def BuildArtifactsRegistry(cls, artifact_definitions_path,
custom_artifacts_path):
if artifact_definitions_path and not os.path.isdir(
artifact_definitions_path):
raise errors.BadConfigOption(
'No such artifacts filter file: {0:s}.'.format(
artifact_definitions_path))
if custom_artifacts_path and not os.path.isfile(custom_artifacts_path):
raise errors.BadConfigOption(
'No such artifacts filter file: {0:s}.'.format(
custom_artifacts_path))
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
try:
registry.ReadFromDirectory(reader, artifact_definitions_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption(
('Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(artifact_definitions_path, exception))
if custom_artifacts_path:
try:
registry.ReadFromFile(reader, custom_artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption((
'Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(custom_artifacts_path, exception))
return registry
def testProcessSources(self):
"""Tests the PreprocessSources and ProcessSources function."""
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
path = shared_test_lib.GetTestFilePath(['artifacts'])
registry.ReadFromDirectory(reader, path)
test_engine = task_engine.TaskMultiProcessEngine(
maximum_number_of_tasks=100)
source_path = self._GetTestFilePath(['ímynd.dd'])
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=source_path)
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location='/',
parent=os_path_spec)
test_engine.PreprocessSources(registry, [source_path_spec])
session = sessions.Session()
configuration = configurations.ProcessingConfiguration()
configuration.parser_filter_expression = 'filestat'
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
test_engine.ProcessSources(session.identifier, [source_path_spec],
storage_writer, configuration)
def testPreprocessSources(self):
"""Tests the PreprocessSources function."""
test_file_path = self._GetTestFilePath(['SOFTWARE'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(test_file_path)
test_artifacts_path = shared_test_lib.GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, test_artifacts_path)
test_engine = TestEngine()
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location='/')
test_engine.PreprocessSources(registry, [source_path_spec])
operating_system = test_engine.knowledge_base.GetValue(
'operating_system')
self.assertEqual(operating_system, 'Windows NT')
test_engine.PreprocessSources(registry, [None])
def testProcessSources(self):
"""Tests the ProcessSources function."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['ímynd.dd'])
self._SkipIfPathNotExists(test_file_path)
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, test_artifacts_path)
test_engine = single_process.SingleProcessEngine()
resolver_context = context.Context()
session = sessions.Session()
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location='/',
parent=os_path_spec)
test_engine.PreprocessSources(registry, [source_path_spec])
storage_writer = fake_writer.FakeStorageWriter(session)
configuration = configurations.ProcessingConfiguration()
configuration.parser_filter_expression = 'filestat'
test_engine.ProcessSources([source_path_spec], storage_writer,
resolver_context, configuration)
self.assertEqual(storage_writer.number_of_events, 15)
def testArtifactDefinitionsRegistry(self):
"""Tests the ArtifactDefinitionsRegistry functions."""
test_file = self._GetTestFilePath(['definitions.yaml'])
if not os.path.exists(test_file):
raise unittest.SkipTest('missing test file: definitions.yaml')
artifact_registry = registry.ArtifactDefinitionsRegistry()
artifact_reader = reader.YamlArtifactsReader()
for artifact_definition in artifact_reader.ReadFile(test_file):
artifact_registry.RegisterDefinition(artifact_definition)
# Make sure the test file got turned into artifacts.
self.assertEqual(len(artifact_registry.GetDefinitions()), 7)
artifact_definition = artifact_registry.GetDefinitionByName(
'EventLogs')
self.assertIsNotNone(artifact_definition)
# Try to register something already registered
with self.assertRaises(KeyError):
artifact_registry.RegisterDefinition(artifact_definition)
# Deregister
artifact_registry.DeregisterDefinition(artifact_definition)
# Check it is gone
with self.assertRaises(KeyError):
artifact_registry.DeregisterDefinition(artifact_definition)
self.assertEqual(len(artifact_registry.GetDefinitions()), 6)
test_artifact_definition = artifact_registry.GetDefinitionByName(
'SecurityEventLogEvtx')
self.assertIsNotNone(test_artifact_definition)
self.assertEqual(test_artifact_definition.name, 'SecurityEventLogEvtx')
expected_description = (
'Windows Security Event log for Vista or later systems.')
