Ejemplo n.º 1
    def GetValue(self, searcher, unused_knowledge_base):
        """Resolves self.PATH on the file system and returns its relative path.

        self.PATH is passed to the searcher as a case-insensitive location
        regular expression. Only the first match is used.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          unused_knowledge_base: Not used by this method.

        Returns:
          The relative path of the first match, as returned by
          searcher.GetRelativePath().

        Raises:
          PreProcessFail: if nothing matches or the first match has no relative
              path.
        """
        path_regex = self.PATH
        search_spec = file_system_searcher.FindSpec(
            location_regex=path_regex, case_sensitive=False)

        # Collect all results up front so an empty result can be detected.
        matches = list(searcher.Find(find_specs=[search_spec]))
        if len(matches) == 0:
            raise errors.PreProcessFail(
                u'Unable to find path: {0:s}'.format(path_regex))

        # NOTE(review): with several matches the result depends on the order
        # in which the searcher yields them - confirm that is acceptable.
        first_match_path = searcher.GetRelativePath(matches[0])
        if first_match_path:
            return first_match_path

        raise errors.PreProcessFail(
            u'Missing relative path for: {0:s}'.format(path_regex))
Ejemplo n.º 2
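    def _FindFileEntry(self, searcher, path):
        """Searches for the single file entry that matches the path.

        The path is matched case-insensitively. Zero matches and multiple
        matches are both rejected.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          path: The location of the file entry relative to the file system
              of the searcher.

        Returns:
          The value returned by searcher.GetFileEntryByPathSpec() for the
          matching path specification.

        Raises:
          errors.PreProcessFail: if the path does not match exactly one path
              specification or the file entry cannot be retrieved.
        """
        find_spec = file_system_searcher.FindSpec(
            location=path, case_sensitive=False)

        path_specs = list(searcher.Find(find_specs=[find_spec]))
        # A single length check covers both the empty and the ambiguous case.
        if len(path_specs) != 1:
            raise errors.PreProcessFail(u'Unable to find: {0:s}'.format(path))

        try:
            file_entry = searcher.GetFileEntryByPathSpec(path_specs[0])
        except IOError as exception:
            # The exception is formatted with "!s": an exception object
            # rejects the "s" format specification on Python 3, which would
            # replace the PreProcessFail callers expect with a TypeError.
            raise errors.PreProcessFail(
                u'Unable to retrieve file entry: {0:s} with error: {1!s}'.
                format(path, exception))

        return file_entry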
Ejemplo n.º 3
    def GetValue(self, searcher):
        """Resolves self.PATH on the file system and returns its location.

        self.PATH is passed to the searcher as a case-insensitive location
        regular expression. Only the first match is used.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).

        Returns:
          The location attribute of the first matching path specification.

        Raises:
          PreProcessFail: if nothing matches or the first match has no
              location.
        """
        path_regex = self.PATH
        search_spec = file_system_searcher.FindSpec(
            location_regex=path_regex, case_sensitive=False)

        # Collect all results up front so an empty result can be detected.
        matches = list(searcher.Find(find_specs=[search_spec]))
        if len(matches) == 0:
            raise errors.PreProcessFail(
                u'Unable to find path: {0:s}'.format(path_regex))

        # Not every path specification has a location attribute, hence the
        # getattr with a None default.
        first_location = getattr(matches[0], 'location', None)
        if first_location:
            return first_location

        raise errors.PreProcessFail(
            u'Missing path location for: {0:s}'.format(path_regex))
Ejemplo n.º 4
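    def _ParseKey(self, knowledge_base, registry_key):
        """Parses a Windows Registry key for a preprocessing attribute.

        Reads the value named self._REGISTRY_VALUE_NAME from the key and passes
        its data to self._ParseValueData(). A missing value or empty value data
        is skipped silently.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          registry_key (WinRegistryKey): Windows Registry key.

        Raises:
          errors.PreProcessFail: if the Registry value or value data can not be
              retrieved.
        """
        value_name = self._REGISTRY_VALUE_NAME

        # The exception is formatted with "!s" in both handlers: an exception
        # object rejects the "s" format specification on Python 3, which would
        # replace the PreProcessFail callers expect with a TypeError.
        try:
            registry_value = registry_key.GetValueByName(value_name)
        except IOError as exception:
            raise errors.PreProcessFail(
                (u'Unable to retrieve Registry key: {0:s}, value: {1:s} with '
                 u'error: {2!s}').format(self._REGISTRY_KEY_PATH, value_name,
                                         exception))

        if not registry_value:
            return

        try:
            value_data = registry_value.GetDataAsObject()
        except IOError as exception:
            raise errors.PreProcessFail((
                u'Unable to retrieve Registry key: {0:s}, value: {1:s} data with '
                u'error: {2!s}').format(self._REGISTRY_KEY_PATH, value_name,
                                        exception))

        if not value_data:
            return

        self._ParseValueData(knowledge_base, value_data)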
  def GetValue(self, searcher):
    """Determines the local time zone from the zone file symbolic link.

    The time zone is the part of the link target that follows the first
    occurrence of "zoneinfo/". If the target does not contain "zoneinfo/"
    an empty string is returned.

    Args:
      searcher: The file system searcher object (instance of
          dfvfs.FileSystemSearcher).

    Returns:
      The local timezone settings.

    Raises:
      errors.PreProcessFail: if the zone file cannot be found or has no link
          target.
    """
    zone_file_path = self.ZONE_FILE_PATH
    zone_file_entry = self._FindFileEntry(searcher, zone_file_path)
    if not zone_file_entry:
      raise errors.PreProcessFail(
          u'Unable to find file: {0:s}'.format(zone_file_path))

    link_target = zone_file_entry.link
    if not link_target:
      raise errors.PreProcessFail(
          u'Unable to retrieve timezone information from: {0:s}.'.format(
              zone_file_path))

    # partition() yields (head, separator, tail); only the tail is wanted.
    return link_target.partition(u'zoneinfo/')[2]
Ejemplo n.º 6
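  def _OpenPlistFile(self, searcher, path_spec):
    """Opens a binary plist file and returns its top level object.

    Args:
      searcher: The file system searcher object (instance of
          dfvfs.FileSystemSearcher).
      path_spec: The path specification (instance of dfvfs.PathSpec)
          of the plist file.

    Returns:
      The top level object returned by binplist.BinaryPlist.Parse().

    Raises:
      errors.PreProcessFail: if the file is not a plist or parsing overflows.
          Exceptions raised while retrieving or opening the file entry are
          not handled here and propagate to the caller.
    """
    plist_file_location = getattr(path_spec, 'location', u'')
    file_entry = searcher.GetFileEntryByPathSpec(path_spec)
    # NOTE(review): the file object is not closed in this method - confirm
    # whether the caller or the parser is responsible for that.
    file_object = file_entry.GetFileObject()

    try:
      plist_file = binplist.BinaryPlist(file_object)
      top_level_object = plist_file.Parse()

    except binplist.FormatError as exception:
      exception = utils.GetUnicodeString(exception)
      raise errors.PreProcessFail(
          u'File is not a plist: {0:s}'.format(exception))

    except OverflowError as exception:
      # The exception is formatted with "!s": an exception object rejects the
      # "s" format specification on Python 3, which would replace the
      # PreProcessFail callers expect with a TypeError.
      raise errors.PreProcessFail(
          u'Error processing: {0:s} with error: {1!s}'.format(
              plist_file_location, exception))

    if not plist_file:
      raise errors.PreProcessFail(
          u'File is not a plist: {0:s}'.format(plist_file_location))

    return top_level_object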
Ejemplo n.º 7
  def GetValue(self, searcher, unused_knowledge_base):
    """Resolves self.PATH and returns its relative path.

    Only the first path specification found for self.PATH is used. A
    relative path that starts with a forward slash has every forward slash
    replaced by a backslash; any other path is returned unchanged.

    Args:
      searcher: The file system searcher object (instance of
          dfvfs.FileSystemSearcher).
      unused_knowledge_base: Not used by this method.

    Returns:
      The relative path of the first match.

    Raises:
      PreProcessFail: if nothing matches or the first match has no relative
          path.
    """
    matches = self._FindPathSpecs(searcher, self.PATH)
    if not matches:
      raise errors.PreProcessFail(
          u'Unable to find path: {0:s}'.format(self.PATH))

    first_match_path = searcher.GetRelativePath(matches[0])
    if not first_match_path:
      raise errors.PreProcessFail(
          u'Missing relative path for: {0:s}'.format(self.PATH))

    if not first_match_path.startswith(u'/'):
      return first_match_path

    # Switch the segment separator from "/" to "\".
    return first_match_path.replace(u'/', u'\\')
Ejemplo n.º 8
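  def GetValue(self, searcher, unused_knowledge_base):
    """Determines the user accounts from the user plist files.

    Every path that matches self.USER_PATH (case-insensitive regular
    expression) is opened as a plist. Files that cannot be opened (IOError)
    or lack the expected keys (KeyError) are logged and skipped.

    Args:
      searcher: The file system searcher object (instance of
          dfvfs.FileSystemSearcher).
      unused_knowledge_base: Not used by this method.

    Returns:
      A list containing username information dicts with the keys uid, path,
      name and realname.

    Raises:
      errors.PreProcessFail: if no user plist files are found, a match has
          no location, or no user could be read from any file.
    """
    find_spec = file_system_searcher.FindSpec(
        location_regex=self.USER_PATH, case_sensitive=False)

    path_specs = list(searcher.Find(find_specs=[find_spec]))
    if not path_specs:
      raise errors.PreProcessFail(u'Unable to find user plist files.')

    users = []
    for path_spec in path_specs:
      plist_file_location = getattr(path_spec, 'location', u'')
      if not plist_file_location:
        raise errors.PreProcessFail(u'Missing user plist file location.')

      # NOTE(review): only IOError is skipped here; any other exception
      # raised by _OpenPlistFile ends the whole enumeration - confirm that
      # one unreadable plist is meant to stop processing of the others.
      try:
        top_level_object = self._OpenPlistFile(searcher, path_spec)
      except IOError:
        logging.warning(u'Unable to parse user plist file: {0:s}'.format(
            plist_file_location))
        continue

      try:
        match = plist_interface.GetKeysDefaultEmpty(
            top_level_object, self._KEYS)
      except KeyError as exception:
        # The exception is formatted with "!s": an exception object rejects
        # the "s" format specification on Python 3, so the warning itself
        # would raise a TypeError instead of skipping the file.
        logging.warning(
            u'Unable to read user plist file: {0:s} with error: {1!s}'.format(
                plist_file_location, exception))
        continue

      # TODO: as part of artifacts, create a proper object for this.
      # Each match value is indexed with [0]; the defaults are one-element
      # lists for that reason.
      user = {
          'uid': match.get('uid', [-1])[0],
          'path': match.get('home', [u'<not set>'])[0],
          'name': match.get('name', [u'<not set>'])[0],
          'realname': match.get('realname', [u'N/A'])[0]}
      users.append(user)

    if not users:
      raise errors.PreProcessFail(u'Unable to find any users on the system.')

    return users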
Ejemplo n.º 9
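    def GetValue(self, searcher, unused_knowledge_base):
        """Determines the user accounts from the user plist files.

        Every path specification found for self.USER_PATH is read as a plist.
        Files without a root key or without the expected keys are logged and
        skipped.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          unused_knowledge_base: Not used by this method.

        Returns:
          A list containing username information dicts with the keys uid,
          path, name and realname.

        Raises:
          errors.PreProcessFail: if no user plist files are found or no user
              could be read from any file.
        """
        path_specs = self._FindPathSpecs(searcher, self.USER_PATH)
        if not path_specs:
            raise errors.PreProcessFail(u'Unable to find user plist files.')

        users = []
        for path_spec in path_specs:
            file_entry = searcher.GetFileEntryByPathSpec(path_spec)

            root_key = self._GetPlistRootKey(file_entry)
            if not root_key:
                location = getattr(path_spec, u'location', u'')
                logging.warning(
                    u'Missing root key in plist: {0:s}'.format(location))
                continue

            try:
                match = self._GetKeysDefaultEmpty(root_key, self._KEYS)
            except KeyError as exception:
                location = getattr(path_spec, u'location', u'')
                # The exception is formatted with "!s": an exception object
                # rejects the "s" format specification on Python 3, so the
                # warning itself would raise a TypeError and one unreadable
                # plist would stop processing of the remaining files.
                logging.warning(
                    u'Unable to read user plist file: {0:s} with error: {1!s}'.
                    format(location, exception))
                continue

            # TODO: as part of artifacts, create a proper object for this.
            # Each match value is indexed with [0]; the defaults are
            # one-element lists for that reason.
            user = {
                u'uid': match.get(u'uid', [-1])[0],
                u'path': match.get(u'home', [u'<not set>'])[0],
                u'name': match.get(u'name', [u'<not set>'])[0],
                u'realname': match.get(u'realname', [u'N/A'])[0]
            }
            users.append(user)

        if not users:
            raise errors.PreProcessFail(
                u'Unable to find any users on the system.')

        return users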
Ejemplo n.º 10
    def _ParseFileData(self, knowledge_base, file_object):
        """Parses plist file content for a preprocessing attribute.

        Reads the plist, collects the keys listed in self._PLIST_KEYS and
        passes the first pair with a truthy value to
        self._ParsePlistKeyValue(). If no value is truthy the last pair is
        passed, unless its value is None.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          file_object (dfvfs.FileIO): file-like object that contains the artifact
              value data.

        Returns:
          The return value of self._ParsePlistKeyValue().

        Raises:
          errors.PreProcessFail: if the plist cannot be read, has no root key,
              or none of the keys or values are found.
        """
        plist_file = plist.PlistFile()

        try:
            plist_file.Read(file_object)
        except IOError as read_error:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: {1!s}'.format(
                    self.ARTIFACT_DEFINITION_NAME, read_error))

        if not plist_file.root_key:
            raise errors.PreProcessFail(
                ('Unable to read: {0:s} with error: missing root key').format(
                    self.ARTIFACT_DEFINITION_NAME))

        # _FindKeys fills the list that is passed in.
        found_pairs = []
        self._FindKeys(plist_file.root_key, self._PLIST_KEYS, found_pairs)
        if len(found_pairs) == 0:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: no such keys: {1:s}.'.
                format(self.ARTIFACT_DEFINITION_NAME,
                       ', '.join(self._PLIST_KEYS)))

        # Stop at the first pair that carries a truthy value; otherwise the
        # loop variables keep the last pair.
        name, value = None, None
        for name, value in found_pairs:
            if value:
                break

        if value is None:
            raise errors.PreProcessFail(
                ('Unable to read: {0:s} with error: no values found for keys: '
                 '{1:s}.').format(self.ARTIFACT_DEFINITION_NAME,
                                  ', '.join(self._PLIST_KEYS)))

        return self._ParsePlistKeyValue(knowledge_base, name, value)
Ejemplo n.º 11
    def _ParseFileEntry(self, knowledge_base, file_entry):
        """Parses a user plist file entry and adds the user account.

        The account is only added when both the name and uid values are
        truthy. This method returns False on every non-raising path,
        including after an account was added.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          file_entry (dfvfs.FileEntry): file entry that contains the artifact
              value data.

        Returns:
          bool: always False.

        Raises:
          errors.PreProcessFail: if the plist has no root key or the keys
              cannot be read.
        """
        plist_root = self._GetPlistRootKey(file_entry)
        if not plist_root:
            location = getattr(file_entry.path_spec, 'location', '')
            raise errors.PreProcessFail(
                ('Unable to read: {0:s} plist: {1:s} with error: missing root '
                 'key.').format(self.ARTIFACT_DEFINITION_NAME, location))

        try:
            match = self._GetKeysDefaultEmpty(plist_root, self._KEYS)
        except KeyError as key_error:
            location = getattr(file_entry.path_spec, 'location', '')
            raise errors.PreProcessFail(
                'Unable to read: {0:s} plist: {1:s} with error: {2!s}'.format(
                    self.ARTIFACT_DEFINITION_NAME, location, key_error))

        def _FirstValue(key):
            """Returns the first value stored for key or None if absent."""
            return match.get(key, [None])[0]

        name = _FirstValue('name')
        uid = _FirstValue('uid')

        # NOTE(review): a uid that is the integer 0 is falsy and would be
        # skipped here - confirm the uid values are strings.
        if not (name and uid):
            # TODO: add and store preprocessing errors.
            return False

        user_account = artifacts.UserAccountArtifact(
            identifier=uid, username=name)
        user_account.group_identifier = _FirstValue('gid')
        user_account.full_name = _FirstValue('realname')
        user_account.shell = _FirstValue('shell')
        user_account.user_directory = _FirstValue('home')

        try:
            knowledge_base.AddUserAccount(user_account)
        except KeyError:
            # TODO: add and store preprocessing errors.
            pass

        return False
Ejemplo n.º 12
    def _ParseFileData(self, mediator, file_object):
        """Parses plist file content for a preprocessing attribute.

        Reads the plist, collects the keys listed in self._PLIST_KEYS and
        passes the first pair with a truthy value to
        self._ParsePlistKeyValue(). If no value is truthy the last pair is
        passed, unless its value is None.

        Args:
          mediator (PreprocessMediator): mediates interactions between preprocess
              plugins and other components, such as storage and knowledge base.
          file_object (dfvfs.FileIO): file-like object that contains the artifact
              value data.

        Raises:
          errors.PreProcessFail: if the plist cannot be read, has no root key,
              or none of the keys or values are found.
        """
        plist_file = plist.PlistFile()

        try:
            plist_file.Read(file_object)
        except IOError as read_error:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: {1!s}'.format(
                    self.ARTIFACT_DEFINITION_NAME, read_error))

        if not plist_file.root_key:
            raise errors.PreProcessFail(
                ('Unable to read: {0:s} with error: missing root key').format(
                    self.ARTIFACT_DEFINITION_NAME))

        # _FindKeys fills the list that is passed in.
        found_pairs = []
        self._FindKeys(plist_file.root_key, self._PLIST_KEYS, found_pairs)
        if len(found_pairs) == 0:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: no such keys: {1:s}.'.
                format(self.ARTIFACT_DEFINITION_NAME,
                       ', '.join(self._PLIST_KEYS)))

        # Stop at the first pair that carries a truthy value; otherwise the
        # loop variables keep the last pair.
        name, value = None, None
        for name, value in found_pairs:
            if value:
                break

        if value is None:
            raise errors.PreProcessFail(
                ('Unable to read: {0:s} with error: no values found for keys: '
                 '{1:s}.').format(self.ARTIFACT_DEFINITION_NAME,
                                  ', '.join(self._PLIST_KEYS)))

        self._ParsePlistKeyValue(mediator, name, value)
Ejemplo n.º 13
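    def ParseFile(self, file_entry, file_object):
        """Parses the plist file and returns the parsed key.

        The keys in self.PLIST_KEYS are tried in order; the first one that
        yields a match is passed to self.ParseKey().

        Args:
          file_entry: The file entry (instance of dfvfs.FileEntry).
          file_object: The file-like object.

        Returns:
          The return value of self.ParseKey() for the first key defined by
          PLIST_KEYS that is found.

        Raises:
          errors.PreProcessFail: if the file is not a plist, cannot be
              processed, or contains none of the keys.
        """
        # The exceptions below are formatted with "!s": an exception object
        # rejects the "s" format specification on Python 3, which would
        # replace the PreProcessFail callers expect with a TypeError.
        try:
            plist_file = binplist.BinaryPlist(file_object)
            top_level_object = plist_file.Parse()

        except binplist.FormatError as exception:
            raise errors.PreProcessFail(
                u'File is not a plist: {0:s} with error: {1!s}'.format(
                    file_entry.path_spec.comparable, exception))

        except OverflowError as exception:
            raise errors.PreProcessFail(
                u'Unable to process plist: {0:s} with error: {1!s}'.format(
                    file_entry.path_spec.comparable, exception))

        if not plist_file:
            raise errors.PreProcessFail(u'File is not a plist: {0:s}'.format(
                file_entry.path_spec.comparable))

        match = None
        key_name = ''
        for plist_key in self.PLIST_KEYS:
            # Keys are looked up one at a time so that the name of the key
            # that matched is known.
            try:
                match = plist_interface.GetKeys(top_level_object,
                                                frozenset([plist_key]))
            except KeyError:
                continue
            if match:
                key_name = plist_key
                break

        if not match:
            raise errors.PreProcessFail(
                u'Keys not found inside plist file: {0:s}.'.format(u','.join(
                    self.PLIST_KEYS)))

        return self.ParseKey(match, key_name)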
Ejemplo n.º 14
    def GetValue(self, searcher, unused_knowledge_base):
        """Returns a value retrieved from keys within a plist file.

        The plist at self.PLIST_PATH is searched for the keys named in
        self.PLIST_KEYS. The first pair with a truthy value is passed to
        self.ParseValue(). If no value is truthy the last pair is passed,
        unless its value is None.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          unused_knowledge_base: Not used by this method.

        Returns:
          The return value of self.ParseValue() for the selected key.

        Raises:
          errors.PreProcessFail: if the file cannot be opened, has no root
              key, or none of the keys or values are found.
        """
        plist_entry = self._FindFileEntry(searcher, self.PLIST_PATH)
        if not plist_entry:
            raise errors.PreProcessFail(u'Unable to open file: {0:s}'.format(
                self.PLIST_PATH))

        plist_root = self._GetPlistRootKey(plist_entry)
        if not plist_root:
            location = getattr(plist_entry.path_spec, u'location', u'')
            raise errors.PreProcessFail(
                u'Missing root key in plist: {0:s}'.format(location))

        # _FindKeys fills the list that is passed in.
        found_pairs = []
        self._FindKeys(plist_root, self.PLIST_KEYS, found_pairs)
        if len(found_pairs) == 0:
            raise errors.PreProcessFail(u'No such keys: {0:s}.'.format(
                u', '.join(self.PLIST_KEYS)))

        # Stop at the first pair that carries a truthy value; otherwise the
        # loop variables keep the last pair.
        key_name, key_value = None, None
        for key_name, key_value in found_pairs:
            if key_value:
                break

        if key_value is None:
            raise errors.PreProcessFail(
                u'No values found for keys: {0:s}.'.format(u', '.join(
                    self.PLIST_KEYS)))

        return self.ParseValue(key_name, key_value)
Ejemplo n.º 15
    def _ParsePathSpecification(self, knowledge_base, searcher, file_system,
                                path_specification, path_separator):
        """Retrieves the file entry of a path specification and parses it.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
              the file system.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          path_specification (dfvfs.PathSpec): path specification that contains
              the artifact value data.
          path_separator (str): path segment separator, only used to format
              the path in the error message.

        Raises:
          PreProcessFail: if the file entry cannot be retrieved.
        """
        try:
            entry = searcher.GetFileEntryByPathSpec(path_specification)
        except IOError as io_error:
            display_path = searcher.GetRelativePath(path_specification)
            # Report the path with the requested separator when it differs
            # from the separator of the file system.
            if file_system.PATH_SEPARATOR != path_separator:
                segments = file_system.SplitPath(display_path)
                display_path = '{0:s}{1:s}'.format(
                    path_separator, path_separator.join(segments))

            raise errors.PreProcessFail(
                ('Unable to retrieve file entry: {0:s} with error: '
                 '{1!s}').format(display_path, io_error))
        else:
            self._ParseFileEntry(knowledge_base, entry)
Ejemplo n.º 16
    def _ParseFileEntry(self, mediator, file_entry):
        """Sets the time zone from the target of a symbolic link.

        The time zone is the part of the link target that follows the first
        occurrence of "zoneinfo/". Nothing is set when that part is empty. A
        time zone that the mediator rejects with ValueError produces a
        preprocessing warning instead of an error.

        Args:
          mediator (PreprocessMediator): mediates interactions between preprocess
              plugins and other components, such as storage and knowledge base.
          file_entry (dfvfs.FileEntry): file entry that contains the artifact
              value data.

        Raises:
          errors.PreProcessFail: if the file entry is missing or is not a
              symbolic link.
        """
        link_target = file_entry.link if file_entry else None
        if not link_target:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: not a symbolic link'.format(
                    self.ARTIFACT_DEFINITION_NAME))

        # partition() yields (head, separator, tail); only the tail is wanted.
        zone_name = link_target.partition('zoneinfo/')[2]
        if not zone_name:
            return

        try:
            mediator.SetTimeZone(zone_name)
        except ValueError:
            mediator.ProducePreprocessingWarning(
                self.ARTIFACT_DEFINITION_NAME,
                'Unable to set time zone in knowledge base.')
Ejemplo n.º 17
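    def GetValue(self, searcher, unused_knowledge_base):
        """Determines the hostname based on the contents of /etc/hostname.

        At most the first 512 bytes of the file are read; the hostname is
        everything before the first newline.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          unused_knowledge_base: Not used by this method.

        Returns:
          The hostname.

        Raises:
          errors.PreProcessFail: if the file entry cannot be found.
        """
        path = u'/etc/hostname'
        file_entry = self._FindFileEntry(searcher, path)
        if not file_entry:
            raise errors.PreProcessFail(
                u'Unable to find file entry for path: {0:s}.'.format(path))

        file_object = file_entry.GetFileObject()
        # Close the file object even when the read fails, so a damaged file
        # does not leak the handle.
        try:
            # The read is bounded; the file content comes from the source
            # data and its size is not known in advance.
            file_data = file_object.read(512)
        finally:
            file_object.close()

        # NOTE(review): partition() with a text separator assumes read()
        # returns a native string - confirm for file objects that return
        # bytes on Python 3.
        hostname, _, _ = file_data.partition('\n')
        return u'{0:s}'.format(hostname)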
Ejemplo n.º 18
    def _ParsePathSpecification(self, mediator, searcher, file_system,
                                path_specification, path_separator):
        """Retrieves the file entry of a path specification and parses it.

        A falsy file entry is ignored. Otherwise the file entry is registered
        with the mediator before it is parsed.

        Args:
          mediator (PreprocessMediator): mediates interactions between preprocess
              plugins and other components, such as storage and knowledge base.
          searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
              the file system.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          path_specification (dfvfs.PathSpec): path specification that contains
              the artifact value data.
          path_separator (str): path segment separator, only used to format
              the path in the error message.

        Raises:
          PreProcessFail: if the file entry cannot be retrieved.
        """
        try:
            entry = searcher.GetFileEntryByPathSpec(path_specification)
        except IOError as io_error:
            display_path = searcher.GetRelativePath(path_specification)
            # Report the path with the requested separator when it differs
            # from the separator of the file system.
            if file_system.PATH_SEPARATOR != path_separator:
                segments = file_system.SplitPath(display_path)
                display_path = '{0:s}{1:s}'.format(
                    path_separator, path_separator.join(segments))

            raise errors.PreProcessFail(
                ('Unable to retrieve file entry: {0:s} with error: '
                 '{1!s}').format(display_path, io_error))

        if not entry:
            return

        mediator.SetFileEntry(entry)
        self._ParseFileEntry(mediator, entry)
Ejemplo n.º 19
    def GetValue(self, searcher, unused_knowledge_base):
        """Determines the timezone based on the contents of /etc/timezone.

        Only the first line of the file is read. The value is returned as
        found in the file; it is not validated here.

        Args:
          searcher: The file system searcher object (instance of
              dfvfs.FileSystemSearcher).
          unused_knowledge_base: Not used by this method.

        Returns:
          The first line of /etc/timezone with surrounding whitespace
          removed, expected to be a tzdata (Olson) timezone name (for
          example, America/New_York).

        Raises:
          errors.PreProcessFail: if the file entry cannot be found.
        """
        timezone_path = u'/etc/timezone'
        timezone_entry = self._FindFileEntry(searcher, timezone_path)
        if not timezone_entry:
            raise errors.PreProcessFail(
                u'Unable to find file entry for path: {0:s}.'.format(
                    timezone_path))

        raw_file = timezone_entry.GetFileObject()
        # The file object is closed whether or not reading succeeds.
        try:
            first_line = text_file.TextFile(raw_file).readline()
        finally:
            raw_file.close()

        return first_line.strip()
Ejemplo n.º 20
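    def _ParseValueData(self, knowledge_base, value_data):
        """Sets the codepage from Windows Registry value data.

        The codepage is only set when the knowledge base has none yet. A
        codepage that the knowledge base rejects with ValueError is ignored.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Raises:
          errors.PreProcessFail: if the value data is not a Unicode string.
        """
        if not isinstance(value_data, py2to3.UNICODE_TYPE):
            # The type is formatted with "!s": a type object rejects the "s"
            # format specification on Python 3, which would replace the
            # PreProcessFail callers expect with a TypeError.
            raise errors.PreProcessFail(
                'Unsupported Windows Registry value type: {0!s} for '
                'artifact: {1:s}.'.format(type(value_data),
                                          self.ARTIFACT_DEFINITION_NAME))

        # Map the Windows code page name to a Python equivalent name.
        codepage = 'cp{0:s}'.format(value_data)

        if not knowledge_base.codepage:
            try:
                knowledge_base.SetCodepage(codepage)
            except ValueError:
                # TODO: add and store preprocessing errors.
                pass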
Ejemplo n.º 21
    def _ParseFileEntry(self, knowledge_base, file_entry):
        """Sets the time zone from the target of a symbolic link.

        The time zone is the part of the link target that follows the first
        occurrence of "zoneinfo/".

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          file_entry (dfvfs.FileEntry): file entry that contains the artifact
              value data.

        Returns:
          bool: True if the time zone was set in the knowledge base, False if
              the link target has no time zone part or the knowledge base
              rejected it with ValueError.

        Raises:
          errors.PreProcessFail: if the file entry is missing or is not a
              symbolic link.
        """
        link_target = file_entry.link if file_entry else None
        if not link_target:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: not a symbolic link'.format(
                    self.ARTIFACT_DEFINITION_NAME))

        # partition() yields (head, separator, tail); only the tail is wanted.
        zone_name = link_target.partition('zoneinfo/')[2]
        if not zone_name:
            return False

        try:
            knowledge_base.SetTimeZone(zone_name)
        except ValueError:
            # TODO: add and store preprocessing errors.
            return False

        return True
Ejemplo n.º 22
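    def _ParseKey(self, mediator, registry_key, value_name):
        """Parses a Windows Registry key for a preprocessing attribute.

        Reads the named value from the key and passes its data to
        self._ParseValueData(). A missing value or empty value data is
        skipped silently.

        Args:
          mediator (PreprocessMediator): mediates interactions between preprocess
              plugins and other components, such as storage and knowledge base.
          registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
          value_name (str): name of the Windows Registry value or None if not
              specified.

        Raises:
          PreProcessFail: if the Windows Registry value cannot be retrieved.
        """
        try:
            registry_value = registry_key.GetValueByName(value_name)
        except IOError as exception:
            # value_name is formatted with "!s" because it may be None, and
            # None rejects the "s" format specification; that would replace
            # the PreProcessFail callers expect with a TypeError.
            raise errors.PreProcessFail(
                ('Unable to retrieve Windows Registry key: {0:s} value: {1!s} '
                 'with error: {2!s}').format(registry_key.path, value_name,
                                             exception))

        if registry_value:
            # NOTE(review): an exception raised by GetDataAsObject() is not
            # converted to PreProcessFail here - confirm that is intended.
            value_object = registry_value.GetDataAsObject()
            if value_object:
                self._ParseValueData(mediator, value_object)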
Ejemplo n.º 23
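    def _ParseValueData(self, knowledge_base, value_data):
        """Sets the time zone from Windows Registry value data.

        The value data with spaces removed is looked up in
        time_zones.TIME_ZONES; when it is not listed the value data itself is
        used as the time zone name. A time zone that the knowledge base
        rejects with ValueError is logged and otherwise ignored.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Raises:
          errors.PreProcessFail: if the value data is not a Unicode string.
        """
        if not isinstance(value_data, py2to3.UNICODE_TYPE):
            # The type is formatted with "!s": a type object rejects the "s"
            # format specification on Python 3, which would replace the
            # PreProcessFail callers expect with a TypeError.
            raise errors.PreProcessFail(
                'Unsupported Windows Registry value type: {0!s} for '
                'artifact: {1:s}.'.format(type(value_data),
                                          self.ARTIFACT_DEFINITION_NAME))

        # Map the Windows time zone name to a Python equivalent name.
        lookup_key = value_data.replace(' ', '')

        time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)
        # TODO: check if time zone is set in knowledge base.
        if time_zone:
            try:
                knowledge_base.SetTimeZone(time_zone)
            except ValueError:
                # TODO: add and store preprocessing errors.
                # The unmapped Registry value is written to the log as-is.
                logger.warning(
                    'Unable to map: "{0:s}" to time zone'.format(value_data))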
Ejemplo n.º 24
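    def _ParseValueData(self, knowledge_base, value_data):
        """Adds an environment variable from Windows Registry value data.

        The variable is named self._NAME, is case insensitive and takes the
        value data as its value.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Returns:
          bool: True if the environment variable was added to the knowledge
              base, False if the knowledge base rejected it with KeyError.

        Raises:
          errors.PreProcessFail: if the value data is not a Unicode string.
        """
        if not isinstance(value_data, py2to3.UNICODE_TYPE):
            # The type is formatted with "!s": a type object rejects the "s"
            # format specification on Python 3, which would replace the
            # PreProcessFail callers expect with a TypeError.
            raise errors.PreProcessFail(
                u'Unsupported Windows Registry value type: {0!s} for '
                u'artifact: {1:s}.'.format(type(value_data),
                                           self.ARTIFACT_DEFINITION_NAME))

        environment_variable = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name=self._NAME, value=value_data)

        try:
            knowledge_base.AddEnvironmentVariable(environment_variable)
        except KeyError:
            # TODO: add and store preprocessing errors.
            return False

        return True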
Ejemplo n.º 25
    def _ParsePathSpecification(self, knowledge_base, searcher, file_system,
                                path_specification, path_separator):
        """Parses artifact file system data for a preprocessing attribute.

        The relative path of the path specification is stored in the knowledge
        base as a case-insensitive environment variable named self._NAME. When
        the requested separator differs from the one of the file system, the
        path is rebuilt from its segments with the requested separator.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
              the file system.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          path_specification (dfvfs.PathSpec): path specification that contains
              the artifact value data.
          path_separator (str): path segment separator.

        Raises:
          errors.PreProcessFail: if the searcher returns no relative path.
        """
        location = searcher.GetRelativePath(path_specification)
        if not location:
            raise errors.PreProcessFail(
                'Unable to read: {0:s} with error: missing relative path'.
                format(self.ARTIFACT_DEFINITION_NAME))

        if path_separator != file_system.PATH_SEPARATOR:
            # Re-join the segments so the stored value uses the separator the
            # caller asked for, with a leading separator.
            segments = file_system.SplitPath(location)
            joined_segments = path_separator.join(segments)
            location = '{0:s}{1:s}'.format(path_separator, joined_segments)

        variable = artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name=self._NAME, value=location)

        try:
            knowledge_base.AddEnvironmentVariable(variable)
        except KeyError:
            # A KeyError from the knowledge base is ignored on purpose.
            # TODO: add and store preprocessing errors.
            pass
Ejemplo n.º 26
    def _GetPlistRootKey(self, file_entry):
        """Retrieves the root key of a plist file.

        Only IOError raised while reading is converted to PreProcessFail; any
        other exception raised by the plist reader propagates unchanged. The
        file object is closed in every case.

        Args:
          file_entry (dfvfs.FileEntry): file entry of the plist.

        Returns:
          dict[str, object]: plist root key.

        Raises:
          errors.PreProcessFail: if the plist file cannot be read.
        """
        plist_stream = file_entry.GetFileObject()

        try:
            parsed_plist = plist.PlistFile()
            parsed_plist.Read(plist_stream)

        except IOError as exception:
            # The path specification may lack a location; fall back to ''.
            location = getattr(file_entry.path_spec, 'location', '')
            message = (
                'Unable to read plist file: {0:s} with error: {1!s}'.format(
                    location, exception))
            raise errors.PreProcessFail(message)

        finally:
            plist_stream.close()

        return parsed_plist.root_key
Ejemplo n.º 27
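    def GetValue(self, searcher):
        """Returns a value retrieved from keys within a plist file.

        Where the name of the keys are defined in PLIST_KEYS.

        Args:
          searcher: The file system searcher object (instance of
                    dfvfs.FileSystemSearcher).

        Returns:
          The value returned by ParseFile for the plist at PLIST_PATH.

        Raises:
          errors.PreProcessFail: if the preprocessing fails.
        """
        file_entry = self._FindFileEntry(searcher, self.PLIST_PATH)
        if not file_entry:
            raise errors.PreProcessFail(u'Unable to open file: {0:s}'.format(
                self.PLIST_PATH))

        file_object = file_entry.GetFileObject()
        try:
            return self.ParseFile(file_entry, file_object)
        finally:
            # Close the file object even when parsing raises, so a malformed
            # plist does not leave the handle open.
            file_object.close()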
Ejemplo n.º 28
    def Run(self, searcher, knowledge_base):
        """Determines the value of the preprocessing attributes.

        The time zone name is the part of the link target of self._PATH that
        follows the first occurrence of "zoneinfo/". Nothing is set when the
        file entry is missing, when the link target has no such part or when
        the knowledge base rejects the name with ValueError.

        Args:
          searcher (dfvfs.FileSystemSearcher): file system searcher.
          knowledge_base (KnowledgeBase): to fill with preprocessing information.

        Raises:
          errors.PreProcessFail: if the file entry has no link target.
        """
        localtime_entry = self._FindFileEntry(searcher, self._PATH)
        if not localtime_entry:
            return

        if not localtime_entry.link:
            raise errors.PreProcessFail(
                u'Unable to retrieve time zone information from: {0:s}.'.
                format(self._PATH))

        # Keep only what follows the "zoneinfo/" marker in the link target.
        zone_name = localtime_entry.link.partition(u'zoneinfo/')[2]
        if not zone_name:
            return

        try:
            knowledge_base.SetTimeZone(zone_name)
        except ValueError:
            # An unusable name is ignored; preprocessing continues.
            # TODO: add and store preprocessing errors.
            pass
Ejemplo n.º 29
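    def _ParseValueData(self, knowledge_base, value_data):
        """Parses Windows Registry value data for a preprocessing attribute.

        The value is prefixed with "cp" to form the code page name that is
        passed to the knowledge base.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Returns:
          bool: True if the knowledge base accepted the code page, False if
              SetCodepage raised ValueError.

        Raises:
          errors.PreProcessFail: if the value data is not a Unicode string.
        """
        if not isinstance(value_data, py2to3.UNICODE_TYPE):
            # A type object rejects the "s" format specification on Python 3,
            # so "{0:s}" raised TypeError here and masked the intended
            # PreProcessFail; "!s" converts the type with str() first.
            raise errors.PreProcessFail(
                u'Unsupported Windows Registry value type: {0!s} for '
                u'artifact: {1:s}.'.format(type(value_data),
                                           self.ARTIFACT_DEFINITION_NAME))

        # Map the Windows code page name to a Python equivalent name.
        codepage = u'cp{0:s}'.format(value_data)

        try:
            knowledge_base.SetCodepage(codepage)
        except ValueError:
            # Deliberate best effort: an unusable code page is not fatal.
            # TODO: add and store preprocessing errors.
            return False

        return True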
Ejemplo n.º 30
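  def _ParseValueData(self, knowledge_base, value_data):
    """Parses Windows Registry value data for a preprocessing attribute.

    The value is stored in the knowledge base as a case-insensitive
    environment variable named self._NAME. A KeyError raised by the knowledge
    base is ignored.

    Args:
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
      value_data (object): Windows Registry value data.

    Raises:
      errors.PreProcessFail: if the value data is not a Unicode string.
    """
    if not isinstance(value_data, py2to3.UNICODE_TYPE):
      # A type object rejects the "s" format specification on Python 3, so
      # "{0:s}" raised TypeError here and masked the intended PreProcessFail;
      # "!s" converts the type with str() first.
      raise errors.PreProcessFail(
          'Unsupported Windows Registry value type: {0!s} for '
          'artifact: {1:s}.'.format(
              type(value_data), self.ARTIFACT_DEFINITION_NAME))

    environment_variable = artifacts.EnvironmentVariableArtifact(
        case_sensitive=False, name=self._NAME, value=value_data)

    try:
      # NOTE(review): value_data is written to the debug log as-is and
      # presumably originates from the Registry under analysis - confirm.
      logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
          self._NAME, value_data))
      knowledge_base.AddEnvironmentVariable(environment_variable)
    except KeyError:
      # Deliberate best effort: the value is dropped, not fatal.
      # TODO: add and store preprocessing errors.
      pass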