예제 #1
    def testProcess(self):
        """Tests the Process function on a Windows Timeline SQLite database.

        Parses the ``windows_timeline_ActivitiesCache.db`` test fixture with
        the Windows Timeline plugin, then checks that the expected number of
        events was produced, that no extraction or recovery warnings were
        emitted, and that a sample of the generated events (two "user engaged"
        events and two "generic" application events) carries the expected
        attribute values.
        """
        plugin = windows_timeline.WindowsTimelinePlugin()
        storage_writer = self._ParseDatabaseFileWithPlugin(
            ['windows_timeline_ActivitiesCache.db'], plugin)

        # A clean parse of the fixture yields 112 events and no warnings of
        # either kind; a non-zero warning count would indicate the plugin
        # failed to interpret part of the database.
        expected_container_counts = (
            ('event', 112),
            ('extraction_warning', 0),
            ('recovery_warning', 0))
        for container_type, expected_count in expected_container_counts:
            actual_count = storage_writer.GetNumberOfAttributeContainers(
                container_type)
            self.assertEqual(actual_count, expected_count)

        events = list(storage_writer.GetEvents())

        python34_identifier = 'c:\\python34\\python.exe'
        python37_identifier = (
            'c:\\users\\demouser\\appdata\\local\\programs\\python\\'
            'python37-32\\python.exe')
        notepad_identifier = (
            '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe')

        # (event index, expected attribute values) pairs, checked in order.
        expected_events = (
            (0, {
                'active_duration_seconds': 9,
                'data_type': 'windows:timeline:user_engaged',
                'date_time': '2018-08-03 11:29:00',
                'package_identifier': python34_identifier,
                'reporting_app': 'ShellActivityMonitor',
                'timestamp_desc': definitions.TIME_DESCRIPTION_START}),
            (2, {
                'active_duration_seconds': 11,
                'data_type': 'windows:timeline:user_engaged',
                'date_time': '2018-07-27 11:58:55',
                'package_identifier': python37_identifier,
                'reporting_app': 'ShellActivityMonitor',
                'timestamp_desc': definitions.TIME_DESCRIPTION_START}),
            (80, {
                'application_display_name': 'OneDrive',
                'data_type': 'windows:timeline:generic',
                'date_time': '2018-07-25 12:04:48',
                'description': '',
                'package_identifier': 'Microsoft.SkyDrive.Desktop',
                'timestamp_desc': definitions.TIME_DESCRIPTION_START}),
            (96, {
                'application_display_name': 'Notepad',
                'data_type': 'windows:timeline:generic',
                'date_time': '2018-07-27 12:36:09',
                'description': 'C:\\Users\\demouser\\Desktop\\SCHEMA.txt',
                'package_identifier': notepad_identifier,
                'timestamp_desc': definitions.TIME_DESCRIPTION_START}))

        for event_index, expected_event_values in expected_events:
            self.CheckEventValues(
                storage_writer, events[event_index], expected_event_values)
예제 #2
  def testProcess(self):
    """Tests the Process function on a Windows Timeline SQLite database.

    Parses the ``windows_timeline_ActivitiesCache.db`` test fixture with the
    Windows Timeline plugin and checks the total event count, the attribute
    values of a sample of events (two "user engaged" events and two "generic"
    application events) and the long and short message strings formatted for
    each sampled event.
    """

    plugin = windows_timeline.WindowsTimelinePlugin()
    storage_writer = self._ParseDatabaseFileWithPlugin(
        ['windows_timeline_ActivitiesCache.db'], plugin)

    # The fixture is expected to produce exactly 112 events.
    self.assertEqual(112, storage_writer.number_of_events)

    events = list(storage_writer.GetEvents())

    python34_identifier = 'c:\\python34\\python.exe'
    python37_identifier = (
        'c:\\users\\demouser\\appdata\\local\\programs\\python\\'
        'python37-32\\python.exe')
    notepad_identifier = (
        '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe')

    # Each entry: (event index, expected attribute values, expected long
    # message, expected short message). Entries are checked in order.
    expected_events = (
        (0,
         {'active_duration_seconds': 9,
          'data_type': 'windows:timeline:user_engaged',
          'package_identifier': python34_identifier,
          'reporting_app': 'ShellActivityMonitor',
          'timestamp': '2018-08-03 11:29:00.000000',
          'timestamp_desc': definitions.TIME_DESCRIPTION_START},
         ('Package Identifier: c:\\python34\\python.exe '
          'Active Duration (seconds): 9 Reporting App: ShellActivityMonitor'),
         'c:\\python34\\python.exe'),
        (2,
         {'active_duration_seconds': 11,
          'data_type': 'windows:timeline:user_engaged',
          'package_identifier': python37_identifier,
          'reporting_app': 'ShellActivityMonitor',
          'timestamp': '2018-07-27 11:58:55.000000',
          'timestamp_desc': definitions.TIME_DESCRIPTION_START},
         ('Package Identifier: c:\\users\\demouser\\appdata'
          '\\local\\programs\\python\\python37-32\\python.exe Active Duration ('
          'seconds): 11 Reporting App: ShellActivityMonitor'),
         ('c:\\users\\demouser\\appdata\\local\\programs\\'
          'python\\python37-32\\python.exe')),
        (80,
         {'application_display_name': 'OneDrive',
          'data_type': 'windows:timeline:generic',
          'description': '',
          'package_identifier': 'Microsoft.SkyDrive.Desktop',
          'timestamp': '2018-07-25 12:04:48.000000',
          'timestamp_desc': definitions.TIME_DESCRIPTION_START},
         ('Application Display Name: OneDrive Package '
          'Identifier: Microsoft.SkyDrive.Desktop'),
         'Microsoft.SkyDrive.Desktop'),
        (96,
         {'application_display_name': 'Notepad',
          'data_type': 'windows:timeline:generic',
          'description': 'C:\\Users\\demouser\\Desktop\\SCHEMA.txt',
          'package_identifier': notepad_identifier,
          'timestamp': '2018-07-27 12:36:09.000000',
          'timestamp_desc': definitions.TIME_DESCRIPTION_START},
         ('Application Display Name: Notepad Package Identifier: '
          '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe Description:'
          ' C:\\Users\\demouser\\Desktop\\SCHEMA.txt'),
         '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe'))

