def _StreamBody( self, args: ApiGetCollectedTimelineArgs, ) -> api_call_handler_base.ApiBinaryStream: client_id = str(args.client_id) flow_id = str(args.flow_id) opts = body.Opts() opts.timestamp_subsecond_precision = args.body_opts.timestamp_subsecond_precision opts.backslash_escape = args.body_opts.backslash_escape opts.carriage_return_escape = args.body_opts.carriage_return_escape opts.non_printable_escape = args.body_opts.non_printable_escape if args.body_opts.HasField("inode_ntfs_file_reference_format"): # If the field is set explicitly, we respect the choice no matter what # filesystem we detected. if args.body_opts.inode_ntfs_file_reference_format: opts.inode_format = body.Opts.InodeFormat.NTFS_FILE_REFERENCE else: fstype = timeline.FilesystemType(client_id=client_id, flow_id=flow_id) if fstype is not None and fstype.lower() == "ntfs": opts.inode_format = body.Opts.InodeFormat.NTFS_FILE_REFERENCE entries = timeline.ProtoEntries(client_id=client_id, flow_id=flow_id) content = body.Stream(entries, opts=opts) filename = "timeline_{}.body".format(flow_id) return api_call_handler_base.ApiBinaryStream(filename, content)
def testBackslashEscape(self): entry = timeline_pb2.TimelineEntry() entry.path = "C:\\Windows\\system32\\notepad.exe".encode("utf-8") opts = body.Opts() opts.backslash_escape = True stream = body.Stream(iter([entry]), opts=opts) content = b"".join(stream).decode("utf-8") self.assertIn("|C:\\\\Windows\\\\system32\\\\notepad.exe|", content)
def testNonPrintableEscape(self): entry = timeline_pb2.TimelineEntry() entry.path = b"/f\x00b\x0ar\x1baz" opts = body.Opts() opts.non_printable_escape = True stream = body.Stream(iter([entry]), opts=opts) content = b"".join(stream).decode("utf-8") self.assertIn(r"|/f\x00b\x0ar\x1baz|", content)
def testCarriageReturnEscape(self): entry = timeline_pb2.TimelineEntry() entry.path = "C:\\Foo\rBar\\Baz\r\rQuux".encode("utf-8") opts = body.Opts() opts.carriage_return_escape = True stream = body.Stream(iter([entry]), opts=opts) content = b"".join(stream).decode("utf-8") self.assertIn("|C:\\Foo\\rBar\\Baz\\r\\rQuux|", content)
def testSubsecondPrecision(self): entry = timeline_pb2.TimelineEntry() entry.path = "/foo/bar".encode("utf-8") entry.atime_ns = 123_456_789_000 opts = body.Opts() opts.timestamp_subsecond_precision = True stream = body.Stream(iter([entry]), opts=opts) content = b"".join(stream).decode("utf-8") self.assertIn("/foo/bar", content) self.assertIn("123.456789", content)
def testNtfsFileReference(self): entry = timeline_pb2.TimelineEntry() entry.path = "/foo/bar".encode("utf-8") entry.ino = 1688849860339456 opts = body.Opts() opts.inode_ntfs_file_reference_format = True stream = body.Stream(iter([entry]), opts=opts) content = b"".join(stream).decode("utf-8") self.assertIn("/foo/bar", content) self.assertIn("75520-6", content)
def _StreamBody( self, args: ApiGetCollectedTimelineArgs, ) -> api_call_handler_base.ApiBinaryStream: client_id = str(args.client_id) flow_id = str(args.flow_id) opts = body.Opts() opts.timestamp_subsecond_precision = args.body_opts.timestamp_subsecond_precision opts.inode_ntfs_file_reference_format = args.body_opts.inode_ntfs_file_reference_format opts.backslash_escape = args.body_opts.backslash_escape entries = timeline.ProtoEntries(client_id=client_id, flow_id=flow_id) content = body.Stream(entries, opts=opts) filename = "timeline_{}.body".format(flow_id) return api_call_handler_base.ApiBinaryStream(filename, content)
def testChunks(self): entries = [] for idx in range(1024): entry = timeline_pb2.TimelineEntry() entry.path = "/foo/bar{}".format(idx).encode("utf-8") entries.append(entry) opts = body.Opts() opts.chunk_size = 6 chunks = list(body.Stream(iter(entries), opts=opts)) self.assertLen(chunks, len(entries)) content = b"".join(chunks).decode("utf-8") reader = csv.reader(io.StringIO(content), delimiter="|") rows = list(reader) self.assertLen(rows, len(entries)) for idx, row in enumerate(rows): self.assertEqual(row[1].encode("utf-8"), entries[idx].path)