def testProcessSourcesVSSImage(self): """Tests the ProcessSources function on an image containing VSS.""" test_source = self._GetTestFilePath([u'vsstest.qcow2']) with shared_test_lib.TempDirectory() as temp_directory: test_storage_file = os.path.join(temp_directory, u'test.plaso') options = cli_test_lib.TestOptions() options.output = test_storage_file options.quiet = True options.single_process = True options.status_view_mode = u'none' options.source = test_source options.vss_stores = u'all' self._test_tool.ParseOptions(options) self._test_tool.ProcessSources() output = self._output_writer.ReadOutput() # TODO: print summary and compare that against output. _ = output
def _TestScanSourceVSSImage(self, source_path): """Tests the ScanSource function on a VSS storage media image. Args: source_path: the path of the source device, directory or file. """ test_tool = storage_media_tool.StorageMediaTool() options = test_lib.TestOptions() options.source = source_path options.vss_stores = u'all' test_tool.ParseOptions(options) scan_context = test_tool.ScanSource() self.assertIsNotNone(scan_context) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_QCOW) self.assertEqual(len(scan_node.sub_nodes), 2) volume_scan_node = scan_node scan_node = volume_scan_node.sub_nodes[0] self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW) self.assertEqual(len(scan_node.sub_nodes), 2) scan_node = scan_node.sub_nodes[0] self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_VSHADOW) # By default the file system inside a VSS volume is not scanned. self.assertEqual(len(scan_node.sub_nodes), 0) scan_node = volume_scan_node.sub_nodes[1] self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK)
def testRunModeRegistryFile(self): """Tests the RunModeRegistryFile function.""" options = cli_test_lib.TestOptions() options.registry_file = self._GetTestFilePath([u'SOFTWARE']) self._test_tool.ParseOptions(options) self._test_tool.RunModeRegistryFile() output = self._output_writer.ReadOutput() plugins, registry_keys = self._ExtractPluginsAndKey(output) # Define the minimum set of plugins that need to be in the output. # This information is gathered from the actual tool output, which # for aesthetics reasons surrounds the text with **. The above processing # then cuts of the first half of that, but leaves the second ** intact. expected_plugins = set([ b'msie_zone', b'windows_run', b'windows_task_cache', b'windows_version' ]) self.assertTrue(expected_plugins.issubset(plugins)) self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\' b'CurrentVersion\\Schedule\\TaskCache'), registry_keys) self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\' b'CurrentVersion\\Run'), registry_keys) self.assertIn((b'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\' b'CurrentVersion\\Internet Settings\\Lockdown_Zones'), registry_keys) # The output should grow with each newly added plugin, and it might be # reduced with changes to the codebase, yet there should be at least 1.400 # lines in the output. line_count = 0 for _ in output: line_count += 1 self.assertGreater(line_count, 1400)
def _TestScanSourceDirectory(self, source_path): """Tests the ScanSource function on a directory. Args: source_path: the path of the source device, directory or file. """ test_tool = storage_media_tool.StorageMediaTool() options = test_lib.TestOptions() options.source = source_path test_tool.ParseOptions(options) scan_context = test_tool.ScanSource() self.assertIsNotNone(scan_context) scan_node = scan_context.GetRootScanNode() self.assertIsNotNone(scan_node) self.assertEqual( scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_OS) path_spec = scan_node.path_spec self.assertEqual(path_spec.location, os.path.abspath(source_path))
def testCreateAnalysisPlugins(self): """Tests the _CreateAnalysisPlugins function.""" test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt']) self._SkipIfPathNotExists(test_file_path) output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = TestToolWithAnalysisPluginOptions(output_writer=output_writer) options = test_lib.TestOptions() options.tagging_file = test_file_path test_tool._analysis_plugins = 'tagging' plugins = test_tool._CreateAnalysisPlugins(options) self.assertIn('tagging', plugins.keys()) test_tool._analysis_plugins = 'bogus' plugins = test_tool._CreateAnalysisPlugins(options) self.assertEqual(plugins, {}) test_tool._analysis_plugins = '' plugins = test_tool._CreateAnalysisPlugins(options) self.assertEqual(plugins, {})
def testProcessStorageWithMissingParameters(self): """Test the ProcessStorage function with half-configured output module.""" input_reader = TestInputReader() output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8') test_tool = psort.PsortTool( input_reader=input_reader, output_writer=output_writer) options = cli_test_lib.TestOptions() options.storage_file = self._GetTestFilePath([u'psort_test.json.plaso']) options.output_format = u'test_missing' output_manager.OutputManager.RegisterOutput( TestOutputModuleMissingParameters) helpers_manager.ArgumentHelperManager.RegisterHelper( TestOutputModuleArgumentHelper) lines = [] with shared_test_lib.TempDirectory() as temp_directory: temp_file_name = os.path.join(temp_directory, u'output.txt') options.write = temp_file_name test_tool.ParseOptions(options) test_tool.ProcessStorage() with open(temp_file_name, 'rb') as file_object: for line in file_object.readlines(): lines.append(line.strip()) self.assertTrue(input_reader.read_called) self.assertEqual(TestOutputModuleMissingParameters.missing, u'foobar') self.assertEqual(TestOutputModuleMissingParameters.parameters, u'foobar') expected_line = u'FILE/OS ctime OS:/tmp/test/test_data/syslog Type: file' self.assertIn(expected_line, lines) output_manager.OutputManager.DeregisterOutput( TestOutputModuleMissingParameters) helpers_manager.ArgumentHelperManager.DeregisterHelper( TestOutputModuleArgumentHelper)
def testProcessSourcesExtractWithFilter(self): """Tests the ProcessSources function with a filter file.""" test_artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(test_artifacts_path) test_file_path = self._GetTestFilePath(['image.qcow2']) self._SkipIfPathNotExists(test_file_path) output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool( output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = test_artifacts_path options.image = test_file_path options.quiet = True with shared_test_lib.TempDirectory() as temp_directory: filter_file = os.path.join(temp_directory, 'filter.txt') with io.open(filter_file, 'wt', encoding='utf-8') as file_object: file_object.write('/a_directory/.+_file\n') options.file_filter = filter_file options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_extracted_files = sorted([ os.path.join(temp_directory, 'filter.txt'), os.path.join(temp_directory, 'a_directory'), os.path.join(temp_directory, 'a_directory', 'another_file'), os.path.join(temp_directory, 'a_directory', 'a_file') ]) extracted_files = self._RecursiveList(temp_directory) self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testPrintFilterCollection(self): """Tests the PrintFilterCollection function.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath(['artifacts']) options.date_filters = ['ctime,2012-05-25 15:59:00,2012-05-25 15:59:20'] options.image = self._GetTestFilePath(['image.qcow2']) options.quiet = True test_tool.ParseOptions(options) test_tool.PrintFilterCollection() expected_output = '\n'.join([ 'Filters:', ('\tctime between 2012-05-25 15:59:00.000000 and ' '2012-05-25 15:59:20.000000'), '']) output = output_writer.ReadOutput() self.assertEqual(output, expected_output)
def _CreateExtractionOptions(self, source_path, password=None): """Create options for testing extraction. Args: source_path (str): path of the source (test) data. password (Optional[str]): password to unlock test data. Returns: TestOptions: options for testing extraction. """ options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath( ['artifacts']) options.quiet = True options.single_process = True options.status_view_mode = 'none' options.source = source_path if password: options.credentials = ['password:{0:s}'.format(password)] return options
def testExtractEventsFromSourceBDEImage(self): """Tests the ExtractEventsFromSources function on an image with BDE.""" test_artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(test_artifacts_path) test_file_path = self._GetTestFilePath(['bdetogo.raw']) self._SkipIfPathNotExists(test_file_path) dfvfs_resolver.Resolver.key_chain.Empty() output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = psteal_tool.PstealTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = test_artifacts_path options.credentials = ['password:{0:s}'.format(self._BDE_PASSWORD)] options.quiet = True options.source = test_file_path options.status_view_mode = 'none' with shared_test_lib.TempDirectory() as temp_directory: options.log_file = os.path.join(temp_directory, 'output.log') options.storage_file = os.path.join(temp_directory, 'storage.plaso') options.write = os.path.join(temp_directory, 'output.txt') test_tool.ParseOptions(options) test_tool.ExtractEventsFromSources() expected_output = [ '', 'Source path\t\t: {0:s}'.format(options.source), 'Source type\t\t: storage media image', 'Processing time\t\t: 00:00:00', '', 'Processing started.', 'Processing completed.', '', '' ] output = output_writer.ReadOutput() self._CheckOutput(output, expected_output)
