def testParseV2(self):
  """Tests the Parse function on a version 2 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. The parse must produce no
  warnings and six events, and the third event is compared against the
  expected values.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 6)

  extracted_events = list(storage_writer.GetEvents())

  # The expected timestamp is taken from the modification time of the
  # (uncompressed-layer) OS file entry.
  # NOTE(review): the value is read from the test file on disk at run time,
  # so this confirms the parser reports that time rather than pinning a
  # fixed value.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
  modification_timestamp = file_entry.modification_time.GetPlasoTimestamp()

  expected_event_values = {
      'data_type': 'macos:fseventsd:record',
      'event_identifier': 1706838,
      'flags': 0x01000008,
      'path': 'Hi, Sierra',
      'timestamp': modification_timestamp}

  third_event = extracted_events[2]
  self.CheckEventValues(storage_writer, third_event, expected_event_values)
def testParseV2(self):
  """Tests the Parse function on a version 2 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. Six events are expected; the
  third one is checked attribute by attribute and through its formatted
  message strings.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  self.assertEqual(storage_writer.number_of_events, 6)

  third_event = list(storage_writer.GetEvents())[2]

  self.assertEqual(third_event.path, 'Hi, Sierra')
  self.assertEqual(third_event.event_identifier, 1706838)
  self.assertEqual(third_event.flags, 0x8000001)

  # The event timestamp is compared with the modification time of the OS
  # file entry.
  # NOTE(review): that time is read from the test file on disk at run time,
  # so no fixed timestamp is pinned here.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
  modification_timestamp = file_entry.modification_time.GetPlasoTimestamp()
  self.assertEqual(third_event.timestamp, modification_timestamp)

  expected_short_message = 'Hi, Sierra IsDirectory, Renamed'
  expected_message = (
      'Hi, Sierra '
      'Flag Values: IsDirectory, Renamed '
      'Flags: 0x8000001 '
      'Event Identifier: 1706838')

  self._TestGetMessageStrings(
      third_event, expected_message, expected_short_message)
def testParseV1(self):
  """Tests the Parse function on a version 1 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. Twelve events are expected;
  the fourth one is checked attribute by attribute and through its
  formatted message strings.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  self.assertEqual(storage_writer.number_of_events, 12)

  fourth_event = list(storage_writer.GetEvents())[3]

  self.assertEqual(fourth_event.path, '.Spotlight-V100/Store-V1')
  self.assertEqual(fourth_event.event_identifier, 47747061)
  self.assertEqual(fourth_event.flags, 0x80000001)

  # The event timestamp is compared with the modification time of the OS
  # file entry.
  # NOTE(review): that time is read from the test file on disk at run time,
  # so no fixed timestamp is pinned here.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
  modification_timestamp = file_entry.modification_time.GetPlasoTimestamp()
  self.assertEqual(fourth_event.timestamp, modification_timestamp)

  expected_short_message = (
      '.Spotlight-V100/Store-V1 '
      'IsDirectory, DirectoryCreated')
  expected_message = (
      '.Spotlight-V100/Store-V1 '
      'Flag Values: IsDirectory, DirectoryCreated '
      'Flags: 0x80000001 '
      'Event Identifier: 47747061')

  self._TestGetMessageStrings(
      fourth_event, expected_message, expected_short_message)
def testParseV1(self):
  """Tests the Parse function on a version 1 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. The parse must produce twelve
  events and neither extraction nor recovery warnings; the fourth event is
  compared against the expected values.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  self.assertEqual(storage_writer.number_of_events, 12)
  self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
  self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

  extracted_events = list(storage_writer.GetEvents())

  # The expected date and time are taken from the modification time of the
  # OS file entry.
  # NOTE(review): that value is read from the test file on disk at run time,
  # so this confirms the parser reports that time rather than pinning a
  # fixed value.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)

  expected_event_values = {
      'data_type': 'macos:fseventsd:record',
      'date_time': file_entry.modification_time,
      'event_identifier': 47747061,
      'flags': 0x01000080,
      'path': '.Spotlight-V100/Store-V1'}

  fourth_event = extracted_events[3]
  self.CheckEventValues(storage_writer, fourth_event, expected_event_values)
def testParseV1(self):
  """Tests the Parse function on a version 1 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. The parse must produce no
  warnings and twelve events; the fourth event is compared against the
  expected values and its event data against the expected message strings.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-0000000002d89b58'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 12)

  extracted_events = list(storage_writer.GetEvents())

  # The expected timestamp is taken from the modification time of the OS
  # file entry.
  # NOTE(review): that value is read from the test file on disk at run time,
  # so this confirms the parser reports that time rather than pinning a
  # fixed value.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)
  modification_timestamp = file_entry.modification_time.GetPlasoTimestamp()

  expected_event_values = {
      'event_identifier': 47747061,
      'flags': 0x01000080,
      'path': '.Spotlight-V100/Store-V1',
      'timestamp': modification_timestamp}

  self.CheckEventValues(
      storage_writer, extracted_events[3], expected_event_values)

  expected_message = (
      '.Spotlight-V100/Store-V1 '
      'Flag Values: DirectoryCreated, IsDirectory '
      'Flags: 0x01000080 '
      'Event Identifier: 47747061')
  expected_short_message = (
      '.Spotlight-V100/Store-V1 '
      'DirectoryCreated, IsDirectory')

  # The message strings are checked on the event data of the same event.
  fourth_event_data = self._GetEventDataOfEvent(
      storage_writer, extracted_events[3])
  self._TestGetMessageStrings(
      fourth_event_data, expected_message, expected_short_message)
def testParseV2(self):
  """Tests the Parse function on a version 2 file.

  The test file is opened through a gzip path specification layered on top
  of its operating system path specification. The storage writer must hold
  six 'event' containers and no 'extraction_warning' or 'recovery_warning'
  containers; the third event is compared against the expected values.
  """
  fsevents_parser = fseventsd.FseventsdParser()
  test_file_path = self._GetTestFilePath(['fsevents-00000000001a0b79'])

  file_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
  compressed_path_spec = path_spec_factory.Factory.NewPathSpec(
      dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=file_path_spec)

  storage_writer = self._ParseFileByPathSpec(
      compressed_path_spec, fsevents_parser)

  event_count = storage_writer.GetNumberOfAttributeContainers('event')
  self.assertEqual(event_count, 6)

  # Both warning container types are checked in the same order as before:
  # extraction warnings first, then recovery warnings.
  for warning_type in ('extraction_warning', 'recovery_warning'):
    warning_count = storage_writer.GetNumberOfAttributeContainers(
        warning_type)
    self.assertEqual(warning_count, 0)

  extracted_events = list(storage_writer.GetEvents())

  # The expected date and time are taken from the modification time of the
  # OS file entry.
  # NOTE(review): that value is read from the test file on disk at run time,
  # so this confirms the parser reports that time rather than pinning a
  # fixed value.
  file_entry = path_spec_resolver.Resolver.OpenFileEntry(file_path_spec)

  expected_event_values = {
      'data_type': 'macos:fseventsd:record',
      'date_time': file_entry.modification_time,
      'event_identifier': 1706838,
      'flags': 0x01000008,
      'path': 'Hi, Sierra'}

  third_event = extracted_events[2]
  self.CheckEventValues(storage_writer, third_event, expected_event_values)