def testProcessVersion3(self):
  """Tests the Process function on a version 3 .automaticDestinations-ms file.

  Parses the version 3 fixture with the AutomaticDestinations OLECF plugin and
  asserts: the total number of events, that neither extraction nor recovery
  warnings were recorded, and the attribute values of one DestList entry event
  (events[1]) and one embedded LNK link event (events[0]).
  """
  plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      ['9d1f905ce5044aee.automaticDestinations-ms'], plugin)

  # Expected attribute container counts. The 4 events break down as
  # 2 olecf:dest_list:entry and 2 windows:lnk:link; a clean parse of the
  # fixture must produce no extraction or recovery warnings.
  for container_type, expected_count in (
      ('event', 4),
      ('extraction_warning', 0),
      ('recovery_warning', 0)):
    actual_count = storage_writer.GetNumberOfAttributeContainers(
        container_type)
    self.assertEqual(actual_count, expected_count)

  events = list(storage_writer.GetEvents())

  # DestList entry event: every droid identifier in this fixture is the
  # all-zero GUID and the entry is unpinned (pin_status -1).
  dest_list_entry_values = {
      'birth_droid_file_identifier':
          '{00000000-0000-0000-0000-000000000000}',
      'birth_droid_volume_identifier':
          '{00000000-0000-0000-0000-000000000000}',
      'data_type': 'olecf:dest_list:entry',
      'date_time': '2016-01-17 13:08:08.2475045',
      'droid_file_identifier': '{00000000-0000-0000-0000-000000000000}',
      'droid_volume_identifier': '{00000000-0000-0000-0000-000000000000}',
      'entry_number': 2,
      'offset': 32,
      'path': 'http://support.microsoft.com/kb/3124263',
      'pin_status': -1,
      'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}
  self.CheckEventValues(storage_writer, events[1], dest_list_entry_values)

  # LNK link event: the fixture's link carries no timestamp, so the event is
  # tagged as "not a time" and date_time reads 'Not set'.
  lnk_link_values = {
      'data_type': 'windows:lnk:link',
      'date_time': 'Not set',
      'timestamp_desc': definitions.TIME_DESCRIPTION_NOT_A_TIME}
  self.CheckEventValues(storage_writer, events[0], lnk_link_values)
def testProcessVersion3(self):
  """Tests the Process function on a version 3 .automaticDestinations-ms file.

  Parses the version 3 fixture with the AutomaticDestinations OLECF plugin and
  asserts the warning and event counts, then checks the timestamp, event data
  attributes and formatted message strings of the DestList entry event
  (events[1]) and the data type and timestamp description of the embedded LNK
  link event (events[0]).
  """
  plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      ['9d1f905ce5044aee.automaticDestinations-ms'], plugin)

  # 4 events in total: 2 olecf:dest_list:entry and 2 windows:lnk:link.
  # A clean parse of the fixture produces no warnings.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 4)

  events = list(storage_writer.GetEvents())

  # DestList entry event.
  dest_list_event = events[1]
  self.CheckTimestamp(dest_list_event.timestamp, '2016-01-17 13:08:08.247505')
  self.assertEqual(
      dest_list_event.timestamp_desc,
      definitions.TIME_DESCRIPTION_MODIFICATION)

  dest_list_event_data = self._GetEventDataOfEvent(
      storage_writer, dest_list_event)
  self.assertEqual(dest_list_event_data.offset, 32)
  self.assertEqual(dest_list_event_data.data_type, 'olecf:dest_list:entry')
  # -1 is the "Unpinned" status rendered in the message below.
  self.assertEqual(dest_list_event_data.pin_status, -1)

  # All droid identifiers in this fixture are the all-zero GUID.
  expected_message = ' '.join([
      'Entry: 2',
      'Pin status: Unpinned',
      'Path: http://support.microsoft.com/kb/3124263',
      'Droid volume identifier: {00000000-0000-0000-0000-000000000000}',
      'Droid file identifier: {00000000-0000-0000-0000-000000000000}',
      'Birth droid volume identifier: {00000000-0000-0000-0000-000000000000}',
      'Birth droid file identifier: {00000000-0000-0000-0000-000000000000}'])
  expected_short_message = ' '.join([
      'Entry: 2',
      'Pin status: Unpinned',
      'Path: http://support.microsoft.com/kb/3124263'])
  self._TestGetMessageStrings(
      dest_list_event, expected_message, expected_short_message)

  # LNK link event: no usable timestamp, so it is tagged as "not a time".
  lnk_event = events[0]
  self.assertEqual(
      lnk_event.timestamp_desc, definitions.TIME_DESCRIPTION_NOT_A_TIME)

  lnk_event_data = self._GetEventDataOfEvent(storage_writer, lnk_event)
  self.assertEqual(lnk_event_data.data_type, 'windows:lnk:link')
def testProcessVersion3(self):
  """Tests the Process function on a version 3 .automaticDestinations-ms file.

