Exemplo n.º 1
  def CompileReport(self, analysis_context):
    """Builds the analysis report from the collected per-user results.

    The results mapping is attached to the report as report_dict and is also
    rendered as text: a ' == USER: ... ==' header per user, followed by one
    line per (extension, extension identifier) pair and a blank line.

    Args:
      analysis_context: The analysis context object (instance of
                        AnalysisContext). Not used by this method.

    Returns:
      The analysis report (instance of AnalysisReport).
    """
    report = event.AnalysisReport(self.NAME)
    # The report references the plugin's own results mapping; no copy is made.
    report.report_dict = self._results

    text_lines = []
    for user, extensions in sorted(self._results.iteritems()):
      text_lines.append(u' == USER: {0:s} =='.format(user))
      text_lines.extend(
          u'  {0:s} [{1:s}]'.format(name, identifier)
          for name, identifier in sorted(extensions))
      # The empty string makes SetText emit a blank line after each user.
      text_lines.append(u'')

    report.SetText(text_lines)
    return report
Exemplo n.º 2
    def CompileReport(self, analysis_mediator):
        """Builds the analysis report listing the collected Windows Services.

        When the output format is 'yaml' the report text is a single entry
        holding the YAML dump of all services. Otherwise it is a header line
        followed by one formatted entry and one blank line per service.

        Args:
          analysis_mediator: The analysis mediator object (instance of
                             AnalysisMediator). Not used by this method.

        Returns:
          The analysis report (instance of AnalysisReport).
        """
        report = event.AnalysisReport(self.NAME)

        if self._output_format == u'yaml':
            # safe_dump_all restricts the output to standard YAML tags, so
            # the report text can be read back with a safe loader.
            lines_of_text = [
                yaml.safe_dump_all(self._service_collection.services)]
        else:
            lines_of_text = [u'Listing Windows Services']
            for service in self._service_collection.services:
                # The empty string after each entry separates services with
                # a blank line.
                lines_of_text.extend((self._FormatServiceText(service), u''))

        report.SetText(lines_of_text)
        return report
Exemplo n.º 3
  def CompileReport(self, analysis_mediator):
    """Compiles a report of the analysis.

    Drains hash analysis results from hash_analysis_queue for as long as
    _ContinueReportCompilation() returns a true value, collecting the tags
    and one text line per path specification, then signals the analyzer and
    builds the report.

    Args:
      analysis_mediator: The analysis mediator object (instance of
                         AnalysisMediator). Passed through to
                         _GenerateTextLine.

    Returns:
      The analysis report (instance of AnalysisReport).
    """
    tags = []
    lines_of_text = [u'{0:s} hash tagging Results'.format(self.NAME)]
    # NOTE(review): loop termination depends entirely on
    # _ContinueReportCompilation, which is not visible here.
    while self._ContinueReportCompilation():
      try:
        self._LogProgressUpdateIfReasonable()
        # Waits at most _analysis_queue_timeout for the next result, so the
        # loop condition is re-evaluated even when no results arrive.
        hash_analysis = self.hash_analysis_queue.get(
            timeout=self._analysis_queue_timeout)
      except Queue.Empty:
        # The result queue is empty, but there could still be items that need
        # to be processed by the analyzer.
        continue
      # One analysis result yields the affected path specifications, the tag
      # strings used for the text lines and the tags to attach to the report.
      pathspecs, tag_strings, new_tags = self._HandleHashAnalysis(
          hash_analysis)
      tags.extend(new_tags)
      for pathspec in pathspecs:
        text_line = self._GenerateTextLine(
            analysis_mediator, pathspec, tag_strings)
        lines_of_text.append(text_line)
    # Called once the loop has ended; presumably tells the analyzer to stop
    # working -- confirm against the analyzer implementation.
    self._analyzer.SignalAbort()

    report = event.AnalysisReport(self.NAME)
    report.SetText(lines_of_text)
    report.SetTags(tags)
    return report
Exemplo n.º 4
  def CompileReport(self, analysis_mediator):
    """Builds the analysis report of search terms grouped by search engine.

