def Parse_ESEDB_File(File_To_Parse):
file_object = open(File_To_Parse, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
Num_Of_tables = esedb_file.get_number_of_tables()
print ("The number of tables is ==> ", Num_Of_tables)
SQLitedb.CreateTable('ESEDB_Master_Table','Tab_Name text')
SQLitedb.CreateTable('ESEDB_Empty_Tables', 'Tab_Name Text')
for i in range (0, Num_Of_tables):
SQL_Statement = ''
Table = esedb_file.get_table(i)
Table_name = Table_Dict[Table.get_name()]
Template_Name = Table. get_template_name()
Table_Num_Columns = Table.get_number_of_columns()
Table_Num_Records = Table.get_number_of_records()
print ("Table Name is ==> ", Table_name)
if (Table_Num_Records > 0):
SQLitedb.InsertValues('ESEDB_Master_Table','Tab_Name', "'" + Table_name + "'")
SQL_Statement = 'Create Temp Table '+ Table_name + '_Temp ('
Table_Record = Table.get_record(0)
Column_Name = Table_Record.get_column_name(0)
Column_Type = Table_Record.get_column_type(0)
SQLitedb.CreateTempTable(Table_name + '_Temp', SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type])
for x in range(1, Table_Num_Columns):
Column_Name = Table_Record.get_column_name(x)
Column_Type = Table_Record.get_column_type(x)
SQL_Statement = SQL_Statement + ', ' + SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]
SQLitedb.AddColumn(Table_name + '_Temp', SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type])
SQL_Statement = SQL_Statement + ');'
else:
SQLitedb.InsertValues('ESEDB_Empty_Tables','Tab_Name', "'" + Table_name + "'")
esedb_file.close()
def pyesedb_test_multi_open_close_file(filename, mode):
"""Tests multiple open and close."""
description = (
"Testing multi open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
esedb_file.open(filename, mode)
esedb_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
if not os.path.isfile(unittest.source):
raise unittest.SkipTest("source not a regular file")
esedb_file = pyesedb.file()
with open(unittest.source, "rb") as file_object:
esedb_file.open_file_object(file_object)
with self.assertRaises(IOError):
esedb_file.open_file_object(file_object)
esedb_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
esedb_file.open_file_object(None)
with self.assertRaises(ValueError):
esedb_file.open_file_object(file_object, mode="w")
def pyesedb_test_single_open_close_file_object_with_dereference(
filename, mode):
"""Tests single file-like object open and close with dereference."""
description = (
"Testing single open close of file-like object with dereference of: "
"{0:s} with access: {1:s}\t").format(
get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
file_object = open(filename, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object, mode)
del file_object
esedb_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def _ParseESEDBFileWithPlugin(
self, path_segments, plugin, knowledge_base_values=None):
"""Parses a file as an ESE database file and returns an event generator.
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (ESEDBPlugin): ESE database plugin.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
Returns:
FakeStorageWriter: storage writer.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntry(path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer, file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
cache = esedb.ESEDBCache()
plugin.Process(parser_mediator, cache=cache, database=esedb_file)
esedb_file.close()
finally:
file_object.close()
return storage_writer
def ExtractCatalog(self, filename, output_writer):
"""Extracts the catalog from the database.
Args:
filename (str): name of the file containing the ESE database.
output_writer (OutputWriter): output writer.
"""
esedb_file = pyesedb.file()
esedb_file.open(filename)
ese_database_definition = EseDatabaseDefinition(
self._database_type, self._database_version)
output_writer.WriteDatabaseDefinition(ese_database_definition)
# TODO: write an overview of the table names.
# TODO: write the table and index names per type and version.
for esedb_table in iter(esedb_file.tables):
ese_table_definition = EseTableDefinition(
esedb_table.name, esedb_table.template_name)
for esedb_column in esedb_table.columns:
ese_table_definition.AddColumnDefinition(
esedb_column.identifier, esedb_column.name,
esedb_column.type)
output_writer.WriteTableDefinition(ese_table_definition)
esedb_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses an ESE database file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
self.NAME, parser_mediator.GetDisplayName(), exception))
# Compare the list of available plugins.
cache = EseDbCache()
for plugin_object in self._plugins:
try:
plugin_object.UpdateChainAndProcess(parser_mediator,
database=esedb_file,
cache=cache)
except errors.WrongPlugin:
logging.debug(
(u'[{0:s}] plugin: {1:s} cannot parse the ESE database: '
u'{2:s}').format(self.NAME, plugin_object.NAME,
parser_mediator.GetDisplayName()))
# TODO: explicitly clean up cache.
esedb_file.close()
def pyesedb_test_multi_open_close_file(filename, mode):
"""Tests multiple open and close."""