  Parses the version 3 fixture with the AutomaticDestinations OLECF plugin,
  asserts the event count, then checks the offset, data type, timestamp and
  formatted message strings of the DestList entry event (events[1]) and the
  data type and timestamp description of the embedded LNK link event
  (events[0]).
  """
  plugin_object = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      [u'9d1f905ce5044aee.automaticDestinations-ms'], plugin_object)

  # 2 DestList entry events plus 2 LNK link events.
  self.assertEqual(len(storage_writer.events), 4)

  # DestList entry event.
  dest_list_event = storage_writer.events[1]
  self.assertEqual(dest_list_event.offset, 32)
  self.assertEqual(dest_list_event.data_type, u'olecf:dest_list:entry')
  self.assertEqual(
      dest_list_event.timestamp_desc,
      eventdata.EventTimestamp.MODIFICATION_TIME)

  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2016-01-17 13:08:08.247504')
  self.assertEqual(dest_list_event.timestamp, expected_timestamp)

  # All droid identifiers in this fixture are the all-zero GUID.
  expected_message = u' '.join([
      u'Entry: 2',
      u'Pin status: Unpinned',
      u'Path: http://support.microsoft.com/kb/3124263',
      u'Droid volume identifier: {00000000-0000-0000-0000-000000000000}',
      u'Droid file identifier: {00000000-0000-0000-0000-000000000000}',
      u'Birth droid volume identifier: {00000000-0000-0000-0000-000000000000}',
      u'Birth droid file identifier: {00000000-0000-0000-0000-000000000000}'])
  expected_message_short = u' '.join([
      u'Entry: 2',
      u'Pin status: Unpinned',
      u'Path: http://support.microsoft.com/kb/3124263'])
  self._TestGetMessageStrings(
      dest_list_event, expected_message, expected_message_short)

  # LNK link event: no usable timestamp, so it is tagged as "not a time".
  lnk_event = storage_writer.events[0]
  self.assertEqual(lnk_event.data_type, u'windows:lnk:link')
  self.assertEqual(
      lnk_event.timestamp_desc, eventdata.EventTimestamp.NOT_A_TIME)
def testProcessVersion1(self):
  """Tests the Process function on a version 1 .automaticDestinations-ms file.

  Parses the version 1 fixture with the AutomaticDestinations OLECF plugin and
  asserts the warning and event counts, then checks the attribute values of
  one event of each type the plugin produces: a DestList entry (events[7]),
  an embedded LNK link (events[1]) and a distributed link tracking creation
  event (events[5]).
  """
  plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      ['1b4dd67f29cb1962.automaticDestinations-ms'], plugin)

  # 88 events in total:
  #   olecf:dest_list:entry: 11
  #   windows:lnk:link: 33
  #   windows:distributed_link_tracking:creation: 44
  # A clean parse of the fixture produces no warnings.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 88)

  events = list(storage_writer.GetEvents())

  # DestList entry event: the droid and birth droid identifiers match, and
  # the entry is unpinned (pin_status -1).
  dest_list_entry_values = {
      'birth_droid_file_identifier':
          '{63eea867-7b85-11e1-8950-005056a50b40}',
      'birth_droid_volume_identifier':
          '{cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      'data_type': 'olecf:dest_list:entry',
      'droid_file_identifier': '{63eea867-7b85-11e1-8950-005056a50b40}',
      'droid_volume_identifier': '{cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      'entry_number': 11,
      'hostname': 'wks-win764bitb',
      'offset': 32,
      'path': 'C:\\Users\\nfury\\Pictures\\The SHIELD',
      'pin_status': -1,
      'timestamp': '2012-04-01 13:52:38.997538',
      'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}

