import uuid import construct import pyfsntfs from plaso import dependencies from plaso.events import file_system_events from plaso.events import windows_events from plaso.lib import eventdata from plaso.lib import specification from plaso.parsers import interface from plaso.parsers import manager dependencies.CheckModuleVersion(u'pyfsntfs') class NTFSMFTParser(interface.FileObjectParser): """Parses a NTFS $MFT metadata file.""" _INITIAL_FILE_OFFSET = None NAME = u'mft' DESCRIPTION = u'Parser for NTFS $MFT metadata files.' _MFT_ATTRIBUTE_STANDARD_INFORMATION = 0x00000010 _MFT_ATTRIBUTE_FILE_NAME = 0x00000030 _MFT_ATTRIBUTE_OBJECT_ID = 0x00000040 @classmethod
# -*- coding: utf-8 -*- """Parser for Windows NT shell items.""" import pyfwsi from plaso import dependencies from plaso.events import shell_item_events from plaso.lib import eventdata from plaso.winnt import shell_folder_ids dependencies.CheckModuleVersion(u'pyfwsi') class ShellItemsParser(object): """Parses for Windows NT shell items.""" NAME = u'shell_items' def __init__(self, origin): """Initializes the parser. Args: origin: A string containing the origin of the event (event source). """ super(ShellItemsParser, self).__init__() self._origin = origin self._path_segments = [] def _ParseShellItem(self, parser_mediator, shell_item): """Parses a shell item.
# -*- coding: utf-8 -*- """Parser for OLE Compound Files (OLECF).""" import logging import pyolecf from plaso import dependencies from plaso.lib import errors from plaso.lib import specification from plaso.parsers import interface from plaso.parsers import manager dependencies.CheckModuleVersion(u'pyolecf') class OleCfParser(interface.SingleFileBasePluginsParser): """Parses OLE Compound Files (OLECF).""" _INITIAL_FILE_OFFSET = None NAME = u'olecf' DESCRIPTION = u'Parser for OLE Compound Files (OLECF).' _plugin_classes = {} def __init__(self): """Initializes a parser object.""" super(OleCfParser, self).__init__() self._plugins = OleCfParser.GetPluginObjects()
import uuid import pylnk from plaso import dependencies from plaso.containers import time_events from plaso.containers import windows_events from plaso.lib import eventdata from plaso.lib import specification from plaso.parsers import interface from plaso.parsers import manager from plaso.parsers.shared import shell_items dependencies.CheckModuleVersion(u'pylnk') class WinLnkLinkEvent(time_events.FiletimeEvent): """Convenience class for a Windows Shortcut (LNK) link event. Attributes: birth_droid_file_identifier: the distributed link tracking brith droid file identifier. birth_droid_volume_identifier: the distributed link tracking brith droid volume identifier. command_line_arguments: the command line arguments. description: the description of the linked item. drive_serial_number: the drive serial number where the linked item resides. drive_type: the drive type where the linked item resided. droid_file_identifier: the distributed link tracking droid file
# -*- coding: utf-8 -*- """Parser for Windows EventLog (EVT) files.""" import pyevt from plaso import dependencies from plaso.containers import time_events from plaso.lib import eventdata from plaso.lib import specification from plaso.parsers import interface from plaso.parsers import manager dependencies.CheckModuleVersion(u'pyevt') class WinEvtRecordEvent(time_events.PosixTimeEvent): """Convenience class for a Windows EventLog (EVT) record event. Attributes: computer_name (str): computer name stored in the event record. event_category (int): event category. event_identifier (int): event identifier. event_type (int): event type. facility (int): event facility. message_identifier (int): event message identifier. offset (int): data offset of the event record with in the file. record_number (int): event record number. recovered (bool): True if the record was recovered. severity (int): event severity. source_name (str): name of the event source.
def testCheckModuleVersion(self):
  """Tests the CheckModuleVersion function.

  A dependency that is installed and satisfies its version requirement
  (dfdatetime) must pass the check silently; a module name that cannot be
  imported must make the check raise ImportError.
  """
  # Positive path: a required, installed dependency does not raise.
  dependencies.CheckModuleVersion(u'dfdatetime')
  # Negative path: the callable form of assertRaises invokes the check and
  # expects ImportError to propagate for an unknown module name.
  self.assertRaises(
      ImportError, dependencies.CheckModuleVersion, u'bogus')
# -*- coding: utf-8 -*- """Parser for Extensible Storage Engine (ESE) database files (EDB).""" import pyesedb from plaso import dependencies from plaso.lib import specification from plaso.parsers import interface from plaso.parsers import manager from plaso.parsers import plugins dependencies.CheckModuleVersion(u'pyesedb') class ESEDBCache(plugins.BasePluginCache): """A cache storing query results for ESEDB plugins.""" def StoreDictInCache(self, attribute_name, dict_object): """Store a dict object in cache. Args: attribute_name (str): name of the attribute. dict_object (dict): dictionary. """ setattr(self, attribute_name, dict_object) class ESEDBParser(interface.FileObjectParser): """Parses Extensible Storage Engine (ESE) database files (EDB).""" _INITIAL_FILE_OFFSET = None
# -*- coding: utf-8 -*- """Fake Windows Registry objects implementation.""" import calendar import construct from plaso import dependencies from plaso.dfwinreg import definitions from plaso.dfwinreg import errors from plaso.dfwinreg import interface dependencies.CheckModuleVersion(u'construct') # TODO: give this class a place of its own when dfwinreg is split off. class Filetime(object): """Class that implements a FILETIME timestamp. The FILETIME timestamp is a 64-bit integer that contains the number of 100th nano seconds since 1601-01-01 00:00:00. Do not confuse this with the FILETIME structure that consists of 2 x 32-bit integers and is presumed to be unsigned. Attributes: timestamp: the FILETIME timestamp. """ # The difference between Jan 1, 1601 and Jan 1, 1970 in seconds. _FILETIME_TO_POSIX_BASE = 11644473600L
# -*- coding: utf-8 -*- """Parser for Windows Prefetch files.""" import pyscca from plaso import dependencies from plaso.containers import time_events from plaso.containers import windows_events from plaso.lib import eventdata from plaso.lib import specification from plaso.lib import timelib from plaso.parsers import interface from plaso.parsers import manager dependencies.CheckModuleVersion(u'pyscca') class WinPrefetchExecutionEvent(time_events.FiletimeEvent): """Class that defines a Windows Prefetch execution event. Attributes: executable: a string containing the executable filename. format_version: an integer containing the format version. mapped_files: a list of strings containing the mapped filenames. number_of_volumes: an integer containing the number of volumes. path: a path to the executable. prefetch_hash: an integer containing the prefetch hash. run_count: an integer containing the run count. volume_device_paths: a list of strings containing volume device path strings.
# -*- coding: utf-8 -*- """Pyregf specific implementation for the Windows Registry file access.""" import logging import pyregf from plaso import dependencies from plaso.dfwinreg import interface from plaso.lib import errors from plaso.lib import timelib dependencies.CheckModuleVersion(u'pyregf') class WinPyregfKey(interface.WinRegKey): """Implementation of a Windows Registry key using pyregf.""" def __init__(self, pyregf_key, parent_path=u'', root=False): """Initializes a Windows Registry key object. Args: pyregf_key: An instance of a pyregf.key object. parent_path: The path of the parent key. root: A boolean value indicating we are dealing with a root key. """ super(WinPyregfKey, self).__init__() self._pyregf_key = pyregf_key # Adding few checks to make sure the root key is not # invalid in plugin checks (root key is equal to the # path separator). if parent_path == self.PATH_SEPARATOR: