Example #1
  def testProcess(self):
    """Tests Process on the Office 14.0 Word "File MRU" key of NTUSER-WIN7.DAT.

    The plugin is run directly on the Registry key. The test then checks the
    warning and event counts, the MRU list event (events[5]) and the first
    per-item MRU event (events[0]).
    """
    word_mru_key_path = '\\'.join([
        'HKEY_CURRENT_USER', 'Software', 'Microsoft', 'Office', '14.0', 'Word',
        'File MRU'])

    file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(file_entry)
    word_mru_key = registry.GetKeyByPath(word_mru_key_path)

    plugin = officemru.OfficeMRUPlugin()
    storage_writer = self._ParseKeyWithPlugin(
        word_mru_key, plugin, file_entry=file_entry)

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 6)

    events = list(storage_writer.GetEvents())

    # Raw MRU values in list order. Each one has the form
    # [F...][T...][O...]*<path>. The T field of Item 1 (01CD0146EA1EADB0),
    # read as a hexadecimal FILETIME, is 2012-03-13 18:27:15.083 UTC, which is
    # the timestamp expected for events[0] further down.
    mru_values = [
        '[F00000000][T01CD0146EA1EADB0][O00000000]*'
        'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\'
        'SA-23E Mitchell-Hyundyne Starfury.docx',
        '[F00000000][T01CD00921FC127F0][O00000000]*'
        'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\'
        'Earthforce SA-26 Thunderbolt Star Fury.docx',
        '[F00000000][T01CD009208780140][O00000000]*'
        'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\StarFury.docx',
        '[F00000000][T01CCFE0B22DA9EF0][O00000000]*'
        'C:\\Users\\nfury\\Documents\\VIBRANIUM.docx',
        '[F00000000][T01CCFCBA595DFC30][O00000000]*'
        'C:\\Users\\nfury\\Documents\\ADAMANTIUM-Background.docx']

    # The list event carries every value as "Item N: <value>", separated by
    # single spaces.
    expected_entries = ' '.join(
        'Item {0:d}: {1:s}'.format(item_number, mru_value)
        for item_number, mru_value in enumerate(mru_values, start=1))

    # NOTE(review): this timestamp matches none of the T fields above;
    # presumably it is the key's last written time - confirm against the
    # plugin.
    expected_list_event_values = {
        'data_type': 'windows:registry:office_mru_list',
        'entries': expected_entries,
        # The parser value is the bare plugin name because the plugin is
        # invoked directly here rather than through the parser.
        'parser': plugin.plugin_name,
        'timestamp': '2012-03-13 18:27:15.089802',
        'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN}

    self.CheckEventValues(storage_writer, events[5], expected_list_event_values)

    # Test OfficeMRUWindowsRegistryEvent: the per-item event for Item 1.
    expected_item_event_values = {
        'data_type': 'windows:registry:office_mru',
        'key_path': word_mru_key_path,
        'timestamp': '2012-03-13 18:27:15.083000',
        'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN,
        'value_string': mru_values[0]}

    self.CheckEventValues(storage_writer, events[0], expected_item_event_values)
Example #2
  def testFilters(self):
    """Tests which Registry key paths the plugin's FILTERS attribute matches.

    Every combination of Access, Excel, PowerPoint and Word with the
    "File MRU" and "Place MRU" subkeys under Office 14.0 must match; an
    unrelated HKEY_LOCAL_MACHINE path must not.
    """
    plugin = officemru.OfficeMRUPlugin()

    # Only Office 14.0 key paths are exercised; this test says nothing about
    # whether the filters match other Office versions.
    office_key_path = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0'

    for application in ('Access', 'Excel', 'PowerPoint', 'Word'):
      for mru_key_name in ('File MRU', 'Place MRU'):
        key_path = '\\'.join([office_key_path, application, mru_key_name])
        self._AssertFiltersOnKeyPath(plugin, key_path)

    # Negative case: a key path outside the Office hierarchy.
    self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
Example #3
    def testProcess(self):
        """Tests Process on the Office 14.0 Word "File MRU" key.

        The key is read from the NTUSER-WIN7.DAT test file and parsed with
        the plugin invoked directly. The test checks the event count, the
        attributes and message strings of the MRU list event (events[5]) and
        those of the first per-item event (events[0]).
        """
        key_path = '\\'.join([
            'HKEY_CURRENT_USER', 'Software', 'Microsoft', 'Office', '14.0',
            'Word', 'File MRU'])

        file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
        registry = self._GetWinRegistryFromFileEntry(file_entry)
        word_mru_key = registry.GetKeyByPath(key_path)

        plugin = officemru.OfficeMRUPlugin()
        storage_writer = self._ParseKeyWithPlugin(
            word_mru_key, plugin, file_entry=file_entry)

        self.assertEqual(storage_writer.number_of_events, 6)

        events = list(storage_writer.GetEvents())

        # MRU list event.
        list_event = events[5]

        self.assertEqual(list_event.pathspec, file_entry.path_spec)

        # The parser attribute is the bare plugin name because the plugin is
        # invoked directly here rather than through the parser.
        self.assertEqual(list_event.parser, plugin.plugin_name)

        # NOTE(review): this timestamp matches none of the [T...] fields in
        # the MRU values below; presumably it is the key's last written time
        # - confirm against the plugin.
        self.CheckTimestamp(
            list_event.timestamp, '2012-03-13 18:27:15.089802')
        self.assertEqual(
            list_event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN)

        # Raw value of the first MRU item. Its T field (01CD0146EA1EADB0),
        # read as a hexadecimal FILETIME, is 2012-03-13 18:27:15.083 UTC, the
        # timestamp expected for events[0] further down.
        first_item_name = 'Item 1'
        first_item_value = (
            '[F00000000][T01CD0146EA1EADB0][O00000000]*'
            'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\'
            'SA-23E Mitchell-Hyundyne Starfury.docx')
        self._TestRegvalue(list_event, first_item_name, first_item_value)

        remaining_items = (
            'Item 2: [F00000000][T01CD00921FC127F0][O00000000]*'
            'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\'
            'Earthforce SA-26 Thunderbolt Star Fury.docx',
            'Item 3: [F00000000][T01CD009208780140][O00000000]*'
            'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\StarFury.docx',
            'Item 4: [F00000000][T01CCFE0B22DA9EF0][O00000000]*'
            'C:\\Users\\nfury\\Documents\\VIBRANIUM.docx',
            'Item 5: [F00000000][T01CCFCBA595DFC30][O00000000]*'
            'C:\\Users\\nfury\\Documents\\ADAMANTIUM-Background.docx')

        # The long message is "[key path] Item 1: <value>" followed by the
        # other items, separated by single spaces.
        message_head = '[{0:s}] {1:s}: {2:s}'.format(
            key_path, first_item_name, first_item_value)
        expected_message = ' '.join((message_head,) + remaining_items)
        # The short message is the first 77 characters plus an ellipsis.
        expected_short_message = expected_message[:77] + '...'

        self._TestGetMessageStrings(
            list_event, expected_message, expected_short_message)

        # Test OfficeMRUWindowsRegistryEvent: the per-item event for Item 1.
        item_event = events[0]

        self.CheckTimestamp(
            item_event.timestamp, '2012-03-13 18:27:15.083000')
        self.assertEqual(
            item_event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN)

        self.assertEqual(item_event.value_string, first_item_value)

        expected_message = '[{0:s}] Value: {1:s}'.format(
            key_path, first_item_value)
        # Unlike the long message, the short one is built from the value
        # string alone, without the key path prefix.
        expected_short_message = first_item_value[:77] + '...'

        self._TestGetMessageStrings(
            item_event, expected_message, expected_short_message)
Example #4
 def setUp(self):
   """Creates the OfficeMRUPlugin instance that the test methods use."""
   plugin = officemru.OfficeMRUPlugin()
   # Stored on the instance so the test methods can reach it as self._plugin.
   self._plugin = plugin
Example #5
 def setUp(self):
     """Prepares an individual test by creating the plugin under test."""
     office_mru_plugin = officemru.OfficeMRUPlugin()
     # Stored on the instance so the test methods can reach it as
     # self._plugin.
     self._plugin = office_mru_plugin