def __init__(self, file_system, mount_point, path_attributes=None):
"""Initializes a Windows Registry file reader object.
Args:
file_system: the file system object (instance of vfs.FileSystem).
mount_point: the mount point path specification (instance of
path.PathSpec).
path_attributes: optional dictionary of path attributes. The path
attributes correspond to environment variable names
that can be used in the Windows paths. E.g. the
systemroot path attribute corresponds to the
%SystemRoot% environment variable. At moment only
the systemroot and userprofile path attributes are
supported.
"""
super(FileSystemWinRegistryFileReader, self).__init__()
self._file_system = file_system
self._path_resolver = windows_path_resolver.WindowsPathResolver(
file_system, mount_point)
if path_attributes:
for attribute_name, attribute_value in iter(path_attributes.items()):
# TODO: fix the call to this class and make sure only relevant
# values are passed.
if attribute_name == u'systemroot':
self._path_resolver.SetEnvironmentVariable(
u'SystemRoot', attribute_value)
elif attribute_name == u'userprofile':
self._path_resolver.SetEnvironmentVariable(
u'UserProfile', attribute_value)
def _CreateWindowsPathResolver(self, file_system, mount_point,
environment_variables):
"""Create a Windows path resolver and sets the evironment variables.
Args:
file_system (dfvfs.FileSytem): file system.
mount_point (dfvfs.PathSpec): mount point path specification.
environment_variables (list[EnvironmentVariableArtifact]): environment
variables.
Returns:
dfvfs.WindowsPathResolver: Windows path resolver.
"""
if environment_variables is None:
environment_variables = []
path_resolver = windows_path_resolver.WindowsPathResolver(
file_system, mount_point)
for environment_variable in environment_variables:
name = environment_variable.name.lower()
if name not in (u'systemroot', u'userprofile'):
continue
path_resolver.SetEnvironmentVariable(environment_variable.name,
environment_variable.value)
return path_resolver
def _ScanFileSystem(self, scan_node, base_path_specs):
"""Scans a file system scan node for file systems.
This method checks if the file system contains a known Windows directory.
Args:
scan_node (SourceScanNode): file system scan node.
base_path_specs (list[PathSpec]): file system base path specifications.
Raises:
ScannerError: if the scan node is invalid.
"""
if not scan_node or not scan_node.path_spec:
raise errors.ScannerError(
'Invalid or missing file system scan node.')
file_system = resolver.Resolver.OpenFileSystem(scan_node.path_spec)
if not file_system:
return
try:
path_resolver = windows_path_resolver.WindowsPathResolver(
file_system, scan_node.path_spec.parent)
if self._ScanFileSystemForWindowsDirectory(path_resolver):
base_path_specs.append(scan_node.path_spec)
finally:
file_system.Close()
def __init__(self, file_system, mount_point, path_attributes=None):
"""Initializes a Windows Registry file reader object.
Args:
file_system (dfvfs.FileSytem): file system.
mount_point (dfvfs.PathSpec): mount point path specification.
path_attributes (Optional[dict[str, str]]): path attributes e.g.
{'SystemRoot': '\\Windows'}
"""
super(FileSystemWinRegistryFileReader, self).__init__()
self._file_system = file_system
self._path_resolver = windows_path_resolver.WindowsPathResolver(
file_system, mount_point)
if path_attributes:
for attribute_name, attribute_value in iter(
path_attributes.items()):
# TODO: fix the call to this class and make sure only relevant
# values are passed.
if attribute_name == u'systemroot':
self._path_resolver.SetEnvironmentVariable(
u'SystemRoot', attribute_value)
elif attribute_name == u'userprofile':
self._path_resolver.SetEnvironmentVariable(
u'UserProfile', attribute_value)
def _CreateTestEventMessageStringExtractor(self):
"""Creates an event message string extractor for testing.
Returns:
EventMessageStringExtractor: an event message string extractor.
