Ejemplo n.º 1
0
def Eventlogload():  # https://github.com/libyal/libevtx/wiki/Development
    global file, csvWriter
    file_object = open(
        "C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx",
        "rb")
    evtx_file = pyevtx.file()
    evtx_file.open_file_object(file_object)
    file = open("./regi_evtx.csv", 'w', newline="\n")
    csvWriter = csv.writer(file)
    csvWriter.writerow([
        'ControlSet', 'Device_Name', 'Serial_Number', 'Mounted_Volume_Name',
        'Logical_Drive', 'Init Connected Time', 'Connected Time',
        'Disconnected Time', 'LifeTime'
    ])

    # help(pyevtx.file) # How to use pyevtx
    # print ("\n================== * EventLog Contents * ==================")
    for event_cnt in range(0, evtx_file.number_of_records):
        record = evtx_file.get_record(event_cnt)
        usb_event_log = xml_parser(record.xml_string)
        if usb_event_log != 0:
            # print (usb_event_log, end=" "); print("\n")
            r_s_e_csv(usb_event_log)
        else:
            pass
    file.close()
    evtx_file.close()
Ejemplo n.º 2
0
def pyevtx_test_single_open_close_file_object_with_dereference(
    filename, mode):
  """Tests single file-like object open and close with dereference."""
  description = (
      "Testing single open close of file-like object with dereference of: "
      "{0:s} with access: {1:s}\t").format(
          get_filename_string(filename), get_mode_string(mode))
  print(description, end="")

  error_string = None
  result = True

  try:
    file_object = open(filename, "rb")
    evtx_file = pyevtx.file()

    evtx_file.open_file_object(file_object, mode)
    del file_object
    evtx_file.close()

  except Exception as exception:
    error_string = str(exception)
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")

  if error_string:
    print(error_string)
  return result
Ejemplo n.º 3
0
  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator: a parser mediator object (instance of ParserMediator).
      file_object: a file-like object.
    """
    evtx_file = pyevtx.file()
    evtx_file.set_ascii_codepage(parser_mediator.codepage)

    try:
      evtx_file.open_file_object(file_object)
    except IOError as exception:
      parser_mediator.ProduceExtractionError(
          u'unable to open file with error: {0:s}'.format(exception))
      return

    for record_index, evtx_record in enumerate(evtx_file.records):
      try:
        self._ParseRecord(parser_mediator, record_index, evtx_record)
      except IOError as exception:
        parser_mediator.ProduceExtractionError(
            u'unable to parse event record: {0:d} with error: {1:s}'.format(
                record_index, exception))

    for record_index, evtx_record in enumerate(evtx_file.recovered_records):
      try:
        self._ParseRecord(
            parser_mediator, record_index, evtx_record, recovered=True)
      except IOError as exception:
        parser_mediator.ProduceExtractionError((
            u'unable to parse recovered event record: {0:d} with error: '
            u'{1:s}').format(record_index, exception))

    evtx_file.close()
Ejemplo n.º 4
0
    def test_open_close(self):
        """Tests the open and close functions."""
        test_source = unittest.source
        if not test_source:
            return

        evtx_file = pyevtx.file()

        # Test open and close.
        evtx_file.open(test_source)
        evtx_file.close()

        # Test open and close a second time to validate clean up on close.
        evtx_file.open(test_source)
        evtx_file.close()

        if os.path.isfile(test_source):
            with open(test_source, "rb") as file_object:

                # Test open_file_object and close.
                evtx_file.open_file_object(file_object)
                evtx_file.close()

                # Test open_file_object and close a second time to validate clean up on close.
                evtx_file.open_file_object(file_object)
                evtx_file.close()

                # Test open_file_object and close and dereferencing file_object.
                evtx_file.open_file_object(file_object)
                del file_object
                evtx_file.close()
Ejemplo n.º 5
0
def pyevtx_test_multi_open_close_file(filename, mode):
  """Tests multiple open and close."""
  description = (
      "Testing multi open close of: {0:s} with access: {1:s}"
      "\t").format(get_filename_string(filename), get_mode_string(mode))
  print(description, end="")

  error_string = None
  result = True

  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()
    evtx_file.open(filename, mode)
    evtx_file.close()

  except Exception as exception:
    error_string = str(exception)
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")

  if error_string:
    print(error_string)
  return result
Ejemplo n.º 6
0
    def test_open_close(self):
        """Tests the open and close functions."""
        if not unittest.source:
            return

        evtx_file = pyevtx.file()

        # Test open and close.
        evtx_file.open(unittest.source)
        evtx_file.close()

        # Test open and close a second time to validate clean up on close.
        evtx_file.open(unittest.source)
        evtx_file.close()

        file_object = open(unittest.source, "rb")

        # Test open_file_object and close.
        evtx_file.open_file_object(file_object)
        evtx_file.close()

        # Test open_file_object and close a second time to validate clean up on close.
        evtx_file.open_file_object(file_object)
        evtx_file.close()

