    def testFilters(self):
        """Checks the plugin's FILTERS against a matching and a non-matching key.

        The RecentDocs key under HKEY_CURRENT_USER must be accepted; an
        unrelated HKEY_LOCAL_MACHINE key must be rejected.
        """
        recent_docs_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\RecentDocs')
        bogus_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

        plugin_under_test = (
            mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin())

        # Positive case: the plugin claims the RecentDocs key.
        self._AssertFiltersOnKeyPath(plugin_under_test, recent_docs_key_path)
        # Negative case: a key outside the registered paths is left alone.
        self._AssertNotFiltersOnKeyPath(plugin_under_test, bogus_key_path)
    def testProcess(self):
        """Parses the RecentDocs key of NTUSER-WIN7.DAT and checks the first event.

        Asserts that exactly 6 events and no warnings are produced, then
        verifies the first event's path spec, parser name, timestamp and the
        long/short message strings built from the MRUListEx entries.
        """
        recent_docs_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\RecentDocs')
        ntuser_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])

        registry = self._GetWinRegistryFromFileEntry(ntuser_file_entry)
        recent_docs_key = registry.GetKeyByPath(recent_docs_key_path)

        plugin_under_test = (
            mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin())
        storage_writer = self._ParseKeyWithPlugin(
            recent_docs_key, plugin_under_test, file_entry=ntuser_file_entry)

        # Every MRU value in the key should parse cleanly.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 6)

        first_event = list(storage_writer.GetEvents())[0]

        # The event is attributed to the file it was extracted from.
        self.assertEqual(first_event.pathspec, ntuser_file_entry.path_spec)
        # The plugin is invoked directly rather than via the parser, so the
        # parser attribute carries only the plugin name.
        self.assertEqual(first_event.parser, plugin_under_test.plugin_name)

        self.CheckTimestamp(first_event.timestamp, '2012-04-01 13:52:39.113742')

        expected_message = (
            '[{0:s}] '
            'Index: 1 [MRU Value 17]: Path: The SHIELD, '
            'Shell item: [The SHIELD.lnk] '
            'Index: 10 [MRU Value 11]: Path: 5031RR_BalancedLeadership.pdf, '
            'Shell item: [5031RR_BalancedLeadership.lnk] '
            'Index: 11 [MRU Value 10]: '
            'Path: SA-23E Mitchell-Hyundyne Starfury.docx, '
            'Shell item: [SA-23E Mitchell-Hyundyne Starfury.lnk] '
            'Index: 12 [MRU Value 9]: Path: StarFury.docx, '
            'Shell item: [StarFury (3).lnk] '
            'Index: 13 [MRU Value 6]: Path: StarFury.zip, '
            'Shell item: [StarFury.lnk] '
            'Index: 14 [MRU Value 4]: Path: VIBRANIUM.docx, '
            'Shell item: [VIBRANIUM.lnk] '
            'Index: 15 [MRU Value 5]: Path: ADAMANTIUM-Background.docx, '
            'Shell item: [ADAMANTIUM-Background.lnk] '
            'Index: 16 [MRU Value 3]: Path: Pictures, '
            'Shell item: [Pictures.lnk] '
            'Index: 17 [MRU Value 2]: Path: nick_fury_77831.jpg, '
            'Shell item: [nick_fury_77831.lnk] '
            'Index: 18 [MRU Value 1]: Path: Downloads, '
            'Shell item: [Downloads.lnk] '
            'Index: 19 [MRU Value 0]: Path: wallpaper_medium.jpg, '
            'Shell item: [wallpaper_medium.lnk] '
            'Index: 2 [MRU Value 18]: '
            'Path: captain_america_shield_by_almogrem-d48x9x8.jpg, '
            'Shell item: [captain_america_shield_by_almogrem-d48x9x8.lnk] '
            'Index: 3 [MRU Value 16]: Path: captain-america-shield-front.jpg, '
            'Shell item: [captain-america-shield-front.lnk] '
            'Index: 4 [MRU Value 12]: Path: Leadership, '
            'Shell item: [Leadership.lnk] '
            'Index: 5 [MRU Value 15]: Path: followership.pdf, '
            'Shell item: [followership.lnk] '
            'Index: 6 [MRU Value 14]: Path: leaderqualities.pdf, '
            'Shell item: [leaderqualities.lnk] '
            'Index: 7 [MRU Value 13]: Path: htlhtl.pdf, '
            'Shell item: [htlhtl.lnk] '
            'Index: 8 [MRU Value 8]: Path: StarFury, '
            'Shell item: [StarFury (2).lnk] '
            'Index: 9 [MRU Value 7]: Path: Earth_SA-26_Thunderbolt.jpg, '
            'Shell item: [Earth_SA-26_Thunderbolt.lnk]').format(
                recent_docs_key_path)
        # The short form is the first 77 characters of the long message
        # followed by an ellipsis.
        expected_short_message = '{0:s}...'.format(expected_message[:77])

        self._TestGetMessageStrings(
            first_event, expected_message, expected_short_message)
    def testProcess(self):
        """Parses the RecentDocs key of NTUSER-WIN7.DAT and checks the first event.

