class RestorePointLogParser(interface.FileObjectParser):
"""A parser for Windows Restore Point (rp.log) files."""
NAME = u'rplog'
DESCRIPTION = u'Parser for Windows Restore Point (rp.log) files.'
FILTERS = frozenset([
interface.FileNameFileEntryFilter(u'rp.log')])
_FILE_HEADER_STRUCT = construct.Struct(
u'file_header',
construct.ULInt32(u'event_type'),
construct.ULInt32(u'restore_point_type'),
construct.ULInt64(u'sequence_number'),
construct.RepeatUntil(
lambda character, ctx: character == b'\x00\x00',
construct.Field(u'description', 2)))
_FILE_FOOTER_STRUCT = construct.Struct(
u'file_footer',
construct.ULInt64(u'creation_time'))
def _ParseFileHeader(self, file_object):
"""Parses the file header.
Args:
file_object: A file-like object to read data from.
Returns:
The file header construct object.
Raises:
UnableToParseFile: when the header cannot be parsed.
"""
try:
file_header = self._FILE_HEADER_STRUCT.parse_stream(file_object)
except (IOError, construct.FieldError) as exception:
raise errors.UnableToParseFile(
u'Unable to parse file header with error: {0:s}'.format(exception))
if not file_header:
raise errors.UnableToParseFile(u'Unable to read file header')
return file_header
def _ParseFileFooter(self, file_object):
"""Parses the file footer.
Args:
file_object: A file-like object to read data from.
Returns:
The file footer construct object.
Raises:
UnableToParseFile: when the footer cannot be parsed.
"""
try:
file_footer = self._FILE_FOOTER_STRUCT.parse_stream(file_object)
except (IOError, construct.FieldError) as exception:
raise errors.UnableToParseFile(
u'Unable to parse file footer with error: {0:s}'.format(exception))
if not file_footer:
raise errors.UnableToParseFile(u'Unable to read file footer')
return file_footer
def ParseFileObject(self, parser_mediator, file_object, **unused_kwargs):
"""Parses a Windows Restore Point (rp.log) log file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
file_header = self._ParseFileHeader(file_object)
try:
# The struct includes the end-of-string character that we need
# to strip off.
description = b''.join(file_header.description).decode(u'utf16')[:-1]
except UnicodeDecodeError as exception:
description = u''
parser_mediator.ProduceParseError((
u'unable to decode description UTF-16 stream with error: '
u'{0:s}').format(exception))
file_object.seek(-8, os.SEEK_END)
file_footer = self._ParseFileFooter(file_object)
timestamp = file_footer.get(u'creation_time', None)
if timestamp is None:
parser_mediator.ProduceParseError(u'Timestamp not set.')
else:
event_object = RestorePointInfoEvent(
timestamp, file_header.event_type, file_header.restore_point_type,
file_header.sequence_number, description)
parser_mediator.ProduceEvent(event_object)
class RestorePointLogParser(dtfabric_parser.DtFabricBaseParser):
"""A parser for Windows Restore Point (rp.log) files."""
NAME = 'rplog'
DESCRIPTION = 'Parser for Windows Restore Point (rp.log) files.'
FILTERS = frozenset([
interface.FileNameFileEntryFilter('rp.log')])
_DEFINITION_FILE = 'winrestore.yaml'
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Restore Point (rp.log) log file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
file_size = file_object.get_size()
file_header_map = self._GetDataTypeMap('rp_log_file_header')
try:
file_header, _ = self._ReadStructureFromFileObject(
file_object, 0, file_header_map)
except (ValueError, errors.ParseError) as exception:
raise errors.UnableToParseFile(
'Unable to parse file header with error: {0!s}'.format(
exception))
file_footer_map = self._GetDataTypeMap('rp_log_file_footer')
file_footer_offset = file_size - file_footer_map.GetByteSize()
try:
file_footer, _ = self._ReadStructureFromFileObject(
file_object, file_footer_offset, file_footer_map)
except (ValueError, errors.ParseError) as exception:
parser_mediator.ProduceExtractionError(
'unable to parse file footer with error: {0!s}'.format(exception))
return
# The description in the file header includes the end-of-string character
# that we need to strip off.
description = file_header.description.rstrip('\0')
if file_footer.creation_time == 0:
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
else:
date_time = dfdatetime_filetime.Filetime(
timestamp=file_footer.creation_time)
event_data = RestorePointEventData()
event_data.description = description
event_data.restore_point_event_type = file_header.event_type
event_data.restore_point_type = file_header.restore_point_type
event_data.sequence_number = file_header.sequence_number
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_CREATION)
parser_mediator.ProduceEventWithEventData(event, event_data)
class RestorePointLogParser(interface.FileObjectParser):
"""A parser for Windows Restore Point (rp.log) files."""
NAME = u'rplog'
DESCRIPTION = u'Parser for Windows Restore Point (rp.log) files.'
FILTERS = frozenset([
interface.FileNameFileEntryFilter(u'rp.log')])
_FILE_HEADER_STRUCT = construct.Struct(
u'file_header',
construct.ULInt32(u'event_type'),
construct.ULInt32(u'restore_point_type'),
construct.ULInt64(u'sequence_number'),
construct.RepeatUntil(
lambda character, ctx: character == b'\x00\x00',
construct.Field(u'description', 2)))
_FILE_FOOTER_STRUCT = construct.Struct(
u'file_footer',
construct.ULInt64(u'creation_time'))
def ParseFileObject(self, parser_mediator, file_object, **unused_kwargs):
"""Parses a Windows Restore Point (rp.log) log file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
try:
file_header_struct = self._FILE_HEADER_STRUCT.parse_stream(file_object)
except (IOError, construct.FieldError) as exception:
parser_mediator.ProduceExtractionError(
u'unable to parse file header with error: {0:s}'.format(exception))
return
file_object.seek(-8, os.SEEK_END)
try:
file_footer_struct = self._FILE_FOOTER_STRUCT.parse_stream(file_object)
except (IOError, construct.FieldError) as exception:
parser_mediator.ProduceExtractionError(
u'unable to parse file footer with error: {0:s}'.format(exception))
return
try:
description = b''.join(file_header_struct.description)
# The struct includes the end-of-string character that we need
# to strip off.
description = description.decode(u'utf16')[:-1]
except UnicodeDecodeError as exception:
description = u''
parser_mediator.ProduceExtractionError((
u'unable to decode description UTF-16 stream with error: '
u'{0:s}').format(exception))
if file_footer_struct.creation_time == 0:
date_time = dfdatetime_semantic_time.SemanticTime(u'Not set')
else:
date_time = dfdatetime_filetime.Filetime(
timestamp=file_footer_struct.creation_time)
event_data = RestorePointEventData()
event_data.description = description
event_data.restore_point_event_type = file_header_struct.event_type
event_data.restore_point_type = file_header_struct.restore_point_type
event_data.sequence_number = file_header_struct.sequence_number
event = time_events.DateTimeValuesEvent(
date_time, eventdata.EventTimestamp.CREATION_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)