self.assertEqual(test_artifact_definition.description,
expected_description)
bad_args = io.BytesIO(
b'name: SecurityEventLogEvtx\n'
b'doc: Windows Security Event log for Vista or later systems.\n'
b'sources:\n'
b'- type: FILE\n'
b' attributes: {broken: [\'%%environ_systemroot%%\\System32\\'
b'winevt\\Logs\\Security.evtx\']}\n'
b'conditions: [os_major_version >= 6]\n'
b'labels: [Logs]\n'
b'supported_os: [Windows]\n'
b'urls: [\'http://www.forensicswiki.org/wiki/\n'
b'Windows_XML_Event_Log_(EVTX)\']\n')
generator = artifact_reader.ReadFileObject(bad_args)
with self.assertRaises(errors.FormatError):
next(generator)
def setUpClass(cls):
"""Makes preparations before running any of the tests."""
artifacts_path = shared_test_lib.GetTestFilePath(['artifacts'])
cls._artifacts_registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
cls._artifacts_registry.ReadFromDirectory(reader, artifacts_path)
def testParseSystemWithArtifactFilters(self):
"""Tests the Parse function on a SYSTEM file with artifact filters."""
parser = winreg.WinRegistryParser()
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue']
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader,
self._GetTestFilePath(['artifacts']))
artifacts_filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper(
registry, knowledge_base)
artifacts_filter_helper.BuildFindSpecs(artifact_filter_names,
environment_variables=None)
storage_writer = self._ParseFile(
['SYSTEM'],
parser,
artifacts_filter_helper=artifacts_filter_helper)
events = list(storage_writer.GetEvents())
parser_chains = self._GetParserChains(events)
# Check the existence of few known plugins, see if they
# are being properly picked up and are parsed.
plugin_names = [
'windows_usbstor_devices', 'windows_boot_execute',
'windows_services'
]
for plugin in plugin_names:
expected_parser_chain = self._PluginNameToParserChain(plugin)
self.assertTrue(
expected_parser_chain in parser_chains,
'Chain {0:s} not found in events.'.format(
expected_parser_chain))
# Check that the number of events produced by each plugin are correct.
# There will be 5 usbstor chains for currentcontrolset:
# 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR'
parser_chain = self._PluginNameToParserChain('windows_usbstor_devices')
self.assertEqual(parser_chains.get(parser_chain, 0), 5)
# There will be 4 Windows boot execute chains for key_value pairs:
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager',
# value: 'BootExecute'}
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
# value: 'BootExecute'}
parser_chain = self._PluginNameToParserChain('windows_boot_execute')
self.assertEqual(parser_chains.get(parser_chain, 0), 4)
# There will be 831 windows services chains for keys:
# 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**'
# 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**'
parser_chain = self._PluginNameToParserChain('windows_services')
self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testArtifactDefinitionsRegistry(self):
"""Tests the ArtifactDefinitionsRegistry functions."""
artifact_registry = registry.ArtifactDefinitionsRegistry()
artifact_reader = reader.YamlArtifactsReader()
test_file = os.path.join('test_data', 'definitions.yaml')
artifact_definition = None
for artifact_definition in artifact_reader.ReadFile(test_file):
artifact_registry.RegisterDefinition(artifact_definition)
# Make sure the test file is not empty.
self.assertNotEquals(artifact_definition, None)
with self.assertRaises(KeyError):
artifact_registry.RegisterDefinition(artifact_definition)
artifact_definitions = []
for artifact_definition in artifact_registry.GetDefinitions():
artifact_definitions.append(artifact_definition)
artifact_registry.DeregisterDefinition(artifact_definition)
with self.assertRaises(KeyError):
artifact_registry.DeregisterDefinition(artifact_definition)
artifact_definitions = []
for artifact_definition in artifact_registry.GetDefinitions():
artifact_definitions.append(artifact_definition)
self.assertEqual(len(artifact_definitions), 6)
test_artifact_definition = artifact_registry.GetDefinitionByName(
'SecurityEventLogEvtx')
self.assertNotEquals(test_artifact_definition, None)
self.assertEquals(test_artifact_definition.name,
u'SecurityEventLogEvtx')
expected_description = (
u'Windows Security Event log for Vista or later systems.')
