def testParsingChromeCookieDatabase(self):
    """Checks the Google Analytics events extracted from a Chrome cookie DB.

    Parses the cookies.db test file with the Chrome cookie plugin, keeps the
    events returned by self._GetAnalyticsCookies() and spot-checks one
    __utmz, one __utma and one __utmb event.
    """
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    database_path = self._GetTestFilePath([u'cookies.db'])
    queue_consumer = self._ParseDatabaseFileWithPlugin(
        cookie_plugin, database_path)
    analytics_events = self._GetAnalyticsCookies(queue_consumer)

    # The cookie database holds 560 entries in total; 75 events come from
    # the Google Analytics plugin.
    self.assertEqual(len(analytics_events), 75)

    # Spot-check a few events.
    # NOTE(review): the fixed indexes below presumably rely on the events
    # being returned in a stable order; confirm against the helper.

    # __utmz: this event exposes the search keywords (utmctr) that led to
    # the site.
    utmz_event = analytics_events[39]
    self.assertEqual(utmz_event.utmctr, u'enders game')
    self.assertEqual(utmz_event.domain_hash, u'68898382')
    self.assertEqual(utmz_event.sessions, 1)

    utmz_message = (
        u'http://imdb.com/ (__utmz) Sessions: 1 Domain Hash: 68898382 '
        u'Sources: 1 Last source used to access: google Ad campaign '
        u'information: (organic) Last type of visit: organic Keywords '
        u'used to find site: enders game')
    utmz_short_message = u'http://imdb.com/ (__utmz)'
    self._TestGetMessageStrings(
        utmz_event, utmz_message, utmz_short_message)

    # __utma: visitor identifier and session count, timestamped with the
    # previous visit.
    utma_event = analytics_events[41]
    self.assertEqual(utma_event.timestamp_desc, u'Analytics Previous Time')
    self.assertEqual(utma_event.cookie_name, u'__utma')
    self.assertEqual(utma_event.visitor_id, u'1827102436')
    self.assertEqual(utma_event.sessions, 2)

    utma_timestamp = timelib.Timestamp.CopyFromString(
        u'2012-03-22 01:55:29')
    self.assertEqual(utma_event.timestamp, utma_timestamp)

    utma_message = (u'http://assets.tumblr.com/ (__utma) '
                    u'Sessions: 2 '
                    u'Domain Hash: 151488169 '
                    u'Visitor ID: 1827102436')
    utma_short_message = u'http://assets.tumblr.com/ (__utma)'
    self._TestGetMessageStrings(
        utma_event, utma_message, utma_short_message)

    # __utmb: pages viewed, timestamped with the last visited time.
    utmb_event = analytics_events[34]
    self.assertEqual(
        utmb_event.timestamp_desc,
        eventdata.EventTimestamp.LAST_VISITED_TIME)
    self.assertEqual(utmb_event.cookie_name, u'__utmb')
    self.assertEqual(utmb_event.domain_hash, u'154523900')
    self.assertEqual(utmb_event.pages_viewed, 1)

    utmb_timestamp = timelib.Timestamp.CopyFromString(
        u'2012-03-22 01:48:30')
    self.assertEqual(utmb_event.timestamp, utmb_timestamp)

    utmb_message = (
        u'http://upressonline.com/ (__utmb) Pages Viewed: 1 Domain Hash: '
        u'154523900')
    utmb_short_message = u'http://upressonline.com/ (__utmb)'
    self._TestGetMessageStrings(
        utmb_event, utmb_message, utmb_short_message)
def testParsingChromeCookieDatabase(self):
    """Checks the Google Analytics events extracted from a Chrome cookie DB.

    Parses cookies.db with the Chrome cookie plugin, keeps the events
    returned by self._GetAnalyticsCookieEvents() and spot-checks one
    __utmz, one __utma and one __utmb event together with its event data.
    """
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    storage_writer = self._ParseDatabaseFileWithPlugin(
        ['cookies.db'], cookie_plugin)
    analytics_events = self._GetAnalyticsCookieEvents(storage_writer)

    # Exactly one parser warning is expected for this database.
    self.assertEqual(storage_writer.number_of_warnings, 1)

    # The cookie database holds 560 entries in total; 75 events come from
    # the Google Analytics plugin.
    self.assertEqual(len(analytics_events), 75)

    # Spot-check a few events.
    # NOTE(review): the fixed indexes below presumably rely on the events
    # being returned in a stable order; confirm against the helper.

