def test_open_close(self):
"""Tests the open and close functions."""
if not unittest.source:
return
scca_file = pyscca.file()
# Test open and close.
scca_file.open(unittest.source)
scca_file.close()
# Test open and close a second time to validate clean up on close.
scca_file.open(unittest.source)
scca_file.close()
file_object = open(unittest.source, "rb")
# Test open_file_object and close.
scca_file.open_file_object(file_object)
scca_file.close()
# Test open_file_object and close a second time to validate clean up on close.
scca_file.open_file_object(file_object)
scca_file.close()
# Test open_file_object and close and dereferencing file_object.
scca_file.open_file_object(file_object)
del file_object
scca_file.close()
def prefetch_extractor(prefetch_path, start_date, end_date):
output = ""
for _, _, files in os.walk(prefetch_path):
for file in files:
if file.endswith(".pf"):
pfFile = pyscca.file()
pfFile.open(prefetch_path + "/" + file)
if(pfFile.get_last_run_time(0) >= start_date and pfFile.get_last_run_time(0) <= end_date):
output += "===================\n"
output += str(pfFile.executable_filename) + "-" + hex(pfFile.prefetch_hash).lstrip("0x").rstrip("L").upper() + ".pf\n"
output += "===================\n"
output += "\nExecutable Name: " + str(pfFile.executable_filename) + "\n\n"
output += "Run count: " + str(pfFile.run_count) + "\n\n"
output += "Last executed: " + str(pfFile.get_last_run_time(0)) + "\n"
if pfFile.format_version >= 26:
for i in range(2,8):
if str(pfFile.get_last_run_time(i))[0:4] != "1601":
output += " " + str(pfFile.get_last_run_time(i)) + "\n"
output += "\nVolumes Information:"
for i in pfFile.volumes:
output += "\n Name: " + str(i.device_path)[1:]
output += "\n Creation Date: " + str(i.creation_time)
output += "\n Serial Number: " + hex(i.serial_number).lstrip("0x").rstrip("L")
output += "\n"
output += "\nResources Loaded:\n"
cont = 0
for i in pfFile.filenames:
cont += 1
output += str(cont) + ": " + i + "\n"
output += "\n\n\n"
pfFile.close()
write_it(output, "prefetch_output.txt")
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
if not os.path.isfile(unittest.source):
raise unittest.SkipTest("source not a regular file")
scca_file = pyscca.file()
with open(unittest.source, "rb") as file_object:
scca_file.open_file_object(file_object)
with self.assertRaises(IOError):
scca_file.open_file_object(file_object)
scca_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
scca_file.open_file_object(None)
with self.assertRaises(ValueError):
scca_file.open_file_object(file_object, mode="w")
def test_open_close(self):
"""Tests the open and close functions."""
if not unittest.source:
return
scca_file = pyscca.file()
# Test open and close.
scca_file.open(unittest.source)
scca_file.close()
# Test open and close a second time to validate clean up on close.
scca_file.open(unittest.source)
scca_file.close()
file_object = open(unittest.source, "rb")
# Test open_file_object and close.
scca_file.open_file_object(file_object)
scca_file.close()
# Test open_file_object and close a second time to validate clean up on close.
scca_file.open_file_object(file_object)
scca_file.close()
# Test open_file_object and close and dereferencing file_object.
scca_file.open_file_object(file_object)
del file_object
scca_file.close()
def test_close(self):
"""Tests the close function."""
if not unittest.source:
return
scca_file = pyscca.file()
with self.assertRaises(IOError):
scca_file.close()
def test_close(self):
"""Tests the close function."""
