def testProcessSourcesVSSImage(self):
"""Tests the ProcessSources function on an image containing VSS."""
test_source = self._GetTestFilePath([u'vsstest.qcow2'])
with shared_test_lib.TempDirectory() as temp_directory:
test_storage_file = os.path.join(temp_directory, u'test.plaso')
options = cli_test_lib.TestOptions()
options.output = test_storage_file
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = test_source
options.vss_stores = u'all'
self._test_tool.ParseOptions(options)
self._test_tool.ProcessSources()
output = self._output_writer.ReadOutput()
# TODO: print summary and compare that against output.
_ = output
def _TestScanSourceVSSImage(self, source_path):
"""Tests the ScanSource function on a VSS storage media image.
Args:
source_path: the path of the source device, directory or file.
"""
test_tool = storage_media_tool.StorageMediaTool()
options = test_lib.TestOptions()
options.source = source_path
options.vss_stores = u'all'
test_tool.ParseOptions(options)
scan_context = test_tool.ScanSource()
self.assertIsNotNone(scan_context)
scan_node = self._GetTestScanNode(scan_context)
self.assertIsNotNone(scan_node)
self.assertEqual(
scan_node.type_indicator,
dfvfs_definitions.TYPE_INDICATOR_QCOW)
self.assertEqual(len(scan_node.sub_nodes), 2)
volume_scan_node = scan_node
scan_node = volume_scan_node.sub_nodes[0]
self.assertEqual(
scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW)
self.assertEqual(len(scan_node.sub_nodes), 2)
scan_node = scan_node.sub_nodes[0]
self.assertEqual(
scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW)
# By default the file system inside a VSS volume is not scanned.
self.assertEqual(len(scan_node.sub_nodes), 0)
scan_node = volume_scan_node.sub_nodes[1]
self.assertEqual(
scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK)
def testRunModeRegistryFile(self):
"""Tests the RunModeRegistryFile function."""
options = cli_test_lib.TestOptions()
options.registry_file = self._GetTestFilePath([u'SOFTWARE'])
self._test_tool.ParseOptions(options)
self._test_tool.RunModeRegistryFile()
output = self._output_writer.ReadOutput()
plugins, registry_keys = self._ExtractPluginsAndKey(output)
# Define the minimum set of plugins that need to be in the output.
# This information is gathered from the actual tool output, which
# for aesthetics reasons surrounds the text with **. The above processing
# then cuts of the first half of that, but leaves the second ** intact.
expected_plugins = set([
b'msie_zone', b'windows_run', b'windows_task_cache',
b'windows_version'
])
self.assertTrue(expected_plugins.issubset(plugins))
self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\'
b'CurrentVersion\\Schedule\\TaskCache'), registry_keys)
self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\'
b'CurrentVersion\\Run'), registry_keys)
self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\'
b'CurrentVersion\\Internet Settings\\Lockdown_Zones'),
registry_keys)
# The output should grow with each newly added plugin, and it might be
# reduced with changes to the codebase, yet there should be at least 1.400
# lines in the output.
line_count = 0
for _ in output:
line_count += 1
self.assertGreater(line_count, 1400)
def _TestScanSourceDirectory(self, source_path):
"""Tests the ScanSource function on a directory.
Args:
source_path: the path of the source device, directory or file.
"""
test_tool = storage_media_tool.StorageMediaTool()
options = test_lib.TestOptions()
options.source = source_path
test_tool.ParseOptions(options)
scan_context = test_tool.ScanSource()
self.assertIsNotNone(scan_context)
scan_node = scan_context.GetRootScanNode()
self.assertIsNotNone(scan_node)
self.assertEqual(
scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_OS)
path_spec = scan_node.path_spec
self.assertEqual(path_spec.location, os.path.abspath(source_path))
def testCreateAnalysisPlugins(self):
"""Tests the _CreateAnalysisPlugins function."""
test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_file_path)
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = TestToolWithAnalysisPluginOptions(output_writer=output_writer)
options = test_lib.TestOptions()
options.tagging_file = test_file_path
test_tool._analysis_plugins = 'tagging'
plugins = test_tool._CreateAnalysisPlugins(options)
self.assertIn('tagging', plugins.keys())
test_tool._analysis_plugins = 'bogus'
plugins = test_tool._CreateAnalysisPlugins(options)
self.assertEqual(plugins, {})
test_tool._analysis_plugins = ''
plugins = test_tool._CreateAnalysisPlugins(options)
self.assertEqual(plugins, {})
def testProcessStorageWithMissingParameters(self):
"""Test the ProcessStorage function with half-configured output module."""
