def testParseOnCorruptFile(self):
"""Tests the Parse function on a corrupt bodyfile."""
parser = mactime.MactimeParser()
storage_writer = self._ParseFile(['corrupt.body'], parser)
self.assertEqual(storage_writer.number_of_events, 10)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 1)
events = list(storage_writer.GetSortedEvents())
# Event extracted from line with unescaped \r character.
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2012-05-25 16:00:53',
'filename': '/passwords\r.txt',
'inode': 15,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[3], expected_event_values)
# Event extracted from line with unescaped \\ character.
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2019-03-19 04:37:22',
'filename': '/Windows\\System32',
'inode': 75520,
'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
}
self.CheckEventValues(storage_writer, events[6], expected_event_values)
def testParse(self):
"""Tests the Parse function."""
parser = mactime.MactimeParser()
storage_writer = self._ParseFile(['mactime.body'], parser)
# The file contains 13 lines x 4 timestamps per line, which should be
# 52 events in total. However several of these events have an empty
# timestamp value and are omitted.
# Total entries: 11 * 3 + 2 * 4 = 41
self.assertEqual(storage_writer.number_of_events, 41)
# The order in which DSVParser generates events is nondeterministic
# hence we sort the events.
events = list(storage_writer.GetSortedEvents())
# Test this entry:
# 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583|
# 1337961584|1337961585|0
event = events[21]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-05-25 15:59:43')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_ACCESS)
self.assertEqual(event.inode, 16)
event = events[22]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-05-25 15:59:44')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
event = events[23]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-05-25 15:59:45')
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CHANGE)
expected_filename = '/a_directory/another_file'
self.assertEqual(event.filename, expected_filename)
self.assertEqual(event.mode_as_string, 'r/rrw-------')
self._TestGetMessageStrings(event, expected_filename,
expected_filename)
def testParse(self):
"""Tests the Parse function."""
parser_object = mactime.MactimeParser()
test_file = self._GetTestFilePath([u'mactime.body'])
event_queue_consumer = self._ParseFile(parser_object, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The file contains 13 lines x 4 timestamps per line, which should be
# 52 events in total. However several of these events have an empty
# timestamp value and are omitted.
# Total entries: 11 * 3 + 2 * 4 = 41
self.assertEqual(len(event_objects), 41)
# Test this entry:
# 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583|
# 1337961584|1337961585|0
event_object = event_objects[21]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-05-25 15:59:43')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.ACCESS_TIME)
self.assertEqual(event_object.inode, 16)
expected_string = u'/a_directory/another_file'
self._TestGetMessageStrings(event_object, expected_string, expected_string)
event_object = event_objects[22]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-05-25 15:59:44')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.MODIFICATION_TIME)
event_object = event_objects[23]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-05-25 15:59:45')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.CHANGE_TIME)
self.assertEqual(event_object.filename, u'/a_directory/another_file')
self.assertEqual(event_object.mode_as_string, u'r/rrw-------')
def testParse(self):
"""Tests the Parse function."""
parser = mactime.MactimeParser()
storage_writer = self._ParseFile(['mactime.body'], parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 67)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetSortedEvents())
# Test this entry:
# 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583|
# 1337961584|1337961585|0
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2012-05-25 15:59:43',
'inode': 16,
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS
}
self.CheckEventValues(storage_writer, events[25],
expected_event_values)
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2012-05-25 15:59:44',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[26],
expected_event_values)
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2012-05-25 15:59:45',
'filename': '/a_directory/another_file',
'mode_as_string': 'r/rrw-------',
'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE
}
self.CheckEventValues(storage_writer, events[27],
expected_event_values)
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2012-05-25 16:17:43',
'filename': '/passwordz\r.txt',
'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE
}
self.CheckEventValues(storage_writer, events[38],
expected_event_values)
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2020-07-30 06:41:05.354067456',
'filename': '/file|with|pipes',
'mode_as_string': 'r/rrwxrwxrwx',
'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE
}
self.CheckEventValues(storage_writer, events[55],
expected_event_values)
expected_event_values = {
'data_type': 'fs:mactime:line',
'date_time': '2020-08-19 18:48:01',
'filename': '/file_symboliclink1',
'mode_as_string': 'l/lrwxrwxrwx',
'symbolic_link_target': '/mnt/ext/testdir1/testfile1',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[64],
expected_event_values)
def setUp(self):
"""Makes preparations before running an individual test."""