self.assertEquals(test_artifact_definition.description,
expected_description)
bad_args = io.BytesIO(b'\n'.join([
b'name: SecurityEventLogEvtx',
b'doc: Windows Security Event log for Vista or later systems.',
b'sources:', b'- type: FILE',
(b' attributes: {broken: [\'%%environ_systemroot%%\\System32\\'
b'winevt\\Logs\\Security.evtx\']}'),
b'conditions: [os_major_version >= 6]', b'labels: [Logs]',
b'supported_os: [Windows]',
(b'urls: [\'http://www.forensicswiki.org/wiki/'
b'Windows_XML_Event_Log_(EVTX)\']')
]))
generator = artifact_reader.ReadFileObject(bad_args)
with self.assertRaises(TypeError):
_ = generator.next()
def testCollectFromFileSystem(self):
"""Tests the CollectFromFileSystem function."""
path = self._GetTestFilePath(['artifacts'])
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, path)
knowledge_base_object = knowledge_base.KnowledgeBase()
_ = knowledge_base_object
def testProcessSources(self):
"""Tests the ProcessSources function."""
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
test_file_path = self._GetTestFilePath(['ímynd.dd'])
self._SkipIfPathNotExists(test_file_path)
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, test_artifacts_path)
test_engine = extraction_engine.SingleProcessEngine()
resolver_context = context.Context()
os_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=test_file_path)
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_TSK,
location='/',
parent=os_path_spec)
session = sessions.Session()
configuration = configurations.ProcessingConfiguration()
configuration.parser_filter_expression = 'filestat'
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
try:
test_engine.PreprocessSources(registry, [source_path_spec],
session, storage_writer)
test_engine.ProcessSources(session, [source_path_spec],
storage_writer, resolver_context,
configuration)
finally:
storage_writer.Close()
self.assertEqual(storage_writer.number_of_events, 15)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
expected_parsers_counter = collections.Counter({
'filestat': 15,
'total': 15
})
self.assertEqual(session.parsers_counter, expected_parsers_counter)
def _BuildArtifactsRegistry(self, artifact_definitions_path,
custom_artifacts_path):
"""Build Find Specs from artifacts or filter file if available.
Args:
artifact_definitions_path (str): path to artifact definitions directory
or file.
custom_artifacts_path (str): path to custom artifact definitions
directory or file.
Returns:
artifacts.ArtifactDefinitionsRegistry: artifact definitions registry.
Raises:
BadConfigOption: if artifact definitions cannot be read.
"""
if not artifact_definitions_path:
raise errors.BadConfigOption(
'No such artifact definitions: {0:s}.'.format(
artifact_definitions_path))
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
try:
if os.path.isdir(artifact_definitions_path):
registry.ReadFromDirectory(reader, artifact_definitions_path)
else:
registry.ReadFromFile(reader, artifact_definitions_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption(
('Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(artifact_definitions_path, exception))
if custom_artifacts_path:
try:
if os.path.isdir(custom_artifacts_path):
registry.ReadFromDirectory(reader, custom_artifacts_path)
else:
registry.ReadFromFile(reader, custom_artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption((
'Unable to read custom artifact definitions from: {0:s} with '
'error: {1!s}').format(custom_artifacts_path, exception))
return registry
def BuildArtifactsRegistry(cls, artifact_definitions_path,
custom_artifacts_path):
"""Build Find Specs from artifacts or filter file if available.