        # Test open_file_object and close and dereferencing file_object.
        evtx_file.open_file_object(file_object)
        del file_object
        evtx_file.close()
Ejemplo n.º 7
0
    def test_open_file_object(self):
        """Tests the open_file_object function."""
        test_source = unittest.source
        if not test_source:
            raise unittest.SkipTest("missing source")

        if not os.path.isfile(test_source):
            raise unittest.SkipTest("source not a regular file")

        evtx_file = pyevtx.file()

        with open(test_source, "rb") as file_object:

            evtx_file.open_file_object(file_object)

            with self.assertRaises(IOError):
                evtx_file.open_file_object(file_object)

            evtx_file.close()

            with self.assertRaises(TypeError):
                evtx_file.open_file_object(None)

            with self.assertRaises(ValueError):
                evtx_file.open_file_object(file_object, mode="w")
Ejemplo n.º 8
0
    def test_close(self):
        """Tests the close function."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        evtx_file = pyevtx.file()

        with self.assertRaises(IOError):
            evtx_file.close()
Ejemplo n.º 9
0
    def test_close(self):
        """Tests the close function."""
        if not unittest.source:
            return

        evtx_file = pyevtx.file()

        with self.assertRaises(IOError):
            evtx_file.close()
Ejemplo n.º 10
0
def main( argc, argv ):
	result = 0

	if argc != 1:
		print "Usage: pyevtx_test_set_ascii_codepage.py\n"
		return 1

	supported_codepages = [
		"ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250", "cp1251",
		"cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258" ]

	unsupported_codepages = [
		"iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
		"iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
		"iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15", "iso-8859-16",
		"koi8_r", "koi8_u" ]

	evtx_file = pyevtx.file()

	for codepage in supported_codepages:
		print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ),

		try:
			evtx_file.ascii_codepage = codepage
			result = 0
		except:
			result = 1

		if result != 0:
			print "(FAIL)"
			return 1
		print "(PASS)"

		print "Testing setting supported ASCII codepage of: %s:\t" %( codepage ),

		try:
			evtx_file.set_ascii_codepage( codepage )
			result = 0
		except:
			result = 1

		if result != 0:
			print "(FAIL)"
			return 1
		print "(PASS)"

	for codepage in unsupported_codepages:
		print "Testing setting unsupported ASCII codepage of: %s:\t" %( codepage ),

		result = 1
		try:
			evtx_file.ascii_codepage = codepage
		except RuntimeError, exception:
			if exception.message == "pyevtx_file_set_ascii_codepage_from_string: unable to determine ASCII codepage.":
				result = 0
		except:
Ejemplo n.º 11
0
 def _GetEventFileList(self):
     '''Get file listing of event files from specified source path'''
     self.filelist = []
     
     if not os.path.isdir(self.options.events_path):
         raise(Exception("Events directory does not exist: {}".format(self.options.events_path)))
     
     for dirName, subdirList, fileList in os.walk(self.options.events_path):
         for filename in fileList:
             fullname = os.path.join(
                 dirName,
                 filename
             )
             if (filename.lower().endswith('.evt') or filename.lower().endswith('.evtx')):
                 if IsSupportedEventFile(fullname):
                     self.filelist.append(fullname)
             elif filename.lower().endswith('.json'):
                 # Check for EvtXtract outputfiles #
                 if IsSupportedEvtXtractFile(fullname):
                     self.filelist.append(fullname)
                     
     self.filelist.sort()
     
     progressBar = ProgressManager.ProgressBarClass(
         Config.Config.UI_TYPE,
         count = len(self.filelist),
         description = u'Enumerating Event Files'.format(dirName)
     )
     
     _fcnt = 0
     for filename in self.filelist:
         if filename.lower().endswith('evtx'):
             wefile = pyevtx.file()
             wefile.open(filename)
             self.total_records += wefile.get_number_of_records()
             self.total_records += wefile.get_number_of_recovered_records()
             wefile.close()
         elif filename.lower().endswith('evt'):
             wefile = pyevt.file()
             wefile.open(filename)
             self.total_records += wefile.get_number_of_records()
             self.total_records += wefile.get_number_of_recovered_records()
             wefile.close()
         elif filename.lower().endswith('json'):
             with open(filename) as wefile:
                 jstruct = json.load(wefile)
                 self.total_records += len(jstruct['valid_records'])
                 wefile.close()
         
         progressBar.Increment(1)
         _fcnt += 1
         
     progressBar.Finish()
Ejemplo n.º 12
0
def parse_event_log(file_to_parse):

    file_object = open(file_to_parse, "rb")
    evtx_file = pyevtx.file()
    evtx_file.open_file_object(file_object)
    SQLitedb.CreateTempTable(table_name + '_temp', table_columns)

    print(' Number of Records in Event Log ==> ',
          evtx_file.get_number_of_records())
    print(' Number of recovered Records in Event Log ==> ',
          evtx_file.get_number_of_recovered_records())

    for i in range(0, evtx_file.get_number_of_records()):
        event_record = []
        event_record.append(ntpath.basename(file_to_parse))
        event_string = ""
        evtx_record = evtx_file.get_record(i)
        event_record.append('N')
        if (evtx_record.get_computer_name() == None):
            event_record.append('NULL')
        else:
            event_record.append(evtx_record.get_computer_name())
        event_record.append(evtx_record.get_event_identifier())
        event_record.append(evtx_record.get_event_identifier_qualifiers())
        event_record.append(evtx_record.get_event_level())
        event_record.append(evtx_record.get_identifier())
        event_record.append(evtx_record.get_offset())
        if (evtx_record.get_source_name() == None):
            event_record.append('NULL')
        else:
            event_record.append(evtx_record.get_source_name())
        if (evtx_record.get_user_security_identifier() == None):
            event_record.append('NULL')
        else:
            event_record.append(evtx_record.get_user_security_identifier())
        event_record.append(evtx_record.get_written_time())
        event_record.append(evtx_record.get_written_time_as_integer())
        for x in range(0, evtx_record.get_number_of_strings()):
            if (evtx_record.get_string(x) == None):
                event_string = event_string + " \n"
            else:
                event_string = event_string + evtx_record.get_string(x) + " \n"
        event_record.append(event_string)

        SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns,
                                  sql_bind, event_record)

    if (SQLitedb.TableExists(table_name)):
        SQLitedb.AppendTempToPermanentTable(table_name)
    else:
        SQLitedb.CreatePermanentTable(table_name)
    SQLitedb.DropTable(table_name + '_temp')
Ejemplo n.º 13
0
def parse_event_log(file_to_parse):

   
   file_object = open(file_to_parse, "rb")
   evtx_file = pyevtx.file()
   evtx_file.open_file_object(file_object)
   SQLitedb.CreateTempTable(table_name + '_temp', table_columns)   

   print (' Number of Records in Event Log ==> ', evtx_file.get_number_of_records())
   print (' Number of recovered Records in Event Log ==> ', evtx_file.get_number_of_recovered_records())

   for i in range (0, evtx_file.get_number_of_records()):
      event_record = []
      event_record.append(ntpath.basename(file_to_parse))
      event_string = ""
      evtx_record = evtx_file.get_record(i)
      event_record.append('N')
      if (evtx_record.get_computer_name() == None):
         event_record.append('NULL')
      else:
         event_record.append(evtx_record.get_computer_name())   
      event_record.append(evtx_record.get_event_identifier())   
      event_record.append(evtx_record.get_event_identifier_qualifiers())   
      event_record.append(evtx_record.get_event_level())   
      event_record.append(evtx_record.get_identifier())   
      event_record.append(evtx_record.get_offset())   
      if (evtx_record.get_source_name() == None):
         event_record.append('NULL')
      else:
         event_record.append(evtx_record.get_source_name())   
      if (evtx_record.get_user_security_identifier() == None):
         event_record.append('NULL')
      else:
         event_record.append(evtx_record.get_user_security_identifier())   
      event_record.append(evtx_record.get_written_time())
      event_record.append(evtx_record.get_written_time_as_integer()) 
      for x in range (0, evtx_record.get_number_of_strings()):
         if (evtx_record.get_string(x) == None):
            event_string = event_string + " \n"
         else:
            event_string = event_string + evtx_record.get_string(x) + " \n"
      event_record.append(event_string)	  
  
      SQLitedb.InsertBindValues(table_name + '_temp', sql_ins_columns, sql_bind, event_record) 


   if (SQLitedb.TableExists(table_name)):  
      SQLitedb.AppendTempToPermanentTable(table_name)
   else:
      SQLitedb.CreatePermanentTable(table_name)
   SQLitedb.DropTable(table_name + '_temp')
Ejemplo n.º 14
0
    def Parse(self, parser_context, file_entry):
        """Extract data from a Windows XML EventLog (EVTX) file.

    Args:
      parser_context: A parser context object (instance of ParserContext).
      file_entry: A file entry object (instance of dfvfs.FileEntry).
    """
        file_object = file_entry.GetFileObject()
        evtx_file = pyevtx.file()
        evtx_file.set_ascii_codepage(parser_context.codepage)

        try:
            evtx_file.open_file_object(file_object)
        except IOError as exception:
            evtx_file.close()
            file_object.close()
            raise errors.UnableToParseFile(
                u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
                    self.NAME, file_entry.name, exception))

        for record_index in range(0, evtx_file.number_of_records):
            try:
                evtx_record = evtx_file.get_record(record_index)
                event_object = WinEvtxRecordEvent(evtx_record)
                parser_context.ProduceEvent(event_object,
                                            parser_name=self.NAME,
                                            file_entry=file_entry)
            except IOError as exception:
                logging.warning((
                    u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} '
                    u'with error: {3:s}').format(self.NAME, record_index,
                                                 file_entry.name, exception))

        for record_index in range(0, evtx_file.number_of_recovered_records):
            try:
                evtx_record = evtx_file.get_recovered_record(record_index)
                event_object = WinEvtxRecordEvent(evtx_record, recovered=True)
                parser_context.ProduceEvent(event_object,
                                            parser_name=self.NAME,
                                            file_entry=file_entry)
            except IOError as exception:
                logging.debug((
                    u'[{0:s}] unable to parse recovered event record: {1:d} in file: '
                    u'{2:s} with error: {3:s}').format(self.NAME, record_index,
                                                       file_entry.name,
                                                       exception))

        evtx_file.close()
        file_object.close()
Ejemplo n.º 15
0
def pyevtx_test_single_open_close_file(filename, mode):
  """Tests a single open and close."""
  description = (
      "Testing single open close of: {0:s} with access: {1:s}"
      "\t").format(get_filename_string(filename), get_mode_string(mode))
  print(description, end="")

  error_string = None
  result = True

  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()

  except TypeError as exception:
    expected_message = (
        "{0:s}: unsupported string object type.").format(
            "pyevtx_file_open")

    if not filename and str(exception) == expected_message:
      pass

    else:
      error_string = str(exception)
      result = False

  except ValueError as exception:
    expected_message = (
        "{0:s}: unsupported mode: w.").format(
            "pyevtx_file_open")

    if mode != "w" or str(exception) != expected_message:
      error_string = str(exception)
      result = False

  except Exception as exception:
    error_string = str(exception)
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")

  if error_string:
    print(error_string)
  return result
Ejemplo n.º 16
0
    def test_get_number_of_records(self):
        """Tests the get_number_of_records function and number_of_records property."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        evtx_file = pyevtx.file()

        evtx_file.open(unittest.source)

        number_of_records = evtx_file.get_number_of_records()
        self.assertIsNotNone(number_of_records)

        self.assertIsNotNone(evtx_file.number_of_records)

        evtx_file.close()
Ejemplo n.º 17
0
    def test_get_ascii_codepage(self):
        """Tests the get_ascii_codepage function and ascii_codepage property."""
        if not unittest.source:
            raise unittest.SkipTest("missing source")

        evtx_file = pyevtx.file()

        evtx_file.open(unittest.source)

        ascii_codepage = evtx_file.get_ascii_codepage()
        self.assertIsNotNone(ascii_codepage)

