def __init__(self, file_system, mount_point, path_attributes=None): """Initializes a Windows Registry file reader object. Args: file_system: the file system object (instance of vfs.FileSystem). mount_point: the mount point path specification (instance of path.PathSpec). path_attributes: optional dictionary of path attributes. The path attributes correspond to environment variable names that can be used in the Windows paths. E.g. the systemroot path attribute corresponds to the %SystemRoot% environment variable. At moment only the systemroot and userprofile path attributes are supported. """ super(FileSystemWinRegistryFileReader, self).__init__() self._file_system = file_system self._path_resolver = windows_path_resolver.WindowsPathResolver( file_system, mount_point) if path_attributes: for attribute_name, attribute_value in iter(path_attributes.items()): # TODO: fix the call to this class and make sure only relevant # values are passed. if attribute_name == u'systemroot': self._path_resolver.SetEnvironmentVariable( u'SystemRoot', attribute_value) elif attribute_name == u'userprofile': self._path_resolver.SetEnvironmentVariable( u'UserProfile', attribute_value)
def _CreateWindowsPathResolver(self, file_system, mount_point, environment_variables): """Create a Windows path resolver and sets the evironment variables. Args: file_system (dfvfs.FileSytem): file system. mount_point (dfvfs.PathSpec): mount point path specification. environment_variables (list[EnvironmentVariableArtifact]): environment variables. Returns: dfvfs.WindowsPathResolver: Windows path resolver. """ if environment_variables is None: environment_variables = [] path_resolver = windows_path_resolver.WindowsPathResolver( file_system, mount_point) for environment_variable in environment_variables: name = environment_variable.name.lower() if name not in (u'systemroot', u'userprofile'): continue path_resolver.SetEnvironmentVariable(environment_variable.name, environment_variable.value) return path_resolver
def _ScanFileSystem(self, scan_node, base_path_specs): """Scans a file system scan node for file systems. This method checks if the file system contains a known Windows directory. Args: scan_node (SourceScanNode): file system scan node. base_path_specs (list[PathSpec]): file system base path specifications. Raises: ScannerError: if the scan node is invalid. """ if not scan_node or not scan_node.path_spec: raise errors.ScannerError( 'Invalid or missing file system scan node.') file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec) if not file_system: return try: path_resolver = windows_path_resolver.WindowsPathResolver( file_system, scan_node.path_spec.parent) if self._ScanFileSystemForWindowsDirectory(path_resolver): base_path_specs.append(scan_node.path_spec) finally: file_system.Close()
def __init__(self, file_system, mount_point, path_attributes=None): """Initializes a Windows Registry file reader object. Args: file_system (dfvfs.FileSytem): file system. mount_point (dfvfs.PathSpec): mount point path specification. path_attributes (Optional[dict[str, str]]): path attributes e.g. {'SystemRoot': '\\Windows'} """ super(FileSystemWinRegistryFileReader, self).__init__() self._file_system = file_system self._path_resolver = windows_path_resolver.WindowsPathResolver( file_system, mount_point) if path_attributes: for attribute_name, attribute_value in iter( path_attributes.items()): # TODO: fix the call to this class and make sure only relevant # values are passed. if attribute_name == u'systemroot': self._path_resolver.SetEnvironmentVariable( u'SystemRoot', attribute_value) elif attribute_name == u'userprofile': self._path_resolver.SetEnvironmentVariable( u'UserProfile', attribute_value)
def _CreateTestEventMessageStringExtractor(self): """Creates an event message string extractor for testing. Returns: EventMessageStringExtractor: an event message string extractor. """ file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() test_file_path = self._GetTestFilePath(['SOFTWARE']) file_system_builder.AddFileReadData( '/Windows/System32/config/SOFTWARE', test_file_path) test_file_path = self._GetTestFilePath(['SYSTEM']) file_system_builder.AddFileReadData( '/Windows/System32/config/SYSTEM', test_file_path) mount_point = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_FAKE, location='/') extractor_object = extractor.EventMessageStringExtractor() extractor_object._file_system = file_system_builder.file_system extractor_object._path_resolver = ( windows_path_resolver.WindowsPathResolver( file_system_builder.file_system, mount_point)) extractor_object._windows_directory = 'C:\\Windows' extractor_object._path_resolver.SetEnvironmentVariable( 'SystemRoot', extractor_object._windows_directory) extractor_object._path_resolver.SetEnvironmentVariable( 'WinDir', extractor_object._windows_directory) return extractor_object
