def testParseOnCorruptFile(self): """Tests the Parse function on a corrupt bodyfile.""" parser = mactime.MactimeParser() storage_writer = self._ParseFile(['corrupt.body'], parser) self.assertEqual(storage_writer.number_of_events, 10) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 1) events = list(storage_writer.GetSortedEvents()) # Event extracted from line with unescaped \r character. expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2012-05-25 16:00:53', 'filename': '/passwords\r.txt', 'inode': 15, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[3], expected_event_values) # Event extracted from line with unescaped \\ character. expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2019-03-19 04:37:22', 'filename': '/Windows\\System32', 'inode': 75520, 'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION } self.CheckEventValues(storage_writer, events[6], expected_event_values)
def testParse(self): """Tests the Parse function.""" parser = mactime.MactimeParser() storage_writer = self._ParseFile(['mactime.body'], parser) # The file contains 13 lines x 4 timestamps per line, which should be # 52 events in total. However several of these events have an empty # timestamp value and are omitted. # Total entries: 11 * 3 + 2 * 4 = 41 self.assertEqual(storage_writer.number_of_events, 41) # The order in which DSVParser generates events is nondeterministic # hence we sort the events. events = list(storage_writer.GetSortedEvents()) # Test this entry: # 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583| # 1337961584|1337961585|0 event = events[21] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-05-25 15:59:43') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_ACCESS) self.assertEqual(event.inode, 16) event = events[22] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-05-25 15:59:44') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) event = events[23] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-05-25 15:59:45') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_CHANGE) expected_filename = '/a_directory/another_file' self.assertEqual(event.filename, expected_filename) self.assertEqual(event.mode_as_string, 'r/rrw-------') self._TestGetMessageStrings(event, expected_filename, expected_filename)
def testParse(self): """Tests the Parse function.""" parser_object = mactime.MactimeParser() test_file = self._GetTestFilePath([u'mactime.body']) event_queue_consumer = self._ParseFile(parser_object, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The file contains 13 lines x 4 timestamps per line, which should be # 52 events in total. However several of these events have an empty # timestamp value and are omitted. # Total entries: 11 * 3 + 2 * 4 = 41 self.assertEqual(len(event_objects), 41) # Test this entry: # 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583| # 1337961584|1337961585|0 event_object = event_objects[21] expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-05-25 15:59:43') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual( event_object.timestamp_desc, eventdata.EventTimestamp.ACCESS_TIME) self.assertEqual(event_object.inode, 16) expected_string = u'/a_directory/another_file' self._TestGetMessageStrings(event_object, expected_string, expected_string) event_object = event_objects[22] expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-05-25 15:59:44') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual( event_object.timestamp_desc, eventdata.EventTimestamp.MODIFICATION_TIME) event_object = event_objects[23] expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-05-25 15:59:45') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual( event_object.timestamp_desc, eventdata.EventTimestamp.CHANGE_TIME) self.assertEqual(event_object.filename, u'/a_directory/another_file') self.assertEqual(event_object.mode_as_string, u'r/rrw-------')
def testParse(self): """Tests the Parse function.""" parser = mactime.MactimeParser() storage_writer = self._ParseFile(['mactime.body'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 67) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetSortedEvents()) # Test this entry: # 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583| # 1337961584|1337961585|0 expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2012-05-25 15:59:43', 'inode': 16, 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS } self.CheckEventValues(storage_writer, events[25], expected_event_values) expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2012-05-25 15:59:44', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[26], expected_event_values) expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2012-05-25 15:59:45', 'filename': '/a_directory/another_file', 'mode_as_string': 'r/rrw-------', 'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE } self.CheckEventValues(storage_writer, events[27], expected_event_values) expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2012-05-25 16:17:43', 'filename': '/passwordz\r.txt', 'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE } self.CheckEventValues(storage_writer, events[38], expected_event_values) expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2020-07-30 06:41:05.354067456', 'filename': '/file|with|pipes', 'mode_as_string': 'r/rrwxrwxrwx', 'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE } self.CheckEventValues(storage_writer, events[55], expected_event_values) expected_event_values = { 'data_type': 'fs:mactime:line', 'date_time': '2020-08-19 18:48:01', 'filename': '/file_symboliclink1', 'mode_as_string': 'l/lrwxrwxrwx', 'symbolic_link_target': '/mnt/ext/testdir1/testfile1', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[64], expected_event_values)
def setUp(self): """Makes preparations before running an individual test.""" self._parser = mactime.MactimeParser()
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() self._parser = mactime.MactimeParser(pre_obj, None)
def testParse(self): """Tests the Parse function.""" parser = mactime.MactimeParser() storage_writer = self._ParseFile(['mactime.body'], parser) # The file contains 17 lines x 4 timestamps per line, which should be # 68 events in total. However several of these events have an empty # timestamp value and are omitted. # Total entries: ( 11 * 3 ) + ( 6 * 4 ) = 41 self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 60) # The order in which DSVParser generates events is nondeterministic # hence we sort the events. events = list(storage_writer.GetSortedEvents()) # Test this entry: # 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583| # 1337961584|1337961585|0 expected_event_values = { 'inode': 16, 'timestamp': '2012-05-25 15:59:43.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS } self.CheckEventValues(storage_writer, events[21], expected_event_values) expected_event_values = { 'timestamp': '2012-05-25 15:59:44.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[22], expected_event_values) expected_filename = '/a_directory/another_file' expected_event_values = { 'filename': expected_filename, 'mode_as_string': 'r/rrw-------', 'timestamp': '2012-05-25 15:59:45.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE } self.CheckEventValues(storage_writer, events[23], expected_event_values) event_data = self._GetEventDataOfEvent(storage_writer, events[23]) self._TestGetMessageStrings(event_data, expected_filename, expected_filename) expected_filename = '/file|with|pipes' expected_event_values = { 'filename': expected_filename, 'mode_as_string': 'r/rrwxrwxrwx', 'timestamp': '2020-07-30 06:41:05.354067', 'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE } self.CheckEventValues(storage_writer, events[48], expected_event_values) event_data = self._GetEventDataOfEvent(storage_writer, events[48]) self._TestGetMessageStrings(event_data, expected_filename, expected_filename) expected_event_values = { 'filename': '/file_symboliclink1', 'mode_as_string': 'l/lrwxrwxrwx', 'symbolic_link_target': '/mnt/ext/testdir1/testfile1', 'timestamp': '2020-08-19 18:48:01.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[57], expected_event_values)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = mactime.MactimeParser()
def testParse(self): """Tests the Parse function.""" parser = mactime.MactimeParser() storage_writer = self._ParseFile(['mactime.body'], parser) # The file contains 17 lines x 4 timestamps per line, which should be # 68 events in total. However several of these events have an empty # timestamp value and are omitted. # Total entries: ( 11 * 3 ) + ( 6 * 4 ) = 41 self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 57) # The order in which DSVParser generates events is nondeterministic # hence we sort the events. events = list(storage_writer.GetSortedEvents()) # Test this entry: # 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583| # 1337961584|1337961585|0 event = events[21] self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:43.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_ACCESS) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.inode, 16) event = events[22] self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:44.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) event = events[23] self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:45.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_CHANGE) event_data = self._GetEventDataOfEvent(storage_writer, event) expected_filename = '/a_directory/another_file' self.assertEqual(event_data.filename, expected_filename) self.assertEqual(event_data.mode_as_string, 'r/rrw-------') self._TestGetMessageStrings(event_data, expected_filename, expected_filename) event = events[48] self.CheckTimestamp(event.timestamp, '2020-07-30 06:41:05.354067') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_CHANGE) event_data = self._GetEventDataOfEvent(storage_writer, event) expected_filename = '/file|with|pipes' self.assertEqual(event_data.filename, expected_filename) self.assertEqual(event_data.mode_as_string, 'r/rrwxrwxrwx') self._TestGetMessageStrings(event_data, expected_filename, expected_filename)