if not unittest.source:
return
scca_file = pyscca.file()
with self.assertRaises(IOError):
scca_file.close()
def test_close(self):
"""Tests the close function."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
with self.assertRaises(IOError):
scca_file.close()
def test_get_prefetch_hash(self):
"""Tests the get_prefetch_hash function and prefetch_hash property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
scca_file.open(unittest.source)
prefetch_hash = scca_file.get_prefetch_hash()
self.assertIsNotNone(prefetch_hash)
self.assertIsNotNone(scca_file.prefetch_hash)
scca_file.close()
def test_get_executable_filename(self):
"""Tests the get_executable_filename function and executable_filename property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
scca_file.open(unittest.source)
executable_filename = scca_file.get_executable_filename()
self.assertIsNotNone(executable_filename)
self.assertIsNotNone(scca_file.executable_filename)
scca_file.close()
def test_get_number_of_volumes(self):
"""Tests the get_number_of_volumes function and number_of_volumes property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
scca_file.open(unittest.source)
number_of_volumes = scca_file.get_number_of_volumes()
self.assertIsNotNone(number_of_volumes)
self.assertIsNotNone(scca_file.number_of_volumes)
scca_file.close()
def test_get_run_count(self):
"""Tests the get_run_count function and run_count property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
scca_file.open(unittest.source)
run_count = scca_file.get_run_count()
self.assertIsNotNone(run_count)
self.assertIsNotNone(scca_file.run_count)
scca_file.close()
def test_get_format_version(self):
"""Tests the get_format_version function and format_version property."""
if not unittest.source:
raise unittest.SkipTest("missing source")
scca_file = pyscca.file()
scca_file.open(unittest.source)
format_version = scca_file.get_format_version()
self.assertIsNotNone(format_version)
self.assertIsNotNone(scca_file.format_version)
scca_file.close()
def test_open(self):
"""Tests the open function."""
if not unittest.source:
return
scca_file = pyscca.file()
scca_file.open(unittest.source)
with self.assertRaises(IOError):
scca_file.open(unittest.source)
scca_file.close()
with self.assertRaises(TypeError):
scca_file.open(None)
with self.assertRaises(ValueError):
scca_file.open(unittest.source, mode="w")
def test_open(self):
"""Tests the open function."""
if not unittest.source:
return
scca_file = pyscca.file()
scca_file.open(unittest.source)
with self.assertRaises(IOError):
scca_file.open(unittest.source)
scca_file.close()
with self.assertRaises(TypeError):
scca_file.open(None)
with self.assertRaises(ValueError):
scca_file.open(unittest.source, mode="w")
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
return
file_object = open(unittest.source, "rb")
scca_file = pyscca.file()
scca_file.open_file_object(file_object)
with self.assertRaises(IOError):
scca_file.open_file_object(file_object)
scca_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
scca_file.open_file_object(None)
with self.assertRaises(ValueError):
scca_file.open_file_object(file_object, mode="w")
def test_open_file_object(self):
"""Tests the open_file_object function."""
if not unittest.source:
return
file_object = open(unittest.source, "rb")
scca_file = pyscca.file()
scca_file.open_file_object(file_object)
with self.assertRaises(IOError):
scca_file.open_file_object(file_object)
scca_file.close()
# TODO: change IOError into TypeError
with self.assertRaises(IOError):
scca_file.open_file_object(None)
with self.assertRaises(ValueError):
scca_file.open_file_object(file_object, mode="w")
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Prefetch file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
scca_file = pyscca.file()
try:
scca_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open file with error: {0!s}'.format(exception))
return
try:
self._ParseSCCAFile(parser_mediator, scca_file)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to parse file with error: {0!s}'.format(exception))
finally:
scca_file.close()
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Prefetch file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
scca_file = pyscca.file()
try:
scca_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
'unable to open file with error: {0!s}'.format(exception))
return
format_version = scca_file.format_version
executable_filename = scca_file.executable_filename
prefetch_hash = scca_file.prefetch_hash
run_count = scca_file.run_count
number_of_volumes = scca_file.number_of_volumes
volume_serial_numbers = []
volume_device_paths = []
path = ''
for volume_information in iter(scca_file.volumes):
volume_serial_number = volume_information.serial_number
volume_device_path = volume_information.device_path
volume_serial_numbers.append(volume_serial_number)
volume_device_paths.append(volume_device_path)