description = ("Testing multi open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
esedb_file.open(filename, mode)
esedb_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def pyesedb_test_single_open_close_file_object_with_dereference(
filename, mode):
"""Tests single file-like object open and close with dereference."""
description = (
"Testing single open close of file-like object with dereference of: "
"{0:s} with access: {1:s}\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
file_object = open(filename, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object, mode)
del file_object
esedb_file.close()
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def process_srum(srum, software, tablename = '{DD6636C4-8929-4683-974E-22C046A43763}'):
#This method must commit pin locations to the database
#Do the wireless Data sheet
log.info(f"\nProcessing SRUM events in table {tablename}")
row_num = 1 #Init to 1, first row will be 2 in spreadsheet (1 is headers)
entries = []
ese_db = pyesedb.file()
ese_db.open(srum)
lookups = load_interfaces(software)
ese_table = ese_db.get_table_by_name(tablename)
#If the table is not found it returns None
if not ese_table:
log.info("Unable to find network connections table in SRUM file provided")
raise Exception("Unable to find network connections table in SRUM file provided")
reverse_column_lookup = dict([(x.name,index) for index,x in enumerate(ese_table.columns)])
for ese_row_num in range(ese_table.number_of_records):
#if not sg.OneLineProgressMeter('Discovering Location Event from SRUM...', count, ese_table.number_of_records, 'key'):
# break
#"L2ProfileId=6, connectstart = 8"
profile = smart_retrieve(ese_table, ese_row_num, reverse_column_lookup['L2ProfileId'] )
connected = smart_retrieve(ese_table, ese_row_num, reverse_column_lookup['TimeStamp'] )
#if count%10==0:
# sys.stdout.write(".")
#sys.stdout.flush()
if profile:
bssid,ssid = lookups.get(str(profile),(None,'the profile could not be resolved'))
if bssid:
entries.append((connected,bssid, ssid))
return entries
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses an ESE database file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
self.NAME, parser_mediator.GetDisplayName(), exception))
# Compare the list of available plugins.
cache = EseDbCache()
for plugin_object in self._plugins:
try:
plugin_object.UpdateChainAndProcess(
parser_mediator, database=esedb_file, cache=cache)
except errors.WrongPlugin:
logging.debug((
u'[{0:s}] plugin: {1:s} cannot parse the ESE database: '
u'{2:s}').format(
self.NAME, plugin_object.NAME,
parser_mediator.GetDisplayName()))
# TODO: explicitly clean up cache.
esedb_file.close()
def ExtractCatalog(self, filename, output_writer):
"""Extracts the catalog from the database.
Args:
filename (str): name of the file containing the ESE database.
output_writer (OutputWriter): output writer.
"""
esedb_file = pyesedb.file()
esedb_file.open(filename)
ese_database_definition = EseDatabaseDefinition(
self._database_type, self._database_version)
output_writer.WriteDatabaseDefinition(ese_database_definition)
# TODO: write an overview of the table names.
# TODO: write the table and index names per type and version.
for esedb_table in iter(esedb_file.tables):
ese_table_definition = EseTableDefinition(
esedb_table.name, esedb_table.template_name)
for esedb_column in esedb_table.columns:
ese_table_definition.AddColumnDefinition(
esedb_column.identifier, esedb_column.name, esedb_column.type)
output_writer.WriteTableDefinition(ese_table_definition)
esedb_file.close()
def test_open_close(self):
"""Tests the open and close functions."""
if not unittest.source:
return
esedb_file = pyesedb.file()
# Test open and close.
esedb_file.open(unittest.source)
esedb_file.close()
# Test open and close a second time to validate clean up on close.
esedb_file.open(unittest.source)
esedb_file.close()
file_object = open(unittest.source, "rb")
# Test open_file_object and close.
esedb_file.open_file_object(file_object)
esedb_file.close()
# Test open_file_object and close a second time to validate clean up on close.
esedb_file.open_file_object(file_object)
esedb_file.close()
# Test open_file_object and close and dereferencing file_object.
esedb_file.open_file_object(file_object)
del file_object
esedb_file.close()
def test_open_close(self):
"""Tests the open and close functions."""
if not unittest.source:
return
esedb_file = pyesedb.file()
# Test open and close.
esedb_file.open(unittest.source)
esedb_file.close()
# Test open and close a second time to validate clean up on close.
esedb_file.open(unittest.source)
esedb_file.close()
file_object = open(unittest.source, "rb")
# Test open_file_object and close.
esedb_file.open_file_object(file_object)
esedb_file.close()
# Test open_file_object and close a second time to validate clean up on close.
esedb_file.open_file_object(file_object)
esedb_file.close()
# Test open_file_object and close and dereferencing file_object.
esedb_file.open_file_object(file_object)
del file_object
esedb_file.close()
def extract_webcachev01_dat(file_path):
"""Extracts data from WebCacheVxx.dat.
