def testTransmissionPlugin(self): """Read Transmission activity files and make few tests.""" test_file = self._GetTestFilePath(['bencode_transmission']) event_queue_consumer = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 3) event_object = event_objects[0] destination_expected = u'/Users/brian/Downloads' self.assertEqual(event_object.destination, destination_expected) self.assertEqual(event_object.seedtime, 4) description_expected = eventdata.EventTimestamp.ADDED_TIME self.assertEqual(event_object.timestamp_desc, description_expected) expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-08 15:31:20') self.assertEqual(event_object.timestamp, expected_timestamp) # Test on second event of first torrent. event_object = event_objects[1] self.assertEqual(event_object.destination, destination_expected) self.assertEqual(event_object.seedtime, 4) description_expected = eventdata.EventTimestamp.FILE_DOWNLOADED self.assertEqual(event_object.timestamp_desc, description_expected) expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-08 18:24:24') self.assertEqual(event_object.timestamp, expected_timestamp)
def testParse(self): """Tests the Parse function.""" test_file = self._GetTestFilePath(['typed_history.xml']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 4) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-11 23:45:27') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.entry_selection, 'Filled from autocomplete.') expected_string = u'plaso.kiddaland.net (Filled from autocomplete.)' self._TestGetMessageStrings(event_object, expected_string, expected_string) event_object = event_objects[3] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-11 22:46:07') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.entry_selection, 'Manually typed.') expected_string = u'theonion.com (Manually typed.)' self._TestGetMessageStrings(event_object, expected_string, expected_string)
def testParse(self): """Tests the Parse function.""" test_file = self._GetTestFilePath(['syslog']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 13) # TODO let's add code to convert Jan 22 2012 07:52:33 into the # corresponding timestamp, I think that will be more readable self.assertEquals(event_objects[0].timestamp, 1327218753000000) self.assertEquals(event_objects[0].hostname, 'myhostname.myhost.com') expected_string = (u'[client, pid: 30840] : INFO No new content.') self._TestGetMessageStrings(event_objects[0], expected_string, expected_string) expected_msg = ( '[aprocess, pid: 101001] : This is a multi-line message that screws up' 'many syslog parsers.') expected_msg_short = ( '[aprocess, pid: 101001] : This is a multi-line message that screws up' 'many sys...') self._TestGetMessageStrings(event_objects[11], expected_msg, expected_msg_short) expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-02-29 01:15:43') self.assertEquals(event_objects[6].timestamp, expected_timestamp) # Testing year increment. expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-03-23 23:01:18') self.assertEquals(event_objects[8].timestamp, expected_timestamp)
def testTextParserSuccess(self): """Test a text parser that will match against content.""" test_file = self._GetTestFilePath(['text_parser', 'test2.txt']) event_queue_consumer = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) event_object = event_objects[0] msg1, _ = formatters_manager.EventFormatterManager.GetMessageStrings( event_object) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-01-01 05:23:15') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(msg1, 'first line.') self.assertEquals(event_object.hostname, 'myhost') self.assertEquals(event_object.username, 'myuser') event_object = event_objects[1] msg2, _ = formatters_manager.EventFormatterManager.GetMessageStrings( event_object) expected_timestamp = timelib_test.CopyStringToTimestamp( '1991-12-24 19:58:06') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(msg2, 'second line.') self.assertEquals(event_object.hostname, 'myhost') self.assertEquals(event_object.username, 'myuser')
