    def testParse23(self):
        """Tests the Parse function on a version 23 Prefetch file.

        Parses the PING.EXE-B29F6629.pf fixture and pins the values the
        parser extracts for it: executable name, prefetch hash, run count,
        path hints, volume device path and serial number, and the last run
        and volume creation timestamps. A regression in any of these fields
        shows up as a changed value here.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)

        # Exactly one execution event and one volume creation event, and the
        # fixture must parse without extraction or recovery warnings.
        self.assertEqual(writer.number_of_events, 2)
        self.assertEqual(writer.number_of_extraction_warnings, 0)
        self.assertEqual(writer.number_of_recovery_warnings, 0)

        # The count assertion above guarantees the two-element unpack.
        volume_event, last_run_event = list(writer.GetEvents())

        # The prefetch last run event.
        expected_last_run_values = dict(
            date_time='2012-04-06 19:00:55.9329556',
            data_type='windows:prefetch:execution',
            executable='PING.EXE',
            path_hints=['\\WINDOWS\\SYSTEM32\\PING.EXE'],
            prefetch_hash=0xb29f6629,
            run_count=14,
            timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
            version=23,
            volume_device_paths=['\\DEVICE\\HARDDISKVOLUME1'],
            volume_serial_numbers=[0xac036525])

        self.CheckEventValues(writer, last_run_event, expected_last_run_values)

        # The volume creation event.
        expected_creation_values = dict(
            date_time='2010-11-10 17:37:26.4843750',
            data_type='windows:volume:creation',
            timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)

        self.CheckEventValues(writer, volume_event, expected_creation_values)
    def testParse23MultiVolume(self):
        """Tests the Parse function on a multi volume version 23 Prefetch file.

        The WUAUCLT.EXE-830BCC14.pf fixture references five volumes (one hard
        disk volume and four shadow copies) that all carry the same serial
        number; the test checks that every device path is kept in order and
        that six events are produced (presumably one volume creation event per
        volume plus the execution event) with no warnings.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], prefetch_parser)

        expected_counts = (
            ('event', 6),
            ('extraction_warning', 0),
            ('recovery_warning', 0))
        for container_type, expected_count in expected_counts:
            actual_count = writer.GetNumberOfAttributeContainers(container_type)
            self.assertEqual(actual_count, expected_count)

        events = list(writer.GetEvents())

        # All five volumes report the same serial number in this fixture.
        shared_serial_number = 0xac036525
        device_paths = [
            '\\DEVICE\\HARDDISKVOLUME1',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8']

        # The prefetch last run event.
        expected_last_run_values = dict(
            date_time='2012-03-15 21:17:39.8079963',
            data_type='windows:prefetch:execution',
            executable='WUAUCLT.EXE',
            path_hints=['\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE'],
            prefetch_hash=0x830bcc14,
            run_count=25,
            timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
            version=23,
            volume_device_paths=device_paths,
            volume_serial_numbers=[shared_serial_number] * len(device_paths))

        self.CheckEventValues(writer, events[5], expected_last_run_values)

        # The volume creation event.
        expected_creation_values = dict(
            date_time='2010-11-10 17:37:26.4843750',
            data_type='windows:volume:creation',
            timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)

        self.CheckEventValues(writer, events[0], expected_creation_values)
    def testParse30Compressed(self):
        """Tests the Parse function on a compressed version 30 Prefetch file.

        Checks, for BYTECODEGENERATOR.EXE-C1E9BCE6.pf: the last run event, the
        previous last run event (whose event data lists 1085 mapped files) and
        the volume creation event, with no extraction or recovery warnings.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(
            ['BYTECODEGENERATOR.EXE-C1E9BCE6.pf'], prefetch_parser)

        expected_counts = (
            ('event', 8),
            ('extraction_warning', 0),
            ('recovery_warning', 0))
        for container_type, expected_count in expected_counts:
            actual_count = writer.GetNumberOfAttributeContainers(container_type)
            self.assertEqual(actual_count, expected_count)

        events = list(writer.GetEvents())

        previous_last_run_desc = 'Previous {0:s}'.format(
            definitions.TIME_DESCRIPTION_LAST_RUN)

        # The prefetch last run event.
        self.CheckEventValues(writer, events[1], dict(
            date_time='2015-05-14 22:11:58.0911341',
            data_type='windows:prefetch:execution',
            executable='BYTECODEGENERATOR.EXE',
            prefetch_hash=0xc1e9bce6,
            run_count=7,
            timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
            version=30))

        # The prefetch previous last run event.
        self.CheckEventValues(writer, events[2], dict(
            date_time='2015-05-14 22:11:55.3576520',
            timestamp_desc=previous_last_run_desc))

        # The mapped file list is only size-checked; it is too long to pin.
        event_data = self._GetEventDataOfEvent(writer, events[2])
        self.assertEqual(len(event_data.mapped_files), 1085)

        # The volume creation event.
        self.CheckEventValues(writer, events[0], dict(
            date_time='2015-05-15 06:54:55.1392941',
            data_type='windows:volume:creation',
            timestamp_desc=definitions.TIME_DESCRIPTION_CREATION))
    def testParse30Variant2Compressed(self):
        """Tests the Parse function on a compressed version 30 variant 2 file.

        Checks, for NOTEPAD.EXE-D8414F97.pf: the last run event, the previous
        last run event (whose event data lists 56 mapped files) and the volume
        creation event, with no extraction or recovery warnings.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['NOTEPAD.EXE-D8414F97.pf'], prefetch_parser)

        expected_counts = (
            ('event', 3),
            ('extraction_warning', 0),
            ('recovery_warning', 0))
        for container_type, expected_count in expected_counts:
            actual_count = writer.GetNumberOfAttributeContainers(container_type)
            self.assertEqual(actual_count, expected_count)

        events = list(writer.GetEvents())

        previous_last_run_desc = 'Previous {0:s}'.format(
            definitions.TIME_DESCRIPTION_LAST_RUN)

        # The prefetch last run event.
        self.CheckEventValues(writer, events[1], dict(
            date_time='2019-06-05 19:55:04.8777787',
            data_type='windows:prefetch:execution',
            executable='NOTEPAD.EXE',
            prefetch_hash=0xd8414f97,
            run_count=2,
            timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
            version=30))

        # The prefetch previous last run event.
        self.CheckEventValues(writer, events[2], dict(
            date_time='2019-06-05 19:23:00.8157052',
            timestamp_desc=previous_last_run_desc))

        # The mapped file list is only size-checked; it is too long to pin.
        event_data = self._GetEventDataOfEvent(writer, events[2])
        self.assertEqual(len(event_data.mapped_files), 56)

        # The volume creation event.
        self.CheckEventValues(writer, events[0], dict(
            date_time='2017-07-30 19:40:03.5487843',
            data_type='windows:volume:creation',
            timestamp_desc=definitions.TIME_DESCRIPTION_CREATION))
  def testParse23(self):
    """Tests the Parse function on a version 23 Prefetch file.

    Checks the execution event and the volume creation event produced from
    PING.EXE-B29F6629.pf, including the long and short message strings the
    formatter renders for the execution event.
    """
    prefetch_parser = winprefetch.WinPrefetchParser()
    writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)

    self.assertEqual(writer.number_of_events, 2)

    # The count assertion above guarantees the two-element unpack.
    volume_event, last_run_event = list(writer.GetEvents())

    # The prefetch last run event.
    self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
    self.assertEqual(last_run_event.version, 23)

    last_run_timestamp = timelib.Timestamp.CopyFromString(
        '2012-04-06 19:00:55.932955')
    self.assertEqual(last_run_event.timestamp, last_run_timestamp)
    self.assertEqual(
        last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

    # Scalar attributes the message strings below are built from.
    expected_attributes = (
        ('executable', 'PING.EXE'),
        ('prefetch_hash', 0xb29f6629),
        ('path', '\\WINDOWS\\SYSTEM32\\PING.EXE'),
        ('run_count', 14))
    for attribute_name, expected_value in expected_attributes:
      self.assertEqual(
          getattr(last_run_event, attribute_name), expected_value)
    self.assertEqual(
        last_run_event.volume_device_paths[0], '\\DEVICE\\HARDDISKVOLUME1')
    self.assertEqual(last_run_event.volume_serial_numbers[0], 0xac036525)

    expected_message = (
        'Prefetch [PING.EXE] was executed - run count 14 path: '
        '\\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
        'volume: 1 [serial number: 0xAC036525, '
        'device path: \\DEVICE\\HARDDISKVOLUME1]')
    expected_short_message = 'PING.EXE was run 14 time(s)'

    self._TestGetMessageStrings(
        last_run_event, expected_message, expected_short_message)

    # The volume creation event.
    self.assertEqual(volume_event.data_type, 'windows:volume:creation')

    creation_timestamp = timelib.Timestamp.CopyFromString(
        '2010-11-10 17:37:26.484375')
    self.assertEqual(volume_event.timestamp, creation_timestamp)
    self.assertEqual(
        volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)
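  def testParse30Compressed(self):
    """Tests the Parse function on a compressed version 30 Prefetch file.

    Checks, for BYTECODEGENERATOR.EXE-C1E9BCE6.pf: the last run event, the
    previous last run event (with 1085 mapped files) and the volume creation
    event. The data_type of the last run event is asserted once; an earlier
    revision repeated that assertion verbatim.
    """
    parser = winprefetch.WinPrefetchParser()
    storage_writer = self._ParseFile(
        ['BYTECODEGENERATOR.EXE-C1E9BCE6.pf'], parser)

    self.assertEqual(storage_writer.number_of_events, 8)

    events = list(storage_writer.GetEvents())

    # The prefetch last run event.
    event = events[1]

    self.assertEqual(event.data_type, 'windows:prefetch:execution')
    self.assertEqual(event.version, 30)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        '2015-05-14 22:11:58.091134')
    self.assertEqual(event.timestamp, expected_timestamp)
    self.assertEqual(
        event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)
    self.assertEqual(event.executable, 'BYTECODEGENERATOR.EXE')
    self.assertEqual(event.prefetch_hash, 0xc1e9bce6)

    # The prefetch previous last run event.
    event = events[2]

    expected_timestamp = timelib.Timestamp.CopyFromString(
        '2015-05-14 22:11:55.357652')
    self.assertEqual(event.timestamp, expected_timestamp)
    self.assertEqual(
        event.timestamp_desc,
        'Previous {0:s}'.format(definitions.TIME_DESCRIPTION_LAST_RUN))

    # The mapped file list is only size-checked; it is too long to pin.
    self.assertEqual(len(event.mapped_files), 1085)

    # The volume creation event.
    event = events[0]

    self.assertEqual(event.data_type, 'windows:volume:creation')

    expected_timestamp = timelib.Timestamp.CopyFromString(
        '2015-05-15 06:54:55.139294')
    self.assertEqual(event.timestamp, expected_timestamp)
    self.assertEqual(
        event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)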
    def testParse23(self):
        """Tests the Parse function on a version 23 Prefetch file.

        Parses PING.EXE-B29F6629.pf through the event queue and checks the
        execution event (version, last run timestamp, executable, prefetch
        hash, path, run count, first volume device path and serial number, and
        the formatted messages) and the volume creation event.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()

        fixture_path = self._GetTestFilePath([u'PING.EXE-B29F6629.pf'])
        queue_consumer = self._ParseFile(prefetch_parser, fixture_path)
        parsed_events = self._GetEventObjectsFromQueue(queue_consumer)

        self.assertEqual(len(parsed_events), 2)

        # The count assertion above guarantees the two-element unpack.
        volume_event, last_run_event = parsed_events

        # The prefetch last run event.
        self.assertEqual(last_run_event.version, 23)

        last_run_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-04-06 19:00:55.932955')
        self.assertEqual(last_run_event.timestamp, last_run_timestamp)
        self.assertEqual(
            last_run_event.timestamp_desc,
            eventdata.EventTimestamp.LAST_RUNTIME)

        expected_attributes = (
            ('executable', u'PING.EXE'),
            ('prefetch_hash', 0xb29f6629),
            ('path', u'\\WINDOWS\\SYSTEM32\\PING.EXE'),
            ('run_count', 14))
        for attribute_name, expected_value in expected_attributes:
            self.assertEqual(
                getattr(last_run_event, attribute_name), expected_value)
        self.assertEqual(
            last_run_event.volume_device_paths[0],
            u'\\DEVICE\\HARDDISKVOLUME1')
        self.assertEqual(last_run_event.volume_serial_numbers[0], 0xac036525)

        expected_message = (
            u'Prefetch [PING.EXE] was executed - run count 14 path: '
            u'\\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
            u'volume: 1 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUME1]')
        expected_short_message = u'PING.EXE was run 14 time(s)'

        self._TestGetMessageStrings(
            last_run_event, expected_message, expected_short_message)

        # The volume creation event.
        creation_timestamp = timelib.Timestamp.CopyFromString(
            u'2010-11-10 17:37:26.484375')
        self.assertEqual(volume_event.timestamp, creation_timestamp)
        self.assertEqual(
            volume_event.timestamp_desc,
            eventdata.EventTimestamp.CREATION_TIME)
    def testParse23(self):
        """Tests the Parse function on a version 23 Prefetch file.

        Parses PING.EXE-B29F6629.pf and checks the execution event's attribute
        values and formatted messages, then the volume creation event. The
        fixture must produce no warnings.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['PING.EXE-B29F6629.pf'], prefetch_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 2)

        # The count assertion above guarantees the two-element unpack.
        volume_event, last_run_event = list(writer.GetEvents())

        # The prefetch last run event.
        expected_last_run_values = dict(
            data_type='windows:prefetch:execution',
            executable='PING.EXE',
            path_hints=['\\WINDOWS\\SYSTEM32\\PING.EXE'],
            prefetch_hash=0xb29f6629,
            run_count=14,
            timestamp='2012-04-06 19:00:55.932956',
            timestamp_desc=definitions.TIME_DESCRIPTION_LAST_RUN,
            version=23,
            volume_device_paths=['\\DEVICE\\HARDDISKVOLUME1'],
            volume_serial_numbers=[0xac036525])

        self.CheckEventValues(writer, last_run_event, expected_last_run_values)

        expected_message = (
            'Prefetch [PING.EXE] was executed - run count 14 '
            'path hints: \\WINDOWS\\SYSTEM32\\PING.EXE hash: 0xB29F6629 '
            'volume: 1 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUME1]')
        expected_short_message = 'PING.EXE was run 14 time(s)'

        # Messages are rendered from the event data, not the event itself.
        last_run_event_data = self._GetEventDataOfEvent(writer, last_run_event)
        self._TestGetMessageStrings(
            last_run_event_data, expected_message, expected_short_message)

        # The volume creation event.
        expected_creation_values = dict(
            data_type='windows:volume:creation',
            timestamp='2010-11-10 17:37:26.484375',
            timestamp_desc=definitions.TIME_DESCRIPTION_CREATION)

        self.CheckEventValues(writer, volume_event, expected_creation_values)
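    def testParse30Variant2Compressed(self):
        """Tests the Parse function on a compressed version 30 variant 2 file.

        Parses NOTEPAD.EXE-D8414F97.pf and checks the last run event, the
        previous last run event (whose event data lists 56 mapped files) and
        the volume creation event. The event data is looked up separately for
        each event that is inspected, so each assertion is tied to the event
        it is commented as checking.
        """
        parser = winprefetch.WinPrefetchParser()
        storage_writer = self._ParseFile(['NOTEPAD.EXE-D8414F97.pf'], parser)

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 3)

        events = list(storage_writer.GetEvents())

        # The prefetch last run event.
        event = events[1]

        self.CheckTimestamp(event.timestamp, '2019-06-05 19:55:04.877779')
        self.assertEqual(event.timestamp_desc,
                         definitions.TIME_DESCRIPTION_LAST_RUN)

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(event_data.data_type, 'windows:prefetch:execution')
        self.assertEqual(event_data.version, 30)
        self.assertEqual(event_data.executable, 'NOTEPAD.EXE')
        self.assertEqual(event_data.prefetch_hash, 0xd8414f97)
        self.assertEqual(event_data.run_count, 2)

        # The prefetch previous last run event.
        event = events[2]

        self.CheckTimestamp(event.timestamp, '2019-06-05 19:23:00.815705')
        expected_timestamp_desc = 'Previous {0:s}'.format(
            definitions.TIME_DESCRIPTION_LAST_RUN)
        self.assertEqual(event.timestamp_desc, expected_timestamp_desc)

        # Fetch the event data of this event instead of reusing the event data
        # retrieved for the last run event above, so the mapped file count is
        # checked against the event this section is about.
        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(len(event_data.mapped_files), 56)

        # The volume creation event.
        event = events[0]

        self.CheckTimestamp(event.timestamp, '2017-07-30 19:40:03.548784')
        self.assertEqual(event.timestamp_desc,
                         definitions.TIME_DESCRIPTION_CREATION)

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(event_data.data_type, 'windows:volume:creation')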
    def testParse26(self):
        """Tests the Parse function on a version 26 Prefetch file.

        Parses TASKHOST.EXE-3AE259FC.pf and checks the last run event, the
        previous last run event together with its full list of mapped files
        (including the MFT entry and sequence number the parser appends to
        most of them), and the volume creation event.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['TASKHOST.EXE-3AE259FC.pf'], prefetch_parser)

        self.assertEqual(writer.number_of_errors, 0)
        self.assertEqual(writer.number_of_events, 5)

        events = list(writer.GetEvents())

        # The prefetch last run event.
        last_run_event = events[1]

        self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
        self.assertEqual(last_run_event.version, 26)

        self.CheckTimestamp(last_run_event.timestamp, '2013-10-04 15:40:09.037833')
        self.assertEqual(
            last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

        self.assertEqual(last_run_event.executable, 'TASKHOST.EXE')
        self.assertEqual(last_run_event.prefetch_hash, 0x3ae259fc)

        # The prefetch previous last run event.
        previous_run_event = events[2]

        self.CheckTimestamp(
            previous_run_event.timestamp, '2013-10-04 15:28:09.010357')

        previous_last_run_desc = 'Previous {0:s}'.format(
            definitions.TIME_DESCRIPTION_LAST_RUN)
        self.assertEqual(previous_run_event.timestamp_desc, previous_last_run_desc)

        volume_root = '\\DEVICE\\HARDDISKVOLUME2\\'
        system32 = 'WINDOWS\\SYSTEM32\\'
        rac_state_data = 'PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'

        # Entries are (path relative to the volume root, MFT entry, sequence);
        # MFT entry and sequence are None where the fixture carries no MFT
        # reference for that path. Order matters: the parser's output order
        # is part of what is being checked.
        mapped_file_table = [
            (system32 + 'NTDLL.DLL', 46299, 1),
            (system32 + 'TASKHOST.EXE', None, None),
            (system32 + 'KERNEL32.DLL', 45747, 1),
            (system32 + 'KERNELBASE.DLL', 45734, 1),
            (system32 + 'LOCALE.NLS', 45777, 1),
            (system32 + 'MSVCRT.DLL', 46033, 1),
            (system32 + 'RPCRT4.DLL', 46668, 1),
            (system32 + 'COMBASE.DLL', 44616, 1),
            (system32 + 'OLEAUT32.DLL', 46309, 1),
            (system32 + 'OLE32.DLL', 46348, 1),
            (system32 + 'RPCSS.DLL', 46654, 1),
            (system32 + 'KERNEL.APPCORE.DLL', 45698, 1),
            (system32 + 'CRYPTBASE.DLL', 44560, 1),
            (system32 + 'BCRYPTPRIMITIVES.DLL', 44355, 1),
            (system32 + 'USER32.DLL', 47130, 1),
            (system32 + 'GDI32.DLL', 45344, 1),
            (system32 + 'EN-US\\TASKHOST.EXE.MUI', None, None),
            (system32 + 'SECHOST.DLL', 46699, 1),
            (system32 + 'CLBCATQ.DLL', 44511, 1),
            (system32 + 'RACENGN.DLL', 46549, 1),
            (system32 + 'NTMARTA.DLL', 46262, 1),
            (system32 + 'WEVTAPI.DLL', 47223, 1),
            ('$MFT', None, None),
            (system32 + 'SQMAPI.DLL', 46832, 1),
            (system32 + 'AEPIC.DLL', 43991, 1),
            (system32 + 'WINTRUST.DLL', 47372, 1),
            (system32 + 'SLWGA.DLL', 46762, 1),
            (system32 + 'DXGI.DLL', 44935, 1),
            (system32 + 'ESENT.DLL', 45256, 1),
            (system32 + 'WMICLNT.DLL', 47413, 1),
            (system32 + 'ADVAPI32.DLL', 43994, 1),
            (system32 + 'SFC_OS.DLL', 46729, 1),
            (system32 + 'VERSION.DLL', 47120, 1),
            (system32 + 'CRYPT32.DLL', 44645, 1),
            (system32 + 'MSASN1.DLL', 45909, 1),
            (system32 + 'WTSAPI32.DLL', 47527, 1),
            (system32 + 'SPPC.DLL', 46803, 1),
            (system32 + 'POWRPROF.DLL', 46413, 1),
            (system32 + 'PROFAPI.DLL', 46441, 1),
            (rac_state_data + 'RACMETADATA.DAT', 39345, 2),
            ('WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS', 37452, 1),
            (system32 + 'RACRULES.XML', 46509, 1),
            (system32 + 'TASKSCHD.DLL', 47043, 1),
            (system32 + 'SSPICLI.DLL', 46856, 1),
            (system32 + 'XMLLITE.DLL', 47569, 1),
            (rac_state_data + 'RACWMIEVENTDATA.DAT', 23870, 3),
            (rac_state_data + 'RACWMIDATABOOKMARKS.DAT', 23871, 2),
            (system32 + 'TPMTASKS.DLL', 47003, 1),
            (system32 + 'NCRYPT.DLL', 46073, 1),
            (system32 + 'BCRYPT.DLL', 44346, 1),
            (system32 + 'NTASN1.DLL', 46261, 1)]

        expected_mapped_files = []
        for relative_path, mft_entry, sequence in mapped_file_table:
            mapped_file = volume_root + relative_path
            if mft_entry is not None:
                mapped_file = '{0:s} [MFT entry: {1:d}, sequence: {2:d}]'.format(
                    mapped_file, mft_entry, sequence)
            expected_mapped_files.append(mapped_file)

        self.assertEqual(previous_run_event.mapped_files, expected_mapped_files)

        # The volume creation event.
        volume_event = events[0]

        self.assertEqual(volume_event.data_type, 'windows:volume:creation')

        self.CheckTimestamp(volume_event.timestamp, '2013-10-04 15:57:26.146548')
        self.assertEqual(
            volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)
    def testParse17(self):
        """Tests the Parse function on a version 17 Prefetch file.

        Parses CMD.EXE-087B4001.pf and checks the last run event together with
        its complete, ordered list of mapped files, then the volume creation
        event and the messages rendered for it.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['CMD.EXE-087B4001.pf'], prefetch_parser)

        self.assertEqual(writer.number_of_errors, 0)
        self.assertEqual(writer.number_of_events, 2)

        # The count assertion above guarantees the two-element unpack.
        volume_event, last_run_event = list(writer.GetEvents())

        # The prefetch last run event.
        self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
        self.assertEqual(last_run_event.version, 17)

        self.CheckTimestamp(last_run_event.timestamp, '2013-03-10 10:11:49.281250')
        self.assertEqual(
            last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

        self.assertEqual(last_run_event.executable, 'CMD.EXE')
        self.assertEqual(last_run_event.prefetch_hash, 0x087b4001)
        self.assertEqual(last_run_event.volume_serial_numbers[0], 0x24cb074b)

        volume_root = '\\DEVICE\\HARDDISKVOLUME1\\'
        system32 = 'WINDOWS\\SYSTEM32\\'
        apppatch = 'WINDOWS\\APPPATCH\\'
        update_dir = 'D50FF1E628137B1A251B47AB9466\\UPDATE\\'
        spuninst = 'WINDOWS\\IE7\\SPUNINST\\'

        # Paths relative to the volume root, in the order the parser emits them.
        relative_mapped_files = [
            system32 + 'NTDLL.DLL',
            system32 + 'KERNEL32.DLL',
            system32 + 'UNICODE.NLS',
            system32 + 'LOCALE.NLS',
            system32 + 'SORTTBLS.NLS',
            system32 + 'MSVCRT.DLL',
            system32 + 'CMD.EXE',
            system32 + 'USER32.DLL',
            system32 + 'GDI32.DLL',
            system32 + 'SHIMENG.DLL',
            apppatch + 'SYSMAIN.SDB',
            apppatch + 'ACGENRAL.DLL',
            system32 + 'ADVAPI32.DLL',
            system32 + 'RPCRT4.DLL',
            system32 + 'WINMM.DLL',
            system32 + 'OLE32.DLL',
            system32 + 'OLEAUT32.DLL',
            system32 + 'MSACM32.DLL',
            system32 + 'VERSION.DLL',
            system32 + 'SHELL32.DLL',
            system32 + 'SHLWAPI.DLL',
            system32 + 'USERENV.DLL',
            system32 + 'UXTHEME.DLL',
            system32 + 'CTYPE.NLS',
            system32 + 'SORTKEY.NLS',
            ('WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.'
             'COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\'
             'COMCTL32.DLL'),
            'WINDOWS\\WINDOWSSHELL.MANIFEST',
            system32 + 'COMCTL32.DLL',
            update_dir + 'UPDATE.EXE.MANIFEST',
            '$MFT',
            spuninst + 'SPUNINST.EXE.MANIFEST',
            update_dir + 'IERESETICONS.EXE',
            spuninst + 'IERESETICONS.EXE']

        expected_mapped_files = [
            volume_root + relative_path for relative_path in relative_mapped_files]

        self.assertEqual(last_run_event.mapped_files, expected_mapped_files)

        # The volume creation event.
        self.assertEqual(volume_event.data_type, 'windows:volume:creation')

        self.CheckTimestamp(volume_event.timestamp, '2013-03-10 10:19:46.234375')
        self.assertEqual(
            volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

        expected_message = (
            '\\DEVICE\\HARDDISKVOLUME1 Serial number: 0x24CB074B '
            'Origin: CMD.EXE-087B4001.pf')
        expected_short_message = (
            '\\DEVICE\\HARDDISKVOLUME1 Origin: CMD.EXE-087B4001.pf')

        self._TestGetMessageStrings(
            volume_event, expected_message, expected_short_message)
    def testParse23MultiVolume(self):
        """Tests the Parse function on a multi volume version 23 Prefetch file.

        Parses WUAUCLT.EXE-830BCC14.pf, which references five volumes that
        share one serial number, and checks the last run event (including the
        long message that enumerates every volume) and the first volume
        creation event with its messages.
        """
        prefetch_parser = winprefetch.WinPrefetchParser()
        writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], prefetch_parser)

        self.assertEqual(writer.number_of_errors, 0)
        self.assertEqual(writer.number_of_events, 6)

        events = list(writer.GetEvents())

        # The prefetch last run event.
        last_run_event = events[5]

        self.assertEqual(last_run_event.data_type, 'windows:prefetch:execution')
        self.assertEqual(last_run_event.version, 23)

        self.CheckTimestamp(last_run_event.timestamp, '2012-03-15 21:17:39.807996')
        self.assertEqual(
            last_run_event.timestamp_desc, definitions.TIME_DESCRIPTION_LAST_RUN)

        expected_attributes = (
            ('executable', 'WUAUCLT.EXE'),
            ('prefetch_hash', 0x830bcc14),
            ('path', '\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE'),
            ('run_count', 25))
        for attribute_name, expected_value in expected_attributes:
            self.assertEqual(
                getattr(last_run_event, attribute_name), expected_value)
        self.assertEqual(
            last_run_event.volume_device_paths[0], '\\DEVICE\\HARDDISKVOLUME1')
        self.assertEqual(last_run_event.volume_serial_numbers[0], 0xac036525)

        # The long message lists the volumes 1-based, in fixture order; every
        # volume in this fixture carries the same serial number.
        device_paths = [
            '\\DEVICE\\HARDDISKVOLUME1',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8']
        volume_descriptions = ', '.join(
            'volume: {0:d} [serial number: 0xAC036525, device path: {1:s}]'.format(
                volume_index, device_path)
            for volume_index, device_path in enumerate(device_paths, start=1))

        expected_message = (
            'Prefetch [WUAUCLT.EXE] was executed - run count 25 path: '
            '\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE hash: 0x830BCC14 ' +
            volume_descriptions)
        expected_short_message = 'WUAUCLT.EXE was run 25 time(s)'

        self._TestGetMessageStrings(
            last_run_event, expected_message, expected_short_message)

        # The volume creation event.
        volume_event = events[0]

        self.assertEqual(volume_event.data_type, 'windows:volume:creation')

        self.CheckTimestamp(volume_event.timestamp, '2010-11-10 17:37:26.484375')
        self.assertEqual(
            volume_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

        expected_message = (
            '\\DEVICE\\HARDDISKVOLUME1 Serial number: 0xAC036525 '
            'Origin: WUAUCLT.EXE-830BCC14.pf')
        expected_short_message = (
            '\\DEVICE\\HARDDISKVOLUME1 Origin: WUAUCLT.EXE-830BCC14.pf')

        self._TestGetMessageStrings(
            volume_event, expected_message, expected_short_message)
 def setUp(self):
     """Creates the Windows Prefetch parser shared by the tests in this case."""
     parser = winprefetch.WinPrefetchParser()
     self._parser = parser
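    def testParse23MultiVolume(self):
        """Tests the Parse function on a multi volume version 23 Prefetch file.

        WUAUCLT.EXE-830BCC14.pf references five volumes: the live volume and
        four volume shadow copies, all carrying the same serial number. The
        complete device path and serial number lists are asserted, not only
        their first entry, so a parser regression that truncates or reorders
        the volume table is caught instead of being hidden behind a matching
        first volume.

        Note: this event-queue based test does not assert parser warning
        counts, unlike the storage-writer based tests.
        """
        parser_object = winprefetch.WinPrefetchParser()

        test_file = self._GetTestFilePath([u'WUAUCLT.EXE-830BCC14.pf'])
        event_queue_consumer = self._ParseFile(parser_object, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 6)

        expected_device_paths = [
            u'\\DEVICE\\HARDDISKVOLUME1',
            u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
            u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
            u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
            u'\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8']
        # Every shadow copy reports the serial number of the live volume.
        expected_serial_numbers = [0xac036525] * len(expected_device_paths)

        # The prefetch last run event.
        event_object = event_objects[5]
        self.assertEqual(event_object.version, 23)

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-03-15 21:17:39.807996')
        self.assertEqual(event_object.timestamp, expected_timestamp)
        self.assertEqual(event_object.timestamp_desc,
                         eventdata.EventTimestamp.LAST_RUNTIME)

        self.assertEqual(event_object.executable, u'WUAUCLT.EXE')
        self.assertEqual(event_object.prefetch_hash, 0x830bcc14)
        self.assertEqual(event_object.path,
                         u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE')
        self.assertEqual(event_object.run_count, 25)
        # list() keeps the comparison valid should the parser store these as
        # tuples rather than lists.
        self.assertEqual(
            list(event_object.volume_device_paths), expected_device_paths)
        self.assertEqual(
            list(event_object.volume_serial_numbers), expected_serial_numbers)

        expected_msg = (
            u'Prefetch [WUAUCLT.EXE] was executed - run count 25 path: '
            u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE '
            u'hash: 0x830BCC14 '
            u'volume: 1 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUME1], '
            u'volume: 2 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY2], '
            u'volume: 3 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY4], '
            u'volume: 4 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY7], '
            u'volume: 5 [serial number: 0xAC036525, '
            u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY8]')

        expected_msg_short = u'WUAUCLT.EXE was run 25 time(s)'

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)

        # The volume creation event.
        event_object = event_objects[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2010-11-10 17:37:26.484375')
        self.assertEqual(event_object.timestamp, expected_timestamp)
        self.assertEqual(event_object.timestamp_desc,
                         eventdata.EventTimestamp.CREATION_TIME)

        expected_msg = (u'\\DEVICE\\HARDDISKVOLUME1 '
                        u'Serial number: 0xAC036525 '
                        u'Origin: WUAUCLT.EXE-830BCC14.pf')

        expected_msg_short = (u'\\DEVICE\\HARDDISKVOLUME1 '
                              u'Origin: WUAUCLT.EXE-830BCC14.pf')

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)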
    def testParse17(self):
        """Tests the Parse function on a version 17 Prefetch file.

        CMD.EXE-087B4001.pf is a single volume version 17 file. The test pins
        the last run event, including its complete mapped files list, and the
        volume creation event with its rendered message strings.

        Note: this event-queue based test does not assert parser warning
        counts, unlike the storage-writer based tests.
        """
        parser_object = winprefetch.WinPrefetchParser()

        test_file = self._GetTestFilePath([u'CMD.EXE-087B4001.pf'])
        event_queue_consumer = self._ParseFile(parser_object, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        # One volume creation event followed by the last run event.
        self.assertEqual(len(event_objects), 2)
        volume_creation_event, last_run_event = event_objects

        # The prefetch last run event.
        expected_attributes = {
            'version': 17,
            'timestamp': timelib.Timestamp.CopyFromString(
                u'2013-03-10 10:11:49.281250'),
            'timestamp_desc': eventdata.EventTimestamp.LAST_RUNTIME,
            'executable': u'CMD.EXE',
            'prefetch_hash': 0x087b4001}
        for attribute_name, expected_value in sorted(
                expected_attributes.items()):
            self.assertEqual(
                getattr(last_run_event, attribute_name), expected_value)
        self.assertEqual(last_run_event.volume_serial_numbers[0], 0x24cb074b)

        # All mapped files live on the single volume, so the expected list is
        # built from paths relative to the volume device path.
        volume_prefix = u'\\DEVICE\\HARDDISKVOLUME1\\'
        relative_mapped_files = [
            u'WINDOWS\\SYSTEM32\\NTDLL.DLL',
            u'WINDOWS\\SYSTEM32\\KERNEL32.DLL',
            u'WINDOWS\\SYSTEM32\\UNICODE.NLS',
            u'WINDOWS\\SYSTEM32\\LOCALE.NLS',
            u'WINDOWS\\SYSTEM32\\SORTTBLS.NLS',
            u'WINDOWS\\SYSTEM32\\MSVCRT.DLL',
            u'WINDOWS\\SYSTEM32\\CMD.EXE',
            u'WINDOWS\\SYSTEM32\\USER32.DLL',
            u'WINDOWS\\SYSTEM32\\GDI32.DLL',
            u'WINDOWS\\SYSTEM32\\SHIMENG.DLL',
            u'WINDOWS\\APPPATCH\\SYSMAIN.SDB',
            u'WINDOWS\\APPPATCH\\ACGENRAL.DLL',
            u'WINDOWS\\SYSTEM32\\ADVAPI32.DLL',
            u'WINDOWS\\SYSTEM32\\RPCRT4.DLL',
            u'WINDOWS\\SYSTEM32\\WINMM.DLL',
            u'WINDOWS\\SYSTEM32\\OLE32.DLL',
            u'WINDOWS\\SYSTEM32\\OLEAUT32.DLL',
            u'WINDOWS\\SYSTEM32\\MSACM32.DLL',
            u'WINDOWS\\SYSTEM32\\VERSION.DLL',
            u'WINDOWS\\SYSTEM32\\SHELL32.DLL',
            u'WINDOWS\\SYSTEM32\\SHLWAPI.DLL',
            u'WINDOWS\\SYSTEM32\\USERENV.DLL',
            u'WINDOWS\\SYSTEM32\\UXTHEME.DLL',
            u'WINDOWS\\SYSTEM32\\CTYPE.NLS',
            u'WINDOWS\\SYSTEM32\\SORTKEY.NLS',
            (u'WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_'
             u'6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\COMCTL32.DLL'),
            u'WINDOWS\\WINDOWSSHELL.MANIFEST',
            u'WINDOWS\\SYSTEM32\\COMCTL32.DLL',
            u'D50FF1E628137B1A251B47AB9466\\UPDATE\\UPDATE.EXE.MANIFEST',
            u'$MFT',
            u'WINDOWS\\IE7\\SPUNINST\\SPUNINST.EXE.MANIFEST',
            u'D50FF1E628137B1A251B47AB9466\\UPDATE\\IERESETICONS.EXE',
            u'WINDOWS\\IE7\\SPUNINST\\IERESETICONS.EXE']
        expected_mapped_files = [
            volume_prefix + relative_path
            for relative_path in relative_mapped_files]

        self.assertEqual(last_run_event.mapped_files, expected_mapped_files)

        # The volume creation event.
        self.assertEqual(
            volume_creation_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2013-03-10 10:19:46.234375'))
        self.assertEqual(volume_creation_event.timestamp_desc,
                         eventdata.EventTimestamp.CREATION_TIME)

        expected_msg = (u'\\DEVICE\\HARDDISKVOLUME1 '
                        u'Serial number: 0x24CB074B '
                        u'Origin: CMD.EXE-087B4001.pf')

        expected_msg_short = (u'\\DEVICE\\HARDDISKVOLUME1 '
                              u'Origin: CMD.EXE-087B4001.pf')

        self._TestGetMessageStrings(
            volume_creation_event, expected_msg, expected_msg_short)
    def testParse26(self):
        """Tests the Parse function on a version 26 Prefetch file.

        TASKHOST.EXE-3AE259FC.pf is a version 26 file, for which the parser
        emits a last run event and a "Previous" last run event alongside the
        volume creation event. The mapped files list, with its MFT entry and
        sequence number annotations, is pinned on the previous run event.

        Note: this event-queue based test does not assert parser warning
        counts, unlike the storage-writer based tests.
        """
        parser_object = winprefetch.WinPrefetchParser()

        test_file = self._GetTestFilePath([u'TASKHOST.EXE-3AE259FC.pf'])
        event_queue_consumer = self._ParseFile(parser_object, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 5)

        volume_creation_event = event_objects[0]
        last_run_event = event_objects[1]
        previous_run_event = event_objects[2]

        def _CheckTimestamp(event_object, timestamp_string, timestamp_desc):
            """Asserts the timestamp and timestamp description of an event."""
            expected_timestamp = timelib.Timestamp.CopyFromString(
                timestamp_string)
            self.assertEqual(event_object.timestamp, expected_timestamp)
            self.assertEqual(event_object.timestamp_desc, timestamp_desc)

        # The prefetch last run event.
        self.assertEqual(last_run_event.version, 26)
        _CheckTimestamp(
            last_run_event, u'2013-10-04 15:40:09.037833',
            eventdata.EventTimestamp.LAST_RUNTIME)
        self.assertEqual(last_run_event.executable, u'TASKHOST.EXE')
        self.assertEqual(last_run_event.prefetch_hash, 0x3ae259fc)

        # The prefetch previous last run event.
        _CheckTimestamp(
            previous_run_event, u'2013-10-04 15:28:09.010356',
            u'Previous {0:s}'.format(eventdata.EventTimestamp.LAST_RUNTIME))

        expected_mapped_files = [
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL '
             u'[MFT entry: 46299, sequence: 1]'),
            u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TASKHOST.EXE',
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL32.DLL '
             u'[MFT entry: 45747, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL '
             u'[MFT entry: 45734, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\LOCALE.NLS '
             u'[MFT entry: 45777, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSVCRT.DLL '
             u'[MFT entry: 46033, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCRT4.DLL '
             u'[MFT entry: 46668, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\COMBASE.DLL '
             u'[MFT entry: 44616, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL '
             u'[MFT entry: 46309, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLE32.DLL '
             u'[MFT entry: 46348, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCSS.DLL '
             u'[MFT entry: 46654, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL '
             u'[MFT entry: 45698, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL '
             u'[MFT entry: 44560, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL '
             u'[MFT entry: 44355, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\USER32.DLL '
             u'[MFT entry: 47130, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\GDI32.DLL '
             u'[MFT entry: 45344, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\EN-US\\'
             u'TASKHOST.EXE.MUI'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SECHOST.DLL '
             u'[MFT entry: 46699, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL '
             u'[MFT entry: 44511, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RACENGN.DLL '
             u'[MFT entry: 46549, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTMARTA.DLL '
             u'[MFT entry: 46262, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WEVTAPI.DLL '
             u'[MFT entry: 47223, sequence: 1]'),
            u'\\DEVICE\\HARDDISKVOLUME2\\$MFT',
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SQMAPI.DLL '
             u'[MFT entry: 46832, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\AEPIC.DLL '
             u'[MFT entry: 43991, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINTRUST.DLL '
             u'[MFT entry: 47372, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SLWGA.DLL '
             u'[MFT entry: 46762, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\DXGI.DLL '
             u'[MFT entry: 44935, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ESENT.DLL '
             u'[MFT entry: 45256, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WMICLNT.DLL '
             u'[MFT entry: 47413, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL '
             u'[MFT entry: 43994, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SFC_OS.DLL '
             u'[MFT entry: 46729, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\VERSION.DLL '
             u'[MFT entry: 47120, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPT32.DLL '
             u'[MFT entry: 44645, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSASN1.DLL '
             u'[MFT entry: 45909, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL '
             u'[MFT entry: 47527, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SPPC.DLL '
             u'[MFT entry: 46803, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\POWRPROF.DLL '
             u'[MFT entry: 46413, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\PROFAPI.DLL '
             u'[MFT entry: 46441, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
             u'RACMETADATA.DAT [MFT entry: 39345, sequence: 2]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\\SORTING\\'
             u'SORTDEFAULT.NLS [MFT entry: 37452, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RACRULES.XML '
             u'[MFT entry: 46509, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TASKSCHD.DLL '
             u'[MFT entry: 47043, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SSPICLI.DLL '
             u'[MFT entry: 46856, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\XMLLITE.DLL '
             u'[MFT entry: 47569, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
             u'RACWMIEVENTDATA.DAT [MFT entry: 23870, sequence: 3]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
             u'RACWMIDATABOOKMARKS.DAT [MFT entry: 23871, sequence: 2]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TPMTASKS.DLL '
             u'[MFT entry: 47003, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NCRYPT.DLL '
             u'[MFT entry: 46073, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BCRYPT.DLL '
             u'[MFT entry: 44346, sequence: 1]'),
            (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTASN1.DLL '
             u'[MFT entry: 46261, sequence: 1]')
        ]

        self.assertEqual(previous_run_event.mapped_files, expected_mapped_files)

        # The volume creation event.
        _CheckTimestamp(
            volume_creation_event, u'2013-10-04 15:57:26.146547',
            eventdata.EventTimestamp.CREATION_TIME)
 def setUp(self):
     """Creates the Windows Prefetch parser, with a preprocessing object, used by the tests."""
     preprocess_object = event.PreprocessObject()
     self._parser = winprefetch.WinPrefetchParser(preprocess_object)
    def testParse26(self):
        """Tests the Parse function on a version 26 Prefetch file.

        TASKHOST.EXE-3AE259FC.pf is a version 26 file, for which the parser
        emits a last run event and a "Previous" last run event alongside the
        volume creation event. Mapped file entries that carry an MFT reference
        are rendered as "<path> [<MFT entry>-<sequence number>]"; the complete
        list is pinned on the previous run event. No extraction or recovery
        warnings are expected for this file.
        """
        parser = winprefetch.WinPrefetchParser()
        storage_writer = self._ParseFile(['TASKHOST.EXE-3AE259FC.pf'], parser)

        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('event'), 5)
        for container_type in ('extraction_warning', 'recovery_warning'):
            self.assertEqual(
                storage_writer.GetNumberOfAttributeContainers(container_type),
                0)

        events = list(storage_writer.GetEvents())
        volume_creation_event, last_run_event, previous_run_event = events[:3]

        # The prefetch last run event.
        self.CheckEventValues(storage_writer, last_run_event, {
            'date_time': '2013-10-04 15:40:09.0378333',
            'data_type': 'windows:prefetch:execution',
            'executable': 'TASKHOST.EXE',
            'prefetch_hash': 0x3ae259fc,
            'run_count': 4,
            'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
            'version': 26})

        # The prefetch previous last run event. All mapped files live on the
        # second volume; entries are (relative path, MFT entry, sequence
        # number), with None for files that carry no MFT reference.
        volume_prefix = '\\DEVICE\\HARDDISKVOLUME2\\'
        mapped_file_entries = [
            ('WINDOWS\\SYSTEM32\\NTDLL.DLL', 46299, 1),
            ('WINDOWS\\SYSTEM32\\TASKHOST.EXE', None, None),
            ('WINDOWS\\SYSTEM32\\KERNEL32.DLL', 45747, 1),
            ('WINDOWS\\SYSTEM32\\KERNELBASE.DLL', 45734, 1),
            ('WINDOWS\\SYSTEM32\\LOCALE.NLS', 45777, 1),
            ('WINDOWS\\SYSTEM32\\MSVCRT.DLL', 46033, 1),
            ('WINDOWS\\SYSTEM32\\RPCRT4.DLL', 46668, 1),
            ('WINDOWS\\SYSTEM32\\COMBASE.DLL', 44616, 1),
            ('WINDOWS\\SYSTEM32\\OLEAUT32.DLL', 46309, 1),
            ('WINDOWS\\SYSTEM32\\OLE32.DLL', 46348, 1),
            ('WINDOWS\\SYSTEM32\\RPCSS.DLL', 46654, 1),
            ('WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL', 45698, 1),
            ('WINDOWS\\SYSTEM32\\CRYPTBASE.DLL', 44560, 1),
            ('WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL', 44355, 1),
            ('WINDOWS\\SYSTEM32\\USER32.DLL', 47130, 1),
            ('WINDOWS\\SYSTEM32\\GDI32.DLL', 45344, 1),
            ('WINDOWS\\SYSTEM32\\EN-US\\TASKHOST.EXE.MUI', None, None),
            ('WINDOWS\\SYSTEM32\\SECHOST.DLL', 46699, 1),
            ('WINDOWS\\SYSTEM32\\CLBCATQ.DLL', 44511, 1),
            ('WINDOWS\\SYSTEM32\\RACENGN.DLL', 46549, 1),
            ('WINDOWS\\SYSTEM32\\NTMARTA.DLL', 46262, 1),
            ('WINDOWS\\SYSTEM32\\WEVTAPI.DLL', 47223, 1),
            ('$MFT', None, None),
            ('WINDOWS\\SYSTEM32\\SQMAPI.DLL', 46832, 1),
            ('WINDOWS\\SYSTEM32\\AEPIC.DLL', 43991, 1),
            ('WINDOWS\\SYSTEM32\\WINTRUST.DLL', 47372, 1),
            ('WINDOWS\\SYSTEM32\\SLWGA.DLL', 46762, 1),
            ('WINDOWS\\SYSTEM32\\DXGI.DLL', 44935, 1),
            ('WINDOWS\\SYSTEM32\\ESENT.DLL', 45256, 1),
            ('WINDOWS\\SYSTEM32\\WMICLNT.DLL', 47413, 1),
            ('WINDOWS\\SYSTEM32\\ADVAPI32.DLL', 43994, 1),
            ('WINDOWS\\SYSTEM32\\SFC_OS.DLL', 46729, 1),
            ('WINDOWS\\SYSTEM32\\VERSION.DLL', 47120, 1),
            ('WINDOWS\\SYSTEM32\\CRYPT32.DLL', 44645, 1),
            ('WINDOWS\\SYSTEM32\\MSASN1.DLL', 45909, 1),
            ('WINDOWS\\SYSTEM32\\WTSAPI32.DLL', 47527, 1),
            ('WINDOWS\\SYSTEM32\\SPPC.DLL', 46803, 1),
            ('WINDOWS\\SYSTEM32\\POWRPROF.DLL', 46413, 1),
            ('WINDOWS\\SYSTEM32\\PROFAPI.DLL', 46441, 1),
            ('PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\RACMETADATA.DAT',
             39345, 2),
            ('WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS', 37452, 1),
            ('WINDOWS\\SYSTEM32\\RACRULES.XML', 46509, 1),
            ('WINDOWS\\SYSTEM32\\TASKSCHD.DLL', 47043, 1),
            ('WINDOWS\\SYSTEM32\\SSPICLI.DLL', 46856, 1),
            ('WINDOWS\\SYSTEM32\\XMLLITE.DLL', 47569, 1),
            ('PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\RACWMIEVENTDATA.DAT',
             23870, 3),
            ('PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\RACWMIDATABOOKMARKS.DAT',
             23871, 2),
            ('WINDOWS\\SYSTEM32\\TPMTASKS.DLL', 47003, 1),
            ('WINDOWS\\SYSTEM32\\NCRYPT.DLL', 46073, 1),
            ('WINDOWS\\SYSTEM32\\BCRYPT.DLL', 44346, 1),
            ('WINDOWS\\SYSTEM32\\NTASN1.DLL', 46261, 1)]

        expected_mapped_files = []
        for relative_path, mft_entry, sequence_number in mapped_file_entries:
            mapped_file = volume_prefix + relative_path
            if mft_entry is not None:
                mapped_file = '{0:s} [{1:d}-{2:d}]'.format(
                    mapped_file, mft_entry, sequence_number)
            expected_mapped_files.append(mapped_file)

        self.CheckEventValues(storage_writer, previous_run_event, {
            'date_time': '2013-10-04 15:28:09.0103565',
            'mapped_files': expected_mapped_files,
            'timestamp_desc': 'Previous {0:s}'.format(
                definitions.TIME_DESCRIPTION_LAST_RUN)})

        # The volume creation event.
        self.CheckEventValues(storage_writer, volume_creation_event, {
            'date_time': '2013-10-04 15:57:26.1465476',
            'data_type': 'windows:volume:creation',
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})
    def testParse23MultiVolume(self):
        """Tests the Parse function on a multi volume version 23 Prefetch file.

        WUAUCLT.EXE-830BCC14.pf references the live volume and four volume
        shadow copies, all with the same serial number. All five device paths
        and serial numbers are pinned, as are the rendered message strings of
        the last run event and of the first volume creation event. No parser
        warnings are expected for this file.
        """
        parser = winprefetch.WinPrefetchParser()
        storage_writer = self._ParseFile(['WUAUCLT.EXE-830BCC14.pf'], parser)

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 6)

        events = list(storage_writer.GetEvents())
        volume_creation_event = events[0]
        last_run_event = events[5]

        expected_device_paths = [
            '\\DEVICE\\HARDDISKVOLUME1',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY2',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY4',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY7',
            '\\DEVICE\\HARDDISKVOLUMESHADOWCOPY8']
        # Every shadow copy reports the serial number of the live volume.
        expected_serial_numbers = [0xac036525] * len(expected_device_paths)

        # The prefetch last run event.
        self.CheckEventValues(storage_writer, last_run_event, {
            'data_type': 'windows:prefetch:execution',
            'executable': 'WUAUCLT.EXE',
            'path_hints': ['\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE'],
            'prefetch_hash': 0x830bcc14,
            'run_count': 25,
            'timestamp': '2012-03-15 21:17:39.807996',
            'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
            'version': 23,
            'volume_device_paths': expected_device_paths,
            'volume_serial_numbers': expected_serial_numbers})

        expected_message = (
            'Prefetch [WUAUCLT.EXE] was executed - run count 25 '
            'path hints: \\WINDOWS\\SYSTEM32\\WUAUCLT.EXE '
            'hash: 0x830BCC14 '
            'volume: 1 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUME1], '
            'volume: 2 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY2], '
            'volume: 3 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY4], '
            'volume: 4 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY7], '
            'volume: 5 [serial number: 0xAC036525, '
            'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY8]')

        last_run_event_data = self._GetEventDataOfEvent(
            storage_writer, last_run_event)
        self._TestGetMessageStrings(
            last_run_event_data, expected_message,
            'WUAUCLT.EXE was run 25 time(s)')

        # The volume creation event.
        self.CheckEventValues(storage_writer, volume_creation_event, {
            'data_type': 'windows:volume:creation',
            'timestamp': '2010-11-10 17:37:26.484375',
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})

        expected_message = (
            '\\DEVICE\\HARDDISKVOLUME1 '
            'Serial number: 0xAC036525 '
            'Origin: WUAUCLT.EXE-830BCC14.pf')
        expected_short_message = (
            '\\DEVICE\\HARDDISKVOLUME1 '
            'Origin: WUAUCLT.EXE-830BCC14.pf')

        volume_creation_event_data = self._GetEventDataOfEvent(
            storage_writer, volume_creation_event)
        self._TestGetMessageStrings(
            volume_creation_event_data, expected_message,
            expected_short_message)
    def testParse17(self):
        """Tests the Parse function on a version 17 Prefetch file.

        CMD.EXE-087B4001.pf is a single volume version 17 file. The test pins
        the last run event, including its complete mapped files list, and the
        volume creation event with its device path, serial number and origin.
        No extraction or recovery warnings are expected for this file.
        """
        parser = winprefetch.WinPrefetchParser()
        storage_writer = self._ParseFile(['CMD.EXE-087B4001.pf'], parser)

        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('event'), 2)
        for container_type in ('extraction_warning', 'recovery_warning'):
            self.assertEqual(
                storage_writer.GetNumberOfAttributeContainers(container_type),
                0)

        events = list(storage_writer.GetEvents())
        volume_creation_event, last_run_event = events

        # Check the prefetch last run event. All mapped files live on the
        # single volume, so the expected list is built from paths relative to
        # the volume device path.
        volume_prefix = '\\DEVICE\\HARDDISKVOLUME1\\'
        relative_mapped_files = [
            'WINDOWS\\SYSTEM32\\NTDLL.DLL',
            'WINDOWS\\SYSTEM32\\KERNEL32.DLL',
            'WINDOWS\\SYSTEM32\\UNICODE.NLS',
            'WINDOWS\\SYSTEM32\\LOCALE.NLS',
            'WINDOWS\\SYSTEM32\\SORTTBLS.NLS',
            'WINDOWS\\SYSTEM32\\MSVCRT.DLL',
            'WINDOWS\\SYSTEM32\\CMD.EXE',
            'WINDOWS\\SYSTEM32\\USER32.DLL',
            'WINDOWS\\SYSTEM32\\GDI32.DLL',
            'WINDOWS\\SYSTEM32\\SHIMENG.DLL',
            'WINDOWS\\APPPATCH\\SYSMAIN.SDB',
            'WINDOWS\\APPPATCH\\ACGENRAL.DLL',
            'WINDOWS\\SYSTEM32\\ADVAPI32.DLL',
            'WINDOWS\\SYSTEM32\\RPCRT4.DLL',
            'WINDOWS\\SYSTEM32\\WINMM.DLL',
            'WINDOWS\\SYSTEM32\\OLE32.DLL',
            'WINDOWS\\SYSTEM32\\OLEAUT32.DLL',
            'WINDOWS\\SYSTEM32\\MSACM32.DLL',
            'WINDOWS\\SYSTEM32\\VERSION.DLL',
            'WINDOWS\\SYSTEM32\\SHELL32.DLL',
            'WINDOWS\\SYSTEM32\\SHLWAPI.DLL',
            'WINDOWS\\SYSTEM32\\USERENV.DLL',
            'WINDOWS\\SYSTEM32\\UXTHEME.DLL',
            'WINDOWS\\SYSTEM32\\CTYPE.NLS',
            'WINDOWS\\SYSTEM32\\SORTKEY.NLS',
            ('WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_'
             '6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\COMCTL32.DLL'),
            'WINDOWS\\WINDOWSSHELL.MANIFEST',
            'WINDOWS\\SYSTEM32\\COMCTL32.DLL',
            'D50FF1E628137B1A251B47AB9466\\UPDATE\\UPDATE.EXE.MANIFEST',
            '$MFT',
            'WINDOWS\\IE7\\SPUNINST\\SPUNINST.EXE.MANIFEST',
            'D50FF1E628137B1A251B47AB9466\\UPDATE\\IERESETICONS.EXE',
            'WINDOWS\\IE7\\SPUNINST\\IERESETICONS.EXE']
        expected_mapped_files = [
            volume_prefix + relative_path
            for relative_path in relative_mapped_files]

        self.CheckEventValues(storage_writer, last_run_event, {
            'date_time': '2013-03-10 10:11:49.2812500',
            'data_type': 'windows:prefetch:execution',
            'executable': 'CMD.EXE',
            'mapped_files': expected_mapped_files,
            'prefetch_hash': 0x087b4001,
            'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
            'version': 17,
            'volume_serial_numbers': [0x24cb074b]})

        # Check the volume creation event.
        self.CheckEventValues(storage_writer, volume_creation_event, {
            'date_time': '2013-03-10 10:19:46.2343750',
            'data_type': 'windows:volume:creation',
            'device_path': '\\DEVICE\\HARDDISKVOLUME1',
            'origin': 'CMD.EXE-087B4001.pf',
            'serial_number': 0x24cb074b,
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})