"""
visits = []
esedb_file = pyesedb.file()
with open(file_path, "rb") as f:
esedb_file.open_file_object(f) # read the file
containers_table = esedb_file.get_table_by_name("Containers") # look for tables "Containers"
for i in range(0, containers_table.get_number_of_records()):
if containers_table.get_record(i).get_value_data_as_string(8) == 'History': # only look for History containers
container_id = containers_table.get_record(i).get_value_data_as_integer(0)
history_table = esedb_file.get_table_by_name("Container_" + str(container_id)) # get the container by its ID
for j in range(0, history_table.get_number_of_records()): # for each record in the container table
record = {}
for v in range(0 , history_table.get_record(j).get_number_of_values()): # for each value in the record
column_name = history_table.get_record(j).get_column_name(v) # get the current column name
column_type = history_table.get_record(j).get_column_type(v) # get the current column type number
if column_type == 12 : # column is string
record[column_name] = history_table.get_record(j).get_value_data_as_string(v)
elif column_type == 15 or column_type == 14: # column is int
if column_name in ["SyncTime" , "CreationTime" , "ExpiryTime" , "ModifiedTime" , "AccessedTime"]:
record[column_name] = convert_timestamp( history_table.get_record(j).get_value_data_as_integer(v) , browser_name='IE11', tz='utc')
else:
record[column_name] = history_table.get_record(j).get_value_data_as_integer(v)
elif column_type == 11: # column is hex
if history_table.get_record(j).get_value_data(v) is not None:
h = [ord(x) for x in history_table.get_record(j).get_value_data(v)]
record[column_name] = ''.join('{:02x} '.format(x) for x in h)
else:
record[column_name] = history_table.get_record(j).get_value_data(v)
else:
record[column_name] = history_table.get_record(j).get_value_data(v)
record["@timestamp"] = record["AccessedTime"].replace(" " , "T")
record["browser_name"] = "Internet Explorer"
record["type"] = "visits"
link = record['Url'].split('@' , 1)
if len(link) == 1:
record['link'] = link[0]
else:
record['link'] = link[1]
record['time'] = record['AccessedTime']
for k in record.keys():
if k in ["UrlHash" , "Type"]:
record[k] = str(record[k])
if record[k] is None:
record[k] = "None"
visits.append(record)
esedb_file.close()
return visits
def test_close(self):
"""Tests the close function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
esedb_file = pyesedb.file()
with self.assertRaises(IOError):
esedb_file.close()
def test_close(self):
"""Tests the close function."""
if not unittest.source:
return
esedb_file = pyesedb.file()
with self.assertRaises(IOError):
esedb_file.close()
def __init__(self, srumdbpath="C:\\Windows\\System32\\sru\\SRUDB.dat"):
try:
self.srumdb = pyesedb.file()
self.srumdb.open(srumdbpath)
self.__set_table_mapping__()
except Exception as e:
print("Impossible to open SRUM DB: %s" % srumdbpath)
print(e)
return
def test_close(self):
"""Tests the close function."""
if not unittest.source:
return
esedb_file = pyesedb.file()
with self.assertRaises(IOError):
esedb_file.close()
def ie_hist(cfg):
csv_list = []
dbs = find_dbs(
os.path.join(cfg["mount_dir"], "Users", '*', "AppData", "Local",
"Microsoft", "Windows", "WebCache", "WebCacheV??.dat"))
for db in dbs:
user = user_of(db)
history_containers = []
db_fh = open(db, 'rb')
ese_db = pyesedb.file()
ese_db.open_file_object(db_fh)
containers = ese_db.get_table_by_name("Containers")
if not containers:
print "Error opening Containers table in %s" % db
break
# Find history tables from the Containers table
for row in range(0, containers.get_number_of_records() - 1):
container = containers.get_record(row)
row_id = str(container.get_value_data_as_integer(0))
row_name = container.get_value_data_as_string(8)
row_dir = container.get_value_data_as_string(10)
if "History" in row_name and ("History.IE5" in row_dir
or "MicrosoftEdge" in row_dir):
history_containers.append(row_id)
# Parse each history table/container
for i in history_containers:
current_table = ese_db.get_table_by_name("Container_%s" % i)
if not current_table:
print "Error opening table Container_%s in %s" % (i, db)
continue
# For each row
for row_num in range(0, current_table.get_number_of_records() - 1):
row = current_table.get_record(row_num)
if not row:
break
# Handle long values in the URL column
if row.is_long_value(17):
url = row.get_value_data_as_long_value(
17).get_data_as_string()
else:
url = row.get_value_data_as_string(17)
# Account for search parameters
if cfg["search"] and cfg["search"] not in url:
continue
# Normalize data, add to CSV buffer
url = '@'.join(url.split('@')[1:])
accessed_time = row.get_value_data_as_integer(13)
timestamp = datetime.datetime(1602, 1, 1) + datetime.timedelta(
microseconds=(accessed_time / 10))
# Append time, domain, title (unavailable), url, browser, user
csv_list.append([
str(timestamp),
urlparse(url).hostname, None, url, "IE/Edge", user
])
ese_db.close()
write_lines(cfg["out_file"], csv_list)
def open_file_as_esedb(esedb):
file_size = esedb.info.meta.size
file_content = esedb.read_random(0, file_size)
file_like_obj = StringIO.StringIO(file_content)
esedb = pyesedb.file()
try:
esedb.open_file_object(file_like_obj)
except IOError:
return None
return esedb
def _OpenEseDbFile(self, path):
"""Opens an ESE database file and returns back a pyesedb.file object."""