    # __utmz: the event data exposes the search keywords (utmctr) that led
    # to the site.
    utmz_event = analytics_events[39]
    utmz_data = self._GetEventDataOfEvent(storage_writer, utmz_event)
    self.assertEqual(utmz_data.utmctr, 'enders game')
    self.assertEqual(utmz_data.domain_hash, '68898382')
    self.assertEqual(utmz_data.sessions, 1)

    utmz_message = (
        'http://imdb.com/ (__utmz) Sessions: 1 Domain Hash: 68898382 '
        'Sources: 1 Last source used to access: google Ad campaign '
        'information: (organic) Last type of visit: organic Keywords '
        'used to find site: enders game')
    utmz_short_message = 'http://imdb.com/ (__utmz)'
    self._TestGetMessageStrings(
        utmz_event, utmz_message, utmz_short_message)

    # __utma: visitor identifier and session count, timestamped with the
    # previous visit.
    utma_event = analytics_events[41]
    self.CheckTimestamp(utma_event.timestamp, '2012-03-22 01:55:29.000000')
    self.assertEqual(utma_event.timestamp_desc, 'Analytics Previous Time')

    utma_data = self._GetEventDataOfEvent(storage_writer, utma_event)
    self.assertEqual(utma_data.cookie_name, '__utma')
    self.assertEqual(utma_data.visitor_id, '1827102436')
    self.assertEqual(utma_data.sessions, 2)

    utma_message = ('http://assets.tumblr.com/ (__utma) '
                    'Sessions: 2 '
                    'Domain Hash: 151488169 '
                    'Visitor ID: 1827102436')
    utma_short_message = 'http://assets.tumblr.com/ (__utma)'
    self._TestGetMessageStrings(
        utma_event, utma_message, utma_short_message)

    # __utmb: pages viewed, timestamped with the last visited time.
    utmb_event = analytics_events[34]
    self.CheckTimestamp(utmb_event.timestamp, '2012-03-22 01:48:30.000000')
    self.assertEqual(
        utmb_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_LAST_VISITED)

    utmb_data = self._GetEventDataOfEvent(storage_writer, utmb_event)
    self.assertEqual(utmb_data.cookie_name, '__utmb')
    self.assertEqual(utmb_data.domain_hash, '154523900')
    self.assertEqual(utmb_data.pages_viewed, 1)

    utmb_message = (
        'http://upressonline.com/ (__utmb) Pages Viewed: 1 Domain Hash: '
        '154523900')
    utmb_short_message = 'http://upressonline.com/ (__utmb)'
    self._TestGetMessageStrings(
        utmb_event, utmb_message, utmb_short_message)
def testProcess(self):
    """Checks the events the Chrome cookie plugin produces for cookies.db.

    Separates the plugin's own 'chrome:cookie:entry' events from the events
    produced by cookie plugins, verifies both counts and spot-checks several
    cookie events (last access, creation and expiration).
    """
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    storage_writer = self._ParseDatabaseFileWithPlugin(
        ['cookies.db'], cookie_plugin)

    # One warning is expected because the parser also attempts the
    # Chrome 66+ query.
    self.assertEqual(storage_writer.number_of_warnings, 1)

    # The storage holds events from the Chrome cookie plugin and from cookie
    # plugins; split them by data type.
    cookie_events = []
    plugin_events = []
    for event in storage_writer.GetEvents():
        event_data = self._GetEventDataOfEvent(storage_writer, event)
        is_cookie_entry = event_data.data_type == 'chrome:cookie:entry'
        target = cookie_events if is_cookie_entry else plugin_events
        target.append(event)

    # 560 cookie entries, each with a creation, a last access and an expired
    # timestamp, plus 75 events from Google Analytics cookies:
    # 3 * 560 + 75 = 1755 events in total.
    self.assertEqual(len(cookie_events), 3 * 560)
    self.assertEqual(len(plugin_events), 75)

    # Spot-check a few events.
    # NOTE(review): the fixed indexes below presumably rely on GetEvents()
    # returning events in a stable order; confirm.