def testResolvePathWithEnvironmentVariable(self): """Test the resolve path function with environment variable expansion.""" path_resolver = windows_path_resolver.WindowsPathResolver( self._tsk_file_system, self._qcow_path_spec) path_resolver.SetEnvironmentVariable( u'SystemRoot', u'C:\\System Volume Information') expected_path = ( u'/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}') windows_path = u'%SystemRoot%\\{3808876b-c176-4e48-b7ae-04046e6cc752}' path_spec = path_resolver.ResolvePath(windows_path) self.assertNotEqual(path_spec, None) self.assertEqual(path_spec.location, expected_path) expected_windows_path = ( u'C:\\System Volume Information' u'\\{3808876b-c176-4e48-b7ae-04046e6cc752}') test_windows_path = path_resolver.GetWindowsPath(path_spec) self.assertEqual(test_windows_path, expected_windows_path) windows_path = u'%WinDir%\\{3808876b-c176-4e48-b7ae-04046e6cc752}' path_spec = path_resolver.ResolvePath(windows_path) self.assertEqual(path_spec, None)
def testResolvePathWithEnvironmentVariable(self): """Test the resolve path function with environment variable expansion.""" path_resolver = windows_path_resolver.WindowsPathResolver( self._tsk_file_system, self._qcow_path_spec) path_resolver.SetEnvironmentVariable(u'SystemRoot', u'C:\\System Volume Information') expected_path = ( u'/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}' ) windows_path = u'%SystemRoot%\\{3808876b-c176-4e48-b7ae-04046e6cc752}' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) expected_windows_path = (u'C:\\System Volume Information' u'\\{3808876b-c176-4e48-b7ae-04046e6cc752}') test_windows_path = path_resolver.GetWindowsPath(path_spec) self.assertEqual(test_windows_path, expected_windows_path) windows_path = u'%WinDir%\\{3808876b-c176-4e48-b7ae-04046e6cc752}' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) # Test resolving multi path segment environment variables. path_resolver = windows_path_resolver.WindowsPathResolver( self._os_file_system, self._os_path_spec) expected_path = self._GetTestFilePath( [u'testdir_os', u'subdir1', u'file6.txt']) path_resolver.SetEnvironmentVariable(u'Test', u'C:\\testdir_os\\subdir1') windows_path = u'%Test%\\file6.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path)
def ScanForWindowsVolume(self, source_path, options=None): """Scans for a Windows volume. Args: source_path (str): source path. options (Optional[VolumeScannerOptions]): volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class. Returns: bool: True if a Windows volume was found. Raises: ScannerError: if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported. """ windows_path_specs = self.GetBasePathSpecs(source_path, options=options) if (not windows_path_specs or self._source_type == definitions.SOURCE_TYPE_FILE): return False file_system_path_spec = windows_path_specs[0] self._file_system = resolver.Resolver.OpenFileSystem(file_system_path_spec) if file_system_path_spec.type_indicator == definitions.TYPE_INDICATOR_OS: mount_point = file_system_path_spec else: mount_point = file_system_path_spec.parent self._path_resolver = windows_path_resolver.WindowsPathResolver( self._file_system, mount_point) # The source is a directory or single volume storage media image. if not self._windows_directory: self._ScanFileSystemForWindowsDirectory(self._path_resolver) if not self._windows_directory: return False self._path_resolver.SetEnvironmentVariable( 'SystemRoot', self._windows_directory) self._path_resolver.SetEnvironmentVariable( 'WinDir', self._windows_directory) return True
def testResolvePathDirectory(self): """Test the resolve path function on a mount point directory.""" path_resolver = windows_path_resolver.WindowsPathResolver( self._os_file_system, self._os_path_spec) expected_path = self._GetTestFilePath(['testdir_os', 'file1.txt']) windows_path = 'C:\\testdir_os\\file1.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) test_windows_path = path_resolver.GetWindowsPath(path_spec) self.assertEqual(test_windows_path, windows_path) windows_path = 'C:\\testdir_os\\file6.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec)
def ScanForWindowsVolume(self, source_path): """Scans for a Windows volume. Args: source_path: a string containing the source path. Returns: A boolean value indicating if a Windows volume was found. Raises: ScannerError: if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported. """ windows_path_specs = self.GetBasePathSpecs(source_path) if (not windows_path_specs or self._source_type == definitions.SOURCE_TYPE_FILE): return False file_system_path_spec = windows_path_specs[0] self._file_system = resolver.Resolver.OpenFileSystem( file_system_path_spec) if file_system_path_spec.type_indicator == definitions.TYPE_INDICATOR_OS: mount_point = file_system_path_spec else: mount_point = file_system_path_spec.parent self._path_resolver = windows_path_resolver.WindowsPathResolver( self._file_system, mount_point) # The source is a directory or single volume storage media image. if not self._windows_directory: self._ScanFileSystemForWindowsDirectory(self._path_resolver) if not self._windows_directory: return False self._path_resolver.SetEnvironmentVariable(u'SystemRoot', self._windows_directory) self._path_resolver.SetEnvironmentVariable(u'WinDir', self._windows_directory) return True
