def GetSourceFileSystemSearcher(self, resolver_context=None):
"""Retrieves the file system searcher of the source.
Args:
resolver_context: Optional resolver context (instance of dfvfs.Context).
The default is None. Note that every thread or process
must have its own resolver context.
Returns:
The file system searcher object (instance of dfvfs.FileSystemSearcher).
Raises:
RuntimeError: if source path specification is not set.
"""
if not self._source_path_spec:
raise RuntimeError(u'Missing source.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(
self._source_path_spec, resolver_context=resolver_context)
type_indicator = self._source_path_spec.type_indicator
if type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS:
mount_point = self._source_path_spec
else:
mount_point = self._source_path_spec.parent
return file_system_searcher.FileSystemSearcher(file_system, mount_point)
def Preprocess(self,
artifacts_registry_object,
source_path_specs,
resolver_context=None):
detected_operating_systems = []
for source_path_spec in source_path_specs:
if source_path_spec.IsFileSystem():
try:
file_system, mount_point = self._GetSourceFileSystem(
source_path_spec, resolver_context=resolver_context)
except (RuntimeError, dfvfs_errors.BackEndError) as exception:
logger.error(exception)
continue
try:
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
operating_system = self._DetermineOperatingSystem(searcher)
if operating_system != definitions.OPERATING_SYSTEM_FAMILY_UNKNOWN:
preprocess_manager.PreprocessPluginsManager.RunPlugins(
artifacts_registry_object, file_system,
mount_point, self.knowledge_base)
detected_operating_systems.append(operating_system)
finally:
file_system.Close()
if detected_operating_systems:
logger.info(
'Preprocessing detected operating systems: {0:s}'.format(
', '.join(detected_operating_systems)))
self.knowledge_base.SetValue('operating_system',
detected_operating_systems)
def _RunPreprocessorPluginOnFileSystem(self, file_system, mount_point,
storage_writer, plugin):
"""Runs a preprocessor plugin on a file system.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
storage_writer (StorageWriter): storage writer.
plugin (ArtifactPreprocessorPlugin): preprocessor plugin.
Return:
PreprocessMediator: preprocess mediator.
"""
artifact_definition = self._artifacts_registry.GetDefinitionByName(
plugin.ARTIFACT_DEFINITION_NAME)
self.assertIsNotNone(artifact_definition)
session = sessions.Session()
test_knowledge_base = knowledge_base.KnowledgeBase()
test_mediator = mediator.PreprocessMediator(session, storage_writer,
test_knowledge_base)
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
plugin.Collect(test_mediator, artifact_definition, searcher,
file_system)
return test_mediator
def PreprocessSources(self, source_path_specs, resolver_context=None):
"""Preprocesses the sources.
Args:
source_path_specs: list of path specifications (instances of
dfvfs.PathSpec) to process.
resolver_context: Optional resolver context (instance of dfvfs.Context).
The default is None which will use the built in context
which is not multi process safe. Note that every thread
or process must have its own resolver context.
"""
for source_path_spec in source_path_specs:
file_system, mount_point = self.GetSourceFileSystem(
source_path_spec, resolver_context=resolver_context)
try:
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
platform = preprocess_interface.GuessOS(searcher)
if platform:
self.knowledge_base.platform = platform
preprocess_manager.PreprocessPluginsManager.RunPlugins(
platform, file_system, mount_point,
self.knowledge_base)
finally:
file_system.Close()
if platform:
break
def testCollect(self):
"""Tests the Collect function."""
file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
test_file_path = shared_test_lib.GetTestFilePath(['SOFTWARE'])
file_system_builder.AddFileReadData(
'/Windows/System32/config/SOFTWARE', test_file_path)
test_file_path = shared_test_lib.GetTestFilePath(['SYSTEM'])
file_system_builder.AddFileReadData('/Windows/System32/config/SYSTEM',
test_file_path)
session = sessions.Session()
test_knowledge_base = knowledge_base.KnowledgeBase()
storage_writer = fake_writer.FakeStorageWriter()
test_mediator = mediator.PreprocessMediator(session, storage_writer,
test_knowledge_base)
mount_point = fake_path_spec.FakePathSpec(location='/')
searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
plugin = generic.DetermineOperatingSystemPlugin()
storage_writer.Open()
try:
plugin.Collect(test_mediator, None, searcher,
file_system_builder.file_system)
finally:
storage_writer.Close()
operating_system = test_mediator.knowledge_base.GetValue(
'operating_system')
self.assertEqual(operating_system, 'Windows NT')
def _Preprocess(self, file_system, mount_point):
"""Preprocesses the image.