def testProcess(self): """Tests the Process function.""" plist_name = 'com.apple.iPod.plist' test_file = self._GetTestFilePath([plist_name]) events = self._ParsePlistFileWithPlugin(self._parser, self._plugin, test_file, plist_name) event_objects = self._GetEventObjects(events) self.assertEquals(len(event_objects), 4) event_object = event_objects[1] timestamp = timelib_test.CopyStringToTimestamp('2013-10-09 19:27:54') self.assertEquals(event_object.timestamp, timestamp) expected_string = ( u'Device ID: 4C6F6F6E65000000 Type: iPhone [10016] Connected 1 times ' u'Serial nr: 526F676572 IMEI [012345678901234]') self._TestGetMessageStrings(event_object, expected_string, expected_string[0:77] + '...') self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.LAST_CONNECTED) self.assertEquals(event_object.device_class, u'iPhone') self.assertEquals(event_object.device_id, u'4C6F6F6E65000000') self.assertEquals(event_object.firmware_version, 256) self.assertEquals(event_object.imei, u'012345678901234') self.assertEquals(event_object.use_count, 1) event_object = event_objects[3] timestamp = timelib_test.CopyStringToTimestamp('1995-11-22 18:25:07') self.assertEquals(event_object.timestamp, timestamp) self.assertEquals(event_object.device_id, u'0000A11300000000')
def testParse17(self): """Tests the Parse function on a version 17 Prefetch file.""" test_file = self._GetTestFilePath(['CMD.EXE-087B4001.pf']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 2) # The last run time. event_object = event_objects[1] self.assertEquals(event_object.version, 17) expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-03-10 10:11:49.281250') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME) self.assertEquals(event_object.executable, u'CMD.EXE') self.assertEquals(event_object.prefetch_hash, 0x087b4001) # The volume creation time. event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-03-10 10:19:46.234375') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)
def testProcess(self): """Tests the Process function on a Chrome History database file.""" test_file = self._GetTestFilePath(['History']) cache = sqlite.SQLiteCache() event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file, cache) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The History file contains 71 events (69 page visits, 1 file downloads). self.assertEquals(len(event_objects), 71) # Check the first page visited entry. event_object = event_objects[0] self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.PAGE_VISITED) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-04-07 12:03:11') self.assertEquals(event_object.timestamp, expected_timestamp) expected_url = u'http://start.ubuntu.com/10.04/Google/' self.assertEquals(event_object.url, expected_url) expected_title = u'Ubuntu Start Page' self.assertEquals(event_object.title, expected_title) expected_msg = ( u'{0:s} ({1:s}) [count: 0] Host: start.ubuntu.com ' u'Visit Source: [SOURCE_FIREFOX_IMPORTED] Type: [LINK - User clicked ' u'a link] (URL not typed directly - no typed count)').format( expected_url, expected_title) expected_short = u'{0:s} ({1:s})'.format(expected_url, expected_title) self._TestGetMessageStrings(event_object, expected_msg, expected_short) # Check the first file downloaded entry. event_object = event_objects[69] self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.FILE_DOWNLOADED) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-05-23 08:35:30') self.assertEquals(event_object.timestamp, expected_timestamp) expected_url = (u'http://fatloss4idiotsx.com/download/funcats/' u'funcats_scr.exe') self.assertEquals(event_object.url, expected_url) expected_full_path = u'/home/john/Downloads/funcats_scr.exe' self.assertEquals(event_object.full_path, expected_full_path) expected_msg = (u'{0:s} ({1:s}). Received: 1132155 bytes out of: ' u'1132155 bytes.').format(expected_url, expected_full_path) expected_short = u'{0:s} downloaded (1132155 bytes)'.format( expected_full_path) self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self): """Tests the Process function on a virtual key.""" key_path = u'\\ControlSet001\\services\\TestDriver' values = [] values.append(winreg_test_lib.TestRegValue( 'Type', '\x02\x00\x00\x00', 4, 123)) values.append(winreg_test_lib.TestRegValue( 'Start', '\x02\x00\x00\x00', 4, 127)) values.append(winreg_test_lib.TestRegValue( 'ErrorControl', '\x01\x00\x00\x00', 4, 131)) values.append(winreg_test_lib.TestRegValue( 'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140)) values.append(winreg_test_lib.TestRegValue( 'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160)) values.append(winreg_test_lib.TestRegValue( 'DriverPackageId', 'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1, 