Args:
artifact_definitions_path (str): path to artifact definitions file.
custom_artifacts_path (str): path to custom artifact definitions file.
Returns:
artifacts.ArtifactDefinitionsRegistry: artifact definitions registry.
Raises:
RuntimeError: if no valid FindSpecs are built.
"""
if artifact_definitions_path and not os.path.isdir(
artifact_definitions_path):
raise errors.BadConfigOption(
'No such artifacts filter file: {0:s}.'.format(
artifact_definitions_path))
if custom_artifacts_path and not os.path.isfile(custom_artifacts_path):
raise errors.BadConfigOption(
'No such artifacts filter file: {0:s}.'.format(
custom_artifacts_path))
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
try:
registry.ReadFromDirectory(reader, artifact_definitions_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption(
('Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(artifact_definitions_path, exception))
if custom_artifacts_path:
try:
registry.ReadFromFile(reader, custom_artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption((
'Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(custom_artifacts_path, exception))
return registry
def testPreprocessSources(self):
"""Tests the PreprocessSources function."""
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
path = shared_test_lib.GetTestFilePath(['artifacts'])
registry.ReadFromDirectory(reader, path)
test_engine = TestEngine()
source_path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_FAKE, location='/')
test_engine.PreprocessSources(registry, [source_path_spec])
self.assertEqual(test_engine.knowledge_base.platform, 'Windows')
test_engine.PreprocessSources(registry, [None])
def _CreateTestArtifactDefinitionsFiltersHelper(self, knowledge_base):
"""Creates an artifact definitions filters helper for testing.
Args:
knowledge_base (KnowledgeBase): contains information from the source
data needed for filtering.
Returns:
ArtifactDefinitionsFiltersHelper: artifact definitions filters helper.
"""
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
test_artifacts_path = self._GetTestFilePath(['artifacts'])
registry.ReadFromDirectory(reader, test_artifacts_path)
return artifact_filters.ArtifactDefinitionsFiltersHelper(
registry, knowledge_base)
def testArtifactDefinitionsRegistry(self):
"""Tests the ArtifactDefinitionsRegistry functions."""
artifact_registry = registry.ArtifactDefinitionsRegistry()
artifact_reader = reader.YamlArtifactsReader()
test_file = os.path.join('test_data', 'definitions.yaml')
artifact_definition = None
with open(test_file, 'rb') as file_object:
for artifact_definition in artifact_reader.Read(file_object):
artifact_registry.RegisterDefinition(artifact_definition)
# Make sure the test file is not empty.
self.assertNotEquals(artifact_definition, None)
with self.assertRaises(KeyError):
artifact_registry.RegisterDefinition(artifact_definition)
artifact_definitions = []
for artifact_definition in artifact_registry.GetDefinitions():
artifact_definitions.append(artifact_definition)
artifact_registry.DeregisterDefinition(artifact_definition)
with self.assertRaises(KeyError):
artifact_registry.DeregisterDefinition(artifact_definition)
artifact_definitions = []
for artifact_definition in artifact_registry.GetDefinitions():
artifact_definitions.append(artifact_definition)
self.assertEqual(len(artifact_definitions), 4)
test_artifact_definition = artifact_registry.GetDefinitionByName(
'SecurityEventLogEvtx')
self.assertNotEquals(test_artifact_definition, None)
self.assertEquals(test_artifact_definition.name, u'SecurityEventLogEvtx')
expected_description = (
u'Windows Security Event log for Vista or later systems.')
self.assertEquals(
test_artifact_definition.description, expected_description)
def testGetRegistryHelpers(self):
"""Tests the GetRegistryHelpers function."""