Args:
file_system: the file system object (instance of vfs.FileSystem)
to be preprocessed.
mount_point: the mount point path specification (instance of
path.PathSpec) that refers to the base location
of the file system.
"""
if self._knowledge_base is not None:
return
self._knowledge_base = knowledge_base.KnowledgeBase()
logging.info(u'Guessing OS')
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
platform = preprocess_interface.GuessOS(searcher)
logging.info(u'OS: {0:s}'.format(platform))
logging.info(u'Running preprocess.')
preprocess_manager.PreprocessPluginsManager.RunPlugins(
platform, file_system, mount_point, self._knowledge_base)
logging.info(u'Preprocess done, saving files from image.')
def testBuildFindSpecsWithYAMLFilterFile(self):
"""Tests the BuildFindSpecs function with YAML filter file."""
test_filter_file = yaml_filter_file.YAMLFilterFile()
test_path_filters = test_filter_file._ReadFromFileObject(
io.StringIO(self._YAML_FILTER_FILE_DATA))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
test_helper = path_filters.PathCollectionFiltersHelper()
test_helper.BuildFindSpecs(
test_path_filters, environment_variables=[environment_variable])
self.assertEqual(len(test_helper.included_file_system_find_specs), 5)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
file_system.Close()
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
def _RunPreprocessorPluginOnFileSystem(self, file_system, mount_point,
plugin):
"""Runs a preprocessor plugin on a file system.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
plugin (ArtifactPreprocessorPlugin): preprocessor plugin.
Return:
KnowledgeBase: knowledge base filled with preprocessing information.
"""
artifact_definition = self._artifacts_registry.GetDefinitionByName(
plugin.ARTIFACT_DEFINITION_NAME)
self.assertIsNotNone(artifact_definition)
knowledge_base_object = knowledge_base.KnowledgeBase()
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
plugin.Collect(knowledge_base_object, artifact_definition, searcher,
file_system)
return knowledge_base_object
def _GetSourceFileSystemSearcher(self, resolver_context=None):
"""Retrieves the file system searcher of the source.
Args:
resolver_context: Optional resolver context (instance of dfvfs.Context).
The default is None. Note that every thread or process
must have its own resolver context.
Returns:
A tuple of the file system (instance of dfvfs.FileSystem) and
the file system searcher object (instance of dfvfs.FileSystemSearcher).
Raises:
RuntimeError: if source path specification is not set.
"""
if not self._source_path_spec:
raise RuntimeError(u'Missing source.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(
self._source_path_spec, resolver_context=resolver_context)
type_indicator = self._source_path_spec.type_indicator
if path_spec_factory.Factory.IsSystemLevelTypeIndicator(type_indicator):
mount_point = self._source_path_spec
else:
mount_point = self._source_path_spec.parent
searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point)
return file_system, searcher
def RunPlugins(cls, artifacts_registry, file_system, mount_point,
knowledge_base):
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher,
file_system)
environment_variables = None
if knowledge_base:
environment_variables = knowledge_base.GetEnvironmentVariables()
registry_file_reader = FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=environment_variables)
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
searcher = registry_searcher.WinRegistrySearcher(win_registry)
cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base,
searcher)
cls.CollectFromKnowledgeBase(knowledge_base)
if not knowledge_base.HasUserAccounts():
logger.warning('Unable to find any user accounts on the system.')
def RunPlugins(cls, platform, file_system, mount_point, knowledge_base):
"""Runs the plugins for a specific platform.