180)) values.append(winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200)) timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey( key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') self.assertEquals(event_object.timestamp, expected_timestamp) # TODO: Remove RegAlert completely # self.assertTrue(event_object.regalert) expected_msg = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 ' u'ErrorControl: Normal (1) ' u'Group: Pnp Filter ' u'ImagePath: C:\\Dell\\testdriver.sys ' u'Start: Auto Start (2) ' # u'ImagePath: REGALERT Driver not in system32: ' # u'C:\\Dell\\testdriver.sys ' # u'Start: REGALERT Unusual Start for Driver: Auto Start (2) ' u'Type: File System Driver (0x2)').format(key_path) expected_msg_short = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def setUp(self): """Setup sets parameters that will be reused throughout this test.""" self._front_end = psort.PsortFrontend() # TODO: have sample output generated from the test. self._test_file = os.path.join(self._TEST_DATA_PATH, 'psort_test.out') self.first = timelib_test.CopyStringToTimestamp('2012-07-24 21:45:24') self.last = timelib_test.CopyStringToTimestamp('2016-11-18 01:15:43')
def setUp(self): """Setup sets parameters that will be reused throughout this test.""" # TODO: have sample output generated from the test. # TODO: Use input data with a defined year. syslog parser chooses a # year based on system clock; forcing updates to test file if regenerated. self.test_file = os.path.join('test_data', 'psort_test.out') self.first = timelib_test.CopyStringToTimestamp('2012-07-20 15:44:14') self.last = timelib_test.CopyStringToTimestamp('2016-11-18 01:15:43')
def testParse(self): """Tests the Parse function.""" knowledge_base_values = {'zone': pytz.timezone('Europe/Rome')} test_file = self._GetTestFilePath(['xchat.log']) event_queue_consumer = self._ParseFile( self._parser, test_file, knowledge_base_values=knowledge_base_values) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 9) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-12-31 21:11:55+01:00') self.assertEquals(event_objects[0].timestamp, expected_timestamp) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-12-31 23:00:00+01:00') self.assertEquals(event_objects[7].timestamp, expected_timestamp) expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-12-31 23:59:00+01:00') self.assertEquals(event_objects[8].timestamp, expected_timestamp) expected_string = u'XChat start logging' self._TestGetMessageStrings( event_objects[0], expected_string, expected_string) expected_string = u'--> You are now talking on #gugle' self._TestGetMessageStrings( event_objects[1], expected_string, expected_string) expected_string = u'--- Topic for #gugle is plaso, a difficult word' self._TestGetMessageStrings( event_objects[2], expected_string, expected_string) expected_string = u'Topic for #gugle set by Kristinn' self._TestGetMessageStrings( event_objects[3], expected_string, expected_string) expected_string = u'--- Joachim gives voice to fpi' self._TestGetMessageStrings( event_objects[4], expected_string, expected_string) expected_string = u'* XChat here' self._TestGetMessageStrings( event_objects[5], expected_string, expected_string) expected_string = u'[nickname: fpi] ola plas-ing guys!' self._TestGetMessageStrings( event_objects[6], expected_string, expected_string) expected_string = u'[nickname: STRANGER] \u65e5\u672c' self._TestGetMessageStrings( event_objects[7], expected_string, expected_string) expected_string = u'XChat end logging' self._TestGetMessageStrings( event_objects[8], expected_string, expected_string)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU' values = [] values.append( winreg_test_lib.TestRegValue('MRUList', 'acb'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=123)) values.append( winreg_test_lib.TestRegValue( 'a', 'Some random text here'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( 'b', 'c:/evil.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_BINARY, offset=612)) values.append( winreg_test_lib.TestRegValue( 'c', 'C:/looks_legit.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1001)) timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = (u'[{0:s}] ' u'Index: 1 [MRU Value a]: Some random text here ' u'Index: 2 [MRU Value c]: C:/looks_legit.exe ' u'Index: 3 [MRU Value b]: ').