        self.assertIsNotNone(evtx_file.ascii_codepage)

        evtx_file.close()
Ejemplo n.º 18
0
    def _GetEventFileList(self):
        '''Get file listing of event files from specified source path'''
        self.filelist = []

        for dirName, subdirList, fileList in os.walk(self.options.events_path):
            for filename in fileList:
                fullname = os.path.join(dirName, filename)
                if (filename.lower().endswith('.evt')
                        or filename.lower().endswith('.evtx')):
                    self.filelist.append(fullname)
                elif filename.lower().endswith('.json'):
                    # Check for EvtXtract outputfiles #
                    if IsSupportedEvtXtractFile(fullname):
                        self.filelist.append(fullname)

        self.filelist.sort()

        progressBar = ProgressManager.ProgressBarClass(
            Config.Config.UI_TYPE,
            count=len(self.filelist),
            description=u'Enumerating Event Files'.format(dirName))

        _fcnt = 0
        for filename in self.filelist:
            if filename.lower().endswith('evtx'):
                wefile = pyevtx.file()
                wefile.open(filename)
                self.total_records += wefile.get_number_of_records()
                self.total_records += wefile.get_number_of_recovered_records()
                wefile.close()
            elif filename.lower().endswith('evt'):
                wefile = pyevt.file()
                wefile.open(filename)
                self.total_records += wefile.get_number_of_records()
                self.total_records += wefile.get_number_of_recovered_records()
                wefile.close()
            elif filename.lower().endswith('json'):
                with open(filename) as wefile:
                    jstruct = json.load(wefile)
                    self.total_records += len(jstruct['valid_records'])
                    wefile.close()

            progressBar.Increment(1)
            _fcnt += 1

        progressBar.Finish()
Ejemplo n.º 19
0
  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      file_object: A file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.
    """
    evtx_file = pyevtx.file()
    evtx_file.set_ascii_codepage(parser_mediator.codepage)

    try:
      evtx_file.open_file_object(file_object)
    except IOError as exception:
      evtx_file.close()
      raise errors.UnableToParseFile(
          u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
              self.NAME, parser_mediator.GetDisplayName(), exception))

    for record_index in range(0, evtx_file.number_of_records):
      try:
        evtx_record = evtx_file.get_record(record_index)
        event_object = WinEvtxRecordEvent(evtx_record)
        parser_mediator.ProduceEvent(event_object)
      except IOError as exception:
        logging.warning((
            u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} '
            u'with error: {3:s}').format(
                self.NAME, record_index, parser_mediator.GetDisplayName(),
                exception))

    for record_index in range(0, evtx_file.number_of_recovered_records):
      try:
        evtx_record = evtx_file.get_recovered_record(record_index)
        event_object = WinEvtxRecordEvent(evtx_record, recovered=True)
        parser_mediator.ProduceEvent(event_object)
      except IOError as exception:
        logging.debug((
            u'[{0:s}] unable to parse recovered event record: {1:d} in file: '
            u'{2:s} with error: {3:s}').format(
                self.NAME, record_index, parser_mediator.GetDisplayName(),
                exception))

    evtx_file.close()
Ejemplo n.º 20
0
    def _OpenFile(self):
        '''Open the WindowsEventHandler's evt or evtx file handle for processing'''
        if self.ext.lower().endswith('evtx'):
            self.eventfile_type = 'evtx'
            self.file = pyevtx.file()
        elif self.ext.lower().endswith('evt'):
            self.eventfile_type = 'evt'
            self.file = pyevt.file()
        elif self.ext.lower().endswith('json'):
            self.eventfile_type = 'evtxtract'
            self.file = EvtXtractFile()
        else:
            raise Exception(
                '{} Is not a supported extention. (.evt || .evtx || .json [EVTXtract json file]) [{}]'
                .format(self.ext, self.filename))

        self.file.open(self.filename)
Ejemplo n.º 21
0
def pyevtx_test_single_open_close_file(filename, mode):
  if not filename:
    filename_string = "None"
  else:
    filename_string = filename

  print("Testing single open close of: {0:s} with access: {1:s}\t".format(
      filename_string, get_mode_string(mode)))

  result = True
  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()

  except TypeError as exception:
    expected_message = (
        "{0:s}: unsupported string object type.").format(
            "pyevtx_file_open")

    if not filename and str(exception) == expected_message:
      pass

    else:
      print(str(exception))
      result = False

  except ValueError as exception:
    expected_message = (
        "{0:s}: unsupported mode: w.").format(
            "pyevtx_file_open")

    if mode != "w" or str(exception) != expected_message:
      print(str(exception))
      result = False

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
Ejemplo n.º 22
0
def pyevtx_test_single_open_close_file_object(filename, mode):
  print ("Testing single open close of file-like object of: {0:s} with access: "
         "{1:s}\t").format(filename, get_mode_string(mode))

  try:
    file_object = open(filename, mode)
    evtx_file = pyevtx.file()

    evtx_file.open_file_object(file_object, mode)
    evtx_file.close()

  except:
    print "(FAIL)"
    return False

  print "(PASS)"
  return True
Ejemplo n.º 23
0
    def ParseFileObject(self, parser_mediator, file_object, **kwargs):
        """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator: A parser mediator object (instance of ParserMediator).
      file_object: A file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.
    """
        evtx_file = pyevtx.file()
        evtx_file.set_ascii_codepage(parser_mediator.codepage)

        try:
            evtx_file.open_file_object(file_object)
        except IOError as exception:
            evtx_file.close()
            raise errors.UnableToParseFile(
                u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
                    self.NAME, parser_mediator.GetDisplayName(), exception))

