def testProcess(self):
"""Tests the Process function on a Chrome extension activity database."""
test_file = self._GetTestFilePath([u'Extension Activity'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 56)
event_object = event_objects[0]
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.UNKNOWN)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2014-11-25 21:08:23.698737')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_extension_id = u'ognampngfcbddbfemdapefohjiobgbdl'
self.assertEqual(event_object.extension_id, expected_extension_id)
self.assertEqual(event_object.action_type, 1)
self.assertEqual(event_object.activity_id, 48)
self.assertEqual(event_object.api_name, u'browserAction.onClicked')
expected_msg = (u'Chrome extension: ognampngfcbddbfemdapefohjiobgbdl '
u'Action type: 1 '
u'Activity identifier: 48 '
u'API name: browserAction.onClicked')
expected_short = (
u'ognampngfcbddbfemdapefohjiobgbdl browserAction.onClicked')
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox History database file v 25."""
plugin_object = firefox.FirefoxHistoryPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
[u'places_new.sqlite'], plugin_object, cache=cache)
# The places.sqlite file contains 84 events:
# 34 page visits.
# 28 bookmarks
# 14 bookmark folders
# 8 annotations
self.assertEqual(len(storage_writer.events), 84)
counter = collections.Counter()
for event_object in storage_writer.events:
counter[event_object.data_type] += 1
self.assertEqual(counter[u'firefox:places:bookmark'], 28)
self.assertEqual(counter[u'firefox:places:page_visited'], 34)
self.assertEqual(counter[u'firefox:places:bookmark_folder'], 14)
self.assertEqual(counter[u'firefox:places:bookmark_annotation'], 8)
random_event = storage_writer.events[10]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-10-30 21:57:11.281942')
self.assertEqual(random_event.timestamp, expected_timestamp)
expected_short = u'URL: http://code.google.com/p/plaso'
expected_msg = (
u'http://code.google.com/p/plaso [count: 1] Host: code.google.com '
u'(URL not typed directly) Transition: TYPED')
self._TestGetMessageStrings(random_event, expected_msg, expected_short)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox History database file v 25."""
test_file = self._GetTestFilePath(['places_new.sqlite'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The places.sqlite file contains 84 events:
# 34 page visits.
# 28 bookmarks
# 14 bookmark folders
# 8 annotations
self.assertEquals(len(event_objects), 84)
counter = collections.Counter()
for event_object in event_objects:
counter[event_object.data_type] += 1
self.assertEquals(counter['firefox:places:bookmark'], 28)
self.assertEquals(counter['firefox:places:page_visited'], 34)
self.assertEquals(counter['firefox:places:bookmark_folder'], 14)
self.assertEquals(counter['firefox:places:bookmark_annotation'], 8)
random_event = event_objects[10]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-10-30 21:57:11.281942')
self.assertEquals(random_event.timestamp, expected_timestamp)
expected_short = u'URL: http://code.google.com/p/plaso'
expected_msg = (
u'http://code.google.com/p/plaso [count: 1] Host: code.google.com '
u'(URL not typed directly) Transition: TYPED')
self._TestGetMessageStrings(random_event, expected_msg, expected_short)
def testProcess(self):
"""Tests the Process function on a Chrome History database file."""
plugin_object = chrome.ChromeHistoryPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
[u'History'], plugin_object, cache=cache)
# The History file contains 71 events (69 page visits, 1 file downloads).
self.assertEqual(len(storage_writer.events), 71)
# Check the first page visited entry.
event_object = storage_writer.events[0]
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.PAGE_VISITED)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-04-07 12:03:11')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_url = u'http://start.ubuntu.com/10.04/Google/'
self.assertEqual(event_object.url, expected_url)
expected_title = u'Ubuntu Start Page'
self.assertEqual(event_object.title, expected_title)
expected_msg = (
u'{0:s} ({1:s}) [count: 0] Host: start.ubuntu.com '
u'Visit Source: [SOURCE_FIREFOX_IMPORTED] Type: [LINK - User clicked '
u'a link] (URL not typed directly - no typed count)').format(
expected_url, expected_title)
expected_short = u'{0:s} ({1:s})'.format(expected_url, expected_title)
