def testProcessSourcesFilestat(self):
"""Test if the filestat and other parsers ran."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.quiet = True
options.parsers = u'filestat,pe'
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'test_pe.exe'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=options.output, read_only=True)
except IOError as exception:
self.fail((
u'Unable to open storage file after processing with error: '
u'{0:s}.').format(exception))
# There should be 3 filestat and 3 pe parser generated events.
event_objects = list(storage_file.GetEvents())
self.assertEquals(len(event_objects), 6)
def testExtractEventsFromSourcesWithFilestat(self):
"""Tests the ExtractEventsFromSources function with filestat parser."""
output_writer = test_lib.TestOutputWriter(encoding='utf-8')
test_tool = log2timeline_tool.Log2TimelineTool(
output_writer=output_writer)
options = test_lib.TestOptions()
options.artifact_definitions_path = self._GetTestFilePath(
['artifacts'])
options.quiet = True
options.parsers = 'filestat,pe'
options.single_process = True
options.status_view_mode = 'none'
options.source = self._GetTestFilePath(['test_pe.exe'])
with shared_test_lib.TempDirectory() as temp_directory:
options.storage_file = os.path.join(temp_directory,
'storage.plaso')
options.storage_format = definitions.STORAGE_FORMAT_ZIP
test_tool.ParseOptions(options)
test_tool.ExtractEventsFromSources()
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=options.storage_file, read_only=True)
except IOError as exception:
self.fail((
'Unable to open storage file after processing with error: '
'{0:s}.').format(exception))
# There should be 3 filestat and 3 pe parser generated events.
events = list(storage_file.GetSortedEvents())
self.assertEqual(len(events), 6)
def testPopEvent(self):
"""Tests the PopEvent function."""
event_heap = event_heaps.SerializedStreamEventHeap()
test_event = event_heap.PopEvent()
self.assertEqual(test_event, (None, None))
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.ZIPStorageFile()
storage_file.Open(path=temp_file, read_only=False)
test_events = self._CreateTestEvents()
for event in test_events:
storage_file.AddEvent(event)
event_heap.PushEvent(event)
test_event, stream_number = event_heap.PopEvent()
self.assertEqual(test_event, test_events[3])
self.assertEqual(stream_number, 1)
test_event, _ = event_heap.PopEvent()
self.assertEqual(test_event, test_events[2])
test_event, _ = event_heap.PopEvent()
self.assertEqual(test_event, test_events[0])
test_event, _ = event_heap.PopEvent()
self.assertEqual(test_event, test_events[1])
def CompareStorages(self):
"""Compares the contents of two storages.
Returns:
bool: True if the content of the storages is identical.
"""
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=self._storage_file_path, read_only=True)
except IOError as exception:
logging.error(
u'Unable to open storage file: {0:s} with error: {1:s}'.format(
self._storage_file_path, exception))
return
compare_storage_file = storage_zip_file.ZIPStorageFile()
try:
compare_storage_file.Open(path=self._compare_storage_file_path,
read_only=True)
except IOError as exception:
logging.error(
u'Unable to open storage file: {0:s} with error: {1:s}'.format(
self._compare_storage_file_path, exception))
storage_file.Close()
return
try:
result = self._CompareStorages(storage_file, compare_storage_file)
finally:
compare_storage_file.Close()
storage_file.Close()
if result:
self._output_writer.Write(u'Storages are identical.\n')
else:
self._output_writer.Write(u'Storages are different.\n')
return result
def CreateStorageFileForFile(cls, path):
"""Creates a storage file based on the file.
Args:
path (str): path to the storage file.
Returns:
StorageFile: a storage file or None if the storage file cannot be
opened or the storage format is not supported.
"""
if storage_sqlite_file.SQLiteStorageFile.CheckSupportedFormat(path):
return storage_sqlite_file.SQLiteStorageFile()
elif storage_zip_file.ZIPStorageFile.CheckSupportedFormat(path):
return storage_zip_file.ZIPStorageFile()
def testPushEvent(self):
"""Tests the PushEvent function."""
event_heap = event_heaps.SerializedStreamEventHeap()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
storage_file = zip_file.ZIPStorageFile()
storage_file.Open(path=temp_file, read_only=False)
test_events = self._CreateTestEvents()
for event in test_events:
storage_file.AddEvent(event)
event_heap.PushEvent(event)
self.assertEqual(event_heap.number_of_events, 4)
def PrintStorageInformation(self):
"""Prints the storage information."""
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=self._storage_file_path, read_only=True)
except IOError as exception:
logging.error(
u'Unable to open storage file: {0:s} with error: {1:s}'.format(
self._storage_file_path, exception))
return
try:
self._PrintStorageInformation(storage_file)
finally:
storage_file.Close()
def _CreateTestStorageFile(self, path):
"""Creates a storage file for testing.
Args:
path (str): path.
"""
storage_file = storage_zip_file.ZIPStorageFile()
storage_file.Open(path=path, read_only=False)
# TODO: add preprocessing information.
for timestamp, kwargs in self._TEST_EVENTS:
event = TestEvent(timestamp, **kwargs)
storage_file.AddEvent(event)
storage_file.Close()
def _CreateTestStorageFile(self, path):
"""Creates a storage file for testing.
Args:
path (str): path.
"""
storage_file = storage_zip_file.ZIPStorageFile()
storage_file.Open(path=path, read_only=False)
# TODO: add preprocessing information.
storage_file.AddEvent(TestEvent(5134324321))
storage_file.AddEvent(TestEvent(2134324321))
storage_file.AddEvent(TestEvent(9134324321))
storage_file.AddEvent(TestEvent(15134324321))
storage_file.AddEvent(TestEvent(5134324322))
storage_file.AddEvent(TestEvent(5134024321))
storage_file.Close()
def testProcessSources(self):
"""Tests the ProcessSources function."""
session = sessions.Session()
test_front_end = extraction_frontend.ExtractionFrontend()
test_file = self._GetTestFilePath([u'ímynd.dd'])
volume_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location=u'/',
parent=volume_path_spec)
source_type = dfvfs_definitions.SOURCE_TYPE_STORAGE_MEDIA_IMAGE
with shared_test_lib.TempDirectory() as temp_directory:
storage_file_path = os.path.join(temp_directory, u'storage.plaso')
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, storage_file_path)
test_front_end.ProcessSources(session, storage_writer, [path_spec],
source_type)
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=storage_file_path)
except IOError:
self.fail(u'Unable to open storage file after processing.')
# Make sure we can read events from the storage.
event_objects = list(storage_file.GetEvents())
self.assertNotEqual(len(event_objects), 0)
event_object = event_objects[0]
self.assertEqual(event_object.data_type, u'fs:stat')
self.assertEqual(event_object.filename, u'/lost+found')