def testGetDate(self): """Tests the GetDate function.""" systemtime_object = systemtime.Systemtime( system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) date_tuple = systemtime_object.GetDate() self.assertEqual(date_tuple, (2010, 8, 12)) systemtime_object = systemtime.Systemtime() date_tuple = systemtime_object.GetDate() self.assertEqual(date_tuple, (None, None, None))
def testGetTimeOfDay(self): """Tests the GetTimeOfDay function.""" systemtime_object = systemtime.Systemtime( system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) time_of_day_tuple = systemtime_object.GetTimeOfDay() self.assertEqual(time_of_day_tuple, (20, 6, 31)) systemtime_object = systemtime.Systemtime() time_of_day_tuple = systemtime_object.GetTimeOfDay() self.assertEqual(time_of_day_tuple, (None, None, None))
def testCopyToDateTimeString(self): """Tests the CopyToDateTimeString function.""" systemtime_object = systemtime.Systemtime( system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) date_time_string = systemtime_object.CopyToDateTimeString() self.assertEqual(date_time_string, '2010-08-12 20:06:31.142') systemtime_object = systemtime.Systemtime() date_time_string = systemtime_object.CopyToDateTimeString() self.assertIsNone(date_time_string)
def testGetNormalizedTimestamp(self): """Tests the _GetNormalizedTimestamp function.""" systemtime_object = systemtime.Systemtime( system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) normalized_timestamp = systemtime_object._GetNormalizedTimestamp() self.assertEqual(normalized_timestamp, decimal.Decimal('1281643591.142')) systemtime_object = systemtime.Systemtime() normalized_timestamp = systemtime_object._GetNormalizedTimestamp() self.assertIsNone(normalized_timestamp)
def _ParseLastRunTime(self, parser_mediator, fixed_length_section): """Parses the last run time from a fixed-length data section. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. fixed_length_section (job_fixed_length_data_section): a Windows Scheduled Task job fixed-length data section. Returns: dfdatetime.DateTimeValues: last run date and time or None if not available. """ systemtime_struct = fixed_length_section.last_run_time system_time_tuple = (systemtime_struct.year, systemtime_struct.month, systemtime_struct.weekday, systemtime_struct.day_of_month, systemtime_struct.hours, systemtime_struct.minutes, systemtime_struct.seconds, systemtime_struct.milliseconds) date_time = None if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE: try: date_time = dfdatetime_systemtime.Systemtime( system_time_tuple=system_time_tuple) except ValueError: parser_mediator.ProduceExtractionWarning( 'invalid last run time: {0!s}'.format(system_time_tuple)) return date_time
def testCopyToDateTimeStringISO8601(self): """Tests the CopyToDateTimeStringISO8601 function.""" systemtime_object = systemtime.Systemtime( system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) date_time_string = systemtime_object.CopyToDateTimeStringISO8601() self.assertEqual(date_time_string, '2010-08-12T20:06:31.142+00:00')
def testGetPlasoTimestamp(self): """Tests the GetPlasoTimestamp function.""" systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) expected_micro_posix_number_of_seconds = 1281643591142000 micro_posix_number_of_seconds = systemtime_object.GetPlasoTimestamp() self.assertEqual(micro_posix_number_of_seconds, expected_micro_posix_number_of_seconds) systemtime_object = systemtime.Systemtime() micro_posix_number_of_seconds = systemtime_object.GetPlasoTimestamp() self.assertIsNone(micro_posix_number_of_seconds)
def testCopyToStatTimeTuple(self): """Tests the CopyToStatTimeTuple function.""" systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) expected_stat_time_tuple = (1281643591, 1420000) stat_time_tuple = systemtime_object.CopyToStatTimeTuple() self.assertEqual(stat_time_tuple, expected_stat_time_tuple) systemtime_object = systemtime.Systemtime() expected_stat_time_tuple = (None, None) stat_time_tuple = systemtime_object.CopyToStatTimeTuple() self.assertEqual(stat_time_tuple, expected_stat_time_tuple)