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
# Check the first file downloaded entry.
event_object = storage_writer.events[69]
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.FILE_DOWNLOADED)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-05-23 08:35:30')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_url = (
u'http://fatloss4idiotsx.com/download/funcats/'
u'funcats_scr.exe')
self.assertEqual(event_object.url, expected_url)
expected_full_path = u'/home/john/Downloads/funcats_scr.exe'
self.assertEqual(event_object.full_path, expected_full_path)
expected_msg = (
u'{0:s} ({1:s}). '
u'Received: 1132155 bytes out of: '
u'1132155 bytes.').format(expected_url, expected_full_path)
expected_short = u'{0:s} downloaded (1132155 bytes)'.format(
expected_full_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self):
"""Tests the Process function on a Chrome extension activity database."""
plugin_object = chrome_extension_activity.ChromeExtensionActivityPlugin(
)
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
[u'Extension Activity'], plugin_object, cache=cache)
self.assertEqual(len(storage_writer.events), 56)
event_object = storage_writer.events[0]
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.UNKNOWN)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2014-11-25 21:08:23.698737')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_extension_id = u'ognampngfcbddbfemdapefohjiobgbdl'
self.assertEqual(event_object.extension_id, expected_extension_id)
self.assertEqual(event_object.action_type, 1)
self.assertEqual(event_object.activity_id, 48)
self.assertEqual(event_object.api_name, u'browserAction.onClicked')
expected_msg = (u'Chrome extension: ognampngfcbddbfemdapefohjiobgbdl '
u'Action type: API event callback (type 1) '
u'Activity identifier: 48 '
u'API name: browserAction.onClicked')
expected_short = (
u'ognampngfcbddbfemdapefohjiobgbdl browserAction.onClicked')
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox Downloads database file."""
test_file = self._GetTestFilePath(['downloads.sqlite'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The downloads.sqlite file contains 2 events (1 download).
self.assertEquals(len(event_objects), 2)
# Check the first page visited event.
event_object = event_objects[0]
self.assertEquals(event_object.data_type, 'firefox:downloads:download')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.START_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2013-07-18 18:59:59.312000+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = (u'https://plaso.googlecode.com/files/'
u'plaso-static-1.0.1-win32-vs2008.zip')
self.assertEquals(event_object.url, expected_url)
expected_full_path = u'file:///D:/plaso-static-1.0.1-win32-vs2008.zip'
self.assertEquals(event_object.full_path, expected_full_path)
self.assertEquals(event_object.received_bytes, 15974599)
self.assertEquals(event_object.total_bytes, 15974599)
def testProcessWithWAL(self):
"""Tests the Process function on a database with WAL file."""
plugin_object = TestSQLitePlugin()
cache = sqlite.SQLiteCache()
wal_file = self._GetTestFilePath([u'wal_database.db-wal'])
self._ParseDatabaseFileWithPlugin([u'wal_database.db'],
plugin_object,
cache=cache,
wal_path=wal_file)
expected_results = [((u'Committed Text 1', 1, b'None'), False),
((u'Committed Text 2', 2, b'None'), False),
((u'Deleted Text 1', 3, b'None'), False),
((u'Committed Text 3', 4, b'None'), False),
((u'Committed Text 4', 5, b'None'), False),
((u'Deleted Text 2', 6, b'None'), False),
((u'Committed Text 5', 7, b'None'), False),
((u'Committed Text 6', 8, b'None'), False),
((u'Committed Text 7', 9, b'None'), False),
((u'Unhashable Row 1', 10,
b'Binary Text!\x01\x02\x03'), False),
((u'Modified Committed Text 3', 4, b'None'), True),
((u'Unhashable Row 2', 11,
b'More Binary Text!\x01\x02\x03'), True),
((u'New Text 1', 12, b'None'), True),
((u'New Text 2', 13, b'None'), True)]
self.assertEqual(expected_results, plugin_object.results)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox Downloads database file."""
plugin_object = firefox.FirefoxDownloadsPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
[u'downloads.sqlite'], plugin_object, cache=cache)
# The downloads.sqlite file contains 2 events (1 download).
self.assertEqual(len(storage_writer.events), 2)
# Check the first page visited event.
event_object = storage_writer.events[0]
self.assertEqual(event_object.data_type, u'firefox:downloads:download')
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.START_TIME)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-07-18 18:59:59.312000')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_url = (
u'https://plaso.googlecode.com/files/'
u'plaso-static-1.0.1-win32-vs2008.zip')
self.assertEqual(event_object.url, expected_url)
expected_full_path = u'file:///D:/plaso-static-1.0.1-win32-vs2008.zip'
self.assertEqual(event_object.full_path, expected_full_path)
self.assertEqual(event_object.received_bytes, 15974599)
self.assertEqual(event_object.total_bytes, 15974599)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox Downloads database file."""
plugin = firefox.FirefoxDownloadsPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
['downloads.sqlite'], plugin, cache=cache)
# The downloads.sqlite file contains 2 events (1 download).
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
# Check the first page visited event.
event = events[0]
self.assertEqual(event.data_type, 'firefox:downloads:download')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_START)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2013-07-18 18:59:59.312000')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = ('https://plaso.googlecode.com/files/'
'plaso-static-1.0.1-win32-vs2008.zip')
self.assertEqual(event.url, expected_url)
expected_full_path = 'file:///D:/plaso-static-1.0.1-win32-vs2008.zip'
self.assertEqual(event.full_path, expected_full_path)
self.assertEqual(event.received_bytes, 15974599)
self.assertEqual(event.total_bytes, 15974599)
def _ParseDatabaseFileWithPlugin(self,
path_segments,
plugin,
knowledge_base_values=None,
wal_path_segments=None):
"""Parses a file as a SQLite database with a specific plugin.
This method will first test if a SQLite database contains the required
tables and columns using plugin.CheckRequiredTablesAndColumns() and then
extracts events using plugin.Process().
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (SQLitePlugin): SQLite database plugin.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
wal_path_segments (list[str]): path segments inside the test data
directory of the SQLite WAL file.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
file_entry, database = self._OpenDatabaseFile(
path_segments, wal_path_segments=wal_path_segments)
required_tables_and_column_exist = plugin.CheckRequiredTablesAndColumns(
database)
self.assertTrue(required_tables_and_column_exist)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
parser_mediator.SetFileEntry(file_entry)
# AppendToParserChain needs to be run after SetFileEntry.
parser_mediator.AppendToParserChain(plugin)
try:
cache = sqlite.SQLiteCache()
plugin.Process(parser_mediator, cache=cache, database=database)
finally:
database.Close()
return storage_writer
def testSchemaMatching(self):
"""Tests the Schema matching capabilities."""
plugin = TestSQLitePlugin()
cache = sqlite.SQLiteCache()
# Test matching schema.
storage_writer = self._ParseDatabaseFileWithPlugin(['wal_database.db'],
plugin,
cache=cache)
for event in storage_writer.GetEvents():
self.assertTrue(event.schema_match)
# Test schema change with WAL.
wal_file = self._GetTestFilePath(['wal_database.db-wal'])
storage_writer = self._ParseDatabaseFileWithPlugin(['wal_database.db'],
plugin,
cache=cache,
wal_path=wal_file)
for event in storage_writer.GetEvents():
if event.from_wal:
self.assertFalse(event.schema_match)
else:
self.assertTrue(event.schema_match)
# Add schema change from WAL file and test again.
plugin.SCHEMAS.append({
'MyTable':
'CREATE TABLE "MyTable" ( `Field1` TEXT, `Field2` INTEGER, `Field3` '
'BLOB , NewField TEXT)',
'NewTable':
'CREATE TABLE NewTable(NewTableField1 TEXT, NewTableField2 TEXT)'
})
storage_writer = self._ParseDatabaseFileWithPlugin(['wal_database.db'],
plugin,
cache=cache,
wal_path=wal_file)
for event in storage_writer.GetEvents():
self.assertTrue(event.schema_match)
# Test without original schema.
del plugin.SCHEMAS[0]
storage_writer = self._ParseDatabaseFileWithPlugin(['wal_database.db'],
plugin,
cache=cache,
wal_path=wal_file)
for event in storage_writer.GetEvents():
if event.from_wal:
self.assertTrue(event.schema_match)
else:
self.assertFalse(event.schema_match)
def _ParseDatabaseFileWithPlugin(self,
path_segments,
plugin,
knowledge_base_values=None,
wal_path_segments=None):
"""Parses a file as a SQLite database with a specific plugin.
