def testTransmissionPlugin(self):
"""Read Transmission activity files and make few tests."""
test_file = self._GetTestFilePath(['bencode_transmission'])
event_queue_consumer = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 3)
event_object = event_objects[0]
destination_expected = u'/Users/brian/Downloads'
self.assertEqual(event_object.destination, destination_expected)
self.assertEqual(event_object.seedtime, 4)
description_expected = eventdata.EventTimestamp.ADDED_TIME
self.assertEqual(event_object.timestamp_desc, description_expected)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-08 15:31:20')
self.assertEqual(event_object.timestamp, expected_timestamp)
# Test on second event of first torrent.
event_object = event_objects[1]
self.assertEqual(event_object.destination, destination_expected)
self.assertEqual(event_object.seedtime, 4)
description_expected = eventdata.EventTimestamp.FILE_DOWNLOADED
self.assertEqual(event_object.timestamp_desc, description_expected)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-08 18:24:24')
self.assertEqual(event_object.timestamp, expected_timestamp)
def testParse(self):
"""Tests the Parse function."""
test_file = self._GetTestFilePath(['typed_history.xml'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 4)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-11 23:45:27')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.entry_selection,
'Filled from autocomplete.')
expected_string = u'plaso.kiddaland.net (Filled from autocomplete.)'
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
event_object = event_objects[3]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-11 22:46:07')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.entry_selection, 'Manually typed.')
expected_string = u'theonion.com (Manually typed.)'
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
def testParse(self):
"""Tests the Parse function."""
test_file = self._GetTestFilePath(['syslog'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 13)
# TODO let's add code to convert Jan 22 2012 07:52:33 into the
# corresponding timestamp, I think that will be more readable
self.assertEquals(event_objects[0].timestamp, 1327218753000000)
self.assertEquals(event_objects[0].hostname, 'myhostname.myhost.com')
expected_string = (u'[client, pid: 30840] : INFO No new content.')
self._TestGetMessageStrings(event_objects[0], expected_string,
expected_string)
expected_msg = (
'[aprocess, pid: 101001] : This is a multi-line message that screws up'
'many syslog parsers.')
expected_msg_short = (
'[aprocess, pid: 101001] : This is a multi-line message that screws up'
'many sys...')
self._TestGetMessageStrings(event_objects[11], expected_msg,
expected_msg_short)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-02-29 01:15:43')
self.assertEquals(event_objects[6].timestamp, expected_timestamp)
# Testing year increment.
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-03-23 23:01:18')
self.assertEquals(event_objects[8].timestamp, expected_timestamp)
def testTextParserSuccess(self):
"""Test a text parser that will match against content."""
test_file = self._GetTestFilePath(['text_parser', 'test2.txt'])
event_queue_consumer = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
event_object = event_objects[0]
msg1, _ = formatters_manager.EventFormatterManager.GetMessageStrings(
event_object)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-01-01 05:23:15')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(msg1, 'first line.')
self.assertEquals(event_object.hostname, 'myhost')
self.assertEquals(event_object.username, 'myuser')
event_object = event_objects[1]
msg2, _ = formatters_manager.EventFormatterManager.GetMessageStrings(
event_object)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'1991-12-24 19:58:06')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(msg2, 'second line.')
self.assertEquals(event_object.hostname, 'myhost')
self.assertEquals(event_object.username, 'myuser')
def testProcess(self):
"""Tests the Process function."""
plist_name = 'com.apple.iPod.plist'
test_file = self._GetTestFilePath([plist_name])
events = self._ParsePlistFileWithPlugin(self._parser, self._plugin,
test_file, plist_name)
event_objects = self._GetEventObjects(events)
self.assertEquals(len(event_objects), 4)
event_object = event_objects[1]
timestamp = timelib_test.CopyStringToTimestamp('2013-10-09 19:27:54')
self.assertEquals(event_object.timestamp, timestamp)
expected_string = (
u'Device ID: 4C6F6F6E65000000 Type: iPhone [10016] Connected 1 times '
u'Serial nr: 526F676572 IMEI [012345678901234]')
self._TestGetMessageStrings(event_object, expected_string,
expected_string[0:77] + '...')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.LAST_CONNECTED)
self.assertEquals(event_object.device_class, u'iPhone')
self.assertEquals(event_object.device_id, u'4C6F6F6E65000000')
self.assertEquals(event_object.firmware_version, 256)
self.assertEquals(event_object.imei, u'012345678901234')
self.assertEquals(event_object.use_count, 1)
event_object = event_objects[3]
timestamp = timelib_test.CopyStringToTimestamp('1995-11-22 18:25:07')
self.assertEquals(event_object.timestamp, timestamp)
self.assertEquals(event_object.device_id, u'0000A11300000000')
def testParse17(self):
"""Tests the Parse function on a version 17 Prefetch file."""
test_file = self._GetTestFilePath(['CMD.EXE-087B4001.pf'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 2)
# The last run time.
event_object = event_objects[1]
self.assertEquals(event_object.version, 17)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-03-10 10:11:49.281250')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.LAST_RUNTIME)
self.assertEquals(event_object.executable, u'CMD.EXE')
self.assertEquals(event_object.prefetch_hash, 0x087b4001)
# The volume creation time.
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-03-10 10:19:46.234375')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
def testProcess(self):
"""Tests the Process function on a Chrome History database file."""
test_file = self._GetTestFilePath(['History'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The History file contains 71 events (69 page visits, 1 file downloads).
self.assertEquals(len(event_objects), 71)
# Check the first page visited entry.
event_object = event_objects[0]
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.PAGE_VISITED)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-04-07 12:03:11')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = u'http://start.ubuntu.com/10.04/Google/'
self.assertEquals(event_object.url, expected_url)
expected_title = u'Ubuntu Start Page'
self.assertEquals(event_object.title, expected_title)
expected_msg = (
u'{0:s} ({1:s}) [count: 0] Host: start.ubuntu.com '
u'Visit Source: [SOURCE_FIREFOX_IMPORTED] Type: [LINK - User clicked '
u'a link] (URL not typed directly - no typed count)').format(
expected_url, expected_title)
expected_short = u'{0:s} ({1:s})'.format(expected_url, expected_title)
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
# Check the first file downloaded entry.
event_object = event_objects[69]
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.FILE_DOWNLOADED)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-05-23 08:35:30')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = (u'http://fatloss4idiotsx.com/download/funcats/'
u'funcats_scr.exe')
self.assertEquals(event_object.url, expected_url)
expected_full_path = u'/home/john/Downloads/funcats_scr.exe'
self.assertEquals(event_object.full_path, expected_full_path)
expected_msg = (u'{0:s} ({1:s}). Received: 1132155 bytes out of: '
u'1132155 bytes.').format(expected_url,
expected_full_path)
expected_short = u'{0:s} downloaded (1132155 bytes)'.format(
expected_full_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = u'\\ControlSet001\\services\\TestDriver'
values = []
values.append(winreg_test_lib.TestRegValue(
'Type', '\x02\x00\x00\x00', 4, 123))
values.append(winreg_test_lib.TestRegValue(
'Start', '\x02\x00\x00\x00', 4, 127))
values.append(winreg_test_lib.TestRegValue(
'ErrorControl', '\x01\x00\x00\x00', 4, 131))
values.append(winreg_test_lib.TestRegValue(
'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140))
values.append(winreg_test_lib.TestRegValue(
'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160))
values.append(winreg_test_lib.TestRegValue(
'DriverPackageId',
'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1,
180))
values.append(winreg_test_lib.TestRegValue(
'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200))
timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(
key_path, timestamp, values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
self.assertEquals(event_object.timestamp, expected_timestamp)
# TODO: Remove RegAlert completely
# self.assertTrue(event_object.regalert)
expected_msg = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: C:\\Dell\\testdriver.sys '
u'Start: Auto Start (2) '
# u'ImagePath: REGALERT Driver not in system32: '
# u'C:\\Dell\\testdriver.sys '
# u'Start: REGALERT Unusual Start for Driver: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_msg_short = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def setUp(self):
"""Setup sets parameters that will be reused throughout this test."""
self._front_end = psort.PsortFrontend()
# TODO: have sample output generated from the test.
self._test_file = os.path.join(self._TEST_DATA_PATH, 'psort_test.out')
self.first = timelib_test.CopyStringToTimestamp('2012-07-24 21:45:24')
self.last = timelib_test.CopyStringToTimestamp('2016-11-18 01:15:43')
def setUp(self):
"""Setup sets parameters that will be reused throughout this test."""
# TODO: have sample output generated from the test.
# TODO: Use input data with a defined year. syslog parser chooses a
# year based on system clock; forcing updates to test file if regenerated.
self.test_file = os.path.join('test_data', 'psort_test.out')
self.first = timelib_test.CopyStringToTimestamp('2012-07-20 15:44:14')
self.last = timelib_test.CopyStringToTimestamp('2016-11-18 01:15:43')
def testParse(self):
"""Tests the Parse function."""
knowledge_base_values = {'zone': pytz.timezone('Europe/Rome')}
test_file = self._GetTestFilePath(['xchat.log'])
event_queue_consumer = self._ParseFile(
self._parser, test_file, knowledge_base_values=knowledge_base_values)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 9)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-12-31 21:11:55+01:00')
self.assertEquals(event_objects[0].timestamp, expected_timestamp)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-12-31 23:00:00+01:00')
self.assertEquals(event_objects[7].timestamp, expected_timestamp)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-12-31 23:59:00+01:00')
self.assertEquals(event_objects[8].timestamp, expected_timestamp)
expected_string = u'XChat start logging'
self._TestGetMessageStrings(
event_objects[0], expected_string, expected_string)
expected_string = u'--> You are now talking on #gugle'
self._TestGetMessageStrings(
event_objects[1], expected_string, expected_string)
expected_string = u'--- Topic for #gugle is plaso, a difficult word'
self._TestGetMessageStrings(
event_objects[2], expected_string, expected_string)
expected_string = u'Topic for #gugle set by Kristinn'
self._TestGetMessageStrings(
event_objects[3], expected_string, expected_string)
expected_string = u'--- Joachim gives voice to fpi'
self._TestGetMessageStrings(
event_objects[4], expected_string, expected_string)
expected_string = u'* XChat here'
self._TestGetMessageStrings(
event_objects[5], expected_string, expected_string)
expected_string = u'[nickname: fpi] ola plas-ing guys!'
self._TestGetMessageStrings(
event_objects[6], expected_string, expected_string)
expected_string = u'[nickname: STRANGER] \u65e5\u672c'
self._TestGetMessageStrings(
event_objects[7], expected_string, expected_string)
expected_string = u'XChat end logging'
self._TestGetMessageStrings(
event_objects[8], expected_string, expected_string)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
values = []
values.append(
winreg_test_lib.TestRegValue('MRUList',
'acb'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=123))
values.append(
winreg_test_lib.TestRegValue(
'a',
'Some random text here'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1892))
values.append(
winreg_test_lib.TestRegValue(
'b',
'c:/evil.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_BINARY,
offset=612))
values.append(
winreg_test_lib.TestRegValue(
'c',
'C:/looks_legit.exe'.encode('utf_16_le'),
winreg_test_lib.TestRegValue.REG_SZ,
offset=1001))
timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values,
1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-08-28 09:23:49.002031')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (u'[{0:s}] '
u'Index: 1 [MRU Value a]: Some random text here '
u'Index: 2 [MRU Value c]: C:/looks_legit.exe '
u'Index: 3 [MRU Value b]: ').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testParse(self):
"""Tests the Parse function."""
test_file = self._GetTestFilePath(['utmpx_mac'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEqual(len(event_objects), 6)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-13 17:52:34')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg_short = u'User: N/A'
expected_msg = (u'User: N/A Status: BOOT_TIME '
u'Computer Name: localhost Terminal: N/A')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[1]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-13 17:52:41.736713')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.user, u'moxilo')
self.assertEqual(
event_object.terminal,
u'console',
)
self.assertEqual(event_object.status, u'USER_PROCESS')
self.assertEqual(event_object.computer_name, u'localhost')
expected_msg = (u'User: moxilo Status: '
u'USER_PROCESS '
u'Computer Name: localhost '
u'Terminal: console')
expected_msg_short = (u'User: moxilo')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[4]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-14 04:32:56.641464')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.user, u'moxilo')
self.assertEqual(event_object.terminal, u'ttys002')
self.assertEqual(event_object.status, u'DEAD_PROCESS')
expected_msg = (u'User: moxilo Status: '
u'DEAD_PROCESS '
u'Computer Name: localhost '
u'Terminal: ttys002')
expected_msg_short = (u'User: moxilo')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testParse23MultiVolume(self):
"""Tests the Parse function on a mulit volume version 23 Prefetch file."""
test_file = self._GetTestFilePath(['WUAUCLT.EXE-830BCC14.pf'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 6)
# The last run time.
event_object = event_objects[5]
self.assertEquals(event_object.version, 23)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-03-15 21:17:39.807996')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.LAST_RUNTIME)
# The creation time.
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2010-11-10 17:37:26.484375')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
self.assertEquals(event_object.executable, u'WUAUCLT.EXE')
self.assertEquals(event_object.prefetch_hash, 0x830bcc14)
self.assertEquals(event_object.path,
u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE')
self.assertEquals(event_object.run_count, 25)
self.assertEquals(event_object.volume_device_paths[0],
u'\\DEVICE\\HARDDISKVOLUME1')
self.assertEquals(event_object.volume_serial_numbers[0], 0xac036525)
expected_msg = (
u'Prefetch [WUAUCLT.EXE] was executed - run count 25 path: '
u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE '
u'hash: 0x830BCC14 '
u'volume: 1 [serial number: 0xAC036525, '
u'device path: \\DEVICE\\HARDDISKVOLUME1], '
u'volume: 2 [serial number: 0xAC036525, '
u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY2], '
u'volume: 3 [serial number: 0xAC036525, '
u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY4], '
u'volume: 4 [serial number: 0xAC036525, '
u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY7], '
u'volume: 5 [serial number: 0xAC036525, '
u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY8]')
expected_msg_short = u'WUAUCLT.EXE was run 25 time(s)'
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testParse(self):
"""Tests the Parse function."""
# TODO: only tested against Mac OS X Cups IPP (Version 2.0)
test_file = self._GetTestFilePath(['mac_cups_ipp'])
events = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjectsFromQueue(events)
self.assertEqual(len(event_objects), 3)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-03 18:07:21')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
self.assertEqual(event_object.application, u'LibreOffice')
self.assertEqual(event_object.job_name, u'Assignament 1')
self.assertEqual(event_object.computer_name, u'localhost')
self.assertEqual(event_object.copies, 1)
self.assertEqual(event_object.doc_type, u'application/pdf')
expected_job = u'urn:uuid:d51116d9-143c-3863-62aa-6ef0202de49a'
self.assertEqual(event_object.job_id, expected_job)
self.assertEqual(event_object.owner, u'Joaquin Moreno Garijo')
self.assertEqual(event_object.user, u'moxilo')
self.assertEqual(event_object.printer_id, u'RHULBW')
expected_uri = u'ipp://localhost:631/printers/RHULBW'
self.assertEqual(event_object.uri, expected_uri)
expected_msg = (u'User: moxilo '
u'Owner: Joaquin Moreno Garijo '
u'Job Name: Assignament 1 '
u'Application: LibreOffice '
u'Printer: RHULBW')
expected_msg_short = (u'Job Name: Assignament 1')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[1]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-03 18:07:21')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.START_TIME)
event_object = event_objects[2]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-03 18:07:32')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.END_TIME)
def testParse(self):
"""Tests the Parse function."""
test_file = self._GetTestFilePath(['iis.log'])
event_queue_consumer = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 11)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-07-30 00:00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.source_ip, u'10.10.10.100')
self.assertEquals(event_object.dest_ip, u'10.10.10.100')
self.assertEquals(event_object.dest_port, 80)
expected_msg = (u'GET /some/image/path/something.jpg '
u'[ 10.10.10.100 > 10.10.10.100 : 80 ] '
u'Http Status: 200 '
u'User Agent: Mozilla/4.0+(compatible;+Win32;'
u'+WinHttp.WinHttpRequest.5)')
expected_msg_short = (u'GET /some/image/path/something.jpg '
u'[ 10.10.10.100 > 10.10.10.100 : 80 ]')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[5]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-07-30 00:00:05')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.http_method, 'GET')
self.assertEquals(event_object.http_status, 200)
self.assertEquals(event_object.requested_uri_stem,
u'/some/image/path/something.jpg')
event_object = event_objects[1]
expected_msg = (
u'GET /some/image/path/something.htm '
u'[ 22.22.22.200 > 10.10.10.100 : 80 ] '
u'Http Status: 404 '
u'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
u'+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
u'+Safari/534.57.2')
expected_msg_short = (u'GET /some/image/path/something.htm '
u'[ 22.22.22.200 > 10.10.10.100 : 80 ]')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['NTUSER.DAT'])
key_path = (
u'\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU')
winreg_key = self._GetKeyFromFile(test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 15)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2009-08-04 15:19:16.997750')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value 0]: '
u'Shell item list: [My Computer]').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value 0]: Shel...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
event_object = event_objects[1]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2009-08-04 15:19:10.669625')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}\\0] '
u'Index: 1 [MRU Value 0]: '
u'Shell item list: [My Computer, C:\\]').format(key_path)
expected_msg_short = (
u'[{0:s}\\0] Index: 1 [MRU Value 0]: Sh...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
event_object = event_objects[14]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2009-08-04 15:19:16.997750')
self.assertEquals(event_object.timestamp, expected_timestamp)
# The winreg_formatter will add a space after the key path even when there
# is not text.
expected_msg = u'[{0:s}\\0\\0\\0\\0\\0] '.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\'
u'OpenSavePidlMRU')
winreg_key = self._GetKeyFromFile(test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 65)
# A MRUListEx event object.
event_object = event_objects[40]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-08-28 22:48:28.159308')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}\\exe] '
u'Index: 1 [MRU Value 1]: Shell item list: [My Computer, P:\\, '
u'Application Tools, Firefox 6.0, Firefox Setup 6.0.exe] '
u'Index: 2 [MRU Value 0]: Shell item list: [Computers and Devices, '
u'UNKNOWN: 0x00, \\\\controller\\WebDavShare, Firefox Setup 3.6.12.exe'
u']').format(key_path)
expected_msg_short = (
u'[\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\'
u'OpenSavePidlMRU...')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
# A shell item event object.
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-03-08 22:16:02')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_msg = (u'Name: ALLOYR~1 '
u'Long name: Alloy Research '
u'NTFS file reference: 44518-33 '
u'Origin: {0:s}\\*').format(key_path)
expected_msg_short = (u'Name: ALLOYR~1 '
u'NTFS file reference: 44518-33 '
u'Origin: \\Software\\Microsoft\\Wind...')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Test the Process function on an Android contacts2.db file."""
test_file = self._GetTestFilePath(['contacts2.db'])
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The contacts2 database file contains 5 events (MISSED/OUTGOING/INCOMING).
self.assertEquals(len(event_objects), 5)
# Check the first event.
event_object = event_objects[0]
self.assertEquals(event_object.timestamp_desc, u'Call Started')
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-11-06 21:17:16.690')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_number = u'5404561685'
self.assertEquals(event_object.number, expected_number)
expected_type = u'MISSED'
self.assertEquals(event_object.call_type, expected_type)
expected_call = (u'MISSED '
u'Number: 5404561685 '
u'Name: Barney '
u'Duration: 0 seconds')
expected_short = u'MISSED Call'
self._TestGetMessageStrings(event_object, expected_call,
expected_short)
# Run some tests on the last 2 events.
event_object_3 = event_objects[3]
event_object_4 = event_objects[4]
# Check the timestamp_desc of the last event.
self.assertEquals(event_object_4.timestamp_desc, u'Call Ended')
expected_timestamp3 = timelib_test.CopyStringToTimestamp(
'2013-11-07 00:03:36.690')
self.assertEquals(event_object_3.timestamp, expected_timestamp3)
expected_timestamp4 = timelib_test.CopyStringToTimestamp(
'2013-11-07 00:14:15.690')
self.assertEquals(event_object_4.timestamp, expected_timestamp4)
# Ensure the difference in btw. events 3 and 4 equals the duration.
expected_duration = ((expected_timestamp4 - expected_timestamp3) /
1000000)
self.assertEquals(event_object_4.duration, expected_duration)
def testProcess(self):
"""Tests the Process function on a LS Quarantine database file."""
test_file = self._GetTestFilePath(['quarantine.db'])
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The quarantine database contains 14 event_objects.
self.assertEquals(len(event_objects), 14)
# Examine a VLC event.
event_object = event_objects[3]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-07-08 21:12:03')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.agent, u'Google Chrome')
vlc_url = (
u'http://download.cnet.com/VLC-Media-Player/3001-2139_4-10210434.html'
u'?spi=40ab24d3c71594a5017d74be3b0c946c')
self.assertEquals(event_object.url, vlc_url)
self.assertTrue(u'vlc-2.0.7-intel64.dmg' in event_object.data)
# Examine a MacKeeper event.
event_object = event_objects[9]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-07-12 19:28:58')
self.assertEquals(event_object.timestamp, expected_timestamp)
# Examine a SpeedTest event.
event_object = event_objects[10]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-07-12 19:30:16')
self.assertEquals(event_object.timestamp, expected_timestamp)
speedtest_message = (
u'[Google Chrome] Downloaded: http://mackeeperapp.zeobit.com/aff/'
u'speedtest.net.6/download.php?affid=460245286&trt=5&utm_campaign='
u'3ES&tid_ext=P107fSKcSfqpMbcP3sI4fhKmeMchEB3dkAGpX4YIsvM;US;L;1 '
u'<http://download.mackeeper.zeobit.com/package.php?'
u'key=460245286&trt=5&landpr=Speedtest>')
speedtest_short = (
u'http://mackeeperapp.zeobit.com/aff/speedtest.net.6/download.php?'
u'affid=4602452...')
self._TestGetMessageStrings(
event_object, speedtest_message, speedtest_short)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['application_usage.sqlite'])
event_generator = self._ParseDatabaseFileWithPlugin(self._plugin, test_file)
event_objects = self._GetEventObjects(event_generator)
# The sqlite database contains 5 events.
self.assertEquals(len(event_objects), 5)
# Check the first event.
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2014-05-07 18:52:02')
self.assertEquals(event_object.timestamp, expected_timestamp)
self.assertEquals(event_object.application, u'/Applications/Safari.app')
self.assertEquals(event_object.app_version, u'9537.75.14')
self.assertEquals(event_object.bundle_id, u'com.apple.Safari')
self.assertEquals(event_object.count, 1)
expected_msg = (
u'/Applications/Safari.app v.9537.75.14 '
u'(bundle: com.apple.Safari). '
u'Launched: 1 time(s)')
expected_msg_short = u'/Applications/Safari.app (1 time(s))'
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox History database file v 25."""
test_file = self._GetTestFilePath(['places_new.sqlite'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The places.sqlite file contains 84 events:
# 34 page visits.
# 28 bookmarks
# 14 bookmark folders
# 8 annotations
self.assertEquals(len(event_objects), 84)
counter = collections.Counter()
for event_object in event_objects:
counter[event_object.data_type] += 1
self.assertEquals(counter['firefox:places:bookmark'], 28)
self.assertEquals(counter['firefox:places:page_visited'], 34)
self.assertEquals(counter['firefox:places:bookmark_folder'], 14)
self.assertEquals(counter['firefox:places:bookmark_annotation'], 8)
random_event = event_objects[10]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-10-30 21:57:11.281942')
self.assertEquals(random_event.timestamp, expected_timestamp)
expected_short = u'URL: http://code.google.com/p/plaso'
expected_msg = (
u'http://code.google.com/p/plaso [count: 1] Host: code.google.com '
u'(URL not typed directly) Transition: TYPED')
self._TestGetMessageStrings(random_event, expected_msg, expected_short)
def testProcessVersion25(self):
"""Tests the Process function on a Firefox Downloads database file."""
test_file = self._GetTestFilePath(['downloads.sqlite'])
cache = sqlite.SQLiteCache()
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file, cache)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The downloads.sqlite file contains 2 events (1 download).
self.assertEquals(len(event_objects), 2)
# Check the first page visited event.
event_object = event_objects[0]
self.assertEquals(event_object.data_type, 'firefox:downloads:download')
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.START_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
u'2013-07-18 18:59:59.312000+00:00')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_url = (u'https://plaso.googlecode.com/files/'
u'plaso-static-1.0.1-win32-vs2008.zip')
self.assertEquals(event_object.url, expected_url)
expected_full_path = u'file:///D:/plaso-static-1.0.1-win32-vs2008.zip'
self.assertEquals(event_object.full_path, expected_full_path)
self.assertEquals(event_object.received_bytes, 15974599)
self.assertEquals(event_object.total_bytes, 15974599)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
key_path = self._plugin.REG_KEYS[0]
winreg_key = self._GetKeyFromFile(test_file, key_path)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 5)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-08-23 17:10:14.960960')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue = event_object.regvalue
self.assertEquals(regvalue.get('Share_Name'), r'\home\nfury')
expected_string = (
u'[{0:s}] Label: Home Drive Remote_Server: controller Share_Name: '
u'\\home\\nfury Type: Remote Drive Volume: '
u'##controller#home#nfury').format(key_path)
expected_string_short = u'{0:s}...'.format(expected_string[0:77])
self._TestGetMessageStrings(event_object, expected_string,
expected_string_short)
def testParseCache_002(self):
"""Test Firefox 28 cache file _CACHE_002_ parsing."""
test_file = self._GetTestFilePath(
['firefox_cache', 'firefox28', '_CACHE_002_'])
event_generator = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(58, len(event_objects))
self.assertEquals(
event_objects[2].url,
('HTTP:http://www.google-analytics.com/__utm.gif?utmwv=5.5.0&utms='
'1&utmn=1106893631&utmhn=www.dagbladet.no&utmcs=windows-1252&ut'
'msr=1920x1080&utmvp=1430x669&utmsc=24-bit&utmul=en-us&utmje=0&'
'utmfl=-&utmdt=Dagbladet.no%20-%20forsiden&utmhid=460894302&utm'
'r=-&utmp=%2F&utmht=1398089458997&utmac=UA-3072159-1&utmcc=__ut'
'ma%3D68537988.718312608.1398089459.1398089459.1398089459.1%3B%'
'2B__utmz%3D68537988.1398089459.1.1.utmcsr%3D(direct)%7Cutmccn'
'%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmu=qBQ~'))
self.assertEquals(
event_objects[1].timestamp,
timelib_test.CopyStringToTimestamp('2014-04-21 14:10:58'))
self.VerifyMajorMinor(event_objects)
def testProcess(self):
"""Test the Process function on an Android SMS mmssms.db file."""
test_file = self._GetTestFilePath(['mmssms.db'])
event_queue_consumer = self._ParseDatabaseFileWithPlugin(
self._plugin, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The SMS database file contains 9 events (5 SENT, 4 RECEIVED messages).
self.assertEquals(len(event_objects), 9)
# Check the first SMS sent.
event_object = event_objects[0]
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.CREATION_TIME)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-10-29 16:56:28.038')
self.assertEquals(event_object.timestamp, expected_timestamp)
expected_address = u'1 555-521-5554'
self.assertEquals(event_object.address, expected_address)
expected_body = u'Yo Fred this is my new number.'
self.assertEquals(event_object.body, expected_body)
expected_msg = (u'Type: SENT '
u'Address: 1 555-521-5554 '
u'Status: READ '
u'Message: Yo Fred this is my new number.')
expected_short = u'Yo Fred this is my new number.'
self._TestGetMessageStrings(event_object, expected_msg, expected_short)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths'
)
winreg_key = self._GetKeyFromFile(test_file, key_path)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2010-11-10 07:58:15.811625')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'url1'
expected_value = u'\\\\controller'
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = u'[{0:s}] {1:s}: {2:s}'.format(key_path,
regvalue_identifier,
expected_value)
expected_msg_short = u'[{0:s}] {1:s}: \\\\cont...'.format(
key_path, regvalue_identifier)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testParseWtmpFile(self):
"""Tests the Parse function for an WTMP file."""
test_file = self._GetTestFilePath(['wtmp.1'])
events = self._ParseFile(self._parser, test_file)
event_objects = self._GetEventObjects(events)
self.assertEqual(len(event_objects), 4)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-12-01 17:36:38.432935')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.user, u'userA')
self.assertEqual(event_object.computer_name, u'10.10.122.1')
self.assertEqual(event_object.terminal, u'pts/32')
self.assertEqual(event_object.status, u'USER_PROCESS')
self.assertEqual(event_object.ip_address, u'10.10.122.1')
self.assertEqual(event_object.exit, 0)
self.assertEqual(event_object.pid, 20060)
self.assertEqual(event_object.terminal_id, 842084211)
expected_msg = (u'User: userA '
u'Computer Name: 10.10.122.1 '
u'Terminal: pts/32 '
u'PID: 20060 '
u'Terminal_ID: 842084211 '
u'Status: USER_PROCESS '
u'IP Address: 10.10.122.1 '
u'Exit: 0')
expected_msg_short = (u'User: userA')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
key_path = u'\\Software\\Microsoft\\Office\\14.0\\Word\\File MRU'
winreg_key = self._GetKeyFromFile(test_file, key_path)
event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjects(event_generator)
self.assertEquals(len(event_objects), 5)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2012-03-13 18:27:15.083')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'Item 1'
expected_value = (
u'[F00000000][T01CD0146EA1EADB0][O00000000]*'
u'C:\\Users\\nfury\\Documents\\StarFury\\StarFury\\'
u'SA-23E Mitchell-Hyundyne Starfury.docx')
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = u'[{0:s}] {1:s}: {2:s}'.format(
key_path, regvalue_identifier, expected_value)
expected_msg_short = u'[{0:s}] {1:s}: [F00000000][T01CD0146...'.format(
key_path, regvalue_identifier)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
plist_name = u'user.plist'
test_file = self._GetTestFilePath([plist_name])
event_queue_consumer = self._ParsePlistFileWithPlugin(
self._parser, self._plugin, test_file, plist_name)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 1)
event_object = event_objects[0]
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2013-12-28 04:35:47')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.key, u'passwordLastSetTime')
self.assertEqual(event_object.root, u'/')
expected_desc = (
u'Last time user (501) changed the password: '******'$ml$37313$fa6cac1869263baa85cffc5e77a3d4ee164b7'
u'5536cae26ce8547108f60e3f554$a731dbb0e386b169af8'
u'9fbb33c255ceafc083c6bc5194853f72f11c550c42e4625'
u'ef113b66f3f8b51fc3cd39106bad5067db3f7f1491758ff'
u'e0d819a1b0aba20646fd61345d98c0c9a411bfd1144dd4b'
u'3c40ec0f148b66d5b9ab014449f9b2e103928ef21db6e25'
u'b536a60ff17a84e985be3aa7ba3a4c16b34e0d1d2066ae178')
self.assertEqual(event_object.desc, expected_desc)
expected_string = u'//passwordLastSetTime {}'.format(expected_desc)
expected_short = u'{}...'.format(expected_string[:77])
self._TestGetMessageStrings(
event_object, expected_string, expected_short)
