def testParseWithTimeZone(self): """Tests the Parse function with a time zone.""" parser = msiecf.MSIECFParser() storage_writer = self._ParseFile( ['MSHist012013031020130311-index.dat'], parser, timezone='Europe/Amsterdam') self.assertEqual(storage_writer.number_of_events, 83) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) # Test primary last visited time, in UTC, event. expected_event_values = { 'date_time': '2013-03-10 10:18:17.2810000', 'timestamp': '2013-03-10 10:18:17.281000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_VISITED, 'url': ':2013031020130311: -@:Host: libmsiecf.googlecode.com' } self.CheckEventValues(storage_writer, events[80], expected_event_values) # Test secondary last visited time, in local time, event. expected_event_values = { 'date_time': '2013-03-10 11:18:17.2810000', 'timestamp': '2013-03-10 10:18:17.281000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_VISITED, 'url': ':2013031020130311: -@:Host: libmsiecf.googlecode.com' } self.CheckEventValues(storage_writer, events[81], expected_event_values) # Test last checked time event. expected_event_values = { 'date_time': '2013-03-10 10:18:18', 'timestamp': '2013-03-10 10:18:18.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_CHECKED, 'url': ':2013031020130311: -@:Host: libmsiecf.googlecode.com' } self.CheckEventValues(storage_writer, events[82], expected_event_values)
def testParseLeakAndRedirect(self): """Tests the Parse function with leak and redirected records.""" parser = msiecf.MSIECFParser() storage_writer = self._ParseFile(['nfury_index.dat'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) # MSIE Cache File information: # Version : 5.2 # File size : 491520 bytes # Number of items : 1027 # Number of recovered items : 8 self.assertEqual(storage_writer.number_of_events, 2898) events = list(storage_writer.GetEvents()) event = events[3] event_data = self._GetEventDataOfEvent(storage_writer, event) # Test cached file path. self.assertEqual(event_data.data_type, 'msiecf:url') expected_message = ( 'Location: http://col.stc.s-msn.com/br/gbl/lg/csl/favicon.ico ' 'Number of hits: 1 ' 'Cached file: R6QWCVX4\\favicon[1].ico ' 'Cached file size: 4286 ' 'HTTP headers: HTTP/1.1 200 OK - ' 'Content-Type: image/x-icon - ' 'ETag: "0922651f38cb1:0", - ' 'X-Powered-By: ASP.NET - P3P: ' 'CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" - ' 'Content-Length: 4286 - ' ' - ~U:nfury - ') expected_short_message = ( 'Location: http://col.stc.s-msn.com/br/gbl/lg/csl/favicon.ico ' 'Cached file: R6Q...') self._TestGetMessageStrings(event_data, expected_message, expected_short_message) event = events[21] expected_url = ( 'http://ad.doubleclick.net/ad/N2724.Meebo/B5343067.13;sz=1x1;' 'pc=[TPAS_ID];ord=2642102') event = events[16] self.assertEqual(event.timestamp, 0) self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_NOT_A_TIME) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'msiecf:leak') self.assertEqual(event_data.cache_directory_index, 1) self.assertEqual(event_data.cache_directory_name, 'VUQHQA73') self.assertEqual(event_data.cached_file_size, 1966) self.assertEqual(event_data.cached_filename, 'ADSAdClient31[1].htm') self.assertEqual(event_data.recovered, False) expected_message = ('Cached file: VUQHQA73\\ADSAdClient31[1].htm ' 'Cached file size: 1966') expected_short_message = ( 'Cached file: VUQHQA73\\ADSAdClient31[1].htm') self._TestGetMessageStrings(event_data, expected_message, expected_short_message) event = events[21] self.assertEqual(event.timestamp, 0) self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_NOT_A_TIME) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'msiecf:redirected') expected_url = ( 'http://ad.doubleclick.net/ad/N2724.Meebo/B5343067.13;sz=1x1;' 'pc=[TPAS_ID];ord=2642102') self.assertEqual(event_data.url, expected_url) self.assertEqual(event_data.recovered, False) expected_message = 'Location: {0:s}'.format(expected_url) expected_short_message = ( 'Location: http://ad.doubleclick.net/ad/N2724.Meebo/B5343067.13;' 'sz=1x1;pc=[TPA...') self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testParse(self): """Tests the Parse function.""" parser = msiecf.MSIECFParser() storage_writer = self._ParseFile(['index.dat'], parser) # MSIE Cache File information: # Version : 5.2 # File size : 32768 bytes # Number of items : 7 # Number of recovered items : 11 self.assertEqual(storage_writer.number_of_warnings, 0) # 7 + 11 records, each with 4 records. self.assertEqual(storage_writer.number_of_events, (7 + 11) * 4) events = list(storage_writer.GetEvents()) # Record type : URL # Offset range : 21376 - 21632 (256) # Location : Visited: testing@http://www.trafficfusionx.com # /download/tfscrn2/funnycats.exe # Primary time : Jun 23, 2011 18:02:10.066000000 # Secondary time : Jun 23, 2011 18:02:10.066000000 # Expiration time : Jun 29, 2011 17:55:02 # Last checked time : Jun 23, 2011 18:02:12 # Cache directory index : -2 (0xfe) event = events[8] expected_url = ( 'Visited: testing@http://www.trafficfusionx.com/download/tfscrn2' '/funnycats.exe') event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'msiecf:url') self.assertEqual(event_data.offset, 21376) self.assertEqual(event_data.url, expected_url) self.assertEqual(event_data.cache_directory_index, -2) self.CheckTimestamp(event.timestamp, '2011-06-23 18:02:10.066000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_VISITED) event = events[9] self.CheckTimestamp(event.timestamp, '2011-06-23 18:02:10.066000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_VISITED) event = events[10] self.CheckTimestamp(event.timestamp, '2011-06-29 17:55:02.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_EXPIRATION) event = events[11] self.CheckTimestamp(event.timestamp, '2011-06-23 18:02:12.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_CHECKED) expected_message = ( 'Location: Visited: testing@http://www.trafficfusionx.com/download' '/tfscrn2/funnycats.exe ' 'Number of hits: 6 ' 'Cached file size: 0') expected_short_message = ( 'Location: Visited: testing@http://www.trafficfusionx.com/download' '/tfscrn2/fun...') self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testParseLeakAndRedirect(self): """Tests the Parse function with leak and redirected records.""" parser = msiecf.MSIECFParser() storage_writer = self._ParseFile(['nfury_index.dat'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) # MSIE Cache File information: # Version : 5.2 # File size : 491520 bytes # Number of items : 1027 # Number of recovered items : 8 self.assertEqual(storage_writer.number_of_events, 2898) events = list(storage_writer.GetEvents()) expected_event_values = { 'cache_directory_index': 0, 'cache_directory_name': 'R6QWCVX4', 'cached_file_size': 4286, 'cached_filename': 'favicon[1].ico', 'data_type': 'msiecf:url', 'http_headers': ('HTTP/1.1 200 OK\r\n' 'Content-Type: image/x-icon\r\n' 'ETag: "0922651f38cb1:0",\r\n' 'X-Powered-By: ASP.NET\r\n' 'P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"\r\n' 'Content-Length: 4286\r\n' '\r\n' '~U:nfury\r\n'), 'number_of_hits': 1, 'timestamp': '2010-11-10 07:54:32.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_CHECKED, 'url': 'http://col.stc.s-msn.com/br/gbl/lg/csl/favicon.ico' } self.CheckEventValues(storage_writer, events[3], expected_event_values) expected_event_values = { 'cache_directory_index': 1, 'cache_directory_name': 'VUQHQA73', 'cached_file_size': 1966, 'cached_filename': 'ADSAdClient31[1].htm', 'data_type': 'msiecf:leak', 'recovered': False, 'timestamp': 0, 'timestamp_desc': definitions.TIME_DESCRIPTION_NOT_A_TIME } self.CheckEventValues(storage_writer, events[16], expected_event_values) expected_event_values = { 'data_type': 'msiecf:redirected', 'recovered': False, 'timestamp': 0, 'timestamp_desc': definitions.TIME_DESCRIPTION_NOT_A_TIME, 'url': ('http://ad.doubleclick.net/ad/N2724.Meebo/B5343067.13;' 'sz=1x1;pc=[TPAS_ID];ord=2642102') } self.CheckEventValues(storage_writer, events[21], expected_event_values)
def testParse(self): """Tests the Parse function.""" parser = msiecf.MSIECFParser() storage_writer = self._ParseFile(['index.dat'], parser) # MSIE Cache File information: # Version : 5.2 # File size : 32768 bytes # Number of items : 7 # Number of recovered items : 11 self.assertEqual(storage_writer.number_of_warnings, 0) # 7 + 11 records, each with 4 records. self.assertEqual(storage_writer.number_of_events, (7 + 11) * 4) events = list(storage_writer.GetEvents()) # Record type : URL # Offset range : 21376 - 21632 (256) # Location : Visited: testing@http://www.trafficfusionx.com # /download/tfscrn2/funnycats.exe # Primary time : Jun 23, 2011 18:02:10.066000000 # Secondary time : Jun 23, 2011 18:02:10.066000000 # Expiration time : Jun 29, 2011 17:55:02 # Last checked time : Jun 23, 2011 18:02:12 # Cache directory index : -2 (0xfe) expected_event_values = { 'cache_directory_index': -2, 'cached_file_size': 0, 'data_type': 'msiecf:url', 'number_of_hits': 6, 'offset': 21376, 'timestamp': '2011-06-23 18:02:10.066000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_VISITED, 'url': ('Visited: testing@http://www.trafficfusionx.com/download/tfscrn2' '/funnycats.exe') } self.CheckEventValues(storage_writer, events[8], expected_event_values) expected_event_values = { 'data_type': 'msiecf:url', 'timestamp': '2011-06-23 18:02:10.066000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_VISITED } self.CheckEventValues(storage_writer, events[9], expected_event_values) expected_event_values = { 'data_type': 'msiecf:url', 'timestamp': '2011-06-29 17:55:02.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_EXPIRATION } self.CheckEventValues(storage_writer, events[10], expected_event_values) expected_event_values = { 'data_type': 'msiecf:url', 'timestamp': '2011-06-23 18:02:12.000000', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_CHECKED } self.CheckEventValues(storage_writer, events[11], expected_event_values)