self._parser = mactime.MactimeParser()
def setUp(self):
"""Sets up the needed objects used throughout the test."""
pre_obj = event.PreprocessObject()
self._parser = mactime.MactimeParser(pre_obj, None)
def testParse(self):
"""Tests the Parse function."""
parser = mactime.MactimeParser()
storage_writer = self._ParseFile(['mactime.body'], parser)
# The file contains 17 lines x 4 timestamps per line, which should be
# 68 events in total. However several of these events have an empty
# timestamp value and are omitted.
# Total entries: ( 11 * 3 ) + ( 6 * 4 ) = 41
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 60)
# The order in which DSVParser generates events is nondeterministic
# hence we sort the events.
events = list(storage_writer.GetSortedEvents())
# Test this entry:
# 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583|
# 1337961584|1337961585|0
expected_event_values = {
'inode': 16,
'timestamp': '2012-05-25 15:59:43.000000',
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS
}
self.CheckEventValues(storage_writer, events[21],
expected_event_values)
expected_event_values = {
'timestamp': '2012-05-25 15:59:44.000000',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[22],
expected_event_values)
expected_filename = '/a_directory/another_file'
expected_event_values = {
'filename': expected_filename,
'mode_as_string': 'r/rrw-------',
'timestamp': '2012-05-25 15:59:45.000000',
'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE
}
self.CheckEventValues(storage_writer, events[23],
expected_event_values)
event_data = self._GetEventDataOfEvent(storage_writer, events[23])
self._TestGetMessageStrings(event_data, expected_filename,
expected_filename)
expected_filename = '/file|with|pipes'
expected_event_values = {
'filename': expected_filename,
'mode_as_string': 'r/rrwxrwxrwx',
'timestamp': '2020-07-30 06:41:05.354067',
'timestamp_desc': definitions.TIME_DESCRIPTION_CHANGE
}
self.CheckEventValues(storage_writer, events[48],
expected_event_values)
event_data = self._GetEventDataOfEvent(storage_writer, events[48])
self._TestGetMessageStrings(event_data, expected_filename,
expected_filename)
expected_event_values = {
'filename': '/file_symboliclink1',
'mode_as_string': 'l/lrwxrwxrwx',
'symbolic_link_target': '/mnt/ext/testdir1/testfile1',
'timestamp': '2020-08-19 18:48:01.000000',
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[57],
expected_event_values)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = mactime.MactimeParser()
def testParse(self):
"""Tests the Parse function."""
parser = mactime.MactimeParser()
storage_writer = self._ParseFile(['mactime.body'], parser)
# The file contains 17 lines x 4 timestamps per line, which should be
# 68 events in total. However several of these events have an empty
# timestamp value and are omitted.
# Total entries: ( 11 * 3 ) + ( 6 * 4 ) = 41
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 57)
# The order in which DSVParser generates events is nondeterministic
# hence we sort the events.
events = list(storage_writer.GetSortedEvents())
# Test this entry:
# 0|/a_directory/another_file|16|r/rrw-------|151107|5000|22|1337961583|
# 1337961584|1337961585|0
event = events[21]
self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:43.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_ACCESS)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.inode, 16)
event = events[22]
self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:44.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
event = events[23]
self.CheckTimestamp(event.timestamp, '2012-05-25 15:59:45.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CHANGE)
event_data = self._GetEventDataOfEvent(storage_writer, event)
expected_filename = '/a_directory/another_file'
self.assertEqual(event_data.filename, expected_filename)
self.assertEqual(event_data.mode_as_string, 'r/rrw-------')
self._TestGetMessageStrings(event_data, expected_filename,
expected_filename)
event = events[48]
self.CheckTimestamp(event.timestamp, '2020-07-30 06:41:05.354067')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CHANGE)
event_data = self._GetEventDataOfEvent(storage_writer, event)
expected_filename = '/file|with|pipes'
self.assertEqual(event_data.filename, expected_filename)
self.assertEqual(event_data.mode_as_string, 'r/rrwxrwxrwx')
self._TestGetMessageStrings(event_data, expected_filename,
expected_filename)