    # A linkedin cookie. The fixture stores this auth-token cookie without
    # the HTTP only flag, and the test pins that the flag is reported as
    # False.
    linkedin_event = cookie_events[124]
    self.CheckTimestamp(
        linkedin_event.timestamp, '2011-08-25 21:50:27.292367')
    self.assertEqual(
        linkedin_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_LAST_ACCESS)

    linkedin_data = self._GetEventDataOfEvent(storage_writer, linkedin_event)
    self.assertEqual(linkedin_data.host, 'www.linkedin.com')
    self.assertEqual(linkedin_data.cookie_name, 'leo_auth_token')
    self.assertFalse(linkedin_data.httponly)
    self.assertEqual(linkedin_data.url, 'http://www.linkedin.com/')

    linkedin_message = (
        'http://www.linkedin.com/ (leo_auth_token) '
        'Flags: [HTTP only] = False [Persistent] = True')
    linkedin_short_message = 'www.linkedin.com (leo_auth_token)'
    self._TestGetMessageStrings(
        linkedin_data, linkedin_message, linkedin_short_message)

    # One of the visits to rubiconproject.com.
    rubicon_event = cookie_events[379]
    self.CheckTimestamp(
        rubicon_event.timestamp, '2012-04-01 13:54:34.949210')
    self.assertEqual(
        rubicon_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_LAST_ACCESS)

    rubicon_data = self._GetEventDataOfEvent(storage_writer, rubicon_event)
    self.assertEqual(rubicon_data.url, 'http://rubiconproject.com/')
    self.assertEqual(rubicon_data.path, '/')
    self.assertFalse(rubicon_data.secure)
    self.assertTrue(rubicon_data.persistent)

    rubicon_message = (
        'http://rubiconproject.com/ (put_2249) '
        'Flags: [HTTP only] = False [Persistent] = True')
    # NOTE(review): this call hands the event to _TestGetMessageStrings
    # while the linkedin check above hands it event data; confirm which
    # object the helper expects.
    self._TestGetMessageStrings(
        rubicon_event, rubicon_message, 'rubiconproject.com (put_2249)')

    # A visit to a political blog site: the cookie path is kept in full.
    blog_event = cookie_events[444]
    self.CheckTimestamp(blog_event.timestamp, '2012-03-22 01:47:21.012022')

    blog_data = self._GetEventDataOfEvent(storage_writer, blog_event)
    self.assertEqual(
        blog_data.path,
        '/2012/03/21/romney-tries-to-clean-up-etch-a-sketch-mess/')
    self.assertEqual(blog_data.host, 'politicalticker.blogs.cnn.com')

    # A cookie that has an autologin entry.
    autologin_event = cookie_events[1425]
    self.CheckTimestamp(
        autologin_event.timestamp, '2012-04-01 13:52:56.189444')
    self.assertEqual(
        autologin_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_CREATION)

    autologin_data = self._GetEventDataOfEvent(
        storage_writer, autologin_event)
    self.assertEqual(autologin_data.host, 'marvel.com')
    self.assertEqual(autologin_data.cookie_name, 'autologin[timeout]')
    # The cookie value is a timeout that corresponds to the expiration date
    # of the cookie.
    self.assertEqual(autologin_data.data, '1364824322')

    # A cookie expiry event.
    expiry_event = cookie_events[2]
    self.assertEqual(
        expiry_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_EXPIRATION)
    self.CheckTimestamp(expiry_event.timestamp, '2013-08-14 14:19:42.000000')
def testProcess(self):
    """Checks the events produced for a Chrome 68 cookie database file.