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testParse(self): """Tests the Parse function.""" test_file = self._GetTestFilePath(['utmpx_mac']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEqual(len(event_objects), 6) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-13 17:52:34') self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg_short = u'User: N/A' expected_msg = (u'User: N/A Status: BOOT_TIME ' u'Computer Name: localhost Terminal: N/A') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[1] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-13 17:52:41.736713') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.user, u'moxilo') self.assertEqual( event_object.terminal, u'console', ) self.assertEqual(event_object.status, u'USER_PROCESS') self.assertEqual(event_object.computer_name, u'localhost') expected_msg = (u'User: moxilo Status: ' u'USER_PROCESS ' u'Computer Name: localhost ' u'Terminal: console') expected_msg_short = (u'User: moxilo') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[4] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-14 04:32:56.641464') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.user, u'moxilo') self.assertEqual(event_object.terminal, u'ttys002') self.assertEqual(event_object.status, u'DEAD_PROCESS') expected_msg = (u'User: moxilo Status: ' u'DEAD_PROCESS ' u'Computer Name: localhost ' u'Terminal: ttys002') expected_msg_short = (u'User: moxilo') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testParse23MultiVolume(self): """Tests the Parse function on a mulit volume version 23 Prefetch file.""" test_file = self._GetTestFilePath(['WUAUCLT.EXE-830BCC14.pf']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 6) # The last run time. event_object = event_objects[5] self.assertEquals(event_object.version, 23) expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-03-15 21:17:39.807996') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME) # The creation time. event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2010-11-10 17:37:26.484375') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME) self.assertEquals(event_object.executable, u'WUAUCLT.EXE') self.assertEquals(event_object.prefetch_hash, 0x830bcc14) self.assertEquals(event_object.path, u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE') self.assertEquals(event_object.run_count, 25) self.assertEquals(event_object.volume_device_paths[0], u'\\DEVICE\\HARDDISKVOLUME1') self.assertEquals(event_object.volume_serial_numbers[0], 0xac036525) expected_msg = ( u'Prefetch [WUAUCLT.EXE] was executed - run count 25 path: ' u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE ' u'hash: 0x830BCC14 ' u'volume: 1 [serial number: 0xAC036525, ' u'device path: \\DEVICE\\HARDDISKVOLUME1], ' u'volume: 2 [serial number: 0xAC036525, ' u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY2], ' u'volume: 3 [serial number: 0xAC036525, ' u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY4], ' u'volume: 4 [serial number: 0xAC036525, ' u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY7], ' u'volume: 5 [serial number: 0xAC036525, ' u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY8]') expected_msg_short = u'WUAUCLT.EXE was run 25 time(s)' self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testParse(self): """Tests the Parse function.""" # TODO: only tested against Mac OS X Cups IPP (Version 2.0) test_file = self._GetTestFilePath(['mac_cups_ipp']) events = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjectsFromQueue(events) self.assertEqual(len(event_objects), 3) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-03 18:07:21') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME) self.assertEqual(event_object.application, u'LibreOffice') self.assertEqual(event_object.job_name, u'Assignament 1') self.assertEqual(event_object.computer_name, u'localhost') self.assertEqual(event_object.copies, 1) self.assertEqual(event_object.doc_type, u'application/pdf') expected_job = u'urn:uuid:d51116d9-143c-3863-62aa-6ef0202de49a' self.assertEqual(event_object.job_id, expected_job) self.assertEqual(event_object.owner, u'Joaquin Moreno Garijo') self.assertEqual(event_object.user, u'moxilo') self.assertEqual(event_object.printer_id, u'RHULBW') expected_uri = u'ipp://localhost:631/printers/RHULBW' self.assertEqual(event_object.uri, expected_uri) expected_msg = (u'User: moxilo ' u'Owner: Joaquin Moreno Garijo ' u'Job Name: Assignament 1 ' u'Application: LibreOffice ' u'Printer: RHULBW') expected_msg_short = (u'Job Name: Assignament 1') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[1] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-03 18:07:21') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.timestamp_desc, eventdata.EventTimestamp.START_TIME) event_object = event_objects[2] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-03 18:07:32') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.timestamp_desc, eventdata.EventTimestamp.END_TIME)
