def testProcess(self):
    """Tests the Process function on the Explorer TypedPaths key.

    TypedPaths keeps the paths a user typed into the Windows Explorer
    address bar. The NTUSER-WIN7.DAT test hive is expected to yield exactly
    one event and no warnings for this key.
    """
    typed_paths_key = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\TypedPaths')

    hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    typed_paths = registry.GetKeyByPath(typed_paths_key)

    typed_urls_plugin = typedurls.TypedURLsPlugin()
    writer = self._ParseKeyWithPlugin(
        typed_paths, typed_urls_plugin, file_entry=hive_file_entry)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 1)

    first_event = list(writer.GetEvents())[0]
    self.CheckTimestamp(first_event.timestamp, '2010-11-10 07:58:15.811625')

    first_event_data = self._GetEventDataOfEvent(writer, first_event)

    # The plugin is called directly rather than via the registry parser, so
    # the parser attribute is expected to be the bare plugin name.
    self.assertEqual(first_event_data.parser, typed_urls_plugin.plugin_name)
    self.assertEqual(first_event_data.data_type, 'windows:registry:typedurls')

    # The only typed entry in the test hive is the UNC path \\controller.
    full_message = '[{0:s}] url1: \\\\controller'.format(typed_paths_key)
    # The short message is the first 77 characters followed by an ellipsis.
    short_message = '{0:s}...'.format(full_message[:77])

    self._TestGetMessageStrings(
        first_event_data, full_message, short_message)
def testProcess(self):
    """Tests the Process function on the Explorer TypedPaths key.

    TypedPaths keeps the paths a user typed into the Windows Explorer
    address bar. The NTUSER-WIN7.DAT test hive is expected to yield exactly
    one event and no warnings for this key.
    """
    typed_paths_key = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\TypedPaths')

    hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    typed_paths = registry.GetKeyByPath(typed_paths_key)

    typed_urls_plugin = typedurls.TypedURLsPlugin()
    writer = self._ParseKeyWithPlugin(
        typed_paths, typed_urls_plugin, file_entry=hive_file_entry)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 1)

    extracted_events = list(writer.GetEvents())

    expected_event_values = {
        'data_type': 'windows:registry:typedurls',
        # The only typed entry in the test hive is the UNC path \\controller.
        'entries': 'url1: \\\\controller',
        'key_path': typed_paths_key,
        # The plugin is called directly rather than via the registry
        # parser, so the bare plugin name is expected here.
        'parser': typed_urls_plugin.plugin_name,
        'timestamp': '2010-11-10 07:58:15.811625'}

    first_event = extracted_events[0]
    self.CheckEventValues(writer, first_event, expected_event_values)
def testProcess(self):
    """Tests the Process function on the Internet Explorer TypedURLs key.

    TypedURLs keeps the entries a user typed into the Internet Explorer
    address bar. The NTUSER-WIN7.DAT test hive is expected to yield exactly
    one event, with no extraction or recovery warnings.
    """
    typed_urls_key = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\'
        'TypedURLs')

    hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    typed_urls = registry.GetKeyByPath(typed_urls_key)

    typed_urls_plugin = typedurls.TypedURLsPlugin()
    writer = self._ParseKeyWithPlugin(
        typed_urls, typed_urls_plugin, file_entry=hive_file_entry)

    # One event is expected and neither kind of warning may be present;
    # the containers are checked in the order event, extraction, recovery.
    expected_container_counts = (
        ('event', 1),
        ('extraction_warning', 0),
        ('recovery_warning', 0))
    for container_type, expected_count in expected_container_counts:
        actual_count = writer.GetNumberOfAttributeContainers(container_type)
        self.assertEqual(actual_count, expected_count)

    extracted_events = list(writer.GetEvents())

    # Entries are expected in numeric order of the value name (url1 through
    # url13). Note that url5 is the bare word "mozilla" rather than a URL.
    typed_entries = (
        'url1: http://cnn.com/ '
        'url2: http://twitter.com/ '
        'url3: http://linkedin.com/ '
        'url4: http://tweetdeck.com/ '
        'url5: mozilla '
        'url6: http://google.com/ '
        'url7: http://controller.shieldbase.local/certsrv/ '
        'url8: http://controller.shieldbase.local/ '
        'url9: http://www.stark-research-labs.com/ '
        'url10: http://www.adobe.com/ '
        'url11: http://www.google.com/ '
        'url12: http://www.firefox.com/ '
        'url13: http://go.microsoft.com/fwlink/?LinkId=69157')

    expected_event_values = {
        # Seven fractional digits: the expected string carries
        # 100-nanosecond precision.
        'date_time': '2012-03-12 21:23:53.3077499',
        'data_type': 'windows:registry:typedurls',
        'entries': typed_entries,
        'key_path': typed_urls_key,
        # The plugin is called directly rather than via the registry
        # parser, so the bare plugin name is expected here.
        'parser': typed_urls_plugin.NAME}

    first_event = extracted_events[0]
    self.CheckEventValues(writer, first_event, expected_event_values)
def testProcess(self):
    """Tests the Process function on the Internet Explorer TypedURLs key.

    TypedURLs keeps the entries a user typed into the Internet Explorer
    address bar. The NTUSER-WIN7.DAT test hive is expected to yield exactly
    one event for this key.
    """
    typed_urls_key = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\'
        'TypedURLs')

    hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    typed_urls = registry.GetKeyByPath(typed_urls_key)

    typed_urls_plugin = typedurls.TypedURLsPlugin()
    writer = self._ParseKeyWithPlugin(
        typed_urls, typed_urls_plugin, file_entry=hive_file_entry)

    self.assertEqual(writer.number_of_events, 1)

    first_event = list(writer.GetEvents())[0]

    # The event must point back at the path specification of the hive file
    # it was extracted from.
    self.assertEqual(first_event.pathspec, hive_file_entry.path_spec)

    # The plugin is called directly rather than via the registry parser, so
    # the parser attribute is expected to be the bare plugin name.
    self.assertEqual(first_event.parser, typed_urls_plugin.plugin_name)

    self.assertEqual(
        first_event.timestamp,
        timelib.Timestamp.CopyFromString('2012-03-12 21:23:53.307749'))

    self._TestRegvalue(first_event, 'url1', 'http://cnn.com/')

    # The message lists the values in lexicographic order of the value name,
    # so url10 through url13 come before url2. Note that url5 is the bare
    # word "mozilla" rather than a URL.
    message_template = (
        '[{0:s}] '
        'url1: http://cnn.com/ '
        'url10: http://www.adobe.com/ '
        'url11: http://www.google.com/ '
        'url12: http://www.firefox.com/ '
        'url13: http://go.microsoft.com/fwlink/?LinkId=69157 '
        'url2: http://twitter.com/ '
        'url3: http://linkedin.com/ '
        'url4: http://tweetdeck.com/ '
        'url5: mozilla '
        'url6: http://google.com/ '
        'url7: http://controller.shieldbase.local/certsrv/ '
        'url8: http://controller.shieldbase.local/ '
        'url9: http://www.stark-research-labs.com/')
    full_message = message_template.format(typed_urls_key)
    # The short message is the first 77 characters followed by an ellipsis.
    short_message = '{0:s}...'.format(full_message[:77])

    self._TestGetMessageStrings(first_event, full_message, short_message)
def testFilters(self):
    """Tests that the FILTERS class attribute matches the supported keys.

    Both the Internet Explorer TypedURLs key and the Explorer TypedPaths
    key must be matched, and an unrelated key must not be.
    """
    typed_urls_plugin = typedurls.TypedURLsPlugin()

    supported_key_paths = (
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\'
         'TypedURLs'),
        ('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
         'Explorer\\TypedPaths'))
    for supported_key_path in supported_key_paths:
        self._AssertFiltersOnKeyPath(typed_urls_plugin, supported_key_path)

    # Negative case: a key path the plugin has no business handling.
    self._AssertNotFiltersOnKeyPath(
        typed_urls_plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcess(self):
    """Tests the Process function on the Explorer TypedPaths key.

    TypedPaths keeps the paths a user typed into the Windows Explorer
    address bar. The NTUSER-WIN7.DAT test hive is expected to yield exactly
    one event for this key.
    """
    typed_paths_key = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\TypedPaths')

    hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    typed_paths = registry.GetKeyByPath(typed_paths_key)

    typed_urls_plugin = typedurls.TypedURLsPlugin()
    writer = self._ParseKeyWithPlugin(
        typed_paths, typed_urls_plugin, file_entry=hive_file_entry)

    self.assertEqual(writer.number_of_events, 1)

    first_event = list(writer.GetEvents())[0]

    # The event must point back at the path specification of the hive file
    # it was extracted from.
    self.assertEqual(first_event.pathspec, hive_file_entry.path_spec)

    # The plugin is called directly rather than via the registry parser, so
    # the parser attribute is expected to be the bare plugin name.
    self.assertEqual(first_event.parser, typed_urls_plugin.plugin_name)

    self.assertEqual(
        first_event.timestamp,
        timelib.Timestamp.CopyFromString('2010-11-10 07:58:15.811625'))

    # The only typed entry in the test hive is the UNC path \\controller.
    value_name = 'url1'
    value_data = '\\\\controller'
    self._TestRegvalue(first_event, value_name, value_data)

    full_message = '[{0:s}] {1:s}: {2:s}'.format(
        typed_paths_key, value_name, value_data)
    # The short message is the first 77 characters followed by an ellipsis.
    short_message = '{0:s}...'.format(full_message[:77])

    self._TestGetMessageStrings(first_event, full_message, short_message)
def setUp(self):
    """Creates the TypedURLs plugin instance shared by the tests."""
    # Stored on the test case as _plugin for the test methods to use.
    typed_urls_plugin = typedurls.TypedURLsPlugin()
    self._plugin = typed_urls_plugin
def setUp(self):
    """Prepares a TypedURLs plugin instance before an individual test."""
    # Stored on the test case as _plugin for the test methods to use.
    typed_urls_plugin = typedurls.TypedURLsPlugin()
    self._plugin = typed_urls_plugin