def testParseOptions(self): """Tests the ParseOptions function.""" options = cli_test_lib.TestOptions() options.storage_format = 'sqlite' options.task_storage_format = 'sqlite' test_tool = tools.CLITool() storage_format.StorageFormatArgumentsHelper.ParseOptions( options, test_tool) self.assertEqual(test_tool._storage_format, options.storage_format) self.assertEqual(test_tool._task_storage_format, options.task_storage_format) with self.assertRaises(errors.BadConfigObject): storage_format.StorageFormatArgumentsHelper.ParseOptions( options, None) with self.assertRaises(errors.BadConfigOption): options.storage_format = 'bogus' storage_format.StorageFormatArgumentsHelper.ParseOptions( options, test_tool)
def testExtractEventsFromSourceDirectory(self): """Tests the ExtractEventsFromSources function on a directory.""" test_artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(test_artifacts_path) test_file_path = self._GetTestFilePath(['testdir']) self._SkipIfPathNotExists(test_file_path) output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = psteal_tool.PstealTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = test_artifacts_path options.quiet = True options.status_view_mode = 'none' options.source = test_file_path with shared_test_lib.TempDirectory() as temp_directory: options.log_file = os.path.join(temp_directory, 'output.log') options.storage_file = os.path.join(temp_directory, 'storage.plaso') options.write = os.path.join(temp_directory, 'output.txt') test_tool.ParseOptions(options) test_tool.ExtractEventsFromSources() expected_output = [ '', 'Source path\t\t: {0:s}'.format(options.source), 'Source type\t\t: directory', 'Processing time\t\t: 00:00:00', '', 'Processing started.', 'Processing completed.', '', ''] output = output_writer.ReadOutput() self._CheckOutput(output, expected_output)
def testExtractEventsFromSourceVSSImage(self): """Tests the ExtractEventsFromSources function on an image with VSS.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = psteal_tool.PstealTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath(['artifacts']) options.quiet = True options.single_process = True options.status_view_mode = 'none' options.source = self._GetTestFilePath(['vsstest.qcow2']) options.vss_stores = 'all' with shared_test_lib.TempDirectory() as temp_directory: options.log_file = os.path.join(temp_directory, 'output.log') options.storage_file = os.path.join(temp_directory, 'storage.plaso') options.write = os.path.join(temp_directory, 'output.txt') test_tool.ParseOptions(options) test_tool.ExtractEventsFromSources() expected_output = [ '', 'Source path\t\t: {0:s}'.format(options.source), 'Source type\t\t: storage media image', 'Processing time\t\t: 00:00:00', '', 'Processing started.', 'Processing completed.', '', 'Number of warnings generated while extracting events: 3.', '', 'Use pinfo to inspect warnings in more detail.', '', ''] output = output_writer.ReadOutput() self._CheckOutput(output, expected_output)
def testProcessSourcesBDEImage(self): """Tests the ProcessSources function on an image containing BDE.""" test_source = self._GetTestFilePath([u'bdetogo.raw']) with shared_test_lib.TempDirectory() as temp_directory: test_storage_file = os.path.join(temp_directory, u'test.plaso') options = cli_test_lib.TestOptions() options.credentials = [u'password:{0:s}'.format(self._BDE_PASSWORD)] options.output = test_storage_file options.quiet = True options.single_process = True options.status_view_mode = u'none' options.source = test_source self._test_tool.ParseOptions(options) self._test_tool.ProcessSources() output = self._output_writer.ReadOutput() # TODO: print summary and compare that against output. _ = output
def testParseOptions(self): """Tests the ParseOptions function.""" test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt']) self._SkipIfPathNotExists(test_file_path) options = cli_test_lib.TestOptions() options.tagging_file = test_file_path analysis_plugin = tagging.TaggingAnalysisPlugin() tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions( options, analysis_plugin) with self.assertRaises(errors.BadConfigObject): tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions( options, None) options.tagging_file = None with self.assertRaises(errors.BadConfigOption): tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions( options, analysis_plugin) test_file_path = self._GetTestFilePath( ['tagging_file', 'invalid_syntax.txt']) self._SkipIfPathNotExists(test_file_path) options.tagging_file = test_file_path with self.assertRaises(errors.BadConfigOption): tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions( options, analysis_plugin) options.tagging_file = self._GetTestFilePath( ['tagging_file', 'invalid_encoding.txt']) with self.assertRaises(errors.BadConfigOption): tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions( options, analysis_plugin)