def testParse(self): """Tests the Parse function.""" test_file = self._GetTestFilePath(['iis.log']) event_queue_consumer = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 11) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-07-30 00:00:00') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.source_ip, u'10.10.10.100') self.assertEquals(event_object.dest_ip, u'10.10.10.100') self.assertEquals(event_object.dest_port, 80) expected_msg = (u'GET /some/image/path/something.jpg ' u'[ 10.10.10.100 > 10.10.10.100 : 80 ] ' u'Http Status: 200 ' u'User Agent: Mozilla/4.0+(compatible;+Win32;' u'+WinHttp.WinHttpRequest.5)') expected_msg_short = (u'GET /some/image/path/something.jpg ' u'[ 10.10.10.100 > 10.10.10.100 : 80 ]') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[5] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-07-30 00:00:05') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.http_method, 'GET') self.assertEquals(event_object.http_status, 200) self.assertEquals(event_object.requested_uri_stem, u'/some/image/path/something.jpg') event_object = event_objects[1] expected_msg = ( u'GET /some/image/path/something.htm ' u'[ 22.22.22.200 > 10.10.10.100 : 80 ] ' u'Http Status: 404 ' u'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)' u'+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7' u'+Safari/534.57.2') expected_msg_short = (u'GET /some/image/path/something.htm ' u'[ 22.22.22.200 > 10.10.10.100 : 80 ]') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['NTUSER.DAT']) key_path = ( u'\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU') winreg_key = self._GetKeyFromFile(test_file, key_path) event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 15) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2009-08-04 15:19:16.997750') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}] ' u'Index: 1 [MRU Value 0]: ' u'Shell item list: [My Computer]').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value 0]: Shel...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[1] expected_timestamp = timelib_test.CopyStringToTimestamp( '2009-08-04 15:19:10.669625') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}\\0] ' u'Index: 1 [MRU Value 0]: ' u'Shell item list: [My Computer, C:\\]').format(key_path) expected_msg_short = ( u'[{0:s}\\0] Index: 1 [MRU Value 0]: Sh...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[14] expected_timestamp = timelib_test.CopyStringToTimestamp( '2009-08-04 15:19:16.997750') self.assertEquals(event_object.timestamp, expected_timestamp) # The winreg_formatter will add a space after the key path even when there # is not text. expected_msg = u'[{0:s}\\0\\0\\0\\0\\0] '.format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT']) key_path = ( u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\' u'OpenSavePidlMRU') winreg_key = self._GetKeyFromFile(test_file, key_path) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 65) # A MRUListEx event object. event_object = event_objects[40] expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-08-28 22:48:28.159308') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}\\exe] ' u'Index: 1 [MRU Value 1]: Shell item list: [My Computer, P:\\, ' u'Application Tools, Firefox 6.0, Firefox Setup 6.0.exe] ' u'Index: 2 [MRU Value 0]: Shell item list: [Computers and Devices, ' u'UNKNOWN: 0x00, \\\\controller\\WebDavShare, Firefox Setup 3.6.12.exe' u']').format(key_path) expected_msg_short = ( u'[\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\' u'OpenSavePidlMRU...') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) # A shell item event object. event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-03-08 22:16:02') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = (u'Name: ALLOYR~1 ' u'Long name: Alloy Research ' u'NTFS file reference: 44518-33 ' u'Origin: {0:s}\\*').format(key_path) expected_msg_short = (u'Name: ALLOYR~1 ' u'NTFS file reference: 44518-33 ' u'Origin: \\Software\\Microsoft\\Wind...') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Test the Process function on an Android contacts2.db file.""" test_file = self._GetTestFilePath(['contacts2.db']) event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The contacts2 database file contains 5 events (MISSED/OUTGOING/INCOMING). self.assertEquals(len(event_objects), 5) # Check the first event. event_object = event_objects[0] self.assertEquals(event_object.timestamp_desc, u'Call Started') expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-11-06 21:17:16.690') self.assertEquals(event_object.timestamp, expected_timestamp) expected_number = u'5404561685' self.assertEquals(event_object.number, expected_number) expected_type = u'MISSED' self.assertEquals(event_object.call_type, expected_type) expected_call = (u'MISSED ' u'Number: 5404561685 ' u'Name: Barney ' u'Duration: 0 seconds') expected_short = u'MISSED Call' self._TestGetMessageStrings(event_object, expected_call, expected_short) # Run some tests on the last 2 events. event_object_3 = event_objects[3] event_object_4 = event_objects[4] # Check the timestamp_desc of the last event. self.assertEquals(event_object_4.timestamp_desc, u'Call Ended') expected_timestamp3 = timelib_test.CopyStringToTimestamp( '2013-11-07 00:03:36.690') self.assertEquals(event_object_3.timestamp, expected_timestamp3) expected_timestamp4 = timelib_test.CopyStringToTimestamp( '2013-11-07 00:14:15.690') self.assertEquals(event_object_4.timestamp, expected_timestamp4) # Ensure the difference in btw. events 3 and 4 equals the duration. expected_duration = ((expected_timestamp4 - expected_timestamp3) / 1000000) self.assertEquals(event_object_4.duration, expected_duration)
def testProcess(self): """Tests the Process function on a LS Quarantine database file.""" test_file = self._GetTestFilePath(['quarantine.db']) event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The quarantine database contains 14 event_objects. self.assertEquals(len(event_objects), 14) # Examine a VLC event. event_object = event_objects[3] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-07-08 21:12:03') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.agent, u'Google Chrome') vlc_url = ( u'http://download.cnet.com/VLC-Media-Player/3001-2139_4-10210434.html' u'?spi=40ab24d3c71594a5017d74be3b0c946c') self.assertEquals(event_object.url, vlc_url) self.assertTrue(u'vlc-2.0.7-intel64.dmg' in event_object.data) # Examine a MacKeeper event. event_object = event_objects[9] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-07-12 19:28:58') self.assertEquals(event_object.timestamp, expected_timestamp) # Examine a SpeedTest event. event_object = event_objects[10] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-07-12 19:30:16') self.assertEquals(event_object.timestamp, expected_timestamp) speedtest_message = ( u'[Google Chrome] Downloaded: http://mackeeperapp.zeobit.com/aff/' u'speedtest.net.6/download.php?affid=460245286&trt=5&utm_campaign=' u'3ES&tid_ext=P107fSKcSfqpMbcP3sI4fhKmeMchEB3dkAGpX4YIsvM;US;L;1 ' u'<http://download.mackeeper.zeobit.com/package.php?' u'key=460245286&trt=5&landpr=Speedtest>') speedtest_short = ( u'http://mackeeperapp.zeobit.com/aff/speedtest.net.6/download.php?' u'affid=4602452...') self._TestGetMessageStrings( event_object, speedtest_message, speedtest_short)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['application_usage.sqlite']) event_generator = self._ParseDatabaseFileWithPlugin(self._plugin, test_file) event_objects = self._GetEventObjects(event_generator) # The sqlite database contains 5 events. self.assertEquals(len(event_objects), 5) # Check the first event. event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2014-05-07 18:52:02') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals(event_object.application, u'/Applications/Safari.app') self.assertEquals(event_object.app_version, u'9537.75.14') self.assertEquals(event_object.bundle_id, u'com.apple.Safari') self.assertEquals(event_object.count, 1) expected_msg = ( u'/Applications/Safari.app v.9537.75.14 ' u'(bundle: com.apple.Safari). ' u'Launched: 1 time(s)') expected_msg_short = u'/Applications/Safari.app (1 time(s))' self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessVersion25(self): """Tests