input_reader = TestInputReader()
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = psort.PsortTool(
input_reader=input_reader, output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.storage_file = self._GetTestFilePath([u'psort_test.json.plaso'])
options.output_format = u'test_missing'
output_manager.OutputManager.RegisterOutput(
TestOutputModuleMissingParameters)
helpers_manager.ArgumentHelperManager.RegisterHelper(
TestOutputModuleArgumentHelper)
lines = []
with shared_test_lib.TempDirectory() as temp_directory:
temp_file_name = os.path.join(temp_directory, u'output.txt')
options.write = temp_file_name
test_tool.ParseOptions(options)
test_tool.ProcessStorage()
with open(temp_file_name, 'rb') as file_object:
for line in file_object.readlines():
lines.append(line.strip())
self.assertTrue(input_reader.read_called)
self.assertEqual(TestOutputModuleMissingParameters.missing, u'foobar')
self.assertEqual(TestOutputModuleMissingParameters.parameters, u'foobar')
expected_line = u'FILE/OS ctime OS:/tmp/test/test_data/syslog Type: file'
self.assertIn(expected_line, lines)
output_manager.OutputManager.DeregisterOutput(
TestOutputModuleMissingParameters)
helpers_manager.ArgumentHelperManager.DeregisterHelper(
TestOutputModuleArgumentHelper)
def testProcessSourcesExtractWithFilter(self):
"""Tests the ProcessSources function with a filter file."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['image.qcow2'])
self._SkipIfPathNotExists(test_file_path)
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(
output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = test_artifacts_path
options.image = test_file_path
options.quiet = True
with shared_test_lib.TempDirectory() as temp_directory:
filter_file = os.path.join(temp_directory, 'filter.txt')
with io.open(filter_file, 'wt', encoding='utf-8') as file_object:
file_object.write('/a_directory/.+_file\n')
options.file_filter = filter_file
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_extracted_files = sorted([
os.path.join(temp_directory, 'filter.txt'),
os.path.join(temp_directory, 'a_directory'),
os.path.join(temp_directory, 'a_directory', 'another_file'),
os.path.join(temp_directory, 'a_directory', 'a_file')
])
extracted_files = self._RecursiveList(temp_directory)
self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testPrintFilterCollection(self):
"""Tests the PrintFilterCollection function."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(['artifacts'])
options.date_filters = ['ctime,2012-05-25 15:59:00,2012-05-25 15:59:20']
options.image = self._GetTestFilePath(['image.qcow2'])
options.quiet = True
test_tool.ParseOptions(options)
test_tool.PrintFilterCollection()
expected_output = '\n'.join([
'Filters:',
('\tctime between 2012-05-25 15:59:00.000000 and '
'2012-05-25 15:59:20.000000'),
''])
output = output_writer.ReadOutput()
self.assertEqual(output, expected_output)
def _CreateExtractionOptions(self, source_path, password=None):
"""Create options for testing extraction.
Args:
source_path (str): path of the source (test) data.
password (Optional[str]): password to unlock test data.
Returns:
TestOptions: options for testing extraction.