def testPrintStorageInformationAsJSON(self): """Tests the PrintStorageInformation function with JSON output format.""" test_filename = 'pinfo_test.plaso' session_identifier = 'c1ce225e-7eec-49a6-9f5c-35907e518ff8' session_start_time = '2020-04-04 06:40:08.695055' test_file_path = self._GetTestFilePath([test_filename]) self._SkipIfPathNotExists(test_file_path) options = test_lib.TestOptions() options.storage_file = test_file_path options.output_format = 'json' options.sections = 'events,reports,sessions,warnings' output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = pinfo_tool.PinfoTool(output_writer=output_writer) test_tool.ParseOptions(options) test_tool.PrintStorageInformation() output = output_writer.ReadOutput() json_output = json.loads(output) sessions = json_output.get('sessions') self.assertIsNotNone(sessions) first_session = sessions.get('session') self.assertIsNotNone(first_session) self.assertEqual( first_session['identifier'], session_identifier.replace('-', '')) expected_start_time = shared_test_lib.CopyTimestampFromSring( session_start_time) self.assertEqual(first_session['start_time'], expected_start_time) parsers_counter = first_session['parsers_counter'] self.assertEqual(parsers_counter['total'], 3) self.assertEqual(parsers_counter['filestat'], 3)
def testPrintStorageInformationAsJSON(self): """Tests the PrintStorageInformation function with JSON output format.""" test_filename = 'pinfo_test.plaso' session_identifier = '678d3612-feac-4de7-b929-0bd3260a9365' session_start_time = '2021-06-23 07:42:30.094310' test_file_path = self._GetTestFilePath([test_filename]) self._SkipIfPathNotExists(test_file_path) options = test_lib.TestOptions() options.storage_file = test_file_path options.output_format = 'json' options.sections = 'events,reports,sessions,warnings' output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = pinfo_tool.PinfoTool(output_writer=output_writer) test_tool.ParseOptions(options) test_tool.PrintStorageInformation() output = output_writer.ReadOutput() json_output = json.loads(output) sessions = json_output.get('sessions') self.assertIsNotNone(sessions) first_session = sessions.get('session') self.assertIsNotNone(first_session) self.assertEqual(first_session['identifier'], session_identifier.replace('-', '')) expected_start_time = shared_test_lib.CopyTimestampFromString( session_start_time) self.assertEqual(first_session['start_time'], expected_start_time) parsers_counter = first_session['parsers_counter'] self.assertEqual(parsers_counter['total'], 3) self.assertEqual(parsers_counter['filestat'], 3)
def _TestScanSourcePartitionedImage(self, source_path): """Tests the ScanSource function on an image containing multiple partitions. Args: source_path (str): path of the source device, directory or file. """ test_tool = storage_media_tool.StorageMediaTool() options = test_lib.TestOptions() options.partitions = u'all' options.source = source_path test_tool.ParseOptions(options) scan_context = test_tool.ScanSource() self.assertIsNotNone(scan_context) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION) self.assertEqual(len(scan_node.sub_nodes), 7) for scan_node in scan_node.sub_nodes: if getattr(scan_node.path_spec, u'location', None) == u'/p2': break self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION) self.assertEqual(len(scan_node.sub_nodes), 1) path_spec = scan_node.path_spec self.assertEqual(path_spec.start_offset, 180224) scan_node = scan_node.sub_nodes[0] self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK)
def testProcessSourcesPartitionedImage(self): """Tests the ProcessSources function on a multi partition image.""" test_source = self._GetTestFilePath([u'multi_partition_image.vmdk']) with shared_test_lib.TempDirectory() as temp_directory: test_storage_file = os.path.join(temp_directory, u'test.plaso') options = cli_test_lib.TestOptions() # TODO: refactor to partitions. options.partition_number = u'all' options.output = test_storage_file options.quiet = True options.single_process = True options.status_view_mode = u'none' options.source = test_source self._test_tool.ParseOptions(options) self._test_tool.ProcessSources() output = self._output_writer.ReadOutput() # TODO: print summary and compare that against output. _ = output
def testProcessSourcesImage(self): """Tests the ProcessSources function on a single partition image.""" output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8') test_tool = image_export.ImageExportTool(output_writer=output_writer) options = cli_test_lib.TestOptions() options.image = self._GetTestFilePath([u'ímynd.dd']) options.quiet = True with shared_test_lib.TempDirectory() as temp_directory: options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_output = b'\n'.join([ b'Export started.', b'Extracting file entries.', b'Export completed.', b'', b'' ]) output = output_writer.ReadOutput() self.assertEqual(output, expected_output)
