def testExpandWindowsPath(self):
"""Tests the ExpandWindowsPath function."""
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%SystemRoot%\\System32', [environment_variable])
self.assertEqual(expanded_path, 'C:\\Windows\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'C:\\Windows\\System32', [environment_variable])
self.assertEqual(expanded_path, 'C:\\Windows\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%SystemRoot%\\System32', None)
self.assertEqual(expanded_path, '%SystemRoot%\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%Bogus%\\System32', [environment_variable])
self.assertEqual(expanded_path, '%Bogus%\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%%environ_systemroot%%\\System32', [environment_variable])
self.assertEqual(expanded_path, '\\Windows\\System32')
# Test non-string environment variable.
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value=('bogus', 0))
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%SystemRoot%\\System32', [environment_variable])
self.assertEqual(expanded_path, '%SystemRoot%\\System32')
def testGetEnvironmentVariables(self):
"""Tests the GetEnvironmentVariables function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='WinDir', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
environment_variables = knowledge_base_object.GetEnvironmentVariables()
self.assertEqual(len(environment_variables), 2)
def _RunWindowsRegistryPlugin(self, file_system, mount_point, plugin):
"""Runs a Windows Registry preprocess plugin.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
plugin (PreprocessPlugin): preprocess plugin.
Return:
KnowledgeBase: knowledge base filled with preprocessing information.
"""
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows')
registry_file_reader = manager.FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=[environment_variable])
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
knowledge_base_object = knowledge_base.KnowledgeBase()
plugin.Run(win_registry, knowledge_base_object)
return knowledge_base_object
def _ParseValueData(self, mediator, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, str):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0!s} for '
'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
mediator.AddEnvironmentVariable(environment_variable)
except KeyError:
mediator.ProducePreprocessingWarning(
self.ARTIFACT_DEFINITION_NAME,
'Unable to set environment variable: {0:s}.'.format(
self._NAME))
def Collect(self, knowledge_base):
"""Collects values from the knowledge base.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
Raises:
PreProcessFail: if the preprocessing fails.
"""
environment_variable = knowledge_base.GetEnvironmentVariable(
'programdata')
allusersprofile = getattr(environment_variable, 'value', None)
if not allusersprofile:
environment_variable = knowledge_base.GetEnvironmentVariable(
'allusersprofile')
allusersprofile = getattr(environment_variable, 'value', None)
if allusersprofile:
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='programdata', value=allusersprofile)
try:
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
'programdata', allusersprofile))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def testCollectWithProgramData(self):
"""Tests the Collect function with the %ProgramData% variable."""
plugin = windows.WindowsAllUsersAppDataKnowledgeBasePlugin()
session = sessions.Session()
storage_writer = self._CreateTestStorageWriter()
test_knowledge_base = knowledge_base.KnowledgeBase()
test_mediator = mediator.PreprocessMediator(session, storage_writer,
test_knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False,
name='programdata',
value='%SystemDrive%\\ProgramData')
test_mediator.knowledge_base.AddEnvironmentVariable(
environment_variable)
plugin.Collect(test_mediator)
self.assertEqual(storage_writer.number_of_preprocessing_warnings, 0)
environment_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
'allusersappdata')
self.assertIsNotNone(environment_variable)
self.assertEqual(environment_variable.value,
'%SystemDrive%\\ProgramData')
def Run(self, searcher, knowledge_base):
"""Determines the value of the preprocessing attributes.
Args:
searcher (dfvfs.FileSystemSearcher): file system searcher.
knowledge_base (KnowledgeBase): to fill with preprocessing information.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
path_specs = self._FindPathSpecs(searcher, self._PATH_REGEX)
if not path_specs:
return
relative_path = searcher.GetRelativePath(path_specs[0])
if not relative_path:
raise errors.PreProcessFail(
u'Missing relative path for: {0:s}'.format(self._PATH_REGEX))
if relative_path.startswith(u'/'):
relative_path = u'\\'.join(relative_path.split(u'/'))
evironment_variable_artifact = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=relative_path)
knowledge_base.SetEnvironmentVariable(evironment_variable_artifact)
def Collect(self, mediator):
"""Collects values from the knowledge base.