path = self._GetTestFilePath(['artifacts'])
artifact_registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
artifact_registry.ReadFromDirectory(reader, path)
test_tool = self._ConfigureSingleFileTest()
with self.assertRaises(ValueError):
test_tool.GetRegistryHelpers(artifact_registry)
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, registry_file_types=['SYSTEM'])
self.assertEqual(len(registry_helpers), 1)
registry_helper = registry_helpers[0]
file_path = self._GetTestFilePath(['SYSTEM'])
self.assertEqual(registry_helper.path, file_path)
test_tool = self._ConfigureStorageMediaFileTest()
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, registry_file_types=['NTUSER'])
self.assertEqual(len(registry_helpers), 3)
registry_helper = registry_helpers[0]
registry_helper.Open()
expected_file_type = definitions.REGISTRY_FILE_TYPE_NTUSER
self.assertEqual(registry_helper.file_type, expected_file_type)
self.assertEqual(registry_helper.name, 'NTUSER.DAT')
self.assertEqual(registry_helper.collector_name, 'TSK')
registry_helper.Close()
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, plugin_names=['userassist'])
self.assertEqual(len(registry_helpers), 3)
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, registry_file_types=['SAM'])
self.assertEqual(len(registry_helpers), 1)
def _CreateTestArtifactDefinitionsFiltersHelper(self, knowledge_base):
"""Creates an artifact definitions filters helper for testing.
Args:
knowledge_base (KnowledgeBase): contains information from the source
data needed for filtering.
Returns:
ArtifactDefinitionsFiltersHelper: artifact definitions filters helper.
Raises:
SkipTest: if the path inside the test data directory does not exist and
the test should be skipped.
"""
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
test_artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(test_artifacts_path)
registry.ReadFromDirectory(reader, test_artifacts_path)
return artifact_filters.ArtifactDefinitionsFiltersHelper(
registry, knowledge_base)
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(
description=('Checks artifact definitions on a storage media image.'))
argument_parser.add_argument(
'--artifact_definitions',
'--artifact-definitions',
dest='artifact_definitions',
type=str,
metavar='PATH',
action='store',
help=('Path to a directory or file containing the artifact definition '
'.yaml files.'))
argument_parser.add_argument('--back_end',
'--back-end',
dest='back_end',
action='store',
metavar='NTFS',
default=None,
help='preferred dfVFS back-end.')
argument_parser.add_argument(
'--partitions',
'--partition',
dest='partitions',
action='store',
type=str,
default=None,
help=
('Define partitions to be processed. A range of partitions can be '
'defined as: "3..5". Multiple partitions can be defined as: "1,3,5" '
'(a list of comma separated values). Ranges and lists can also be '
'combined as: "1,3..5". The first partition is 1. All partitions '
'can be specified with: "all".'))
argument_parser.add_argument(
'--snapshots',
'--snapshot',
dest='snapshots',
action='store',
type=str,
default=None,
help=
('Define snapshots to be processed. A range of snapshots can be '
'defined as: "3..5". Multiple snapshots can be defined as: "1,3,5" '
'(a list of comma separated values). Ranges and lists can also be '
'combined as: "1,3..5". The first snapshot is 1. All snapshots can '
'be specified with: "all".'))
argument_parser.add_argument(
'--volumes',
'--volume',
dest='volumes',
action='store',
type=str,
default=None,
help=
('Define volumes to be processed. A range of volumes can be defined '
'as: "3..5". Multiple volumes can be defined as: "1,3,5" (a list '
'of comma separated values). Ranges and lists can also be combined '
'as: "1,3..5". The first volume is 1. All volumes can be specified '
'with: "all".'))
argument_parser.add_argument(
'-w',
'--windows_version',
'--windows-version',
dest='windows_version',
action='store',
metavar='Windows XP',
default=None,
help='string that identifies the Windows version.')
argument_parser.add_argument('source',
nargs='?',
action='store',
metavar='image.raw',
default=None,
help='path of the storage media image.')
options = argument_parser.parse_args()
if not options.source:
print('Path to source storage media image is missing.')
print('')
argument_parser.print_help()
print('')
return False
if not options.artifact_definitions:
print('Path to artifact definitions is missing.')
