def GetSourceFileSystemSearcher(self, resolver_context=None): """Retrieves the file system searcher of the source. Args: resolver_context: Optional resolver context (instance of dfvfs.Context). The default is None. Note that every thread or process must have its own resolver context. Returns: The file system searcher object (instance of dfvfs.FileSystemSearcher). Raises: RuntimeError: if source path specification is not set. """ if not self._source_path_spec: raise RuntimeError(u'Missing source.') file_system = path_spec_resolver.Resolver.OpenFileSystem( self._source_path_spec, resolver_context=resolver_context) type_indicator = self._source_path_spec.type_indicator if type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS: mount_point = self._source_path_spec else: mount_point = self._source_path_spec.parent return file_system_searcher.FileSystemSearcher(file_system, mount_point)
def Preprocess(self, artifacts_registry_object, source_path_specs, resolver_context=None): detected_operating_systems = [] for source_path_spec in source_path_specs: if source_path_spec.IsFileSystem(): try: file_system, mount_point = self._GetSourceFileSystem( source_path_spec, resolver_context=resolver_context) except (RuntimeError, dfvfs_errors.BackEndError) as exception: logger.error(exception) continue try: searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) operating_system = self._DetermineOperatingSystem(searcher) if operating_system != definitions.OPERATING_SYSTEM_FAMILY_UNKNOWN: preprocess_manager.PreprocessPluginsManager.RunPlugins( artifacts_registry_object, file_system, mount_point, self.knowledge_base) detected_operating_systems.append(operating_system) finally: file_system.Close() if detected_operating_systems: logger.info( 'Preprocessing detected operating systems: {0:s}'.format( ', '.join(detected_operating_systems))) self.knowledge_base.SetValue('operating_system', detected_operating_systems)
def _RunPreprocessorPluginOnFileSystem(self, file_system, mount_point, storage_writer, plugin): """Runs a preprocessor plugin on a file system. Args: file_system (dfvfs.FileSystem): file system to be preprocessed. mount_point (dfvfs.PathSpec): mount point path specification that refers to the base location of the file system. storage_writer (StorageWriter): storage writer. plugin (ArtifactPreprocessorPlugin): preprocessor plugin. Return: PreprocessMediator: preprocess mediator. """ artifact_definition = self._artifacts_registry.GetDefinitionByName( plugin.ARTIFACT_DEFINITION_NAME) self.assertIsNotNone(artifact_definition) session = sessions.Session() test_knowledge_base = knowledge_base.KnowledgeBase() test_mediator = mediator.PreprocessMediator(session, storage_writer, test_knowledge_base) searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) plugin.Collect(test_mediator, artifact_definition, searcher, file_system) return test_mediator
def PreprocessSources(self, source_path_specs, resolver_context=None): """Preprocesses the sources. Args: source_path_specs: list of path specifications (instances of dfvfs.PathSpec) to process. resolver_context: Optional resolver context (instance of dfvfs.Context). The default is None which will use the built in context which is not multi process safe. Note that every thread or process must have its own resolver context. """ for source_path_spec in source_path_specs: file_system, mount_point = self.GetSourceFileSystem( source_path_spec, resolver_context=resolver_context) try: searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) platform = preprocess_interface.GuessOS(searcher) if platform: self.knowledge_base.platform = platform preprocess_manager.PreprocessPluginsManager.RunPlugins( platform, file_system, mount_point, self.knowledge_base) finally: file_system.Close() if platform: break
def testCollect(self): """Tests the Collect function.""" file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() test_file_path = shared_test_lib.GetTestFilePath(['SOFTWARE']) file_system_builder.AddFileReadData( '/Windows/System32/config/SOFTWARE', test_file_path) test_file_path = shared_test_lib.GetTestFilePath(['SYSTEM']) file_system_builder.AddFileReadData('/Windows/System32/config/SYSTEM', test_file_path) session = sessions.Session() test_knowledge_base = knowledge_base.KnowledgeBase() storage_writer = fake_writer.FakeStorageWriter() test_mediator = mediator.PreprocessMediator(session, storage_writer, test_knowledge_base) mount_point = fake_path_spec.FakePathSpec(location='/') searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point) plugin = generic.DetermineOperatingSystemPlugin() storage_writer.Open() try: plugin.Collect(test_mediator, None, searcher, file_system_builder.file_system) finally: storage_writer.Close() operating_system = test_mediator.knowledge_base.GetValue( 'operating_system') self.assertEqual(operating_system, 'Windows NT')
def _Preprocess(self, file_system, mount_point): """Preprocesses the image. Args: file_system: the file system object (instance of vfs.FileSystem) to be preprocessed. mount_point: the mount point path specification (instance of path.PathSpec) that refers to the base location of the file system. """ if self._knowledge_base is not None: return self._knowledge_base = knowledge_base.KnowledgeBase() logging.info(u'Guessing OS') searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) platform = preprocess_interface.GuessOS(searcher) logging.info(u'OS: {0:s}'.format(platform)) logging.info(u'Running preprocess.') preprocess_manager.PreprocessPluginsManager.RunPlugins( platform, file_system, mount_point, self._knowledge_base) logging.info(u'Preprocess done, saving files from image.')
