def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: IO[bytes],
) -> Iterator[rdf_webhistory.BrowserHistoryItem]:
del knowledge_base # Unused.
# TODO(user): Convert this to use the far more intelligent plaso parser.
chrome = ChromeParser()
path = pathspec.CollapsePath()
for timestamp, entry_type, url, data1, _, _ in chrome.Parse(path, filedesc):
if entry_type == "CHROME_DOWNLOAD":
yield rdf_webhistory.BrowserHistoryItem(
url=url,
domain=urlparse.urlparse(url).netloc,
access_time=timestamp,
program_name="Chrome",
source_path=pathspec.CollapsePath(),
download_path=data1)
elif entry_type == "CHROME_VISIT":
yield rdf_webhistory.BrowserHistoryItem(
url=url,
domain=urlparse.urlparse(url).netloc,
access_time=timestamp,
program_name="Chrome",
source_path=pathspec.CollapsePath(),
title=data1)
def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: IO[bytes],
) -> Iterator[rdf_webhistory.BrowserHistoryItem]:
del knowledge_base # Unused.
# TODO(user): Convert this to use the far more intelligent plaso parser.
ie = IEParser(filedesc)
for dat in ie.Parse():
yield rdf_webhistory.BrowserHistoryItem(
url=dat["url"],
domain=urlparse.urlparse(dat["url"]).netloc,
access_time=dat.get("mtime"),
program_name="Internet Explorer",
source_path=pathspec.CollapsePath())
def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: IO[bytes],
) -> Iterator[rdf_webhistory.BrowserHistoryItem]:
del knowledge_base # Unused.
# TODO(user): Convert this to use the far more intelligent plaso parser.
ff = Firefox3History()
for timestamp, unused_entry_type, url, title in ff.Parse(filedesc):
yield rdf_webhistory.BrowserHistoryItem(
url=url,
domain=urlparse.urlparse(url).netloc,
access_time=timestamp,
program_name="Firefox",
source_path=pathspec.CollapsePath(),
title=title)
def VFSOpen(
pathspec: rdf_paths.PathSpec,
progress_callback: Optional[Callable[[], None]] = None) -> VFSHandler:
"""Expands pathspec to return an expanded Path.
A pathspec is a specification of how to access the file by recursively opening
each part of the path by different drivers. For example the following
pathspec:
pathtype: OS
path: "/dev/sda1"
nested_path {
pathtype: TSK
path: "/home/image2.img"
nested_path {
pathtype: TSK
path: "/home/a.txt"
}
}
Instructs the system to:
1) open /dev/sda1 using the OS driver.
2) Pass the obtained filelike object to the TSK driver to open
"/home/image2.img".
3) The obtained filelike object should be passed to the TSK driver to open
"/home/a.txt".
The problem remains how to get to this expanded path specification. Since the
server is not aware of all the files on the client, the server may request
this:
pathtype: OS
path: "/dev/sda1"
nested_path {
pathtype: TSK
path: "/home/image2.img/home/a.txt"
}
Or even this:
pathtype: OS
path: "/dev/sda1/home/image2.img/home/a.txt"
This function converts the pathspec requested by the server into an expanded
pathspec required to actually open the file. This is done by expanding each
component of the pathspec in turn.
Expanding the component is done by opening each leading directory in turn and
checking if it is a directory of a file. If its a file, we examine the file
headers to determine the next appropriate driver to use, and create a nested
pathspec.
Note that for some clients there might be a virtual root specified. This
is a directory that gets prepended to all pathspecs of a given
pathtype. For example if there is a virtual root defined as
["os:/virtualroot"], a path specification like
pathtype: OS
path: "/home/user/*"
will get translated into
pathtype: OS
path: "/virtualroot"
is_virtualroot: True
nested_path {
pathtype: OS
path: "/dev/sda1"
}
Args:
pathspec: A Path() protobuf to normalize.
progress_callback: A callback to indicate that the open call is still
working but needs more time.
Returns:
The open filelike object. This will contain the expanded Path() protobuf as
the member fd.pathspec.
Raises:
IOError: if one of the path components can not be opened.
"""
# Initialize the dictionary of VFS handlers lazily, if not yet done.
if not VFS_HANDLERS:
Init()
fd = None
# Adjust the pathspec in case we are using a vfs_virtualroot.
vroot = _VFS_VIRTUALROOTS.get(pathspec.pathtype)
# If we have a virtual root for this vfs handler, we need to prepend
# it to the incoming pathspec except if the pathspec is explicitly
# marked as containing a virtual root already or if it isn't marked but
# the path already contains the virtual root.
if (not vroot or pathspec.is_virtualroot
or pathspec.CollapsePath().startswith(vroot.CollapsePath())):
# No virtual root but opening changes the pathspec so we always work on a
# copy.
working_pathspec = pathspec.Copy()
else:
# We're in a virtual root, put the target pathspec inside the virtual root
# as a nested path.
working_pathspec = vroot.Copy()
working_pathspec.last.nested_path = pathspec.Copy()
# For each pathspec step, we get the handler for it and instantiate it with
# the old object, and the current step.
while working_pathspec:
component = working_pathspec.Pop()
try:
handler = VFS_HANDLERS[component.pathtype]
except KeyError:
raise UnsupportedHandlerError(component.pathtype)
# Open the component.
fd = handler.Open(fd=fd,
component=component,
handlers=dict(VFS_HANDLERS),
pathspec=working_pathspec,
progress_callback=progress_callback)
if fd is None:
raise ValueError("VFSOpen cannot be called with empty PathSpec.")
return fd