def testParseFile(self):
  """Tests the Parse function on a stand-alone $MFT file.

  The 'MFT' fixture is parsed through an OS path specification. The total
  event count is checked and one distributed link tracking event (built
  from the object identifier stored in the MFT entry) is checked in detail.
  """
  mft_parser = ntfs.NTFSMFTParser()
  mft_path = self._GetTestFilePath([u'MFT'])
  mft_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)

  queue_consumer = self._ParseFileByPathSpec(mft_parser, mft_path_spec)
  events = self._GetEventObjectsFromQueue(queue_consumer)
  self.assertEqual(len(events), 126352)

  # A distributed link tracking event. Note that the reported MAC address
  # is the trailing node field of the (version 1) UUID: db3099beae3c.
  link_tracking_event = events[3684]
  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2007-06-30 12:58:40.500004')

  self.assertEqual(
      link_tracking_event.timestamp_desc,
      eventdata.EventTimestamp.CREATION_TIME)
  self.assertEqual(link_tracking_event.timestamp, expected_timestamp)

  expected_message = (
      u'9fe44b69-2709-11dc-a06b-db3099beae3c '
      u'MAC address: db:30:99:be:ae:3c '
      u'Origin: $MFT: 462-1')
  expected_short_message = (
      u'9fe44b69-2709-11dc-a06b-db3099beae3c '
      u'Origin: $MFT: 462-1')
  self._TestGetMessageStrings(
      link_tracking_event, expected_message, expected_short_message)
def testParseFile(self):
  """Tests the Parse function on a stand-alone $MFT file.

  The 'MFT' fixture is parsed through an OS path specification. The test is
  skipped when the fixture is not available. The warning and event counts
  are checked, followed by one distributed link tracking event.
  """
  mft_parser = ntfs.NTFSMFTParser()
  mft_path = self._GetTestFilePath(['MFT'])
  self._SkipIfPathNotExists(mft_path)

  mft_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)
  storage_writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

  # A non-zero warning count would mean part of the $MFT was not parsed
  # cleanly, so it is checked before the event count.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 126352)

  events = list(storage_writer.GetEvents())

  # A distributed link tracking event. The MAC address in the message is
  # the trailing node field of the UUID: db3099beae3c.
  link_tracking_event = events[3684]
  self.CheckTimestamp(
      link_tracking_event.timestamp, '2007-06-30 12:58:40.500004')
  self.assertEqual(
      link_tracking_event.timestamp_desc,
      definitions.TIME_DESCRIPTION_CREATION)

  link_tracking_event_data = self._GetEventDataOfEvent(
      storage_writer, link_tracking_event)

  expected_message = (
      '9fe44b69-2709-11dc-a06b-db3099beae3c '
      'MAC address: db:30:99:be:ae:3c '
      'Origin: $MFT: 462-1')
  expected_short_message = (
      '9fe44b69-2709-11dc-a06b-db3099beae3c '
      'Origin: $MFT: 462-1')
  self._TestGetMessageStrings(
      link_tracking_event_data, expected_message, expected_short_message)
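def testParseImage(self):
  """Tests the Parse function on a storage media image.

  The $MFT of the vsstest.qcow2 image is parsed through an OS -> QCOW -> TSK
  path specification chain. The four timestamps of MFT entry 0 ($MFT
  itself, file reference 0-1) plus its $FILE_NAME creation timestamp are
  checked, including the message strings of the last two. A second,
  multi-partition RAW (VMDK flat) image is then parsed through a TSK
  partition path specification and only its counts are checked.
  """
  parser = ntfs.NTFSMFTParser()
  test_file_path = self._GetTestFilePath(['vsstest.qcow2'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=qcow_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)

  # A non-zero warning count would mean part of the $MFT was not parsed
  # cleanly, so it is checked before the event count.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 284)

  events = list(storage_writer.GetEvents())

  def _CheckEntryZeroEvent(event, expected_timestamp_desc):
    """Checks one event of MFT entry 0 and returns its event data.

    All checked events of this entry share the same date and time; only
    the timestamp description differs.

    Args:
      event (EventObject): event to check.
      expected_timestamp_desc (str): expected timestamp description.

    Returns:
      EventData: the event data of the event.
    """
    self.CheckTimestamp(event.timestamp, '2013-12-03 06:30:41.807908')
    self.assertEqual(event.timestamp_desc, expected_timestamp_desc)

    event_data = self._GetEventDataOfEvent(storage_writer, event)

    # Check that the allocation status is set correctly: it must be a real
    # bool (not a truthy stand-in) and True for the in-use $MFT entry.
    self.assertIsInstance(event_data.is_allocated, bool)
    self.assertTrue(event_data.is_allocated)

    return event_data

  # The creation, last modification and last accessed timestamps, in the
  # order the parser emits them.
  for event_index, expected_timestamp_desc in (
      (0, definitions.TIME_DESCRIPTION_CREATION),
      (1, definitions.TIME_DESCRIPTION_MODIFICATION),
      (2, definitions.TIME_DESCRIPTION_LAST_ACCESS)):
    _CheckEntryZeroEvent(events[event_index], expected_timestamp_desc)

  # The entry modification timestamp, which comes from the
  # $STANDARD_INFORMATION attribute.
  event_data = _CheckEntryZeroEvent(
      events[3], definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION)

  expected_message = (
      'TSK:/$MFT '
      'File reference: 0-1 '
      'Attribute name: $STANDARD_INFORMATION')
  expected_short_message = '/$MFT 0-1 $STANDARD_INFORMATION'
  self._TestGetMessageStrings(
      event_data, expected_message, expected_short_message)

  # The creation timestamp of the $FILE_NAME attribute. Its parent file
  # reference 5-5 is MFT entry 5, the NTFS root directory.
  event_data = _CheckEntryZeroEvent(
      events[4], definitions.TIME_DESCRIPTION_CREATION)

  expected_message = (
      'TSK:/$MFT '
      'File reference: 0-1 '
      'Attribute name: $FILE_NAME '
      'Name: $MFT '
      'Parent file reference: 5-5')
  expected_short_message = '/$MFT 0-1 $FILE_NAME'
  self._TestGetMessageStrings(
      event_data, expected_message, expected_short_message)

  # Note that the source file is a RAW (VMDK flat) image.
  test_file_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  # The second partition (/p2) of the image: partition index 3 starting at
  # byte offset 0x00510000.
  p2_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
      part_index=3, start_offset=0x00510000, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=p2_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 184)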
def setUp(self):
  """Makes preparations before running an individual test.

  A fresh NTFSMFTParser is created for every test method, so no parser
  state carries over from one test to the next.
  """
  mft_parser = ntfs.NTFSMFTParser()
  self._parser = mft_parser
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Stores a newly created NTFSMFTParser on the test case; unittest calls
  this before each test method, so every test starts from a clean parser.
  """
  self._parser = self._NewParser()

def _NewParser(self):
  """Creates the parser under test.

  Returns:
    NTFSMFTParser: a new $MFT parser instance.
  """
  return ntfs.NTFSMFTParser()
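def testParseImage(self):
  """Tests the Parse function on a storage media image.

  The $MFT of the vsstest.qcow2 image is parsed through an OS -> QCOW -> TSK
  path specification chain. Events of MFT entry 0 ($MFT itself) and of
  entry 38 (a file under System Volume Information) are checked. A second,
  multi-partition RAW (VMDK flat) image is then parsed through a TSK
  partition path specification and only its counts are checked.
  """
  parser = ntfs.NTFSMFTParser()

  def _CheckContainerCounts(storage_writer, expected_number_of_events):
    """Checks the event count and that parsing produced no warnings.

    Args:
      storage_writer (StorageWriter): storage writer that received the
          parser output.
      expected_number_of_events (int): expected number of event containers.
    """
    number_of_events = storage_writer.GetNumberOfAttributeContainers('event')
    self.assertEqual(number_of_events, expected_number_of_events)

    # Either warning type would indicate that part of the $MFT was not
    # parsed cleanly, so both must be zero.
    for container_type in ('extraction_warning', 'recovery_warning'):
      number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
          container_type)
      self.assertEqual(number_of_warnings, 0)

  test_file_path = self._GetTestFilePath(['vsstest.qcow2'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=qcow_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
  _CheckContainerCounts(storage_writer, 284)

  events = list(storage_writer.GetEvents())

  # The creation, last modification and last accessed timestamps of the
  # $MFT entry share one date and time and differ only in description.
  for event_index, expected_timestamp_desc in (
      (0, definitions.TIME_DESCRIPTION_CREATION),
      (1, definitions.TIME_DESCRIPTION_MODIFICATION),
      (2, definitions.TIME_DESCRIPTION_LAST_ACCESS)):
    expected_event_values = {
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:30:41.8079077',
        'is_allocated': True,
        'timestamp_desc': expected_timestamp_desc}
    self.CheckEventValues(
        storage_writer, events[event_index], expected_event_values)

  # The entry modification timestamp of the $STANDARD_INFORMATION attribute
  # (type 0x10) of MFT entry 0. The 64-bit file reference 0x1000000000000
  # packs sequence number 1 in the upper 16 bits and entry number 0 in the
  # lower 48 bits, which the message strings render as "0-1".
  expected_event_values = {
      'attribute_type': 0x00000010,
      'data_type': 'fs:stat:ntfs',
      'date_time': '2013-12-03 06:30:41.8079077',
      'display_name': 'TSK:/$MFT',
      'file_reference': 0x1000000000000,
      'is_allocated': True,
      'path_hints': ['\\$MFT'],
      'timestamp_desc': definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION}
  self.CheckEventValues(storage_writer, events[7], expected_event_values)

  # The creation timestamp of the $FILE_NAME attribute (type 0x30) of the
  # same entry; its parent is MFT entry 5, the NTFS root directory.
  expected_event_values = {
      'attribute_type': 0x00000030,
      'data_type': 'fs:stat:ntfs',
      'date_time': '2013-12-03 06:30:41.8079077',
      'file_reference': 0x1000000000000,
      'is_allocated': True,
      'name': '$MFT',
      'parent_file_reference': 0x5000000000005,
      'path_hints': ['\\$MFT'],
      'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}
  self.CheckEventValues(storage_writer, events[0], expected_event_values)

  # MFT entry 38 (0x26): its $STANDARD_INFORMATION attribute, followed by
  # its two $FILE_NAME attributes, which carry the short (8.3) and the long
  # name of the same file under System Volume Information (entry 36).
  expected_event_values = {
      'attribute_type': 0x00000010,
      'data_type': 'fs:stat:ntfs',
      'date_time': '2013-12-03 06:35:09.5179783',
      'display_name': 'TSK:/$MFT',
      'file_reference': 0x1000000000026,
      'path_hints': [
          '\\System Volume Information\\{3808876b-c176-4e48-b7ae-'
          '04046e6cc752}']}
  self.CheckEventValues(storage_writer, events[251], expected_event_values)

  expected_event_values = {
      'attribute_type': 0x00000030,
      'data_type': 'fs:stat:ntfs',
      'date_time': '2013-12-03 06:35:09.5023783',
      'display_name': 'TSK:/$MFT',
      'file_reference': 0x1000000000026,
      'name': '{38088~1',
      'parent_file_reference': 0x1000000000024,
      'path_hints': ['\\System Volume Information\\{38088~1']}
  self.CheckEventValues(storage_writer, events[240], expected_event_values)

  expected_event_values = {
      'attribute_type': 0x00000030,
      'data_type': 'fs:stat:ntfs',
      'date_time': '2013-12-03 06:35:09.5023783',
      'display_name': 'TSK:/$MFT',
      'file_reference': 0x1000000000026,
      'name': '{3808876b-c176-4e48-b7ae-04046e6cc752}',
      'parent_file_reference': 0x1000000000024,
      'path_hints': [
          '\\System Volume Information\\'
          '{3808876b-c176-4e48-b7ae-04046e6cc752}']}
  self.CheckEventValues(storage_writer, events[244], expected_event_values)

  # Note that the source file is a RAW (VMDK flat) image.
  test_file_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  # The second partition (/p2) of the image: partition index 3 starting at
  # byte offset 0x00510000.
  p2_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
      part_index=3, start_offset=0x00510000, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=p2_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
  _CheckContainerCounts(storage_writer, 184)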
def testParseFile(self):
  """Tests the Parse function on a stand-alone $MFT file.

  The 'MFT' fixture is parsed through an OS path specification. After the
  event and warning counts, a distributed link tracking event and the path
  hints of a regular, a deleted and an orphaned file are checked.
  """
  mft_parser = ntfs.NTFSMFTParser()
  mft_path = self._GetTestFilePath(['MFT'])
  self._SkipIfPathNotExists(mft_path)

  mft_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)
  storage_writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

  self.assertEqual(
      storage_writer.GetNumberOfAttributeContainers('event'), 126352)

  # Either warning type would indicate that part of the $MFT was not
  # parsed cleanly, so both must be zero.
  for warning_container_type in ('extraction_warning', 'recovery_warning'):
    self.assertEqual(
        storage_writer.GetNumberOfAttributeContainers(
            warning_container_type), 0)

  events = list(storage_writer.GetEvents())

  deleted_file_path_hint = (
      '\\Documents and Settings\\Donald Blake\\Local Settings\\'
      'Temporary Internet Files\\Content.IE5\\9EUWFPZ1\\CAJA1S19.js')

  expected_events = (
      # A distributed link tracking event. The MAC address is the trailing
      # node field of the UUID: db3099beae3c.
      (3680, {
          'data_type': 'windows:distributed_link_tracking:creation',
          'date_time': '2007-06-30 12:58:40.5000041',
          'mac_address': 'db:30:99:be:ae:3c',
          'origin': '$MFT: 462-1',
          'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION,
          'uuid': '9fe44b69-2709-11dc-a06b-db3099beae3c'}),
      # Test path hints of a regular file.
      (28741, {
          'data_type': 'fs:stat:ntfs',
          'name': 'SAM',
          'path_hints': ['\\WINDOWS\\system32\\config\\SAM']}),
      # Test path hints of a deleted file: the entry is no longer allocated
      # but its full path can still be reconstructed.
      (120476, {
          'data_type': 'fs:stat:ntfs',
          'date_time': '2009-01-14 03:38:58.5869993',
          'is_allocated': False,
          'name': 'CAJA1S19.js',
          'path_hints': [deleted_file_path_hint]}),
      # Testing path hint of orphaned file; the $Orphan prefix marks an
      # entry whose parent directory chain could not be resolved.
      (125432, {
          'data_type': 'fs:stat:ntfs',
          'date_time': '2009-01-14 21:07:11.5721856',
          'name': 'menu.text.css',
          'path_hints': ['$Orphan\\session\\menu.text.css']}))

  for event_index, expected_event_values in expected_events:
    self.CheckEventValues(
        storage_writer, events[event_index], expected_event_values)
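def testParseImage(self):
  """Tests the Parse function on a storage media image.

  The $MFT of the vsstest.qcow2 image is parsed through an OS -> QCOW -> TSK
  path specification chain. Events of MFT entry 0 ($MFT itself, file
  reference 0-1) and of entry 38 (a file under System Volume Information)
  are checked together with their message strings. A second,
  multi-partition RAW (VMDK flat) image is then parsed through a TSK
  partition path specification and only its counts are checked.
  """
  def _CheckEventAndMessages(
      storage_writer, event, expected_event_values, expected_message,
      expected_short_message):
    """Checks the values and the formatted message strings of an event.

    Args:
      storage_writer (StorageWriter): storage writer that received the
          parser output.
      event (EventObject): event to check.
      expected_event_values (dict[str, object]): expected event values.
      expected_message (str): expected long message string.
      expected_short_message (str): expected short message string.
    """
    self.CheckEventValues(storage_writer, event, expected_event_values)

    event_data = self._GetEventDataOfEvent(storage_writer, event)
    self._TestGetMessageStrings(
        event_data, expected_message, expected_short_message)

  parser = ntfs.NTFSMFTParser()
  test_file_path = self._GetTestFilePath(['vsstest.qcow2'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=qcow_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)

  # A non-zero warning count would mean part of the $MFT was not parsed
  # cleanly, so it is checked before the event count.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 284)

  events = list(storage_writer.GetEvents())

  # The creation, last modification and last accessed timestamps of the
  # $MFT entry share one date and time and differ only in description.
  for event_index, expected_timestamp_desc in (
      (0, definitions.TIME_DESCRIPTION_CREATION),
      (1, definitions.TIME_DESCRIPTION_MODIFICATION),
      (2, definitions.TIME_DESCRIPTION_LAST_ACCESS)):
    expected_event_values = {
        'is_allocated': True,
        'timestamp': '2013-12-03 06:30:41.807908',
        'timestamp_desc': expected_timestamp_desc}
    self.CheckEventValues(
        storage_writer, events[event_index], expected_event_values)

  # The entry modification timestamp, from the $STANDARD_INFORMATION
  # attribute of MFT entry 0.
  expected_event_values = {
      'is_allocated': True,
      'timestamp': '2013-12-03 06:30:41.807908',
      'timestamp_desc': definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION}
  expected_message = (
      'TSK:/$MFT '
      'File reference: 0-1 '
      'Attribute name: $STANDARD_INFORMATION '
      'Path hints: \\$MFT')
  expected_short_message = '/$MFT 0-1 $STANDARD_INFORMATION'
  _CheckEventAndMessages(
      storage_writer, events[7], expected_event_values, expected_message,
      expected_short_message)

  # The creation timestamp, from the $FILE_NAME attribute of the same
  # entry; its parent file reference 5-5 is the NTFS root directory.
  expected_event_values = {
      'is_allocated': True,
      'timestamp': '2013-12-03 06:30:41.807908',
      'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}
  expected_message = (
      'TSK:/$MFT '
      'File reference: 0-1 '
      'Attribute name: $FILE_NAME '
      'Name: $MFT '
      'Parent file reference: 5-5 '
      'Path hints: \\$MFT')
  expected_short_message = '/$MFT 0-1 $FILE_NAME'
  _CheckEventAndMessages(
      storage_writer, events[0], expected_event_values, expected_message,
      expected_short_message)

  # MFT entry 38: its $STANDARD_INFORMATION attribute, followed by its two
  # $FILE_NAME attributes, which carry the short (8.3) and the long name of
  # the same file under System Volume Information (entry 36).
  long_name_path_hint = (
      '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}')

  expected_event_values = {'path_hints': [long_name_path_hint]}
  expected_message = (
      'TSK:/$MFT '
      'File reference: 38-1 '
      'Attribute name: $STANDARD_INFORMATION '
      'Path hints: \\System Volume Information\\'
      '{3808876b-c176-4e48-b7ae-04046e6cc752}')
  expected_short_message = '/$MFT 38-1 $STANDARD_INFORMATION'
  _CheckEventAndMessages(
      storage_writer, events[251], expected_event_values, expected_message,
      expected_short_message)

  expected_event_values = {
      'path_hints': ['\\System Volume Information\\{38088~1']}
  expected_message = (
      'TSK:/$MFT '
      'File reference: 38-1 '
      'Attribute name: $FILE_NAME '
      'Name: {38088~1 '
      'Parent file reference: 36-1 '
      'Path hints: \\System Volume Information\\{38088~1')
  expected_short_message = '/$MFT 38-1 $FILE_NAME'
  _CheckEventAndMessages(
      storage_writer, events[240], expected_event_values, expected_message,
      expected_short_message)

  expected_event_values = {'path_hints': [long_name_path_hint]}
  expected_message = (
      'TSK:/$MFT '
      'File reference: 38-1 '
      'Attribute name: $FILE_NAME '
      'Name: {3808876b-c176-4e48-b7ae-04046e6cc752} '
      'Parent file reference: 36-1 '
      'Path hints: \\System Volume Information\\'
      '{3808876b-c176-4e48-b7ae-04046e6cc752}')
  expected_short_message = '/$MFT 38-1 $FILE_NAME'
  _CheckEventAndMessages(
      storage_writer, events[244], expected_event_values, expected_message,
      expected_short_message)

  # Note that the source file is a RAW (VMDK flat) image.
  test_file_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
  self._SkipIfPathNotExists(test_file_path)

  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  # The second partition (/p2) of the image: partition index 3 starting at
  # byte offset 0x00510000.
  p2_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
      part_index=3, start_offset=0x00510000, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
      parent=p2_path_spec)

  storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 184)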
def testParseFile(self):
  """Tests the Parse function on a stand-alone $MFT file.

  The 'MFT' fixture is parsed through an OS path specification. After the
  warning and event counts, a distributed link tracking event (values and
  message strings) and the path hints of a regular, a deleted and an
  orphaned file are checked.
  """
  mft_parser = ntfs.NTFSMFTParser()
  mft_path = self._GetTestFilePath(['MFT'])
  self._SkipIfPathNotExists(mft_path)

  mft_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)
  storage_writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

  # A non-zero warning count would mean part of the $MFT was not parsed
  # cleanly, so it is checked before the event count.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 126352)

  events = list(storage_writer.GetEvents())

  # A distributed link tracking event. The MAC address in the message is
  # the trailing node field of the UUID: db3099beae3c.
  link_tracking_event = events[3680]
  self.CheckEventValues(storage_writer, link_tracking_event, {
      'timestamp': '2007-06-30 12:58:40.500004',
      'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})

  link_tracking_event_data = self._GetEventDataOfEvent(
      storage_writer, link_tracking_event)
  self._TestGetMessageStrings(
      link_tracking_event_data,
      ('9fe44b69-2709-11dc-a06b-db3099beae3c '
       'MAC address: db:30:99:be:ae:3c '
       'Origin: $MFT: 462-1'),
      ('9fe44b69-2709-11dc-a06b-db3099beae3c '
       'Origin: $MFT: 462-1'))

  deleted_file_path_hint = (
      '\\Documents and Settings\\Donald Blake\\Local Settings\\'
      'Temporary Internet Files\\Content.IE5\\9EUWFPZ1\\CAJA1S19.js')

  expected_path_hint_events = (
      # Test path hints of a regular file.
      (28741, {
          'name': 'SAM',
          'path_hints': ['\\WINDOWS\\system32\\config\\SAM']}),
      # Test path hints of a deleted file: the entry is no longer allocated
      # but its full path can still be reconstructed.
      (120476, {
          'is_allocated': False,
          'name': 'CAJA1S19.js',
          'path_hints': [deleted_file_path_hint]}),
      # Testing path hint of orphaned file; the $Orphan prefix marks an
      # entry whose parent directory chain could not be resolved.
      (125432, {
          'name': 'menu.text.css',
          'path_hints': ['$Orphan\\session\\menu.text.css']}))

  for event_index, expected_event_values in expected_path_hint_events:
    self.CheckEventValues(
        storage_writer, events[event_index], expected_event_values)
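def testParseImage(self):
  """Tests the Parse function on a storage media image.

  The $MFT of the vsstest.qcow2 image is parsed through an OS -> QCOW -> TSK
  path specification chain. The four timestamps of MFT entry 0 ($MFT
  itself, file reference 0-1) plus its $FILE_NAME creation timestamp are
  checked, including the message strings of the last two. A second,
  multi-partition RAW (VMDK flat) image is then parsed through a TSK
  partition path specification and only its event count is checked.
  """
  parser_object = ntfs.NTFSMFTParser()
  test_path = self._GetTestFilePath([u'vsstest.qcow2'])
  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_path)
  qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location=u'/$MFT',
      parent=qcow_path_spec)

  event_queue_consumer = self._ParseFileByPathSpec(
      parser_object, tsk_path_spec)
  event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

  self.assertEqual(len(event_objects), 284)

  def _CheckEntryZeroEvent(event_object, expected_timestamp_desc):
    """Checks the allocation status and timestamp of an MFT entry 0 event.

    All checked events of this entry share the same date and time; only
    the timestamp description differs.

    Args:
      event_object (EventObject): event to check.
      expected_timestamp_desc (str): expected timestamp description.
    """
    # Check that the allocation status is set correctly: it must be a real
    # bool (not a truthy stand-in) and True for the in-use $MFT entry.
    self.assertIsInstance(event_object.is_allocated, bool)
    self.assertTrue(event_object.is_allocated)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2013-12-03 06:30:41.807907')
    self.assertEqual(event_object.timestamp_desc, expected_timestamp_desc)
    self.assertEqual(event_object.timestamp, expected_timestamp)

  # The creation, last modification and last accessed timestamps, in the
  # order the parser emits them.
  for event_index, expected_timestamp_desc in (
      (0, eventdata.EventTimestamp.CREATION_TIME),
      (1, eventdata.EventTimestamp.MODIFICATION_TIME),
      (2, eventdata.EventTimestamp.ACCESS_TIME)):
    _CheckEntryZeroEvent(event_objects[event_index], expected_timestamp_desc)

  # The entry modification timestamp, which comes from the
  # $STANDARD_INFORMATION attribute.
  event_object = event_objects[3]
  _CheckEntryZeroEvent(
      event_object, eventdata.EventTimestamp.ENTRY_MODIFICATION_TIME)

  expected_message = (
      u'TSK:/$MFT '
      u'File reference: 0-1 '
      u'Attribute name: $STANDARD_INFORMATION')
  expected_short_message = u'/$MFT 0-1 $STANDARD_INFORMATION'
  self._TestGetMessageStrings(
      event_object, expected_message, expected_short_message)

  # The creation timestamp of the $FILE_NAME attribute. Its parent file
  # reference 5-5 is MFT entry 5, the NTFS root directory.
  event_object = event_objects[4]
  _CheckEntryZeroEvent(event_object, eventdata.EventTimestamp.CREATION_TIME)

  expected_message = (
      u'TSK:/$MFT '
      u'File reference: 0-1 '
      u'Attribute name: $FILE_NAME '
      u'Name: $MFT '
      u'Parent file reference: 5-5')
  expected_short_message = u'/$MFT 0-1 $FILE_NAME'
  self._TestGetMessageStrings(
      event_object, expected_message, expected_short_message)

  # Note that the source file is a RAW (VMDK flat) image.
  test_path = self._GetTestFilePath([u'multi_partition_image.vmdk'])
  os_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_path)
  # The second partition (/p2) of the image: partition index 3 starting at
  # byte offset 0x00510000.
  p2_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location=u'/p2',
      part_index=3, start_offset=0x00510000, parent=os_path_spec)
  tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location=u'/$MFT',
      parent=p2_path_spec)

  event_queue_consumer = self._ParseFileByPathSpec(
      parser_object, tsk_path_spec)
  event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

  self.assertEqual(len(event_objects), 184)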