Args:
path_segments (list[str]): path segments inside the test data directory.
plugin (SQLitePlugin): SQLite database plugin.
knowledge_base_values (Optional[dict[str, object]]): knowledge base
values.
wal_path_segments (list[str]): path segments inside the test data
directory of the SQLite WAL file.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
file_entry, database = self._OpenDatabaseFile(
path_segments, wal_path_segments=wal_path_segments)
parser_mediator = self._CreateParserMediator(
storage_writer,
file_entry=file_entry,
knowledge_base_values=knowledge_base_values)
parser_mediator.SetFileEntry(file_entry)
# AppendToParserChain needs to be run after SetFileEntry.
parser_mediator.AppendToParserChain(plugin)
try:
cache = sqlite.SQLiteCache()
plugin.Process(parser_mediator, cache=cache, database=database)
finally:
database.Close()
return storage_writer
def testProcessWithoutWAL(self):
"""Tests the Process function on a database without WAL file."""
plugin = TestSQLitePlugin()
cache = sqlite.SQLiteCache()
self._ParseDatabaseFileWithPlugin([u'wal_database.db'],
plugin,
cache=cache)
expected_results = [((u'Committed Text 1', 1, b'None'), False),
((u'Committed Text 2', 2, b'None'), False),
((u'Deleted Text 1', 3, b'None'), False),
((u'Committed Text 3', 4, b'None'), False),
((u'Committed Text 4', 5, b'None'), False),
((u'Deleted Text 2', 6, b'None'), False),
((u'Committed Text 5', 7, b'None'), False),
((u'Committed Text 6', 8, b'None'), False),
((u'Committed Text 7', 9, b'None'), False),
((u'Unhashable Row 1', 10,
b'Binary Text!\x01\x02\x03'), False)]
self.assertEqual(expected_results, plugin.results)
def testProcess(self):
"""Tests the Process function on a Chrome extension activity database."""
plugin = chrome_extension_activity.ChromeExtensionActivityPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
[u'Extension Activity'], plugin, cache=cache)
self.assertEqual(storage_writer.number_of_events, 56)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_UNKNOWN)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2014-11-25 21:08:23.698737')
self.assertEqual(event.timestamp, expected_timestamp)
expected_extension_id = u'ognampngfcbddbfemdapefohjiobgbdl'
self.assertEqual(event.extension_id, expected_extension_id)
self.assertEqual(event.action_type, 1)
self.assertEqual(event.activity_id, 48)
self.assertEqual(event.api_name, u'browserAction.onClicked')
expected_message = (
u'Chrome extension: ognampngfcbddbfemdapefohjiobgbdl '
u'Action type: API event callback (type 1) '
u'Activity identifier: 48 '
u'API name: browserAction.onClicked')
expected_short_message = (
u'ognampngfcbddbfemdapefohjiobgbdl browserAction.onClicked')
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessPriorTo24(self):
"""Tests the Process function on a Firefox History database file."""
# This is probably version 23 but potentially an older version.
plugin = firefox.FirefoxHistoryPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(['places.sqlite'],
plugin,
cache=cache)
# The places.sqlite file contains 205 events (1 page visit,
# 2 x 91 bookmark records, 2 x 3 bookmark annotations,
# 2 x 8 bookmark folders).
# However there are three events that do not have a timestamp
# so the test file will show 202 extracted events.
self.assertEqual(storage_writer.number_of_events, 202)
events = list(storage_writer.GetEvents())
# Check the first page visited event.
event = events[0]
self.assertEqual(event.data_type, 'firefox:places:page_visited')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_VISITED)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:16:21.371935')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = 'http://news.google.com/'
self.assertEqual(event.url, expected_url)
expected_title = 'Google News'
self.assertEqual(event.title, expected_title)
expected_message = (
'{0:s} ({1:s}) [count: 1] Host: news.google.com '
'(URL not typed directly) Transition: TYPED').format(
expected_url, expected_title)
expected_short_message = 'URL: {0:s}'.format(expected_url)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
