def testListHashers(self):
"""Tests the ListHashers function."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
test_tool.ListHashers()
output = output_writer.ReadOutput()
number_of_tables = 0
lines = []
for line in output.split(b'\n'):
line = line.strip()
lines.append(line)
if line.startswith(b'*****') and line.endswith(b'*****'):
number_of_tables += 1
self.assertIn(u'Hashers', lines[1])
lines = frozenset(lines)
self.assertEqual(number_of_tables, 1)
expected_line = b'md5 : Calculates an MD5 digest hash over input data.'
self.assertIn(expected_line, lines)
def testListOutputModules(self):
"""Tests the ListOutputModules function."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
test_tool.ListOutputModules()
output = output_writer.ReadOutput()
number_of_tables = 0
lines = []
for line in output.split(b'\n'):
line = line.strip()
lines.append(line)
if line.startswith(b'*****') and line.endswith(b'*****'):
number_of_tables += 1
self.assertIn(u'Output Modules', lines[1])
# pylint: disable=protected-access
lines = frozenset(lines)
disabled_outputs = list(test_tool._front_end.GetDisabledOutputClasses())
enabled_outputs = list(test_tool._front_end.GetOutputClasses())
expected_number_of_tables = 0
if disabled_outputs:
expected_number_of_tables += 1
if enabled_outputs:
expected_number_of_tables += 1
self.assertEqual(number_of_tables, expected_number_of_tables)
expected_line = b'rawpy : "raw" (or native) Python output.'
self.assertIn(expected_line, lines)
def testProcessSourcesSingleFile(self):
"""Tests the ProcessSources function on a single file."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'System.evtx'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_output = [
b'',
b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')),
b'Source type\t: single file',
b'',
b'Processing started.',
b'Processing completed.',
b'',
b'']
output = output_writer.ReadOutput()
self.assertEqual(output.split(b'\n'), expected_output)
def testProcessSourcesFilestat(self):
"""Test if the filestat and other parsers ran."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.quiet = True
options.parsers = u'filestat,pe'
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'test_pe.exe'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
storage_file = storage_zip_file.ZIPStorageFile()
try:
storage_file.Open(path=options.output, read_only=True)
except IOError as exception:
self.fail((
u'Unable to open storage file after processing with error: '
u'{0:s}.').format(exception))
# There should be 3 filestat and 3 pe parser generated events.
event_objects = list(storage_file.GetEvents())
self.assertEquals(len(event_objects), 6)
def testProcessSourcesPartitionedImage(self):
"""Tests the ProcessSources function on a multi partition image."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
# TODO: refactor to partitions.
options.partitions = u'all'
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
# Note that the source file is a RAW (VMDK flat) image.
options.source = self._GetTestFilePath([u'multi_partition_image.vmdk'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_output = [
b'',
b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')),
b'Source type\t: storage media image',
b'',
b'Processing started.',
b'Processing completed.',
b'',
b'']
output = output_writer.ReadOutput()
self.assertEqual(output.split(b'\n'), expected_output)
def testProcessSourcesVSSImage(self):
"""Tests the ProcessSources function on an image containing VSS."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'vsstest.qcow2'])
options.vss_stores = u'all'
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_output = [
b'',
b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')),
b'Source type\t: storage media image',
b'',
b'Processing started.',
b'Processing completed.',
b'',
b'Number of errors encountered while extracting events: 1.',
b'',
b'Use pinfo to inspect errors in more detail.',
b'',
b'']
output = output_writer.ReadOutput()
self.assertEqual(output.split(b'\n'), expected_output)
def testProcessSourcesBDEImage(self):
"""Tests the ProcessSources function on an image containing BDE."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.credentials = [u'password:{0:s}'.format(self._BDE_PASSWORD)]
options.quiet = True
options.single_process = True
options.status_view_mode = u'none'
options.source = self._GetTestFilePath([u'bdetogo.raw'])
with shared_test_lib.TempDirectory() as temp_directory:
options.output = os.path.join(temp_directory, u'storage.plaso')
test_tool.ParseOptions(options)
test_tool.ProcessSources()
expected_output = [
b'',
b'Source path\t: {0:s}'.format(options.source.encode(u'utf-8')),
b'Source type\t: storage media image',
b'',
b'Processing started.',
b'Processing completed.',
b'',
b'']
output = output_writer.ReadOutput()
self.assertEqual(output.split(b'\n'), expected_output)
def testParseArguments(self):
"""Tests the ParseArguments function."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
result = test_tool.ParseArguments()
self.assertFalse(result)
def Process(self):
"""Process files with Log2Timeline from Plaso.
Returns:
str: path to a Plaso storage file.
"""
log_file_path = os.path.join(self.output_path, u'plaso.log')
self.console_out.VerboseOut(u'Log file: {0:s}'.format(log_file_path))
# Setup Plaso Log2Timeline tool
output_writer = cli_tools.CLIOutputWriter(encoding=u'utf-8')
tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
# Configure Log2Timeline
options = argparse.Namespace()
options.hashers = u'all'
options.dependencies_check = False
options.serializer_format = u'json'
options.status_view_mode = u'window'
options.log_file = log_file_path
# Let plaso choose the appropriate number of workers
options.workers = 0
options.source = self.artifacts_path
options.output = self.plaso_storage_file_path
if self.timezone:
options.timezone = self.timezone
tool.ParseOptions(options)
# Run the tool
tool.ProcessSources()
self.console_out.VerboseOut(u'Storage file: {0:s}'.format(
self.plaso_storage_file_path))
self.results = self.plaso_storage_file_path
def testAddProcessingOptions(self):
"""Tests the AddProcessingOptions function."""
argument_parser = argparse.ArgumentParser(
prog=u'log2timeline_test.py',
description=u'Test argument parser.', add_help=False,
formatter_class=cli_test_lib.SortedArgumentsHelpFormatter)
test_tool = log2timeline.Log2TimelineTool()
test_tool.AddProcessingOptions(argument_parser)
output = self._RunArgparseFormatHelp(argument_parser)
self.assertEqual(output, self._EXPECTED_PROCESSING_OPTIONS)
def testListParsersAndPlugins(self):
"""Tests the ListParsersAndPlugins function."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
test_tool.ListParsersAndPlugins()
output = output_writer.ReadOutput()
number_of_tables = 0
lines = []
for line in output.split(b'\n'):
line = line.strip()
lines.append(line)
if line.startswith(b'*****') and line.endswith(b'*****'):
number_of_tables += 1
self.assertIn(u'Parsers', lines[1])
lines = frozenset(lines)
self.assertEqual(number_of_tables, 9)
expected_line = b'filestat : Parser for file system stat information.'
self.assertIn(expected_line, lines)
expected_line = b'bencode_utorrent : Parser for uTorrent bencoded files.'
self.assertIn(expected_line, lines)
expected_line = (
b'msie_webcache : Parser for MSIE WebCache ESE database files.')
self.assertIn(expected_line, lines)
expected_line = b'olecf_default : Parser for a generic OLECF item.'
self.assertIn(expected_line, lines)
expected_line = b'plist_default : Parser for plist files.'
self.assertIn(expected_line, lines)
expected_line = (
b'chrome_history : Parser for Chrome history SQLite database files.'
)
self.assertIn(expected_line, lines)
expected_line = b'ssh : Parser for SSH syslog entries.'
self.assertIn(expected_line, lines)
expected_line = b'winreg_default : Parser for Registry data.'
self.assertIn(expected_line, lines)
def testShowInfo(self):
"""Tests the output of the tool in info mode."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.show_info = True
test_tool.ParseOptions(options)
test_tool.ShowInfo()
output = output_writer.ReadOutput()
section_headings = [
u'Parser Presets', u'Hashers', u'Parser Plugins', u'Versions',
u'Filters', u'Parsers', u'Output Modules']
for heading in section_headings:
self.assertIn(heading, output)
self.assertNotIn(u'<class', output)
def testParseOptions(self):
"""Tests the ParseOptions function."""
output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
test_tool = log2timeline.Log2TimelineTool(output_writer=output_writer)
options = cli_test_lib.TestOptions()
options.source = self._GetTestFilePath([u'testdir'])
options.output = u'storage.plaso'
test_tool.ParseOptions(options)
options = cli_test_lib.TestOptions()
with self.assertRaises(errors.BadConfigOption):
test_tool.ParseOptions(options)
options = cli_test_lib.TestOptions()
options.source = self._GetTestFilePath([u'testdir'])
with self.assertRaises(errors.BadConfigOption):
test_tool.ParseOptions(options)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._output_writer = cli_test_lib.TestOutputWriter(encoding=u'utf-8')
self._test_tool = log2timeline.Log2TimelineTool(
output_writer=self._output_writer)