def testExtractEventLogMessageStrings(self): """Tests the ExtractEventLogMessageStrings function.""" file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() test_file_path = self._GetTestFilePath([u'SOFTWARE']) file_system_builder.AddFileReadData( u'/Windows/System32/config/SOFTWARE', test_file_path) test_file_path = self._GetTestFilePath([u'SYSTEM']) file_system_builder.AddFileReadData( u'/Windows/System32/config/SYSTEM', test_file_path) mount_point = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') extractor_object = extractor.EventMessageStringExtractor() extractor_object._file_system = file_system_builder.file_system extractor_object._path_resolver = ( windows_path_resolver.WindowsPathResolver( file_system_builder.file_system, mount_point)) extractor_object._windows_directory = u'C:\\Windows' extractor_object._path_resolver.SetEnvironmentVariable( u'SystemRoot', extractor_object._windows_directory) extractor_object._path_resolver.SetEnvironmentVariable( u'WinDir', extractor_object._windows_directory) system_root = extractor_object._GetSystemRoot() self.assertEqual(system_root, u'C:\\WINDOWS') event_log_providers = list(extractor_object._GetEventLogProviders()) self.assertEqual(len(event_log_providers), 258) event_log_providers = list( extractor_object._GetEventLogProviders(all_control_sets=True)) self.assertEqual(len(event_log_providers), 516) output_writer = TestOutputWriter() extractor_object.ExtractEventLogMessageStrings(output_writer) self.assertEqual(len(output_writer.event_log_providers), 258) self.assertEqual(len(output_writer.message_files), 0)
def testResolvePathDirectory(self): """Test the resolve path function on a mount point directory.""" path_resolver = windows_path_resolver.WindowsPathResolver( self._os_file_system, self._os_path_spec) expected_path = os.path.join( os.getcwd(), u'test_data', u'testdir_os', u'file1.txt') windows_path = u'C:\\testdir_os\\file1.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertNotEqual(path_spec, None) self.assertEqual(path_spec.location, expected_path) test_windows_path = path_resolver.GetWindowsPath(path_spec) self.assertEqual(test_windows_path, windows_path) windows_path = u'C:\\testdir_os\\file6.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertEqual(path_spec, None)
def testResolvePathImage(self): """Test the resolve path function on a storage media image.""" path_resolver = windows_path_resolver.WindowsPathResolver( self._tsk_file_system, self._qcow_path_spec) expected_path = ( '/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}' ) windows_path = ('C:\\System Volume Information' '\\{3808876b-c176-4e48-b7ae-04046e6cc752}') path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) test_windows_path = path_resolver.GetWindowsPath(path_spec) self.assertEqual(test_windows_path, windows_path) windows_path = ('\\\\?\\C:\\System Volume Information' '\\{3808876b-c176-4e48-b7ae-04046e6cc752}') path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) windows_path = ('\\\\.\\C:\\System Volume Information' '\\{3808876b-c176-4e48-b7ae-04046e6cc752}') path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) expected_path = '/syslog.gz' windows_path = '\\SYSLOG.GZ' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) windows_path = 'C:\\..\\SYSLOG.GZ' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) expected_path = '/' windows_path = '\\' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNotNone(path_spec) self.assertEqual(path_spec.location, expected_path) windows_path = 'S' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '\\\\?\\' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '\\\\.\\' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '\\\\?\\UNC\\server\\share\\directory\\file.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '\\\\server\\share\\directory\\file.txt' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = 'SYSLOG.GZ' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '.\\SYSLOG.GZ' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec) windows_path = '..\\SYSLOG.GZ' path_spec = path_resolver.ResolvePath(windows_path) self.assertIsNone(path_spec)