print('')
argument_parser.print_help()
print('')
return False
dfimagetools_helpers.SetDFVFSBackEnd(options.back_end)
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
if os.path.isdir(options.artifact_definitions):
registry.ReadFromDirectory(reader, options.artifact_definitions)
elif os.path.isfile(options.artifact_definitions):
registry.ReadFromFile(reader, options.artifact_definitions)
mediator = dfvfs_command_line.CLIVolumeScannerMediator()
scanner = volume_scanner.ArtifactDefinitionsVolumeScanner(
registry, mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = mediator.ParseVolumeIdentifiersString(
options.partitions)
if options.snapshots == 'none':
volume_scanner_options.snapshots = ['none']
else:
volume_scanner_options.snapshots = mediator.ParseVolumeIdentifiersString(
options.snapshots)
volume_scanner_options.volumes = mediator.ParseVolumeIdentifiersString(
options.volumes)
try:
if not scanner.ScanForOperatingSystemVolumes(
options.source, options=volume_scanner_options):
print('Unable to retrieve an operating system volume from: {0:s}.'.
format(options.source))
print('')
return False
definitions_with_check_results = {}
for artifact_definition in registry.GetDefinitions():
group_only = True
for source in artifact_definition.sources:
if source.type_indicator != (
artifacts_definitions.TYPE_INDICATOR_ARTIFACT_GROUP):
group_only = False
break
if group_only:
# Not interested in results of group-only artifact definitions.
continue
check_result = scanner.CheckArtifactDefinition(artifact_definition)
if check_result.number_of_file_entries:
definitions_with_check_results[
artifact_definition.name] = check_result
except dfvfs_errors.ScannerError as exception:
print('[ERROR] {0!s}'.format(exception), file=sys.stderr)
print('')
return False
except KeyboardInterrupt:
print('Aborted by user.', file=sys.stderr)
print('')
return False
print('Aritfact definitions found:')
for name, check_result in sorted(definitions_with_check_results.items()):
text = '* {0:s} [results: {1:d}]'.format(
name, check_result.number_of_file_entries)
if check_result.data_formats:
text = '{0:s} [formats: {1:s}]'.format(
text, ', '.join(sorted(check_result.data_formats)))
print(text)
print('')
return True
def ParseOptions(cls, options, configuration_object):
"""Parses and validates options.
Args:
options (argparse.Namespace): parser options.
configuration_object (CLITool): object to be configured by the argument
helper.
Raises:
BadConfigObject: when the configuration object is of the wrong type.
BadConfigOption: if the required artifact definitions are not defined.
"""
if not isinstance(configuration_object, tools.CLITool):
raise errors.BadConfigObject(
'Configuration object is not an instance of CLITool')
artifacts_path = getattr(options, 'artifact_definitions_path', None)
if ((not artifacts_path or not os.path.exists(artifacts_path))
and configuration_object.data_location):
artifacts_path = os.path.dirname(
configuration_object.data_location)
artifacts_path = os.path.join(artifacts_path, 'artifacts')
if not os.path.exists(
artifacts_path) and 'VIRTUAL_ENV' in os.environ:
artifacts_path = os.path.join(os.environ['VIRTUAL_ENV'],
'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join(sys.prefix, 'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join(sys.prefix, 'local', 'share',
'artifacts')
if sys.prefix != '/usr':
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join('/usr', 'share', 'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = os.path.join('/usr', 'local', 'share',
'artifacts')
if not os.path.exists(artifacts_path):
artifacts_path = None
if not artifacts_path or not os.path.exists(artifacts_path):
raise errors.BadConfigOption(
'Unable to determine path to artifact definitions.')
