  def _OpenPathSpec(self, path_specification, ascii_codepage='cp1252'):
    """Opens the Windows Registry file specified by the path specification.

    The path specification is resolved to a file entry through the file
    system, the entry's file object is handed to a REGF reader, and the file
    object is closed again when the reader rejects it with IOError.

    Args:
      path_specification (dfvfs.PathSpec): path specification.
      ascii_codepage (Optional[str]): ASCII string codepage.

    Returns:
      WinRegistryFile: Windows Registry file or None when the path
          specification is empty, does not resolve to a file entry, yields no
          file object, or cannot be opened as a Windows Registry file.
    """
    if not path_specification:
      return None

    file_entry = self._file_system.GetFileEntryByPathSpec(path_specification)
    if file_entry is None:
      return None

    file_object = file_entry.GetFileObject()
    if file_object is None:
      return None

    regf_file = dfwinreg_regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage)
    try:
      regf_file.Open(file_object)
    except IOError as exception:
      # Only IOError is handled here: the file object is released before
      # giving up, while any other exception raised by the reader propagates
      # to the caller with the file object still open.
      logger.warning(
          'Unable to open Windows Registry file with error: {0!s}'.format(
              exception))
      file_object.close()
      return None
    else:
      return regf_file
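    def _ParseValueData(self, knowledge_base, value_data):
        """Parses Windows Registry value data for a preprocessing attribute.

        The value data is expected to be a Unicode string naming a Windows
        time zone; it is mapped to a Python time zone name through
        time_zones.TIME_ZONES and stored in the knowledge base.

        Args:
          knowledge_base (KnowledgeBase): to fill with preprocessing information.
          value_data (object): Windows Registry value data.

        Raises:
          errors.PreProcessFail: if the value data is not a Unicode string.
        """
        if not isinstance(value_data, py2to3.UNICODE_TYPE):
            # '{0!s}' rather than '{0:s}': a type object does not accept the
            # 's' format spec on Python 3, so the original format call raised
            # TypeError instead of the documented PreProcessFail.
            raise errors.PreProcessFail(
                'Unsupported Windows Registry value type: {0!s} for '
                'artifact: {1:s}.'.format(
                    type(value_data), self.ARTIFACT_DEFINITION_NAME))

        # Map the Windows time zone name to a Python equivalent name; the
        # lookup key is the Windows name with spaces removed, and the raw
        # value is used when there is no mapping.
        lookup_key = value_data.replace(' ', '')
        time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)

        # TODO: check if time zone is set in knowledge base.
        if not time_zone:
            return

        try:
            knowledge_base.SetTimeZone(time_zone)
        except ValueError:
            # TODO: add and store preprocessing errors.
            logger.warning(
                'Unable to map: "{0:s}" to time zone'.format(value_data))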
  def CollectFromWindowsRegistry(
      cls, artifacts_registry, knowledge_base, searcher):
    """Collects values from Windows Registry values.

    Every registered Windows Registry preprocess plugin is run once. A plugin
    whose artifact definition is missing, or whose collection raises IOError
    or errors.PreProcessFail, is logged and skipped so the remaining plugins
    still run; any other exception propagates.

    Args:
      artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
          definitions registry.
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
      searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
          preprocess the Windows Registry.
    """
    for plugin in cls._windows_registry_plugins.values():
      artifact_name = plugin.ARTIFACT_DEFINITION_NAME
      definition = artifacts_registry.GetDefinitionByName(artifact_name)
      if not definition:
        logger.warning(
            'Missing artifact definition: {0:s}'.format(artifact_name))
        continue

      logger.debug(
          'Running Windows Registry preprocessor plugin: {0:s}'.format(
              artifact_name))
      try:
        plugin.Collect(knowledge_base, definition, searcher)
      except (IOError, errors.PreProcessFail) as exception:
        logger.warning((
            'Unable to collect value from artifact definition: {0:s} '
            'with error: {1!s}').format(artifact_name, exception))
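  def _ParseValueData(self, knowledge_base, value_data):
    """Parses Windows Registry value data for a preprocessing attribute.

    The value data is expected to be a Unicode string naming a Windows time
    zone; it is mapped to a Python time zone name through
    time_zones.TIME_ZONES and stored in the knowledge base.

    Args:
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
      value_data (object): Windows Registry value data.

    Raises:
      errors.PreProcessFail: if the value data is not a Unicode string.
    """
    if not isinstance(value_data, py2to3.UNICODE_TYPE):
      # '{0!s}' rather than '{0:s}': a type object does not accept the 's'
      # format spec on Python 3, so the original format call raised TypeError
      # instead of the documented PreProcessFail.
      raise errors.PreProcessFail(
          'Unsupported Windows Registry value type: {0!s} for '
          'artifact: {1:s}.'.format(
              type(value_data), self.ARTIFACT_DEFINITION_NAME))

    # Map the Windows time zone name to a Python equivalent name; the lookup
    # key is the Windows name with spaces removed, and the raw value is used
    # when there is no mapping.
    lookup_key = value_data.replace(' ', '')
    time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)

    # TODO: check if time zone is set in knowledge base.
    if not time_zone:
      return

    try:
      knowledge_base.SetTimeZone(time_zone)
    except ValueError:
      # TODO: add and store preprocessing errors.
      logger.warning('Unable to map: "{0:s}" to time zone'.format(
          value_data))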
    def CollectFromFileSystem(cls, artifacts_registry, mediator, searcher,
                              file_system):
        """Collects values from the file system.

        Every registered file system preprocess plugin is run once. A plugin
        whose artifact definition is missing, or whose collection raises
        IOError or errors.PreProcessFail, is logged and skipped so the
        remaining plugins still run; any other exception propagates.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          mediator (PreprocessMediator): mediates interactions between
              preprocess plugins and other components, such as storage and
              knowledge base.
          searcher (dfvfs.FileSystemSearcher): file system searcher to
              preprocess the file system.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
        """
        for plugin in cls._file_system_plugins.values():
            artifact_name = plugin.ARTIFACT_DEFINITION_NAME
            definition = artifacts_registry.GetDefinitionByName(artifact_name)
            if not definition:
                logger.warning(
                    'Missing artifact definition: {0:s}'.format(artifact_name))
                continue

            logger.debug(
                'Running file system preprocessor plugin: {0:s}'.format(
                    artifact_name))
            try:
                plugin.Collect(mediator, definition, searcher, file_system)
            except (IOError, errors.PreProcessFail) as exception:
                logger.warning(
                    ('Unable to collect value from artifact definition: {0:s} '
                     'with error: {1!s}').format(artifact_name, exception))
    def CollectFromFileSystem(cls, artifacts_registry, knowledge_base,
                              searcher, file_system):
        """Collects values from the file system.

        Every registered file system preprocess plugin is run once. A plugin
        whose artifact definition is missing, or whose collection raises
        IOError or errors.PreProcessFail, is logged and skipped so the
        remaining plugins still run; any other exception propagates.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          knowledge_base (KnowledgeBase): to fill with preprocessing
              information.
          searcher (dfvfs.FileSystemSearcher): file system searcher to
              preprocess the file system.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
        """
        for plugin in cls._file_system_plugins.values():
            artifact_name = plugin.ARTIFACT_DEFINITION_NAME
            definition = artifacts_registry.GetDefinitionByName(artifact_name)
            if not definition:
                logger.warning(
                    'Missing artifact definition: {0:s}'.format(artifact_name))
                continue

            try:
                plugin.Collect(knowledge_base, definition, searcher, file_system)
            except (IOError, errors.PreProcessFail) as exception:
                logger.warning(
                    ('Unable to collect value from artifact definition: {0:s} '
                     'with error: {1!s}').format(artifact_name, exception))
  def CollectFromFileSystem(
      cls, artifacts_registry, knowledge_base, searcher, file_system):
    """Collects values from the file system.

    Every registered file system preprocess plugin is run once. A plugin
    whose artifact definition is missing, or whose collection raises IOError
    or errors.PreProcessFail, is logged and skipped so the remaining plugins
    still run; any other exception propagates.

    Args:
      artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
          definitions registry.
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
      searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
          the file system.
      file_system (dfvfs.FileSystem): file system to be preprocessed.
    """
    for plugin in cls._file_system_plugins.values():
      artifact_name = plugin.ARTIFACT_DEFINITION_NAME
      definition = artifacts_registry.GetDefinitionByName(artifact_name)
      if not definition:
        logger.warning(
            'Missing artifact definition: {0:s}'.format(artifact_name))
        continue

      try:
        plugin.Collect(knowledge_base, definition, searcher, file_system)
      except (IOError, errors.PreProcessFail) as exception:
        logger.warning((
            'Unable to collect value from artifact definition: {0:s} '
            'with error: {1!s}').format(artifact_name, exception))
  def CollectFromKnowledgeBase(cls, knowledge_base):
    """Collects values from knowledge base values.

    Every registered knowledge base preprocess plugin is run once; a plugin
    that raises errors.PreProcessFail is logged and skipped, any other
    exception propagates.

    Args:
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
    """
    for plugin in cls._knowledge_base_plugins.values():
      plugin_name = plugin.__class__.__name__
      logger.debug(
          'Running knowledge base preprocessor plugin: {0:s}'.format(
              plugin_name))
      try:
        plugin.Collect(knowledge_base)
      except errors.PreProcessFail as exception:
        logger.warning(
            'Unable to collect knowledge base value with error: {0!s}'.format(
                exception))
    def CollectFromKnowledgeBase(cls, mediator):
        """Collects values from knowledge base values.

        Every registered knowledge base preprocess plugin is run once; a
        plugin that raises errors.PreProcessFail is logged and skipped, any
        other exception propagates.

        Args:
          mediator (PreprocessMediator): mediates interactions between
              preprocess plugins and other components, such as storage and
              knowledge base.
        """
        for plugin in cls._knowledge_base_plugins.values():
            plugin_name = plugin.__class__.__name__
            logger.debug(
                'Running knowledge base preprocessor plugin: {0:s}'.format(
                    plugin_name))
            try:
                plugin.Collect(mediator)
            except errors.PreProcessFail as exception:
                logger.warning(
                    'Unable to collect knowledge base value with error: '
                    '{0!s}'.format(exception))
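    def RunPlugins(cls, artifacts_registry, file_system, mount_point,
                   mediator):
        """Runs the preprocessing plugins.

        File system plugins run first, then the Windows Registry plugins
        against one shared registry file reader, then the knowledge base
        plugins.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          file_system (dfvfs.FileSystem): file system to be preprocessed.
          mount_point (dfvfs.PathSpec): mount point path specification that
              refers to the base location of the file system.
          mediator (PreprocessMediator): mediates interactions between
              preprocess plugins and other components, such as storage and
              knowledge base.
        """
        searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)

        cls.CollectFromFileSystem(
            artifacts_registry, mediator, searcher, file_system)

        # Run the Registry plugins separately so we do not have to open
        # Registry files for every preprocess plugin.

        environment_variables = None
        if mediator.knowledge_base:
            environment_variables = (
                mediator.knowledge_base.GetEnvironmentVariables())

        registry_file_reader = FileSystemWinRegistryFileReader(
            file_system, mount_point,
            environment_variables=environment_variables)
        win_registry = dfwinreg_registry.WinRegistry(
            registry_file_reader=registry_file_reader)

        searcher = registry_searcher.WinRegistrySearcher(win_registry)

        cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)

        cls.CollectFromKnowledgeBase(mediator)

        # Guarded the same way as the environment variable lookup above: the
        # unguarded call raised AttributeError when the mediator carried no
        # knowledge base.
        knowledge_base = mediator.knowledge_base
        if knowledge_base and not knowledge_base.HasUserAccounts():
            logger.warning('Unable to find any user accounts on the system.')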
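  def RunPlugins(
      cls, artifacts_registry, file_system, mount_point, knowledge_base):
    """Runs the preprocessing plugins.

    File system plugins run first, then the Windows Registry plugins against
    one shared registry file reader, then the knowledge base plugins.

    Args:
      artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
          definitions registry.
      file_system (dfvfs.FileSystem): file system to be preprocessed.
      mount_point (dfvfs.PathSpec): mount point path specification that refers
          to the base location of the file system.
      knowledge_base (KnowledgeBase): to fill with preprocessing information.
    """
    searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point)

    cls.CollectFromFileSystem(
        artifacts_registry, knowledge_base, searcher, file_system)

    # Run the Registry plugins separately so we do not have to open
    # Registry files for every preprocess plugin.

    environment_variables = None
    if knowledge_base:
      environment_variables = knowledge_base.GetEnvironmentVariables()

    registry_file_reader = FileSystemWinRegistryFileReader(
        file_system, mount_point, environment_variables=environment_variables)
    win_registry = dfwinreg_registry.WinRegistry(
        registry_file_reader=registry_file_reader)

    searcher = registry_searcher.WinRegistrySearcher(win_registry)

    cls.CollectFromWindowsRegistry(
        artifacts_registry, knowledge_base, searcher)

    cls.CollectFromKnowledgeBase(knowledge_base)

    # Guarded the same way as the environment variable lookup above: the
    # unguarded call raised AttributeError when no knowledge base was given.
    if knowledge_base and not knowledge_base.HasUserAccounts():
      logger.warning('Unable to find any user accounts on the system.')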
    def Open(self, path, ascii_codepage='cp1252'):
        """Opens the Windows Registry file specified by the path.

        The path is resolved to a path specification through the path
        resolver and then opened via _OpenPathSpec. A resolver back-end
        error is logged and treated as "not found".

        Args:
          path (str): path of the Windows Registry file.
          ascii_codepage (Optional[str]): ASCII string codepage.

        Returns:
          WinRegistryFile: Windows Registry file or None.
        """
        try:
            path_specification = self._path_resolver.ResolvePath(path)
        except dfvfs_errors.BackEndError as exception:
            logger.warning(
                ('Unable to open Windows Registry file: {0:s} with error: '
                 '{1!s}').format(path, exception))
            path_specification = None

        if path_specification is None:
            return None

        # NOTE(review): ascii_codepage is not forwarded to _OpenPathSpec here,
        # matching the original behaviour; its default is used instead.
        return self._OpenPathSpec(path_specification)
    def CollectFromWindowsRegistry(cls, artifacts_registry, mediator,
                                   searcher):
        """Collects values from Windows Registry values.

        Every registered Windows Registry preprocess plugin is run once, in
        alphabetical order of its registration key. A plugin whose artifact
        definition is missing, or whose collection raises IOError or
        errors.PreProcessFail, is logged and skipped so the remaining plugins
        still run; any other exception propagates.

        Args:
          artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
              definitions registry.
          mediator (PreprocessMediator): mediates interactions between
              preprocess plugins and other components, such as storage and
              knowledge base.
          searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
              preprocess the Windows Registry.
        """
        # TODO: define preprocessing plugin dependency and sort
        # preprocess_plugins for now sort alphabetically to ensure
        # WindowsAvailableTimeZones is run before WindowsTimezone.
        ordered_plugins = sorted(cls._windows_registry_plugins.items())
        for _, plugin in ordered_plugins:
            artifact_name = plugin.ARTIFACT_DEFINITION_NAME
            definition = artifacts_registry.GetDefinitionByName(artifact_name)
            if not definition:
                logger.warning(
                    'Missing artifact definition: {0:s}'.format(artifact_name))
                continue

            logger.debug(
                'Running Windows Registry preprocessor plugin: {0:s}'.format(
                    artifact_name))
            try:
                plugin.Collect(mediator, definition, searcher)
            except (IOError, errors.PreProcessFail) as exception:
                logger.warning(
                    ('Unable to collect value from artifact definition: {0:s} '
                     'with error: {1!s}').format(artifact_name, exception))