def Collect(self, knowledge_base):
"""Collects values from the knowledge base.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
Raises:
PreProcessFail: if the preprocessing fails.
"""
environment_variable = knowledge_base.GetEnvironmentVariable(
'programdata')
allusersprofile = getattr(environment_variable, 'value', None)
if not allusersprofile:
environment_variable = knowledge_base.GetEnvironmentVariable(
'allusersprofile')
allusersprofile = getattr(environment_variable, 'value', None)
if allusersprofile:
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='programdata', value=allusersprofile)
try:
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
'programdata', allusersprofile))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def CollectFromWindowsRegistry(
cls, artifacts_registry, knowledge_base, searcher):
"""Collects values from Windows Registry values.
Args:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
definitions registry.
knowledge_base (KnowledgeBase): to fill with preprocessing information.
searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
preprocess the Windows Registry.
"""
for preprocess_plugin in cls._windows_registry_plugins.values():
artifact_definition = artifacts_registry.GetDefinitionByName(
preprocess_plugin.ARTIFACT_DEFINITION_NAME)
if not artifact_definition:
logger.warning('Missing artifact definition: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
continue
logger.debug('Running Windows Registry preprocessor plugin: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
try:
preprocess_plugin.Collect(knowledge_base, artifact_definition, searcher)
except (IOError, errors.PreProcessFail) as exception:
logger.warning((
'Unable to collect value from artifact definition: {0:s} '
'with error: {1!s}').format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME, exception))
def CollectFromFileSystem(cls, artifacts_registry, mediator, searcher,
file_system):
"""Collects values from Windows Registry values.
Args:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
definitions registry.
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
"""
for preprocess_plugin in cls._file_system_plugins.values():
artifact_definition = artifacts_registry.GetDefinitionByName(
preprocess_plugin.ARTIFACT_DEFINITION_NAME)
if not artifact_definition:
logger.warning('Missing artifact definition: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
continue
logger.debug(
'Running file system preprocessor plugin: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
try:
preprocess_plugin.Collect(mediator, artifact_definition,
searcher, file_system)
except (IOError, errors.PreProcessFail) as exception:
logger.warning(
('Unable to collect value from artifact definition: {0:s} '
'with error: {1!s}').format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME,
exception))
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, py2to3.UNICODE_TYPE):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0:s} for '
'artifact: {1:s}.'.format(
type(value_data), self.ARTIFACT_DEFINITION_NAME))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, value_data))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def _ParseValueData(self, mediator, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
logger.debug(
'setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, value_data))
mediator.knowledge_base.AddEnvironmentVariable(
environment_variable)
except KeyError:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Unable to set environment variable: {0:s} in knowledge base.'.
format(self._NAME))
def CollectFromKnowledgeBase(cls, knowledge_base):
"""Collects values from knowledge base values.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
"""
for preprocess_plugin in cls._knowledge_base_plugins.values():
logger.debug('Running knowledge base preprocessor plugin: {0:s}'.format(
preprocess_plugin.__class__.__name__))
try:
preprocess_plugin.Collect(knowledge_base)
except errors.PreProcessFail as exception:
logger.warning(
'Unable to collect knowledge base value with error: {0!s}'.format(
exception))
def CollectFromKnowledgeBase(cls, mediator):
"""Collects values from knowledge base values.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
"""
for preprocess_plugin in cls._knowledge_base_plugins.values():
logger.debug(
'Running knowledge base preprocessor plugin: {0:s}'.format(
preprocess_plugin.__class__.__name__))
try:
preprocess_plugin.Collect(mediator)
except errors.PreProcessFail as exception:
logger.warning(
'Unable to collect knowledge base value with error: {0!s}'.
format(exception))
def ProducePreprocessingWarning(self, plugin_name, message):
"""Produces a preprocessing warning.
Args:
plugin_name (str): name of the preprocess plugin.
message (str): message of the warning.
"""
if self._storage_writer:
path_spec = None
if self._file_entry:
path_spec = self._file_entry.path_spec
warning = warnings.PreprocessingWarning(message=message,
path_spec=path_spec,
plugin_name=plugin_name)
self._storage_writer.AddAttributeContainer(warning)
logger.debug('[{0:s}] {1:s}'.format(plugin_name, message))
def AddEnvironmentVariable(self, environment_variable_artifact):
"""Adds an environment variable.