"""
file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
test_file_path = self._GetTestFilePath(['SOFTWARE'])
file_system_builder.AddFileReadData(
'/Windows/System32/config/SOFTWARE', test_file_path)
test_file_path = self._GetTestFilePath(['SYSTEM'])
file_system_builder.AddFileReadData(
'/Windows/System32/config/SYSTEM', test_file_path)
mount_point = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location='/')
extractor_object = extractor.EventMessageStringExtractor()
extractor_object._file_system = file_system_builder.file_system
extractor_object._path_resolver = (
windows_path_resolver.WindowsPathResolver(
file_system_builder.file_system, mount_point))
extractor_object._windows_directory = 'C:\\Windows'
extractor_object._path_resolver.SetEnvironmentVariable(
'SystemRoot', extractor_object._windows_directory)
extractor_object._path_resolver.SetEnvironmentVariable(
'WinDir', extractor_object._windows_directory)
return extractor_object
def testResolvePathWithEnvironmentVariable(self):
"""Test the resolve path function with environment variable expansion."""
path_resolver = windows_path_resolver.WindowsPathResolver(
self._tsk_file_system, self._qcow_path_spec)
path_resolver.SetEnvironmentVariable(
u'SystemRoot', u'C:\\System Volume Information')
expected_path = (
u'/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}')
windows_path = u'%SystemRoot%\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertNotEqual(path_spec, None)
self.assertEqual(path_spec.location, expected_path)
expected_windows_path = (
u'C:\\System Volume Information'
u'\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
test_windows_path = path_resolver.GetWindowsPath(path_spec)
self.assertEqual(test_windows_path, expected_windows_path)
windows_path = u'%WinDir%\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertEqual(path_spec, None)
def testResolvePathWithEnvironmentVariable(self):
"""Test the resolve path function with environment variable expansion."""
path_resolver = windows_path_resolver.WindowsPathResolver(
self._tsk_file_system, self._qcow_path_spec)
path_resolver.SetEnvironmentVariable(u'SystemRoot',
u'C:\\System Volume Information')
expected_path = (
u'/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
windows_path = u'%SystemRoot%\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
expected_windows_path = (u'C:\\System Volume Information'
u'\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
test_windows_path = path_resolver.GetWindowsPath(path_spec)
self.assertEqual(test_windows_path, expected_windows_path)
windows_path = u'%WinDir%\\{3808876b-c176-4e48-b7ae-04046e6cc752}'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
# Test resolving multi path segment environment variables.
path_resolver = windows_path_resolver.WindowsPathResolver(
self._os_file_system, self._os_path_spec)
expected_path = self._GetTestFilePath(
[u'testdir_os', u'subdir1', u'file6.txt'])
path_resolver.SetEnvironmentVariable(u'Test',
u'C:\\testdir_os\\subdir1')
windows_path = u'%Test%\\file6.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
def ScanForWindowsVolume(self, source_path, options=None):
"""Scans for a Windows volume.
Args:
source_path (str): source path.
options (Optional[VolumeScannerOptions]): volume scanner options. If None
the default volume scanner options are used, which are defined in the
VolumeScannerOptions class.
Returns:
bool: True if a Windows volume was found.
Raises:
ScannerError: if the source path does not exists, or if the source path
is not a file or directory, or if the format of or within the source
file is not supported.
"""
windows_path_specs = self.GetBasePathSpecs(source_path, options=options)
if (not windows_path_specs or
self._source_type == definitions.SOURCE_TYPE_FILE):
return False
file_system_path_spec = windows_path_specs[0]
self._file_system = resolver.Resolver.OpenFileSystem(file_system_path_spec)
if file_system_path_spec.type_indicator == definitions.TYPE_INDICATOR_OS:
mount_point = file_system_path_spec
else:
mount_point = file_system_path_spec.parent
self._path_resolver = windows_path_resolver.WindowsPathResolver(
self._file_system, mount_point)
# The source is a directory or single volume storage media image.
if not self._windows_directory:
self._ScanFileSystemForWindowsDirectory(self._path_resolver)
if not self._windows_directory:
return False
self._path_resolver.SetEnvironmentVariable(
'SystemRoot', self._windows_directory)
self._path_resolver.SetEnvironmentVariable(
'WinDir', self._windows_directory)
return True
def testResolvePathDirectory(self):
"""Test the resolve path function on a mount point directory."""
