def testTSKFile(self):
"""Read a file within an image file and make few tests."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath(['ímynd.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
inode=15,
location='/passwords.txt',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-05-25 16:00:53.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_ACCESS)
self.assertEqual(event.file_size, 116)
self.assertEqual(event.inode, 15)
self.assertEqual(event.file_system_type, 'EXT2')
expected_message = ('TSK:/passwords.txt ' 'Type: file')
expected_short_message = '/passwords.txt'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testGzipFile(self):
"""Test a GZIP file."""
parser = filestat.FileStatParser()
test_file_path = self._GetTestFilePath(['syslog.gz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-28 16:44:07.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.file_size, 1247)
self.assertIsNone(event.inode)
test_path = os.path.join(os.getcwd(), 'test_data', 'syslog.gz')
expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path)
expected_short_message = self._GetShortMessage(test_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testZipFile(self):
"""Test a ZIP file."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog.zip'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_ZIP,
location=u'/syslog',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
# The ZIP file has 1 event.
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.file_size, 1247)
expected_message = (u'ZIP:/syslog ' u'Type: file')
expected_short_message = u'/syslog'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testGzipFile(self):
"""Test a GZIP file."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog.gz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
# The gzip file has 1 event.
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.file_size, 1247)
test_path = os.path.join(os.getcwd(), u'test_data', u'syslog.gz')
expected_message = (u'GZIP:{0:s} ' u'Type: file').format(test_path)
expected_short_message = self._GetShortMessage(test_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testTSKFile(self):
"""Read a file within an image file and make few tests."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'ímynd.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK,
inode=15,
location=u'/passwords.txt',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
# The TSK file entry has 3 events.
self.assertEqual(storage_writer.number_of_events, 3)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.file_size, 116)
expected_message = (u'TSK:/passwords.txt ' u'Type: file')
expected_short_message = u'/passwords.txt'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testGzipFile(self):
"""Test a GZIP file."""
test_file_path = self._GetTestFilePath(['syslog.gz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.gz')
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-28 16:44:07',
'display_name': 'GZIP:{0:s}'.format(test_path),
'file_entry_type': 'file',
'file_size': 1247,
'file_system_type': 'GZIP',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testTSKFile(self):
"""Read a file within an image file and make few tests."""
parser = filestat.FileStatParser()
test_file_path = self._GetTestFilePath(['ímynd.dd'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, inode=15,
location='/passwords.txt', parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
self.assertEqual(storage_writer.number_of_events, 3)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-05-25 16:00:53',
'display_name': 'TSK:/passwords.txt',
'file_entry_type': 'file',
'file_size': 116,
'file_system_type': 'EXT2',
'inode': 15,
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNtfsFile(self):
"""Test a file in a NTFS file system."""
test_file_path = self._GetTestFilePath(['vsstest.qcow2'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
qcow_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec)
ext_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_NTFS,
location='\\$Extend\\$RmMetadata\\$TxfLog\\$TxfLog.blf',
parent=qcow_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(ext_path_spec, parser)
self.assertEqual(storage_writer.number_of_events, 4)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'attribute_names': None,
'data_type': 'fs:stat',
'date_time': '2013-12-03 06:30:42.9779097',
'display_name': 'NTFS:\\$Extend\\$RmMetadata\\$TxfLog\\$TxfLog.blf',
'file_entry_type': 'file',
'file_size': 65536,
'file_system_type': 'NTFS',
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testTarFile(self):
"""Test a TAR file."""
test_file_path = self._GetTestFilePath(['syslog.tar'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog',
parent=os_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-24 21:45:24',
'display_name': 'TAR:/syslog',
'file_entry_type': 'file',
'file_size': 1247,
'file_system_type': 'TAR',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testZipFile(self):
"""Test a ZIP file."""
parser = filestat.FileStatParser()
test_file_path = self._GetTestFilePath(['syslog.zip'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_ZIP,
location='/syslog',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-24 14:45:24.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.file_size, 1247)
self.assertIsNone(event.inode)
expected_message = ('ZIP:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testTarFile(self):
"""Test a TAR file."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath(['syslog.tar'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR,
location='/syslog',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser)
self.assertEqual(storage_writer.number_of_errors, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-24 21:45:24.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.file_size, 1247)
self.assertIsNone(event.inode)
expected_message = ('TAR:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testTarFile(self):
"""Test a TAR file."""
parser_object = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog.tar'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TAR,
location=u'/syslog',
parent=os_path_spec)
event_queue_consumer = self._ParseFileByPathSpec(
parser_object, tar_path_spec)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The tar file has 1 event object.