def testBuildFindSpecsWithYAMLFilterFile(self): """Tests the BuildFindSpecs function with YAML filter file.""" test_filter_file = yaml_filter_file.YAMLFilterFile() test_path_filters = test_filter_file._ReadFromFileObject( io.StringIO(self._YAML_FILTER_FILE_DATA)) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name='SystemRoot', value='C:\\Windows') test_helper = path_filters.PathCollectionFiltersHelper() test_helper.BuildFindSpecs( test_path_filters, environment_variables=[environment_variable]) self.assertEqual(len(test_helper.included_file_system_find_specs), 5) path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location='.') file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, path_spec) path_spec_generator = searcher.Find( find_specs=test_helper.included_file_system_find_specs) self.assertIsNotNone(path_spec_generator) path_specs = list(path_spec_generator) file_system.Close() # Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files, # total 6 path specifications. self.assertEqual(len(path_specs), 6)
def _RunPreprocessorPluginOnFileSystem(self, file_system, mount_point, plugin): """Runs a preprocessor plugin on a file system. Args: file_system (dfvfs.FileSystem): file system to be preprocessed. mount_point (dfvfs.PathSpec): mount point path specification that refers to the base location of the file system. plugin (ArtifactPreprocessorPlugin): preprocessor plugin. Return: KnowledgeBase: knowledge base filled with preprocessing information. """ artifact_definition = self._artifacts_registry.GetDefinitionByName( plugin.ARTIFACT_DEFINITION_NAME) self.assertIsNotNone(artifact_definition) knowledge_base_object = knowledge_base.KnowledgeBase() searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) plugin.Collect(knowledge_base_object, artifact_definition, searcher, file_system) return knowledge_base_object
def _GetSourceFileSystemSearcher(self, resolver_context=None): """Retrieves the file system searcher of the source. Args: resolver_context: Optional resolver context (instance of dfvfs.Context). The default is None. Note that every thread or process must have its own resolver context. Returns: A tuple of the file system (instance of dfvfs.FileSystem) and the file system searcher object (instance of dfvfs.FileSystemSearcher). Raises: RuntimeError: if source path specification is not set. """ if not self._source_path_spec: raise RuntimeError(u'Missing source.') file_system = path_spec_resolver.Resolver.OpenFileSystem( self._source_path_spec, resolver_context=resolver_context) type_indicator = self._source_path_spec.type_indicator if path_spec_factory.Factory.IsSystemLevelTypeIndicator(type_indicator): mount_point = self._source_path_spec else: mount_point = self._source_path_spec.parent searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point) return file_system, searcher
def RunPlugins(cls, artifacts_registry, file_system, mount_point, knowledge_base): searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system) environment_variables = None if knowledge_base: environment_variables = knowledge_base.GetEnvironmentVariables() registry_file_reader = FileSystemWinRegistryFileReader( file_system, mount_point, environment_variables=environment_variables) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) searcher = registry_searcher.WinRegistrySearcher(win_registry) cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher) cls.CollectFromKnowledgeBase(knowledge_base) if not knowledge_base.HasUserAccounts(): logger.warning('Unable to find any user accounts on the system.')
