def testParseImage(self):
    """Runs the NTFS UsnJrnl parser against the usnjrnl.qcow2 test image.

    Builds an OS -> QCOW -> TSK partition path specification chain, parses
    the volume through it and verifies the warning count, the event count
    and the timestamp and message strings of the first extracted event.
    """
    usn_parser = ntfs.NTFSUsnJrnlParser()

    image_path = self._GetTestFilePath(['usnjrnl.qcow2'])
    self._SkipIfPathNotExists(image_path)

    factory = path_spec_factory.Factory

    # Layer 1: the image file on the host file system.
    host_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
    # Layer 2: the QCOW container stored in that file.
    image_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=host_spec)
    # Layer 3: partition /p1 inside the QCOW image.
    partition_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p1',
        part_index=2, start_offset=0x00007e00, parent=image_spec)

    # The parser is handed the volume path spec itself: the UsnJrnl parser
    # has to read directly from the volume to be able to ignore the sparse
    # data ranges.
    writer = self._ParseFileByPathSpec(partition_spec, usn_parser)

    warning_count = writer.number_of_warnings
    self.assertEqual(warning_count, 0)
    event_count = writer.number_of_events
    self.assertEqual(event_count, 19)

    all_events = list(writer.GetEvents())
    first_event = all_events[0]

    self.CheckTimestamp(first_event.timestamp, '2015-11-30 21:15:27.203125')
    self.assertEqual(
        first_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION)

    first_event_data = self._GetEventDataOfEvent(writer, first_event)

    long_message = (
        'Nieuw - Tekstdocument.txt '
        'File reference: 30-1 '
        'Parent file reference: 5-5 '
        'Update reason: USN_REASON_FILE_CREATE')
    short_message = (
        'Nieuw - Tekstdocument.txt 30-1 USN_REASON_FILE_CREATE')

    self._TestGetMessageStrings(
        first_event_data, long_message, short_message)
def testParseImage(self):
    """Runs the NTFS UsnJrnl parser against the usnjrnl.qcow2 test image.

    Builds an OS -> QCOW -> TSK partition path specification chain, parses
    the volume through it and verifies that 19 events and no extraction or
    recovery warnings were stored, then checks the values of the first
    event.
    """
    usn_parser = ntfs.NTFSUsnJrnlParser()

    image_path = self._GetTestFilePath(['usnjrnl.qcow2'])
    self._SkipIfPathNotExists(image_path)

    factory = path_spec_factory.Factory

    # Layer 1: the image file on the host file system.
    host_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
    # Layer 2: the QCOW container stored in that file.
    image_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=host_spec)
    # Layer 3: partition /p1 inside the QCOW image.
    partition_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p1',
        part_index=2, start_offset=0x00007e00, parent=image_spec)

    # The parser is handed the volume path spec itself: the UsnJrnl parser
    # has to read directly from the volume to be able to ignore the sparse
    # data ranges.
    writer = self._ParseFileByPathSpec(partition_spec, usn_parser)

    event_count = writer.GetNumberOfAttributeContainers('event')
    self.assertEqual(event_count, 19)

    # Both warning container types must be empty, so a parse problem that
    # was only recorded as a warning still fails the test.
    for warning_type in ('extraction_warning', 'recovery_warning'):
        warning_count = writer.GetNumberOfAttributeContainers(warning_type)
        self.assertEqual(warning_count, 0)

    all_events = list(writer.GetEvents())

    first_event_values = {
        'data_type': 'fs:ntfs:usn_change',
        'date_time': '2015-11-30 21:15:27.2031250',
        'filename': 'Nieuw - Tekstdocument.txt',
        # NTFS file reference: the low 48 bits hold the MFT entry (0x1e,
        # i.e. 30) and the upper 16 bits the sequence number (1).
        'file_reference': 0x100000000001e,
        # Same layout: MFT entry 5, sequence number 5.
        'parent_file_reference': 0x5000000000005,
        'timestamp_desc': definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION,
        # 0x00000100 is the USN_REASON_FILE_CREATE reason flag.
        'update_reason_flags': 0x00000100}

    self.CheckEventValues(writer, all_events[0], first_event_values)
def testParseImage(self):
    """Runs the NTFS UsnJrnl parser against the usnjrnl.qcow2 test image.

    Builds an OS -> QCOW -> TSK partition path specification chain, parses
    the volume through it and verifies the number of event objects and the
    timestamp and message strings of the first one.
    """
    usn_parser = ntfs.NTFSUsnJrnlParser()

    image_path = self._GetTestFilePath([u'usnjrnl.qcow2'])

    factory = path_spec_factory.Factory

    # Layer 1: the image file on the host file system.
    host_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
    # Layer 2: the QCOW container stored in that file.
    image_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=host_spec)
    # Layer 3: partition /p1 inside the QCOW image.
    partition_spec = factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location=u'/p1',
        part_index=2, start_offset=0x00007e00, parent=image_spec)

    # The parser is handed the volume path spec itself: the UsnJrnl parser
    # has to read directly from the volume to be able to ignore the sparse
    # data ranges.
    queue_consumer = self._ParseFileByPathSpec(usn_parser, partition_spec)
    parsed_events = self._GetEventObjectsFromQueue(queue_consumer)

    self.assertEqual(len(parsed_events), 19)

    first_event = parsed_events[0]

    # The expected timestamp is derived before either assertion runs, as in
    # the original ordering.
    wanted_timestamp = timelib.Timestamp.CopyFromString(
        u'2015-11-30 21:15:27.203125')
    self.assertEqual(
        first_event.timestamp_desc,
        eventdata.EventTimestamp.ENTRY_MODIFICATION_TIME)
    self.assertEqual(first_event.timestamp, wanted_timestamp)

    long_message = (
        u'Nieuw - Tekstdocument.txt '
        u'File reference: 30-1 '
        u'Parent file reference: 5-5 '
        u'Update reason: USN_REASON_FILE_CREATE')
    short_message = (
        u'Nieuw - Tekstdocument.txt 30-1 USN_REASON_FILE_CREATE')

    self._TestGetMessageStrings(first_event, long_message, short_message)
def setUp(self):
    """Prepares the test case by storing a new NTFSUsnJrnlParser.

    The parser instance is kept on self._parser.
    """
    usn_parser = ntfs.NTFSUsnJrnlParser()
    self._parser = usn_parser