path_resolver = windows_path_resolver.WindowsPathResolver(
self._os_file_system, self._os_path_spec)
expected_path = self._GetTestFilePath(['testdir_os', 'file1.txt'])
windows_path = 'C:\\testdir_os\\file1.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
test_windows_path = path_resolver.GetWindowsPath(path_spec)
self.assertEqual(test_windows_path, windows_path)
windows_path = 'C:\\testdir_os\\file6.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
def ScanForWindowsVolume(self, source_path):
"""Scans for a Windows volume.
Args:
source_path: a string containing the source path.
Returns:
A boolean value indicating if a Windows volume was found.
Raises:
ScannerError: if the source path does not exists, or if the source path
is not a file or directory, or if the format of or within
the source file is not supported.
"""
windows_path_specs = self.GetBasePathSpecs(source_path)
if (not windows_path_specs
or self._source_type == definitions.SOURCE_TYPE_FILE):
return False
file_system_path_spec = windows_path_specs[0]
self._file_system = resolver.Resolver.OpenFileSystem(
file_system_path_spec)
if file_system_path_spec.type_indicator == definitions.TYPE_INDICATOR_OS:
mount_point = file_system_path_spec
else:
mount_point = file_system_path_spec.parent
self._path_resolver = windows_path_resolver.WindowsPathResolver(
self._file_system, mount_point)
# The source is a directory or single volume storage media image.
if not self._windows_directory:
self._ScanFileSystemForWindowsDirectory(self._path_resolver)
if not self._windows_directory:
return False
self._path_resolver.SetEnvironmentVariable(u'SystemRoot',
self._windows_directory)
self._path_resolver.SetEnvironmentVariable(u'WinDir',
self._windows_directory)
return True
def testExtractEventLogMessageStrings(self):
"""Tests the ExtractEventLogMessageStrings function."""
file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
test_file_path = self._GetTestFilePath([u'SOFTWARE'])
file_system_builder.AddFileReadData(
u'/Windows/System32/config/SOFTWARE', test_file_path)
test_file_path = self._GetTestFilePath([u'SYSTEM'])
file_system_builder.AddFileReadData(
u'/Windows/System32/config/SYSTEM', test_file_path)
mount_point = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location=u'/')
extractor_object = extractor.EventMessageStringExtractor()
extractor_object._file_system = file_system_builder.file_system
extractor_object._path_resolver = (
windows_path_resolver.WindowsPathResolver(
file_system_builder.file_system, mount_point))
extractor_object._windows_directory = u'C:\\Windows'
extractor_object._path_resolver.SetEnvironmentVariable(
u'SystemRoot', extractor_object._windows_directory)
extractor_object._path_resolver.SetEnvironmentVariable(
u'WinDir', extractor_object._windows_directory)
system_root = extractor_object._GetSystemRoot()
self.assertEqual(system_root, u'C:\\WINDOWS')
event_log_providers = list(extractor_object._GetEventLogProviders())
self.assertEqual(len(event_log_providers), 258)
event_log_providers = list(
extractor_object._GetEventLogProviders(all_control_sets=True))
self.assertEqual(len(event_log_providers), 516)
output_writer = TestOutputWriter()
extractor_object.ExtractEventLogMessageStrings(output_writer)
self.assertEqual(len(output_writer.event_log_providers), 258)
self.assertEqual(len(output_writer.message_files), 0)
def testResolvePathDirectory(self):
"""Test the resolve path function on a mount point directory."""
path_resolver = windows_path_resolver.WindowsPathResolver(
self._os_file_system, self._os_path_spec)
expected_path = os.path.join(
os.getcwd(), u'test_data', u'testdir_os', u'file1.txt')
windows_path = u'C:\\testdir_os\\file1.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertNotEqual(path_spec, None)
self.assertEqual(path_spec.location, expected_path)
test_windows_path = path_resolver.GetWindowsPath(path_spec)
self.assertEqual(test_windows_path, windows_path)
windows_path = u'C:\\testdir_os\\file6.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertEqual(path_spec, None)
def testResolvePathImage(self):
"""Test the resolve path function on a storage media image."""
path_resolver = windows_path_resolver.WindowsPathResolver(
self._tsk_file_system, self._qcow_path_spec)
expected_path = (
'/System Volume Information/{3808876b-c176-4e48-b7ae-04046e6cc752}'
)
windows_path = ('C:\\System Volume Information'
'\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
test_windows_path = path_resolver.GetWindowsPath(path_spec)
self.assertEqual(test_windows_path, windows_path)
windows_path = ('\\\\?\\C:\\System Volume Information'
'\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
windows_path = ('\\\\.\\C:\\System Volume Information'
'\\{3808876b-c176-4e48-b7ae-04046e6cc752}')
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
expected_path = '/syslog.gz'
windows_path = '\\SYSLOG.GZ'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
windows_path = 'C:\\..\\SYSLOG.GZ'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
expected_path = '/'
windows_path = '\\'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNotNone(path_spec)
self.assertEqual(path_spec.location, expected_path)
windows_path = 'S'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '\\\\?\\'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '\\\\.\\'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '\\\\?\\UNC\\server\\share\\directory\\file.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '\\\\server\\share\\directory\\file.txt'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = 'SYSLOG.GZ'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '.\\SYSLOG.GZ'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
windows_path = '..\\SYSLOG.GZ'
path_spec = path_resolver.ResolvePath(windows_path)
self.assertIsNone(path_spec)
def _GetRegistryHelperFromPath(self, path, codepage):
"""Return a Registry helper object from a path.
Given a path to a Registry file this function goes through
all the discovered source path specifications (instance of PathSpec)
and extracts Registry helper objects based on the supplied
path.
Args:
path: the path filter to a Registry file.
codepage: the codepage used for the Registry file.
Yields:
A Registry helper object (instance of PregRegistryHelper).
"""
# TODO: deprecate usage of pre_obj.
path_attributes = self.knowledge_base_object.pre_obj.__dict__
for source_path_spec in self._source_path_specs:
if source_path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS:
file_entry = path_spec_resolver.Resolver.OpenFileEntry(
source_path_spec)
if file_entry.IsFile():
yield PregRegistryHelper(file_entry,
u'OS',
self.knowledge_base_object,
codepage=codepage)
continue
# TODO: Change this into an actual mount point path spec.
self._mount_path_spec = source_path_spec
collector_name = source_path_spec.type_indicator
parent_path_spec = getattr(source_path_spec, u'parent', None)
if parent_path_spec and parent_path_spec.type_indicator == (
dfvfs_definitions.TYPE_INDICATOR_VSHADOW):
vss_store = getattr(parent_path_spec, u'store_index', 0)
collector_name = u'VSS Store: {0:d}'.format(vss_store)
file_system, mount_point = self._GetSourceFileSystem(
source_path_spec)
try:
path_resolver = windows_path_resolver.WindowsPathResolver(
file_system, mount_point)
if path.startswith(u'%UserProfile%\\'):
searcher = file_system_searcher.FileSystemSearcher(
file_system, mount_point)
user_profiles = []
# TODO: determine the users path properly instead of relying on
# common defaults. Note that these paths are language dependent.
for user_path in (u'/Documents and Settings/.+',
u'/Users/.+'):
find_spec = file_system_searcher.FindSpec(
location_regex=user_path, case_sensitive=False)
for path_spec in searcher.Find(find_specs=[find_spec]):
location = getattr(path_spec, u'location', None)
if location:
if location.startswith(u'/'):
location = u'\\'.join(location.split(u'/'))
user_profiles.append(location)
for user_profile in user_profiles:
path_resolver.SetEnvironmentVariable(
u'UserProfile', user_profile)
path_spec = path_resolver.ResolvePath(path)
if not path_spec:
continue
file_entry = file_system.GetFileEntryByPathSpec(
path_spec)
if not file_entry:
continue
yield PregRegistryHelper(file_entry,
collector_name,
self.knowledge_base_object,
codepage=codepage)
else:
path_attribute_value = path_attributes.get(
u'systemroot', None)
if path_attribute_value:
path_resolver.SetEnvironmentVariable(
u'SystemRoot', path_attribute_value)
path_spec = path_resolver.ResolvePath(path)
if not path_spec:
continue
file_entry = file_system.GetFileEntryByPathSpec(path_spec)
if not file_entry:
continue
yield PregRegistryHelper(file_entry,
collector_name,
self.knowledge_base_object,
codepage=codepage)
finally:
file_system.Close()
def ScanForOperatingSystemVolumes(self, source_path, options=None):
"""Scans for volumes containing an operating system.
Args:
source_path (str): source path.
options (Optional[dfvfs.VolumeScannerOptions]): volume scanner options.
If None the default volume scanner options are used, which are defined
in the VolumeScannerOptions class.
Returns:
bool: True if a volume with an operating system was found.
Raises:
ScannerError: if the source path does not exists, or if the source path
is not a file or directory, or if the format of or within the source
file is not supported.
"""
if not options:
options = dfvfs_volume_scanner.VolumeScannerOptions()
scan_context = self._ScanSource(source_path)
self._source_path = source_path
self._source_type = scan_context.source_type
base_path_specs = self._GetBasePathSpecs(scan_context, options)
if (not base_path_specs or scan_context.source_type
== dfvfs_definitions.SOURCE_TYPE_FILE):
return False
for path_spec in base_path_specs:
file_system = dfvfs_resolver.Resolver.OpenFileSystem(path_spec)
if path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS:
mount_point = path_spec
else:
mount_point = path_spec.parent
file_system_searcher = dfvfs_file_system_searcher.FileSystemSearcher(
file_system, mount_point)
system_directories = []
for system_directory_path_spec in file_system_searcher.Find(
find_specs=self._SYSTEM_DIRECTORY_FIND_SPECS):
relative_path = file_system_searcher.GetRelativePath(
system_directory_path_spec)
if relative_path:
system_directories.append(relative_path.lower())
if system_directories or len(base_path_specs) == 1:
self._file_system_searcher = file_system_searcher
self._file_system = file_system
self._mount_point = mount_point
if self._WINDOWS_SYSTEM_DIRECTORIES.intersection(
set(system_directories)):
path_resolver = dfvfs_windows_path_resolver.WindowsPathResolver(
file_system, mount_point)
# TODO: determine Windows directory based on system directories.
windows_directory = None
for windows_path in self._WINDOWS_DIRECTORIES:
windows_path_spec = path_resolver.ResolvePath(windows_path)
if windows_path_spec is not None:
windows_directory = windows_path
break
if windows_directory:
path_resolver.SetEnvironmentVariable(
'SystemRoot', windows_directory)
path_resolver.SetEnvironmentVariable(
'WinDir', windows_directory)
registry_file_reader = (
windows_registry.
StorageMediaImageWindowsRegistryFileReader(
file_system, path_resolver))
winregistry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
collector = (environment_variables.
WindowsEnvironmentVariablesCollector())
self._environment_variables = list(
collector.Collect(winregistry))
self._path_resolver = path_resolver
self._windows_directory = windows_directory
self._windows_registry = winregistry
if system_directories:
# TODO: on Mac OS prevent detecting the Recovery volume.
break
self._filter_generator = (
artifact_filters.ArtifactDefinitionFiltersGenerator(
self._artifacts_registry, self._environment_variables, []))
return True