Args:
platform: A string containing the supported operating system
of the plugin.
file_system: the file system object (instance of vfs.FileSystem)
to be preprocessed.
mount_point: the mount point path specification (instance of
path.PathSpec) that refers to the base location
of the file system.
knowledge_base: A knowledge base object (instance of KnowledgeBase),
which contains information from the source data needed
for parsing.
"""
# TODO: bootstrap the artifact preprocessor.
searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point)
for weight in cls._GetWeights(cls._plugin_classes, platform):
for plugin_object in cls._GetPluginsByWeight(
cls._plugin_classes, platform, weight):
try:
plugin_object.Run(searcher, knowledge_base)
except (IOError, errors.PreProcessFail) as exception:
logging.warning((
u'Unable to run preprocessor: {0:s} for attribute: {1:s} '
u'with error: {2:s}').format(
plugin_object.plugin_name, plugin_object.ATTRIBUTE,
exception))
# Run the Registry plugins separately so we do not have to open
# Registry files in every plugin.
if knowledge_base:
pre_obj = knowledge_base.pre_obj
path_attributes = pre_obj.__dict__
else:
pre_obj = None
path_attributes = None
registry_file_reader = FileSystemWinRegistryFileReader(
file_system, mount_point, path_attributes=path_attributes)
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
for weight in cls._GetWeights(cls._registry_plugin_classes, platform):
for plugin_object in cls._GetPluginsByWeight(
cls._registry_plugin_classes, platform, weight):
try:
plugin_object.Run(win_registry, knowledge_base)
except (IOError, errors.PreProcessFail) as exception:
logging.warning((
u'Unable to run preprocessor: {0:s} for attribute: {1:s} '
u'with error: {2:s}').format(
plugin_object.plugin_name, plugin_object.ATTRIBUTE,
exception))
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._fake_file_system = self._BuildSingleLinkFakeFileSystem(
u'/private/etc/localtime', u'/usr/share/zoneinfo/Europe/Amsterdam')
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddFile(u'/etc/passwd', self._FILE_DATA)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/etc/passwd', self._FILE_DATA)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def _GetSearchersForImage(self, volume_path_spec):
"""Retrieves the file systems searchers for searching the image.
Args:
volume_path_spec: The path specification of the volume containing
the file system (instance of dfvfs.PathSpec).
Returns:
A list of tuples containing the a string identifying the file system
searcher and a file system searcher object (instance of
dfvfs.FileSystemSearcher).
"""
searchers = []
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, location=u'/',
parent=volume_path_spec)
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, volume_path_spec)
searchers.append((u'', searcher))
vss_stores = self._vss_stores
if not vss_stores:
return searchers
for store_index in vss_stores:
vss_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_VSHADOW, store_index=store_index - 1,
parent=volume_path_spec)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, location=u'/',
parent=vss_path_spec)
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, vss_path_spec)
searchers.append((
u':VSS Store {0:d}'.format(store_index), searcher))
return searchers
def setUp(self):
"""Sets up the needed objects used throughout the test."""
file_data = self._ReadTestFile([u'SYSTEM'])
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/Windows/System32/config/SYSTEM', file_data)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def testBuildFindSpecsWithFileSystem(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
knowledge_base = knowledge_base_engine.KnowledgeBase()
testuser1 = artifacts.UserAccountArtifact(
identifier='1000',
user_directory='C:\\\\Users\\\\testuser1',
username='******')
knowledge_base.AddUserAccount(testuser1)
testuser2 = artifacts.UserAccountArtifact(
identifier='1001',
user_directory='C:\\\\Users\\\\testuser2',
username='******')
knowledge_base.AddUserAccount(testuser2)
test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper(
['TestFiles', 'TestFiles2'], knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
test_filter_file.BuildFindSpecs(
environment_variables=[environment_variable])
find_specs_per_source_type = knowledge_base.GetValue(
test_filter_file.KNOWLEDGE_BASE_VALUE)
find_specs = find_specs_per_source_type.get(
artifact_types.TYPE_INDICATOR_FILE, [])
# Should build 15 FindSpec entries.
self.assertEqual(len(find_specs), 15)
# Last find_spec should contain the testuser2 profile path.
location_segments = sorted(
[find_spec._location_segments for find_spec in find_specs])
path_segments = [
'Users', 'testuser2', 'Documents', 'WindowsPowerShell',
'profile\\.ps1'
]
self.assertEqual(location_segments[2], path_segments)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(find_specs=find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddSymbolicLink(
u'/private/etc/localtime', u'/usr/share/zoneinfo/Europe/Amsterdam')
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/Library/Preferences/SystemConfiguration/preferences.plist',
self._FILE_DATA)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def _ExtractWithFilter(self,
source_path_specs,
destination_path,
output_writer,
artifact_filters,
filter_file,
artifact_definitions_path,
custom_artifacts_path,
skip_duplicates=True):
"""Extracts files using a filter expression.
This method runs the file extraction process on the image and
potentially on every VSS if that is wanted.
Args:
source_path_specs (list[dfvfs.PathSpec]): path specifications to extract.
destination_path (str): path where the extracted files should be stored.
output_writer (CLIOutputWriter): output writer.
artifact_definitions_path (str): path to artifact definitions file.
custom_artifacts_path (str): path to custom artifact definitions file.
artifact_filters (list[str]): names of artifact definitions that are
used for filtering file system and Windows Registry key paths.
filter_file (str): path of the file that contains the filter file path
filters.
skip_duplicates (Optional[bool]): True if files with duplicate content
should be skipped.
"""
extraction_engine = engine.BaseEngine()
# If the source is a directory or a storage media image
# run pre-processing.
if self._source_type in self._SOURCE_TYPES_TO_PREPROCESS:
self._PreprocessSources(extraction_engine)
for source_path_spec in source_path_specs:
file_system, mount_point = self._GetSourceFileSystem(
source_path_spec, resolver_context=self._resolver_context)
display_name = path_helper.PathHelper.GetDisplayNameForPathSpec(
source_path_spec)
output_writer.Write(
'Extracting file entries from: {0:s}\n'.format(display_name))
filter_find_specs = engine.BaseEngine.BuildFilterFindSpecs(
artifact_definitions_path, custom_artifacts_path,
extraction_engine.knowledge_base, artifact_filters,
filter_file)
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
for path_spec in searcher.Find(find_specs=filter_find_specs):
self._ExtractFileEntry(path_spec,
destination_path,
output_writer,
skip_duplicates=skip_duplicates)
file_system.Close()
def setUp(self):
"""Sets up the needed objects used throughout the test."""
file_data = self._ReadTestFile([u'com.apple.HIToolbox.plist'])
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/Library/Preferences/com.apple.HIToolbox.plist', file_data)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def testBuildFindSpecsWithFileSystem(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
test_file_path = self._GetTestFilePath(['System.evtx'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_1.txt'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_3.txt'])
self._SkipIfPathNotExists(test_file_path)
knowledge_base = self._CreateTestKnowledgeBaseWindows()
artifact_filter_names = ['TestFiles', 'TestFiles2']
test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
test_filters_helper.BuildFindSpecs(
artifact_filter_names,
environment_variables=[environment_variable])
self.assertEqual(
len(test_filters_helper.included_file_system_find_specs), 16)
self.assertEqual(len(test_filters_helper.registry_find_specs), 0)
# Last find_spec should contain the testuser2 profile path.
location_segments = sorted([
find_spec._location_segments for find_spec in
test_filters_helper.included_file_system_find_specs
])
path_segments = [
'Users', 'testuser2', 'Documents', 'WindowsPowerShell',
'profile\\.ps1'
]
self.assertEqual(location_segments[2], path_segments)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_filters_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddFile(u'/Windows/System32/config/SYSTEM',
self._FILE_DATA)
mount_point = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddFile(
u'/Library/Preferences/SystemConfiguration/preferences.plist',
self._FILE_DATA)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddTestFile(
u'/private/var/db/dslocal/nodes/Default/users/nobody.plist',
[u'com.apple.HIToolbox.plist'])
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = shared_test_lib.FakeFileSystemBuilder()
file_system_builder.AddTestFile(
u'/Library/Preferences/com.apple.HIToolbox.plist',
[u'com.apple.HIToolbox.plist'])
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
file_data = self._ReadTestFile([u'com.apple.HIToolbox.plist'])
self._fake_file_system = self._BuildSingleFileFakeFileSystem(
u'/private/var/db/dslocal/nodes/Default/users/nobody.plist',
file_data)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
self._fake_file_system, mount_point)
def setUp(self):
"""Makes preparations before running an individual test."""
file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
file_system_builder.AddFile(
u'/System/Library/CoreServices/SystemVersion.plist',
self._FILE_DATA)
mount_point = fake_path_spec.FakePathSpec(location=u'/')
self._searcher = file_system_searcher.FileSystemSearcher(
file_system_builder.file_system, mount_point)
def RunPlugins(cls, file_system, mount_point, knowledge_base):
"""Runs the preprocessing plugins.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
knowledge_base (KnowledgeBase): to fill with preprocessing information.
"""
# TODO: bootstrap the artifact preprocessor.
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
for plugin_object in cls._GetPluginObjects(
cls._file_system_plugin_classes):
try:
plugin_object.Run(searcher, knowledge_base)
# All exceptions need to be caught here to prevent the manager
# from being killed by an uncaught exception.
except Exception as exception: # pylint: disable=broad-except
logging.warning(
u'Preprocess plugin: {0:s} run failed with error: {1:s}'.
format(plugin_object.plugin_name, exception))
# Run the Registry plugins separately so we do not have to open
# Registry files in every plugin.
environment_variables = None
if knowledge_base:
environment_variables = knowledge_base.GetEnvironmentVariables()
registry_file_reader = FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=environment_variables)
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
for plugin_object in cls._GetPluginObjects(
cls._registry_plugin_classes):
try:
plugin_object.Run(win_registry, knowledge_base)
# All exceptions need to be caught here to prevent the manager
# from being killed by an uncaught exception.
except Exception as exception: # pylint: disable=broad-except
logging.warning(
u'Preprocess plugin: {0:s} run failed with error: {1:s}'.
format(plugin_object.plugin_name, exception))
if not knowledge_base.HasUserAccounts():
logging.warning(u'Unable to find any user accounts on the system.')
def _ExtractPathSpecsFromFileSystem(self,
path_spec,
find_specs=None,
recurse_file_system=True,
resolver_context=None):
"""Extracts path specification from a file system within a specific source.
Args:
path_spec (dfvfs.PathSpec): path specification of the root of
the file system.
find_specs (Optional[list[dfvfs.FindSpec]]): find specifications
used in path specification extraction.
recurse_file_system (Optional[bool]): True if extraction should
recurse into a file system.
resolver_context (Optional[dfvfs.Context]): resolver context.
Yields:
dfvfs.PathSpec: path specification of a file entry found in
the file system.
"""
file_system = None
try:
file_system = path_spec_resolver.Resolver.OpenFileSystem(
path_spec, resolver_context=resolver_context)
except (dfvfs_errors.AccessError, dfvfs_errors.BackEndError,
dfvfs_errors.PathSpecError) as exception:
logger.error('Unable to open file system with error: {0!s}'.format(
exception))
if file_system:
try:
if find_specs:
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
for extracted_path_spec in searcher.Find(
find_specs=find_specs):
yield extracted_path_spec
elif recurse_file_system:
file_entry = file_system.GetFileEntryByPathSpec(path_spec)
if file_entry:
for extracted_path_spec in self._ExtractPathSpecsFromDirectory(
file_entry):
yield extracted_path_spec
else:
yield path_spec
except (dfvfs_errors.AccessError, dfvfs_errors.BackEndError,
dfvfs_errors.PathSpecError) as exception:
logger.warning('{0!s}'.format(exception))
finally:
file_system.Close()