path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=path)
file_entry = path_spec_resolver.Resolver.OpenFileEntry(path_spec)
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
return esedb_file
def _OpenEseDbFile(self, path):
"""Opens an ESE database file and returns back a pyesedb.file object."""
path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=path)
file_entry = path_spec_resolver.Resolver.OpenFileEntry(path_spec)
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
return esedb_file
def _OpenEseDbFile(self, path_segments):
"""Opens an ESE database file and returns back a pyesedb.file object.
Args:
path: The path to the ESE database test file.
"""
file_entry = self._GetTestFileEntryFromPath(path_segments)
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
return esedb_file
def __init__(self, options):
'''Create a SrumHandler
Args:
options: Options'''
self.srum_db = options.srum_db
self.output_db = options.output_db
self.esedb_file = pyesedb.file()
self.esedb_file.open(self.srum_db)
self.outputDbConfig = DbConfig(dbname=self.output_db)
self.outputDbHandler = DbHandler(self.outputDbConfig)
def _OpenEseDbFile(self, path_segments):
"""Opens an ESE database file and returns back a pyesedb.file object.
Args:
path: The path to the ESE database test file.
"""
file_entry = self._GetTestFileEntryFromPath(path_segments)
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
return esedb_file
def pyesedb_test_single_open_close_file(filename, mode):
"""Tests a single open and close."""
description = (
"Testing single open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename), get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
except TypeError as exception:
expected_message = (
"{0:s}: unsupported string object type.").format(
"pyesedb_file_open")
if not filename and str(exception) == expected_message:
pass
else:
error_string = str(exception)
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format(
"pyesedb_file_open")
if mode != "w" or str(exception) != expected_message:
error_string = str(exception)
result = False
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def test_get_page_size(self):
"""Tests the get_page_size function and page_size property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
esedb_file = pyesedb.file()
esedb_file.open(unittest.source)
page_size = esedb_file.get_page_size()
self.assertIsNotNone(page_size)
self.assertIsNotNone(esedb_file.page_size)
esedb_file.close()
def test_get_number_of_tables(self):
"""Tests the get_number_of_tables function and number_of_tables property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
esedb_file = pyesedb.file()
esedb_file.open(unittest.source)
number_of_tables = esedb_file.get_number_of_tables()
self.assertIsNotNone(number_of_tables)
self.assertIsNotNone(esedb_file.number_of_tables)
esedb_file.close()
def test_get_type(self):
"""Tests the get_type function and type property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
esedb_file = pyesedb.file()
esedb_file.open(unittest.source)
type = esedb_file.get_type()
self.assertIsNotNone(type)
self.assertIsNotNone(esedb_file.type)
esedb_file.close()
def Open(self, file_object):
"""Opens an Extensible Storage Engine (ESE) database file.
Args:
file_object (dfvfs.FileIO): file-like object.
Raises:
IOError: if the file-like object cannot be read.
OSError: if the file-like object cannot be read.
ValueError: if the file-like object is missing.
"""
if not file_object:
raise ValueError('Missing file object.')
self._esedb_file = pyesedb.file()
self._esedb_file.open_file_object(file_object)
def pyesedb_test_single_open_close_file(filename, mode):
"""Tests a single open and close."""
description = ("Testing single open close of: {0:s} with access: {1:s}"
"\t").format(get_filename_string(filename),
get_mode_string(mode))
print(description, end="")
error_string = None
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
except TypeError as exception:
expected_message = ("{0:s}: unsupported string object type."
