def test_open(self): """Tests the open function.""" if not unittest.source: raise unittest.SkipTest("missing source") scca_file = pyscca.open(unittest.source) self.assertIsNotNone(scca_file) scca_file.close() with self.assertRaises(TypeError): pyscca.open(None) with self.assertRaises(ValueError): pyscca.open(unittest.source, mode="w")
def parse_file(pf_file, volume_information): try: scca = pyscca.open(pf_file) last_run_times = [] for x in range(8): try: if scca.get_last_run_time_as_integer(x) > 0: last_run_times.append( scca.get_last_run_time(x).strftime("%Y-%m-%dT%H:%M:%S") ) #str conversion utilized to change from datetime into human-readable else: last_run_times.append('1700-01-01T00:00:00') except: last_run_times.append('1700-01-01T00:00:00') # === run_count run_count = 0 try: if scca.get_run_count() is not None: run_count = scca.run_count except: pass # === executable_filename executable_filename = scca.executable_filename if executable_filename is None: executable_filename = '-'.join( pf_file.split('/')[-1].split('-')[0:-1]) # === Prefetch hash prefetch_hash = format(scca.prefetch_hash, 'x').upper() if prefetch_hash == '0': prefetch_hash = pf_file.split('/')[-1].split('-')[-1].replace( '.pf', '') output[str(executable_filename)] = [ str(run_count), prefetch_hash.upper(), last_run_times ] if volume_information: output[str(executable_filename)].append(scca.number_of_volumes) volumes = [] for i in range(scca.number_of_volumes): volume = [ str(scca.get_volume_information(i).device_path), scca.get_volume_information(i).creation_time.strftime( "%Y-%m-%d %H:%M:%S"), format(scca.get_volume_information(i).serial_number, 'x').upper() ] volumes.append(volume) output[str(executable_filename)].append(volumes) return output except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() print "[-] [Error] " + str(exc_obj) + " - Line No. " + str( exc_tb.tb_lineno) return None
def parse_file(pf_file, volume_information): try: scca = pyscca.open(pf_file) last_run_times = [] for x in range(8): if scca.get_last_run_time_as_integer(x) > 0: last_run_times.append( scca.get_last_run_time(x).strftime("%Y-%m-%d %H:%M:%S") ) #str conversion utilized to change from datetime into human-readable else: last_run_times.append('N/A') output[str(scca.executable_filename)] = [ str(scca.run_count), format(scca.prefetch_hash, 'x').upper(), last_run_times ] if volume_information: output[str(scca.executable_filename)].append( scca.number_of_volumes) volumes = [] for i in range(scca.number_of_volumes): volume = [ str(scca.get_volume_information(i).device_path), scca.get_volume_information(i).creation_time.strftime( "%Y-%m-%d %H:%M:%S"), format(scca.get_volume_information(i).serial_number, 'x').upper() ] volumes.append(volume) output[str(scca.executable_filename)].append(volumes) return output except IOError: pass
def parsePrefetch(inputPF): prefetchfile = pyscca.open(inputPF) FileRunTimes = [] ProgramName = prefetchfile.get_executable_filename() ProgramHash = hex(prefetchfile.get_prefetch_hash()) prefetchCount = prefetchfile.get_run_count() if prefetchCount < 8: for i in range(prefetchCount): if prefetchfile.get_last_run_time_as_integer(i) != 0: executed = [ ProgramName, ProgramHash, prefetchfile.get_last_run_time(i).isoformat(), prefetchCount ] FileRunTimes.append(executed) elif prefetchCount > 7: for i in range(8): if prefetchfile.get_last_run_time_as_integer(i) != 0: executed = [ ProgramName, ProgramHash, prefetchfile.get_last_run_time(i).isoformat(), prefetchCount ] FileRunTimes.append(executed) return FileRunTimes
def main(): # Parsing the Arguments parser = argparse.ArgumentParser() parser.add_argument("-i", "--inputPF", dest="InputFile", help='Path to the prefetch file') parser.add_argument("-d", "--inputDirectory", dest="InputDirectory", help='Path to directory containing prefetch files') parser.add_argument("-o", "--outputfile", dest="OutputFile", help='Path to Export your CSV') args = parser.parse_args() try: FileRunTimes = [] Headers = [ 'ProgramName', 'ProgramHash', 'LastRunTime', 'CountExecuted' ] FileRunTimes.append(Headers) if args.InputFile == None: # get all files in the directory to get each file prefetch files = os.listdir(args.InputDirectory) for i in files: filepath = args.InputDirectory + i results = parsePrefetch(filepath) for t in results: FileRunTimes.append(t) # Now running through the individual file else: prefetchfile = pyscca.open(args.InputFile) prefetchCount = prefetchfile.get_run_count() results = parsePrefetch(args.InputFile) for t in results: FileRunTimes.append(t) except Exception as e: print(e.message) #Now exporting the results to a report with open(args.OutputFile, 'w') as f: wr = csv.writer(f, lineterminator='\n') for row in FileRunTimes: wr.writerow(row)