        for record_index in range(0, evtx_file.number_of_records):
            try:
                evtx_record = evtx_file.get_record(record_index)
                event_object = WinEvtxRecordEvent(evtx_record)
                parser_mediator.ProduceEvent(event_object)
            except IOError as exception:
                logging.warning((
                    u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} '
                    u'with error: {3:s}').format(
                        self.NAME, record_index,
                        parser_mediator.GetDisplayName(), exception))

        for record_index in range(0, evtx_file.number_of_recovered_records):
            try:
                evtx_record = evtx_file.get_recovered_record(record_index)
                event_object = WinEvtxRecordEvent(evtx_record, recovered=True)
                parser_mediator.ProduceEvent(event_object)
            except IOError as exception:
                logging.debug((
                    u'[{0:s}] unable to parse recovered event record: {1:d} in file: '
                    u'{2:s} with error: {3:s}').format(
                        self.NAME, record_index,
                        parser_mediator.GetDisplayName(), exception))

        evtx_file.close()
Ejemplo n.º 24
0
 def _OpenFile(self):
     '''Open the WindowsEventHandler's evt or evtx file handle for processing'''
     if self.ext.lower().endswith('evtx'):
         self.eventfile_type = 'evtx'
         self.file = pyevtx.file()
     elif self.ext.lower().endswith('evt'):
         self.eventfile_type = 'evt'
         self.file = pyevt.file()
     elif self.ext.lower().endswith('json'):
         self.eventfile_type = 'evtxtract'
         self.file = EvtXtractFile()
     else:
         raise Exception('{} Is not a supported extention. (.evt || .evtx || .json [EVTXtract json file]) [{}]'.format(
             self.ext,
             self.filename
         ))
     
     self.file.open(self.filename)
Ejemplo n.º 25
0
def pyevtx_test_multi_open_close_file(filename, mode):
  print "Testing multi open close of: {0:s} with access: {1:s}\t".format(
      filename, get_mode_string(mode))

  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()
    evtx_file.open(filename, mode)
    evtx_file.close()

  except:
    print "(FAIL)"
    return False

  print "(PASS)"
  return True
Ejemplo n.º 26
0
def ProcessEventFile(file_path):
    """Process an event log file.
    
    Params:
        file_path (str|unicode): Location of the eventlog
    """
    if file_path.lower().endswith('.evtx'):
        evtx_file = pyevtx.file()
        evtx_file.open(file_path)
        ProcessEventLog(evtx_file, file_path)
    elif file_path.lower().endswith('.evt'):
        evt_file = pyevt.file()
        evt_file.open(file_path)
        ProcessEventLog(evt_file, file_path)
    else:
        raise Exception(
            "File not processed (needs .evtx or .evt extention): {}".format(
                file_path))
Ejemplo n.º 27
0
    def ParseFileObject(self, parser_mediator, file_object, **kwargs):
        """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator (ParserMediator): parser mediator.
      file_object (dfvfs.FileIO): a file-like object.
    """
        evtx_file = pyevtx.file()
        evtx_file.set_ascii_codepage(parser_mediator.codepage)

        try:
            evtx_file.open_file_object(file_object)
        except IOError as exception:
            parser_mediator.ProduceExtractionError(
                u'unable to open file with error: {0:s}'.format(exception))
            return

        for record_index, evtx_record in enumerate(evtx_file.records):
            if parser_mediator.abort:
                break

            try:
                self._ParseRecord(parser_mediator, record_index, evtx_record)
            except IOError as exception:
                parser_mediator.ProduceExtractionError(
                    u'unable to parse event record: {0:d} with error: {1:s}'.
                    format(record_index, exception))

        for record_index, evtx_record in enumerate(
                evtx_file.recovered_records):
            if parser_mediator.abort:
                break

            try:
                self._ParseRecord(parser_mediator,
                                  record_index,
                                  evtx_record,
                                  recovered=True)
            except IOError as exception:
                parser_mediator.ProduceExtractionError((
                    u'unable to parse recovered event record: {0:d} with error: '
                    u'{1:s}').format(record_index, exception))

        evtx_file.close()
Ejemplo n.º 28
0
    def iterate_over_records(self):

        #MAKE THIS LIB OPTIONAL
        try:
            import pyevtx
        except ImportError:
            print("Module pyevtx (libyal/libevtx) is not installed")
            print("pip3 install --upgrade libevtx-python")
            sys.exit(0)

        if self.is_valid():
            evtx_file = pyevtx.file()

            #OPEN MMAP AS EVTX
            try:
                evtx_file.open_file_object(self.map)
            except IOError as e:
                yield (False, e.strerror, None)
                evtx_file.close()
                return

            # NORMAL EVENTS
            for i in range(0, evtx_file.get_number_of_records()):
                try:
                    # is_valid, error, record
                    yield (True, None, evtx_file.get_record(i))
                except Exception as error:
                    yield (
                        False,
                        "Error opening normal record with ID: {} / {}".format(
                            i, error.args), None)

