def testTSKFile(self): """Read a file within an image file and make few tests.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath(['ímynd.dd']) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=15, location='/passwords.txt', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-05-25 16:00:53.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_ACCESS) self.assertEqual(event.file_size, 116) self.assertEqual(event.inode, 15) self.assertEqual(event.file_system_type, 'EXT2') expected_message = ('TSK:/passwords.txt ' 'Type: file') expected_short_message = '/passwords.txt' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testGzipFile(self): """Test a GZIP file.""" parser = filestat.FileStatParser() test_file_path = self._GetTestFilePath(['syslog.gz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-28 16:44:07.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.file_size, 1247) self.assertIsNone(event.inode) test_path = os.path.join(os.getcwd(), 'test_data', 'syslog.gz') expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path) expected_short_message = self._GetShortMessage(test_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testZipFile(self): """Test a ZIP file.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog.zip']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) zip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_ZIP, location=u'/syslog', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) # The ZIP file has 1 event. self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.file_size, 1247) expected_message = (u'ZIP:/syslog ' u'Type: file') expected_short_message = u'/syslog' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testGzipFile(self): """Test a GZIP file.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog.gz']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) # The gzip file has 1 event. self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.file_size, 1247) test_path = os.path.join(os.getcwd(), u'test_data', u'syslog.gz') expected_message = (u'GZIP:{0:s} ' u'Type: file').format(test_path) expected_short_message = self._GetShortMessage(test_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testTSKFile(self): """Read a file within an image file and make few tests.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath([u'ímynd.dd']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK, inode=15, location=u'/passwords.txt', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser) # The TSK file entry has 3 events. self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.file_size, 116) expected_message = (u'TSK:/passwords.txt ' u'Type: file') expected_short_message = u'/passwords.txt' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testGzipFile(self): """Test a GZIP file.""" test_file_path = self._GetTestFilePath(['syslog.gz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.gz') expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-28 16:44:07', 'display_name': 'GZIP:{0:s}'.format(test_path), 'file_entry_type': 'file', 'file_size': 1247, 'file_system_type': 'GZIP', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testTSKFile(self): """Read a file within an image file and make few tests.""" parser = filestat.FileStatParser() test_file_path = self._GetTestFilePath(['ímynd.dd']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=15, location='/passwords.txt', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser) self.assertEqual(storage_writer.number_of_events, 3) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-05-25 16:00:53', 'display_name': 'TSK:/passwords.txt', 'file_entry_type': 'file', 'file_size': 116, 'file_system_type': 'EXT2', 'inode': 15, 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNtfsFile(self): """Test a file in a NTFS file system.""" test_file_path = self._GetTestFilePath(['vsstest.qcow2']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) qcow_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=os_path_spec) ext_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_NTFS, location='\\$Extend\\$RmMetadata\\$TxfLog\\$TxfLog.blf', parent=qcow_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(ext_path_spec, parser) self.assertEqual(storage_writer.number_of_events, 4) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'attribute_names': None, 'data_type': 'fs:stat', 'date_time': '2013-12-03 06:30:42.9779097', 'display_name': 'NTFS:\\$Extend\\$RmMetadata\\$TxfLog\\$TxfLog.blf', 'file_entry_type': 'file', 'file_size': 65536, 'file_system_type': 'NTFS', 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testTarFile(self): """Test a TAR file.""" test_file_path = self._GetTestFilePath(['syslog.tar']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) tar_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog', parent=os_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-24 21:45:24', 'display_name': 'TAR:/syslog', 'file_entry_type': 'file', 'file_size': 1247, 'file_system_type': 'TAR', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testZipFile(self): """Test a ZIP file.""" parser = filestat.FileStatParser() test_file_path = self._GetTestFilePath(['syslog.zip']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) zip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-24 14:45:24.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.file_size, 1247) self.assertIsNone(event.inode) expected_message = ('ZIP:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testTarFile(self): """Test a TAR file.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath(['syslog.tar']) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file) tar_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser) self.assertEqual(storage_writer.number_of_errors, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-24 21:45:24.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.file_size, 1247) self.assertIsNone(event.inode) expected_message = ('TAR:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testTarFile(self): """Test a TAR file.""" parser_object = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog.tar']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) tar_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TAR, location=u'/syslog', parent=os_path_spec) event_queue_consumer = self._ParseFileByPathSpec( parser_object, tar_path_spec) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The tar file has 1 event object. self.assertEqual(len(event_objects), 1) event_object = event_objects[0] expected_message = (u'TAR:/syslog ' u'Type: file') expected_message_short = u'/syslog' self._TestGetMessageStrings(event_object, expected_message, expected_message_short)