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
expected_message = (u'TAR:/syslog ' u'Type: file')
expected_message_short = u'/syslog'
self._TestGetMessageStrings(event_object, expected_message,
expected_message_short)
def testTSKFile(self):
"""Read a file within an image file and make few tests."""
parser_object = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'ímynd.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK,
inode=15,
location=u'/passwords.txt',
parent=os_path_spec)
event_queue_consumer = self._ParseFileByPathSpec(
parser_object, tsk_path_spec)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The TSK file entry has 3 event objects.
self.assertEqual(len(event_objects), 3)
event_object = event_objects[0]
expected_message = (u'TSK:/passwords.txt ' u'Type: file')
expected_message_short = u'/passwords.txt'
self._TestGetMessageStrings(event_object, expected_message,
expected_message_short)
def testNestedTSK(self):
"""Test a nested TSK file."""
parser_object = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog_image.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TSK,
inode=11,
location=u'/logs/hidden.zip',
parent=os_path_spec)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_ZIP,
location=u'/syslog',
parent=tsk_path_spec)
event_queue_consumer = self._ParseFileByPathSpec(
parser_object, zip_path_spec)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The ZIP file has 1 event objects.
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
expected_message = (u'ZIP:/syslog ' u'Type: file')
expected_message_short = u'/syslog'
self._TestGetMessageStrings(event_object, expected_message,
expected_message_short)
def testNestedTSK(self):
"""Test a nested TSK file."""
test_file_path = self._GetTestFilePath(['syslog_image.dd'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK, inode=11,
location='/logs/hidden.zip', parent=os_path_spec)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog',
parent=tsk_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-20 15:44:14',
'display_name': 'ZIP:/syslog',
'file_entry_type': 'file',
'file_size': 1247,
'file_system_type': 'ZIP',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testExt2FileWithTSK(self):
"""Test a file in an ext2 file system with TSK."""
test_file_path = self._GetTestFilePath(['ímynd.dd'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
inode=15,
location='/passwords.txt',
parent=os_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 3)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
# Note that attribute support in pytsk/libtsk is currently broken
# also see: https://github.com/py4n6/pytsk/issues/79
expected_event_values = {
'attribute_names': None,
'data_type': 'fs:stat',
'date_time': '2012-05-25 16:00:53',
'display_name': 'TSK:/passwords.txt',
'file_entry_type': 'file',
'file_size': 116,
'file_system_type': 'EXT2',
'group_identifier': 5000,
'inode': 15,
'mode': 0o400,
'number_of_links': 1,
'owner_identifier': 151107,
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedFile(self):
"""Test a nested file."""
parser_object = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog.tgz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_TAR,
location=u'/syslog',
parent=gzip_path_spec)
event_queue_consumer = self._ParseFileByPathSpec(
parser_object, tar_path_spec)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The tar file has 1 event object.
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
expected_message = (u'TAR:/syslog ' u'Type: file')
expected_message_short = u'/syslog'
self._TestGetMessageStrings(event_object, expected_message,
expected_message_short)
test_file = self._GetTestFilePath([u'syslog.tgz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
event_queue_consumer = self._ParseFileByPathSpec(
parser_object, gzip_path_spec)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
# The gzip file has 1 event object.
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
test_path = os.path.join(os.getcwd(), u'test_data', u'syslog.tgz')
expected_message = (u'GZIP:{0:s} ' u'Type: file').format(test_path)
expected_message_short = self._GetShortMessage(test_path)
self._TestGetMessageStrings(event_object, expected_message,
expected_message_short)
def testExt4File(self):
"""Test a file in an ext4 file system."""
test_file_path = self._GetTestFilePath(['ext4.raw'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
ext_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_EXT,
inode=14,
location='/passwords.txt',
parent=os_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(ext_path_spec, parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 4)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'attribute_names': ['security.selinux'],
'data_type': 'fs:stat',
'date_time': '2021-07-22 14:07:32.842610820',
'display_name': 'EXT:/passwords.txt',
'file_entry_type': 'file',
'file_size': 116,
'file_system_type': 'EXT',
'group_identifier': 1000,
'inode': 14,
'mode': 0o664,
'number_of_links': 1,
'owner_identifier': 1000,
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testZipFile(self):
"""Test a ZIP file."""
test_file_path = self._GetTestFilePath(['syslog.zip'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_ZIP,
location='/syslog',
parent=os_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-24 14:45:24',
'display_name': 'ZIP:/syslog',
'file_entry_type': 'file',
'file_size': 1247,
'file_system_type': 'ZIP',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedTSK(self):
"""Test a nested TSK file."""
parser = filestat.FileStatParser()
test_file_path = self._GetTestFilePath(['syslog_image.dd'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
inode=11,
location='/logs/hidden.zip',
parent=os_path_spec)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_ZIP,
location='/syslog',
parent=tsk_path_spec)
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-20 15:44:14.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.file_size, 1247)
self.assertIsNone(event_data.inode)
expected_message = ('ZIP:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testNestedTSK(self):
"""Test a nested TSK file."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath(['syslog_image.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
tsk_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
inode=11,
location='/logs/hidden.zip',
parent=os_path_spec)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_ZIP,
location='/syslog',
parent=tsk_path_spec)
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser)
# The ZIP file has 1 events.
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-07-20 15:44:14')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.file_size, 1247)
self.assertIsNone(event.inode)
expected_message = ('ZIP:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testZipFile(self):
"""Test a ZIP file."""
parser_object = filestat.FileStatParser()
test_file = self._GetTestFilePath([u'syslog.zip'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_OS, location=test_file)
zip_path_spec = path_spec_factory.Factory.NewPathSpec(
definitions.TYPE_INDICATOR_ZIP, location=u'/syslog',
parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser_object)
# The ZIP file has 1 event object.
self.assertEqual(len(storage_writer.events), 1)
event_object = storage_writer.events[0]
expected_message = (
u'ZIP:/syslog '
u'Type: file')
expected_message_short = u'/syslog'
self._TestGetMessageStrings(
event_object, expected_message, expected_message_short)
def testNestedFile(self):
"""Test a nested file."""
parser = filestat.FileStatParser()
test_file = self._GetTestFilePath(['syslog.tgz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR,
location='/syslog',
parent=gzip_path_spec)
storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser)
# The tar file has 1 event.
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-07-24 21:45:24')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.file_size, 1247)
self.assertIsNone(event.inode)
expected_message = ('TAR:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
test_file = self._GetTestFilePath(['syslog.tgz'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
# The gzip file has 1 event.
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
'2012-07-28 16:44:43')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
self.assertEqual(event.timestamp, expected_timestamp)
self.assertEqual(event.file_size, 10240)
self.assertIsNone(event.inode)
test_path = os.path.join(os.getcwd(), 'test_data', 'syslog.tgz')
expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path)
expected_short_message = self._GetShortMessage(test_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._parser = filestat.FileStatParser()
def setUp(self):
"""Sets up the needed objects used throughout the test."""
pre_obj = event.PreprocessObject()
self._parser = filestat.FileStatParser(pre_obj)
def testNestedFile(self):
"""Test a nested file."""
test_file_path = self._GetTestFilePath(['syslog.tgz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR,
location='/syslog',
parent=gzip_path_spec)
parser = filestat.FileStatParser()
storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-24 21:45:24',
'display_name': 'TAR:/syslog',
'file_entry_type': 'file',
'file_size': 1247,
'file_system_type': 'TAR',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
test_file_path = self._GetTestFilePath(['syslog.tgz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.tgz')
expected_event_values = {
'data_type': 'fs:stat',
'date_time': '2012-07-28 16:44:43',
'display_name': 'GZIP:{0:s}'.format(test_path),
'file_entry_type': 'file',
'file_size': 10240,
'file_system_type': 'GZIP',
'inode': None,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedFile(self):
"""Test a nested file."""
parser = filestat.FileStatParser()
test_file_path = self._GetTestFilePath(['syslog.tgz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
tar_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TAR,
location='/syslog',
parent=gzip_path_spec)
storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-24 21:45:24.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.file_size, 1247)
self.assertIsNone(event_data.inode)
expected_message = ('TAR:/syslog ' 'Type: file')
expected_short_message = '/syslog'
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
test_file_path = self._GetTestFilePath(['syslog.tgz'])
self._SkipIfPathNotExists(test_file_path)
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
gzip_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec)
storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-07-28 16:44:43.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_MODIFICATION)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.file_size, 10240)
self.assertIsNone(event_data.inode)
test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.tgz')
expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path)
expected_short_message = self._GetShortMessage(test_path)
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def setUp(self):
"""Makes preparations before running an individual test."""
self._parser = filestat.FileStatParser()