def testProcessSourcesExtractWithExtensionsFilter(self): """Tests the ProcessSources function with an extensions filter.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath(['artifacts']) options.extensions_string = 'txt' options.image = self._GetTestFilePath(['image.qcow2']) options.quiet = True with shared_test_lib.TempDirectory() as temp_directory: options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_extracted_files = sorted([ os.path.join(temp_directory, 'passwords.txt')]) extracted_files = self._RecursiveList(temp_directory) self.assertEqual(sorted(extracted_files), expected_extracted_files)
def _TestScanSourceImage(self, source_path): """Tests the ScanSource function on an image containing a single partition. Args: source_path (str): path of the source device, directory or file. """ test_tool = storage_media_tool.StorageMediaTool() options = test_lib.TestOptions() options.source = source_path test_tool._ParseStorageMediaImageOptions(options) test_tool._ParseVSSProcessingOptions(options) test_tool._ParseCredentialOptions(options) test_tool._ParseSourcePathOption(options) scan_context = test_tool.ScanSource(source_path) self.assertIsNotNone(scan_context) scan_node = self._GetTestScanNode(scan_context) self.assertIsNotNone(scan_node) self.assertEqual(scan_node.type_indicator, dfvfs_definitions.TYPE_INDICATOR_TSK)
def testParseOptions(self): """Tests the ParseOptions function.""" options = cli_test_lib.TestOptions() options.filter = 'event.timestamp == 0' options.slice = '2020-06-13T06:33:10' options.slicer = False test_tool = tools.CLITool() event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool) self.assertEqual(test_tool._event_filter_expression, options.filter) self.assertIsNotNone(test_tool._event_filter) with self.assertRaises(errors.BadConfigObject): event_filters.EventFiltersArgumentsHelper.ParseOptions(options, None) options.filter = 'BOGUS' with self.assertRaises(errors.BadConfigOption): event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool) options.filter = 'event.timestamp == 0' options.slice = '2020-06-13 06:33:10' with self.assertRaises(errors.BadConfigOption): event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool) options.slice = 'YEAR-06-13T06:33:10' with self.assertRaises(errors.BadConfigOption): event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool) options.slice = '2020-06-13T06:33:10' options.slicer = True with self.assertRaises(errors.BadConfigOption): event_filters.EventFiltersArgumentsHelper.ParseOptions(options, test_tool)
def testExtractEventsFromSourceVSSImage(self): """Tests the ExtractEventsFromSources function on an image with VSS.""" output_writer = test_lib.TestOutputWriter(encoding=u'utf-8') test_tool = psteal_tool.PstealTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath([u'artifacts']) options.quiet = True options.single_process = True options.status_view_mode = u'none' options.source = self._GetTestFilePath([u'vsstest.qcow2']) options.vss_stores = u'all' with shared_test_lib.TempDirectory() as temp_directory: options.write = os.path.join(temp_directory, u'unused_output.txt') options.storage_file = os.path.join(temp_directory, u'storage.plaso') test_tool.ParseOptions(options) test_tool.ExtractEventsFromSources() expected_output = [ b'', b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')), b'Source type\t: storage media image', b'', b'Processing started.', b'Processing completed.', b'', b'Number of errors encountered while extracting events: 1.', b'', b'Use pinfo to inspect errors in more detail.', b'', b''] output = output_writer.ReadOutput() self.assertEqual(output.split(b'\n'), expected_output)
def testParseOptions(self): """Tests the ParseOptions function.""" output_writer = test_lib.TestOutputWriter(encoding=u'utf-8') test_tool = psteal_tool.PstealTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath([u'artifacts']) # Test when the output file is missing. expected_error = (u'Output format: dynamic requires an output file') with self.assertRaisesRegexp(errors.BadConfigOption, expected_error): test_tool.ParseOptions(options) options.write = u'dynamic.out' # Test when the source is missing. expected_error = u'Missing source path.' with self.assertRaisesRegexp(errors.BadConfigOption, expected_error): test_tool.ParseOptions(options) with shared_test_lib.TempDirectory() as temp_directory: options.source = self._GetTestFilePath([u'testdir']) options.write = os.path.join(temp_directory, u'dynamic.out') # Test when both source and output are specified. test_tool.ParseOptions(options) with open(options.write, 'w') as file_object: file_object.write(u'bogus') # Test when output file already exists. # Escape \ otherwise assertRaisesRegexp can error with: # error: bogus escape: u'\\1' expected_error = u'Output file already exists: {0:s}.'.format( options.write.replace(u'\\', u'\\\\')) with self.assertRaisesRegexp(errors.BadConfigOption, expected_error): test_tool.ParseOptions(options)