Args:
mediator (PreprocessMediator): mediates interactions between preprocess
plugins and other components, such as storage and knowledge base.
Raises:
PreProcessFail: if the preprocessing fails.
"""
environment_variable = mediator.GetEnvironmentVariable('programdata')
allusersprofile = getattr(environment_variable, 'value', None)
if not allusersprofile:
environment_variable = mediator.GetEnvironmentVariable(
'allusersprofile')
allusersprofile = getattr(environment_variable, 'value', None)
if allusersprofile:
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False,
name='programdata',
value=allusersprofile)
try:
mediator.AddEnvironmentVariable(environment_variable)
except KeyError:
mediator.ProducePreprocessingWarning(
self.__class__.__name__,
'Unable to set environment variable: %ProgramData%.')
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Returns:
bool: True if all the preprocessing attributes were found and
the preprocessor plugin is done.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, py2to3.UNICODE_TYPE):
raise errors.PreProcessFail(
u'Unsupported Windows Registry value type: {0:s} for '
u'artifact: {1:s}.'.format(type(value_data),
self.ARTIFACT_DEFINITION_NAME))
result = False
evironment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
knowledge_base.AddEnvironmentVariable(evironment_variable)
result = True
except KeyError:
# TODO: add and store preprocessing errors.
pass
return result
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
if not isinstance(value_data, py2to3.UNICODE_TYPE):
raise errors.PreProcessFail(
'Unsupported Windows Registry value type: {0:s} for '
'artifact: {1:s}.'.format(
type(value_data), self.ARTIFACT_DEFINITION_NAME))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
try:
logger.debug('setting environment variable: {0:s} to: "{1:s}"'.format(
self._NAME, value_data))
knowledge_base.AddEnvironmentVariable(environment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def testBuildFindSpecsWithYAMLFilterFile(self):
"""Tests the BuildFindSpecs function with YAML filter file."""
test_filter_file = yaml_filter_file.YAMLFilterFile()
test_path_filters = test_filter_file._ReadFromFileObject(
io.StringIO(self._YAML_FILTER_FILE_DATA))
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
test_helper = path_filters.PathCollectionFiltersHelper()
test_helper.BuildFindSpecs(
test_path_filters, environment_variables=[environment_variable])
self.assertEqual(len(test_helper.included_file_system_find_specs), 5)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
file_system.Close()
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system,
mount_point, plugin):
"""Runs a preprocessor plugin on a Windows Registry value.
Args:
file_system (dfvfs.FileSystem): file system to be preprocessed.
mount_point (dfvfs.PathSpec): mount point path specification that refers
to the base location of the file system.
plugin (ArtifactPreprocessorPlugin): preprocessor plugin.
Return:
KnowledgeBase: knowledge base filled with preprocessing information.
"""
artifact_definition = self._artifacts_registry.GetDefinitionByName(
plugin.ARTIFACT_DEFINITION_NAME)
self.assertIsNotNone(artifact_definition)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
registry_file_reader = manager.FileSystemWinRegistryFileReader(
file_system,
mount_point,
environment_variables=[environment_variable])
win_registry = dfwinreg_registry.WinRegistry(
registry_file_reader=registry_file_reader)
knowledge_base_object = knowledge_base.KnowledgeBase()
searcher = registry_searcher.WinRegistrySearcher(win_registry)
plugin.Collect(knowledge_base_object, artifact_definition, searcher)
return knowledge_base_object
def testCollectWithAllUsersProfile(self):
"""Tests the Collect function with the %AllUsersProfile% variable."""