the Process function on a Firefox History database file v 25.""" test_file = self._GetTestFilePath(['places_new.sqlite']) cache = sqlite.SQLiteCache() event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file, cache) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The places.sqlite file contains 84 events: # 34 page visits. # 28 bookmarks # 14 bookmark folders # 8 annotations self.assertEquals(len(event_objects), 84) counter = collections.Counter() for event_object in event_objects: counter[event_object.data_type] += 1 self.assertEquals(counter['firefox:places:bookmark'], 28) self.assertEquals(counter['firefox:places:page_visited'], 34) self.assertEquals(counter['firefox:places:bookmark_folder'], 14) self.assertEquals(counter['firefox:places:bookmark_annotation'], 8) random_event = event_objects[10] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-10-30 21:57:11.281942') self.assertEquals(random_event.timestamp, expected_timestamp) expected_short = u'URL: http://code.google.com/p/plaso' expected_msg = ( u'http://code.google.com/p/plaso [count: 1] Host: code.google.com ' u'(URL not typed directly) Transition: TYPED') self._TestGetMessageStrings(random_event, expected_msg, expected_short)
def testProcessVersion25(self): """Tests the Process function on a Firefox Downloads database file.""" test_file = self._GetTestFilePath(['downloads.sqlite']) cache = sqlite.SQLiteCache() event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file, cache) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The downloads.sqlite file contains 2 events (1 download). self.assertEquals(len(event_objects), 2) # Check the first page visited event. event_object = event_objects[0] self.assertEquals(event_object.data_type, 'firefox:downloads:download') self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.START_TIME) expected_timestamp = timelib_test.CopyStringToTimestamp( u'2013-07-18 18:59:59.312000+00:00') self.assertEquals(event_object.timestamp, expected_timestamp) expected_url = (u'https://plaso.googlecode.com/files/' u'plaso-static-1.0.1-win32-vs2008.zip') self.assertEquals(event_object.url, expected_url) expected_full_path = u'file:///D:/plaso-static-1.0.1-win32-vs2008.zip' self.assertEquals(event_object.full_path, expected_full_path) self.assertEquals(event_object.received_bytes, 15974599) self.assertEquals(event_object.total_bytes, 15974599)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT']) key_path = self._plugin.REG_KEYS[0] winreg_key = self._GetKeyFromFile(test_file, key_path) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 5) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-08-23 17:10:14.960960') self.assertEquals(event_object.timestamp, expected_timestamp) regvalue = event_object.regvalue self.assertEquals(regvalue.get('Share_Name'), r'\home\nfury') expected_string = ( u'[{0:s}] Label: Home Drive Remote_Server: controller Share_Name: ' u'\\home\\nfury Type: Remote Drive Volume: ' u'##controller#home#nfury').format(key_path) expected_string_short = u'{0:s}...'.format(expected_string[0:77]) self._TestGetMessageStrings(event_object, expected_string, expected_string_short)
def testParseCache_002(self): """Test Firefox 28 cache file _CACHE_002_ parsing.""" test_file = self._GetTestFilePath( ['firefox_cache', 'firefox28', '_CACHE_002_']) event_generator = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(event_generator) self.assertEquals(58, len(event_objects)) self.assertEquals( event_objects[2].url, ('HTTP:http://www.google-analytics.com/__utm.gif?utmwv=5.5.0&utms=' '1&utmn=1106893631&utmhn=www.dagbladet.no&utmcs=windows-1252&ut' 'msr=1920x1080&utmvp=1430x669&utmsc=24-bit&utmul=en-us&utmje=0&' 'utmfl=-&utmdt=Dagbladet.no%20-%20forsiden&utmhid=460894302&utm' 'r=-&utmp=%2F&utmht=1398089458997&utmac=UA-3072159-1&utmcc=__ut' 'ma%3D68537988.718312608.1398089459.1398089459.1398089459.1%3B%' '2B__utmz%3D68537988.1398089459.1.1.utmcsr%3D(direct)%7Cutmccn' '%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmu=qBQ~')) self.assertEquals( event_objects[1].timestamp, timelib_test.CopyStringToTimestamp('2014-04-21 14:10:58')) self.VerifyMajorMinor(event_objects)