"""
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(
['artifacts'])
options.quiet = True
options.single_process = True
options.status_view_mode = 'none'
options.source = source_path
if password:
options.credentials = ['password:{0:s}'.format(password)]
return options
def testExtractEventsFromSourceBDEImage(self):
"""Tests the ExtractEventsFromSources function on an image with BDE."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['bdetogo.raw'])
self._SkipIfPathNotExists(test_file_path)
dfvfs_resolver.Resolver.key_chain.Empty()
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = psteal_tool.PstealTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = test_artifacts_path
options.credentials = ['password:{0:s}'.format(self._BDE_PASSWORD)]
options.quiet = True
options.source = test_file_path
options.status_view_mode = 'none'
with shared_test_lib.TempDirectory() as temp_directory:
options.log_file = os.path.join(temp_directory, 'output.log')
options.storage_file = os.path.join(temp_directory,
'storage.plaso')
options.write = os.path.join(temp_directory, 'output.txt')
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
expected_output = [
'', 'Source path\t\t: {0:s}'.format(options.source),
'Source type\t\t: storage media image',
'Processing time\t\t: 00:00:00', '', 'Processing started.',
'Processing completed.', '', ''
]
output = output_writer.ReadOutput()
self._CheckOutput(output, expected_output)
def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
options.storage_format = 'sqlite'
options.task_storage_format = 'sqlite'
test_tool = tools.CLITool()
storage_format.StorageFormatArgumentsHelper.ParseOptions(
options, test_tool)
self.assertEqual(test_tool._storage_format, options.storage_format)
self.assertEqual(test_tool._task_storage_format,
options.task_storage_format)
with self.assertRaises(errors.BadConfigObject):
storage_format.StorageFormatArgumentsHelper.ParseOptions(
options, None)
with self.assertRaises(errors.BadConfigOption):
options.storage_format = 'bogus'
storage_format.StorageFormatArgumentsHelper.ParseOptions(
options, test_tool)
def testExtractEventsFromSourceDirectory(self):
"""Tests the ExtractEventsFromSources function on a directory."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['testdir'])
self._SkipIfPathNotExists(test_file_path)
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = psteal_tool.PstealTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = test_artifacts_path
options.quiet = True
options.status_view_mode = 'none'
options.source = test_file_path
with shared_test_lib.TempDirectory() as temp_directory:
options.log_file = os.path.join(temp_directory, 'output.log')
options.storage_file = os.path.join(temp_directory, 'storage.plaso')
options.write = os.path.join(temp_directory, 'output.txt')
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
expected_output = [
'',
'Source path\t\t: {0:s}'.format(options.source),
'Source type\t\t: directory',
'Processing time\t\t: 00:00:00',
'',
'Processing started.',
'Processing completed.',
'',
'']
output = output_writer.ReadOutput()
self._CheckOutput(output, expected_output)
def testExtractEventsFromSourceVSSImage(self):
"""Tests the ExtractEventsFromSources function on an image with VSS."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = psteal_tool.PstealTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(['artifacts'])
options.quiet = True
options.single_process = True
options.status_view_mode = 'none'
options.source = self._GetTestFilePath(['vsstest.qcow2'])
options.vss_stores = 'all'
with shared_test_lib.TempDirectory() as temp_directory:
options.log_file = os.path.join(temp_directory, 'output.log')
options.storage_file = os.path.join(temp_directory, 'storage.plaso')
options.write = os.path.join(temp_directory, 'output.txt')
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
expected_output = [
'',
'Source path\t\t: {0:s}'.format(options.source),
'Source type\t\t: storage media image',
'Processing time\t\t: 00:00:00',
'',
'Processing started.',
'Processing completed.',
'',
'Number of warnings generated while extracting events: 3.',
'',
'Use pinfo to inspect warnings in more detail.',
'',
'']
output = output_writer.ReadOutput()
self._CheckOutput(output, expected_output)
def testProcessSourcesBDEImage(self):
"""Tests the ProcessSources function on an image containing BDE."""
test_source = self._GetTestFilePath([u'bdetogo.raw'])
with shared_test_lib.TempDirectory() as temp_directory:
test_storage_file = os.path.join(temp_directory, u'test.plaso')
options = cli_test_lib.TestOptions()
options.credentials = [u'password:{0:s}'.format(self._BDE_PASSWORD)]
options.output = test_storage_file
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = test_source
self._test_tool.ParseOptions(options)
self._test_tool.ProcessSources()
output = self._output_writer.ReadOutput()
# TODO: print summary and compare that against output.
_ = output
def testParseOptions(self):
"""Tests the ParseOptions function."""
test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_file_path)
options = cli_test_lib.TestOptions()
options.tagging_file = test_file_path
analysis_plugin = tagging.TaggingAnalysisPlugin()
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
with self.assertRaises(errors.BadConfigObject):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, None)
options.tagging_file = None
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
test_file_path = self._GetTestFilePath(
['tagging_file', 'invalid_syntax.txt'])
self._SkipIfPathNotExists(test_file_path)
options.tagging_file = test_file_path
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
options.tagging_file = self._GetTestFilePath(
['tagging_file', 'invalid_encoding.txt'])
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
def testPrintStorageInformationAsJSON(self):
"""Tests the PrintStorageInformation function with JSON output format."""