  # LNK link event embedded in the jump list.
  lnk_link_values = {
      'data_type': 'windows:lnk:link',
      'drive_serial_number': 0x24ba718b,
      'drive_type': 3,
      'file_attribute_flags': 0x00002020,
      'file_size': 3545,
      'link_target': '<Users Libraries> <UNKNOWN: 0x00>',
      'local_path': (
          'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
          'Libraries\\Documents.library-ms'),
      'timestamp': '2010-11-10 07:51:16.749125'}

  # Distributed link tracking creation event derived from the droid file
  # identifier above; its origin names the DestList entry offset.
  link_tracking_values = {
      'data_type': 'windows:distributed_link_tracking:creation',
      'mac_address': '00:50:56:a5:0b:40',
      'origin': 'DestList entry at offset: 0x00000020',
      'timestamp': '2012-03-31 23:01:03.527742',
      'uuid': '63eea867-7b85-11e1-8950-005056a50b40'}

  # Checked in this order: DestList entry, LNK link, link tracking creation.
  checks = [
      (7, dest_list_entry_values),
      (1, lnk_link_values),
      (5, link_tracking_values)]
  for event_index, expected_event_values in checks:
    self.CheckEventValues(
        storage_writer, events[event_index], expected_event_values)
def testProcessVersion1(self):
  """Tests the Process function on a version 1 .automaticDestinations-ms file.

  Parses the version 1 fixture with the AutomaticDestinations OLECF plugin and
  asserts the warning and event counts, then checks the timestamp, event data
  attributes and formatted message strings of one event of each type the
  plugin produces: a DestList entry (events[7]), an embedded LNK link
  (events[1]) and a distributed link tracking creation event (events[5]).
  """
  plugin = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      ['1b4dd67f29cb1962.automaticDestinations-ms'], plugin)

  # 88 events in total:
  #   olecf:dest_list:entry: 11
  #   windows:lnk:link: 33
  #   windows:distributed_link_tracking:creation: 44
  # A clean parse of the fixture produces no warnings.
  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 88)

  events = list(storage_writer.GetEvents())

  # DestList entry event.
  dest_list_event = events[7]
  self.CheckTimestamp(dest_list_event.timestamp, '2012-04-01 13:52:38.997538')
  self.assertEqual(
      dest_list_event.timestamp_desc,
      definitions.TIME_DESCRIPTION_MODIFICATION)

  dest_list_event_data = self._GetEventDataOfEvent(
      storage_writer, dest_list_event)
  self.assertEqual(dest_list_event_data.offset, 32)
  self.assertEqual(dest_list_event_data.data_type, 'olecf:dest_list:entry')
  # -1 is the "Unpinned" status rendered in the message below.
  self.assertEqual(dest_list_event_data.pin_status, -1)

  expected_message = ' '.join([
      'Entry: 11',
      'Pin status: Unpinned',
      'Hostname: wks-win764bitb',
      'Path: C:\\Users\\nfury\\Pictures\\The SHIELD',
      'Droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      'Droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}',
      'Birth droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      'Birth droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}'])
  expected_short_message = ' '.join([
      'Entry: 11',
      'Pin status: Unpinned',
      'Path: C:\\Users\\nfury\\Pictures\\The SHIELD'])
  self._TestGetMessageStrings(
      dest_list_event, expected_message, expected_short_message)

  # LNK link event embedded in the jump list.
  lnk_event = events[1]
  lnk_event_data = self._GetEventDataOfEvent(storage_writer, lnk_event)
  self.assertEqual(lnk_event_data.data_type, 'windows:lnk:link')
  self.CheckTimestamp(lnk_event.timestamp, '2010-11-10 07:51:16.749125')

  expected_message = ' '.join([
      '[Empty description]',
      'File size: 3545',
      'File attribute flags: 0x00002020',
      'Drive type: 3',
      'Drive serial number: 0x24ba718b',
      'Local path: C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
      'Libraries\\Documents.library-ms',
      'Link target: <Users Libraries> <UNKNOWN: 0x00>'])
  # The short form truncates the local path with an ellipsis.
  expected_short_message = ' '.join([
      '[Empty description]',
      'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\Librarie...'])
  self._TestGetMessageStrings(
      lnk_event, expected_message, expected_short_message)

  # Distributed link tracking creation event; its origin names the DestList
  # entry offset it was derived from.
  link_tracking_event = events[5]
  link_tracking_event_data = self._GetEventDataOfEvent(
      storage_writer, link_tracking_event)
  self.assertEqual(
      link_tracking_event_data.data_type,
      'windows:distributed_link_tracking:creation')
  self.CheckTimestamp(
      link_tracking_event.timestamp, '2012-03-31 23:01:03.527742')

  expected_message = ' '.join([
      '63eea867-7b85-11e1-8950-005056a50b40',
      'MAC address: 00:50:56:a5:0b:40',
      'Origin: DestList entry at offset: 0x00000020'])
  expected_short_message = ' '.join([
      '63eea867-7b85-11e1-8950-005056a50b40',
      'Origin: DestList entry at offset: 0x0000...'])
  self._TestGetMessageStrings(
      link_tracking_event, expected_message, expected_short_message)
def testProcessVersion1(self):
  """Tests the Process function on a version 1 .automaticDestinations-ms file.