def _ParseSystemTime(self, byte_stream): """Parses a SYSTEMTIME date and time value from a byte stream. Args: byte_stream (bytes): byte stream. Returns: dfdatetime.Systemtime: SYSTEMTIME date and time value or None if no value is set. Raises: ParseError: if the SYSTEMTIME could not be parsed. """ systemtime_map = self._GetDataTypeMap('systemtime') try: systemtime = self._ReadStructureFromByteStream( byte_stream, 0, systemtime_map) except (ValueError, errors.ParseError) as exception: raise errors.ParseError( 'Unable to parse SYSTEMTIME value with error: {0!s}'.format( exception)) system_time_tuple = (systemtime.year, systemtime.month, systemtime.weekday, systemtime.day_of_month, systemtime.hours, systemtime.minutes, systemtime.seconds, systemtime.milliseconds) if system_time_tuple == self._EMPTY_SYSTEM_TIME_TUPLE: return None try: return dfdatetime_systemtime.Systemtime( system_time_tuple=system_time_tuple) except ValueError: raise errors.ParseError( 'Invalid SYSTEMTIME value: {0!s}'.format(system_time_tuple))
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows job file-like object. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. file_object (dfvfs.FileIO): a file-like object. Raises: UnableToParseFile: when the file cannot be parsed. """ try: header_struct = self._JOB_FIXED_LENGTH_SECTION_STRUCT.parse_stream( file_object) except (IOError, construct.FieldError) as exception: raise errors.UnableToParseFile( u'Unable to parse fixed-length section with error: {0:s}'. format(exception)) if not header_struct.product_version in self._PRODUCT_VERSIONS: raise errors.UnableToParseFile( u'Unsupported product version in: 0x{0:04x}'.format( header_struct.product_version)) if not header_struct.format_version == 1: raise errors.UnableToParseFile( u'Unsupported format version in: {0:d}'.format( header_struct.format_version)) try: job_variable_struct = self._JOB_VARIABLE_STRUCT.parse_stream( file_object) except (IOError, construct.FieldError) as exception: raise errors.UnableToParseFile( u'Unable to parse variable-length section with error: {0:s}'. format(exception)) event_data = WinJobEventData() event_data.application = binary.ReadUTF16( job_variable_struct.application) event_data.comment = binary.ReadUTF16(job_variable_struct.comment) event_data.parameters = binary.ReadUTF16(job_variable_struct.parameter) event_data.username = binary.ReadUTF16(job_variable_struct.username) event_data.working_directory = binary.ReadUTF16( job_variable_struct.working_directory) systemtime_struct = header_struct.last_run_time system_time_tuple = (systemtime_struct.year, systemtime_struct.month, systemtime_struct.weekday, systemtime_struct.day, systemtime_struct.hours, systemtime_struct.minutes, systemtime_struct.seconds, systemtime_struct.milliseconds) date_time = None if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE: try: date_time = dfdatetime_systemtime.Systemtime( system_time_tuple=system_time_tuple) except ValueError: parser_mediator.ProduceExtractionError( u'invalid last run time: {0!s}'.format(system_time_tuple)) if date_time: event = time_events.DateTimeValuesEvent( date_time, definitions.TIME_DESCRIPTION_LAST_RUN) parser_mediator.ProduceEventWithEventData(event, event_data) for index in range(job_variable_struct.number_of_triggers): try: trigger_struct = self._TRIGGER_STRUCT.parse_stream(file_object) except (IOError, construct.FieldError) as exception: parser_mediator.ProduceExtractionError( u'unable to parse trigger: {0:d} with error: {1:s}'.format( index, exception)) return event_data.trigger_type = trigger_struct.trigger_type time_elements_tuple = (trigger_struct.start_year, trigger_struct.start_month, trigger_struct.start_day, trigger_struct.start_hour, trigger_struct.start_minute, 0) if time_elements_tuple != (0, 0, 0, 0, 0, 0): try: date_time = dfdatetime_time_elements.TimeElements( time_elements_tuple=time_elements_tuple) date_time.is_local_time = True date_time.precision = dfdatetime_definitions.PRECISION_1_MINUTE except ValueError: date_time = None parser_mediator.ProduceExtractionError( u'invalid trigger start time: {0!s}'.format( time_elements_tuple)) if date_time: event = time_events.DateTimeValuesEvent( date_time, u'Scheduled to start', time_zone=parser_mediator.timezone) parser_mediator.ProduceEventWithEventData( event, event_data) time_elements_tuple = (trigger_struct.end_year, trigger_struct.end_month, trigger_struct.end_day, 0, 0, 0) if time_elements_tuple != (0, 0, 0, 0, 0, 0): try: date_time = dfdatetime_time_elements.TimeElements( time_elements_tuple=time_elements_tuple) date_time.is_local_time = True date_time.precision = dfdatetime_definitions.PRECISION_1_DAY except ValueError: date_time = None parser_mediator.ProduceExtractionError( u'invalid trigger end time: {0!s}'.format( time_elements_tuple)) if date_time: event = time_events.DateTimeValuesEvent( date_time, u'Scheduled to end', time_zone=parser_mediator.timezone) parser_mediator.ProduceEventWithEventData( event, event_data)
def ExtractEvents(self, parser_mediator, registry_key, **kwargs): """Extracts events from a Windows Registry key. Args: parser_mediator (ParserMediator): mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey): Windows Registry key. """ network_info = {} signatures = registry_key.GetSubkeyByName('Signatures') if signatures: network_info = self._GetNetworkInfo(signatures) profiles = registry_key.GetSubkeyByName('Profiles') if not profiles: return for subkey in profiles.GetSubkeys(): default_gateway_mac, dns_suffix = network_info.get( subkey.name, (None, None)) event_data = WindowsRegistryNetworkEventData() event_data.default_gateway_mac = default_gateway_mac event_data.dns_suffix = dns_suffix ssid_value = subkey.GetValueByName('ProfileName') if ssid_value: event_data.ssid = ssid_value.GetDataAsObject() description_value = subkey.GetValueByName('Description') if description_value: event_data.description = description_value.GetDataAsObject() connection_type_value = subkey.GetValueByName('NameType') if connection_type_value: connection_type = connection_type_value.GetDataAsObject() # TODO: move to formatter. connection_type = self._CONNECTION_TYPE.get( connection_type, 'unknown') event_data.connection_type = connection_type date_created_value = subkey.GetValueByName('DateCreated') if date_created_value: try: systemtime_struct = self._SYSTEMTIME_STRUCT.parse( date_created_value.data) except construct.ConstructError as exception: systemtime_struct = None parser_mediator.ProduceExtractionError( 'unable to parse date created with error: {0!s}'. format(exception)) system_time_tuple = self._EMPTY_SYSTEM_TIME_TUPLE if systemtime_struct: system_time_tuple = (systemtime_struct.year, systemtime_struct.month, systemtime_struct.day_of_week, systemtime_struct.day_of_month, systemtime_struct.hours, systemtime_struct.minutes, systemtime_struct.seconds, systemtime_struct.milliseconds) date_time = None if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE: try: date_time = dfdatetime_systemtime.Systemtime( system_time_tuple=system_time_tuple) except ValueError: parser_mediator.ProduceExtractionError( 'invalid system time: {0!s}'.format( system_time_tuple)) if date_time: event = time_events.DateTimeValuesEvent( date_time, definitions.TIME_DESCRIPTION_CREATION) parser_mediator.ProduceEventWithEventData( event, event_data) date_last_connected_value = subkey.GetValueByName( 'DateLastConnected') if date_last_connected_value: try: systemtime_struct = self._SYSTEMTIME_STRUCT.parse( date_last_connected_value.data) except construct.ConstructError as exception: systemtime_struct = None parser_mediator.ProduceExtractionError( 'unable to parse date last connected with error: {0!s}' .format(exception)) system_time_tuple = self._EMPTY_SYSTEM_TIME_TUPLE if systemtime_struct: system_time_tuple = (systemtime_struct.year, systemtime_struct.month, systemtime_struct.day_of_week, systemtime_struct.day_of_month, systemtime_struct.hours, systemtime_struct.minutes, systemtime_struct.seconds, systemtime_struct.milliseconds) date_time = None if system_time_tuple != self._EMPTY_SYSTEM_TIME_TUPLE: try: date_time = dfdatetime_systemtime.Systemtime( system_time_tuple=system_time_tuple) except ValueError: parser_mediator.ProduceExtractionError( 'invalid system time: {0!s}'.format( system_time_tuple)) if date_time: event = time_events.DateTimeValuesEvent( date_time, definitions.TIME_DESCRIPTION_LAST_CONNECTED) parser_mediator.ProduceEventWithEventData( event, event_data)