def testParseOptions(self): """Tests the ParseOptions function.""" test_file_path = self._GetTestFilePath(['rules.yara']) self._SkipIfPathNotExists(test_file_path) invalid_rules_path = self._GetTestFilePath(['another_file']) self._SkipIfPathNotExists(invalid_rules_path) unsupported_rules_path = self._GetTestFilePath( ['unsupported_rules.yara']) self._SkipIfPathNotExists(unsupported_rules_path) options = cli_test_lib.TestOptions() options.yara_rules_path = test_file_path test_tool = tools.CLITool() yara_rules.YaraRulesArgumentsHelper.ParseOptions(options, test_tool) self.assertIsNotNone(test_tool._yara_rules_string) with self.assertRaises(errors.BadConfigObject): yara_rules.YaraRulesArgumentsHelper.ParseOptions(options, None) options.yara_rules_path = '/tmp/non_existant' with self.assertRaises(errors.BadConfigOption): yara_rules.YaraRulesArgumentsHelper.ParseOptions( options, test_tool) options.yara_rules_path = invalid_rules_path with self.assertRaises(errors.BadConfigOption): yara_rules.YaraRulesArgumentsHelper.ParseOptions( options, test_tool) options.yara_rules_path = unsupported_rules_path with self.assertRaises(errors.BadConfigOption): yara_rules.YaraRulesArgumentsHelper.ParseOptions( options, test_tool)
def testShowInfo(self): """Tests the output of the tool in info mode.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = log2timeline_tool.Log2TimelineTool( output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath( ['artifacts']) options.show_info = True test_tool.ParseOptions(options) test_tool.ShowInfo() output = output_writer.ReadOutput() section_headings = [ 'Hashers', 'Parsers', 'Parser Plugins', 'Parser Presets', 'Versions' ] for heading in section_headings: self.assertIn(heading, output) self.assertNotIn('<class', output)
def testProcessSourcesExtractWithArtifactsGroupFilter(self): """Tests the ProcessSources function with a group artifacts filter file.""" test_artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(test_artifacts_path) test_file_path = self._GetTestFilePath(['image.qcow2']) self._SkipIfPathNotExists(test_file_path) output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool( output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = test_artifacts_path options.image = test_file_path options.quiet = True options.artifact_filter_string = 'TestGroupExport' with shared_test_lib.TempDirectory() as temp_directory: options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_extracted_files = sorted([ os.path.join(temp_directory, 'a_directory'), os.path.join(temp_directory, 'a_directory', 'another_file'), os.path.join(temp_directory, 'a_directory', 'a_file'), os.path.join(temp_directory, 'passwords.txt'), os.path.join(temp_directory, 'hashes.json') ]) extracted_files = self._RecursiveList(temp_directory) self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testProcessSourcesExtractWithSignaturesFilter(self): """Tests the ProcessSources function with a signatures filter.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath(['artifacts']) options.image = self._GetTestFilePath(['syslog_image.dd']) options.quiet = True options.signature_identifiers = 'gzip' with shared_test_lib.TempDirectory() as temp_directory: options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_extracted_files = sorted([ os.path.join(temp_directory, 'logs'), os.path.join(temp_directory, 'logs', 'sys.tgz')]) extracted_files = self._RecursiveList(temp_directory) self.assertEqual(sorted(extracted_files), expected_extracted_files)
def testProcessSourcesExtractWithDateTimeFilter(self): """Tests the ProcessSources function with a date time filter.""" output_writer = test_lib.TestOutputWriter(encoding='utf-8') test_tool = image_export_tool.ImageExportTool(output_writer=output_writer) options = test_lib.TestOptions() options.artifact_definitions_path = self._GetTestFilePath(['artifacts']) options.date_filters = ['ctime,2012-05-25 15:59:00,2012-05-25 15:59:20'] options.image = self._GetTestFilePath(['image.qcow2']) options.quiet = True with shared_test_lib.TempDirectory() as temp_directory: options.path = temp_directory test_tool.ParseOptions(options) test_tool.ProcessSources() expected_extracted_files = sorted([ os.path.join(temp_directory, 'a_directory'), os.path.join(temp_directory, 'a_directory', 'a_file')]) extracted_files = self._RecursiveList(temp_directory) self.assertEqual(sorted(extracted_files), expected_extracted_files)