    The counter keys have the form 'engine:term'. They are regrouped into a
    nested mapping {engine: {term: count}}, which becomes report_dict. The
    search term timeline becomes report_array. The text lists, per engine,
    the terms ordered by descending count and then descending term.

    Args:
      analysis_mediator: The analysis mediator object (instance of
                         AnalysisMediator). Not used by this method.

    Returns:
      The analysis report (instance of AnalysisReport).
    """
    report = event.AnalysisReport(self.NAME)

    terms_per_engine = {}
    for key, count in self._counter.iteritems():
      # partition splits on the first colon only, so colons inside the
      # search term itself are preserved.
      engine, _, term = key.partition(u':')
      terms_per_engine.setdefault(engine, {})[term] = count
    report.report_dict = terms_per_engine
    report.report_array = self._search_term_timeline

    text_lines = []
    for engine, terms in sorted(terms_per_engine.items()):
      text_lines.append(u' == ENGINE: {0:s} =='.format(engine))

      ranked_terms = sorted(
          terms.iteritems(), key=lambda item: (item[1], item[0]),
          reverse=True)
      text_lines.extend(
          u'{0:d} {1:s}'.format(count, term) for term, count in ranked_terms)

      # The empty string makes SetText emit a blank line after each engine.
      text_lines.append(u'')

    report.SetText(text_lines)
    return report
Exemplo n.º 5
    def _ConvertDictToAnalysisReport(self, json_dict):
        """Converts a JSON dict into an analysis report.

        The dictionary of the JSON serialized objects consists of:
        {
            '__type__': 'AnalysisReport'
            '_anomalies': { ... }
            '_tags': { ... }
            'report_array': { ... }
            'report_dict': { ... }
            ...
        }

        Here '__type__' indicates the object base type, which should be
        'AnalysisReport'. Every element of the dictionary, '__type__'
        included, is copied onto the report as an attribute of the same
        name.

        Args:
          json_dict: a dictionary of the JSON serialized objects.

        Returns:
          An analysis report (instance of AnalysisReport).
        """
        # The report starts with an empty plugin name; the name is expected
        # to be set by one of the copied attributes.
        report = event.AnalysisReport(u'')

        # NOTE(review): attribute names are taken verbatim from the
        # serialized data, with no allow-list and no check of '__type__'.
        # A corrupted or crafted storage file can therefore set any
        # attribute on the report, including names the class does not
        # define. Consider restricting the keys to the known AnalysisReport
        # attributes.
        for name, value in json_dict.items():
            setattr(report, name, value)

        return report
Exemplo n.º 6
  def testWriteSerialized(self):
    """Tests the WriteSerialized function with an analysis report."""
    report = event.AnalysisReport(u'chrome_extension_test')
    report.report_dict = self._report_dict
    report.text = self._report_text
    # A constant rather than the current time, so the report content is
    # fixed from run to run.
    report.time_compiled = 1431978243000000

    self._TestWriteSerialized(self._serializer, report, self._proto_string)
Exemplo n.º 7
    def CompileReport(self, analysis_mediator):
        """Builds the analysis report carrying the tags the plugin produced.

        Args:
          analysis_mediator: The analysis mediator object (instance of
                             AnalysisMediator). Not used by this method.

        Returns:
          The analysis report (instance of AnalysisReport).
        """
        report = event.AnalysisReport(self.NAME)
        report.SetTags(self._tags)

        # The text is a single summary line; the tags themselves travel on
        # the report via SetTags.
        tag_count = len(self._tags)
        summary = u'Tagging plugin produced {0:d} tags.'.format(tag_count)
        report.SetText([summary])
        return report
Exemplo n.º 8
  def CompileReport(self, analysis_mediator):
    """Builds the analysis report listing the visited domains in sorted order.

    Args:
      analysis_mediator: The analysis mediator object (instance of
                         AnalysisMediator). Not used by this method.