def testProcess(self): """Test the Process function on an Android SMS mmssms.db file.""" test_file = self._GetTestFilePath(['mmssms.db']) event_queue_consumer = self._ParseDatabaseFileWithPlugin( self._plugin, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The SMS database file contains 9 events (5 SENT, 4 RECEIVED messages). self.assertEquals(len(event_objects), 9) # Check the first SMS sent. event_object = event_objects[0] self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME) expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-10-29 16:56:28.038') self.assertEquals(event_object.timestamp, expected_timestamp) expected_address = u'1 555-521-5554' self.assertEquals(event_object.address, expected_address) expected_body = u'Yo Fred this is my new number.' self.assertEquals(event_object.body, expected_body) expected_msg = (u'Type: SENT ' u'Address: 1 555-521-5554 ' u'Status: READ ' u'Message: Yo Fred this is my new number.') expected_short = u'Yo Fred this is my new number.' self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT']) key_path = ( u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths' ) winreg_key = self._GetKeyFromFile(test_file, key_path) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2010-11-10 07:58:15.811625') self.assertEquals(event_object.timestamp, expected_timestamp) regvalue_identifier = u'url1' expected_value = u'\\\\controller' self._TestRegvalue(event_object, regvalue_identifier, expected_value) expected_msg = u'[{0:s}] {1:s}: {2:s}'.format(key_path, regvalue_identifier, expected_value) expected_msg_short = u'[{0:s}] {1:s}: \\\\cont...'.format( key_path, regvalue_identifier) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testParseWtmpFile(self): """Tests the Parse function for an WTMP file.""" test_file = self._GetTestFilePath(['wtmp.1']) events = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjects(events) self.assertEqual(len(event_objects), 4) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-12-01 17:36:38.432935') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.user, u'userA') self.assertEqual(event_object.computer_name, u'10.10.122.1') self.assertEqual(event_object.terminal, u'pts/32') self.assertEqual(event_object.status, u'USER_PROCESS') self.assertEqual(event_object.ip_address, u'10.10.122.1') self.assertEqual(event_object.exit, 0) self.assertEqual(event_object.pid, 20060) self.assertEqual(event_object.terminal_id, 842084211) expected_msg = (u'User: userA ' u'Computer Name: 10.10.122.1 ' u'Terminal: pts/32 ' u'PID: 20060 ' u'Terminal_ID: 842084211 ' u'Status: USER_PROCESS ' u'IP Address: 10.10.122.1 ' u'Exit: 0') expected_msg_short = (u'User: userA') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT']) key_path = u'\\Software\\Microsoft\\Office\\14.0\\Word\\File MRU' winreg_key = self._GetKeyFromFile(test_file, key_path) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 5) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-03-13 18:27:15.083') self.assertEquals(event_object.timestamp, expected_timestamp) regvalue_identifier = u'Item 1' expected_value = ( u'[F00000000][T01CD0146EA1EADB0][O00000000]*' u'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\' u'SA-23E Mitchell-Hyundyne Starfury.docx') self._TestRegvalue(event_object, regvalue_identifier, expected_value) expected_msg = u'[{0:s}] {1:s}: {2:s}'.format( key_path, regvalue_identifier, expected_value) expected_msg_short = u'[{0:s}] {1:s}: [F00000000][T01CD0146...'.format( key_path, regvalue_identifier) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" plist_name = u'user.plist' test_file = self._GetTestFilePath([plist_name]) event_queue_consumer = self._ParsePlistFileWithPlugin( self._parser, self._plugin, test_file, plist_name) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2013-12-28 04:35:47') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.key, u'passwordLastSetTime') self.assertEqual(event_object.root, u'/') expected_desc = ( u'Last time user (501) changed the password: '******'$ml$37313$fa6cac1869263baa85cffc5e77a3d4ee164b7' u'5536cae26ce8547108f60e3f554$a731dbb0e386b169af8' u'9fbb33c255ceafc083c6bc5194853f72f11c550c42e4625' u'ef113b66f3f8b51fc3cd39106bad5067db3f7f1491758ff' u'e0d819a1b0aba20646fd61345d98c0c9a411bfd1144dd4b' u'3c40ec0f148b66d5b9ab014449f9b2e103928ef21db6e25' u'b536a60ff17a84e985be3aa7ba3a4c16b34e0d1d2066ae178') self.assertEqual(event_object.desc, expected_desc) expected_string = u'//passwordLastSetTime {}'.format(expected_desc) expected_short = u'{}...'.format(expected_string[:77]) self._TestGetMessageStrings( event_object, expected_string, expected_short)