# Check the first bookmark event.
event = events[1]
self.assertEqual(event.data_type, 'firefox:places:bookmark')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_ADDED)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:13:59.266344')
self.assertEqual(event.timestamp, expected_timestamp)
# Check the second bookmark event.
event = events[2]
self.assertEqual(event.data_type, 'firefox:places:bookmark')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:13:59.267198')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = (
'place:folder=BOOKMARKS_MENU&folder=UNFILED_BOOKMARKS&folder=TOOLBAR&'
'sort=12&excludeQueries=1&excludeItemIfParentHasAnnotation=livemark%2F'
'feedURI&maxResults=10&queryType=1')
self.assertEqual(event.url, expected_url)
expected_title = 'Recently Bookmarked'
self.assertEqual(event.title, expected_title)
expected_message = (
'Bookmark URL {0:s} ({1:s}) [folder=BOOKMARKS_MENU&'
'folder=UNFILED_BOOKMARKS&folder=TOOLBAR&sort=12&excludeQueries=1&'
'excludeItemIfParentHasAnnotation=livemark%2FfeedURI&maxResults=10&'
'queryType=1] visit count 0').format(expected_title, expected_url)
expected_short_message = (
'Bookmarked Recently Bookmarked '
'(place:folder=BOOKMARKS_MENU&folder=UNFILED_BO...')
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
# Check the first bookmark annotation event.
event = events[183]
self.assertEqual(event.data_type, 'firefox:places:bookmark_annotation')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CREATION)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:13:59.267146')
self.assertEqual(event.timestamp, expected_timestamp)
# Check another bookmark annotation event.
event = events[184]
self.assertEqual(event.data_type, 'firefox:places:bookmark_annotation')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CREATION)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:13:59.267605')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = 'place:sort=14&type=6&maxResults=10&queryType=1'
self.assertEqual(event.url, expected_url)
expected_title = 'Recent Tags'
self.assertEqual(event.title, expected_title)
expected_message = ('Bookmark Annotation: [RecentTags] to bookmark '
'[{0:s}] ({1:s})').format(expected_title,
expected_url)
expected_short_message = 'Bookmark Annotation: Recent Tags'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
# Check the second last bookmark folder event.
event = events[200]
self.assertEqual(event.data_type, 'firefox:places:bookmark_folder')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_ADDED)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-03-21 10:05:01.553774')
self.assertEqual(event.timestamp, expected_timestamp)
# Check the last bookmark folder event.
event = events[201]
self.assertEqual(event.data_type, 'firefox:places:bookmark_folder')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-07-01 11:14:11.766851')
self.assertEqual(event.timestamp, expected_timestamp)
expected_title = 'Latest Headlines'
self.assertEqual(event.title, expected_title)
expected_message = expected_title
expected_short_message = expected_title
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcess(self):
"""Tests the Process function on a Chrome History database file."""
plugin = chrome.ChromeHistoryPlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin(
['History'], plugin, cache=cache)
# The History file contains 71 events (69 page visits, 1 file downloads).
self.assertEqual(storage_writer.number_of_events, 71)
events = list(storage_writer.GetEvents())
# Check the first page visited entry.
event = events[0]
self.assertEqual(
event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_VISITED)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-04-07 12:03:11')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = 'http://start.ubuntu.com/10.04/Google/'
self.assertEqual(event.url, expected_url)
expected_title = 'Ubuntu Start Page'
self.assertEqual(event.title, expected_title)
expected_message = (
'{0:s} ({1:s}) [count: 0] Host: start.ubuntu.com '
'Visit Source: [SOURCE_FIREFOX_IMPORTED] Type: [LINK - User clicked '
'a link] (URL not typed directly - no typed count)').format(
expected_url, expected_title)
expected_short_message = '{0:s} ({1:s})'.format(
expected_url, expected_title)
self._TestGetMessageStrings(event, expected_message, expected_short_message)
# Check the first file downloaded entry.
event = events[69]
self.assertEqual(
event.timestamp_desc, definitions.TIME_DESCRIPTION_FILE_DOWNLOADED)
expected_timestamp = timelib.Timestamp.CopyFromString(
'2011-05-23 08:35:30')
self.assertEqual(event.timestamp, expected_timestamp)
expected_url = (
'http://fatloss4idiotsx.com/download/funcats/'
'funcats_scr.exe')
self.assertEqual(event.url, expected_url)
expected_full_path = '/home/john/Downloads/funcats_scr.exe'
self.assertEqual(event.full_path, expected_full_path)
expected_message = (
'{0:s} ({1:s}). '
'Received: 1132155 bytes out of: '
'1132155 bytes.').format(expected_url, expected_full_path)
expected_short_message = '{0:s} downloaded (1132155 bytes)'.format(
expected_full_path)
self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcess(self):
"""Tests the Process function on a Skype History database file.