            # RECOVERED EVENTS
            if self.recovery:
                for record_index in range(
                        0, evtx_file.number_of_recovered_records):
                    try:
                        yield (True, None,
                               evtx_file.get_recovered_record(record_index))
                    except IOError as error:
                        yield (False,
                               "Error opening recovered record with ID: {}".
                               format(record_index, error.strerror), None)
Ejemplo n.º 29
0
    def test_open(self):
        """Tests the open function."""
        if not unittest.source:
            return

        evtx_file = pyevtx.file()

        evtx_file.open(unittest.source)

        with self.assertRaises(IOError):
            evtx_file.open(unittest.source)

        evtx_file.close()

        with self.assertRaises(TypeError):
            evtx_file.open(None)

        with self.assertRaises(ValueError):
            evtx_file.open(unittest.source, mode="w")
Ejemplo n.º 30
0
    def ParseFileObject(self, parser_mediator, file_object, **kwargs):
        """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator: a parser mediator object (instance of ParserMediator).
      file_object: a file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.
    """
        evtx_file = pyevtx.file()
        evtx_file.set_ascii_codepage(parser_mediator.codepage)

        try:
            evtx_file.open_file_object(file_object)
        except IOError as exception:
            display_name = parser_mediator.GetDisplayName()
            raise errors.UnableToParseFile(
                u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
                    self.NAME, display_name, exception))

        for record_index, evtx_record in enumerate(evtx_file.records):
            try:
                self._ParseRecord(parser_mediator, record_index, evtx_record)
            except IOError as exception:
                parser_mediator.ProduceParseError(
                    u'unable to parse event record: {0:d} with error: {1:s}'.
                    format(record_index, exception))

        for record_index, evtx_record in enumerate(
                evtx_file.recovered_records):
            try:
                self._ParseRecord(parser_mediator,
                                  record_index,
                                  evtx_record,
                                  recovered=True)
            except IOError as exception:
                parser_mediator.ProduceParseError((
                    u'unable to parse recovered event record: {0:d} with error: '
                    u'{1:s}').format(record_index, exception))

        evtx_file.close()
Ejemplo n.º 31
0
    def test_open(self):
        """Tests the open function."""
        test_source = unittest.source
        if not test_source:
            raise unittest.SkipTest("missing source")

        evtx_file = pyevtx.file()

        evtx_file.open(test_source)

        with self.assertRaises(IOError):
            evtx_file.open(test_source)

        evtx_file.close()

        with self.assertRaises(TypeError):
            evtx_file.open(None)

        with self.assertRaises(ValueError):
            evtx_file.open(test_source, mode="w")
Ejemplo n.º 32
0
  def Parse(self, file_entry):
    """Extract data from a Windows XML EventLog (EVTX) file.

    Args:
      file_entry: A file entry object.

    Yields:
      An event object (WinEvtxRecordEvent) that contains the parsed data.
    """
    file_object = file_entry.GetFileObject()
    evtx_file = pyevtx.file()
    evtx_file.set_ascii_codepage(self._codepage)

    try:
      evtx_file.open_file_object(file_object)
    except IOError as exception:
      raise errors.UnableToParseFile(
          u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
              self.parser_name, file_entry.name, exception))

    for record_index in range(0, evtx_file.number_of_records):
      try:
        evtx_record = evtx_file.get_record(record_index)
        yield WinEvtxRecordEvent(evtx_record)
      except IOError as exception:
        logging.warning((
            u'[{0:s}] unable to parse event record: {1:d} in file: {2:s} '
            u'with error: {3:s}').format(
                self.parser_name, record_index, file_entry.name, exception))

    for record_index in range(0, evtx_file.number_of_recovered_records):
      try:
        evtx_record = evtx_file.get_recovered_record(record_index)
        yield WinEvtxRecordEvent(evtx_record, recovered=True)
      except IOError as exception:
        logging.debug((
            u'[{0:s}] unable to parse recovered event record: {1:d} in file: '
            u'{2:s} with error: {3:s}').format(
                self.parser_name, record_index, file_entry.name, exception))

    file_object.close()
Ejemplo n.º 33
0
  def test_set_ascii_codepage(self):
    """Tests the set_ascii_codepage function."""
    supported_codepages = (
        "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
        "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
        "cp1258")

    evtx_file = pyevtx.file()

    for codepage in supported_codepages:
      evtx_file.set_ascii_codepage(codepage)

    unsupported_codepages = (
        "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
        "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
        "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
        "iso-8859-16", "koi8_r", "koi8_u")

    for codepage in unsupported_codepages:
      with self.assertRaises(RuntimeError):
        evtx_file.set_ascii_codepage(codepage)
Ejemplo n.º 34
0
def pyevtx_test_single_open_close_file_object(filename, mode):
  print(("Testing single open close of file-like object of: {0:s} "
         "with access: {1:s}\t").format(filename, get_mode_string(mode)))

  result = True
  try:
    file_object = open(filename, "rb")
    evtx_file = pyevtx.file()

    evtx_file.open_file_object(file_object, mode)
    evtx_file.close()

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
Ejemplo n.º 35
0
  def ParseFileObject(self, parser_mediator, file_object):
    """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): a file-like object.
    """
    evtx_file = pyevtx.file()
    evtx_file.set_ascii_codepage(parser_mediator.codepage)

    try:
      evtx_file.open_file_object(file_object)
    except IOError as exception:
      parser_mediator.ProduceExtractionWarning(
          'unable to open file with error: {0!s}'.format(exception))
      return

    try:
      self._ParseRecords(parser_mediator, evtx_file)
    finally:
      evtx_file.close()
Ejemplo n.º 36
0
    def ParseFileObject(self, parser_mediator, file_object):
        """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      file_object (dfvfs.FileIO): a file-like object.
    """
        evtx_file = pyevtx.file()
        evtx_file.set_ascii_codepage(parser_mediator.codepage)

        try:
            evtx_file.open_file_object(file_object)
        except IOError as exception:
            parser_mediator.ProduceExtractionWarning(
                'unable to open file with error: {0!s}'.format(exception))
            return

        try:
            self._ParseRecords(parser_mediator, evtx_file)
        finally:
            evtx_file.close()
Ejemplo n.º 37
0
def pyevtx_test_multi_open_close_file(filename, mode):
  print("Testing multi open close of: {0:s} with access: {1:s}\t".format(
      filename, get_mode_string(mode)))

  result = True
  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()
    evtx_file.open(filename, mode)
    evtx_file.close()

  except Exception as exception:
    print(str(exception))
    result = False

  if not result:
    print("(FAIL)")
  else:
    print("(PASS)")
  return result
Ejemplo n.º 38
0
  def ParseFileObject(self, parser_mediator, file_object, **kwargs):
    """Parses a Windows XML EventLog (EVTX) file-like object.

