Пример #1
0
    def __init__(self):
        """Initializes the front-end object."""
        input_reader = frontend.StdinFrontendInputReader()
        output_writer = frontend.StdoutFrontendOutputWriter()

        super(PinfoFrontend, self).__init__(input_reader, output_writer)

        self._printer = pprint.PrettyPrinter(indent=8)
        self._verbose = False
Пример #2
0
  def setUp(self):
    """Sets up the objects used throughout the test."""
    # This is necessary since TimeRangeCache uses class members.
    # TODO: remove this work around and properly fix TimeRangeCache.
    pfilter.TimeRangeCache.ResetTimeConstraints()

    self._input_reader = frontend.StdinFrontendInputReader()
    self._output_writer = frontend.StdoutFrontendOutputWriter()
    self._temp_directory = tempfile.mkdtemp()
Пример #3
0
    def __init__(self):
        """Initialize the process information frontend."""
        self._input_reader = frontend.StdinFrontendInputReader()
        self._output_writer = frontend.StdoutFrontendOutputWriter()
        self._parent_list = []
        self._process_list = []

        super(ProcessInformationFrontend,
              self).__init__(self._input_reader, self._output_writer)
Пример #4
0
    def __init__(self):
        """Initializes the front-end object."""
        input_reader = frontend.StdinFrontendInputReader()
        output_writer = frontend.StdoutFrontendOutputWriter()

        super(ImageExportFrontend, self).__init__(input_reader, output_writer)

        self._knowledge_base = None
        self._remove_duplicates = True
        self._source_path_spec = None
Пример #5
0
    def __init__(self):
        """Initializes the front-end object."""
        input_reader = frontend.StdinFrontendInputReader()
        output_writer = frontend.StdoutFrontendOutputWriter()

        super(PlasmFrontend, self).__init__(input_reader, output_writer)

        self._cluster_closeness = None
        self._cluster_threshold = None
        self._quiet = False
        self._tagging_file_path = None

        self.mode = None
Пример #6
0
    def __init__(self):
        """Initializes the front-end object."""
        input_reader = frontend.StdinFrontendInputReader()
        output_writer = frontend.StdoutFrontendOutputWriter()

        super(PsortFrontend, self).__init__(input_reader, output_writer)

        self._analysis_processes = []
        self._filter_buffer = None
        self._filter_expression = None
        self._filter_object = None
        self._output_module_class = None
        self._output_stream = None
        self._slice_size = 5
Пример #7
0
  def __init__(self):
    """Initializes the front-end object."""
    input_reader = frontend.StdinFrontendInputReader()
    output_writer = frontend.StdoutFrontendOutputWriter()

    super(PsortFrontend, self).__init__(input_reader, output_writer)

    self._analysis_processes = []
    self._filter_buffer = None
    self._filter_expression = None
    self._filter_object = None
    self._output_filename = None
    self._output_format = None
    self._preferred_language = u'en-US'
    self._slice_size = 5
Пример #8
0
  def __init__(self):
    """Initializes the front-end object."""
    # TODO: remove the need to pass input_reader and output_writer.
    input_reader = frontend.StdinFrontendInputReader()
    output_writer = frontend.StdoutFrontendOutputWriter()

    super(StorageMediaFrontend, self).__init__(input_reader, output_writer)
    self._resolver_context = context.Context()
    self._scan_context = source_scanner.SourceScannerContext()
    self._source_path = None
    self._source_scanner = source_scanner.SourceScanner()

    # TODO: move this into a source handler to support multiple sources.
    self.partition_offset = None
    self.process_vss = True
    self.vss_stores = None
Пример #9
0
 def setUp(self):
     """Sets up the objects used throughout the test."""
     self._input_reader = frontend.StdinFrontendInputReader()
     self._output_writer = frontend.StdoutFrontendOutputWriter()
Пример #10
0
  def __init__(self):
    """Initializes the front-end object."""
    input_reader = frontend.StdinFrontendInputReader()
    output_writer = frontend.StdoutFrontendOutputWriter()

    super(Log2TimelineFrontend, self).__init__(input_reader, output_writer)
Пример #11
0
def Main():
    """Run the tool."""
    output_writer = frontend.StdoutFrontendOutputWriter()
    front_end = preg.PregFrontend(output_writer)

    epilog = textwrap.dedent("""

Example usage:

Parse the SOFTWARE hive from an image:
  {0:s} [--vss] [--vss-stores VSS_STORES] -i IMAGE_PATH [-o OFFSET] -c SOFTWARE

Parse an userassist key within an extracted hive:
  {0:s} -p userassist MYNTUSER.DAT

Parse the run key from all Registry keys (in vss too):
  {0:s} --vss -i IMAGE_PATH [-o OFFSET] -p run

Open up a console session for the SYSTEM hive inside an image:
  {0:s} -i IMAGE_PATH [-o OFFSET] -c SYSTEM
      """).format(os.path.basename(sys.argv[0]))

    description = textwrap.dedent("""
preg is a simple Windows Registry parser using the plaso Registry
plugins and image parsing capabilities.

It uses the back-end libraries of plaso to read raw image files and
extract Registry files from VSS and restore points and then runs the
Registry plugins of plaso against the Registry hive and presents it
in a textual format.

      """)

    arg_parser = argparse.ArgumentParser(
        epilog=epilog,
        description=description,
        add_help=False,
        formatter_class=argparse.RawDescriptionHelpFormatter)

    # Create the different argument groups.
    mode_options = arg_parser.add_argument_group(u'Run Mode Options')
    image_options = arg_parser.add_argument_group(u'Image Options')
    info_options = arg_parser.add_argument_group(u'Informational Options')
    additional_data = arg_parser.add_argument_group(u'Additional Options')

    mode_options.add_argument(
        '-c',
        '--console',
        dest='console',
        action='store_true',
        default=False,
        help=
        u'Drop into a console session Instead of printing output to STDOUT.')

    additional_data.add_argument(
        '-r',
        '--restore_points',
        dest='restore_points',
        action='store_true',
        default=False,
        help=u'Include restore points for hive locations.')

    image_options.add_argument(
        '-i',
        '--image',
        dest='image',
        action='store',
        type=unicode,
        default='',
        metavar='IMAGE_PATH',
        help=(
            u'If the Registry file is contained within a storage media image, '
            u'set this option to specify the path of image file.'))

    front_end.AddImageOptions(image_options)

    info_options.add_argument('-v',
                              '--verbose',
                              dest='verbose',
                              action='store_true',
                              default=False,
                              help=u'Print sub key information.')

    info_options.add_argument('-h',
                              '--help',
                              action='help',
                              help=u'Show this help message and exit.')

    front_end.AddVssProcessingOptions(additional_data)

    info_options.add_argument(
        '--info',
        dest='info',
        action='store_true',
        default=False,
        help=u'Print out information about supported plugins.')

    mode_options.add_argument(
        '-p',
        '--plugins',
        dest='plugin_names',
        action='append',
        default=[],
        type=unicode,
        metavar='PLUGIN_NAME',
        help=(u'Substring match of the Registry plugin to be used, this '
              u'parameter can be repeated to create a list of plugins to be '
              u'run against, eg: "-p userassist -p rdp" or "-p userassist".'))

    mode_options.add_argument(
        '-k',
        '--key',
        dest='key',
        action='store',
        default='',
        type=unicode,
        metavar='REGISTRY_KEYPATH',
        help=(u'A Registry key path that the tool should parse using all '
              u'available plugins.'))

    arg_parser.add_argument(
        'regfile',
        action='store',
        metavar='REGHIVE',
        nargs='?',
        help=(u'The Registry hive to read key from (not needed if running '
              u'using a plugin)'))

    # Parse the command line arguments.
    options = arg_parser.parse_args()

    if options.info:
        print front_end.GetListOfAllPlugins()
        return True

    try:
        front_end.ParseOptions(options, source_option='image')
    except errors.BadConfigOption as exception:
        arg_parser.print_usage()
        print u''
        logging.error('{0:s}'.format(exception))
        return False

    # Run the tool, using the run mode according to the options passed
    # to the tool.
    if front_end.run_mode == front_end.RUN_MODE_CONSOLE:
        RunModeConsole(front_end, options)
    if front_end.run_mode == front_end.RUN_MODE_REG_KEY:
        front_end.RunModeRegistryKey(options, options.plugin_names)
    elif front_end.run_mode == front_end.RUN_MODE_REG_PLUGIN:
        front_end.RunModeRegistryPlugin(options, options.plugin_names)
    elif front_end.run_mode == front_end.RUN_MODE_REG_FILE:
        front_end.RunModeRegistryFile(options, options.regfile)

    return True