The History file contains 24 events:
4 call events
4 transfers file events
1 sms events
15 chat events
Events used:
id = 16 -> SMS
id = 22 -> Call
id = 18 -> File
id = 1 -> Chat
id = 14 -> ChatRoom
"""
test_file = self._GetTestFilePath([u'skype_main.db'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
calls = 0
files = 0
sms = 0
chats = 0
for event_object in event_objects:
if event_object.data_type == u'skype:event:call':
calls += 1
if event_object.data_type == u'skype:event:transferfile':
files += 1
if event_object.data_type == u'skype:event:sms':
sms += 1
if event_object.data_type == u'skype:event:chat':
chats += 1
self.assertEqual(len(event_objects), 24)
self.assertEqual(files, 4)
self.assertEqual(sms, 1)
self.assertEqual(chats, 15)
self.assertEqual(calls, 3)
# TODO: Split this up into separate functions for testing each type of
# event, e.g. testSMS, etc.
sms_event_object = event_objects[16]
call_event_object = event_objects[22]
event_file = event_objects[18]
chat_event_object = event_objects[1]
chat_room_event_object = event_objects[14]
# Test cache processing and format strings.
expected_msg = (
u'Source: gen.beringer <Gen Beringer> Destination: '
u'european.bbq.competitor <European BBQ> File: secret-project.pdf '
u'[SENDSOLICITUDE]')
self._TestGetMessageStrings(event_objects[17], expected_msg,
expected_msg[0:77] + '...')
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-07-01 22:14:22')
self.assertEqual(sms_event_object.timestamp, expected_timestamp)
text_sms = (u'If you want I can copy '
u'some documents for you, '
u'if you can pay it... ;)')
self.assertEqual(sms_event_object.text, text_sms)
number = u'+34123456789'
self.assertEqual(sms_event_object.number, number)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-10-24 21:49:35')
self.assertEqual(event_file.timestamp, expected_timestamp)
action_type = u'GETSOLICITUDE'
self.assertEqual(event_file.action_type, action_type)
source = u'gen.beringer <Gen Beringer>'
self.assertEqual(event_file.source, source)
destination = u'european.bbq.competitor <European BBQ>'
self.assertEqual(event_file.destination, destination)
transferred_filename = u'secret-project.pdf'
self.assertEqual(event_file.transferred_filename, transferred_filename)
filepath = u'/Users/gberinger/Desktop/secret-project.pdf'
self.assertEqual(event_file.transferred_filepath, filepath)
self.assertEqual(event_file.transferred_filesize, 69986)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-07-30 21:27:11')
self.assertEqual(chat_event_object.timestamp, expected_timestamp)
title = u'European Competitor | need to know if you got it..'
self.assertEqual(chat_event_object.title, title)
expected_msg = u'need to know if you got it this time.'
self.assertEqual(chat_event_object.text, expected_msg)
from_account = u'Gen Beringer <gen.beringer>'
self.assertEqual(chat_event_object.from_account, from_account)
self.assertEqual(chat_event_object.to_account,
u'european.bbq.competitor')
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-10-27 15:29:19')
self.assertEqual(chat_room_event_object.timestamp, expected_timestamp)
title = u'European Competitor, Echo123'
self.assertEqual(chat_room_event_object.title, title)
expected_msg = u'He is our new employee'
self.assertEqual(chat_room_event_object.text, expected_msg)
from_account = u'European Competitor <european.bbq.competitor>'
self.assertEqual(chat_room_event_object.from_account, from_account)
to_account = u'gen.beringer, echo123'
self.assertEqual(chat_room_event_object.to_account, to_account)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-07-01 22:12:17')
self.assertEqual(call_event_object.timestamp, expected_timestamp)
self.assertEqual(call_event_object.dst_call,
u'european.bbq.competitor')
self.assertEqual(call_event_object.src_call, u'gen.beringer')
self.assertEqual(call_event_object.user_start_call, False)
self.assertEqual(call_event_object.video_conference, False)
def testProcessPriorTo24(self):
"""Tests the Process function on a Firefox History database file."""