).format("pyesedb_file_open")
if not filename and str(exception) == expected_message:
pass
else:
error_string = str(exception)
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format("pyesedb_file_open")
if mode != "w" or str(exception) != expected_message:
error_string = str(exception)
result = False
except Exception as exception:
error_string = str(exception)
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
if error_string:
print(error_string)
return result
def getHistory(filepath, timeline=None):
esedb_file = pyesedb.file()
esedb_file.open(filepath)
containers = esedb_file.get_table_by_name("Containers")
#Get list of containers that contain IE history
histContList = []
histNameDict = dict()
histDirDict = dict()
for cRecords in containers.records:
if "Hist" in cRecords.get_value_data_as_string(8):
histContList.append("Container_%s" % cRecords.get_value_data_as_integer(0))
histNameDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(8)
histDirDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(10)
items = []
head = [CONSTANT.HISTORY_KEYWORD, False, CONSTANT.IE, 1] # Edge OK
#Get history from each container
for hcl in histContList:
histCont = esedb_file.get_table_by_name(hcl)
for hRecords in histCont.records:
_url = hRecords.get_value_data_as_string(17)
if _url.count("@") > 0:
URL = _url.split("@")[1]
if not URL.startswith("http"):
continue
accessedTime = getFiletime(hRecords.get_value_data_as_integer(13))
modifiedTime = getFiletime(hRecords.get_value_data_as_integer(12))
content = [
"{}.{}".format(hRecords.get_value_data_as_integer(1), hRecords.get_value_data_as_integer(0)),
histNameDict[hcl],
"{}".format(getFiletime(hRecords.get_value_data_as_integer(10))),
"{}".format(accessedTime),
"{}".format(modifiedTime),
"{}".format(getFiletime(hRecords.get_value_data_as_integer(11))),
"{}".format(getFiletime(hRecords.get_value_data_as_integer(9))),
str(hRecords.get_value_data_as_integer(15)),
str(hRecords.get_value_data_as_integer(8)),
_url,
hRecords.get_value_data_as_string(18),
str(hRecords.get_value_data_as_integer(5)),
histDirDict[hcl],
None
]
items.append([head, accessedTime, URL, modifiedTime, content])
return items
def Parse_ESEDB_File(File_To_Parse, SQLite_DB_Name):
file_object = open(File_To_Parse, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
Num_Of_tables = esedb_file.get_number_of_tables()
print ("The number of tables is ==> ", Num_Of_tables)
SQLitedb.CreateTable('ESEDB_Master_Table','Tab_Name text')
SQLitedb.CreateTable('ESEDB_Empty_Tables', 'Tab_Name Text')
for i in range (0, Num_Of_tables):
SQL_Statement = ''
Table = esedb_file.get_table(i)
Table_name = Table.get_name()
Template_Name = Table. get_template_name()
Table_Num_Columns = Table.get_number_of_columns()
Table_Num_Records = Table.get_number_of_records()
print ("Table Name is ==> ", Table_name, " Number of records is ==> ", Table_Num_Records)
if (Table_Num_Records > 0):
SQLitedb.InsertValues('ESEDB_Master_Table','Tab_Name', "'" + Table_name + "'")
SQL_Statement = 'Create Temp Table '+ Table_name + '_Temp ('
Table_Record = Table.get_record(0)
Column_Name = Table_Record.get_column_name(0)
Column_Type = Table_Record.get_column_type(0)
SQLitedb.CreateTable(Table_name, SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type])
for x in range(1, Table_Num_Columns):
Column_Name = Table_Record.get_column_name(x)
Column_Type = Table_Record.get_column_type(x)
SQL_Statement = SQL_Statement + ', ' + SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type]
SQLitedb.AddColumn(Table_name, SQLitedb.Check_SQL_Reserved_Word(Column_Name) + ' ' + Column_Dict[Column_Type])
SQL_Statement = SQL_Statement + ');'
Num_Records_Begin = 0
Num_Records_End = 20000
while True:
if Table_Num_Records < 19999:
ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Table_Num_Records)])
break
elif Table_Num_Records < Num_Records_End:
ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Table_Num_Records)])
break
else:
ESEDB_Process_Records.append(["Export_Webcache_Records.exe", File_To_Parse, SQLite_DB_Name, Table_name, str(Num_Records_Begin), str(Num_Records_End)])
