def testParse23(self):
  """Parses a version 23 Prefetch file (PING.EXE) and checks its two events."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)

  # The fixture must yield exactly two events and no warnings of either kind,
  # so a parser regression is reported before the per-event checks run.
  self.assertEqual(writer.number_of_events, 2)
  self.assertEqual(writer.number_of_extraction_warnings, 0)
  self.assertEqual(writer.number_of_recovery_warnings, 0)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_values = dict(
      date_time='2012-04-06 19:00:55.9329556',
      data_type='windows:prefetch:execution',
      executable='PING.EXE',
      path_hints=['\\WINDOWS\\SYSTEM32\\PING.EXE'],
      prefetch_hash=0xB29F6629,
      run_count=14,
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
      version=23,
      volume_device_paths=['\\DEVICE\\HARDDISKVOLUME1'],
      volume_serial_numbers=[0xAC036525])
  self.CheckEventValues(writer, events[1], last_run_values)

  # events[0] is the volume creation event.
  volume_creation_values = dict(
      date_time='2010-11-10 17:37:26.4843750',
      data_type='windows:volume:creation',
      timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)
  self.CheckEventValues(writer, events[0], volume_creation_values)
def testParse23MultiVolume(self):
  """Parses a multi volume version 23 Prefetch file (WUAUCLT.EXE)."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], prefetch_parser)

  # Six events are expected in total, with no extraction or recovery
  # warnings.
  for container_type, expected_count in (
      ('event', 6), ('extraction_warning', 0), ('recovery_warning', 0)):
    self.assertEqual(
        writer.GetNumberOfAttributeContainers(container_type), expected_count)

  events = list(writer.GetEvents())

  # events[5] is the prefetch last run event. The fixture references the
  # primary volume and four volume shadow copies, all carrying the same
  # serial number.
  volume_serial_number = 0xAC036525
  last_run_values = dict(
      date_time='2012-03-15 21:17:39.8079963',
      data_type='windows:prefetch:execution',
      executable='WUAUCLT.EXE',
      path_hints=['\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE'],
      prefetch_hash=0x830BCC14,
      run_count=25,
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
      version=23,
      volume_device_paths=[
          '\\DEVICE\\HARDDISKVOLUME1',
          '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
          '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
          '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
          '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8'],
      volume_serial_numbers=[volume_serial_number] * 5)
  self.CheckEventValues(writer, events[5], last_run_values)

  # events[0] is the volume creation event.
  volume_creation_values = dict(
      date_time='2010-11-10 17:37:26.4843750',
      data_type='windows:volume:creation',
      timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)
  self.CheckEventValues(writer, events[0], volume_creation_values)
def testParse30Compressed(self):
  """Parses a compressed version 30 Prefetch file (BYTECODEGENERATOR.EXE)."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(
      ['BYTECODEGENERATOR.EXE-C1E9BCE6.pf'], prefetch_parser)

  # Eight events and no extraction or recovery warnings are expected.
  for container_type, expected_count in (
      ('event', 8), ('extraction_warning', 0), ('recovery_warning', 0)):
    self.assertEqual(
        writer.GetNumberOfAttributeContainers(container_type), expected_count)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_values = dict(
      date_time='2015-05-14 22:11:58.0911341',
      data_type='windows:prefetch:execution',
      executable='BYTECODEGENERATOR.EXE',
      prefetch_hash=0xC1E9BCE6,
      run_count=7,
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
      version=30)
  self.CheckEventValues(writer, events[1], last_run_values)

  # events[2] is the prefetch previous last run event.
  previous_run_values = dict(
      date_time='2015-05-14 22:11:55.3576520',
      timestamp_desc='Previous {0:s}'.format(
          definitions.TIME_DESCRIPTION_LAST_RUN))
  self.CheckEventValues(writer, events[2], previous_run_values)

  # The mapped file list of this fixture is large, so only its size is pinned.
  previous_run_data = self._GetEventDataOfEvent(writer, events[2])
  self.assertEqual(len(previous_run_data.mapped_files), 1085)

  # events[0] is the volume creation event.
  volume_creation_values = dict(
      date_time='2015-05-15 06:54:55.1392941',
      data_type='windows:volume:creation',
      timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)
  self.CheckEventValues(writer, events[0], volume_creation_values)
def testParse30Variant2Compressed(self):
  """Parses a compressed version 30 variant 2 Prefetch file (NOTEPAD.EXE)."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['NOTEPAD.EXE-D8414F97.pf'], prefetch_parser)

  # Three events and no extraction or recovery warnings are expected.
  for container_type, expected_count in (
      ('event', 3), ('extraction_warning', 0), ('recovery_warning', 0)):
    self.assertEqual(
        writer.GetNumberOfAttributeContainers(container_type), expected_count)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_values = dict(
      date_time='2019-06-05 19:55:04.8777787',
      data_type='windows:prefetch:execution',
      executable='NOTEPAD.EXE',
      prefetch_hash=0xD8414F97,
      run_count=2,
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
      version=30)
  self.CheckEventValues(writer, events[1], last_run_values)

  # events[2] is the prefetch previous last run event.
  previous_run_values = dict(
      date_time='2019-06-05 19:23:00.8157052',
      timestamp_desc='Previous {0:s}'.format(
          definitions.TIME_DESCRIPTION_LAST_RUN))
  self.CheckEventValues(writer, events[2], previous_run_values)

  # Only the number of mapped files is pinned for this fixture.
  previous_run_data = self._GetEventDataOfEvent(writer, events[2])
  self.assertEqual(len(previous_run_data.mapped_files), 56)

  # events[0] is the volume creation event.
  volume_creation_values = dict(
      date_time='2017-07-30 19:40:03.5487843',
      data_type='windows:volume:creation',
      timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)
  self.CheckEventValues(writer, events[0], volume_creation_values)
def testParse23(self):
  """Parses a version 23 Prefetch file (PING.EXE) and checks its two events."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)
  self.assertEqual(writer.number_of_events, 2)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_event = events[1]
  self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
  self.assertEqual(last_run_event.version, 23)

  self.assertEqual(
      last_run_event.timestamp,
      timelib.Timestamp.CopyFromString('2012-04-06 19:00:55.932955'))
  self.assertEqual(
      last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  self.assertEqual(last_run_event.executable, 'PING.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0xB29F6629)
  self.assertEqual(last_run_event.path, '\\WINDOWS\\SYSTEM32\\PING.EXE')
  self.assertEqual(last_run_event.run_count, 14)

  # Only the first volume entry is checked.
  self.assertEqual(
      last_run_event.volume_device_paths[0], '\\DEVICE\\HARDDISKVOLUME1')
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0xAC036525)

  expected_message = (
      'Prefetch [PING.EXE] was executed - run count 14 '
      'path: \\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
      'volume: 1 [serial number: 0xAC036525, device path: '
      '\\DEVICE\\HARDDISKVOLUME1]')
  self._TestGetMessageStrings(
      last_run_event, expected_message, 'PING.EXE was run 14 time(s)')

  # events[0] is the volume creation event.
  volume_event = events[0]
  self.assertEqual(volume_event.data_type, 'windows:volume:creation')
  self.assertEqual(
      volume_event.timestamp,
      timelib.Timestamp.CopyFromString('2010-11-10 17:37:26.484375'))
  self.assertEqual(
      volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)
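def testParse30Compressed(self):
  """Tests the Parse function on a compressed version 30 Prefetch file.

  Three of the eight events produced from the BYTECODEGENERATOR.EXE fixture
  are checked: the last run event, the previous last run event and the
  volume creation event.
  """
  parser = winprefetch.WinPrefetchParser()
  storage_writer = self._ParseFile(
      ['BYTECODEGENERATOR.EXE-C1E9BCE6.pf'], parser)

  self.assertEqual(storage_writer.number_of_events, 8)

  events = list(storage_writer.GetEvents())

  # The prefetch last run event.
  event = events[1]
  self.assertEqual(event.data_type, 'windows:prefetch:execution')
  self.assertEqual(event.version, 30)

  expected_timestamp = timelib.Timestamp.CopyFromString(
      '2015-05-14 22:11:58.091134')
  self.assertEqual(event.timestamp, expected_timestamp)
  self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  self.assertEqual(event.executable, 'BYTECODEGENERATOR.EXE')
  self.assertEqual(event.prefetch_hash, 0xc1e9bce6)

  # The prefetch previous last run event.
  event = events[2]

  expected_timestamp = timelib.Timestamp.CopyFromString(
      '2015-05-14 22:11:55.357652')
  self.assertEqual(event.timestamp, expected_timestamp)
  expected_timestamp_desc = 'Previous {0:s}'.format(
      definitions.TIME_DESCRIPTION_LAST_RUN)
  self.assertEqual(event.timestamp_desc, expected_timestamp_desc)

  # This fixture's mapped file list is large (1085 entries), so only its
  # size is pinned here.
  self.assertEqual(len(event.mapped_files), 1085)

  # The volume creation event.
  event = events[0]
  self.assertEqual(event.data_type, 'windows:volume:creation')

  expected_timestamp = timelib.Timestamp.CopyFromString(
      '2015-05-15 06:54:55.139294')
  self.assertEqual(event.timestamp, expected_timestamp)
  self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)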
def testParse23(self):
  """Parses a version 23 Prefetch file (PING.EXE) and checks its two events."""
  parser_object = winprefetch.WinPrefetchParser()
  test_file = self._GetTestFilePath([u'PING.EXE-B29F6629.pf'])
  event_queue_consumer = self._ParseFile(parser_object, test_file)
  event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
  self.assertEqual(len(event_objects), 2)

  # event_objects[1] is the prefetch last run event.
  last_run_event = event_objects[1]
  self.assertEqual(last_run_event.version, 23)
  self.assertEqual(
      last_run_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2012-04-06 19:00:55.932955'))
  self.assertEqual(
      last_run_event.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

  self.assertEqual(last_run_event.executable, u'PING.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0xB29F6629)
  self.assertEqual(last_run_event.path, u'\\WINDOWS\\SYSTEM32\\PING.EXE')
  self.assertEqual(last_run_event.run_count, 14)

  # Only the first volume entry is checked.
  self.assertEqual(
      last_run_event.volume_device_paths[0], u'\\DEVICE\\HARDDISKVOLUME1')
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0xAC036525)

  expected_msg = (
      u'Prefetch [PING.EXE] was executed - run count 14 '
      u'path: \\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
      u'volume: 1 [serial number: 0xAC036525, device path: '
      u'\\DEVICE\\HARDDISKVOLUME1]')
  self._TestGetMessageStrings(
      last_run_event, expected_msg, u'PING.EXE was run 14 time(s)')

  # event_objects[0] is the volume creation event.
  volume_event = event_objects[0]
  self.assertEqual(
      volume_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2010-11-10 17:37:26.484375'))
  self.assertEqual(
      volume_event.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)
def testParse23(self):
  """Parses a version 23 Prefetch file (PING.EXE) and checks its two events."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)

  self.assertEqual(writer.number_of_warnings, 0)
  self.assertEqual(writer.number_of_events, 2)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_values = dict(
      data_type='windows:prefetch:execution',
      executable='PING.EXE',
      path_hints=['\\WINDOWS\\SYSTEM32\\PING.EXE'],
      prefetch_hash=0xB29F6629,
      run_count=14,
      timestamp='2012-04-06 19:00:55.932956',
      timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
      version=23,
      volume_device_paths=['\\DEVICE\\HARDDISKVOLUME1'],
      volume_serial_numbers=[0xAC036525])
  self.CheckEventValues(writer, events[1], last_run_values)

  # The message strings are checked against the event data of events[1].
  last_run_data = self._GetEventDataOfEvent(writer, events[1])
  expected_message = (
      'Prefetch [PING.EXE] was executed - run count 14 '
      'path hints: \\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
      'volume: 1 [serial number: 0xAC036525, device path: '
      '\\DEVICE\\HARDDISKVOLUME1]')
  self._TestGetMessageStrings(
      last_run_data, expected_message, 'PING.EXE was run 14 time(s)')

  # events[0] is the volume creation event.
  volume_creation_values = dict(
      data_type='windows:volume:creation',
      timestamp='2010-11-10 17:37:26.484375',
      timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)
  self.CheckEventValues(writer, events[0], volume_creation_values)
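def testParse30Variant2Compressed(self):
  """Tests the Parse function on a compressed version 30 variant 2 file.

  Three events are expected from the NOTEPAD.EXE fixture: a volume creation
  event, a last run event and a previous last run event. The event data of
  each event is looked up separately so no assertion reads stale event data.
  """
  parser = winprefetch.WinPrefetchParser()
  storage_writer = self._ParseFile(['NOTEPAD.EXE-D8414F97.pf'], parser)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 3)

  events = list(storage_writer.GetEvents())

  # The prefetch last run event.
  event = events[1]
  self.CheckTimestamp(event.timestamp, '2019-06-05 19:55:04.877779')
  self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  event_data = self._GetEventDataOfEvent(storage_writer, event)
  self.assertEqual(event_data.data_type, 'windows:prefetch:execution')
  self.assertEqual(event_data.version, 30)
  self.assertEqual(event_data.executable, 'NOTEPAD.EXE')
  self.assertEqual(event_data.prefetch_hash, 0xd8414f97)
  self.assertEqual(event_data.run_count, 2)

  # The prefetch previous last run event.
  event = events[2]
  self.CheckTimestamp(event.timestamp, '2019-06-05 19:23:00.815705')
  expected_timestamp_desc = 'Previous {0:s}'.format(
      definitions.TIME_DESCRIPTION_LAST_RUN)
  self.assertEqual(event.timestamp_desc, expected_timestamp_desc)

  # Look up the event data of this event instead of reusing the last run
  # event's data, so the mapped files check applies to the event under test.
  event_data = self._GetEventDataOfEvent(storage_writer, event)
  self.assertEqual(len(event_data.mapped_files), 56)

  # The volume creation event.
  event = events[0]
  self.CheckTimestamp(event.timestamp, '2017-07-30 19:40:03.548784')
  self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

  event_data = self._GetEventDataOfEvent(storage_writer, event)
  self.assertEqual(event_data.data_type, 'windows:volume:creation')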
def testParse26(self):
  """Parses a version 26 Prefetch file (TASKHOST.EXE) and checks its events."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['TASKHOST.EXE-3AE259FC.pf'], prefetch_parser)

  self.assertEqual(writer.number_of_errors, 0)
  self.assertEqual(writer.number_of_events, 5)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_event = events[1]
  self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
  self.assertEqual(last_run_event.version, 26)

  self.CheckTimestamp(last_run_event.timestamp, '2013-10-04 15:40:09.037833')
  self.assertEqual(
      last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  self.assertEqual(last_run_event.executable, 'TASKHOST.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0x3AE259FC)

  # events[2] is the prefetch previous last run event.
  previous_run_event = events[2]
  self.CheckTimestamp(
      previous_run_event.timestamp, '2013-10-04 15:28:09.010357')
  self.assertEqual(
      previous_run_event.timestamp_desc,
      'Previous {0:s}'.format(definitions.TIME_DESCRIPTION_LAST_RUN))

  # Most mapped file entries of this fixture carry an MFT entry and sequence
  # number suffix; a few (the executable, its MUI file and $MFT) do not. The
  # expected list keeps the order in which the parser emits the entries.
  volume = '\\DEVICE\\HARDDISKVOLUME2\\'
  system32 = volume + 'WINDOWS\\SYSTEM32\\'

  def _WithMftEntry(path, mft_entry, sequence=1):
    """Suffixes a mapped file path with its MFT entry and sequence number."""
    return '{0:s} [MFT entry: {1:d}, sequence: {2:d}]'.format(
        path, mft_entry, sequence)

  expected_mapped_files = [
      _WithMftEntry(system32 + 'NTDLL.DLL', 46299),
      system32 + 'TASKHOST.EXE',
      _WithMftEntry(system32 + 'KERNEL32.DLL', 45747),
      _WithMftEntry(system32 + 'KERNELBASE.DLL', 45734),
      _WithMftEntry(system32 + 'LOCALE.NLS', 45777),
      _WithMftEntry(system32 + 'MSVCRT.DLL', 46033),
      _WithMftEntry(system32 + 'RPCRT4.DLL', 46668),
      _WithMftEntry(system32 + 'COMBASE.DLL', 44616),
      _WithMftEntry(system32 + 'OLEAUT32.DLL', 46309),
      _WithMftEntry(system32 + 'OLE32.DLL', 46348),
      _WithMftEntry(system32 + 'RPCSS.DLL', 46654),
      _WithMftEntry(system32 + 'KERNEL.APPCORE.DLL', 45698),
      _WithMftEntry(system32 + 'CRYPTBASE.DLL', 44560),
      _WithMftEntry(system32 + 'BCRYPTPRIMITIVES.DLL', 44355),
      _WithMftEntry(system32 + 'USER32.DLL', 47130),
      _WithMftEntry(system32 + 'GDI32.DLL', 45344),
      system32 + 'EN-US\\TASKHOST.EXE.MUI',
      _WithMftEntry(system32 + 'SECHOST.DLL', 46699),
      _WithMftEntry(system32 + 'CLBCATQ.DLL', 44511),
      _WithMftEntry(system32 + 'RACENGN.DLL', 46549),
      _WithMftEntry(system32 + 'NTMARTA.DLL', 46262),
      _WithMftEntry(system32 + 'WEVTAPI.DLL', 47223),
      volume + '$MFT',
      _WithMftEntry(system32 + 'SQMAPI.DLL', 46832),
      _WithMftEntry(system32 + 'AEPIC.DLL', 43991),
      _WithMftEntry(system32 + 'WINTRUST.DLL', 47372),
      _WithMftEntry(system32 + 'SLWGA.DLL', 46762),
      _WithMftEntry(system32 + 'DXGI.DLL', 44935),
      _WithMftEntry(system32 + 'ESENT.DLL', 45256),
      _WithMftEntry(system32 + 'WMICLNT.DLL', 47413),
      _WithMftEntry(system32 + 'ADVAPI32.DLL', 43994),
      _WithMftEntry(system32 + 'SFC_OS.DLL', 46729),
      _WithMftEntry(system32 + 'VERSION.DLL', 47120),
      _WithMftEntry(system32 + 'CRYPT32.DLL', 44645),
      _WithMftEntry(system32 + 'MSASN1.DLL', 45909),
      _WithMftEntry(system32 + 'WTSAPI32.DLL', 47527),
      _WithMftEntry(system32 + 'SPPC.DLL', 46803),
      _WithMftEntry(system32 + 'POWRPROF.DLL', 46413),
      _WithMftEntry(system32 + 'PROFAPI.DLL', 46441),
      _WithMftEntry(
          volume + 'PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
          'RACMETADATA.DAT', 39345, 2),
      _WithMftEntry(
          volume + 'WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS', 37452),
      _WithMftEntry(system32 + 'RACRULES.XML', 46509),
      _WithMftEntry(system32 + 'TASKSCHD.DLL', 47043),
      _WithMftEntry(system32 + 'SSPICLI.DLL', 46856),
      _WithMftEntry(system32 + 'XMLLITE.DLL', 47569),
      _WithMftEntry(
          volume + 'PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
          'RACWMIEVENTDATA.DAT', 23870, 3),
      _WithMftEntry(
          volume + 'PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
          'RACWMIDATABOOKMARKS.DAT', 23871, 2),
      _WithMftEntry(system32 + 'TPMTASKS.DLL', 47003),
      _WithMftEntry(system32 + 'NCRYPT.DLL', 46073),
      _WithMftEntry(system32 + 'BCRYPT.DLL', 44346),
      _WithMftEntry(system32 + 'NTASN1.DLL', 46261)]
  self.assertEqual(previous_run_event.mapped_files, expected_mapped_files)

  # events[0] is the volume creation event.
  volume_event = events[0]
  self.assertEqual(volume_event.data_type, 'windows:volume:creation')
  self.CheckTimestamp(volume_event.timestamp, '2013-10-04 15:57:26.146548')
  self.assertEqual(
      volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)
def testParse17(self):
  """Parses a version 17 Prefetch file (CMD.EXE) and checks its two events."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['CMD.EXE-087B4001.pf'], prefetch_parser)

  self.assertEqual(writer.number_of_errors, 0)
  self.assertEqual(writer.number_of_events, 2)

  events = list(writer.GetEvents())

  # events[1] is the prefetch last run event.
  last_run_event = events[1]
  self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
  self.assertEqual(last_run_event.version, 17)

  self.CheckTimestamp(last_run_event.timestamp, '2013-03-10 10:11:49.281250')
  self.assertEqual(
      last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  self.assertEqual(last_run_event.executable, 'CMD.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0x087B4001)
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0x24CB074B)

  # The mapped file entries of this fixture are plain device paths; the
  # expected list keeps the order in which the parser emits them.
  volume = '\\DEVICE\\HARDDISKVOLUME1\\'
  system32 = volume + 'WINDOWS\\SYSTEM32\\'
  apppatch = volume + 'WINDOWS\\APPPATCH\\'
  update = volume + 'D50FF1E628137B1A251B47AB9466\\UPDATE\\'
  spuninst = volume + 'WINDOWS\\IE7\\SPUNINST\\'

  expected_mapped_files = (
      [system32 + name for name in (
          'NTDLL.DLL', 'KERNEL32.DLL', 'UNICODE.NLS', 'LOCALE.NLS',
          'SORTTBLS.NLS', 'MSVCRT.DLL', 'CMD.EXE', 'USER32.DLL', 'GDI32.DLL',
          'SHIMENG.DLL')] +
      [apppatch + 'SYSMAIN.SDB', apppatch + 'ACGENRAL.DLL'] +
      [system32 + name for name in (
          'ADVAPI32.DLL', 'RPCRT4.DLL', 'WINMM.DLL', 'OLE32.DLL',
          'OLEAUT32.DLL', 'MSACM32.DLL', 'VERSION.DLL', 'SHELL32.DLL',
          'SHLWAPI.DLL', 'USERENV.DLL', 'UXTHEME.DLL', 'CTYPE.NLS',
          'SORTKEY.NLS')] +
      [(volume + 'WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_'
        '6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\COMCTL32.DLL'),
       volume + 'WINDOWS\\WINDOWSSHELL.MANIFEST',
       system32 + 'COMCTL32.DLL',
       update + 'UPDATE.EXE.MANIFEST',
       volume + '$MFT',
       spuninst + 'SPUNINST.EXE.MANIFEST',
       update + 'IERESETICONS.EXE',
       spuninst + 'IERESETICONS.EXE'])
  self.assertEqual(last_run_event.mapped_files, expected_mapped_files)

  # events[0] is the volume creation event.
  volume_event = events[0]
  self.assertEqual(volume_event.data_type, 'windows:volume:creation')
  self.CheckTimestamp(volume_event.timestamp, '2013-03-10 10:19:46.234375')
  self.assertEqual(
      volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

  expected_message = (
      '\\DEVICE\\HARDDISKVOLUME1 Serial number: 0x24CB074B '
      'Origin: CMD.EXE-087B4001.pf')
  expected_short_message = (
      '\\DEVICE\\HARDDISKVOLUME1 Origin: CMD.EXE-087B4001.pf')
  self._TestGetMessageStrings(
      volume_event, expected_message, expected_short_message)
def testParse23MultiVolume(self):
  """Parses a multi volume version 23 Prefetch file (WUAUCLT.EXE)."""
  prefetch_parser = winprefetch.WinPrefetchParser()
  writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], prefetch_parser)

  self.assertEqual(writer.number_of_errors, 0)
  self.assertEqual(writer.number_of_events, 6)

  events = list(writer.GetEvents())

  # events[5] is the prefetch last run event.
  last_run_event = events[5]
  self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
  self.assertEqual(last_run_event.version, 23)

  self.CheckTimestamp(last_run_event.timestamp, '2012-03-15 21:17:39.807996')
  self.assertEqual(
      last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

  self.assertEqual(last_run_event.executable, 'WUAUCLT.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0x830BCC14)
  self.assertEqual(last_run_event.path, '\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE')
  self.assertEqual(last_run_event.run_count, 25)

  # Only the first volume is checked attribute by attribute; the message
  # string below covers the primary volume and the four shadow copies.
  self.assertEqual(
      last_run_event.volume_device_paths[0], '\\DEVICE\\HARDDISKVOLUME1')
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0xAC036525)

  device_paths = (
      '\\DEVICE\\HARDDISKVOLUME1',
      '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
      '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
      '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
      '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8')
  volume_descriptions = ', '.join(
      'volume: {0:d} [serial number: 0xAC036525, device path: {1:s}]'.format(
          volume_number, device_path)
      for volume_number, device_path in enumerate(device_paths, 1))
  expected_message = (
      'Prefetch [WUAUCLT.EXE] was executed - run count 25 '
      'path: \\WINDOWS\\SYSTEM32\\WUAUCLT.EXE hash: 0x830BCC14 ' +
      volume_descriptions)
  self._TestGetMessageStrings(
      last_run_event, expected_message, 'WUAUCLT.EXE was run 25 time(s)')

  # events[0] is the volume creation event.
  volume_event = events[0]
  self.assertEqual(volume_event.data_type, 'windows:volume:creation')
  self.CheckTimestamp(volume_event.timestamp, '2010-11-10 17:37:26.484375')
  self.assertEqual(
      volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

  expected_message = (
      '\\DEVICE\\HARDDISKVOLUME1 Serial number: 0xAC036525 '
      'Origin: WUAUCLT.EXE-830BCC14.pf')
  expected_short_message = (
      '\\DEVICE\\HARDDISKVOLUME1 Origin: WUAUCLT.EXE-830BCC14.pf')
  self._TestGetMessageStrings(
      volume_event, expected_message, expected_short_message)
def setUp(self):
  """Creates the Prefetch parser used by the test methods.

  unittest calls this before every test method, so each test starts with a
  freshly constructed parser instance.
  """
  self._parser = winprefetch.WinPrefetchParser()
def testParse23MultiVolume(self):
  """Parses a multi volume version 23 Prefetch file (WUAUCLT.EXE)."""
  parser_object = winprefetch.WinPrefetchParser()
  test_file = self._GetTestFilePath([u'WUAUCLT.EXE-830BCC14.pf'])
  event_queue_consumer = self._ParseFile(parser_object, test_file)
  event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
  self.assertEqual(len(event_objects), 6)

  # event_objects[5] is the prefetch last run event.
  last_run_event = event_objects[5]
  self.assertEqual(last_run_event.version, 23)
  self.assertEqual(
      last_run_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2012-03-15 21:17:39.807996'))
  self.assertEqual(
      last_run_event.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

  self.assertEqual(last_run_event.executable, u'WUAUCLT.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0x830BCC14)
  self.assertEqual(last_run_event.path, u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE')
  self.assertEqual(last_run_event.run_count, 25)

  # Only the first volume is checked attribute by attribute; the message
  # string below covers the primary volume and the four shadow copies.
  self.assertEqual(
      last_run_event.volume_device_paths[0], u'\\DEVICE\\HARDDISKVOLUME1')
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0xAC036525)

  device_paths = (
      u'\\DEVICE\\HARDDISKVOLUME1',
      u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
      u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
      u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
      u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8')
  volume_descriptions = u', '.join(
      u'volume: {0:d} [serial number: 0xAC036525, device path: {1:s}]'.format(
          volume_number, device_path)
      for volume_number, device_path in enumerate(device_paths, 1))
  expected_msg = (
      u'Prefetch [WUAUCLT.EXE] was executed - run count 25 '
      u'path: \\WINDOWS\\SYSTEM32\\WUAUCLT.EXE hash: 0x830BCC14 ' +
      volume_descriptions)
  self._TestGetMessageStrings(
      last_run_event, expected_msg, u'WUAUCLT.EXE was run 25 time(s)')

  # event_objects[0] is the volume creation event.
  volume_event = event_objects[0]
  self.assertEqual(
      volume_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2010-11-10 17:37:26.484375'))
  self.assertEqual(
      volume_event.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)

  expected_msg = (
      u'\\DEVICE\\HARDDISKVOLUME1 Serial number: 0xAC036525 '
      u'Origin: WUAUCLT.EXE-830BCC14.pf')
  expected_msg_short = (
      u'\\DEVICE\\HARDDISKVOLUME1 Origin: WUAUCLT.EXE-830BCC14.pf')
  self._TestGetMessageStrings(volume_event, expected_msg, expected_msg_short)
def testParse17(self):
  """Parses a version 17 Prefetch file (CMD.EXE) and checks its two events."""
  parser_object = winprefetch.WinPrefetchParser()
  test_file = self._GetTestFilePath([u'CMD.EXE-087B4001.pf'])
  event_queue_consumer = self._ParseFile(parser_object, test_file)
  event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
  self.assertEqual(len(event_objects), 2)

  # event_objects[1] is the prefetch last run event.
  last_run_event = event_objects[1]
  self.assertEqual(last_run_event.version, 17)
  self.assertEqual(
      last_run_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2013-03-10 10:11:49.281250'))
  self.assertEqual(
      last_run_event.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

  self.assertEqual(last_run_event.executable, u'CMD.EXE')
  self.assertEqual(last_run_event.prefetch_hash, 0x087B4001)
  self.assertEqual(last_run_event.volume_serial_numbers[0], 0x24CB074B)

  # The mapped file entries of this fixture are plain device paths; the
  # expected list keeps the order in which the parser emits them.
  volume = u'\\DEVICE\\HARDDISKVOLUME1\\'
  system32 = volume + u'WINDOWS\\SYSTEM32\\'
  apppatch = volume + u'WINDOWS\\APPPATCH\\'
  update = volume + u'D50FF1E628137B1A251B47AB9466\\UPDATE\\'
  spuninst = volume + u'WINDOWS\\IE7\\SPUNINST\\'

  expected_mapped_files = (
      [system32 + name for name in (
          u'NTDLL.DLL', u'KERNEL32.DLL', u'UNICODE.NLS', u'LOCALE.NLS',
          u'SORTTBLS.NLS', u'MSVCRT.DLL', u'CMD.EXE', u'USER32.DLL',
          u'GDI32.DLL', u'SHIMENG.DLL')] +
      [apppatch + u'SYSMAIN.SDB', apppatch + u'ACGENRAL.DLL'] +
      [system32 + name for name in (
          u'ADVAPI32.DLL', u'RPCRT4.DLL', u'WINMM.DLL', u'OLE32.DLL',
          u'OLEAUT32.DLL', u'MSACM32.DLL', u'VERSION.DLL', u'SHELL32.DLL',
          u'SHLWAPI.DLL', u'USERENV.DLL', u'UXTHEME.DLL', u'CTYPE.NLS',
          u'SORTKEY.NLS')] +
      [(volume + u'WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_'
        u'6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\COMCTL32.DLL'),
       volume + u'WINDOWS\\WINDOWSSHELL.MANIFEST',
       system32 + u'COMCTL32.DLL',
       update + u'UPDATE.EXE.MANIFEST',
       volume + u'$MFT',
       spuninst + u'SPUNINST.EXE.MANIFEST',
       update + u'IERESETICONS.EXE',
       spuninst + u'IERESETICONS.EXE'])
  self.assertEqual(last_run_event.mapped_files, expected_mapped_files)

  # event_objects[0] is the volume creation event.
  volume_event = event_objects[0]
  self.assertEqual(
      volume_event.timestamp,
      timelib.Timestamp.CopyFromString(u'2013-03-10 10:19:46.234375'))
  self.assertEqual(
      volume_event.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)

  expected_msg = (
      u'\\DEVICE\\HARDDISKVOLUME1 Serial number: 0x24CB074B '
      u'Origin: CMD.EXE-087B4001.pf')
  expected_msg_short = (
      u'\\DEVICE\\HARDDISKVOLUME1 Origin: CMD.EXE-087B4001.pf')
  self._TestGetMessageStrings(volume_event, expected_msg, expected_msg_short)
def testParse26(self):
    """Tests the Parse function on a version 26 Prefetch file.

    Parses TASKHOST.EXE-3AE259FC.pf and checks three of the five emitted
    events: the volume creation event (index 0), the last run event
    (index 1) and the previous last run event (index 2), most of whose
    mapped files carry an MFT entry and sequence number suffix.
    """
    prefetch_parser = winprefetch.WinPrefetchParser()
    test_file = self._GetTestFilePath([u'TASKHOST.EXE-3AE259FC.pf'])
    queue_consumer = self._ParseFile(prefetch_parser, test_file)
    events = self._GetEventObjectsFromQueue(queue_consumer)

    self.assertEqual(len(events), 5)

    # Shared path prefixes of the expected mapped files.
    volume = u'\\DEVICE\\HARDDISKVOLUME2'
    system32 = volume + u'\\WINDOWS\\SYSTEM32\\'
    state_data = volume + u'\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'

    def _WithMFTReference(path, entry, sequence):
        """Formats a mapped file path with its MFT entry and sequence number."""
        return u'{0:s} [MFT entry: {1:d}, sequence: {2:d}]'.format(
            path, entry, sequence)

    # The prefetch last run event.
    last_run_event = events[1]
    self.assertEqual(last_run_event.version, 26)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2013-10-04 15:40:09.037833')
    self.assertEqual(last_run_event.timestamp, expected_timestamp)
    self.assertEqual(
        last_run_event.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

    self.assertEqual(last_run_event.executable, u'TASKHOST.EXE')
    self.assertEqual(last_run_event.prefetch_hash, 0x3ae259fc)

    # The prefetch previous last run event.
    previous_run_event = events[2]

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2013-10-04 15:28:09.010356')
    self.assertEqual(previous_run_event.timestamp, expected_timestamp)
    self.assertEqual(
        previous_run_event.timestamp_desc,
        u'Previous {0:s}'.format(eventdata.EventTimestamp.LAST_RUNTIME))

    # The list is compared as a whole, so the order of the entries matters.
    expected_mapped_files = [
        _WithMFTReference(system32 + u'NTDLL.DLL', 46299, 1),
        system32 + u'TASKHOST.EXE',
        _WithMFTReference(system32 + u'KERNEL32.DLL', 45747, 1),
        _WithMFTReference(system32 + u'KERNELBASE.DLL', 45734, 1),
        _WithMFTReference(system32 + u'LOCALE.NLS', 45777, 1),
        _WithMFTReference(system32 + u'MSVCRT.DLL', 46033, 1),
        _WithMFTReference(system32 + u'RPCRT4.DLL', 46668, 1),
        _WithMFTReference(system32 + u'COMBASE.DLL', 44616, 1),
        _WithMFTReference(system32 + u'OLEAUT32.DLL', 46309, 1),
        _WithMFTReference(system32 + u'OLE32.DLL', 46348, 1),
        _WithMFTReference(system32 + u'RPCSS.DLL', 46654, 1),
        _WithMFTReference(system32 + u'KERNEL.APPCORE.DLL', 45698, 1),
        _WithMFTReference(system32 + u'CRYPTBASE.DLL', 44560, 1),
        _WithMFTReference(system32 + u'BCRYPTPRIMITIVES.DLL', 44355, 1),
        _WithMFTReference(system32 + u'USER32.DLL', 47130, 1),
        _WithMFTReference(system32 + u'GDI32.DLL', 45344, 1),
        system32 + u'EN-US\\TASKHOST.EXE.MUI',
        _WithMFTReference(system32 + u'SECHOST.DLL', 46699, 1),
        _WithMFTReference(system32 + u'CLBCATQ.DLL', 44511, 1),
        _WithMFTReference(system32 + u'RACENGN.DLL', 46549, 1),
        _WithMFTReference(system32 + u'NTMARTA.DLL', 46262, 1),
        _WithMFTReference(system32 + u'WEVTAPI.DLL', 47223, 1),
        volume + u'\\$MFT',
        _WithMFTReference(system32 + u'SQMAPI.DLL', 46832, 1),
        _WithMFTReference(system32 + u'AEPIC.DLL', 43991, 1),
        _WithMFTReference(system32 + u'WINTRUST.DLL', 47372, 1),
        _WithMFTReference(system32 + u'SLWGA.DLL', 46762, 1),
        _WithMFTReference(system32 + u'DXGI.DLL', 44935, 1),
        _WithMFTReference(system32 + u'ESENT.DLL', 45256, 1),
        _WithMFTReference(system32 + u'WMICLNT.DLL', 47413, 1),
        _WithMFTReference(system32 + u'ADVAPI32.DLL', 43994, 1),
        _WithMFTReference(system32 + u'SFC_OS.DLL', 46729, 1),
        _WithMFTReference(system32 + u'VERSION.DLL', 47120, 1),
        _WithMFTReference(system32 + u'CRYPT32.DLL', 44645, 1),
        _WithMFTReference(system32 + u'MSASN1.DLL', 45909, 1),
        _WithMFTReference(system32 + u'WTSAPI32.DLL', 47527, 1),
        _WithMFTReference(system32 + u'SPPC.DLL', 46803, 1),
        _WithMFTReference(system32 + u'POWRPROF.DLL', 46413, 1),
        _WithMFTReference(system32 + u'PROFAPI.DLL', 46441, 1),
        _WithMFTReference(state_data + u'RACMETADATA.DAT', 39345, 2),
        _WithMFTReference(
            volume + u'\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS',
            37452, 1),
        _WithMFTReference(system32 + u'RACRULES.XML', 46509, 1),
        _WithMFTReference(system32 + u'TASKSCHD.DLL', 47043, 1),
        _WithMFTReference(system32 + u'SSPICLI.DLL', 46856, 1),
        _WithMFTReference(system32 + u'XMLLITE.DLL', 47569, 1),
        _WithMFTReference(state_data + u'RACWMIEVENTDATA.DAT', 23870, 3),
        _WithMFTReference(state_data + u'RACWMIDATABOOKMARKS.DAT', 23871, 2),
        _WithMFTReference(system32 + u'TPMTASKS.DLL', 47003, 1),
        _WithMFTReference(system32 + u'NCRYPT.DLL', 46073, 1),
        _WithMFTReference(system32 + u'BCRYPT.DLL', 44346, 1),
        _WithMFTReference(system32 + u'NTASN1.DLL', 46261, 1)]
    self.assertEqual(previous_run_event.mapped_files, expected_mapped_files)

    # The volume creation event.
    volume_event = events[0]

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2013-10-04 15:57:26.146547')
    self.assertEqual(volume_event.timestamp, expected_timestamp)
    self.assertEqual(
        volume_event.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)
def setUp(self):
    """Sets up the needed objects used throughout the test.

    Creates the Prefetch parser under test, handing it a fresh preprocess
    object, and stores it on the test case for the test methods to use.
    """
    self._parser = winprefetch.WinPrefetchParser(event.PreprocessObject())
def testParse26(self):
    """Tests the Parse function on a version 26 Prefetch file.

    Parses TASKHOST.EXE-3AE259FC.pf and checks that exactly five events and
    no extraction or recovery warnings are produced, then verifies the last
    run event (index 1), the previous last run event (index 2) and the
    volume creation event (index 0). Mapped files of the previous last run
    event are expected in "PATH [ENTRY-SEQUENCE]" form.
    """
    parser = winprefetch.WinPrefetchParser()
    storage_writer = self._ParseFile(['TASKHOST.EXE-3AE259FC.pf'], parser)

    # A warning of either kind on this known-good sample would indicate a
    # parser regression, so both counts must stay at zero.
    expected_container_counts = (
        ('event', 5),
        ('extraction_warning', 0),
        ('recovery_warning', 0))
    for container_type, expected_count in expected_container_counts:
        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers(container_type),
            expected_count)

    events = list(storage_writer.GetEvents())

    # Shared path prefixes of the expected mapped files.
    volume = '\\DEVICE\\HARDDISKVOLUME2'
    system32 = volume + '\\WINDOWS\\SYSTEM32\\'
    state_data = volume + '\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'

    def _WithMFTReference(path, entry, sequence):
        """Formats a mapped file path with its entry and sequence number."""
        return '{0:s} [{1:d}-{2:d}]'.format(path, entry, sequence)

    # The prefetch last run event.
    expected_event_values = {
        'date_time': '2013-10-04 15:40:09.0378333',
        'data_type': 'windows:prefetch:execution',
        'executable': 'TASKHOST.EXE',
        'prefetch_hash': 0x3ae259fc,
        'run_count': 4,
        'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
        'version': 26}
    self.CheckEventValues(storage_writer, events[1], expected_event_values)

    # The prefetch previous last run event. The list is compared as a whole,
    # so the order of the entries matters.
    expected_mapped_files = [
        _WithMFTReference(system32 + 'NTDLL.DLL', 46299, 1),
        system32 + 'TASKHOST.EXE',
        _WithMFTReference(system32 + 'KERNEL32.DLL', 45747, 1),
        _WithMFTReference(system32 + 'KERNELBASE.DLL', 45734, 1),
        _WithMFTReference(system32 + 'LOCALE.NLS', 45777, 1),
        _WithMFTReference(system32 + 'MSVCRT.DLL', 46033, 1),
        _WithMFTReference(system32 + 'RPCRT4.DLL', 46668, 1),
        _WithMFTReference(system32 + 'COMBASE.DLL', 44616, 1),
        _WithMFTReference(system32 + 'OLEAUT32.DLL', 46309, 1),
        _WithMFTReference(system32 + 'OLE32.DLL', 46348, 1),
        _WithMFTReference(system32 + 'RPCSS.DLL', 46654, 1),
        _WithMFTReference(system32 + 'KERNEL.APPCORE.DLL', 45698, 1),
        _WithMFTReference(system32 + 'CRYPTBASE.DLL', 44560, 1),
        _WithMFTReference(system32 + 'BCRYPTPRIMITIVES.DLL', 44355, 1),
        _WithMFTReference(system32 + 'USER32.DLL', 47130, 1),
        _WithMFTReference(system32 + 'GDI32.DLL', 45344, 1),
        system32 + 'EN-US\\TASKHOST.EXE.MUI',
        _WithMFTReference(system32 + 'SECHOST.DLL', 46699, 1),
        _WithMFTReference(system32 + 'CLBCATQ.DLL', 44511, 1),
        _WithMFTReference(system32 + 'RACENGN.DLL', 46549, 1),
        _WithMFTReference(system32 + 'NTMARTA.DLL', 46262, 1),
        _WithMFTReference(system32 + 'WEVTAPI.DLL', 47223, 1),
        volume + '\\$MFT',
        _WithMFTReference(system32 + 'SQMAPI.DLL', 46832, 1),
        _WithMFTReference(system32 + 'AEPIC.DLL', 43991, 1),
        _WithMFTReference(system32 + 'WINTRUST.DLL', 47372, 1),
        _WithMFTReference(system32 + 'SLWGA.DLL', 46762, 1),
        _WithMFTReference(system32 + 'DXGI.DLL', 44935, 1),
        _WithMFTReference(system32 + 'ESENT.DLL', 45256, 1),
        _WithMFTReference(system32 + 'WMICLNT.DLL', 47413, 1),
        _WithMFTReference(system32 + 'ADVAPI32.DLL', 43994, 1),
        _WithMFTReference(system32 + 'SFC_OS.DLL', 46729, 1),
        _WithMFTReference(system32 + 'VERSION.DLL', 47120, 1),
        _WithMFTReference(system32 + 'CRYPT32.DLL', 44645, 1),
        _WithMFTReference(system32 + 'MSASN1.DLL', 45909, 1),
        _WithMFTReference(system32 + 'WTSAPI32.DLL', 47527, 1),
        _WithMFTReference(system32 + 'SPPC.DLL', 46803, 1),
        _WithMFTReference(system32 + 'POWRPROF.DLL', 46413, 1),
        _WithMFTReference(system32 + 'PROFAPI.DLL', 46441, 1),
        _WithMFTReference(state_data + 'RACMETADATA.DAT', 39345, 2),
        _WithMFTReference(
            volume + '\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS',
            37452, 1),
        _WithMFTReference(system32 + 'RACRULES.XML', 46509, 1),
        _WithMFTReference(system32 + 'TASKSCHD.DLL', 47043, 1),
        _WithMFTReference(system32 + 'SSPICLI.DLL', 46856, 1),
        _WithMFTReference(system32 + 'XMLLITE.DLL', 47569, 1),
        _WithMFTReference(state_data + 'RACWMIEVENTDATA.DAT', 23870, 3),
        _WithMFTReference(state_data + 'RACWMIDATABOOKMARKS.DAT', 23871, 2),
        _WithMFTReference(system32 + 'TPMTASKS.DLL', 47003, 1),
        _WithMFTReference(system32 + 'NCRYPT.DLL', 46073, 1),
        _WithMFTReference(system32 + 'BCRYPT.DLL', 44346, 1),
        _WithMFTReference(system32 + 'NTASN1.DLL', 46261, 1)]

    expected_event_values = {
        'date_time': '2013-10-04 15:28:09.0103565',
        'mapped_files': expected_mapped_files,
        'timestamp_desc': 'Previous {0:s}'.format(
            definitions.TIME_DESCRIPTION_LAST_RUN)}
    self.CheckEventValues(storage_writer, events[2], expected_event_values)

    # The volume creation event.
    expected_event_values = {
        'date_time': '2013-10-04 15:57:26.1465476',
        'data_type': 'windows:volume:creation',
        'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}
    self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParse23MultiVolume(self):
    """Tests the Parse function on a multi volume version 23 Prefetch file.

    Parses WUAUCLT.EXE-830BCC14.pf, which references five volume device
    paths (a base volume and four volume shadow copy paths), and checks the
    last run event (index 5) and the volume creation event (index 0)
    together with their formatted long and short message strings.
    """
    parser = winprefetch.WinPrefetchParser()
    storage_writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], parser)

    # A warning on this known-good sample would indicate a parser regression.
    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 6)

    events = list(storage_writer.GetEvents())

    base_volume = '\\DEVICE\\HARDDISKVOLUME1'
    volume_device_paths = [
        base_volume,
        '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
        '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
        '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
        '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8']
    # Every volume in this sample reports the same serial number.
    volume_serial_numbers = [0xac036525] * len(volume_device_paths)

    # The prefetch last run event.
    expected_event_values = {
        'data_type': 'windows:prefetch:execution',
        'executable': 'WUAUCLT.EXE',
        'path_hints': ['\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE'],
        'prefetch_hash': 0x830bcc14,
        'run_count': 25,
        'timestamp': '2012-03-15 21:17:39.807996',
        'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
        'version': 23,
        'volume_device_paths': volume_device_paths,
        'volume_serial_numbers': volume_serial_numbers}
    self.CheckEventValues(storage_writer, events[5], expected_event_values)

    # The long message lists the volumes 1-based, in the order above.
    volume_description_format = (
        'volume: {0:d} [serial number: 0xAC036525, device path: {1:s}]')
    volume_descriptions = ', '.join(
        volume_description_format.format(volume_index, device_path)
        for volume_index, device_path in enumerate(volume_device_paths, 1))
    expected_message = (
        'Prefetch [WUAUCLT.EXE] was executed - run count 25 '
        'path hints: \\WINDOWS\\SYSTEM32\\WUAUCLT.EXE '
        'hash: 0x830BCC14 ' + volume_descriptions)
    expected_short_message = 'WUAUCLT.EXE was run 25 time(s)'

    event_data = self._GetEventDataOfEvent(storage_writer, events[5])
    self._TestGetMessageStrings(
        event_data, expected_message, expected_short_message)

    # The volume creation event.
    expected_event_values = {
        'data_type': 'windows:volume:creation',
        'timestamp': '2010-11-10 17:37:26.484375',
        'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}
    self.CheckEventValues(storage_writer, events[0], expected_event_values)

    expected_message = (
        base_volume +
        ' Serial number: 0xAC036525 Origin: WUAUCLT.EXE-830BCC14.pf')
    expected_short_message = base_volume + ' Origin: WUAUCLT.EXE-830BCC14.pf'

    event_data = self._GetEventDataOfEvent(storage_writer, events[0])
    self._TestGetMessageStrings(
        event_data, expected_message, expected_short_message)
def testParse17(self):
    """Tests the Parse function on a version 17 Prefetch file.

    Parses CMD.EXE-087B4001.pf and checks that exactly two events and no
    extraction or recovery warnings are produced: the last run event
    (index 1), whose mapped files are compared as a complete ordered list,
    and the volume creation event (index 0).
    """
    parser = winprefetch.WinPrefetchParser()
    storage_writer = self._ParseFile(['CMD.EXE-087B4001.pf'], parser)

    # A warning of either kind on this known-good sample would indicate a
    # parser regression, so both counts must stay at zero.
    expected_container_counts = (
        ('event', 2),
        ('extraction_warning', 0),
        ('recovery_warning', 0))
    for container_type, expected_count in expected_container_counts:
        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers(container_type),
            expected_count)

    events = list(storage_writer.GetEvents())

    # Shared path prefixes of the expected mapped files; every entry in this
    # sample lives on the same volume.
    volume = '\\DEVICE\\HARDDISKVOLUME1'
    windows = volume + '\\WINDOWS'
    system32 = windows + '\\SYSTEM32\\'
    apppatch = windows + '\\APPPATCH\\'
    spuninst = windows + '\\IE7\\SPUNINST\\'
    update = volume + '\\D50FF1E628137B1A251B47AB9466\\UPDATE\\'

    # Check the prefetch last run event. The list is compared as a whole, so
    # the order of the entries matters.
    expected_mapped_files = [
        system32 + 'NTDLL.DLL',
        system32 + 'KERNEL32.DLL',
        system32 + 'UNICODE.NLS',
        system32 + 'LOCALE.NLS',
        system32 + 'SORTTBLS.NLS',
        system32 + 'MSVCRT.DLL',
        system32 + 'CMD.EXE',
        system32 + 'USER32.DLL',
        system32 + 'GDI32.DLL',
        system32 + 'SHIMENG.DLL',
        apppatch + 'SYSMAIN.SDB',
        apppatch + 'ACGENRAL.DLL',
        system32 + 'ADVAPI32.DLL',
        system32 + 'RPCRT4.DLL',
        system32 + 'WINMM.DLL',
        system32 + 'OLE32.DLL',
        system32 + 'OLEAUT32.DLL',
        system32 + 'MSACM32.DLL',
        system32 + 'VERSION.DLL',
        system32 + 'SHELL32.DLL',
        system32 + 'SHLWAPI.DLL',
        system32 + 'USERENV.DLL',
        system32 + 'UXTHEME.DLL',
        system32 + 'CTYPE.NLS',
        system32 + 'SORTKEY.NLS',
        windows + (
            '\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_'
            '6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\COMCTL32.DLL'),
        windows + '\\WINDOWSSHELL.MANIFEST',
        system32 + 'COMCTL32.DLL',
        update + 'UPDATE.EXE.MANIFEST',
        volume + '\\$MFT',
        spuninst + 'SPUNINST.EXE.MANIFEST',
        update + 'IERESETICONS.EXE',
        spuninst + 'IERESETICONS.EXE']

    expected_event_values = {
        'date_time': '2013-03-10 10:11:49.2812500',
        'data_type': 'windows:prefetch:execution',
        'executable': 'CMD.EXE',
        'mapped_files': expected_mapped_files,
        'prefetch_hash': 0x087b4001,
        'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
        'version': 17,
        'volume_serial_numbers': [0x24cb074b]}
    self.CheckEventValues(storage_writer, events[1], expected_event_values)

    # Check the volume creation event.
    expected_event_values = {
        'date_time': '2013-03-10 10:19:46.2343750',
        'data_type': 'windows:volume:creation',
        'device_path': volume,
        'origin': 'CMD.EXE-087B4001.pf',
        'serial_number': 0x24cb074b,
        'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}
    self.CheckEventValues(storage_writer, events[0], expected_event_values)