test_filename = 'pinfo_test.plaso'
session_identifier = 'c1ce225e-7eec-49a6-9f5c-35907e518ff8'
session_start_time = '2020-04-04 06:40:08.695055'
test_file_path = self._GetTestFilePath([test_filename])
self._SkipIfPathNotExists(test_file_path)
options = test_lib.TestOptions()
options.storage_file = test_file_path
options.output_format = 'json'
options.sections = 'events,reports,sessions,warnings'
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = pinfo_tool.PinfoTool(output_writer=output_writer)
test_tool.ParseOptions(options)
test_tool.PrintStorageInformation()
output = output_writer.ReadOutput()
json_output = json.loads(output)
sessions = json_output.get('sessions')
self.assertIsNotNone(sessions)
first_session = sessions.get('session')
self.assertIsNotNone(first_session)
self.assertEqual(
first_session['identifier'], session_identifier.replace('-', ''))
expected_start_time = shared_test_lib.CopyTimestampFromSring(
session_start_time)
self.assertEqual(first_session['start_time'], expected_start_time)
parsers_counter = first_session['parsers_counter']
self.assertEqual(parsers_counter['total'], 3)
self.assertEqual(parsers_counter['filestat'], 3)
def testPrintStorageInformationAsJSON(self):
"""Tests the PrintStorageInformation function with JSON output format."""
test_filename = 'pinfo_test.plaso'
session_identifier = '678d3612-feac-4de7-b929-0bd3260a9365'
session_start_time = '2021-06-23 07:42:30.094310'
test_file_path = self._GetTestFilePath([test_filename])
self._SkipIfPathNotExists(test_file_path)
options = test_lib.TestOptions()
options.storage_file = test_file_path
options.output_format = 'json'
options.sections = 'events,reports,sessions,warnings'
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = pinfo_tool.PinfoTool(output_writer=output_writer)
test_tool.ParseOptions(options)
test_tool.PrintStorageInformation()
output = output_writer.ReadOutput()
json_output = json.loads(output)
sessions = json_output.get('sessions')
self.assertIsNotNone(sessions)
first_session = sessions.get('session')
self.assertIsNotNone(first_session)
self.assertEqual(first_session['identifier'],
session_identifier.replace('-', ''))
expected_start_time = shared_test_lib.CopyTimestampFromString(
session_start_time)
self.assertEqual(first_session['start_time'], expected_start_time)
parsers_counter = first_session['parsers_counter']
self.assertEqual(parsers_counter['total'], 3)
self.assertEqual(parsers_counter['filestat'], 3)
def _TestScanSourcePartitionedImage(self, source_path):
"""Tests the ScanSource function on an image containing multiple partitions.
Args:
source_path (str): path of the source device, directory or file.
"""
test_tool = storage_media_tool.StorageMediaTool()
options = test_lib.TestOptions()
options.partitions = u'all'
options.source = source_path
test_tool.ParseOptions(options)
scan_context = test_tool.ScanSource()
self.assertIsNotNone(scan_context)
scan_node = self._GetTestScanNode(scan_context)
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION)
self.assertEqual(len(scan_node.sub_nodes), 7)
for scan_node in scan_node.sub_nodes:
if getattr(scan_node.path_spec, u'location', None) == u'/p2':
break
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION)
self.assertEqual(len(scan_node.sub_nodes), 1)
path_spec = scan_node.path_spec
self.assertEqual(path_spec.start_offset, 180224)
scan_node = scan_node.sub_nodes[0]
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
dfvfs_definitions.TYPE_INDICATOR_TSK)
def testProcessSourcesPartitionedImage(self):
"""Tests the ProcessSources function on a multi partition image."""
test_source = self._GetTestFilePath([u'multi_partition_image.vmdk'])
with shared_test_lib.TempDirectory() as temp_directory:
test_storage_file = os.path.join(temp_directory, u'test.plaso')
options = cli_test_lib.TestOptions()
# TODO: refactor to partitions.
options.partition_number = u'all'
options.output = test_storage_file
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = test_source
self._test_tool.ParseOptions(options)
self._test_tool.ProcessSources()
output = self._output_writer.ReadOutput()