def _parse_prefecth_file(self, path: str): scca = pyscca.open(path) all_strings = [] for entry_index, file_metrics in enumerate(scca.file_metrics_entries): all_strings.append(file_metrics.filename) last_run_times = [] for exe_timestamp in range(scca.run_count): try: if scca.get_last_run_time_as_integer(exe_timestamp) > 0: time = Time.change_output_date_format_from_epoch( scca.get_last_run_time(exe_timestamp).replace( tzinfo=timezone.utc).timestamp()) last_run_times.append(time) except OSError: # No hay mas fechas de ejecucion guardadas break volume_serial_number = [] volume_device_path = [] volume_timestamp = [] for volume_information in iter(scca.volumes): volume_serial_number.append( format(volume_information.serial_number, 'x').upper()) volume_device_path.append(str(volume_information.device_path)) volume_timestamp.append( Time.change_output_date_format_from_epoch( volume_information.creation_time.replace( tzinfo=timezone.utc).timestamp())) return { "version": scca.format_version, "executable_file_name": str(scca.executable_filename), "hash": format(scca.prefetch_hash, 'x').upper(), "number_of_files_accessed": scca.number_of_file_metrics_entries, "directories_accessed": all_strings, "number_of_volumes": scca.number_of_volumes, "run_counts": scca.run_count, "last_run_times": last_run_times, "volume_timestamp": volume_timestamp, "volume_device_path": volume_device_path, "volume_serial_number": volume_serial_number }
def parse_file(pf_file,volume_information): try: scca = pyscca.open(pf_file) last_run_times = [] for x in range(8): if scca.get_last_run_time_as_integer(x) > 0: last_run_times.append(scca.get_last_run_time(x).strftime("%Y-%m-%d %H:%M:%S")) #str conversion utilized to change from datetime into human-readable else: last_run_times.append('N/A') output[str(scca.executable_filename)] = [str(scca.run_count), format(scca.prefetch_hash, 'x').upper(), last_run_times] if volume_information: output[str(scca.executable_filename)].append(scca.number_of_volumes) volumes = [] for i in range(scca.number_of_volumes): volume = [str(scca.get_volume_information(i).device_path), scca.get_volume_information(i).creation_time.strftime("%Y-%m-%d %H:%M:%S"), format(scca.get_volume_information(i).serial_number,'x').upper()] volumes.append(volume) output[str(scca.executable_filename)].append(volumes) return output except IOError: pass
def parse_file(prefetch_file, outpath): try: #open prefetch file with pyscca and get values everything = [] prefetch_values = [] pf_file_name = os.path.basename(prefetch_file) scca = pyscca.open(prefetch_file) prefetch_version = str(scca.format_version) executable_file_name = str(scca.executable_filename) prefetch_hash = format(scca.prefetch_hash, 'x').upper() run_count = (scca.run_count) number_of_volumes = str(scca.number_of_volumes) number_of_files = str(scca.number_of_file_metrics_entries) count = 1 all_strings = [] for entry_index, file_metrics in enumerate(scca.file_metrics_entries): mapped_file_string = file_metrics.filename strings = (pf_file_name, executable_file_name, count, number_of_files, mapped_file_string) all_strings.append(strings) count = (count + 1) stringsfile = (outpath + '_strings.csv') strings_file = open(stringsfile, 'a+') with strings_file: write = csv.writer(strings_file) write.writerows(all_strings) #Parse last run timestamps for each last run value for exe_timestamp in range(8): if scca.get_last_run_time_as_integer(exe_timestamp) > 0: time = (scca.get_last_run_time(exe_timestamp).strftime( "%Y-%m-%d %H:%M:%S")) run_count_number = (str(run_count - exe_timestamp) + "_of_" + str(run_count)) prefetch_values = [ time, executable_file_name, prefetch_hash, run_count_number, pf_file_name, prefetch_version, number_of_volumes ] # Find volume information for each prefetch file and append to prefetch output for volume_information in iter(scca.volumes): volume_serial_number = format( volume_information.serial_number, 'x').upper() volume_device_path = str(volume_information.device_path) volume_timestamp = volume_information.creation_time.strftime( "%Y-%m-%d %H:%M:%S") prefetch_values.append(volume_timestamp) prefetch_values.append(volume_device_path) prefetch_values.append(volume_serial_number) print(','.join(prefetch_values)) runcountsfile = (outpath + '_run_count.csv') if int(prefetch_version) < 30: run_count_file = open(runcountsfile, 'a+') with run_count_file: write = csv.writer(run_count_file) write.writerow(prefetch_values) exit() everything.append(prefetch_values) run_count_file = open(runcountsfile, 'a+') with run_count_file: write = csv.writer(run_count_file) write.writerows(everything) except: pass
SQLitedb.RemoveDB_File(SQLiteDbName) SQLitedb.Open(SQLiteDbName) SQLitedb.CreateTable(tableName, tableColumns) SQLitedb.CreateTable(fileMetricsTabName, fileMetricsColumnNames) SQLitedb.CreateTable(volumeTabName, volumeColumnNames) SQLitedb.CreateTable(fileTabName, fileColumnNames) for root, dirs, files in os.walk(prefetchDirectory): # print ("root = > " + str(root)) # print ("dirs = > " + str(dirs)) # print ("files = > " + str(files)) for file in files: if ".pf" in file: prefetchRecord = [] try: scca = pyscca.open(os.path.join(root, file)) #print("File Name is ==> " + file) prefetchRecord.append(file) prefetchRecord.append(scca.get_executable_filename()) prefetchExecutableFileName = scca.get_executable_filename() prefetchExecutableFilePath = "" prefetchExecutablePath = "" #print ("File Name ==> " + scca.get_executable_filename()) #print ("File Name ==> " + scca.get_filename()) try: if scca.get_run_count() is None: prefetchRecord.append(0) else: prefetchRecord.append(scca.get_run_count()) except: prefetchRecord.append(0)