custom_artifacts_path = getattr(options,
'custom_artifact_definitions_path',
None)
if custom_artifacts_path and not os.path.exists(custom_artifacts_path):
raise errors.BadConfigOption(
('Unable to determine path to custom artifact definitions: '
'{0:s}.').format(custom_artifacts_path))
if custom_artifacts_path:
logger.info('Custom artifact definitions path: {0:s}'.format(
custom_artifacts_path))
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
logger.info('Determined artifact definitions path: {0:s}'.format(
artifacts_path))
try:
if os.path.isdir(artifacts_path):
registry.ReadFromDirectory(reader, artifacts_path)
else:
registry.ReadFromFile(reader, artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption(
('Unable to read artifact definitions from: {0:s} with error: '
'{1!s}').format(artifacts_path, exception))
if custom_artifacts_path:
try:
if os.path.isdir(custom_artifacts_path):
registry.ReadFromDirectory(reader, custom_artifacts_path)
else:
registry.ReadFromFile(reader, custom_artifacts_path)
except (KeyError, artifacts_errors.FormatError) as exception:
raise errors.BadConfigOption((
'Unable to read custorm artifact definitions from: {0:s} with '
'error: {1!s}').format(custom_artifacts_path, exception))
for name in preprocessors_manager.PreprocessPluginsManager.GetNames():
if not registry.GetDefinitionByName(name):
raise errors.BadConfigOption(
'Missing required artifact definition: {0:s}'.format(name))
setattr(configuration_object, '_artifact_definitions_path',
artifacts_path)
setattr(configuration_object, '_custom_artifacts_path',
custom_artifacts_path)
def __init__(self): """Initializes an artifact definitions validator.""" super(ArtifactDefinitionsValidator, self).__init__() self._artifact_registry = registry.ArtifactDefinitionsRegistry() self._artifact_registry_key_paths = set()
def __init__(self): """Initializes the artifact definitions validator object.""" super(ArtifactDefinitionsValidator, self).__init__() self._artifact_registry = registry.ArtifactDefinitionsRegistry()
def testParseRegistry(self):
"""Tests the _ParseRegistryFile and ParseRegistryKey functions."""
path = self._GetTestFilePath(['artifacts'])
artifact_registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
artifact_registry.ReadFromDirectory(reader, path)
test_tool = self._ConfigureSingleFileTest()
registry_helpers = test_tool.GetRegistryHelpers(
artifact_registry, registry_file_types=['SYSTEM'])
registry_helper = registry_helpers[0]
plugins = test_tool._GetRegistryPluginsFromRegistryType('SYSTEM')
key_list = []
plugin_list = []
for plugin in plugins:
for key_filter in plugin.FILTERS:
plugin_list.append(plugin.NAME)
key_list.extend(key_filter.key_paths)
test_tool._ExpandKeysRedirect(key_list)
parsed_data = test_tool._ParseRegistryFile(registry_helper,
key_paths=key_list,
use_plugins=plugin_list)
for key_parsed in parsed_data:
self.assertIn(key_parsed, key_list)
usb_parsed_data = parsed_data.get(
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Enum\\USBSTOR',
None)
self.assertIsNotNone(usb_parsed_data)
usb_key = usb_parsed_data.get('key', None)
self.assertIsNotNone(usb_key)
expected_key_path = (
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum\\USBSTOR')
self.assertEqual(usb_key.path, expected_key_path)
data = usb_parsed_data.get('data', None)
self.assertIsNotNone(data)
plugin_names = [plugin.NAME for plugin in data.keys()]
self.assertIn('windows_usbstor_devices', plugin_names)
usb_plugin = None
for plugin in data.keys():
if plugin.NAME == 'windows_usbstor_devices':
usb_plugin = plugin
break
event_objects = data.get(usb_plugin, [])
self.assertEqual(len(event_objects), 5)
event = event_objects[2]
self.assertEqual(event.data_type, 'windows:registry:key_value')
parse_key_data = test_tool.ParseRegistryKey(
usb_key, registry_helper, use_plugins='windows_usbstor_devices')
self.assertEqual(len(parse_key_data.keys()), 1)
parsed_key_value = parse_key_data.values()[0]
for index, event in enumerate(event_objects):
parsed_key_event = parsed_key_value[index]
event_values = event.CopyToDict()
parsed_key_event_values = parsed_key_event.CopyToDict()
self.assertEqual(event_values, parsed_key_event_values)