    Args:
      parser_mediator: a parser mediator object (instance of ParserMediator).
      file_object: a file-like object.

    Raises:
      UnableToParseFile: when the file cannot be parsed.
    """
    evtx_file = pyevtx.file()
    evtx_file.set_ascii_codepage(parser_mediator.codepage)

    try:
      evtx_file.open_file_object(file_object)
    except IOError as exception:
      display_name = parser_mediator.GetDisplayName()
      raise errors.UnableToParseFile(
          u'[{0:s}] unable to parse file {1:s} with error: {2:s}'.format(
              self.NAME, display_name, exception))

    for record_index, evtx_record in enumerate(evtx_file.records):
      try:
        self._ParseRecord(parser_mediator, record_index, evtx_record)
      except IOError as exception:
        parser_mediator.ProduceParseError(
            u'unable to parse event record: {0:d} with error: {1:s}'.format(
                record_index, exception))

    for record_index, evtx_record in enumerate(evtx_file.recovered_records):
      try:
        self._ParseRecord(
            parser_mediator, record_index, evtx_record, recovered=True)
      except IOError as exception:
        parser_mediator.ProduceParseError((
            u'unable to parse recovered event record: {0:d} with error: '
            u'{1:s}').format(record_index, exception))

    evtx_file.close()
Ejemplo n.º 39
0
    def test_open_file_object(self):
        """Tests the open_file_object function."""
        if not unittest.source:
            return

        file_object = open(unittest.source, "rb")

        evtx_file = pyevtx.file()

        evtx_file.open_file_object(file_object)

        with self.assertRaises(IOError):
            evtx_file.open_file_object(file_object)

        evtx_file.close()

        # TODO: change IOError into TypeError
        with self.assertRaises(IOError):
            evtx_file.open_file_object(None)

        with self.assertRaises(ValueError):
            evtx_file.open_file_object(file_object, mode="w")
Ejemplo n.º 40
0
def pyevtx_test_single_open_close_file(filename, mode):
  if not filename:
    filename_string = "None"
  else:
    filename_string = filename

  print "Testing single open close of: {0:s} with access: {1:s}\t".format(
      filename_string, get_mode_string(mode))

  try:
    evtx_file = pyevtx.file()

    evtx_file.open(filename, mode)
    evtx_file.close()

  except TypeError, exception:
    if (not filename and
        exception.message == "pyevtx_file_open: unsupported string object type."):
      pass

    else:
      print "(FAIL)"
      return False
Ejemplo n.º 41
0
def main():
    supported_codepages = [
        "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
        "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
        "cp1258"
    ]

    unsupported_codepages = [
        "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
        "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
        "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
        "iso-8859-16", "koi8_r", "koi8_u"
    ]

    evtx_file = pyevtx.file()

    result = True
    for codepage in supported_codepages:
        print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
            codepage)),
        try:
            evtx_file.ascii_codepage = codepage
            result = True
        except:
            result = False

        if not result:
            print("(FAIL)")
            return False
        print("(PASS)")

        print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
            codepage)),
        try:
            evtx_file.set_ascii_codepage(codepage)
            result = True
        except:
            result = False

        if not result:
            print("(FAIL)")
            return False
        print("(PASS)")

        for codepage in unsupported_codepages:
            print("Testing setting unsupported ASCII codepage of: {0:s}:\t".
                  format(codepage)),

            result = False
            try:
                evtx_file.ascii_codepage = codepage
            except RuntimeError as exception:
                expected_message = (
                    "{0:s}: unable to determine ASCII codepage."
                ).format("pyevtx_file_set_ascii_codepage_from_string")

                if str(exception) == expected_message:
                    result = True
            except:
                pass

            if not result:
                print("(FAIL)")
                return False
            print("(PASS)")

            print("Testing setting unsupported ASCII codepage of: {0:s}:\t".
                  format(codepage)),

            result = False
            try:
                evtx_file.set_ascii_codepage(codepage)
            except RuntimeError as exception:
                expected_message = (
                    "{0:s}: unable to determine ASCII codepage."
                ).format("pyevtx_file_set_ascii_codepage_from_string")

                if str(exception) == expected_message:
                    result = True
            except:
                pass

            if not result:
                print("(FAIL)")
                return False
            print("(PASS)")

    return True
Ejemplo n.º 42
0
def event_open(path):
    evtx_file = pyevtx.file()
    evtx_file.open(path)
    return evtx_file
Ejemplo n.º 43
0
  def _ReadEVTX(self, source):
    """Read a XML EventLog file.

    Args:
      source (str): name of the EventLog file that contains the process start
          and stop events.

