def __init__(self, parser_filter_expression=None):
    """Sets up an event extraction worker in its idle state.

    Args:
        parser_filter_expression (Optional[str]): parser filter expression,
            where None represents all parsers and plugins.

            The expression is a comma separated value string that denotes a
            list of parser names to include and/or exclude. Each entry can
            be:

            * an exact match of a list of parsers, or a preset (see
              plaso/parsers/presets.py for a full list of available
              presets);
            * the name of a single parser (case insensitive), e.g. msiecf;
            * a glob name for a single parser, e.g. '*msie*' (case
              insensitive).
    """
    super(EventExtractionWorker, self).__init__()

    # Worker control state.
    self._abort = False
    self._analyzers = []

    # The filter expression is handed to the extractor unchanged; this
    # constructor performs no validation of its own.
    event_extractor = extractors.EventExtractor(
        parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor

    # Extraction options start unset (None); nothing in this constructor
    # assigns them a value.
    self._hasher_file_size_limit = None
    self._path_spec_extractor = extractors.PathSpecExtractor()
    self._process_archives = None
    self._process_compressed_streams = None
    self._processing_profiler = None

    # Publicly readable progress indicators.
    self.last_activity_timestamp = 0.0
    self.processing_status = definitions.PROCESSING_STATUS_IDLE
def __init__(self, parser_filter_expression=None):
    """Sets up an event extraction worker in its idle state.

    Args:
        parser_filter_expression (Optional[str]): parser filter expression,
            where None represents all parsers and plugins.

            A parser filter expression is a comma separated value string
            that denotes which parsers and plugins should be used. See
            filters/parser_filter.py for details of the expression syntax.

            This function does not support presets, and requires a parser
            filter expression where presets have been expanded.
    """
    super(EventExtractionWorker, self).__init__()

    # Worker control state and profiler slot for the analyzers.
    self._abort = False
    self._analyzers = []
    self._analyzers_profiler = None

    # The (already preset-expanded) expression is forwarded as-is; no
    # validation of it happens in this constructor.
    event_extractor = extractors.EventExtractor(
        parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor

    # Extraction options start unset (None); nothing in this constructor
    # assigns them a value.
    self._hasher_file_size_limit = None
    self._path_spec_extractor = extractors.PathSpecExtractor()
    self._process_archives = None
    self._process_compressed_streams = None
    self._processing_profiler = None

    # Publicly readable progress indicators.
    self.last_activity_timestamp = 0.0
    self.processing_status = definitions.STATUS_INDICATOR_IDLE
def testParseDataStream(self):
    """Tests the ParseDataStream function.

    Runs the recycle_bin_info2 parser over the INFO2 test file and checks
    the number of events and warnings written to the storage writer.
    """
    info2_path = self._GetTestFilePath(['INFO2'])
    self._SkipIfPathNotExists(info2_path)

    # Restrict the extractor to a single parser so the counts below are
    # attributable to that parser alone.
    extractor = extractors.EventExtractor(
        parser_filter_expression='recycle_bin_info2')

    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=info2_path)
    info2_entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)

    writer = self._CreateStorageWriter()
    mediator = self._CreateParserMediator(writer, file_entry=info2_entry)

    # NOTE(review): '' presumably names the default data stream - confirm.
    extractor.ParseDataStream(mediator, info2_entry, '')

    # Expected attribute container counts, checked in this order: a clean
    # parse produces events and neither kind of warning.
    expected_counts = (
        ('event', 4),
        ('extraction_warning', 0),
        ('recovery_warning', 0),
    )
    for container_type, expected_number in expected_counts:
        number_of_containers = writer.GetNumberOfAttributeContainers(
            container_type)
        self.assertEqual(number_of_containers, expected_number)
def InitializeParserObjects(self, parser_filter_expression=None):
    """Initializes the parser objects.

    Replaces the worker's event extractor with one built from the resolver
    context and the given parser filter expression.

    Args:
        parser_filter_expression (Optional[str]): parser filter expression,
            where None represents all parsers and plugins.

            The expression is a comma separated value string that denotes a
            list of parser names to include and/or exclude. Each entry can
            be:

            * an exact match of a list of parsers, or a preset (see
              plaso/frontend/presets.py for a full list of available
              presets);
            * the name of a single parser (case insensitive), e.g. msiecf;
            * a glob name for a single parser, e.g. '*msie*' (case
              insensitive).
    """
    # The expression is forwarded unchanged; no validation happens here.
    event_extractor = extractors.EventExtractor(
        self._resolver_context,
        parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor
def testParseDataStreamWithForceParser(self):
    """Tests the ParseDataStream function with force parser.

    Forces the usnjrnl parser onto the UsnJrnl.raw test file and checks
    that the outcome is recorded as a single extraction warning with no
    events.
    """
    journal_path = self._GetTestFilePath(['UsnJrnl.raw'])
    self._SkipIfPathNotExists(journal_path)

    extractor = extractors.EventExtractor(
        force_parser=True, parser_filter_expression='usnjrnl')

    os_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=journal_path)
    journal_entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)

    writer = self._CreateStorageWriter()
    mediator = self._CreateParserMediator(
        writer, file_entry=journal_entry)

    # NOTE(review): '' presumably names the default data stream - confirm.
    extractor.ParseDataStream(mediator, journal_entry, '')

    # The forced parse is expected to surface as exactly one extraction
    # warning rather than as events or a recovery warning.
    self.assertEqual(writer.number_of_events, 0)
    self.assertEqual(writer.number_of_extraction_warnings, 1)
    self.assertEqual(writer.number_of_recovery_warnings, 0)
def __init__(
        self, resolver_context, parser_filter_expression=None,
        process_archives=False, process_compressed_streams=True):
    """Initializes the event extraction worker object.

    Args:
        resolver_context (dfvfs.Context): resolver context.
        parser_filter_expression (Optional[str]): parser filter expression.
            None represents all parsers and plugins.

            The expression is a comma separated value string that denotes a
            list of parser names to include and/or exclude. Each entry can
            be:

            * an exact match of a list of parsers, or a preset (see
              plaso/frontend/presets.py for a full list of available
              presets);
            * the name of a single parser (case insensitive), e.g. msiecf;
            * a glob name for a single parser, e.g. '*msie*' (case
              insensitive).
        process_archives (Optional[bool]): True if the worker should scan
            for file entries inside archive files.
        process_compressed_streams (Optional[bool]): True if file content
            in compressed streams should be processed.
    """
    super(EventExtractionWorker, self).__init__()

    # Worker control state.
    self._abort = False
    self._analyzers = []

    # The filter expression is forwarded unchanged; no validation of it
    # happens in this constructor.
    event_extractor = extractors.EventExtractor(
        resolver_context,
        parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor

    # Keep the resolver context and the caller's extraction options. By
    # default archives are not scanned and compressed streams are
    # processed.
    self._resolver_context = resolver_context
    self._process_archives = process_archives
    self._process_compressed_streams = process_compressed_streams
    self._hasher_names = None
    self._processing_profiler = None

    # Publicly readable progress indicators.
    self.last_activity_timestamp = 0.0
    self.processing_status = definitions.PROCESSING_STATUS_IDLE