def _OpenPathSpec(self, path_specification, ascii_codepage='cp1252'):
  """Opens the Windows Registry file specified by the path specification.

  Args:
    path_specification (dfvfs.PathSpec): path specification.
    ascii_codepage (Optional[str]): ASCII string codepage handed to the
        REGF Registry file.

  Returns:
    WinRegistryFile: Windows Registry file, or None when the path
        specification is empty, no file entry or file object can be
        retrieved for it, or the file cannot be opened as a REGF file.
  """
  if not path_specification:
    return None

  file_entry = self._file_system.GetFileEntryByPathSpec(path_specification)

  file_object = None
  if file_entry is not None:
    file_object = file_entry.GetFileObject()
  if file_object is None:
    return None

  registry_file = dfwinreg_regf.REGFWinRegistryFile(
      ascii_codepage=ascii_codepage)
  try:
    registry_file.Open(file_object)
  except IOError as exception:
    # The file object was obtained here, so release it ourselves when the
    # Registry file fails to open instead of leaving the handle dangling.
    file_object.close()
    logger.warning(
        'Unable to open Windows Registry file with error: {0!s}'.format(
            exception))
    return None

  return registry_file
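def _ParseValueData(self, knowledge_base, value_data):
  """Parses Windows Registry value data for a preprocessing attribute.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # Use !s rather than :s for the type object: on Python 3 a type does not
    # accept the 's' format spec, which turned this branch into a TypeError
    # instead of the intended PreProcessFail.
    raise errors.PreProcessFail(
        'Unsupported Windows Registry value type: {0!s} for '
        'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # Map the Windows time zone name to a Python equivalent name; fall back to
  # the raw value when no mapping exists.
  lookup_key = value_data.replace(' ', '')
  time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)

  # TODO: check if time zone is set in knowledge base.
  if time_zone:
    try:
      knowledge_base.SetTimeZone(time_zone)
    except ValueError:
      # TODO: add and store preprocessing errors.
      # A time zone name the knowledge base rejects is logged and skipped so
      # one bad value does not abort the rest of preprocessing.
      logger.warning(
          'Unable to map: "{0:s}" to time zone'.format(value_data))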
def CollectFromWindowsRegistry(
    cls, artifacts_registry, knowledge_base, searcher):
  """Runs every registered Windows Registry preprocessor plugin.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
        preprocess the Windows Registry.
  """
  for plugin in cls._windows_registry_plugins.values():
    name = plugin.ARTIFACT_DEFINITION_NAME
    definition = artifacts_registry.GetDefinitionByName(name)
    if not definition:
      logger.warning('Missing artifact definition: {0:s}'.format(name))
      continue

    logger.debug(
        'Running Windows Registry preprocessor plugin: {0:s}'.format(name))
    try:
      plugin.Collect(knowledge_base, definition, searcher)
    except (IOError, errors.PreProcessFail) as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning((
          'Unable to collect value from artifact definition: {0:s} '
          'with error: {1!s}').format(name, exception))
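def _ParseValueData(self, knowledge_base, value_data):
  """Parses Windows Registry value data for a preprocessing attribute.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # Use !s rather than :s for the type object: on Python 3 a type does not
    # accept the 's' format spec, which turned this branch into a TypeError
    # instead of the intended PreProcessFail.
    raise errors.PreProcessFail(
        'Unsupported Windows Registry value type: {0!s} for '
        'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # Map the Windows time zone name to a Python equivalent name; fall back to
  # the raw value when no mapping exists.
  lookup_key = value_data.replace(' ', '')
  time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)

  # TODO: check if time zone is set in knowledge base.
  if time_zone:
    try:
      knowledge_base.SetTimeZone(time_zone)
    except ValueError:
      # TODO: add and store preprocessing errors.
      # A time zone name the knowledge base rejects is logged and skipped so
      # one bad value does not abort the rest of preprocessing.
      logger.warning('Unable to map: "{0:s}" to time zone'.format(
          value_data))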
def CollectFromFileSystem(cls, artifacts_registry, mediator, searcher,
                          file_system):
  """Runs every registered file system preprocessor plugin.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
  """
  for plugin in cls._file_system_plugins.values():
    name = plugin.ARTIFACT_DEFINITION_NAME
    definition = artifacts_registry.GetDefinitionByName(name)
    if not definition:
      logger.warning('Missing artifact definition: {0:s}'.format(name))
      continue

    logger.debug(
        'Running file system preprocessor plugin: {0:s}'.format(name))
    try:
      plugin.Collect(mediator, definition, searcher, file_system)
    except (IOError, errors.PreProcessFail) as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning(
          ('Unable to collect value from artifact definition: {0:s} '
           'with error: {1!s}').format(name, exception))
def CollectFromFileSystem(cls, artifacts_registry, knowledge_base, searcher,
                          file_system):
  """Runs every registered file system preprocessor plugin.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
  """
  for plugin in cls._file_system_plugins.values():
    name = plugin.ARTIFACT_DEFINITION_NAME
    definition = artifacts_registry.GetDefinitionByName(name)
    if not definition:
      logger.warning('Missing artifact definition: {0:s}'.format(name))
      continue

    try:
      plugin.Collect(knowledge_base, definition, searcher, file_system)
    except (IOError, errors.PreProcessFail) as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning(
          ('Unable to collect value from artifact definition: {0:s} '
           'with error: {1!s}').format(name, exception))
def CollectFromFileSystem(
    cls, artifacts_registry, knowledge_base, searcher, file_system):
  """Runs every registered file system preprocessor plugin.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
  """
  for plugin in cls._file_system_plugins.values():
    name = plugin.ARTIFACT_DEFINITION_NAME
    definition = artifacts_registry.GetDefinitionByName(name)
    if not definition:
      logger.warning('Missing artifact definition: {0:s}'.format(name))
      continue

    try:
      plugin.Collect(knowledge_base, definition, searcher, file_system)
    except (IOError, errors.PreProcessFail) as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning((
          'Unable to collect value from artifact definition: {0:s} '
          'with error: {1!s}').format(name, exception))
def CollectFromKnowledgeBase(cls, knowledge_base):
  """Runs every registered knowledge base preprocessor plugin.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
  """
  for plugin in cls._knowledge_base_plugins.values():
    plugin_name = plugin.__class__.__name__
    logger.debug('Running knowledge base preprocessor plugin: {0:s}'.format(
        plugin_name))
    try:
      plugin.Collect(knowledge_base)
    except errors.PreProcessFail as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning(
          'Unable to collect knowledge base value with error: {0!s}'.format(
              exception))
def CollectFromKnowledgeBase(cls, mediator):
  """Runs every registered knowledge base preprocessor plugin.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
  """
  for plugin in cls._knowledge_base_plugins.values():
    plugin_name = plugin.__class__.__name__
    logger.debug(
        'Running knowledge base preprocessor plugin: {0:s}'.format(
            plugin_name))
    try:
      plugin.Collect(mediator)
    except errors.PreProcessFail as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning(
          'Unable to collect knowledge base value with error: {0!s}'.
          format(exception))
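def RunPlugins(cls, artifacts_registry, file_system, mount_point, mediator):
  """Runs the preprocessing plugins.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that refers
        to the base location of the file system.
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
  """
  searcher = file_system_searcher.FileSystemSearcher(
      file_system, mount_point)
  cls.CollectFromFileSystem(artifacts_registry, mediator, searcher, file_system)

  # Run the Registry plugins separately so we do not have to open
  # Registry files for every preprocess plugin.
  environment_variables = None
  if mediator.knowledge_base:
    environment_variables = mediator.knowledge_base.GetEnvironmentVariables(
    )

  registry_file_reader = FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=environment_variables)
  win_registry = dfwinreg_registry.WinRegistry(
      registry_file_reader=registry_file_reader)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)

  cls.CollectFromKnowledgeBase(mediator)

  # The knowledge base is treated as optional above, so keep the final check
  # consistent instead of raising AttributeError when it is missing.
  knowledge_base = mediator.knowledge_base
  if not knowledge_base or not knowledge_base.HasUserAccounts():
    logger.warning('Unable to find any user accounts on the system.')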
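def RunPlugins(
    cls, artifacts_registry, file_system, mount_point, knowledge_base):
  """Runs the preprocessing plugins.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that refers
        to the base location of the file system.
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
  """
  searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point)
  cls.CollectFromFileSystem(
      artifacts_registry, knowledge_base, searcher, file_system)

  # Run the Registry plugins separately so we do not have to open
  # Registry files for every preprocess plugin.
  environment_variables = None
  if knowledge_base:
    environment_variables = knowledge_base.GetEnvironmentVariables()

  registry_file_reader = FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=environment_variables)
  win_registry = dfwinreg_registry.WinRegistry(
      registry_file_reader=registry_file_reader)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  cls.CollectFromWindowsRegistry(
      artifacts_registry, knowledge_base, searcher)

  cls.CollectFromKnowledgeBase(knowledge_base)

  # The knowledge base is treated as optional above, so keep the final check
  # consistent instead of raising AttributeError when it is missing.
  if not knowledge_base or not knowledge_base.HasUserAccounts():
    logger.warning('Unable to find any user accounts on the system.')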
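def Open(self, path, ascii_codepage='cp1252'):
  """Opens the Windows Registry file specified by the path.

  Args:
    path (str): path of the Windows Registry file.
    ascii_codepage (Optional[str]): ASCII string codepage, forwarded to
        _OpenPathSpec.

  Returns:
    WinRegistryFile: Windows Registry file, or None if the path cannot be
        resolved or the file cannot be opened.
  """
  try:
    path_specification = self._path_resolver.ResolvePath(path)
  except dfvfs_errors.BackEndError as exception:
    logger.warning(
        ('Unable to open Windows Registry file: {0:s} with error: '
         '{1!s}').format(path, exception))
    return None

  if path_specification is None:
    return None

  # Forward the codepage: it was previously accepted but silently dropped,
  # so callers passing a non-default value had no effect.
  return self._OpenPathSpec(
      path_specification, ascii_codepage=ascii_codepage)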
def CollectFromWindowsRegistry(cls, artifacts_registry, mediator, searcher):
  """Runs every registered Windows Registry preprocessor plugin.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
        preprocess the Windows Registry.
  """
  # TODO: define preprocessing plugin dependency and sort preprocess_plugins
  # for now sort alphabetically to ensure WindowsAvailableTimeZones is run
  # before WindowsTimezone.
  plugins = cls._windows_registry_plugins
  for plugin_key in sorted(plugins):
    plugin = plugins[plugin_key]
    name = plugin.ARTIFACT_DEFINITION_NAME
    definition = artifacts_registry.GetDefinitionByName(name)
    if not definition:
      logger.warning('Missing artifact definition: {0:s}'.format(name))
      continue

    logger.debug(
        'Running Windows Registry preprocessor plugin: {0:s}'.format(name))
    try:
      plugin.Collect(mediator, definition, searcher)
    except (IOError, errors.PreProcessFail) as exception:
      # One failing plugin is logged and must not stop the remaining ones.
      logger.warning(
          ('Unable to collect value from artifact definition: {0:s} '
           'with error: {1!s}').format(name, exception))