        Asserts that exactly 6 event containers and no extraction or recovery
        warnings are stored, then compares the first event's attribute values
        (date_time, data_type, entries, key_path, parser) against expectations.
        """
        recent_docs_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\RecentDocs')
        ntuser_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])

        registry = self._GetWinRegistryFromFileEntry(ntuser_file_entry)
        recent_docs_key = registry.GetKeyByPath(recent_docs_key_path)

        plugin_under_test = (
            mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin())
        storage_writer = self._ParseKeyWithPlugin(
            recent_docs_key, plugin_under_test, file_entry=ntuser_file_entry)

        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('event'), 6)

        # Neither kind of warning is acceptable for this sample hive.
        for warning_container_type in ('extraction_warning', 'recovery_warning'):
            self.assertEqual(
                storage_writer.GetNumberOfAttributeContainers(
                    warning_container_type),
                0)

        events = list(storage_writer.GetEvents())
        first_event = events[0]

        # Entries are listed in MRUListEx index order (most recent first).
        expected_entries = (
            'Index: 1 [MRU Value 17]: Path: The SHIELD, '
            'Shell item: [The SHIELD.lnk] '
            'Index: 2 [MRU Value 18]: '
            'Path: captain_america_shield_by_almogrem-d48x9x8.jpg, '
            'Shell item: [captain_america_shield_by_almogrem-d48x9x8.lnk] '
            'Index: 3 [MRU Value 16]: Path: captain-america-shield-front.jpg, '
            'Shell item: [captain-america-shield-front.lnk] '
            'Index: 4 [MRU Value 12]: Path: Leadership, '
            'Shell item: [Leadership.lnk] '
            'Index: 5 [MRU Value 15]: Path: followership.pdf, '
            'Shell item: [followership.lnk] '
            'Index: 6 [MRU Value 14]: Path: leaderqualities.pdf, '
            'Shell item: [leaderqualities.lnk] '
            'Index: 7 [MRU Value 13]: Path: htlhtl.pdf, '
            'Shell item: [htlhtl.lnk] '
            'Index: 8 [MRU Value 8]: Path: StarFury, '
            'Shell item: [StarFury (2).lnk] '
            'Index: 9 [MRU Value 7]: Path: Earth_SA-26_Thunderbolt.jpg, '
            'Shell item: [Earth_SA-26_Thunderbolt.lnk] '
            'Index: 10 [MRU Value 11]: Path: 5031RR_BalancedLeadership.pdf, '
            'Shell item: [5031RR_BalancedLeadership.lnk] '
            'Index: 11 [MRU Value 10]: '
            'Path: SA-23E Mitchell-Hyundyne Starfury.docx, '
            'Shell item: [SA-23E Mitchell-Hyundyne Starfury.lnk] '
            'Index: 12 [MRU Value 9]: Path: StarFury.docx, '
            'Shell item: [StarFury (3).lnk] '
            'Index: 13 [MRU Value 6]: Path: StarFury.zip, '
            'Shell item: [StarFury.lnk] '
            'Index: 14 [MRU Value 4]: Path: VIBRANIUM.docx, '
            'Shell item: [VIBRANIUM.lnk] '
            'Index: 15 [MRU Value 5]: Path: ADAMANTIUM-Background.docx, '
            'Shell item: [ADAMANTIUM-Background.lnk] '
            'Index: 16 [MRU Value 3]: Path: Pictures, '
            'Shell item: [Pictures.lnk] '
            'Index: 17 [MRU Value 2]: Path: nick_fury_77831.jpg, '
            'Shell item: [nick_fury_77831.lnk] '
            'Index: 18 [MRU Value 1]: Path: Downloads, '
            'Shell item: [Downloads.lnk] '
            'Index: 19 [MRU Value 0]: Path: wallpaper_medium.jpg, '
            'Shell item: [wallpaper_medium.lnk]')

        expected_event_values = {
            'data_type': 'windows:registry:mrulistex',
            'date_time': '2012-04-01 13:52:39.1137417',
            'entries': expected_entries,
            'key_path': recent_docs_key_path,
            # The plugin is invoked directly rather than via the parser, so
            # the parser attribute carries only the plugin name.
            'parser': plugin_under_test.NAME,
        }

        self.CheckEventValues(storage_writer, first_event, expected_event_values)