    for (event_index, expected_event_values, expected_message,
         expected_short_message) in expected_events:
      event = events[event_index]
      self.CheckEventValues(storage_writer, event, expected_event_values)

      # The message strings are derived from the event data, not the event
      # itself, so look the data up before checking the formatter output.
      event_data = self._GetEventDataOfEvent(storage_writer, event)
      self._TestGetMessageStrings(
          event_data, expected_message, expected_short_message)
예제 #3
    def testProcess(self):
        """Tests the Process function on a Windows Timeline db.

        Parses the ``windows_timeline_ActivitiesCache.db`` test fixture with
        the Windows Timeline plugin and checks the total event count, then for
        a sample of events (two "user engaged" events and two "generic"
        application events) the timestamp, the timestamp description, the
        event data attributes and the formatted long and short messages.
        """

        plugin = windows_timeline.WindowsTimelinePlugin()
        storage_writer = self._ParseDatabaseFileWithPlugin(
            ['windows_timeline_ActivitiesCache.db'], plugin)

        # The fixture is expected to produce exactly 112 events.
        self.assertEqual(112, storage_writer.number_of_events)

        events = list(storage_writer.GetEvents())

        python37_identifier = (
            'c:\\users\\demouser\\appdata\\local\\programs\\python\\python37-32\\'
            'python.exe')

        # Each entry: (event index, expected timestamp string, expected event
        # data attributes in the order they are asserted, expected long
        # message, expected short message). Entries are checked in order.
        expected_events = (
            (0,
             '2018-08-03 11:29:00.000000',
             {'data_type': 'windows:timeline:user_engaged',
              'active_duration_seconds': 9,
              'reporting_app': 'ShellActivityMonitor',
              'package_identifier': 'c:\\python34\\python.exe'},
             ('Package Identifier: c:\\python34\\python.exe '
              'Active Duration (seconds): 9 Reporting App: ShellActivityMonitor'),
             'c:\\python34\\python.exe'),
            (2,
             '2018-07-27 11:58:55.000000',
             {'data_type': 'windows:timeline:user_engaged',
              'active_duration_seconds': 11,
              'reporting_app': 'ShellActivityMonitor',
              'package_identifier': python37_identifier},
             ('Package Identifier: c:\\users\\demouser\\appdata'
              '\\local\\programs\\python\\python37-32\\python.exe Active Duration ('
              'seconds): 11 Reporting App: ShellActivityMonitor'),
             ('c:\\users\\demouser\\appdata\\local\\programs\\'
              'python\\python37-32\\python.exe')),
            (80,
             '2018-07-25 12:04:48.000000',
             {'data_type': 'windows:timeline:generic',
              'package_identifier': 'Microsoft.SkyDrive.Desktop',
              'description': '',
              'application_display_name': 'OneDrive'},
             ('Application Display Name: OneDrive Package '
              'Identifier: Microsoft.SkyDrive.Desktop'),
             'Microsoft.SkyDrive.Desktop'),
            (96,
             '2018-07-27 12:36:09.000000',
             {'data_type': 'windows:timeline:generic',
              'package_identifier':
                  '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe',
              'description': 'C:\\Users\\demouser\\Desktop\\SCHEMA.txt',
              'application_display_name': 'Notepad'},
             ('Application Display Name: Notepad Package Identifier: '
              '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe Description:'
              ' C:\\Users\\demouser\\Desktop\\SCHEMA.txt'),
             '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe'))

        for (event_index, expected_timestamp, expected_attributes,
             expected_long_message, expected_short_message) in expected_events:
            event = events[event_index]

            # Every sampled event is a start time.
            self.CheckTimestamp(event.timestamp, expected_timestamp)
            self.assertEqual(definitions.TIME_DESCRIPTION_START,
                             event.timestamp_desc)

            event_data = self._GetEventDataOfEvent(storage_writer, event)
            for attribute_name, expected_value in expected_attributes.items():
                self.assertEqual(
                    getattr(event_data, attribute_name), expected_value)

            self._TestGetMessageStrings(event, expected_long_message,
                                        expected_short_message)