Num_Records_Begin = Num_Records_Begin + 20000
Num_Records_End = Num_Records_End + 20000
else:
SQLitedb.InsertValues('ESEDB_Empty_Tables','Tab_Name', "'" + Table_name + "'")
esedb_file.close()
def pyesedb_test_single_open_close_file(filename, mode):
if not filename:
filename_string = "None"
else:
filename_string = filename
print("Testing single open close of: {0:s} with access: {1:s}\t".format(
filename_string, get_mode_string(mode)))
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
except TypeError as exception:
expected_message = (
"{0:s}: unsupported string object type.").format(
"pyesedb_file_open")
if not filename and str(exception) == expected_message:
pass
else:
print(str(exception))
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format(
"pyesedb_file_open")
if mode != "w" or str(exception) != expected_message:
print(str(exception))
result = False
except Exception as exception:
print(str(exception))
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
return result
def __init__(self, options, guid_table=None):
'''Create a SrumHandler
Args:
options: Options
guid_table: Optional guid table mapping'''
self.srum_db = options.srum_db
self.output_db = options.output_db
self.esedb_file = pyesedb.file()
self.esedb_file.open(self.srum_db)
if guid_table:
SrumHandler.GUID_TABLES = guid_table
self.outputDbConfig = DbConfig(dbname=self.output_db)
self.outputDbHandler = DbHandler(self.outputDbConfig)
def __init__(self,options):
'''Create a SrumHandler
Args:
options: Options'''
self.srum_db = options.srum_db
self.output_db = options.output_db
self.esedb_file = pyesedb.file()
self.esedb_file.open(self.srum_db)
self.outputDbConfig = DbConfig(
dbname=self.output_db
)
self.outputDbHandler = DbHandler(
self.outputDbConfig
)
def pyesedb_test_single_open_close_file(filename, mode):
if not filename:
filename_string = "None"
else:
filename_string = filename
print("Testing single open close of: {0:s} with access: {1:s}\t".format(
filename_string, get_mode_string(mode)))
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
except TypeError as exception:
expected_message = ("{0:s}: unsupported string object type."
).format("pyesedb_file_open")
if not filename and str(exception) == expected_message:
pass
else:
print(str(exception))
result = False
except ValueError as exception:
expected_message = (
"{0:s}: unsupported mode: w.").format("pyesedb_file_open")
if mode != "w" or str(exception) != expected_message:
print(str(exception))
result = False
except Exception as exception:
print(str(exception))
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
return result
def test_open(self):
"""Tests the open function."""
if not unittest.source:
return
esedb_file = pyesedb.file()
esedb_file.open(unittest.source)
with self.assertRaises(IOError):
esedb_file.open(unittest.source)
esedb_file.close()
with self.assertRaises(TypeError):
esedb_file.open(None)
with self.assertRaises(ValueError):
esedb_file.open(unittest.source, mode="w")
def test_open(self):
"""Tests the open function."""
if not unittest.source:
return
esedb_file = pyesedb.file()
esedb_file.open(unittest.source)
with self.assertRaises(IOError):
esedb_file.open(unittest.source)
esedb_file.close()
with self.assertRaises(TypeError):
esedb_file.open(None)
with self.assertRaises(ValueError):
esedb_file.open(unittest.source, mode="w")
def ParseFileObject(self, parser_mediator, file_object):
"""Parses an ESE database file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open file with error: {0!s}'.format(exception))
return
# Compare the list of available plugin objects.
cache = ESEDBCache()
try:
table_names = frozenset(self._GetTableNames(esedb_file))
for plugin in self._plugins:
if parser_mediator.abort:
break
if not plugin.required_tables.issubset(table_names):
continue
try:
plugin.UpdateChainAndProcess(parser_mediator,
cache=cache,
database=esedb_file)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionWarning((
'plugin: {0:s} unable to parse ESE database with error: '
'{1!s}').format(plugin.NAME, exception))
finally:
# TODO: explicitly clean up cache.
esedb_file.close()
def Populate_ESEDB_DB(File_To_Parse):
idType = None
file_object = open(File_To_Parse, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
Table_Names = SQLitedb.SelectAllRows("Select tab_name from ESEDB_Master_Table where Tab_name not in (Select tab_name from ESEDB_Empty_tables);")
for Table_Name in Table_Names:
Table_name = str(Table_Name[0])
print ("Inserting into table " + str(Table_name))
EsedbTable = esedb_file.get_table_by_name(Table_Rev_Dict[Table_Name[0]])
for i in range(0,EsedbTable.get_number_of_records()):
SQL_Bind_Values = []
SQL_Statement_Table = 'Insert into ' + Table_Name[0] + '_temp'
EsedbTable_Record = EsedbTable.get_record(i)
EsedbTable_Num_Columns = EsedbTable.get_number_of_columns()
Column_Name = EsedbTable_Record.get_column_name(0)
SQL_Statement_Columns = SQLitedb.Check_SQL_Reserved_Word(Column_Name)
SQL_Bind_Variables = SQLitedb.create_question_bind_variables(EsedbTable.get_number_of_columns())
Column_Type = EsedbTable_Record.get_column_type(0)
Check_Column_Type(EsedbTable_Record, Column_Type, 0, SQL_Bind_Values, False)
idType = 0
if Column_Name == 'IdType':
idType = SQL_Bind_Values[len(SQL_Bind_Values) - 1]
for x in range(1,EsedbTable.get_number_of_columns()):
Column_Name = EsedbTable_Record.get_column_name(x)
SQL_Statement_Columns = SQL_Statement_Columns + ',' + SQLitedb.Check_SQL_Reserved_Word(Column_Name)
Column_Type = EsedbTable_Record.get_column_type(x)
if Column_Name == 'IdBlob':
if idType == 3:
Check_Column_Type(EsedbTable_Record, 10, x, SQL_Bind_Values, True)
else:
Check_Column_Type(EsedbTable_Record, 10, x, SQL_Bind_Values, False)
else:
Check_Column_Type(EsedbTable_Record, Column_Type, x, SQL_Bind_Values, False)
try:
SQLitedb.InsertBindValues(Table_Name[0] + '_temp', SQL_Statement_Columns, SQL_Bind_Variables, SQL_Bind_Values)
except:
print ("SQL_Statement_Columns ==> " + SQL_Statement_Columns)
print ("SQL_Bind_Variables ==> " + SQL_Bind_Variables)
print ("SQL_Bind_Values ==> " + str(SQL_Bind_Values))
esedb_file.close()
def ParseFileObject(self, parser_mediator, file_object):
"""Parses an ESE database file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
'unable to open file with error: {0!s}'.format(exception))
return
# Compare the list of available plugin objects.
cache = ESEDBCache()
try:
table_names = frozenset(self._GetTableNames(esedb_file))
for plugin in self._plugins:
if parser_mediator.abort:
break
if not plugin.required_tables.issubset(table_names):
continue
try:
plugin.UpdateChainAndProcess(
parser_mediator, cache=cache, database=esedb_file)
except Exception as exception: # pylint: disable=broad-except
parser_mediator.ProduceExtractionError((
'plugin: {0:s} unable to parse ESE database with error: '
'{1!s}').format(plugin.NAME, exception))
finally:
# TODO: explicitly clean up cache.
esedb_file.close()
def getCookies(filepath):
esedb_file = pyesedb.file()
esedb_file.open(filepath)
containers = esedb_file.get_table_by_name("Containers")
#Get list of containers that contain IE cookies
histContList = []
histNameDict = dict()
histDirDict = dict()
for cRecords in containers.records:
if "Cookies" in cRecords.get_value_data_as_string(8):
histContList.append("Container_%s" % cRecords.get_value_data_as_integer(0))
histNameDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(8)
histDirDict["Container_%s" % cRecords.get_value_data_as_integer(0)] = cRecords.get_value_data_as_string(10)
#Get cookies from each container
for hcl in histContList:
histCont = esedb_file.get_table_by_name(hcl)
for hRecords in histCont.records:
print('"%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s","%s"' % ('%s.%s' % (hRecords.get_value_data_as_integer(1),hRecords.get_value_data_as_integer(0)),histNameDict[hcl],getFiletime(hRecords.get_value_data_as_integer(10)),getFiletime(hRecords.get_value_data_as_integer(13)),getFiletime(hRecords.get_value_data_as_integer(12)),getFiletime(hRecords.get_value_data_as_integer(11)),getFiletime(hRecords.get_value_data_as_integer(9)),hRecords.get_value_data_as_integer(15),hRecords.get_value_data_as_integer(8),hRecords.get_value_data_as_string(17),hRecords.get_value_data_as_string(18),hRecords.get_value_data_as_integer(5),"-",histDirDict[hcl]))
def pyesedb_test_single_open_close_file_object(filename, mode):
print(("Testing single open close of file-like object of: {0:s} "
"with access: {1:s}\t").format(filename, get_mode_string(mode)))
result = True
try:
file_object = open(filename, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object, mode)
esedb_file.close()
except Exception as exception:
print(str(exception))
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
return result
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
return
file_object = open(unittest.source, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
with self.assertRaises(IOError):
esedb_file.open_file_object(file_object)
esedb_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
esedb_file.open_file_object(None)
with self.assertRaises(ValueError):
esedb_file.open_file_object(file_object, mode="w")
def pyesedb_test_multi_open_close_file(filename, mode):
print("Testing multi open close of: {0:s} with access: {1:s}\t".format(
filename, get_mode_string(mode)))
result = True
try:
esedb_file = pyesedb.file()
esedb_file.open(filename, mode)
esedb_file.close()
esedb_file.open(filename, mode)
esedb_file.close()
except Exception as exception:
print(str(exception))
result = False
if not result:
print("(FAIL)")
else:
print("(PASS)")
return result
def Parse(self, parser_context, file_entry):
"""Extracts data from an ESE database File.
