def _StreamBody(
self,
args: ApiGetCollectedTimelineArgs,
) -> api_call_handler_base.ApiBinaryStream:
client_id = str(args.client_id)
flow_id = str(args.flow_id)
opts = body.Opts()
opts.timestamp_subsecond_precision = args.body_opts.timestamp_subsecond_precision
opts.backslash_escape = args.body_opts.backslash_escape
opts.carriage_return_escape = args.body_opts.carriage_return_escape
opts.non_printable_escape = args.body_opts.non_printable_escape
if args.body_opts.HasField("inode_ntfs_file_reference_format"):
# If the field is set explicitly, we respect the choice no matter what
# filesystem we detected.
if args.body_opts.inode_ntfs_file_reference_format:
opts.inode_format = body.Opts.InodeFormat.NTFS_FILE_REFERENCE
else:
fstype = timeline.FilesystemType(client_id=client_id,
flow_id=flow_id)
if fstype is not None and fstype.lower() == "ntfs":
opts.inode_format = body.Opts.InodeFormat.NTFS_FILE_REFERENCE
entries = timeline.ProtoEntries(client_id=client_id, flow_id=flow_id)
content = body.Stream(entries, opts=opts)
filename = "timeline_{}.body".format(flow_id)
return api_call_handler_base.ApiBinaryStream(filename, content)
def testBackslashEscape(self):
entry = timeline_pb2.TimelineEntry()
entry.path = "C:\\Windows\\system32\\notepad.exe".encode("utf-8")
opts = body.Opts()
opts.backslash_escape = True
stream = body.Stream(iter([entry]), opts=opts)
content = b"".join(stream).decode("utf-8")
self.assertIn("|C:\\\\Windows\\\\system32\\\\notepad.exe|", content)
def testNonPrintableEscape(self):
entry = timeline_pb2.TimelineEntry()
entry.path = b"/f\x00b\x0ar\x1baz"
opts = body.Opts()
opts.non_printable_escape = True
stream = body.Stream(iter([entry]), opts=opts)
content = b"".join(stream).decode("utf-8")
self.assertIn(r"|/f\x00b\x0ar\x1baz|", content)
def testCarriageReturnEscape(self):
entry = timeline_pb2.TimelineEntry()
entry.path = "C:\\Foo\rBar\\Baz\r\rQuux".encode("utf-8")
opts = body.Opts()
opts.carriage_return_escape = True
stream = body.Stream(iter([entry]), opts=opts)
content = b"".join(stream).decode("utf-8")
self.assertIn("|C:\\Foo\\rBar\\Baz\\r\\rQuux|", content)
def testSubsecondPrecision(self):
entry = timeline_pb2.TimelineEntry()
entry.path = "/foo/bar".encode("utf-8")
entry.atime_ns = 123_456_789_000
opts = body.Opts()
opts.timestamp_subsecond_precision = True
stream = body.Stream(iter([entry]), opts=opts)
content = b"".join(stream).decode("utf-8")
self.assertIn("/foo/bar", content)
self.assertIn("123.456789", content)
def testNtfsFileReference(self):
entry = timeline_pb2.TimelineEntry()
entry.path = "/foo/bar".encode("utf-8")
entry.ino = 1688849860339456
opts = body.Opts()
opts.inode_ntfs_file_reference_format = True
stream = body.Stream(iter([entry]), opts=opts)
content = b"".join(stream).decode("utf-8")
self.assertIn("/foo/bar", content)
self.assertIn("75520-6", content)
def _StreamBody(
self,
args: ApiGetCollectedTimelineArgs,
) -> api_call_handler_base.ApiBinaryStream:
client_id = str(args.client_id)
flow_id = str(args.flow_id)
opts = body.Opts()
opts.timestamp_subsecond_precision = args.body_opts.timestamp_subsecond_precision
opts.inode_ntfs_file_reference_format = args.body_opts.inode_ntfs_file_reference_format
opts.backslash_escape = args.body_opts.backslash_escape
entries = timeline.ProtoEntries(client_id=client_id, flow_id=flow_id)
content = body.Stream(entries, opts=opts)
filename = "timeline_{}.body".format(flow_id)
return api_call_handler_base.ApiBinaryStream(filename, content)
def testChunks(self):
entries = []
for idx in range(1024):
entry = timeline_pb2.TimelineEntry()
entry.path = "/foo/bar{}".format(idx).encode("utf-8")
entries.append(entry)
opts = body.Opts()
opts.chunk_size = 6
chunks = list(body.Stream(iter(entries), opts=opts))
self.assertLen(chunks, len(entries))
content = b"".join(chunks).decode("utf-8")
reader = csv.reader(io.StringIO(content), delimiter="|")
rows = list(reader)
self.assertLen(rows, len(entries))
for idx, row in enumerate(rows):
self.assertEqual(row[1].encode("utf-8"), entries[idx].path)