    Parses the Cookies-68.0.3440.106 test file, separates the plugin's own
    'chrome:cookie:entry' events from the events produced by cookie plugins,
    verifies both counts and spot-checks three cookie events.
    """
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    storage_writer = self._ParseDatabaseFileWithPlugin(
        ['Cookies-68.0.3440.106'], cookie_plugin)

    # One warning is expected because the parser also attempts the
    # Chrome 17-65 query.
    self.assertEqual(storage_writer.number_of_warnings, 1)

    # The storage holds events from the Chrome cookie plugin and from cookie
    # plugins; split them by data type.
    cookie_events = []
    plugin_events = []
    for event in storage_writer.GetEvents():
        event_data = self._GetEventDataOfEvent(storage_writer, event)
        is_cookie_entry = event_data.data_type == 'chrome:cookie:entry'
        target = cookie_events if is_cookie_entry else plugin_events
        target.append(event)

    # 5 cookie entries, each with a creation, a last access and an expired
    # timestamp, plus 1 event from Google Analytics cookies:
    # 3 * 5 + 1 = 16 events in total.
    self.assertEqual(len(cookie_events), 3 * 5)
    self.assertEqual(len(plugin_events), 1)

    # Spot-check some cookies.
    # NOTE(review): the fixed indexes below presumably rely on GetEvents()
    # returning events in a stable order; confirm.

    # A GA cookie creation event whose URL includes a path.
    utma_event = cookie_events[0]
    self.CheckTimestamp(utma_event.timestamp, '2018-08-14 15:03:43.650324')
    self.assertEqual(
        utma_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

    utma_data = self._GetEventDataOfEvent(storage_writer, utma_event)
    self.assertEqual(utma_data.host, 'google.com')
    self.assertEqual(utma_data.cookie_name, '__utma')
    self.assertFalse(utma_data.httponly)
    self.assertEqual(utma_data.url, 'http://google.com/gmail/about/')

    utma_message = ('http://google.com/gmail/about/ (__utma) '
                    'Flags: [HTTP only] = False [Persistent] = True')
    utma_short_message = 'google.com (__utma)'
    self._TestGetMessageStrings(
        utma_data, utma_message, utma_short_message)

    # One of the visits to fbi.gov, checked for its last accessed time.
    fbi_event = cookie_events[10]
    self.CheckTimestamp(fbi_event.timestamp, '2018-08-20 17:19:53.134291')
    self.assertEqual(
        fbi_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_ACCESS)

    fbi_data = self._GetEventDataOfEvent(storage_writer, fbi_event)
    self.assertEqual(fbi_data.url, 'http://fbi.gov/')
    self.assertEqual(fbi_data.path, '/')
    self.assertFalse(fbi_data.secure)
    self.assertTrue(fbi_data.persistent)

    fbi_message = ('http://fbi.gov/ (__cfduid) '
                   'Flags: [HTTP only] = True [Persistent] = True')
    # NOTE(review): this call hands the event to _TestGetMessageStrings
    # while the __utma check above hands it event data; confirm which
    # object the helper expects.
    self._TestGetMessageStrings(fbi_event, fbi_message, 'fbi.gov (__cfduid)')

    # A cookie with a very large expire time: the year-9999 timestamp is
    # expected as-is.
    far_future_event = cookie_events[8]
    self.CheckTimestamp(
        far_future_event.timestamp, '9999-08-17 12:26:28.000000')

    far_future_data = self._GetEventDataOfEvent(
        storage_writer, far_future_event)
    self.assertEqual(far_future_data.host, 'projects.fivethirtyeight.com')
def setUp(self):
    """Creates the Chrome cookie plugin instance used by the tests."""
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    self._plugin = cookie_plugin
def setUp(self):
    """Creates the Chrome cookie plugin under test.

    The plugin is constructed from a freshly created PreprocessObject.
    """
    self._plugin = chrome_cookies.ChromeCookiePlugin(
        event.PreprocessObject())
def setUp(self):
    """Prepares the Chrome cookie plugin before each individual test."""
    cookie_plugin = chrome_cookies.ChromeCookiePlugin()
    self._plugin = cookie_plugin