    Yields:
      pyevtx.record: XML EventLog record.
    """
    evtx_file = pyevtx.file()
    evtx_file.open(source)

    # pylint: disable=not-an-iterable
    for evtx_record in evtx_file.records:
      if evtx_record.event_identifier == 4688:
        process_start_event = ProcessStartEvent()
        process_start_event.command_line = evtx_record.get_string(8)

        try:
          string_value = evtx_record.get_string(4)
          process_start_event.new_process_id = int(string_value, 16)
        except ValueError:
          pass

        process_start_event.new_process_name = evtx_record.get_string(5)

        try:
          string_value = evtx_record.get_string(7)
          process_start_event.process_id = int(string_value, 16)
        except ValueError:
          pass

        process_start_event.subject_domain_name = evtx_record.get_string(2)
        process_start_event.subject_logon_id = evtx_record.get_string(3)
        process_start_event.subject_user_name = evtx_record.get_string(1)
        process_start_event.subject_user_sid = evtx_record.get_string(0)
        process_start_event.token_elevation_type = evtx_record.get_string(6)
        process_start_event.written_time = evtx_record.written_time

        yield process_start_event

      elif evtx_record.event_identifier == 4689:
        process_stop_event = ProcessStopEvent()

        try:
          string_value = evtx_record.get_string(5)
          process_stop_event.process_id = int(string_value, 16)
        except ValueError:
          pass

        process_stop_event.process_name = evtx_record.get_string(6)
        process_stop_event.status = evtx_record.get_string(4)
        process_stop_event.subject_domain_name = evtx_record.get_string(2)
        process_stop_event.subject_logon_id = evtx_record.get_string(3)
        process_stop_event.subject_user_name = evtx_record.get_string(1)
        process_stop_event.subject_user_sid = evtx_record.get_string(0)
        process_stop_event.written_time = evtx_record.written_time

        yield process_stop_event

    evtx_file.close()
Ejemplo n.º 44
0
    def _ReadEVTX(self, source):
        """Read a XML EventLog file.

    Args:
      source (str): EventLog file that contains the start and stop events.

    Yields:
      pyevtx.record: XML EventLog record.
    """
        evtx_file = pyevtx.file()
        evtx_file.open(source)

        for evtx_record in evtx_file.records:
            if evtx_record.event_identifier == 4688:
                process_start_event = ProcessStartEvent()
                process_start_event.command_line = evtx_record.get_string(8)

                try:
                    string_value = evtx_record.get_string(4)
                    process_start_event.new_process_id = int(string_value, 16)
                except ValueError:
                    pass

                process_start_event.new_process_name = evtx_record.get_string(
                    5)

                try:
                    string_value = evtx_record.get_string(7)
                    process_start_event.process_id = int(string_value, 16)
                except ValueError:
                    pass

                process_start_event.subject_domain_name = evtx_record.get_string(
                    2)
                process_start_event.subject_logon_id = evtx_record.get_string(
                    3)
                process_start_event.subject_user_name = evtx_record.get_string(
                    1)
                process_start_event.subject_user_sid = evtx_record.get_string(
                    0)
                process_start_event.token_elevation_type = evtx_record.get_string(
                    6)
                process_start_event.written_time = evtx_record.written_time

                yield process_start_event

            elif evtx_record.event_identifier == 4689:
                process_stop_event = ProcessStopEvent()

                try:
                    string_value = evtx_record.get_string(5)
                    process_stop_event.process_id = int(string_value, 16)
                except ValueError:
                    pass

                process_stop_event.process_name = evtx_record.get_string(6)
                process_stop_event.status = evtx_record.get_string(4)
                process_stop_event.subject_domain_name = evtx_record.get_string(
                    2)
                process_stop_event.subject_logon_id = evtx_record.get_string(3)
                process_stop_event.subject_user_name = evtx_record.get_string(
                    1)
                process_stop_event.subject_user_sid = evtx_record.get_string(0)
                process_stop_event.written_time = evtx_record.written_time

                yield process_stop_event

        evtx_file.close()
Ejemplo n.º 45
0
def main():
  supported_codepages = [
      "ascii", "cp874", "cp932", "cp936", "cp949", "cp950", "cp1250",
      "cp1251", "cp1252", "cp1253", "cp1254", "cp1255", "cp1256", "cp1257",
      "cp1258"]

  unsupported_codepages = [
      "iso-8859-1", "iso-8859-2", "iso-8859-3", "iso-8859-4", "iso-8859-5",
      "iso-8859-6", "iso-8859-7", "iso-8859-8", "iso-8859-9", "iso-8859-10",
      "iso-8859-11", "iso-8859-13", "iso-8859-14", "iso-8859-15",
      "iso-8859-16", "koi8_r", "koi8_u"]

  evtx_file = pyevtx.file()

  result = True
  for codepage in supported_codepages:
    print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
        codepage)),
    try:
      evtx_file.ascii_codepage = codepage
      result = True
    except:
      result = False

    if not result:
      print("(FAIL)")
      return False
    print("(PASS)")

    print("Testing setting supported ASCII codepage of: {0:s}:\t".format(
        codepage)),
    try:
      evtx_file.set_ascii_codepage(codepage)
      result = True
    except:
      result = False

    if not result:
      print("(FAIL)")
      return False
    print("(PASS)")

    for codepage in unsupported_codepages:
      print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
          codepage)),

      result = False
      try:
        evtx_file.ascii_codepage = codepage
      except RuntimeError as exception:
        expected_message = (
            "{0:s}: unable to determine ASCII codepage.").format(
                "pyevtx_file_set_ascii_codepage_from_string")

        if str(exception) == expected_message:
          result = True
      except:
        pass

      if not result:
        print("(FAIL)")
        return False
      print("(PASS)")

      print("Testing setting unsupported ASCII codepage of: {0:s}:\t".format(
          codepage)),

      result = False
      try:
        evtx_file.set_ascii_codepage(codepage)
      except RuntimeError as exception:
        expected_message = (
            "{0:s}: unable to determine ASCII codepage.").format(
                "pyevtx_file_set_ascii_codepage_from_string")

        if str(exception) == expected_message:
          result = True
      except:
        pass

      if not result:
        print("(FAIL)")
        return False
      print("(PASS)")

  return True
Ejemplo n.º 46
0
    def test_signal_abort(self):
        """Tests the signal_abort function."""
        evtx_file = pyevtx.file()

        evtx_file.signal_abort()