def testTSKFile(self): """Read a file within an image file and make few tests.""" parser_object = filestat.FileStatParser() test_file = self._GetTestFilePath([u'ímynd.dd']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK, inode=15, location=u'/passwords.txt', parent=os_path_spec) event_queue_consumer = self._ParseFileByPathSpec( parser_object, tsk_path_spec) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The TSK file entry has 3 event objects. self.assertEqual(len(event_objects), 3) event_object = event_objects[0] expected_message = (u'TSK:/passwords.txt ' u'Type: file') expected_message_short = u'/passwords.txt' self._TestGetMessageStrings(event_object, expected_message, expected_message_short)
def testNestedTSK(self): """Test a nested TSK file.""" parser_object = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog_image.dd']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TSK, inode=11, location=u'/logs/hidden.zip', parent=os_path_spec) zip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_ZIP, location=u'/syslog', parent=tsk_path_spec) event_queue_consumer = self._ParseFileByPathSpec( parser_object, zip_path_spec) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The ZIP file has 1 event objects. self.assertEqual(len(event_objects), 1) event_object = event_objects[0] expected_message = (u'ZIP:/syslog ' u'Type: file') expected_message_short = u'/syslog' self._TestGetMessageStrings(event_object, expected_message, expected_message_short)
def testNestedTSK(self): """Test a nested TSK file.""" test_file_path = self._GetTestFilePath(['syslog_image.dd']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=11, location='/logs/hidden.zip', parent=os_path_spec) zip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog', parent=tsk_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-20 15:44:14', 'display_name': 'ZIP:/syslog', 'file_entry_type': 'file', 'file_size': 1247, 'file_system_type': 'ZIP', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testExt2FileWithTSK(self): """Test a file in an ext2 file system with TSK.""" test_file_path = self._GetTestFilePath(['ímynd.dd']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=15, location='/passwords.txt', parent=os_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(tsk_path_spec, parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 3) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) # Note that attribute support in pytsk/libtsk is currently broken # also see: https://github.com/py4n6/pytsk/issues/79 expected_event_values = { 'attribute_names': None, 'data_type': 'fs:stat', 'date_time': '2012-05-25 16:00:53', 'display_name': 'TSK:/passwords.txt', 'file_entry_type': 'file', 'file_size': 116, 'file_system_type': 'EXT2', 'group_identifier': 5000, 'inode': 15, 'mode': 0o400, 'number_of_links': 1, 'owner_identifier': 151107, 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedFile(self): """Test a nested file.""" parser_object = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog.tgz']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) tar_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_TAR, location=u'/syslog', parent=gzip_path_spec) event_queue_consumer = self._ParseFileByPathSpec( parser_object, tar_path_spec) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The tar file has 1 event object. self.assertEqual(len(event_objects), 1) event_object = event_objects[0] expected_message = (u'TAR:/syslog ' u'Type: file') expected_message_short = u'/syslog' self._TestGetMessageStrings(event_object, expected_message, expected_message_short) test_file = self._GetTestFilePath([u'syslog.tgz']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) event_queue_consumer = self._ParseFileByPathSpec( parser_object, gzip_path_spec) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # The gzip file has 1 event object. self.assertEqual(len(event_objects), 1) event_object = event_objects[0] test_path = os.path.join(os.getcwd(), u'test_data', u'syslog.tgz') expected_message = (u'GZIP:{0:s} ' u'Type: file').format(test_path) expected_message_short = self._GetShortMessage(test_path) self._TestGetMessageStrings(event_object, expected_message, expected_message_short)
def testExt4File(self): """Test a file in an ext4 file system.""" test_file_path = self._GetTestFilePath(['ext4.raw']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) ext_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_EXT, inode=14, location='/passwords.txt', parent=os_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(ext_path_spec, parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 4) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'attribute_names': ['security.selinux'], 'data_type': 'fs:stat', 'date_time': '2021-07-22 14:07:32.842610820', 'display_name': 'EXT:/passwords.txt', 'file_entry_type': 'file', 'file_size': 116, 'file_system_type': 'EXT', 'group_identifier': 1000, 'inode': 14, 'mode': 0o664, 'number_of_links': 1, 'owner_identifier': 1000, 'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testZipFile(self): """Test a ZIP file.""" test_file_path = self._GetTestFilePath(['syslog.zip']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) zip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog', parent=os_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-24 14:45:24', 'display_name': 'ZIP:/syslog', 'file_entry_type': 'file', 'file_size': 1247, 'file_system_type': 'ZIP', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedTSK(self): """Test a nested TSK file.""" parser = filestat.FileStatParser() test_file_path = self._GetTestFilePath(['syslog_image.dd']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=11, location='/logs/hidden.zip', parent=os_path_spec) zip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog', parent=tsk_path_spec) storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-20 15:44:14.