# TODO: print summary and compare that against output.
_ = output
def testProcessSourcesImage(self):
"""Tests the ProcessSources function on a single partition image."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = image_export.ImageExportTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.image = self._GetTestFilePath([u'ímynd.dd'])
options.quiet = True
with shared_test_lib.TempDirectory() as temp_directory:
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_output = b'\n'.join([
b'Export started.', b'Extracting file entries.',
b'Export completed.', b'', b''
])
output = output_writer.ReadOutput()
self.assertEqual(output, expected_output)
def testProcessSourcesExtractWithExtensionsFilter(self):
"""Tests the ProcessSources function with an extensions filter."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(['artifacts'])
options.extensions_string = 'txt'
options.image = self._GetTestFilePath(['image.qcow2'])
options.quiet = True
with shared_test_lib.TempDirectory() as temp_directory:
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_extracted_files = sorted([
os.path.join(temp_directory, 'passwords.txt')])
extracted_files = self._RecursiveList(temp_directory)
self.assertEqual(sorted(extracted_files), expected_extracted_files)
def _TestScanSourceImage(self, source_path):
"""Tests the ScanSource function on an image containing a single partition.
Args:
source_path (str): path of the source device, directory or file.
"""
test_tool = storage_media_tool.StorageMediaTool()
options = test_lib.TestOptions()
options.source = source_path
test_tool._ParseStorageMediaImageOptions(options)
test_tool._ParseVSSProcessingOptions(options)
test_tool._ParseCredentialOptions(options)
test_tool._ParseSourcePathOption(options)
scan_context = test_tool.ScanSource(source_path)
self.assertIsNotNone(scan_context)
scan_node = self._GetTestScanNode(scan_context)
self.assertIsNotNone(scan_node)
self.assertEqual(scan_node.type_indicator,
dfvfs_definitions.TYPE_INDICATOR_TSK)
def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
options.filter = 'event.timestamp == 0'
options.slice = '2020-06-13T06:33:10'
options.slicer = False
test_tool = tools.CLITool()
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
self.assertEqual(test_tool._event_filter_expression, options.filter)
self.assertIsNotNone(test_tool._event_filter)
with self.assertRaises(errors.BadConfigObject):
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, None)
options.filter = 'BOGUS'
with self.assertRaises(errors.BadConfigOption):
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
options.filter = 'event.timestamp == 0'
options.slice = '2020-06-13 06:33:10'
with self.assertRaises(errors.BadConfigOption):
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
options.slice = 'YEAR-06-13T06:33:10'
with self.assertRaises(errors.BadConfigOption):
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
options.slice = '2020-06-13T06:33:10'
options.slicer = True
with self.assertRaises(errors.BadConfigOption):
event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
def testExtractEventsFromSourceVSSImage(self):
"""Tests the ExtractEventsFromSources function on an image with VSS."""
output_writer = test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = psteal_tool.PstealTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath([u'artifacts'])
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'vsstest.qcow2'])
options.vss_stores = u'all'
with shared_test_lib.TempDirectory() as temp_directory:
options.write = os.path.join(temp_directory, u'unused_output.txt')
options.storage_file = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
expected_output = [
b'',
b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')),
b'Source type\t: storage media image',
b'',
b'Processing started.',
b'Processing completed.',
b'',
b'Number of errors encountered while extracting events: 1.',
b'',
b'Use pinfo to inspect errors in more detail.',
b'',
b'']
output = output_writer.ReadOutput()
self.assertEqual(output.split(b'\n'), expected_output)
def testParseOptions(self):
"""Tests the ParseOptions function."""
output_writer = test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = psteal_tool.PstealTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath([u'artifacts'])
# Test when the output file is missing.
expected_error = (u'Output format: dynamic requires an output file')
with self.assertRaisesRegexp(errors.BadConfigOption, expected_error):
test_tool.ParseOptions(options)
options.write = u'dynamic.out'
# Test when the source is missing.
expected_error = u'Missing source path.'
with self.assertRaisesRegexp(errors.BadConfigOption, expected_error):
test_tool.ParseOptions(options)
with shared_test_lib.TempDirectory() as temp_directory:
options.source = self._GetTestFilePath([u'testdir'])
options.write = os.path.join(temp_directory, u'dynamic.out')
# Test when both source and output are specified.
test_tool.ParseOptions(options)
with open(options.write, 'w') as file_object:
file_object.write(u'bogus')
# Test when output file already exists.
# Escape \ otherwise assertRaisesRegexp can error with:
# error: bogus escape: u'\\1'
expected_error = u'Output file already exists: {0:s}.'.format(
options.write.replace(u'\\', u'\\\\'))
with self.assertRaisesRegexp(errors.BadConfigOption, expected_error):
test_tool.ParseOptions(options)
def testParseOptions(self):
"""Tests the ParseOptions function."""