# This is probably version 23 but potentially an older version.
test_file = self._GetTestFilePath(['places.sqlite'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The places.sqlite file contains 205 events (1 page visit,
# 2 x 91 bookmark records, 2 x 3 bookmark annotations,
# 2 x 8 bookmark folders).
# However there are three events that do not have a timestamp
# so the test file will show 202 extracted events.
self.assertEquals(len(event_objects), 202)
# Check the first page visited event.
event_object = event_objects[0]
self.assertEquals(event_object.data_type,
'firefox:places:page_visited')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.PAGE_VISITED)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-07-01 11:16:21.371935')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = u'http://news.google.com/'
self.assertEquals(event_object.url, expected_url)
expected_title = u'Google News'
self.assertEquals(event_object.title, expected_title)
expected_msg = (u'{} ({}) [count: 1] Host: news.google.com '
u'(URL not typed directly) Transition: TYPED').format(
expected_url, expected_title)
expected_short = u'URL: {}'.format(expected_url)
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
# Check the first bookmark event.
event_object = event_objects[1]
self.assertEquals(event_object.data_type, 'firefox:places:bookmark')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.ADDED_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-07-01 11:13:59.266344+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
# Check the second bookmark event.
event_object = event_objects[2]
self.assertEquals(event_object.data_type, 'firefox:places:bookmark')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.MODIFICATION_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-07-01 11:13:59.267198+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = (
u'place:folder=BOOKMARKS_MENU&folder=UNFILED_BOOKMARKS&folder=TOOLBAR&'
u'sort=12&excludeQueries=1&excludeItemIfParentHasAnnotation=livemark%2F'
u'feedURI&maxResults=10&queryType=1')
self.assertEquals(event_object.url, expected_url)
expected_title = u'Recently Bookmarked'
self.assertEquals(event_object.title, expected_title)
expected_msg = (
u'Bookmark URL {} ({}) [folder=BOOKMARKS_MENU&'
u'folder=UNFILED_BOOKMARKS&folder=TOOLBAR&sort=12&excludeQueries=1&'
u'excludeItemIfParentHasAnnotation=livemark%2FfeedURI&maxResults=10&'
u'queryType=1] visit count 0').format(expected_title, expected_url)
expected_short = (u'Bookmarked Recently Bookmarked '
u'(place:folder=BOOKMARKS_MENU&folder=UNFILED_BO...')
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
# Check the first bookmark annotation event.
event_object = event_objects[183]
self.assertEquals(event_object.data_type,
'firefox:places:bookmark_annotation')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-07-01 11:13:59.267146+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
# Check another bookmark annotation event.
event_object = event_objects[184]
self.assertEquals(event_object.data_type,
'firefox:places:bookmark_annotation')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-07-01 11:13:59.267605+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = u'place:sort=14&type=6&maxResults=10&queryType=1'
self.assertEquals(event_object.url, expected_url)
expected_title = u'Recent Tags'
self.assertEquals(event_object.title, expected_title)
expected_msg = (u'Bookmark Annotation: [RecentTags] to bookmark '
u'[{}] ({})').format(expected_title, expected_url)
expected_short = u'Bookmark Annotation: Recent Tags'
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
# Check the second last bookmark folder event.
event_object = event_objects[200]
self.assertEquals(event_object.data_type,
'firefox:places:bookmark_folder')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.ADDED_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-03-21 10:05:01.553774+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
# Check the last bookmark folder event.
event_object = event_objects[201]
self.assertEquals(event_object.data_type,
'firefox:places:bookmark_folder')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.MODIFICATION_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2011-07-01 11:14:11.766851+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_title = u'Latest Headlines'
self.assertEquals(event_object.title, expected_title)
expected_msg = expected_title
expected_short = expected_title
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self):
"""Tests the Process function on a Google Drive database file."""