    Returns:
      The analysis report (instance of AnalysisReport).
    """
    report = event.AnalysisReport(self.NAME)

    # A header line followed by one line per domain.
    text_lines = [u'Listing domains visited by all users']
    text_lines.extend(sorted(self._domains))

    report.SetText(text_lines)
    return report
Exemplo n.º 9
  def testWriteSerialized(self):
    """Tests the WriteSerialized function with a tagged analysis report."""
    tag = event.EventTag(comment=self._comment, event_uuid=self._event_uuid)
    tag.AddLabels(self._labels)
    # The tag must be serializable before it is attached to the report.
    self.assertTrue(tag.IsValidForSerialization())

    report = event.AnalysisReport(u'chrome_extension_test')
    report.report_dict = self._report_dict
    report.text = self._report_text
    # A constant rather than the current time, so the report content is
    # fixed from run to run.
    report.time_compiled = 1431978243000000
    report.SetTags([tag])

    self._TestWriteSerialized(self._serializer, report, self._json_dict)
Exemplo n.º 10
    def testWriteSerialized(self):
        """Tests the WriteSerialized function with a tagged analysis report."""
        tag = event.EventTag()
        tag.event_uuid = u'403818f93dce467bac497ef0f263fde8'
        tag.comment = u'This is a test event tag.'
        # Writes the private _tags attribute directly instead of going
        # through a public method of EventTag.
        tag._tags = [u'This is a test.', u'Also a test.']
        # The tag must be serializable before it is attached to the report.
        self.assertTrue(tag.IsValidForSerialization())

        report = event.AnalysisReport(u'chrome_extension_test')
        report.report_dict = self._report_dict
        report.text = self._report_text
        # A constant rather than the current time, so the report content is
        # fixed from run to run.
        report.time_compiled = 1431978243000000
        report.SetTags([tag])

        self._TestWriteSerialized(
            self._serializer, report, self._json_dict)
Exemplo n.º 11
    def CompileReport(self, analysis_context):
        """Builds the analysis report listing file paths with their hashes.

        Entries are ordered by the 'comparable' attribute of each path
        specification, and every entry is rendered by _GeneratePathString.

        Args:
          analysis_context: The analysis context object (instance of
                            AnalysisContext). Passed through to
                            _GeneratePathString.

        Returns:
          The analysis report (instance of AnalysisReport).
        """
        report = event.AnalysisReport(self.NAME)

        # Sort on the path specification only; the hashes do not take part
        # in the ordering.
        ordered_entries = sorted(
            self._paths_with_hashes.items(),
            key=lambda entry: entry[0].comparable)

        lines_of_text = [u'Listing file paths and hashes']
        lines_of_text.extend(
            self._GeneratePathString(analysis_context, pathspec, hashes)
            for pathspec, hashes in ordered_entries)

        report.SetText(lines_of_text)
        return report
Exemplo n.º 12
    def ReadSerializedObject(cls, proto):
        """Reads an analysis report from serialized form.

        Every field set on the protobuf is copied onto the report as an
        attribute named after the field. The report_dict and report_array
        fields are first rebuilt into a dict and a list by deserializing
        each of their entries; all other field values are copied as they
        are.

        Args:
          proto: a protobuf object containing the serialized form (instance
                 of plaso_storage_pb2.AnalysisReport).

        Returns:
          An analysis report (instance of AnalysisReport).
        """
        # The report starts with an empty plugin name; the name is expected
        # to be set by one of the copied attributes.
        report = event.AnalysisReport(u'')

        for field, value in proto.ListFields():
            name = field.name

            if name == u'report_dict':
                # TODO: replace by
                # ProtobufEventAttributeSerializer.ReadSerializedDictObject(
                # proto.report_dict), need tests first.
                value = {}
                for entry in proto.report_dict.attributes:
                    entry_key, entry_value = (
                        ProtobufEventAttributeSerializer.ReadSerializedObject(
                            entry))
                    value[entry_key] = entry_value

            elif name == u'report_array':
                # TODO: replace by
                # ProtobufEventAttributeSerializer.ReadSerializedListObject(
                # proto.report_array), need tests first.
                value = []
                for entry in proto.report_array.values:
                    # Only the value half of the deserialized pair is kept.
                    _, entry_value = (
                        ProtobufEventAttributeSerializer.ReadSerializedObject(
                            entry))
                    value.append(entry_value)

            setattr(report, name, value)

        return report