def _ParseValueData(self, knowledge_base, value_data): """Parses Windows Registry value data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. value_data (object): Windows Registry value data. Raises: errors.PreProcessFail: if the preprocessing fails. """ if not isinstance(value_data, str): raise errors.PreProcessFail( 'Unsupported Windows Registry value type: {0!s} for ' 'artifact: {1:s}.'.format(type(value_data), self.ARTIFACT_DEFINITION_NAME)) # Map the Windows time zone name to a Python equivalent name. lookup_key = value_data.replace(' ', '') time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data) # TODO: check if time zone is set in knowledge base. if time_zone: try: # Catch and warn about unsupported preprocessor plugin. knowledge_base.SetTimeZone(time_zone) except ValueError: # TODO: add and store preprocessing errors. logger.warning( 'Unable to map: "{0:s}" to time zone'.format(value_data))
def _ParseValueData(self, knowledge_base, value_data): """Parses Windows Registry value data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. value_data (object): Windows Registry value data. Raises: errors.PreProcessFail: if the preprocessing fails. """ if not isinstance(value_data, str): raise errors.PreProcessFail( 'Unsupported Windows Registry value type: {0!s} for ' 'artifact: {1:s}.'.format(type(value_data), self.ARTIFACT_DEFINITION_NAME)) # Map the Windows code page name to a Python equivalent name. codepage = 'cp{0:s}'.format(value_data) if not knowledge_base.codepage: try: knowledge_base.SetCodepage(codepage) except ValueError: # TODO: add and store preprocessing errors. pass
def _ParseValueData(self, knowledge_base, value_data): """Parses Windows Registry value data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. value_data (object): Windows Registry value data. Raises: errors.PreProcessFail: if the preprocessing fails. """ if not isinstance(value_data, str): raise errors.PreProcessFail( 'Unsupported Windows Registry value type: {0!s} for ' 'artifact: {1:s}.'.format(type(value_data), self.ARTIFACT_DEFINITION_NAME)) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name=self._NAME, value=value_data) try: logger.debug( 'setting environment variable: {0:s} to: "{1:s}"'.format( self._NAME, value_data)) knowledge_base.AddEnvironmentVariable(environment_variable) except KeyError: # TODO: add and store preprocessing errors. pass
def _ParsePathSpecification( self, knowledge_base, searcher, file_system, path_specification, path_separator): """Parses a file system for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess the file system. file_system (dfvfs.FileSystem): file system to be preprocessed. path_specification (dfvfs.PathSpec): path specification that contains the artifact value data. path_separator (str): path segment separator. Raises: PreProcessFail: if the preprocessing fails. """ try: file_entry = searcher.GetFileEntryByPathSpec(path_specification) except IOError as exception: relative_path = searcher.GetRelativePath(path_specification) if path_separator != file_system.PATH_SEPARATOR: relative_path_segments = file_system.SplitPath(relative_path) relative_path = '{0:s}{1:s}'.format( path_separator, path_separator.join(relative_path_segments)) raise errors.PreProcessFail(( 'Unable to retrieve file entry: {0:s} with error: ' '{1!s}').format(relative_path, exception)) if file_entry: self._ParseFileEntry(knowledge_base, file_entry)
def Collect(self, knowledge_base, artifact_definition, searcher): """Collects values using a Windows Registry value artifact definition. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. artifact_definition (artifacts.ArtifactDefinition): artifact definition. searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to preprocess the Windows Registry. Raises: PreProcessFail: if the Windows Registry key or value cannot be read. """ for source in artifact_definition.sources: if source.type_indicator not in ( artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE ): continue if source.type_indicator == ( artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): key_value_pairs = [{'key': key} for key in source.keys] else: key_value_pairs = source.key_value_pairs for key_value_pair in key_value_pairs: key_path = key_value_pair['key'] # The artifact definitions currently incorrectly define # CurrentControlSet so we correct it here for now. # Also see: https://github.com/ForensicArtifacts/artifacts/issues/120 key_path_upper = key_path.upper() if key_path_upper.startswith('%%CURRENT_CONTROL_SET%%'): key_path = '{0:s}{1:s}'.format( 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet', key_path[23:]) find_spec = registry_searcher.FindSpec(key_path_glob=key_path) for key_path in searcher.Find(find_specs=[find_spec]): try: registry_key = searcher.GetKeyByPath(key_path) except IOError as exception: raise errors.PreProcessFail(( 'Unable to retrieve Windows Registry key: {0:s} with error: ' '{1!s}').format(key_path, exception)) if registry_key: value_name = key_value_pair.get('value', None) self._ParseKey(knowledge_base, registry_key, value_name)
def _ParseValueData(self, knowledge_base, value_data): """Parses Windows Registry value data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. value_data (object): Windows Registry value data. Raises: errors.PreProcessFail: if the preprocessing fails. """ if not isinstance(value_data, str): raise errors.PreProcessFail( 'Unsupported Windows Registry value type: {0!s} for ' 'artifact: {1:s}.'.format(type(value_data), self.ARTIFACT_DEFINITION_NAME)) if not knowledge_base.GetValue('operating_system_version'): knowledge_base.SetValue('operating_system_version', value_data)
def _ParsePathSpecification(self, knowledge_base, searcher, file_system, path_specification, path_separator): """Parses artifact file system data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess the file system. file_system (dfvfs.FileSystem): file system to be preprocessed. path_specification (dfvfs.PathSpec): path specification that contains the artifact value data. path_separator (str): path segment separator. Raises: errors.PreProcessFail: if the preprocessing fails. """ relative_path = searcher.GetRelativePath(path_specification) if not relative_path: raise errors.PreProcessFail( 'Unable to read: {0:s} with error: missing relative path'. format(self.ARTIFACT_DEFINITION_NAME)) if path_separator != file_system.PATH_SEPARATOR: relative_path_segments = file_system.SplitPath(relative_path) relative_path = '{0:s}{1:s}'.format( path_separator, path_separator.join(relative_path_segments)) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name=self._NAME, value=relative_path) try: logger.debug( 'setting environment variable: {0:s} to: "{1:s}"'.format( self._NAME, relative_path)) knowledge_base.AddEnvironmentVariable(environment_variable) except KeyError: # TODO: add and store preprocessing errors. pass
def _ParseValueData(self, knowledge_base, value_data): """Parses Windows Registry value data for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. value_data (object): Windows Registry value data. Raises: errors.PreProcessFail: if the preprocessing fails. """ if not isinstance(value_data, str): if not hasattr(value_data, '__iter__'): raise errors.PreProcessFail( 'Unsupported Windows Registry value type: {0!s} for ' 'artifact: {1:s}.'.format(type(value_data), self.ARTIFACT_DEFINITION_NAME)) # If the value data is a multi string only use the first string. value_data = value_data[0] if not knowledge_base.GetHostname(): hostname_artifact = artifacts.HostnameArtifact(name=value_data) knowledge_base.SetHostname(hostname_artifact)
def _ParseKey(self, knowledge_base, registry_key, value_name): """Parses a Windows Registry key for a preprocessing attribute. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. registry_key (dfwinreg.WinRegistryKey): Windows Registry key. value_name (str): name of the Windows Registry value. Raises: PreProcessFail: if the preprocessing fails. """ try: registry_value = registry_key.GetValueByName(value_name) except IOError as exception: raise errors.PreProcessFail(( 'Unable to retrieve Windows Registry key: {0:s} value: {1:s} ' 'with error: {2!s}').format( registry_key.path, value_name, exception)) if registry_value: value_object = registry_value.GetDataAsObject() if value_object: self._ParseValueData(knowledge_base, value_object)