plugin = windows.WindowsAllUsersAppProfileKnowledgeBasePlugin()
session = sessions.Session()
storage_writer = self._CreateTestStorageWriter()
test_knowledge_base = knowledge_base.KnowledgeBase()
test_mediator = mediator.PreprocessMediator(session, storage_writer,
test_knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False,
name='allusersprofile',
value='C:\\Documents and Settings\\All Users')
test_mediator.knowledge_base.AddEnvironmentVariable(
environment_variable)
plugin.Collect(test_mediator)
self.assertEqual(storage_writer.number_of_preprocessing_warnings, 0)
environment_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
'allusersprofile')
self.assertIsNotNone(environment_variable)
self.assertEqual(environment_variable.value,
'C:\\Documents and Settings\\All Users')
def _ParsePathSpecification(self, knowledge_base, searcher, file_system,
path_specification, path_separator):
"""Parses artifact file system data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
searcher (dfvfs.FileSystemSearcher): file system searcher to preprocess
the file system.
file_system (dfvfs.FileSystem): file system to be preprocessed.
path_specification (dfvfs.PathSpec): path specification that contains
the artifact value data.
path_separator (str): path segment separator.
Raises:
errors.PreProcessFail: if the preprocessing fails.
"""
relative_path = searcher.GetRelativePath(path_specification)
if not relative_path:
raise errors.PreProcessFail(
'Unable to read: {0:s} with error: missing relative path'.
format(self.ARTIFACT_DEFINITION_NAME))
if path_separator != file_system.PATH_SEPARATOR:
relative_path_segments = file_system.SplitPath(relative_path)
relative_path = '{0:s}{1:s}'.format(
path_separator, path_separator.join(relative_path_segments))
evironment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=relative_path)
try:
knowledge_base.AddEnvironmentVariable(evironment_variable)
except KeyError:
# TODO: add and store preprocessing errors.
pass
def testGetAttributeNames(self):
"""Tests the GetAttributeNames function."""
attribute_container = artifacts.EnvironmentVariableArtifact()
expected_attribute_names = ['case_sensitive', 'name', 'value']
attribute_names = sorted(attribute_container.GetAttributeNames())
self.assertEqual(attribute_names, expected_attribute_names)
def testBuildFindSpecsWithFileSystem(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
knowledge_base = knowledge_base_engine.KnowledgeBase()
testuser1 = artifacts.UserAccountArtifact(
identifier='1000',
user_directory='C:\\\\Users\\\\testuser1',
username='******')
knowledge_base.AddUserAccount(testuser1)
testuser2 = artifacts.UserAccountArtifact(
identifier='1001',
user_directory='C:\\\\Users\\\\testuser2',
username='******')
knowledge_base.AddUserAccount(testuser2)
test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper(
['TestFiles', 'TestFiles2'], knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
test_filter_file.BuildFindSpecs(
environment_variables=[environment_variable])
find_specs_per_source_type = knowledge_base.GetValue(
test_filter_file.KNOWLEDGE_BASE_VALUE)
find_specs = find_specs_per_source_type.get(
artifact_types.TYPE_INDICATOR_FILE, [])
# Should build 15 FindSpec entries.
self.assertEqual(len(find_specs), 15)
# Last find_spec should contain the testuser2 profile path.
location_segments = sorted(
[find_spec._location_segments for find_spec in find_specs])
path_segments = [
'Users', 'testuser2', 'Documents', 'WindowsPowerShell',
'profile\\.ps1'
]
self.assertEqual(location_segments[2], path_segments)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(find_specs=find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()
def testBuildFindSpecsWithFileSystem(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
test_file_path = self._GetTestFilePath(['System.evtx'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_1.txt'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_3.txt'])
self._SkipIfPathNotExists(test_file_path)
knowledge_base = self._CreateTestKnowledgeBaseWindows()
artifact_filter_names = ['TestFiles', 'TestFiles2']
test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
test_filters_helper.BuildFindSpecs(
artifact_filter_names,
environment_variables=[environment_variable])
self.assertEqual(
len(test_filters_helper.included_file_system_find_specs), 16)
self.assertEqual(len(test_filters_helper.registry_find_specs), 0)
# Last find_spec should contain the testuser2 profile path.
location_segments = sorted([
find_spec._location_segments for find_spec in
test_filters_helper.included_file_system_find_specs
])
path_segments = [
'Users', 'testuser2', 'Documents', 'WindowsPowerShell',
'profile\\.ps1'
]
self.assertEqual(location_segments[2], path_segments)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_filters_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()
def _ReadEnvironmentVariables(self, storage_reader):
"""Reads the Windows EventLog message files.