def RunPlugins(cls, platform, file_system, mount_point, knowledge_base): """Runs the plugins for a specific platform. Args: platform: A string containing the supported operating system of the plugin. file_system: the file system object (instance of vfs.FileSystem) to be preprocessed. mount_point: the mount point path specification (instance of path.PathSpec) that refers to the base location of the file system. knowledge_base: A knowledge base object (instance of KnowledgeBase), which contains information from the source data needed for parsing. """ # TODO: bootstrap the artifact preprocessor. searcher = file_system_searcher.FileSystemSearcher(file_system, mount_point) for weight in cls._GetWeights(cls._plugin_classes, platform): for plugin_object in cls._GetPluginsByWeight( cls._plugin_classes, platform, weight): try: plugin_object.Run(searcher, knowledge_base) except (IOError, errors.PreProcessFail) as exception: logging.warning(( u'Unable to run preprocessor: {0:s} for attribute: {1:s} ' u'with error: {2:s}').format( plugin_object.plugin_name, plugin_object.ATTRIBUTE, exception)) # Run the Registry plugins separately so we do not have to open # Registry files in every plugin. if knowledge_base: pre_obj = knowledge_base.pre_obj path_attributes = pre_obj.__dict__ else: pre_obj = None path_attributes = None registry_file_reader = FileSystemWinRegistryFileReader( file_system, mount_point, path_attributes=path_attributes) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) for weight in cls._GetWeights(cls._registry_plugin_classes, platform): for plugin_object in cls._GetPluginsByWeight( cls._registry_plugin_classes, platform, weight): try: plugin_object.Run(win_registry, knowledge_base) except (IOError, errors.PreProcessFail) as exception: logging.warning(( u'Unable to run preprocessor: {0:s} for attribute: {1:s} ' u'with error: {2:s}').format( plugin_object.plugin_name, plugin_object.ATTRIBUTE, exception))
def setUp(self): """Sets up the needed objects used throughout the test.""" self._fake_file_system = self._BuildSingleLinkFakeFileSystem( u'/private/etc/localtime', u'/usr/share/zoneinfo/Europe/Amsterdam') mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddFile(u'/etc/passwd', self._FILE_DATA) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/etc/passwd', self._FILE_DATA) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def _GetSearchersForImage(self, volume_path_spec): """Retrieves the file systems searchers for searching the image. Args: volume_path_spec: The path specification of the volume containing the file system (instance of dfvfs.PathSpec). Returns: A list of tuples containing the a string identifying the file system searcher and a file system searcher object (instance of dfvfs.FileSystemSearcher). """ searchers = [] path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, location=u'/', parent=volume_path_spec) file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, volume_path_spec) searchers.append((u'', searcher)) vss_stores = self._vss_stores if not vss_stores: return searchers for store_index in vss_stores: vss_path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_VSHADOW, store_index=store_index - 1, parent=volume_path_spec) path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_TSK, location=u'/', parent=vss_path_spec) file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, vss_path_spec) searchers.append(( u':VSS Store {0:d}'.format(store_index), searcher)) return searchers
def setUp(self): """Sets up the needed objects used throughout the test.""" file_data = self._ReadTestFile([u'SYSTEM']) self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/Windows/System32/config/SYSTEM', file_data) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def testBuildFindSpecsWithFileSystem(self): """Tests the BuildFindSpecs function for file type artifacts.""" knowledge_base = knowledge_base_engine.KnowledgeBase() testuser1 = artifacts.UserAccountArtifact( identifier='1000', user_directory='C:\\\\Users\\\\testuser1', username='******') knowledge_base.AddUserAccount(testuser1) testuser2 = artifacts.UserAccountArtifact( identifier='1001', user_directory='C:\\\\Users\\\\testuser2', username='******') knowledge_base.AddUserAccount(testuser2) test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper( ['TestFiles', 'TestFiles2'], knowledge_base) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name='SystemDrive', value='C:') test_filter_file.BuildFindSpecs( environment_variables=[environment_variable]) find_specs_per_source_type = knowledge_base.GetValue( test_filter_file.KNOWLEDGE_BASE_VALUE) find_specs = find_specs_per_source_type.get( artifact_types.TYPE_INDICATOR_FILE, []) # Should build 15 FindSpec entries. self.assertEqual(len(find_specs), 15) # Last find_spec should contain the testuser2 profile path. location_segments = sorted( [find_spec._location_segments for find_spec in find_specs]) path_segments = [ 'Users', 'testuser2', 'Documents', 'WindowsPowerShell', 'profile\\.ps1' ] self.assertEqual(location_segments[2], path_segments) path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location='.') file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, path_spec) path_spec_generator = searcher.Find(find_specs=find_specs) self.assertIsNotNone(path_spec_generator) path_specs = list(path_spec_generator) # Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files, # total 6 path specifications. self.assertEqual(len(path_specs), 6) file_system.Close()
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddSymbolicLink( u'/private/etc/localtime', u'/usr/share/zoneinfo/Europe/Amsterdam') mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/Library/Preferences/SystemConfiguration/preferences.plist', self._FILE_DATA) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def _ExtractWithFilter(self, source_path_specs, destination_path, output_writer, artifact_filters, filter_file, artifact_definitions_path, custom_artifacts_path, skip_duplicates=True): """Extracts files using a filter expression. This method runs the file extraction process on the image and potentially on every VSS if that is wanted. Args: source_path_specs (list[dfvfs.PathSpec]): path specifications to extract. destination_path (str): path where the extracted files should be stored. output_writer (CLIOutputWriter): output writer. artifact_definitions_path (str): path to artifact definitions file. custom_artifacts_path (str): path to custom artifact definitions file. artifact_filters (list[str]): names of artifact definitions that are used for filtering file system and Windows Registry key paths. filter_file (str): path of the file that contains the filter file path filters. skip_duplicates (Optional[bool]): True if files with duplicate content should be skipped. """ extraction_engine = engine.BaseEngine() # If the source is a directory or a storage media image # run pre-processing. if self._source_type in self._SOURCE_TYPES_TO_PREPROCESS: self._PreprocessSources(extraction_engine) for source_path_spec in source_path_specs: file_system, mount_point = self._GetSourceFileSystem( source_path_spec, resolver_context=self._resolver_context) display_name = path_helper.PathHelper.GetDisplayNameForPathSpec( source_path_spec) output_writer.Write( 'Extracting file entries from: {0:s}\n'.format(display_name)) filter_find_specs = engine.BaseEngine.BuildFilterFindSpecs( artifact_definitions_path, custom_artifacts_path, extraction_engine.knowledge_base, artifact_filters, filter_file) searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) for path_spec in searcher.Find(find_specs=filter_find_specs): self._ExtractFileEntry(path_spec, destination_path, output_writer, skip_duplicates=skip_duplicates) file_system.Close()
def setUp(self): """Sets up the needed objects used throughout the test.""" file_data = self._ReadTestFile([u'com.apple.HIToolbox.plist']) self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/Library/Preferences/com.apple.HIToolbox.plist', file_data) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def testBuildFindSpecsWithFileSystem(self): """Tests the BuildFindSpecs function for file type artifacts.""" test_file_path = self._GetTestFilePath(['System.evtx']) self._SkipIfPathNotExists(test_file_path) test_file_path = self._GetTestFilePath(['testdir', 'filter_1.txt']) self._SkipIfPathNotExists(test_file_path) test_file_path = self._GetTestFilePath(['testdir', 'filter_3.txt']) self._SkipIfPathNotExists(test_file_path) knowledge_base = self._CreateTestKnowledgeBaseWindows() artifact_filter_names = ['TestFiles', 'TestFiles2'] test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper( knowledge_base) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name='SystemDrive', value='C:') test_filters_helper.BuildFindSpecs( artifact_filter_names, environment_variables=[environment_variable]) self.assertEqual( len(test_filters_helper.included_file_system_find_specs), 16) self.assertEqual(len(test_filters_helper.registry_find_specs), 0) # Last find_spec should contain the testuser2 profile path. location_segments = sorted([ find_spec._location_segments for find_spec in test_filters_helper.included_file_system_find_specs ]) path_segments = [ 'Users', 'testuser2', 'Documents', 'WindowsPowerShell', 'profile\\.ps1' ] self.assertEqual(location_segments[2], path_segments) path_spec = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_OS, location='.') file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec) searcher = file_system_searcher.FileSystemSearcher( file_system, path_spec) path_spec_generator = searcher.Find( find_specs=test_filters_helper.included_file_system_find_specs) self.assertIsNotNone(path_spec_generator) path_specs = list(path_spec_generator) # Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files, # total 6 path specifications. self.assertEqual(len(path_specs), 6) file_system.Close()