def _GetRegistryHelperFromPath(self, path, codepage): """Return a Registry helper object from a path. Given a path to a Registry file this function goes through all the discovered source path specifications (instance of PathSpec) and extracts Registry helper objects based on the supplied path. Args: path: the path filter to a Registry file. codepage: the codepage used for the Registry file. Yields: A Registry helper object (instance of PregRegistryHelper). """ # TODO: deprecate usage of pre_obj. path_attributes = self.knowledge_base_object.pre_obj.__dict__ for source_path_spec in self._source_path_specs: if source_path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS: file_entry = path_spec_resolver.Resolver.OpenFileEntry( source_path_spec) if file_entry.IsFile(): yield PregRegistryHelper(file_entry, u'OS', self.knowledge_base_object, codepage=codepage) continue # TODO: Change this into an actual mount point path spec. self._mount_path_spec = source_path_spec collector_name = source_path_spec.type_indicator parent_path_spec = getattr(source_path_spec, u'parent', None) if parent_path_spec and parent_path_spec.type_indicator == ( dfvfs_definitions.TYPE_INDICATOR_VSHADOW): vss_store = getattr(parent_path_spec, u'store_index', 0) collector_name = u'VSS Store: {0:d}'.format(vss_store) file_system, mount_point = self._GetSourceFileSystem( source_path_spec) try: path_resolver = windows_path_resolver.WindowsPathResolver( file_system, mount_point) if path.startswith(u'%UserProfile%\\'): searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) user_profiles = [] # TODO: determine the users path properly instead of relying on # common defaults. Note that these paths are language dependent. for user_path in (u'/Documents and Settings/.+', u'/Users/.+'): find_spec = file_system_searcher.FindSpec( location_regex=user_path, case_sensitive=False) for path_spec in searcher.Find(find_specs=[find_spec]): location = getattr(path_spec, u'location', None) if location: if location.startswith(u'/'): location = u'\\'.join(location.split(u'/')) user_profiles.append(location) for user_profile in user_profiles: path_resolver.SetEnvironmentVariable( u'UserProfile', user_profile) path_spec = path_resolver.ResolvePath(path) if not path_spec: continue file_entry = file_system.GetFileEntryByPathSpec( path_spec) if not file_entry: continue yield PregRegistryHelper(file_entry, collector_name, self.knowledge_base_object, codepage=codepage) else: path_attribute_value = path_attributes.get( u'systemroot', None) if path_attribute_value: path_resolver.SetEnvironmentVariable( u'SystemRoot', path_attribute_value) path_spec = path_resolver.ResolvePath(path) if not path_spec: continue file_entry = file_system.GetFileEntryByPathSpec(path_spec) if not file_entry: continue yield PregRegistryHelper(file_entry, collector_name, self.knowledge_base_object, codepage=codepage) finally: file_system.Close()
def ScanForOperatingSystemVolumes(self, source_path, options=None): """Scans for volumes containing an operating system. Args: source_path (str): source path. options (Optional[dfvfs.VolumeScannerOptions]): volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class. Returns: bool: True if a volume with an operating system was found. Raises: ScannerError: if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported. """ if not options: options = dfvfs_volume_scanner.VolumeScannerOptions() scan_context = self._ScanSource(source_path) self._source_path = source_path self._source_type = scan_context.source_type base_path_specs = self._GetBasePathSpecs(scan_context, options) if (not base_path_specs or scan_context.source_type == dfvfs_definitions.SOURCE_TYPE_FILE): return False for path_spec in base_path_specs: file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec) if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS: mount_point = path_spec else: mount_point = path_spec.parent file_system_searcher = dfvfs_file_system_searcher.FileSystemSearcher( file_system, mount_point) system_directories = [] for system_directory_path_spec in file_system_searcher.Find( find_specs=self._SYSTEM_DIRECTORY_FIND_SPECS): relative_path = file_system_searcher.GetRelativePath( system_directory_path_spec) if relative_path: system_directories.append(relative_path.lower()) if system_directories or len(base_path_specs) == 1: self._file_system_searcher = file_system_searcher self._file_system = file_system self._mount_point = mount_point if self._WINDOWS_SYSTEM_DIRECTORIES.intersection( set(system_directories)): path_resolver = dfvfs_windows_path_resolver.WindowsPathResolver( file_system, mount_point) # TODO: determine Windows directory based on system directories. windows_directory = None for windows_path in self._WINDOWS_DIRECTORIES: windows_path_spec = path_resolver.ResolvePath(windows_path) if windows_path_spec is not None: windows_directory = windows_path break if windows_directory: path_resolver.SetEnvironmentVariable( 'SystemRoot', windows_directory) path_resolver.SetEnvironmentVariable( 'WinDir', windows_directory) registry_file_reader = ( windows_registry. StorageMediaImageWindowsRegistryFileReader( file_system, path_resolver)) winregistry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) collector = (environment_variables. WindowsEnvironmentVariablesCollector()) self._environment_variables = list( collector.Collect(winregistry)) self._path_resolver = path_resolver self._windows_directory = windows_directory self._windows_registry = winregistry if system_directories: # TODO: on Mac OS prevent detecting the Recovery volume. break self._filter_generator = ( artifact_filters.ArtifactDefinitionFiltersGenerator( self._artifacts_registry, self._environment_variables, [])) return True