    def testParseImage(self):
        """Tests the Parse function on a storage media image.

        The $UsnJrnl test data is taken from the 'usnjrnl.qcow2' image, which
        is opened through an OS -> QCOW -> TSK partition path specification
        chain so the parser operates on the NTFS volume itself. Only the
        first of the 19 expected events is inspected in detail.
        """
        usn_parser = ntfs.NTFSUsnJrnlParser()

        image_path = self._GetTestFilePath(['usnjrnl.qcow2'])
        self._SkipIfPathNotExists(image_path)

        # Path specification chain: host file -> QCOW2 image -> partition
        # '/p1' (index 2) starting at byte offset 0x7e00.
        new_path_spec = path_spec_factory.Factory.NewPathSpec
        os_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
        qcow_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_spec)
        volume_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p1',
            part_index=2, start_offset=0x00007e00, parent=qcow_spec)

        # The parser is handed the volume rather than the journal file so
        # that sparse data ranges of the journal can be skipped.
        writer = self._ParseFileByPathSpec(volume_spec, usn_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 19)

        first_event = list(writer.GetEvents())[0]

        self.CheckTimestamp(first_event.timestamp, '2015-11-30 21:15:27.203125')
        self.assertEqual(
            first_event.timestamp_desc,
            definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION)

        first_event_data = self._GetEventDataOfEvent(writer, first_event)

        expected_message = (
            'Nieuw - Tekstdocument.txt '
            'File reference: 30-1 '
            'Parent file reference: 5-5 '
            'Update reason: USN_REASON_FILE_CREATE')
        expected_short_message = (
            'Nieuw - Tekstdocument.txt 30-1 USN_REASON_FILE_CREATE')

        self._TestGetMessageStrings(
            first_event_data, expected_message, expected_short_message)
  def testParseImage(self):
    """Tests the Parse function on a storage media image.

    The $UsnJrnl test data is taken from the 'usnjrnl.qcow2' image, opened
    through an OS -> QCOW -> TSK partition path specification chain so the
    parser operates on the NTFS volume itself. The test expects 19 events,
    no extraction or recovery warnings, and checks the values of the first
    event.
    """
    usn_parser = ntfs.NTFSUsnJrnlParser()

    image_path = self._GetTestFilePath(['usnjrnl.qcow2'])
    self._SkipIfPathNotExists(image_path)

    # Path specification chain: host file -> QCOW2 image -> partition
    # '/p1' (index 2) starting at byte offset 0x7e00.
    new_path_spec = path_spec_factory.Factory.NewPathSpec
    os_spec = new_path_spec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
    qcow_spec = new_path_spec(
        dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_spec)
    volume_spec = new_path_spec(
        dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p1',
        part_index=2, start_offset=0x00007e00, parent=qcow_spec)

    # The parser is handed the volume rather than the journal file so that
    # sparse data ranges of the journal can be skipped.
    writer = self._ParseFileByPathSpec(volume_spec, usn_parser)

    count_containers = writer.GetNumberOfAttributeContainers

    self.assertEqual(count_containers('event'), 19)
    self.assertEqual(count_containers('extraction_warning'), 0)
    self.assertEqual(count_containers('recovery_warning'), 0)

    first_event = list(writer.GetEvents())[0]

    # File references are 64-bit NTFS values: sequence number in the high
    # 16 bits, MFT entry number in the low 48 bits.
    expected_event_values = {
        'data_type': 'fs:ntfs:usn_change',
        'date_time': '2015-11-30 21:15:27.2031250',
        'filename': 'Nieuw - Tekstdocument.txt',
        'file_reference': 0x100000000001e,
        'parent_file_reference': 0x5000000000005,
        'timestamp_desc': definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION,
        'update_reason_flags': 0x00000100}

    self.CheckEventValues(writer, first_event, expected_event_values)
    def testParseImage(self):
        """Tests the Parse function on a storage media image.

        The $UsnJrnl test data is taken from the 'usnjrnl.qcow2' image,
        opened through an OS -> QCOW -> TSK partition path specification
        chain so the parser operates on the NTFS volume itself. The test
        expects 19 event objects and inspects the first one.
        """
        usn_parser = ntfs.NTFSUsnJrnlParser()

        image_path = self._GetTestFilePath([u'usnjrnl.qcow2'])

        # Path specification chain: host file -> QCOW2 image -> partition
        # '/p1' (index 2) starting at byte offset 0x7e00.
        new_path_spec = path_spec_factory.Factory.NewPathSpec
        os_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
        qcow_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_spec)
        volume_spec = new_path_spec(
            dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location=u'/p1',
            part_index=2, start_offset=0x00007e00, parent=qcow_spec)

        # The parser is handed the volume rather than the journal file so
        # that sparse data ranges of the journal can be skipped.
        queue_consumer = self._ParseFileByPathSpec(usn_parser, volume_spec)
        parsed_events = self._GetEventObjectsFromQueue(queue_consumer)

        self.assertEqual(len(parsed_events), 19)

        first_event = parsed_events[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2015-11-30 21:15:27.203125')
        self.assertEqual(
            first_event.timestamp_desc,
            eventdata.EventTimestamp.ENTRY_MODIFICATION_TIME)
        self.assertEqual(first_event.timestamp, expected_timestamp)

        expected_message = (
            u'Nieuw - Tekstdocument.txt '
            u'File reference: 30-1 '
            u'Parent file reference: 5-5 '
            u'Update reason: USN_REASON_FILE_CREATE')
        expected_short_message = (
            u'Nieuw - Tekstdocument.txt 30-1 USN_REASON_FILE_CREATE')

        self._TestGetMessageStrings(
            first_event, expected_message, expected_short_message)
 def setUp(self):
     """Creates a fresh $UsnJrnl parser before each individual test."""
     usn_parser = ntfs.NTFSUsnJrnlParser()
     self._parser = usn_parser