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddFile(u'/Windows/System32/config/SYSTEM', self._FILE_DATA) mount_point = path_spec_factory.Factory.NewPathSpec( dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddFile( u'/Library/Preferences/SystemConfiguration/preferences.plist', self._FILE_DATA) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddTestFile( u'/private/var/db/dslocal/nodes/Default/users/nobody.plist', [u'com.apple.HIToolbox.plist']) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = shared_test_lib.FakeFileSystemBuilder() file_system_builder.AddTestFile( u'/Library/Preferences/com.apple.HIToolbox.plist', [u'com.apple.HIToolbox.plist']) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def setUp(self): """Sets up the needed objects used throughout the test.""" file_data = self._ReadTestFile([u'com.apple.HIToolbox.plist']) self._fake_file_system = self._BuildSingleFileFakeFileSystem( u'/private/var/db/dslocal/nodes/Default/users/nobody.plist', file_data) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( self._fake_file_system, mount_point)
def setUp(self): """Makes preparations before running an individual test.""" file_system_builder = fake_file_system_builder.FakeFileSystemBuilder() file_system_builder.AddFile( u'/System/Library/CoreServices/SystemVersion.plist', self._FILE_DATA) mount_point = fake_path_spec.FakePathSpec(location=u'/') self._searcher = file_system_searcher.FileSystemSearcher( file_system_builder.file_system, mount_point)
def RunPlugins(cls, file_system, mount_point, knowledge_base): """Runs the preprocessing plugins. Args: file_system (dfvfs.FileSystem): file system to be preprocessed. mount_point (dfvfs.PathSpec): mount point path specification that refers to the base location of the file system. knowledge_base (KnowledgeBase): to fill with preprocessing information. """ # TODO: bootstrap the artifact preprocessor. searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) for plugin_object in cls._GetPluginObjects( cls._file_system_plugin_classes): try: plugin_object.Run(searcher, knowledge_base) # All exceptions need to be caught here to prevent the manager # from being killed by an uncaught exception. except Exception as exception: # pylint: disable=broad-except logging.warning( u'Preprocess plugin: {0:s} run failed with error: {1:s}'. format(plugin_object.plugin_name, exception)) # Run the Registry plugins separately so we do not have to open # Registry files in every plugin. environment_variables = None if knowledge_base: environment_variables = knowledge_base.GetEnvironmentVariables() registry_file_reader = FileSystemWinRegistryFileReader( file_system, mount_point, environment_variables=environment_variables) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) for plugin_object in cls._GetPluginObjects( cls._registry_plugin_classes): try: plugin_object.Run(win_registry, knowledge_base) # All exceptions need to be caught here to prevent the manager # from being killed by an uncaught exception. except Exception as exception: # pylint: disable=broad-except logging.warning( u'Preprocess plugin: {0:s} run failed with error: {1:s}'. format(plugin_object.plugin_name, exception)) if not knowledge_base.HasUserAccounts(): logging.warning(u'Unable to find any user accounts on the system.')
def _ExtractPathSpecsFromFileSystem(self, path_spec, find_specs=None, recurse_file_system=True, resolver_context=None): """Extracts path specification from a file system within a specific source. Args: path_spec (dfvfs.PathSpec): path specification of the root of the file system. find_specs (Optional[list[dfvfs.FindSpec]]): find specifications used in path specification extraction. recurse_file_system (Optional[bool]): True if extraction should recurse into a file system. resolver_context (Optional[dfvfs.Context]): resolver context. Yields: dfvfs.PathSpec: path specification of a file entry found in the file system. """ file_system = None try: file_system = path_spec_resolver.Resolver.OpenFileSystem( path_spec, resolver_context=resolver_context) except (dfvfs_errors.AccessError, dfvfs_errors.BackEndError, dfvfs_errors.PathSpecError) as exception: logger.error('Unable to open file system with error: {0!s}'.format( exception)) if file_system: try: if find_specs: searcher = file_system_searcher.FileSystemSearcher( file_system, path_spec) for extracted_path_spec in searcher.Find( find_specs=find_specs): yield extracted_path_spec elif recurse_file_system: file_entry = file_system.GetFileEntryByPathSpec(path_spec) if file_entry: for extracted_path_spec in self._ExtractPathSpecsFromDirectory( file_entry): yield extracted_path_spec else: yield path_spec except (dfvfs_errors.AccessError, dfvfs_errors.BackEndError, dfvfs_errors.PathSpecError) as exception: logger.warning('{0!s}'.format(exception)) finally: file_system.Close()