Args:
environment_variable_artifact (EnvironmentVariableArtifact): environment
variable artifact.
Raises:
KeyError: if the environment variable already exists.
"""
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
environment_variable_artifact.name,
environment_variable_artifact.value))
self._knowledge_base.AddEnvironmentVariable(
environment_variable_artifact)
if self._storage_writer:
self._storage_writer.AddAttributeContainer(
environment_variable_artifact)
def _ParsePathSpecification(self, mediator, searcher, file_system,
path_specification, path_separator):
"""Parses artifact file system data for a preprocessing attribute.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
path_specification (dfvfs.PathSpec): path specification that contains
the artifact value data.
path_separator (str): path segment separator.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
relative_path = searcher.GetRelativePath(path_specification)
if not relative_path:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: missing relative path'.
format(self.ARTIFACT_DEFINITION_NAME))
if path_separator != file_system.PATH_SEPARATOR:
relative_path_segments = file_system.SplitPath(relative_path)
relative_path = '{0:s}{1:s}'.format(
path_separator, path_separator.join(relative_path_segments))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=relative_path)
try:
logger.debug(
'setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, relative_path))
mediator.knowledge_base.AddEnvironmentVariable(
environment_variable)
except KeyError:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Unable to set environment variable: {0:s} in knowledge base.'.
format(self._NAME))
def _ParsePathSpecification(
self, knowledge_base, searcher, file_system, path_specification,
path_separator):
"""Parses artifact file system data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
path_specification (dfvfs.PathSpec): path specification that contains
the artifact value data.
path_separator (str): path segment separator.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
relative_path = searcher.GetRelativePath(path_specification)
if not relative_path:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: missing relative path'.format(
self.ARTIFACT_DEFINITION_NAME))
if path_separator != file_system.PATH_SEPARATOR:
relative_path_segments = file_system.SplitPath(relative_path)
relative_path = '{0:s}{1:s}'.format(
path_separator, path_separator.join(relative_path_segments))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=relative_path)
try:
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, relative_path))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def Collect(self, mediator):
"""Collects values from the knowledge base.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
Raises:
PreProcessFail: if the preprocessing fails.
"""
environment_variable = mediator.knowledge_base.GetEnvironmentVariable(
'programdata')
allusersappdata = getattr(environment_variable, 'value', None)
if not allusersappdata:
environment_variable = mediator.knowledge_base.GetEnvironmentVariable(
'allusersprofile')
allusersdata = getattr(environment_variable, 'value', None)
if allusersdata:
allusersappdata = '\\'.join([allusersdata, 'Application Data'])
if allusersappdata:
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False,
name='allusersappdata',
value=allusersappdata)
try:
logger.debug(
'setting environment variable: {0:s} to: "{1:s}"'.format(
'allusersappdata', allusersappdata))
mediator.knowledge_base.AddEnvironmentVariable(
environment_variable)
except KeyError:
mediator.ProducePreprocessingWarning(self.__class__.__name__, (
'Unable to set environment variable: %AllUsersAppData% in '
'knowledge base.'))
def CollectFromWindowsRegistry(cls, artifacts_registry, mediator,
searcher):
"""Collects values from Windows Registry values.
Args:
artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
definitions registry.
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
preprocess the Windows Registry.
"""
# TODO: define preprocessing plugin dependency and sort preprocess_plugins
# for now sort alphabetically to ensure WindowsAvailableTimeZones is run
# before WindowsTimezone.
for _, preprocess_plugin in sorted(
cls._windows_registry_plugins.items()):
artifact_definition = artifacts_registry.GetDefinitionByName(
preprocess_plugin.ARTIFACT_DEFINITION_NAME)
if not artifact_definition:
logger.warning('Missing artifact definition: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
continue
logger.debug(
'Running Windows Registry preprocessor plugin: {0:s}'.format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME))
try:
preprocess_plugin.Collect(mediator, artifact_definition,
searcher)
except (IOError, errors.PreProcessFail) as exception:
logger.warning(
('Unable to collect value from artifact definition: {0:s} '
'with error: {1!s}').format(
preprocess_plugin.ARTIFACT_DEFINITION_NAME,
exception))