timestamp = volume_information.get_creation_time_as_integer()
if timestamp:
event_data = windows_events.WindowsVolumeEventData()
event_data.device_path = volume_device_path
event_data.origin = parser_mediator.GetFilename()
event_data.serial_number = volume_serial_number
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_CREATION)
parser_mediator.ProduceEventWithEventData(event, event_data)
for filename in iter(scca_file.filenames):
if not filename:
continue
if (filename.startswith(volume_device_path) and
filename.endswith(executable_filename)):
_, _, path = filename.partition(volume_device_path)
mapped_files = []
for entry_index, file_metrics in enumerate(scca_file.file_metrics_entries):
mapped_file_string = file_metrics.filename
if not mapped_file_string:
parser_mediator.ProduceExtractionError(
'missing filename for file metrics entry: {0:d}'.format(
entry_index))
continue
file_reference = file_metrics.file_reference
if file_reference:
mapped_file_string = (
'{0:s} [MFT entry: {1:d}, sequence: {2:d}]').format(
mapped_file_string, file_reference & 0xffffffffffff,
file_reference >> 48)
mapped_files.append(mapped_file_string)
event_data = WinPrefetchExecutionEventData()
event_data.executable = executable_filename
event_data.mapped_files = mapped_files
event_data.number_of_volumes = number_of_volumes
event_data.path = path
event_data.prefetch_hash = prefetch_hash
event_data.run_count = run_count
event_data.version = format_version
event_data.volume_device_paths = volume_device_paths
event_data.volume_serial_numbers = volume_serial_numbers
timestamp = scca_file.get_last_run_time_as_integer(0)
if not timestamp:
parser_mediator.ProduceExtractionError('missing last run time')
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
else:
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_RUN)
parser_mediator.ProduceEventWithEventData(event, event_data)
# Check for the 7 older last run time values available since
# format version 26.
if format_version >= 26:
for last_run_time_index in range(1, 8):
timestamp = scca_file.get_last_run_time_as_integer(last_run_time_index)
if not timestamp:
continue
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
date_time_description = 'Previous {0:s}'.format(
definitions.TIME_DESCRIPTION_LAST_RUN)
event = time_events.DateTimeValuesEvent(
date_time, date_time_description)
parser_mediator.ProduceEventWithEventData(event, event_data)
scca_file.close()
def test_signal_abort(self):
"""Tests the signal_abort function."""
scca_file = pyscca.file()
scca_file.signal_abort()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows Prefetch file-like object.
Args:
parser_mediator (ParserMediator): parser mediator.
file_object (dfvfs.FileIO): file-like object to be parsed.
"""
scca_file = pyscca.file()
try:
scca_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
u'unable to open file with error: {0:s}'.format(exception))
return
format_version = scca_file.format_version
executable_filename = scca_file.executable_filename
prefetch_hash = scca_file.prefetch_hash
run_count = scca_file.run_count
number_of_volumes = scca_file.number_of_volumes
volume_serial_numbers = []
volume_device_paths = []
path = u''
for volume_information in iter(scca_file.volumes):
volume_serial_number = volume_information.serial_number
volume_device_path = volume_information.device_path
volume_serial_numbers.append(volume_serial_number)
volume_device_paths.append(volume_device_path)
timestamp = volume_information.get_creation_time_as_integer()
if timestamp:
event_object = windows_events.WindowsVolumeCreationEvent(
timestamp, volume_device_path, volume_serial_number,
parser_mediator.GetFilename())
parser_mediator.ProduceEvent(event_object)
for filename in iter(scca_file.filenames):
if not filename:
continue
if (filename.startswith(volume_device_path) and
filename.endswith(executable_filename)):
_, _, path = filename.partition(volume_device_path)
mapped_files = []
for entry_index, file_metrics in enumerate(scca_file.file_metrics_entries):
mapped_file_string = file_metrics.filename
if not mapped_file_string:
parser_mediator.ProduceExtractionError(
u'missing filename for file metrics entry: {0:d}'.format(
entry_index))
continue
file_reference = file_metrics.file_reference
if file_reference:
mapped_file_string = (
u'{0:s} [MFT entry: {1:d}, sequence: {2:d}]').format(
mapped_file_string, file_reference & 0xffffffffffffL,
file_reference >> 48)
mapped_files.append(mapped_file_string)
timestamp = scca_file.get_last_run_time_as_integer(0)
if not timestamp:
parser_mediator.ProduceExtractionError(u'missing last run time')
timestamp = timelib.Timestamp.NONE_TIMESTAMP
event_object = WinPrefetchExecutionEvent(
timestamp, eventdata.EventTimestamp.LAST_RUNTIME, format_version,
executable_filename, prefetch_hash, run_count, mapped_files, path,
number_of_volumes, volume_serial_numbers, volume_device_paths)
parser_mediator.ProduceEvent(event_object)
