def testParseSystemWithArtifactFilters(self):
  """Tests the Parse function on a SYSTEM file with artifact filters.

  The artifact definitions under the test 'artifacts' directory are loaded
  into a registry, find specifications are built for two of them, and the
  SYSTEM hive is parsed with those filters applied. The test then checks
  that the expected Windows Registry plugins ran and produced the expected
  number of events.
  """
  registry_parser = winreg.WinRegistryParser()
  knowledge_base = knowledge_base_engine.KnowledgeBase()

  # Load the test artifact definitions and build find specs for the two
  # artifacts exercised by this test.
  definitions_registry = artifacts_registry.ArtifactDefinitionsRegistry()
  yaml_reader = artifacts_reader.YamlArtifactsReader()
  definitions_registry.ReadFromDirectory(
      yaml_reader, self._GetTestFilePath(['artifacts']))

  filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper(
      definitions_registry, knowledge_base)
  filter_helper.BuildFindSpecs(
      ['TestRegistryKey', 'TestRegistryValue'], environment_variables=None)

  storage_writer = self._ParseFile(
      ['SYSTEM'], registry_parser, artifacts_filter_helper=filter_helper)

  parser_chains = self._GetParserChains(list(storage_writer.GetEvents()))

  # Expected number of events per plugin:
  # * 5 usbstor chains for currentcontrolset:
  #   'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR'
  # * 4 Windows boot execute chains for key_value pairs:
  #   {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager',
  #    value: 'BootExecute'}
  #   {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
  #    value: 'BootExecute'}
  # * 831 Windows services chains for keys:
  #   'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**'
  #   'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**'
  expected_event_counts = {
      'windows_usbstor_devices': 5,
      'windows_boot_execute': 4,
      'windows_services': 831}

  # First make sure every expected plugin was picked up and produced events.
  for plugin_name in expected_event_counts:
    expected_parser_chain = self._PluginNameToParserChain(plugin_name)
    self.assertTrue(
        expected_parser_chain in parser_chains,
        f'Chain {expected_parser_chain:s} not found in events.')

  # Then check that the number of events produced by each plugin is correct.
  for plugin_name, expected_count in expected_event_counts.items():
    parser_chain = self._PluginNameToParserChain(plugin_name)
    self.assertEqual(parser_chains.get(parser_chain, 0), expected_count)
def BuildFilterFindSpecs(
    cls, artifact_definitions_path, custom_artifacts_path,
    knowledge_base_object, artifact_filter_names=None, filter_file_path=None):
  """Builds find specifications from artifacts or filter file if available.

  Artifact filter names take precedence over a filter file: the filter file
  is only consulted when no artifact filter names were given.

  Args:
    artifact_definitions_path (str): path to artifact definitions file.
    custom_artifacts_path (str): path to custom artifact definitions file.
    knowledge_base_object (KnowledgeBase): knowledge base.
    artifact_filter_names (Optional[list[str]]): names of artifact
        definitions that are used for filtering file system and Windows
        Registry key paths.
    filter_file_path (Optional[str]): path of filter file.

  Returns:
    list[dfvfs.FindSpec]: find specifications for the file source type, or
        None when neither artifact filter names nor a filter file path were
        provided.

  Raises:
    InvalidFilter: if no valid FindSpecs are built.
  """
  environment_variables = knowledge_base_object.GetEnvironmentVariables()

  # Nothing to filter on: no specifications and no error.
  if not artifact_filter_names and not filter_file_path:
    return None

  if artifact_filter_names:
    joined_names = ', '.join(artifact_filter_names)
    logger.debug(
        f'building find specification based on artifacts: {joined_names:s}')

    definitions_registry = cls.BuildArtifactsRegistry(
        artifact_definitions_path, custom_artifacts_path)
    filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper(
        definitions_registry, artifact_filter_names, knowledge_base_object)
    filter_helper.BuildFindSpecs(environment_variables=environment_variables)