Args:
parser_context: A parser context object (instance of ParserContext).
file_entry: A file entry object (instance of dfvfs.FileEntry).
Yields:
An event event (instance of EventObject) that contains the parsed
values.
"""
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
file_object.close()
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
self.NAME, file_entry.name, exception))
# Compare the list of available plugins.
cache = EseDbCache()
for plugin_object in self._plugins:
try:
plugin_object.Process(
parser_context, database=esedb_file, cache=cache)
except errors.WrongPlugin:
logging.debug((
u'[{0:s}] plugin: {1:s} cannot parse the ESE database: '
u'{2:s}').format(
self.NAME, plugin_object.NAME, file_entry.name))
# TODO: explicitly clean up cache.
esedb_file.close()
file_object.close()
def Parse(self, file_entry):
"""Extracts data from an ESE database File.
Args:
file_entry: A file entry object.
Yields:
An event event (instance of EventObject) that contains the parsed
values.
"""
file_object = file_entry.GetFileObject()
esedb_file = pyesedb.file()
try:
esedb_file.open_file_object(file_object)
except IOError as exception:
raise errors.UnableToParseFile(
u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
self.parser_name, file_entry.name, exception))
# Compare the list of available plugins.
cache = interface.EseDbCache()
for esedb_plugin in self._plugins.itervalues():
try:
for event_object in esedb_plugin.Process(
database=esedb_file, cache=cache):
event_object.plugin = esedb_plugin.plugin_name
yield event_object
except errors.WrongPlugin:
logging.debug((
u'[{0:s}] plugin: {1:s} cannot parse the ESE database: '
u'{2:s}').format(
self.parser_name, esedb_plugin.plugin_name, file_entry.name))
# TODO: explicitly clean up cache.
file_object.close()
def _ParseEseDbFileWithPlugin(
self, path_segments, plugin_object, knowledge_base_values=None):
"""Parses a file as an ESE database file and returns an event generator.
Args:
path_segments: a list of strings containinge the path segments inside
the test data directory.
plugin_object: an ESE database plugin object (instance of EseDbPlugin).
knowledge_base_values: optional dictionary containing the knowledge base
values.
Returns:
A storage writer object (instance of FakeStorageWriter).
"""
session = sessions.Session()
storage_writer = fake_storage.FakeStorageWriter(session)
storage_writer.Open()
file_entry = self._GetTestFileEntryFromPath(path_segments)
parser_mediator = self._GetParserMediator(
storage_writer, file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
file_object = file_entry.GetFileObject()
try:
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
cache = esedb.EseDbCache()
plugin_object.Process(parser_mediator, cache=cache, database=esedb_file)
esedb_file.close()
finally:
file_object.close()
return storage_writer
return Record_List.append(str(EsedbTable_Record.get_value_data(Column_Number).decode('utf-16', 'ignore')))
elif (Column_Type == 17): #INTEGER_16BIT_UNSIGNED
return Record_List.append(EsedbTable_Record.get_value_data_as_integer(Column_Number))
args = sys.argv[1:]
File_To_Parse = args[0]
SQLite_DB_Name = args[1]
Table_Name = args[2]
Begin_Record_Number = args[3]
End_Record_Number = args[4]
SQLitedb = SQLiteDb()
SQLitedb.Open(SQLite_DB_Name)
file_object = open(File_To_Parse, "rb")
esedb_file = pyesedb.file()
esedb_file.open_file_object(file_object)
EsedbTable = esedb_file.get_table_by_name(Table_Name)
print ("Inserting records into table ==> " + Table_Name)
for i in range(int(Begin_Record_Number), int(End_Record_Number)):
SQL_Bind_Values = []
SQL_Statement_Table = 'Insert into ' + Table_Name + ' '
EsedbTable_Record = EsedbTable.get_record(i)
EsedbTable_Num_Columns = EsedbTable.get_number_of_columns()
Column_Name = EsedbTable_Record.get_column_name(0)
SQL_Statement_Columns = SQLitedb.Check_SQL_Reserved_Word(Column_Name)
SQL_Bind_Variables = SQLitedb.create_question_bind_variables(EsedbTable.get_number_of_columns())
Column_Type = EsedbTable_Record.get_column_type(0)
Check_Column_Type(EsedbTable_Record, Column_Type, 0, SQL_Bind_Values)
for x in range(1,EsedbTable.get_number_of_columns()):
Column_Name = EsedbTable_Record.get_column_name(x)
def test_signal_abort(self):
"""Tests the signal_abort function."""
esedb_file = pyesedb.file()
esedb_file.signal_abort()