# Check for the 7 older last run time values available since
# format version 26.
if format_version >= 26:
for last_run_time_index in range(1, 8):
timestamp = scca_file.get_last_run_time_as_integer(last_run_time_index)
if not timestamp:
continue
timestamp_description = u'Previous {0:s}'.format(
eventdata.EventTimestamp.LAST_RUNTIME)
event_object = WinPrefetchExecutionEvent(
timestamp, timestamp_description, format_version,
executable_filename, prefetch_hash, run_count, mapped_files, path,
number_of_volumes, volume_serial_numbers, volume_device_paths)
parser_mediator.ProduceEvent(event_object)
scca_file.close()
def ParseFileObject(self, parser_mediator, file_object, **kwargs):
"""Parses a Windows Prefetch file-like object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
file_object: A file-like object.
Raises:
UnableToParseFile: when the file cannot be parsed.
"""
scca_file = pyscca.file()
try:
scca_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceParseError(
u'unable to open file with error: {0:s}'.format(exception))
return
format_version = scca_file.format_version
executable_filename = scca_file.executable_filename
prefetch_hash = scca_file.prefetch_hash
run_count = scca_file.run_count
number_of_volumes = scca_file.number_of_volumes
volume_serial_numbers = []
volume_device_paths = []
path = u''
for volume_information in iter(scca_file.volumes):
volume_serial_number = volume_information.serial_number
volume_device_path = volume_information.device_path
volume_serial_numbers.append(volume_serial_number)
volume_device_paths.append(volume_device_path)
timestamp = volume_information.get_creation_time_as_integer()
if timestamp:
event_object = windows_events.WindowsVolumeCreationEvent(
timestamp, volume_device_path, volume_serial_number,
parser_mediator.GetFilename())
parser_mediator.ProduceEvent(event_object)
for filename in iter(scca_file.filenames):
if not filename:
continue
if (filename.startswith(volume_device_path) and
filename.endswith(executable_filename)):
_, _, path = filename.partition(volume_device_path)
mapped_files = []
for entry_index, file_metrics in enumerate(scca_file.file_metrics_entries):
mapped_file_string = file_metrics.filename
if not mapped_file_string:
parser_mediator.ProduceParseError(
u'missing filename for file metrics entry: {0:d}'.format(
entry_index))
continue
file_reference = file_metrics.file_reference
if file_reference:
mapped_file_string = (
u'{0:s} [MFT entry: {1:d}, sequence: {2:d}]').format(
mapped_file_string, file_reference & 0xffffffffffffL,
file_reference >> 48)
mapped_files.append(mapped_file_string)
timestamp = scca_file.get_last_run_time_as_integer(0)
if not timestamp:
parser_mediator.ProduceParseError(u'missing last run time')
timestamp = timelib.Timestamp.NONE_TIMESTAMP
event_object = WinPrefetchExecutionEvent(
timestamp, eventdata.EventTimestamp.LAST_RUNTIME, format_version,
executable_filename, prefetch_hash, run_count, mapped_files, path,
number_of_volumes, volume_serial_numbers, volume_device_paths)
parser_mediator.ProduceEvent(event_object)