plugin_object = gdrive.GoogleDrivePlugin()
cache = sqlite.SQLiteCache()
storage_writer = self._ParseDatabaseFileWithPlugin([u'snapshot.db'],
plugin_object,
cache=cache)
self.assertEqual(len(storage_writer.events), 30)
# Let's verify that we've got the correct balance of cloud and local
# entry events.
# 10 files mounting to:
# 20 Cloud Entries (two timestamps per entry).
# 10 Local Entries (one timestamp per entry).
local_entries = []
cloud_entries = []
for event_object in storage_writer.events:
if event_object.data_type == u'gdrive:snapshot:local_entry':
local_entries.append(event_object)
else:
cloud_entries.append(event_object)
self.assertEqual(len(local_entries), 10)
self.assertEqual(len(cloud_entries), 20)
# Test one local and one cloud entry.
event_object = local_entries[5]
file_path = (u'%local_sync_root%/Top Secret/Enn meiri '
u'leyndarmál/Sýnileiki - Örverpi.gdoc')
self.assertEqual(event_object.path, file_path)
expected_msg = u'File Path: {0:s} Size: 184'.format(file_path)
self._TestGetMessageStrings(event_object, expected_msg, file_path)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2014-01-28 00:11:25')
self.assertEqual(event_object.timestamp, expected_timestamp)
event_object = cloud_entries[16]
self.assertEqual(event_object.document_type, 6)
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.MODIFICATION_TIME)
expected_url = (
u'https://docs.google.com/document/d/'
u'1ypXwXhQWliiMSQN9S5M0K6Wh39XF4Uz4GmY-njMf-Z0/edit?usp=docslist_api'
)
self.assertEqual(event_object.url, expected_url)
expected_msg = (u'File Path: /Almenningur/Saklausa hliðin '
u'[Private] '
u'Size: 0 '
u'URL: {0:s} '
u'Type: DOCUMENT').format(expected_url)
expected_msg_short = u'/Almenningur/Saklausa hliðin'
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2014-01-28 00:12:27')
self.assertEqual(event_object.timestamp, expected_timestamp)
def testProcess(self):
"""Tests the Process function on a Google Drive database file."""
test_file = self._GetTestFilePath(['snapshot.db'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(self._plugin,
test_file,
cache=cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 30)
# Let's verify that we've got the correct balance of cloud and local
# entry events.
# 10 files mounting to:
# 20 Cloud Entries (two timestamps per file).
# 10 Local Entries (one timestamp per file).
local_entries = []
cloud_entries = []
for event_object in event_objects:
if event_object.data_type == 'gdrive:snapshot:local_entry':
local_entries.append(event_object)
else:
cloud_entries.append(event_object)
self.assertEquals(len(local_entries), 10)
self.assertEquals(len(cloud_entries), 20)
# Test one local and one cloud entry.
event_object = local_entries[5]
file_path = (u'%local_sync_root%/Top Secret/Enn meiri '
u'leyndarm\xe1l/S\xfdnileiki - \xd6rverpi.gdoc')
self.assertEquals(event_object.path, file_path)
expected_msg = u'File Path: {} Size: 184'.format(file_path)
self._TestGetMessageStrings(event_object, expected_msg, file_path)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2014-01-28 00:11:25')
self.assertEquals(event_object.timestamp, expected_timestamp)
event_object = cloud_entries[16]
self.assertEquals(event_object.document_type, u'DOCUMENT')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.MODIFICATION_TIME)
self.assertEquals(event_object.url, (
u'https://docs.google.com/document/d/'
u'1ypXwXhQWliiMSQN9S5M0K6Wh39XF4Uz4GmY-njMf-Z0/edit?usp=docslist_api'
))
expected_msg = (
u'File Path: /Almenningur/Saklausa hli\xf0in [Private] Size: 0 URL: '
u'https://docs.google.com/document/d/'
u'1ypXwXhQWliiMSQN9S5M0K6Wh39XF4Uz4GmY-njMf-Z0/edit?usp=docslist_api '
u'Type: DOCUMENT')
expected_short = u'/Almenningur/Saklausa hli\xf0in'
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2014-01-28 00:12:27')
self.assertEquals(event_object.timestamp, expected_timestamp)