test_file_path = self._GetTestFilePath(['rules.yara'])
self._SkipIfPathNotExists(test_file_path)
invalid_rules_path = self._GetTestFilePath(['another_file'])
self._SkipIfPathNotExists(invalid_rules_path)
unsupported_rules_path = self._GetTestFilePath(
['unsupported_rules.yara'])
self._SkipIfPathNotExists(unsupported_rules_path)
options = cli_test_lib.TestOptions()
options.yara_rules_path = test_file_path
test_tool = tools.CLITool()
yara_rules.YaraRulesArgumentsHelper.ParseOptions(options, test_tool)
self.assertIsNotNone(test_tool._yara_rules_string)
with self.assertRaises(errors.BadConfigObject):
yara_rules.YaraRulesArgumentsHelper.ParseOptions(options, None)
options.yara_rules_path = '/tmp/non_existant'
with self.assertRaises(errors.BadConfigOption):
yara_rules.YaraRulesArgumentsHelper.ParseOptions(
options, test_tool)
options.yara_rules_path = invalid_rules_path
with self.assertRaises(errors.BadConfigOption):
yara_rules.YaraRulesArgumentsHelper.ParseOptions(
options, test_tool)
options.yara_rules_path = unsupported_rules_path
with self.assertRaises(errors.BadConfigOption):
yara_rules.YaraRulesArgumentsHelper.ParseOptions(
options, test_tool)
def testShowInfo(self):
"""Tests the output of the tool in info mode."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = log2timeline_tool.Log2TimelineTool(
output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(
['artifacts'])
options.show_info = True
test_tool.ParseOptions(options)
test_tool.ShowInfo()
output = output_writer.ReadOutput()
section_headings = [
'Hashers', 'Parsers', 'Parser Plugins', 'Parser Presets',
'Versions'
]
for heading in section_headings:
self.assertIn(heading, output)
self.assertNotIn('<class', output)
def testProcessSourcesExtractWithArtifactsGroupFilter(self):
"""Tests the ProcessSources function with a group artifacts filter file."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['image.qcow2'])
self._SkipIfPathNotExists(test_file_path)
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(
output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = test_artifacts_path
options.image = test_file_path
options.quiet = True
options.artifact_filter_string = 'TestGroupExport'
with shared_test_lib.TempDirectory() as temp_directory:
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_extracted_files = sorted([
os.path.join(temp_directory, 'a_directory'),
os.path.join(temp_directory, 'a_directory', 'another_file'),
os.path.join(temp_directory, 'a_directory', 'a_file'),
os.path.join(temp_directory, 'passwords.txt'),
os.path.join(temp_directory, 'hashes.json')
])
extracted_files = self._RecursiveList(temp_directory)
self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testProcessSourcesExtractWithSignaturesFilter(self):
"""Tests the ProcessSources function with a signatures filter."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(['artifacts'])
options.image = self._GetTestFilePath(['syslog_image.dd'])
options.quiet = True
options.signature_identifiers = 'gzip'
with shared_test_lib.TempDirectory() as temp_directory:
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_extracted_files = sorted([
os.path.join(temp_directory, 'logs'),
os.path.join(temp_directory, 'logs', 'sys.tgz')])
extracted_files = self._RecursiveList(temp_directory)
self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testProcessSourcesExtractWithDateTimeFilter(self):
"""Tests the ProcessSources function with a date time filter."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = image_export_tool.ImageExportTool(output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(['artifacts'])
options.date_filters = ['ctime,2012-05-25 15:59:00,2012-05-25 15:59:20']
options.image = self._GetTestFilePath(['image.qcow2'])
options.quiet = True
with shared_test_lib.TempDirectory() as temp_directory:
options.path = temp_directory
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_extracted_files = sorted([
os.path.join(temp_directory, 'a_directory'),
os.path.join(temp_directory, 'a_directory', 'a_file')])
extracted_files = self._RecursiveList(temp_directory)
self.assertEqual(sorted(extracted_files), expected_extracted_files)
