コード例 #1
ファイル: ntfs.py プロジェクト: vonnopsled/plaso
import uuid

import construct
import pyfsntfs

from plaso import dependencies
from plaso.events import file_system_events
from plaso.events import windows_events
from plaso.lib import eventdata
from plaso.lib import specification
from plaso.parsers import interface
from plaso.parsers import manager


# Import-time guard: raises ImportError when pyfsntfs cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so a missing binding surfaces when this module is
# imported rather than on first use.
dependencies.CheckModuleVersion(u'pyfsntfs')


class NTFSMFTParser(interface.FileObjectParser):
  """Parses a NTFS $MFT metadata file."""

  _INITIAL_FILE_OFFSET = None

  NAME = u'mft'
  DESCRIPTION = u'Parser for NTFS $MFT metadata files.'

  # NTFS MFT attribute type codes. The values are the standard on-disk type
  # identifiers of the $STANDARD_INFORMATION, $FILE_NAME and $OBJECT_ID
  # attributes; how the parser uses them is not visible in this excerpt.
  _MFT_ATTRIBUTE_STANDARD_INFORMATION = 0x00000010
  _MFT_ATTRIBUTE_FILE_NAME = 0x00000030
  _MFT_ATTRIBUTE_OBJECT_ID = 0x00000040

  @classmethod
コード例 #2
ファイル: shell_items.py プロジェクト: vertigo0001/plaso
# -*- coding: utf-8 -*-
"""Parser for Windows NT shell items."""

import pyfwsi

from plaso import dependencies
from plaso.events import shell_item_events
from plaso.lib import eventdata
from plaso.winnt import shell_folder_ids


# Import-time guard: raises ImportError when pyfwsi cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyfwsi')


class ShellItemsParser(object):
  """Parser for Windows NT shell items."""

  NAME = u'shell_items'

  def __init__(self, origin):
    """Initializes the parser.

    Args:
      origin: A string containing the origin of the event (event source).
    """
    super(ShellItemsParser, self).__init__()
    self._origin = origin
    self._path_segments = []

  def _ParseShellItem(self, parser_mediator, shell_item):
    """Parses a shell item.
コード例 #3
# -*- coding: utf-8 -*-
"""Parser for OLE Compound Files (OLECF)."""

import logging

import pyolecf

from plaso import dependencies
from plaso.lib import errors
from plaso.lib import specification
from plaso.parsers import interface
from plaso.parsers import manager


# Import-time guard: raises ImportError when pyolecf cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyolecf')


class OleCfParser(interface.SingleFileBasePluginsParser):
  """Parses OLE Compound Files (OLECF)."""

  _INITIAL_FILE_OFFSET = None

  NAME = u'olecf'
  DESCRIPTION = u'Parser for OLE Compound Files (OLECF).'

  _plugin_classes = {}

  def __init__(self):
    """Initializes an OLECF parser and collects its plugin objects."""
    super(OleCfParser, self).__init__()
    # GetPluginObjects is provided outside this excerpt; it is deliberately
    # resolved through the class name rather than through self.
    plugin_objects = OleCfParser.GetPluginObjects()
    self._plugins = plugin_objects
コード例 #4
import uuid

import pylnk

from plaso import dependencies
from plaso.containers import time_events
from plaso.containers import windows_events
from plaso.lib import eventdata
from plaso.lib import specification
from plaso.parsers import interface
from plaso.parsers import manager
from plaso.parsers.shared import shell_items


# Import-time guard: raises ImportError when pylnk cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pylnk')


class WinLnkLinkEvent(time_events.FiletimeEvent):
  """Convenience class for a Windows Shortcut (LNK) link event.

  Attributes:
    birth_droid_file_identifier: the distributed link tracking birth droid
                                 file identifier.
    birth_droid_volume_identifier: the distributed link tracking birth droid
                                   volume identifier.
    command_line_arguments: the command line arguments.
    description: the description of the linked item.
    drive_serial_number: the drive serial number where the linked item resides.
    drive_type: the drive type where the linked item resided.
    droid_file_identifier: the distributed link tracking droid file
コード例 #5
ファイル: winevt.py プロジェクト: robeweber/plaso
# -*- coding: utf-8 -*-
"""Parser for Windows EventLog (EVT) files."""

import pyevt

from plaso import dependencies
from plaso.containers import time_events
from plaso.lib import eventdata
from plaso.lib import specification
from plaso.parsers import interface
from plaso.parsers import manager


# Import-time guard: raises ImportError when pyevt cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyevt')


class WinEvtRecordEvent(time_events.PosixTimeEvent):
  """Convenience class for a Windows EventLog (EVT) record event.