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.file_size, 1247) self.assertIsNone(event_data.inode) expected_message = ('ZIP:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testNestedTSK(self): """Test a nested TSK file.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath(['syslog_image.dd']) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file) tsk_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, inode=11, location='/logs/hidden.zip', parent=os_path_spec) zip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_ZIP, location='/syslog', parent=tsk_path_spec) storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser) # The ZIP file has 1 events. self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-07-20 15:44:14') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.file_size, 1247) self.assertIsNone(event.inode) expected_message = ('ZIP:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testZipFile(self): """Test a ZIP file.""" parser_object = filestat.FileStatParser() test_file = self._GetTestFilePath([u'syslog.zip']) os_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_OS, location=test_file) zip_path_spec = path_spec_factory.Factory.NewPathSpec( definitions.TYPE_INDICATOR_ZIP, location=u'/syslog', parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(zip_path_spec, parser_object) # The ZIP file has 1 event object. self.assertEqual(len(storage_writer.events), 1) event_object = storage_writer.events[0] expected_message = ( u'ZIP:/syslog ' u'Type: file') expected_message_short = u'/syslog' self._TestGetMessageStrings( event_object, expected_message, expected_message_short)
def testNestedFile(self): """Test a nested file.""" parser = filestat.FileStatParser() test_file = self._GetTestFilePath(['syslog.tgz']) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) tar_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog', parent=gzip_path_spec) storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser) # The tar file has 1 event. self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-07-24 21:45:24') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.file_size, 1247) self.assertIsNone(event.inode) expected_message = ('TAR:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event, expected_message, expected_short_message) test_file = self._GetTestFilePath(['syslog.tgz']) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) # The gzip file has 1 event. self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2012-07-28 16:44:43') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.file_size, 10240) self.assertIsNone(event.inode) test_path = os.path.join(os.getcwd(), 'test_data', 'syslog.tgz') expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path) expected_short_message = self._GetShortMessage(test_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = filestat.FileStatParser()
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() self._parser = filestat.FileStatParser(pre_obj)
def testNestedFile(self): """Test a nested file.""" test_file_path = self._GetTestFilePath(['syslog.tgz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) tar_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog', parent=gzip_path_spec) parser = filestat.FileStatParser() storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-24 21:45:24', 'display_name': 'TAR:/syslog', 'file_entry_type': 'file', 'file_size': 1247, 'file_system_type': 'TAR', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[0], expected_event_values) test_file_path = self._GetTestFilePath(['syslog.tgz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.tgz') expected_event_values = { 'data_type': 'fs:stat', 'date_time': '2012-07-28 16:44:43', 'display_name': 'GZIP:{0:s}'.format(test_path), 'file_entry_type': 'file', 'file_size': 10240, 'file_system_type': 'GZIP', 'inode': None, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testNestedFile(self): """Test a nested file.""" parser = filestat.FileStatParser() test_file_path = self._GetTestFilePath(['syslog.tgz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) tar_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TAR, location='/syslog', parent=gzip_path_spec) storage_writer = self._ParseFileByPathSpec(tar_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-24 21:45:24.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.file_size, 1247) self.assertIsNone(event_data.inode) expected_message = ('TAR:/syslog ' 'Type: file') expected_short_message = '/syslog' self._TestGetMessageStrings(event_data, expected_message, expected_short_message) test_file_path = self._GetTestFilePath(['syslog.tgz']) self._SkipIfPathNotExists(test_file_path) os_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path) gzip_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_GZIP, parent=os_path_spec) storage_writer = self._ParseFileByPathSpec(gzip_path_spec, parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-07-28 16:44:43.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_MODIFICATION) event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.file_size, 10240) self.assertIsNone(event_data.inode) test_path = os.path.join(shared_test_lib.TEST_DATA_PATH, 'syslog.tgz') expected_message = ('GZIP:{0:s} ' 'Type: file').format(test_path) expected_short_message = self._GetShortMessage(test_path) self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def setUp(self): """Makes preparations before running an individual test.""" self._parser = filestat.FileStatParser()