Args:
storage_reader (StorageReader): storage reader.
"""
# TODO: read environment variables from storage reader.
_ = storage_reader
self._environment_variables = [artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')]
def testExpandWindowsPath(self):
"""Tests the ExpandWindowsPath function."""
environment_variables = []
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
environment_variables.append(environment_variable)
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
'%SystemRoot%\\System32', environment_variables)
self.assertEqual(expanded_path, '\\Windows\\System32')
def testAddEnvironmentVariable(self):
"""Tests the AddEnvironmentVariable function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
with self.assertRaises(KeyError):
knowledge_base_object.AddEnvironmentVariable(environment_variable)
def testBuildFindSpecs(self):
"""Tests the BuildFindSpecs function."""
filter_file_path = ''
with tempfile.NamedTemporaryFile(delete=False) as temp_file:
test_filter_file = filter_file.FilterFile(temp_file.name)
# 2 hits.
temp_file.write(b'/test_data/testdir/filter_.+.txt\n')
# A single hit.
temp_file.write(b'/test_data/.+evtx\n')
# A single hit.
temp_file.write(b'/AUTHORS\n')
temp_file.write(b'/does_not_exist/some_file_[0-9]+txt\n')
# Path expansion.
temp_file.write(b'{systemroot}/Tasks/.+[.]job\n')
# This should not compile properly, missing file information.
temp_file.write(b'failing/\n')
# This should not fail during initial loading, but fail later on.
temp_file.write(b'bad re (no close on that parenthesis/file\n')
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
find_specs = test_filter_file.BuildFindSpecs(
environment_variables=[environment_variable])
try:
os.remove(filter_file_path)
except (OSError, IOError) as exception:
logging.warning(
'Unable to remove filter file: {0:s} with error: {1!s}'.format(
filter_file_path, exception))
self.assertEqual(len(find_specs), 5)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(find_specs=find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
with self.assertRaises(IOError):
test_filter_file = filter_file.FilterFile('thisfiledoesnotexist')
test_filter_file.BuildFindSpecs()
file_system.Close()
def testCopyToDict(self):
"""Tests the CopyToDict function."""
attribute_container = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
self.assertEqual(attribute_container.name, 'SystemRoot')
expected_dict = {
'case_sensitive': False,
'name': 'SystemRoot',
'value': 'C:\\Windows'}
test_dict = attribute_container.CopyToDict()
self.assertEqual(test_dict, expected_dict)
def testCopyToDict(self):
"""Tests the CopyToDict function."""
evironment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows')
self.assertEqual(evironment_variable.name, u'SystemRoot')
expected_dict = {
u'case_sensitive': False,
u'name': u'SystemRoot',
u'value': u'C:\\Windows'}
evironment_variable_dict = evironment_variable.CopyToDict()
self.assertEqual(evironment_variable_dict, expected_dict)
def testExpandWindowsPath(self):
"""Tests the ExpandWindowsPath function."""
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
u'%SystemRoot%\\System32', [environment_variable])
self.assertEqual(expanded_path, u'C:\\Windows\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
u'%SystemRoot%\\System32', None)
self.assertEqual(expanded_path, u'%SystemRoot%\\System32')
expanded_path = path_helper.PathHelper.ExpandWindowsPath(
u'%Bogus%\\System32', [environment_variable])
self.assertEqual(expanded_path, u'%Bogus%\\System32')
def testBuildFindSpecsWithFileSystemAndGroup(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
test_file_path = self._GetTestFilePath(['System.evtx'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_1.txt'])
self._SkipIfPathNotExists(test_file_path)
test_file_path = self._GetTestFilePath(['testdir', 'filter_3.txt'])
self._SkipIfPathNotExists(test_file_path)
knowledge_base = self._CreateTestKnowledgeBaseWindows()
artifact_filter_names = ['TestGroupExtract']
test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
test_filters_helper.BuildFindSpecs(
artifact_filter_names, environment_variables=[environment_variable])
# There should be 15 file system find specifications.
self.assertEqual(
len(test_filters_helper.included_file_system_find_specs), 15)
self.assertEqual(len(test_filters_helper.registry_find_specs), 0)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(
find_specs=test_filters_helper.included_file_system_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt
# files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()
def testCollectWithProgramData(self):
"""Tests the Collect function with the %ProgramData% variable."""
