def __init__(
        self, date_time, date_time_description, entry_offset, dest_list_entry,
        droid_volume_identifier, droid_file_identifier,
        birth_droid_volume_identifier, birth_droid_file_identifier):
    """Initializes a DestList entry event.

    The hostname and path are decoded from the raw fields of the DestList
    entry; the four droid identifiers are passed in by the caller.

    Args:
      date_time (dfdatetime.DateTimeValues): date and time values.
      date_time_description (str): description of the meaning of the date
          and time values.
      entry_offset (int): offset of the DestList entry relative to the start
          of the DestList stream.
      dest_list_entry (construct.Struct): DestList entry.
      droid_volume_identifier (str): droid volume identifier.
      droid_file_identifier (str): droid file identifier.
      birth_droid_volume_identifier (str): birth droid volume identifier.
      birth_droid_file_identifier (str): birth droid file identifier.
    """
    # TODO: move to parser plugin.
    # Decoding happens before the parent initializer is called, so a failure
    # in either helper propagates before any attribute is set here.
    # NOTE(review): both values originate from the parsed file and are stored
    # as decoded; confirm that consumers treat them as untrusted text.
    entry_hostname = binary.ByteStreamCopyToString(
        dest_list_entry.hostname, codepage=u'ascii')
    entry_path = binary.UTF16StreamCopyToString(dest_list_entry.path)

    super(AutomaticDestinationsDestListEntryEvent, self).__init__(
        date_time, date_time_description)

    # Values taken from the DestList entry itself.
    self.entry_number = dest_list_entry.entry_number
    self.pin_status = dest_list_entry.pin_status
    self.hostname = entry_hostname
    self.path = entry_path

    # Position of the entry within the DestList stream.
    self.offset = entry_offset

    # Distributed link tracking identifiers supplied by the caller.
    self.droid_volume_identifier = droid_volume_identifier
    self.droid_file_identifier = droid_file_identifier
    self.birth_droid_volume_identifier = birth_droid_volume_identifier
    self.birth_droid_file_identifier = birth_droid_file_identifier
def __init__(
        self, timestamp, timestamp_description, entry_offset,
        dest_list_entry):
    """Initializes the event object from a DestList entry.

    Args:
      timestamp: The FILETIME value for the timestamp.
      timestamp_description: The usage string for the timestamp value.
      entry_offset: The offset of the DestList entry relative to the start
          of the DestList stream.
      dest_list_entry: The DestList entry (instance of construct.Struct).
    """
    super(AutomaticDestinationsDestListEntryEvent, self).__init__(
        timestamp, timestamp_description)

    self.offset = entry_offset
    self.entry_number = dest_list_entry.entry_number

    # The hostname is decoded with the ASCII codepage and the path with the
    # UTF-16 helper of the binary module.
    # NOTE(review): the helper is spelled Ut16StreamCopyToString here; confirm
    # this matches the name exported by the binary module in use.
    raw_hostname = dest_list_entry.hostname
    self.hostname = binary.ByteStreamCopyToString(
        raw_hostname, codepage=u'ascii')
    raw_path = dest_list_entry.path
    self.path = binary.Ut16StreamCopyToString(raw_path)

    self.pin_status = dest_list_entry.pin_status

    # Each identifier is read from the entry field of the same name and
    # converted with ByteStreamCopyToGuid, in the order listed.
    guid_attribute_names = (
        'droid_volume_identifier',
        'droid_file_identifier',
        'birth_droid_volume_identifier',
        'birth_droid_file_identifier',
    )
    for attribute_name in guid_attribute_names:
        guid_value = binary.ByteStreamCopyToGuid(
            getattr(dest_list_entry, attribute_name))
        setattr(self, attribute_name, guid_value)
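def ParseDestList(self, parser_mediator, olecf_item):
    """Parses the DestList OLECF item.

    The stream content comes from the file being examined and is therefore
    untrusted. The format version read from the header selects the entry
    layout; an unsupported version is reported and parsing stops, so that no
    entry is read without a known layout.

    Args:
      parser_mediator (ParserMediator): mediates interactions between parsers
          and other components, such as storage and dfvfs.
      olecf_item (pyolecf.item): OLECF item.

    Raises:
      UnableToParseFile: if the DestList header or a DestList entry cannot
          be parsed.
    """
    try:
        header = self._DEST_LIST_STREAM_HEADER.parse_stream(olecf_item)
    except (IOError, construct.FieldError) as exception:
        raise errors.UnableToParseFile(
            'Unable to parse DestList header with error: {0!s}'.format(
                exception))

    if header.format_version not in (1, 3, 4):
        parser_mediator.ProduceExtractionError(
            'unsupported format version: {0:d}.'.format(
                header.format_version))
        # Without this return the entry layout below is never assigned and
        # the loop fails with an unbound local instead of a clean report.
        return

    if header.format_version == 1:
        dest_list_stream_entry = self._DEST_LIST_STREAM_ENTRY_V1
    else:
        # Versions 3 and 4 share the same entry layout.
        dest_list_stream_entry = self._DEST_LIST_STREAM_ENTRY_V3

    # Entry attribute that holds each raw identifier, paired with the wording
    # used when reporting an extraction error for it.
    identifier_fields = (
        ('droid_volume_identifier', 'droid volume identifier'),
        ('droid_file_identifier', 'droid file identifier'),
        ('birth_droid_volume_identifier', 'birth droid volume identifier'),
        ('birth_droid_file_identifier', 'birth droid file identifier'),
    )

    # NOTE(review): the loop re-reads the stream offset after every entry and
    # presumably relies on parse_stream advancing it - confirm.
    entry_offset = olecf_item.get_offset()
    while entry_offset < olecf_item.size:
        try:
            entry = dest_list_stream_entry.parse_stream(olecf_item)
        except (IOError, construct.FieldError) as exception:
            raise errors.UnableToParseFile(
                'Unable to parse DestList entry with error: {0!s}'.format(
                    exception))

        if not entry:
            break

        display_name = 'DestList entry at offset: 0x{0:08x}'.format(
            entry_offset)

        # A malformed identifier is reported and replaced by an empty string
        # so that the rest of the entry is still extracted.
        identifiers = {}
        for attribute_name, description in identifier_fields:
            try:
                identifiers[attribute_name] = (
                    self._ParseDistributedTrackingIdentifier(
                        parser_mediator, getattr(entry, attribute_name),
                        display_name))
            except (TypeError, ValueError) as exception:
                identifiers[attribute_name] = ''
                # "!s" converts the exception with str(); a ":s" format spec
                # is rejected by exception objects and would raise TypeError
                # inside this handler.
                parser_mediator.ProduceExtractionError(
                    'unable to read {0:s} with error: {1!s}'.format(
                        description, exception))

        # A zero FILETIME is recorded as "Not set" rather than as a date.
        if entry.last_modification_time == 0:
            date_time = dfdatetime_semantic_time.SemanticTime('Not set')
        else:
            date_time = dfdatetime_filetime.Filetime(
                timestamp=entry.last_modification_time)

        event_data = AutomaticDestinationsDestListEntryEventData()
        for attribute_name, identifier in identifiers.items():
            setattr(event_data, attribute_name, identifier)
        event_data.entry_number = entry.entry_number
        event_data.hostname = binary.ByteStreamCopyToString(
            entry.hostname, codepage='ascii')
        event_data.offset = entry_offset
        event_data.path = binary.UTF16StreamCopyToString(entry.path)
        event_data.pin_status = entry.pin_status

        event = time_events.DateTimeValuesEvent(
            date_time, definitions.TIME_DESCRIPTION_MODIFICATION)
        parser_mediator.ProduceEventWithEventData(event, event_data)

        entry_offset = olecf_item.get_offset()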