  Attributes:
    computer_name (str): computer name stored in the event record.
    event_category (int): event category.
    event_identifier (int): event identifier.
    event_type (int): event type.
    facility (int): event facility.
    message_identifier (int): event message identifier.
    offset (int): data offset of the event record within the file.
    record_number (int): event record number.
    recovered (bool): True if the record was recovered.
    severity (int): event severity.
    source_name (str): name of the event source.
コード例 #6
    def testCheckModuleVersion(self):
        """Tests that CheckModuleVersion accepts an available module and rejects an unknown one."""
        # An available dependency passes without raising.
        dependencies.CheckModuleVersion(u'dfdatetime')

        # A module name that cannot be imported is reported as ImportError.
        self.assertRaises(
            ImportError, dependencies.CheckModuleVersion, u'bogus')
コード例 #7
ファイル: esedb.py プロジェクト: robeweber/plaso
# -*- coding: utf-8 -*-
"""Parser for Extensible Storage Engine (ESE) database files (EDB)."""

import pyesedb

from plaso import dependencies
from plaso.lib import specification
from plaso.parsers import interface
from plaso.parsers import manager
from plaso.parsers import plugins

# Import-time guard: raises ImportError when pyesedb cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyesedb')


class ESEDBCache(plugins.BasePluginCache):
    """Cache of query results shared between ESEDB plugins."""

    def StoreDictInCache(self, attribute_name, dict_object):
        """Stores a dictionary on the cache under the given attribute name.

        Args:
          attribute_name (str): name of the attribute to store the dictionary
              under; an existing attribute of that name is replaced.
          dict_object (dict): dictionary to store.
        """
        setattr(self, attribute_name, dict_object)


class ESEDBParser(interface.FileObjectParser):
    """Parses Extensible Storage Engine (ESE) database files (EDB)."""

    _INITIAL_FILE_OFFSET = None
コード例 #8
ファイル: fake.py プロジェクト: mutedmouse/plaso
# -*- coding: utf-8 -*-
"""Fake Windows Registry objects implementation."""

import calendar

import construct

from plaso import dependencies
from plaso.dfwinreg import definitions
from plaso.dfwinreg import errors
from plaso.dfwinreg import interface

# Import-time guard: raises ImportError when construct cannot be imported
# (and, presumably, when it is older than the version plaso requires —
# confirm in plaso.dependencies), so the problem surfaces at import rather
# than on first use.
dependencies.CheckModuleVersion(u'construct')


# TODO: give this class a place of its own when dfwinreg is split off.
class Filetime(object):
    """Class that implements a FILETIME timestamp.

  The FILETIME timestamp is a 64-bit integer that contains the number
  of 100-nanosecond intervals since 1601-01-01 00:00:00.

  Do not confuse this with the FILETIME structure that consists of
  2 x 32-bit integers and is presumed to be unsigned.

  Attributes:
    timestamp: the FILETIME timestamp.
  """

    # The difference between Jan 1, 1601 and Jan 1, 1970 in seconds.
    _FILETIME_TO_POSIX_BASE = 11644473600L
コード例 #9
ファイル: winprefetch.py プロジェクト: burdzwastaken/plaso
# -*- coding: utf-8 -*-
"""Parser for Windows Prefetch files."""

import pyscca

from plaso import dependencies
from plaso.containers import time_events
from plaso.containers import windows_events
from plaso.lib import eventdata
from plaso.lib import specification
from plaso.lib import timelib
from plaso.parsers import interface
from plaso.parsers import manager


# Import-time guard: raises ImportError when pyscca cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyscca')


class WinPrefetchExecutionEvent(time_events.FiletimeEvent):
  """Class that defines a Windows Prefetch execution event.

  Attributes:
    executable: a string containing the executable filename.
    format_version: an integer containing the format version.
    mapped_files: a list of strings containing the mapped filenames.
    number_of_volumes: an integer containing the number of volumes.
    path: a path to the executable.
    prefetch_hash: an integer containing the prefetch hash.
    run_count: an integer containing the run count.
    volume_device_paths: a list of strings containing volume device path
                         strings.
コード例 #10
ファイル: regf.py プロジェクト: vertigo0001/plaso
# -*- coding: utf-8 -*-
"""Pyregf specific implementation for the Windows Registry file access."""

import logging

import pyregf

from plaso import dependencies
from plaso.dfwinreg import interface
from plaso.lib import errors
from plaso.lib import timelib

# Import-time guard: raises ImportError when pyregf cannot be imported (and,
# presumably, when it is older than the version plaso requires — confirm in
# plaso.dependencies), so the problem surfaces at import rather than on first
# use.
dependencies.CheckModuleVersion(u'pyregf')


class WinPyregfKey(interface.WinRegKey):
    """Implementation of a Windows Registry key using pyregf."""
    def __init__(self, pyregf_key, parent_path=u'', root=False):
        """Initializes a Windows Registry key object.

    Args:
      pyregf_key: An instance of a pyregf.key object.
      parent_path: The path of the parent key.
      root: A boolean value indicating we are dealing with a root key.
    """
        super(WinPyregfKey, self).__init__()
        self._pyregf_key = pyregf_key
        # Adding few checks to make sure the root key is not
        # invalid in plugin checks (root key is equal to the
        # path separator).
        if parent_path == self.PATH_SEPARATOR: