def GetValue(self, searcher, unused_knowledge_base):
  """Resolves self.PATH to the relative path of its first match.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    The relative path of the first path specification that was found.

  Raises:
    PreProcessFail: if the path could not be found or the first match has
        no relative path.
  """
  # self.PATH is passed as a regular expression and matched without regard
  # to case, so several locations can match; only the first one is used.
  path_regex = file_system_searcher.FindSpec(
      location_regex=self.PATH, case_sensitive=False)
  matches = list(searcher.Find(find_specs=[path_regex]))
  if not matches:
    message = u'Unable to find path: {0:s}'.format(self.PATH)
    raise errors.PreProcessFail(message)

  first_relative_path = searcher.GetRelativePath(matches[0])
  if first_relative_path:
    return first_relative_path

  message = u'Missing relative path for: {0:s}'.format(self.PATH)
  raise errors.PreProcessFail(message)
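def _FindFileEntry(self, searcher, path):
  """Searches for the single file entry that matches the path.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    path: The location of the file entry relative to the file system
        of the searcher.

  Returns:
    The file entry as returned by searcher.GetFileEntryByPathSpec.
    NOTE(review): callers in this file still test the result for
    falsiness, so the searcher presumably can return None; confirm.

  Raises:
    errors.PreProcessFail: if the path does not match exactly one location
        or the file entry cannot be opened.
  """
  find_spec = file_system_searcher.FindSpec(
      location=path, case_sensitive=False)
  path_specs = list(searcher.Find(find_specs=[find_spec]))

  # The lookup ignores case, so more than one location can match. Zero or
  # several matches are both rejected instead of picking one arbitrarily.
  if len(path_specs) != 1:
    raise errors.PreProcessFail(u'Unable to find: {0:s}'.format(path))

  try:
    file_entry = searcher.GetFileEntryByPathSpec(path_specs[0])
  except IOError as exception:
    # "!s" instead of ":s": formatting an exception object with ":s" raises
    # TypeError on Python 3, which would replace the PreProcessFail that
    # callers expect and hide the original I/O error.
    raise errors.PreProcessFail(
        u'Unable to retrieve file entry: {0:s} with error: {1!s}'.format(
            path, exception))

  return file_entry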
def GetValue(self, searcher):
  """Resolves self.PATH to the location of its first match.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).

  Returns:
    The location attribute of the first path specification that was found.

  Raises:
    PreProcessFail: if the path could not be found or the first match has
        no location.
  """
  # self.PATH is passed as a regular expression and matched without regard
  # to case; when several locations match only the first one is used.
  path_regex = file_system_searcher.FindSpec(
      location_regex=self.PATH, case_sensitive=False)
  matches = list(searcher.Find(find_specs=[path_regex]))
  if not matches:
    message = u'Unable to find path: {0:s}'.format(self.PATH)
    raise errors.PreProcessFail(message)

  first_location = getattr(matches[0], 'location', None)
  if first_location:
    return first_location

  message = u'Missing path location for: {0:s}'.format(self.PATH)
  raise errors.PreProcessFail(message)
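def _ParseKey(self, knowledge_base, registry_key):
  """Parses a Windows Registry key for a preprocessing attribute.

  Reads the value named self._REGISTRY_VALUE_NAME from the key and hands
  its data to self._ParseValueData. A missing value or empty data is
  skipped silently.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    registry_key (WinRegistryKey): Windows Registry key.

  Raises:
    errors.PreProcessFail: if the Registry value or value data can not be
        retrieved.
  """
  try:
    registry_value = registry_key.GetValueByName(self._REGISTRY_VALUE_NAME)
  except IOError as exception:
    # "!s" instead of ":s": formatting an exception object with ":s" raises
    # TypeError on Python 3, so a damaged hive would surface as an
    # unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail((
        u'Unable to retrieve Registry key: {0:s}, value: {1:s} with '
        u'error: {2!s}').format(
            self._REGISTRY_KEY_PATH, self._REGISTRY_VALUE_NAME, exception))

  if not registry_value:
    return

  try:
    value_data = registry_value.GetDataAsObject()
  except IOError as exception:
    raise errors.PreProcessFail((
        u'Unable to retrieve Registry key: {0:s}, value: {1:s} data with '
        u'error: {2!s}').format(
            self._REGISTRY_KEY_PATH, self._REGISTRY_VALUE_NAME, exception))

  if not value_data:
    return

  self._ParseValueData(knowledge_base, value_data)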
def GetValue(self, searcher):
  """Determines the local time zone from a symbolic link target.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).

  Returns:
    The part of the link target of self.ZONE_FILE_PATH that follows
    "zoneinfo/", or an empty string if the target does not contain it.

  Raises:
    errors.PreProcessFail: if the file cannot be found or has no link
        target.
  """
  zone_file_path = self.ZONE_FILE_PATH
  zone_file_entry = self._FindFileEntry(searcher, zone_file_path)
  if not zone_file_entry:
    message = u'Unable to find file: {0:s}'.format(zone_file_path)
    raise errors.PreProcessFail(message)

  if not zone_file_entry.link:
    message = (
        u'Unable to retrieve timezone information from: {0:s}.'.format(
            zone_file_path))
    raise errors.PreProcessFail(message)

  # The link target comes from the source data and is returned as is; the
  # zone name is not checked against a list of known zones here.
  return zone_file_entry.link.partition(u'zoneinfo/')[2]
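def _OpenPlistFile(self, searcher, path_spec):
  """Opens a binary plist file and returns its top level object.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    path_spec: The path specification (instance of dfvfs.PathSpec)
        of the plist file.

  Returns:
    The top level object returned by binplist.BinaryPlist.Parse.

  Raises:
    errors.PreProcessFail: if the file cannot be parsed as a plist.
  """
  plist_file_location = getattr(path_spec, 'location', u'')
  file_entry = searcher.GetFileEntryByPathSpec(path_spec)
  file_object = file_entry.GetFileObject()
  # NOTE(review): file_object is never closed in this method. Confirm
  # whether the parsed object still reads from it before adding a close.

  try:
    plist_file = binplist.BinaryPlist(file_object)
    top_level_object = plist_file.Parse()

  except binplist.FormatError as exception:
    exception = utils.GetUnicodeString(exception)
    raise errors.PreProcessFail(
        u'File is not a plist: {0:s}'.format(exception))

  except OverflowError as exception:
    # "!s" instead of ":s": formatting an exception object with ":s" raises
    # TypeError on Python 3, so a malformed plist would surface as an
    # unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        u'Error processing: {0:s} with error: {1!s}'.format(
            plist_file_location, exception))

  if not plist_file:
    raise errors.PreProcessFail(
        u'File is not a plist: {0:s}'.format(plist_file_location))

  return top_level_object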
def GetValue(self, searcher, unused_knowledge_base):
  """Resolves self.PATH to a backslash separated relative path.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    The relative path of the first match. When that path starts with a
    forward slash, every forward slash is replaced by a backslash.

  Raises:
    PreProcessFail: if the path could not be found or the first match has
        no relative path.
  """
  matches = self._FindPathSpecs(searcher, self.PATH)
  if not matches:
    message = u'Unable to find path: {0:s}'.format(self.PATH)
    raise errors.PreProcessFail(message)

  # Only the first match is used, also when several locations match.
  first_relative_path = searcher.GetRelativePath(matches[0])
  if not first_relative_path:
    message = u'Missing relative path for: {0:s}'.format(self.PATH)
    raise errors.PreProcessFail(message)

  if not first_relative_path.startswith(u'/'):
    return first_relative_path

  return first_relative_path.replace(u'/', u'\\')
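def GetValue(self, searcher, unused_knowledge_base):
  """Determines the user accounts from the user plist files.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    A list containing username information dicts with the keys "uid",
    "path", "name" and "realname".

  Raises:
    errors.PreProcessFail: if no user plist file is found, a match has no
        location or no user could be read.
  """
  find_spec = file_system_searcher.FindSpec(
      location_regex=self.USER_PATH, case_sensitive=False)

  path_specs = list(searcher.Find(find_specs=[find_spec]))
  if not path_specs:
    raise errors.PreProcessFail(u'Unable to find user plist files.')

  users = []
  for path_spec in path_specs:
    plist_file_location = getattr(path_spec, 'location', u'')
    if not plist_file_location:
      raise errors.PreProcessFail(u'Missing user plist file location.')

    try:
      top_level_object = self._OpenPlistFile(searcher, path_spec)
    except IOError:
      # One unreadable plist must not stop the enumeration of the others.
      logging.warning(u'Unable to parse user plist file: {0:s}'.format(
          plist_file_location))
      continue

    try:
      match = plist_interface.GetKeysDefaultEmpty(
          top_level_object, self._KEYS)
    except KeyError as exception:
      # "!s" instead of ":s": formatting an exception object with ":s"
      # raises TypeError on Python 3, which would abort the whole user
      # enumeration instead of skipping this one plist.
      logging.warning(
          u'Unable to read user plist file: {0:s} with error: {1!s}'.format(
              plist_file_location, exception))
      continue

    # TODO: as part of artifacts, create a proper object for this.
    user = {
        'uid': match.get('uid', [-1])[0],
        'path': match.get('home', [u'<not set>'])[0],
        'name': match.get('name', [u'<not set>'])[0],
        'realname': match.get('realname', [u'N/A'])[0]}
    users.append(user)

  if not users:
    raise errors.PreProcessFail(u'Unable to find any users on the system.')

  return users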
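def GetValue(self, searcher, unused_knowledge_base):
  """Determines the user accounts from the user plist files.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    A list containing username information dicts with the keys "uid",
    "path", "name" and "realname".

  Raises:
    errors.PreProcessFail: if no user plist file is found or no user could
        be read.
  """
  path_specs = self._FindPathSpecs(searcher, self.USER_PATH)
  if not path_specs:
    raise errors.PreProcessFail(u'Unable to find user plist files.')

  users = []
  for path_spec in path_specs:
    file_entry = searcher.GetFileEntryByPathSpec(path_spec)

    root_key = self._GetPlistRootKey(file_entry)
    if not root_key:
      location = getattr(path_spec, u'location', u'')
      logging.warning(
          u'Missing root key in plist: {0:s}'.format(location))
      continue

    try:
      match = self._GetKeysDefaultEmpty(root_key, self._KEYS)
    except KeyError as exception:
      location = getattr(path_spec, u'location', u'')
      # "!s" instead of ":s": formatting an exception object with ":s"
      # raises TypeError on Python 3, which would abort the whole user
      # enumeration instead of skipping this one plist.
      logging.warning(
          u'Unable to read user plist file: {0:s} with error: {1!s}'.format(
              location, exception))
      continue

    # TODO: as part of artifacts, create a proper object for this.
    user = {
        u'uid': match.get(u'uid', [-1])[0],
        u'path': match.get(u'home', [u'<not set>'])[0],
        u'name': match.get(u'name', [u'<not set>'])[0],
        u'realname': match.get(u'realname', [u'N/A'])[0]}
    users.append(user)

  if not users:
    raise errors.PreProcessFail(u'Unable to find any users on the system.')

  return users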
def _ParseFileData(self, knowledge_base, file_object):
  """Parses plist file content (data) for a preprocessing attribute.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    file_object (dfvfs.FileIO): file-like object that contains the artifact
        value data.

  Returns:
    bool: the result of self._ParsePlistKeyValue for the selected key.

  Raises:
    errors.PreProcessFail: if the plist cannot be read, has no root key,
        contains none of self._PLIST_KEYS or the selected value is None.
  """
  artifact_name = self.ARTIFACT_DEFINITION_NAME

  parsed_plist = plist.PlistFile()
  try:
    parsed_plist.Read(file_object)
  except IOError as exception:
    message = 'Unable to read: {0:s} with error: {1!s}'.format(
        artifact_name, exception)
    raise errors.PreProcessFail(message)

  if not parsed_plist.root_key:
    message = 'Unable to read: {0:s} with error: missing root key'.format(
        artifact_name)
    raise errors.PreProcessFail(message)

  found_pairs = []
  self._FindKeys(parsed_plist.root_key, self._PLIST_KEYS, found_pairs)
  if not found_pairs:
    message = 'Unable to read: {0:s} with error: no such keys: {1:s}.'.format(
        artifact_name, ', '.join(self._PLIST_KEYS))
    raise errors.PreProcessFail(message)

  # Take the first pair with a truthy value; when no pair has one, the last
  # pair is used so that a None value can be reported below.
  name, value = next(
      (pair for pair in found_pairs if pair[1]), found_pairs[-1])

  if value is None:
    message = (
        'Unable to read: {0:s} with error: no values found for keys: '
        '{1:s}.').format(artifact_name, ', '.join(self._PLIST_KEYS))
    raise errors.PreProcessFail(message)

  return self._ParsePlistKeyValue(knowledge_base, name, value)
def _ParseFileEntry(self, knowledge_base, file_entry):
  """Parses a user plist file entry and stores the user account.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    file_entry (dfvfs.FileEntry): file entry that contains the artifact
        value data.

  Returns:
    bool: always False in this implementation, on every path.

  Raises:
    errors.PreProcessFail: if the plist has no root key or the keys cannot
        be read.
  """
  plist_root = self._GetPlistRootKey(file_entry)
  if not plist_root:
    plist_location = getattr(file_entry.path_spec, 'location', '')
    message = (
        'Unable to read: {0:s} plist: {1:s} with error: missing root '
        'key.').format(self.ARTIFACT_DEFINITION_NAME, plist_location)
    raise errors.PreProcessFail(message)

  try:
    match = self._GetKeysDefaultEmpty(plist_root, self._KEYS)
  except KeyError as exception:
    plist_location = getattr(file_entry.path_spec, 'location', '')
    message = 'Unable to read: {0:s} plist: {1:s} with error: {2!s}'.format(
        self.ARTIFACT_DEFINITION_NAME, plist_location, exception)
    raise errors.PreProcessFail(message)

  def _FirstValue(key):
    """Returns the first value stored for key or None if key is absent."""
    return match.get(key, [None])[0]

  name = _FirstValue('name')
  uid = _FirstValue('uid')

  # NOTE(review): this is a truthiness test, so a numeric uid of 0 would be
  # skipped like a missing one. Presumably the plist stores uids as strings;
  # confirm, otherwise the root account is never recorded.
  if not (name and uid):
    # TODO: add and store preprocessing errors.
    return False

  account = artifacts.UserAccountArtifact(identifier=uid, username=name)
  account.group_identifier = _FirstValue('gid')
  account.full_name = _FirstValue('realname')
  account.shell = _FirstValue('shell')
  account.user_directory = _FirstValue('home')

  try:
    knowledge_base.AddUserAccount(account)
  except KeyError:
    # TODO: add and store preprocessing errors.
    pass

  return False
def _ParseFileData(self, mediator, file_object):
  """Parses plist file content (data) for a preprocessing attribute.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    file_object (dfvfs.FileIO): file-like object that contains the artifact
        value data.

  Raises:
    errors.PreProcessFail: if the plist cannot be read, has no root key,
        contains none of self._PLIST_KEYS or the selected value is None.
  """
  artifact_name = self.ARTIFACT_DEFINITION_NAME

  parsed_plist = plist.PlistFile()
  try:
    parsed_plist.Read(file_object)
  except IOError as exception:
    message = 'Unable to read: {0:s} with error: {1!s}'.format(
        artifact_name, exception)
    raise errors.PreProcessFail(message)

  if not parsed_plist.root_key:
    message = 'Unable to read: {0:s} with error: missing root key'.format(
        artifact_name)
    raise errors.PreProcessFail(message)

  found_pairs = []
  self._FindKeys(parsed_plist.root_key, self._PLIST_KEYS, found_pairs)
  if not found_pairs:
    message = 'Unable to read: {0:s} with error: no such keys: {1:s}.'.format(
        artifact_name, ', '.join(self._PLIST_KEYS))
    raise errors.PreProcessFail(message)

  # Take the first pair with a truthy value; when no pair has one, the last
  # pair is used so that a None value can be reported below.
  name, value = next(
      (pair for pair in found_pairs if pair[1]), found_pairs[-1])

  if value is None:
    message = (
        'Unable to read: {0:s} with error: no values found for keys: '
        '{1:s}.').format(artifact_name, ', '.join(self._PLIST_KEYS))
    raise errors.PreProcessFail(message)

  self._ParsePlistKeyValue(mediator, name, value)
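def ParseFile(self, file_entry, file_object):
  """Parses the plist file and returns the parsed key.

  Args:
    file_entry: The file entry (instance of dfvfs.FileEntry).
    file_object: The file-like object.

  Returns:
    The result of self.ParseKey for the first key defined by PLIST_KEYS
    that is found.

  Raises:
    errors.PreProcessFail: if the file is not a plist or none of the keys
        is found.
  """
  try:
    plist_file = binplist.BinaryPlist(file_object)
    top_level_object = plist_file.Parse()

  # "!s" instead of ":s" in both handlers: formatting an exception object
  # with ":s" raises TypeError on Python 3, so a malformed plist would
  # surface as an unrelated TypeError instead of PreProcessFail.
  except binplist.FormatError as exception:
    raise errors.PreProcessFail(
        u'File is not a plist: {0:s} with error: {1!s}'.format(
            file_entry.path_spec.comparable, exception))

  except OverflowError as exception:
    raise errors.PreProcessFail(
        u'Unable to process plist: {0:s} with error: {1!s}'.format(
            file_entry.path_spec.comparable, exception))

  if not plist_file:
    raise errors.PreProcessFail(u'File is not a plist: {0:s}'.format(
        file_entry.path_spec.comparable))

  match = None
  key_name = ''
  # The keys are tried in the order of self.PLIST_KEYS; the first one that
  # yields a match wins.
  for plist_key in self.PLIST_KEYS:
    try:
      match = plist_interface.GetKeys(
          top_level_object, frozenset([plist_key]))
    except KeyError:
      continue

    if match:
      key_name = plist_key
      break

  if not match:
    raise errors.PreProcessFail(
        u'Keys not found inside plist file: {0:s}.'.format(
            u','.join(self.PLIST_KEYS)))

  return self.ParseKey(match, key_name)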
def GetValue(self, searcher, unused_knowledge_base):
  """Returns a value retrieved from keys within a plist file.

  The names of the keys are defined in PLIST_KEYS and the plist file is
  located at PLIST_PATH.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    The result of self.ParseValue for the selected key and value.

  Raises:
    errors.PreProcessFail: if the file cannot be opened, has no root key,
        contains none of the keys or the selected value is None.
  """
  plist_entry = self._FindFileEntry(searcher, self.PLIST_PATH)
  if not plist_entry:
    message = u'Unable to open file: {0:s}'.format(self.PLIST_PATH)
    raise errors.PreProcessFail(message)

  plist_root = self._GetPlistRootKey(plist_entry)
  if not plist_root:
    plist_location = getattr(plist_entry.path_spec, u'location', u'')
    message = u'Missing root key in plist: {0:s}'.format(plist_location)
    raise errors.PreProcessFail(message)

  found_pairs = []
  self._FindKeys(plist_root, self.PLIST_KEYS, found_pairs)
  if not found_pairs:
    message = u'No such keys: {0:s}.'.format(u', '.join(self.PLIST_KEYS))
    raise errors.PreProcessFail(message)

  # Take the first pair with a truthy value; when no pair has one, the last
  # pair is used so that a None value can be reported below.
  key_name, key_value = next(
      (pair for pair in found_pairs if pair[1]), found_pairs[-1])

  if key_value is None:
    message = u'No values found for keys: {0:s}.'.format(
        u', '.join(self.PLIST_KEYS))
    raise errors.PreProcessFail(message)

  return self.ParseValue(key_name, key_value)
def _ParsePathSpecification(
    self, knowledge_base, searcher, file_system, path_specification,
    path_separator):
  """Opens the file entry of a path specification and parses it.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    path_specification (dfvfs.PathSpec): path specification that contains
        the artifact value data.
    path_separator (str): path segment separator.

  Raises:
    PreProcessFail: if the file entry cannot be retrieved.
  """
  try:
    entry = searcher.GetFileEntryByPathSpec(path_specification)
  except IOError as exception:
    # The path is only needed for the error message; it is rewritten with
    # the requested separator when that differs from the file system's own.
    display_path = searcher.GetRelativePath(path_specification)
    if path_separator != file_system.PATH_SEPARATOR:
      segments = file_system.SplitPath(display_path)
      display_path = '{0:s}{1:s}'.format(
          path_separator, path_separator.join(segments))

    message = (
        'Unable to retrieve file entry: {0:s} with error: '
        '{1!s}').format(display_path, exception)
    raise errors.PreProcessFail(message)

  self._ParseFileEntry(knowledge_base, entry)
def _ParseFileEntry(self, mediator, file_entry):
  """Sets the time zone from the target of a symbolic link.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    file_entry (dfvfs.FileEntry): file entry that contains the artifact
        value data.

  Raises:
    errors.PreProcessFail: if the file entry is missing or has no link
        target.
  """
  if not (file_entry and file_entry.link):
    message = 'Unable to read: {0:s} with error: not a symbolic link'.format(
        self.ARTIFACT_DEFINITION_NAME)
    raise errors.PreProcessFail(message)

  # Everything after "zoneinfo/" in the link target is the zone name; a
  # target without that marker yields an empty name and is ignored.
  zone_name = file_entry.link.partition('zoneinfo/')[2]
  if not zone_name:
    return

  try:
    mediator.SetTimeZone(zone_name)
  except ValueError:
    # The name comes from the source data; a rejected name is reported as
    # a warning and does not abort preprocessing.
    mediator.ProducePreprocessingWarning(
        self.ARTIFACT_DEFINITION_NAME,
        'Unable to set time zone in knowledge base.')
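def GetValue(self, searcher, unused_knowledge_base):
  """Determines the hostname based on the contents of /etc/hostname.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    The hostname, which is the content of the file up to the first newline
    within the first 512 units that are read.

  Raises:
    errors.PreProcessFail: if the file entry cannot be found.
  """
  path = u'/etc/hostname'
  file_entry = self._FindFileEntry(searcher, path)
  if not file_entry:
    raise errors.PreProcessFail(
        u'Unable to find file entry for path: {0:s}.'.format(path))

  file_object = file_entry.GetFileObject()
  try:
    # The read is bounded because the file comes from the source data and
    # its size is not under the control of this code.
    file_data = file_object.read(512)
  finally:
    # Close the file object also when the read fails, so that a damaged
    # image does not leak an open handle per attempt.
    file_object.close()

  # NOTE(review): partition('\n') requires read() to return text; if the
  # file object returns bytes on Python 3 this raises TypeError. Confirm.
  hostname, _, _ = file_data.partition('\n')
  return u'{0:s}'.format(hostname)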
def _ParsePathSpecification(
    self, mediator, searcher, file_system, path_specification,
    path_separator):
  """Opens the file entry of a path specification and parses it.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    path_specification (dfvfs.PathSpec): path specification that contains
        the artifact value data.
    path_separator (str): path segment separator.

  Raises:
    PreProcessFail: if the file entry cannot be retrieved.
  """
  try:
    entry = searcher.GetFileEntryByPathSpec(path_specification)
  except IOError as exception:
    # The path is only needed for the error message; it is rewritten with
    # the requested separator when that differs from the file system's own.
    display_path = searcher.GetRelativePath(path_specification)
    if path_separator != file_system.PATH_SEPARATOR:
      segments = file_system.SplitPath(display_path)
      display_path = '{0:s}{1:s}'.format(
          path_separator, path_separator.join(segments))

    message = (
        'Unable to retrieve file entry: {0:s} with error: '
        '{1!s}').format(display_path, exception)
    raise errors.PreProcessFail(message)

  # The mediator is only told about an entry that exists; the entry is
  # passed on to _ParseFileEntry either way.
  if entry:
    mediator.SetFileEntry(entry)

  self._ParseFileEntry(mediator, entry)
def GetValue(self, searcher, unused_knowledge_base):
  """Determines the timezone based on the contents of /etc/timezone.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).
    unused_knowledge_base: A knowledge base object (instance of
        KnowledgeBase); not used by this method.

  Returns:
    The first line of the file with surrounding whitespace removed, which
    is expected to be a tzdata (Olsen) timezone name (for example,
    America/New_York).

  Raises:
    errors.PreProcessFail: if the file entry cannot be found.
  """
  timezone_path = u'/etc/timezone'
  timezone_entry = self._FindFileEntry(searcher, timezone_path)
  if not timezone_entry:
    message = u'Unable to find file entry for path: {0:s}.'.format(
        timezone_path)
    raise errors.PreProcessFail(message)

  raw_file = timezone_entry.GetFileObject()
  try:
    # Only the first line is read; the value is returned without checking
    # it against a list of known zone names.
    first_line = text_file.TextFile(raw_file).readline()
  finally:
    raw_file.close()

  return first_line.strip()
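def _ParseValueData(self, knowledge_base, value_data):
  """Sets the code page from Windows Registry value data.

  The code page is only set when the knowledge base does not have one yet.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # "!s" instead of ":s": formatting a type object with ":s" raises
    # TypeError on Python 3, so Registry data of an unexpected type would
    # surface as an unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        'Unsupported Windows Registry value type: {0!s} for '
        'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # Map the Windows code page name to a Python equivalent name. The value
  # comes from the source data; a name SetCodepage rejects is ignored below.
  codepage = 'cp{0:s}'.format(value_data)

  if not knowledge_base.codepage:
    try:
      knowledge_base.SetCodepage(codepage)
    except ValueError:
      # TODO: add and store preprocessing errors.
      pass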
def _ParseFileEntry(self, knowledge_base, file_entry):
  """Sets the time zone from the target of a symbolic link.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    file_entry (dfvfs.FileEntry): file entry that contains the artifact
        value data.

  Returns:
    bool: True if the time zone was set in the knowledge base, False if the
        link target has no zone name or the knowledge base rejected it.

  Raises:
    errors.PreProcessFail: if the file entry is missing or has no link
        target.
  """
  if not (file_entry and file_entry.link):
    message = 'Unable to read: {0:s} with error: not a symbolic link'.format(
        self.ARTIFACT_DEFINITION_NAME)
    raise errors.PreProcessFail(message)

  # Everything after "zoneinfo/" in the link target is the zone name.
  zone_name = file_entry.link.partition('zoneinfo/')[2]
  if not zone_name:
    return False

  try:
    knowledge_base.SetTimeZone(zone_name)
  except ValueError:
    # TODO: add and store preprocessing errors.
    return False

  return True
def _ParseKey(self, mediator, registry_key, value_name):
  """Parses a Windows Registry key for a preprocessing attribute.

  A missing value or empty value data is skipped silently.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    value_name (str): name of the Windows Registry value or None if not
        specified.

  Raises:
    PreProcessFail: if the Registry value cannot be retrieved.
  """
  try:
    value = registry_key.GetValueByName(value_name)
  except IOError as exception:
    message = (
        'Unable to retrieve Windows Registry key: {0:s} value: {1:s} '
        'with error: {2!s}').format(
            registry_key.path, value_name, exception)
    raise errors.PreProcessFail(message)

  if not value:
    return

  # NOTE(review): unlike GetValueByName, this call is not wrapped in an
  # IOError handler; confirm whether it can fail on a damaged hive.
  data = value.GetDataAsObject()
  if not data:
    return

  self._ParseValueData(mediator, data)
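def _ParseValueData(self, knowledge_base, value_data):
  """Sets the time zone from Windows Registry value data.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # "!s" instead of ":s": formatting a type object with ":s" raises
    # TypeError on Python 3, so Registry data of an unexpected type would
    # surface as an unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        'Unsupported Windows Registry value type: {0!s} for '
        'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # Map the Windows time zone name to a Python equivalent name. The lookup
  # key is the name without spaces; an unknown name is passed on unchanged.
  lookup_key = value_data.replace(' ', '')

  time_zone = time_zones.TIME_ZONES.get(lookup_key, value_data)
  # TODO: check if time zone is set in knowledge base.
  if time_zone:
    try:
      # Catch and warn about unsupported preprocessor plugin.
      knowledge_base.SetTimeZone(time_zone)
    except ValueError:
      # TODO: add and store preprocessing errors.
      logger.warning(
          'Unable to map: "{0:s}" to time zone'.format(value_data))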
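def _ParseValueData(self, knowledge_base, value_data):
  """Stores Windows Registry value data as an environment variable.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Returns:
    bool: True if the environment variable was added to the knowledge base,
        False if the knowledge base raised KeyError.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # "!s" instead of ":s": formatting a type object with ":s" raises
    # TypeError on Python 3, so Registry data of an unexpected type would
    # surface as an unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        u'Unsupported Windows Registry value type: {0!s} for '
        u'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # The value is stored as found in the source data, under the name
  # self._NAME and flagged as case insensitive.
  environment_variable = artifacts.EnvironmentVariableArtifact(
      case_sensitive=False, name=self._NAME, value=value_data)

  try:
    knowledge_base.AddEnvironmentVariable(environment_variable)
  except KeyError:
    # TODO: add and store preprocessing errors.
    return False

  return True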
def _ParsePathSpecification(
    self, knowledge_base, searcher, file_system, path_specification,
    path_separator):
  """Stores the relative path of a path specification as a variable.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
        the file system.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    path_specification (dfvfs.PathSpec): path specification that contains
        the artifact value data.
    path_separator (str): path segment separator.

  Raises:
    errors.PreProcessFail: if the path specification has no relative path.
  """
  variable_value = searcher.GetRelativePath(path_specification)
  if not variable_value:
    message = (
        'Unable to read: {0:s} with error: missing relative path'.format(
            self.ARTIFACT_DEFINITION_NAME))
    raise errors.PreProcessFail(message)

  # Rewrite the path with the requested separator when that differs from
  # the separator of the file system.
  if path_separator != file_system.PATH_SEPARATOR:
    segments = file_system.SplitPath(variable_value)
    variable_value = '{0:s}{1:s}'.format(
        path_separator, path_separator.join(segments))

  variable = artifacts.EnvironmentVariableArtifact(
      case_sensitive=False, name=self._NAME, value=variable_value)

  try:
    knowledge_base.AddEnvironmentVariable(variable)
  except KeyError:
    # TODO: add and store preprocessing errors.
    pass
def _GetPlistRootKey(self, file_entry):
  """Reads a plist file and returns its root key.

  Args:
    file_entry (dfvfs.FileEntry): file entry of the plist.

  Returns:
    dict[str, object]: plist root key.

  Raises:
    errors.PreProcessFail: if the plist file cannot be read.
  """
  plist_stream = file_entry.GetFileObject()

  try:
    parsed_plist = plist.PlistFile()
    parsed_plist.Read(plist_stream)

  except IOError as exception:
    plist_location = getattr(file_entry.path_spec, 'location', '')
    message = 'Unable to read plist file: {0:s} with error: {1!s}'.format(
        plist_location, exception)
    raise errors.PreProcessFail(message)

  finally:
    # The file object is closed on success and on failure alike.
    plist_stream.close()

  return parsed_plist.root_key
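def GetValue(self, searcher):
  """Returns a value retrieved from keys within a plist file.

  The names of the keys are defined in PLIST_KEYS and the plist file is
  located at PLIST_PATH.

  Args:
    searcher: The file system searcher object (instance of
        dfvfs.FileSystemSearcher).

  Returns:
    The result of self.ParseFile for the plist file.

  Raises:
    errors.PreProcessFail: if the file cannot be opened.
  """
  file_entry = self._FindFileEntry(searcher, self.PLIST_PATH)
  if not file_entry:
    raise errors.PreProcessFail(u'Unable to open file: {0:s}'.format(
        self.PLIST_PATH))

  file_object = file_entry.GetFileObject()
  try:
    value = self.ParseFile(file_entry, file_object)
  finally:
    # Close the file object also when parsing fails, so that a malformed
    # plist does not leak an open handle.
    file_object.close()

  return value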
def Run(self, searcher, knowledge_base):
  """Sets the time zone from the link target of self._PATH.

  Nothing is set when the file entry is not found or its link target has
  no zone name after "zoneinfo/".

  Args:
    searcher (dfvfs.FileSystemSearcher): file system searcher.
    knowledge_base (KnowledgeBase): to fill with preprocessing information.

  Raises:
    errors.PreProcessFail: if the file entry has no link target.
  """
  zone_entry = self._FindFileEntry(searcher, self._PATH)
  if zone_entry:
    if not zone_entry.link:
      message = (
          u'Unable to retrieve time zone information from: {0:s}.'.format(
              self._PATH))
      raise errors.PreProcessFail(message)

    zone_name = zone_entry.link.partition(u'zoneinfo/')[2]
    if zone_name:
      try:
        knowledge_base.SetTimeZone(zone_name)
      except ValueError:
        # TODO: add and store preprocessing errors.
        pass
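def _ParseValueData(self, knowledge_base, value_data):
  """Sets the code page from Windows Registry value data.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Returns:
    bool: True if the code page was set in the knowledge base, False if the
        knowledge base rejected it with ValueError.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # "!s" instead of ":s": formatting a type object with ":s" raises
    # TypeError on Python 3, so Registry data of an unexpected type would
    # surface as an unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        u'Unsupported Windows Registry value type: {0!s} for '
        u'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # Map the Windows code page name to a Python equivalent name. The value
  # comes from the source data; a name SetCodepage rejects is ignored below.
  codepage = u'cp{0:s}'.format(value_data)

  try:
    knowledge_base.SetCodepage(codepage)
  except ValueError:
    # TODO: add and store preprocessing errors.
    return False

  return True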
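def _ParseValueData(self, knowledge_base, value_data):
  """Stores Windows Registry value data as an environment variable.

  Args:
    knowledge_base (KnowledgeBase): to fill with preprocessing information.
    value_data (object): Windows Registry value data.

  Raises:
    errors.PreProcessFail: if the value data is not a Unicode string.
  """
  if not isinstance(value_data, py2to3.UNICODE_TYPE):
    # "!s" instead of ":s": formatting a type object with ":s" raises
    # TypeError on Python 3, so Registry data of an unexpected type would
    # surface as an unrelated TypeError instead of PreProcessFail.
    raise errors.PreProcessFail(
        'Unsupported Windows Registry value type: {0!s} for '
        'artifact: {1:s}.'.format(
            type(value_data), self.ARTIFACT_DEFINITION_NAME))

  # The value is stored as found in the source data, under the name
  # self._NAME and flagged as case insensitive.
  environment_variable = artifacts.EnvironmentVariableArtifact(
      case_sensitive=False, name=self._NAME, value=value_data)

  try:
    logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
        self._NAME, value_data))
    knowledge_base.AddEnvironmentVariable(environment_variable)
  except KeyError:
    # TODO: add and store preprocessing errors.
    pass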