    # The helper stores its results in the knowledge base; only the file
    # system find specifications are returned here.
    find_specs = knowledge_base_object.GetValue(
        filter_helper.KNOWLEDGE_BASE_VALUE)[
            artifact_types.TYPE_INDICATOR_FILE]
  else:
    logger.debug(
        f'building find specification based on filter file: '
        f'{filter_file_path:s}')

    find_specs = filter_file.FilterFile(filter_file_path).BuildFindSpecs(
        environment_variables=environment_variables)

  if not find_specs:
    raise errors.InvalidFilter(
        'Error processing filters, no valid specifications built.')

  return find_specs
def _CreateTestArtifactDefinitionsFilterHelper(self, knowledge_base):
  """Creates an artifact definitions filter helper for testing.

  The helper is backed by a registry populated from the YAML artifact
  definitions in the test 'artifacts' directory.

  Args:
    knowledge_base (KnowledgeBase): contains information from the source
        data needed for filtering.

  Returns:
    ArtifactDefinitionsFilterHelper: artifact definitions filter helper.
  """
  definitions_registry = artifacts_registry.ArtifactDefinitionsRegistry()
  definitions_registry.ReadFromDirectory(
      artifacts_reader.YamlArtifactsReader(),
      self._GetTestFilePath(['artifacts']))

  return artifact_filters.ArtifactDefinitionsFilterHelper(
      definitions_registry, knowledge_base)
def BuildFilterFindSpecs(
    self, artifact_definitions_path, custom_artifacts_path,
    knowledge_base_object, artifact_filter_names=None, filter_file_path=None):
  """Builds find specifications from artifacts or filter file if available.

  Artifact filter names take precedence over a filter file: the filter file
  is only consulted when no artifact filter names were given. When artifact
  filter names are used, the resulting helper is kept in
  self._artifacts_filter_helper so that Windows Registry key filtering can
  be applied during parsing.

  Args:
    artifact_definitions_path (str): path to artifact definitions file.
    custom_artifacts_path (str): path to custom artifact definitions file.
    knowledge_base_object (KnowledgeBase): knowledge base.
    artifact_filter_names (Optional[list[str]]): names of artifact
        definitions that are used for filtering file system and Windows
        Registry key paths.
    filter_file_path (Optional[str]): path of filter file.

  Returns:
    list[dfvfs.FindSpec]: find specifications for the file source type, or
        None when neither artifact filter names nor a filter file path were
        provided.

  Raises:
    InvalidFilter: if no valid FindSpecs are built.
  """
  environment_variables = knowledge_base_object.GetEnvironmentVariables()

  if artifact_filter_names:
    joined_names = ', '.join(artifact_filter_names)
    logger.debug(
        f'building find specification based on artifacts: {joined_names:s}')

    definitions_registry = BaseEngine.BuildArtifactsRegistry(
        artifact_definitions_path, custom_artifacts_path)

    filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper(
        definitions_registry, knowledge_base_object)
    filter_helper.BuildFindSpecs(
        artifact_filter_names, environment_variables=environment_variables)

    # If the user selected Windows Registry artifacts we have to ensure
    # the Windows Registry files are parsed, otherwise the Registry key
    # find specifications would never be matched against any hive.
    if filter_helper.registry_find_specs:
      filter_helper.BuildFindSpecs(
          self._WINDOWS_REGISTRY_FILES_ARTIFACT_NAMES,
          environment_variables=environment_variables)

    self._artifacts_filter_helper = filter_helper

    artifact_find_specs = filter_helper.file_system_find_specs
    if not artifact_find_specs:
      raise errors.InvalidFilter(
          'No valid file system find specifications were built from '
          'artifacts.')

    return artifact_find_specs

  if filter_file_path:
    logger.debug(
        f'building find specification based on filter file: '
        f'{filter_file_path:s}')

    filter_file_find_specs = filter_file.FilterFile(
        filter_file_path).BuildFindSpecs(
            environment_variables=environment_variables)
    if not filter_file_find_specs:
      raise errors.InvalidFilter(
          'No valid file system find specifications were built from filter '
          'file.')

    return filter_file_find_specs

  # Neither filtering option was requested.
  return None