plugin = windows.WindowsAllUsersAppDataKnowledgeBasePlugin()
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='programdata',
value='%SystemDrive%\\ProgramData')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
plugin.Collect(knowledge_base_object)
environment_variable = knowledge_base_object.GetEnvironmentVariable(
'allusersappdata')
self.assertIsNotNone(environment_variable)
self.assertEqual(environment_variable.value, '%SystemDrive%\\ProgramData')
def testCollectWithAllUsersProfile(self):
"""Tests the Collect function with the %AllUsersProfile% variable."""
plugin = windows.WindowsProgramDataKnowledgeBasePlugin()
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='allusersprofile',
value='C:\\Documents and Settings\\All Users')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
plugin.Collect(knowledge_base_object)
environment_variable = knowledge_base_object.GetEnvironmentVariable(
'programdata')
self.assertIsNotNone(environment_variable)
self.assertEqual(
environment_variable.value, 'C:\\Documents and Settings\\All Users')
def _ParseValueData(self, knowledge_base, value_data):
"""Parses Windows Registry value data for a preprocessing attribute.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
value_data (object): Windows Registry value data.
Raises:
errors.PreProcessFail: if the value data is not supported.
"""
if not isinstance(value_data, py2to3.UNICODE_TYPE):
raise errors.PreProcessFail(
u'Unsupported Registry key: {0:s}, value: {1:s} type.'.format(
self._REGISTRY_KEY_PATH, self._REGISTRY_VALUE_NAME))
evironment_variable_artifact = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name=self._NAME, value=value_data)
knowledge_base.SetEnvironmentVariable(evironment_variable_artifact)
def testGetEnvironmentVariable(self):
"""Tests the GetEnvironmentVariable functions."""
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
test_environment_variable = knowledge_base_object.GetEnvironmentVariable(
'SystemRoot')
self.assertIsNotNone(test_environment_variable)
test_environment_variable = knowledge_base_object.GetEnvironmentVariable(
'sYsTeMrOoT')
self.assertIsNotNone(test_environment_variable)
test_environment_variable = knowledge_base_object.GetEnvironmentVariable(
'Bogus')
self.assertIsNone(test_environment_variable)
def testBuildFindSpecsWithFileSystemAndGroup(self):
"""Tests the BuildFindSpecs function for file type artifacts."""
knowledge_base = self._CreateTestKnowledgeBaseWindows()
filter_helper = self._CreateTestArtifactDefinitionsFilterHelper(
['TestGroupExtract'], knowledge_base)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemDrive', value='C:')
filter_helper.BuildFindSpecs(
environment_variables=[environment_variable])
find_specs_per_source_type = knowledge_base.GetValue(
filter_helper.KNOWLEDGE_BASE_VALUE)
file_find_specs = find_specs_per_source_type.get(
artifact_types.TYPE_INDICATOR_FILE, [])
# Should build 15 file FindSpec entries.
self.assertEqual(len(file_find_specs), 15)
all_find_specs = iter(find_specs_per_source_type.values())
all_find_specs = itertools.chain(*all_find_specs)
find_spec_count = len(list(all_find_specs))
self.assertEqual(find_spec_count, 15)
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location='.')
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
searcher = file_system_searcher.FileSystemSearcher(
file_system, path_spec)
path_spec_generator = searcher.Find(find_specs=file_find_specs)
self.assertIsNotNone(path_spec_generator)
path_specs = list(path_spec_generator)
# Two evtx, one symbolic link to evtx, one AUTHORS, two filter_*.txt
# files,
# total 6 path specifications.
self.assertEqual(len(path_specs), 6)
file_system.Close()