  Parses the version 1 fixture with the AutomaticDestinations OLECF plugin,
  asserts the event count, then checks the data type, timestamp and formatted
  message strings of one event of each type the plugin produces: a DestList
  entry (events[7]), an embedded LNK link (events[1]) and a distributed link
  tracking creation event (events[5]).
  """
  plugin_object = automatic_destinations.AutomaticDestinationsOLECFPlugin()
  storage_writer = self._ParseOLECFFileWithPlugin(
      [u'1b4dd67f29cb1962.automaticDestinations-ms'], plugin_object)

  # 88 events across the DestList entry, LNK link and distributed link
  # tracking creation event types.
  self.assertEqual(len(storage_writer.events), 88)

  # DestList entry event.
  dest_list_event = storage_writer.events[7]
  self.assertEqual(dest_list_event.offset, 32)
  self.assertEqual(dest_list_event.data_type, u'olecf:dest_list:entry')
  self.assertEqual(
      dest_list_event.timestamp_desc,
      eventdata.EventTimestamp.MODIFICATION_TIME)

  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2012-04-01 13:52:38.997538')
  self.assertEqual(dest_list_event.timestamp, expected_timestamp)

  expected_message = u' '.join([
      u'Entry: 11',
      u'Pin status: Unpinned',
      u'Hostname: wks-win764bitb',
      u'Path: C:\\Users\\nfury\\Pictures\\The SHIELD',
      u'Droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      u'Droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}',
      u'Birth droid volume identifier: {cf6619c2-66a8-44a6-8849-1582fcd3a338}',
      u'Birth droid file identifier: {63eea867-7b85-11e1-8950-005056a50b40}'])
  expected_message_short = u' '.join([
      u'Entry: 11',
      u'Pin status: Unpinned',
      u'Path: C:\\Users\\nfury\\Pictures\\The SHIELD'])
  self._TestGetMessageStrings(
      dest_list_event, expected_message, expected_message_short)

  # LNK link event embedded in the jump list.
  lnk_event = storage_writer.events[1]
  self.assertEqual(lnk_event.data_type, u'windows:lnk:link')

  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2010-11-10 07:51:16.749125')
  self.assertEqual(lnk_event.timestamp, expected_timestamp)

  expected_message = u' '.join([
      u'[Empty description]',
      u'File size: 3545',
      u'File attribute flags: 0x00002020',
      u'Drive type: 3',
      u'Drive serial number: 0x24ba718b',
      u'Local path: C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\'
      u'Libraries\\Documents.library-ms',
      u'Link target: <Users Libraries> <UNKNOWN: 0x00>'])
  # The short form truncates the local path with an ellipsis.
  expected_message_short = u' '.join([
      u'[Empty description]',
      u'C:\\Users\\nfury\\AppData\\Roaming\\Microsoft\\Windows\\Librarie...'])
  self._TestGetMessageStrings(
      lnk_event, expected_message, expected_message_short)

  # Distributed link tracking creation event; its origin names the DestList
  # entry offset it was derived from.
  link_tracking_event = storage_writer.events[5]
  self.assertEqual(
      link_tracking_event.data_type,
      u'windows:distributed_link_tracking:creation')

  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2012-03-31 23:01:03.527741')
  self.assertEqual(link_tracking_event.timestamp, expected_timestamp)

  expected_message = u' '.join([
      u'63eea867-7b85-11e1-8950-005056a50b40',
      u'MAC address: 00:50:56:a5:0b:40',
      u'Origin: DestList entry at offset: 0x00000020'])
  expected_message_short = u' '.join([
      u'63eea867-7b85-11e1-8950-005056a50b40',
      u'Origin: DestList entry at offset: 0x0000...'])
  self._TestGetMessageStrings(
      link_tracking_event, expected_message, expected_message_short)