# Check for the 7 older last run time values available since
# format version 26.
if format_version >= 26:
for last_run_time_index in range(1, 8):
timestamp = scca_file.get_last_run_time_as_integer(last_run_time_index)
if not timestamp:
continue
timestamp_description = u'Previous {0:s}'.format(
eventdata.EventTimestamp.LAST_RUNTIME)
event_object = WinPrefetchExecutionEvent(
timestamp, timestamp_description, format_version,
executable_filename, prefetch_hash, run_count, mapped_files, path,
number_of_volumes, volume_serial_numbers, volume_device_paths)
parser_mediator.ProduceEvent(event_object)
scca_file.close()
def test_signal_abort(self):
"""Tests the signal_abort function."""
scca_file = pyscca.file()
scca_file.signal_abort()
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Prefetch file-like object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
file_object (dfvfs.FileIO): file-like object.
"""
scca_file = pyscca.file()
try:
scca_file.open_file_object(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionError(
'unable to open file with error: {0!s}'.format(exception))
return
format_version = scca_file.format_version
executable_filename = scca_file.executable_filename
prefetch_hash = scca_file.prefetch_hash
run_count = scca_file.run_count
number_of_volumes = scca_file.number_of_volumes
volume_serial_numbers = []
volume_device_paths = []
path = ''
for volume_information in iter(scca_file.volumes):
volume_serial_number = volume_information.serial_number
volume_device_path = volume_information.device_path
volume_serial_numbers.append(volume_serial_number)
volume_device_paths.append(volume_device_path)
timestamp = volume_information.get_creation_time_as_integer()
if timestamp:
event_data = windows_events.WindowsVolumeEventData()
event_data.device_path = volume_device_path
event_data.origin = parser_mediator.GetFilename()
event_data.serial_number = volume_serial_number
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_CREATION)
parser_mediator.ProduceEventWithEventData(event, event_data)
for filename in iter(scca_file.filenames):
if not filename:
continue
if (filename.startswith(volume_device_path)
and filename.endswith(executable_filename)):
_, _, path = filename.partition(volume_device_path)
mapped_files = []
for entry_index, file_metrics in enumerate(
scca_file.file_metrics_entries):
mapped_file_string = file_metrics.filename
if not mapped_file_string:
parser_mediator.ProduceExtractionError(
'missing filename for file metrics entry: {0:d}'.format(
entry_index))
continue
file_reference = file_metrics.file_reference
if file_reference:
mapped_file_string = (
'{0:s} [MFT entry: {1:d}, sequence: {2:d}]').format(
mapped_file_string, file_reference & 0xffffffffffff,
file_reference >> 48)
mapped_files.append(mapped_file_string)
event_data = WinPrefetchExecutionEventData()
event_data.executable = executable_filename
event_data.mapped_files = mapped_files
event_data.number_of_volumes = number_of_volumes
event_data.path = path
event_data.prefetch_hash = prefetch_hash
event_data.run_count = run_count
event_data.version = format_version
event_data.volume_device_paths = volume_device_paths
event_data.volume_serial_numbers = volume_serial_numbers
timestamp = scca_file.get_last_run_time_as_integer(0)
if not timestamp:
parser_mediator.ProduceExtractionError('missing last run time')
date_time = dfdatetime_semantic_time.SemanticTime('Not set')
else:
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_RUN)
parser_mediator.ProduceEventWithEventData(event, event_data)
# Check for the 7 older last run time values available since
# format version 26.
if format_version >= 26:
for last_run_time_index in range(1, 8):
timestamp = scca_file.get_last_run_time_as_integer(
last_run_time_index)
if not timestamp:
continue
date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
date_time_description = 'Previous {0:s}'.format(
definitions.TIME_DESCRIPTION_LAST_RUN)
event = time_events.DateTimeValuesEvent(
date_time, date_time_description)
parser_mediator.ProduceEventWithEventData(event, event_data)
scca_file.close()