def testCopyFromDateTimeString(self): """Tests the CopyFromDateTimeString function.""" systemtime_object = systemtime.Systemtime() expected_number_of_seconds = 1281571200 systemtime_object.CopyFromDateTimeString('2010-08-12') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 0) self.assertEqual(systemtime_object.minutes, 0) self.assertEqual(systemtime_object.seconds, 0) self.assertEqual(systemtime_object.milliseconds, 0) expected_number_of_seconds = 1281647191 systemtime_object.CopyFromDateTimeString('2010-08-12 21:06:31') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 21) self.assertEqual(systemtime_object.minutes, 6) self.assertEqual(systemtime_object.seconds, 31) self.assertEqual(systemtime_object.milliseconds, 0) expected_number_of_seconds = 1281647191 systemtime_object.CopyFromDateTimeString('2010-08-12 21:06:31.546875') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 21) self.assertEqual(systemtime_object.minutes, 6) self.assertEqual(systemtime_object.seconds, 31) self.assertEqual(systemtime_object.milliseconds, 546) expected_number_of_seconds = 1281650791 systemtime_object.CopyFromDateTimeString( '2010-08-12 21:06:31.546875-01:00') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 21) self.assertEqual(systemtime_object.minutes, 6) self.assertEqual(systemtime_object.seconds, 31) self.assertEqual(systemtime_object.milliseconds, 546) self.assertEqual(systemtime_object.time_zone_offset, -60) expected_number_of_seconds = 1281643591 systemtime_object.CopyFromDateTimeString( '2010-08-12 21:06:31.546875+01:00') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 21) self.assertEqual(systemtime_object.minutes, 6) self.assertEqual(systemtime_object.seconds, 31) self.assertEqual(systemtime_object.milliseconds, 546) self.assertEqual(systemtime_object.time_zone_offset, 60) expected_number_of_seconds = -11644387200 systemtime_object.CopyFromDateTimeString('1601-01-02 00:00:00') self.assertEqual(systemtime_object._number_of_seconds, expected_number_of_seconds) self.assertEqual(systemtime_object.year, 1601) self.assertEqual(systemtime_object.month, 1) self.assertEqual(systemtime_object.day_of_month, 2) self.assertEqual(systemtime_object.hours, 0) self.assertEqual(systemtime_object.minutes, 0) self.assertEqual(systemtime_object.seconds, 0) self.assertEqual(systemtime_object.milliseconds, 0) with self.assertRaises(ValueError): systemtime_object.CopyFromDateTimeString('1600-01-02 00:00:00')
def testInitialize(self): """Tests the initialization function.""" systemtime_object = systemtime.Systemtime() self.assertIsNotNone(systemtime_object) systemtime_object = systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 142)) self.assertIsNotNone(systemtime_object) self.assertEqual(systemtime_object.year, 2010) self.assertEqual(systemtime_object.month, 8) self.assertEqual(systemtime_object.day_of_month, 12) self.assertEqual(systemtime_object.hours, 20) self.assertEqual(systemtime_object.minutes, 6) self.assertEqual(systemtime_object.seconds, 31) self.assertEqual(systemtime_object.milliseconds, 142) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(1500, 8, 4, 12, 20, 6, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 13, 4, 12, 20, 6, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 7, 12, 20, 6, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 32, 20, 6, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 24, 6, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 61, 31, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 61, 142)) with self.assertRaises(ValueError): systemtime.Systemtime(system_time_tuple=(2010, 8, 4, 12, 20, 6, 31, 1001))