exception), file=sys.stderr) print('') return False except KeyboardInterrupt: print('Aborted by user.', file=sys.stderr) print('') return False print('Aritfact definitions found:') for name, check_result in sorted(definitions_with_check_results.items()): text = '* {0:s} [results: {1:d}]'.format( name, check_result.number_of_file_entries) if check_result.data_formats: text = '{0:s} [formats: {1:s}]'.format( text, ', '.join(sorted(check_result.data_formats))) print(text) print('') return True
def testParseSystemWithArtifactFilters(self): """Tests the Parse function on a SYSTEM file with artifact filters.""" parser = winreg.WinRegistryParser() knowledge_base = knowledge_base_engine.KnowledgeBase() artifacts_filters = ['TestRegistryKey', 'TestRegistryValue'] registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() registry.ReadFromDirectory(reader, self._GetTestFilePath(['artifacts'])) test_filter_file = artifact_filters.ArtifactDefinitionsFilterHelper( registry, artifacts_filters, knowledge_base) test_filter_file.BuildFindSpecs(environment_variables=None) find_specs = { test_filter_file.KNOWLEDGE_BASE_VALUE: knowledge_base.GetValue(test_filter_file.KNOWLEDGE_BASE_VALUE) } storage_writer = self._ParseFile(['SYSTEM'], parser, knowledge_base_values=find_specs) events = list(storage_writer.GetEvents()) parser_chains = self._GetParserChains(events) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ 'windows_usbstor_devices', 'windows_boot_execute', 'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._PluginNameToParserChain(plugin) self.assertTrue( expected_parser_chain in parser_chains, 'Chain {0:s} not found in events.'.format( expected_parser_chain)) # Check that the number of events produced by each plugin are correct. # There will be 5 usbstor chains for currentcontrolset: # 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR' parser_chain = self._PluginNameToParserChain('windows_usbstor_devices') self.assertEqual(parser_chains.get(parser_chain, 0), 5) # There will be 4 Windows boot execute chains for key_value pairs: # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', # value: 'BootExecute'} # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager', # value: 'BootExecute'} parser_chain = self._PluginNameToParserChain('windows_boot_execute') self.assertEqual(parser_chains.get(parser_chain, 0), 4) # There will be 831 windows services chains for keys: # 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**' # 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**' parser_chain = self._PluginNameToParserChain('windows_services') self.assertEqual(parser_chains.get(parser_chain, 0), 831)