Example #1
  def testParseV2(self):
    """Tests the Parse function on a version 2 file.

    The test file is read through a GZIP path specification layered on top
    of the OS path specification, and one of the extracted events is compared
    against known values.
    """
    fsevents_parser = fseventsd.FseventsdParser()

    test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])
    file_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
    unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

    writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

    # A clean parse must produce no warnings and exactly 6 events.
    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 6)

    parsed_events = list(writer.GetEvents())

    # The event timestamp is derived from the file entry, so the expected
    # value is read from the modification time of the test file on disk
    # instead of being hard-coded.
    # NOTE(review): this implies the timestamp reflects when the fseventsd
    # file was last written, not when the recorded change happened - confirm
    # against the parser before relying on it in a timeline.
    file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
    mtime_timestamp = file_entry.modification_time.GetPlasoTimestamp()

    # Only the third event (index 2) is checked in detail.
    self.CheckEventValues(
        writer, parsed_events[2], {
            'data_type': 'macos:fseventsd:record',
            'event_identifier': 1706838,
            'flags': 0x01000008,
            'path': 'Hi, Sierra',
            'timestamp': mtime_timestamp})
Example #2
    def testParseV2(self):
        """Tests the Parse function on a version 2 file.

        The test file is read through a GZIP path specification layered on
        top of the OS path specification. The attributes, timestamp and
        formatted message strings of one extracted event are verified.
        """
        fsevents_parser = fseventsd.FseventsdParser()

        test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])
        file_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
        unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

        writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

        self.assertEqual(writer.number_of_events, 6)

        # Only the third event (index 2) is checked in detail.
        record = list(writer.GetEvents())[2]
        self.assertEqual(record.path, 'Hi, Sierra')
        self.assertEqual(record.event_identifier, 1706838)
        # Per the expected message below, this flags value is rendered as
        # "IsDirectory, Renamed".
        self.assertEqual(record.flags, 0x8000001)

        # The expected timestamp is taken from the modification time of the
        # test file on disk rather than from a hard-coded value.
        # NOTE(review): this implies the event time is the last-write time of
        # the fseventsd file, not the time of the recorded change - confirm
        # against the parser.
        file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
        mtime_timestamp = file_entry.modification_time.GetPlasoTimestamp()
        self.assertEqual(record.timestamp, mtime_timestamp)

        long_message = (
            'Hi, Sierra Flag Values: IsDirectory, Renamed Flags: 0x8000001 '
            'Event Identifier: 1706838')
        short_message = 'Hi, Sierra IsDirectory, Renamed'
        self._TestGetMessageStrings(record, long_message, short_message)
Example #3
    def testParseV1(self):
        """Tests the Parse function on a version 1 file.

        The test file is read through a GZIP path specification layered on
        top of the OS path specification. The attributes, timestamp and
        formatted message strings of one extracted event are verified.
        """
        fsevents_parser = fseventsd.FseventsdParser()

        test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])
        file_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
        unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

        writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

        self.assertEqual(writer.number_of_events, 12)

        # Only the fourth event (index 3) is checked in detail.
        record = list(writer.GetEvents())[3]
        self.assertEqual(record.path, '.Spotlight-V100/Store-V1')
        self.assertEqual(record.event_identifier, 47747061)
        # Per the expected message below, this flags value is rendered as
        # "IsDirectory, DirectoryCreated".
        self.assertEqual(record.flags, 0x80000001)

        # The expected timestamp is taken from the modification time of the
        # test file on disk rather than from a hard-coded value.
        # NOTE(review): this implies the event time is the last-write time of
        # the fseventsd file, not the time of the recorded change - confirm
        # against the parser.
        file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
        mtime_timestamp = file_entry.modification_time.GetPlasoTimestamp()
        self.assertEqual(record.timestamp, mtime_timestamp)

        long_message = (
            '.Spotlight-V100/Store-V1 '
            'Flag Values: IsDirectory, DirectoryCreated '
            'Flags: 0x80000001 Event Identifier: 47747061')
        short_message = (
            '.Spotlight-V100/Store-V1 IsDirectory, DirectoryCreated')
        self._TestGetMessageStrings(record, long_message, short_message)
Example #4
    def testParseV1(self):
        """Tests the Parse function on a version 1 file.

        The test file is read through a GZIP path specification layered on
        top of the OS path specification, and one of the extracted events is
        compared against known values.
        """
        fsevents_parser = fseventsd.FseventsdParser()

        test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])
        file_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
        unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

        writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

        # A clean parse yields 12 events and neither kind of warning.
        self.assertEqual(writer.number_of_events, 12)
        self.assertEqual(writer.number_of_extraction_warnings, 0)
        self.assertEqual(writer.number_of_recovery_warnings, 0)

        parsed_events = list(writer.GetEvents())

        # The event date and time are derived from the file entry, so the
        # expected value is the modification time of the test file on disk.
        # NOTE(review): this implies the date and time describe the last
        # write of the fseventsd file, not the recorded change itself -
        # confirm against the parser.
        file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)

        # Only the fourth event (index 3) is checked in detail.
        self.CheckEventValues(
            writer, parsed_events[3], {
                'data_type': 'macos:fseventsd:record',
                'date_time': file_entry.modification_time,
                'event_identifier': 47747061,
                'flags': 0x01000080,
                'path': '.Spotlight-V100/Store-V1'})
Example #5
    def testParseV1(self):
        """Tests the Parse function on a version 1 file.

        The test file is read through a GZIP path specification layered on
        top of the OS path specification. One extracted event is compared
        against known values and its formatted message strings are verified.
        """
        fsevents_parser = fseventsd.FseventsdParser()

        test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])
        file_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
        unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

        writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

        # A clean parse must produce no warnings and exactly 12 events.
        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 12)

        parsed_events = list(writer.GetEvents())

        # The event timestamp is derived from the file entry, so the expected
        # value is read from the modification time of the test file on disk.
        # NOTE(review): this implies the timestamp reflects when the
        # fseventsd file was last written, not when the recorded change
        # happened - confirm against the parser.
        file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
        mtime_timestamp = file_entry.modification_time.GetPlasoTimestamp()

        # Only the fourth event (index 3) is checked in detail.
        self.CheckEventValues(
            writer, parsed_events[3], {
                'event_identifier': 47747061,
                'flags': 0x01000080,
                'path': '.Spotlight-V100/Store-V1',
                'timestamp': mtime_timestamp})

        # The message strings show how the flags value above is rendered:
        # "DirectoryCreated, IsDirectory".
        long_message = (
            '.Spotlight-V100/Store-V1 '
            'Flag Values: DirectoryCreated, IsDirectory '
            'Flags: 0x01000080 Event Identifier: 47747061')
        short_message = (
            '.Spotlight-V100/Store-V1 DirectoryCreated, IsDirectory')

        # Message formatting is checked on the event data of the same event.
        record_data = self._GetEventDataOfEvent(writer, parsed_events[3])
        self._TestGetMessageStrings(record_data, long_message, short_message)
Example #6
    def testParseV2(self):
        """Tests the Parse function on a version 2 file.

        The test file is read through a GZIP path specification layered on
        top of the OS path specification, and one of the extracted events is
        compared against known values.
        """
        fsevents_parser = fseventsd.FseventsdParser()

        test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])
        file_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
        unpacked_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

        writer = self._ParseFileByPathSpec(unpacked_path_spec, fsevents_parser)

        # A clean parse stores 6 events and no warnings of either kind.
        event_count = writer.GetNumberOfAttributeContainers('event')
        self.assertEqual(event_count, 6)

        extraction_warning_count = writer.GetNumberOfAttributeContainers(
            'extraction_warning')
        self.assertEqual(extraction_warning_count, 0)

        recovery_warning_count = writer.GetNumberOfAttributeContainers(
            'recovery_warning')
        self.assertEqual(recovery_warning_count, 0)

        parsed_events = list(writer.GetEvents())

        # The event date and time are derived from the file entry, so the
        # expected value is the modification time of the test file on disk.
        # NOTE(review): this implies the date and time describe the last
        # write of the fseventsd file, not the recorded change itself -
        # confirm against the parser.
        file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)

        # Only the third event (index 2) is checked in detail.
        self.CheckEventValues(
            writer, parsed_events[2], {
                'data_type': 'macos:fseventsd:record',
                'date_time': file_entry.modification_time,
                'event_identifier': 1706838,
                'flags': 0x01000008,
                'path': 'Hi, Sierra'})