示例#1
文件: worker.py 项目: no-sec/plaso
    def __init__(self, parser_filter_expression=None):
        """Sets up the initial state of an event extraction worker.

        The filter expression is handed to extractors.EventExtractor as-is;
        this constructor does not parse or validate it.

        Args:
          parser_filter_expression (Optional[str]): parser filter expression,
              where None represents all parsers and plugins.

              The expression is a comma separated value string naming the
              parsers to include and/or exclude. Each entry can be:

              * An exact match of a list of parsers, or a preset (see
                plaso/parsers/presets.py for a full list of available
                presets).
              * A name of a single parser (case insensitive), e.g. msiecf.
              * A glob name for a single parser, e.g. '*msie*' (case
                insensitive).
        """
        super(EventExtractionWorker, self).__init__()

        # Plain state: nothing is aborted, no analyzers are registered, and
        # the optional settings stay None until something else assigns them.
        self._abort = False
        self._analyzers = []
        self._hasher_file_size_limit = None
        self._process_archives = None
        self._process_compressed_streams = None
        self._processing_profiler = None

        # The parser selection is decided here, once, for the lifetime of
        # the worker: the event extractor receives the caller's expression.
        event_extractor = extractors.EventExtractor(
            parser_filter_expression=parser_filter_expression)
        self._event_extractor = event_extractor
        self._path_spec_extractor = extractors.PathSpecExtractor()

        # Public status fields, starting out idle with no recorded activity.
        self.last_activity_timestamp = 0.0
        self.processing_status = definitions.PROCESSING_STATUS_IDLE
示例#2
  def __init__(self, parser_filter_expression=None):
    """Sets up the initial state of an event extraction worker.

    Args:
      parser_filter_expression (Optional[str]): parser filter expression,
          where None represents all parsers and plugins.

          The expression is a comma separated value string selecting the
          parsers and plugins to use; filters/parser_filter.py describes
          the expression syntax.

          Presets are not supported here: the caller must pass an
          expression in which presets have already been expanded.
    """
    super(EventExtractionWorker, self).__init__()

    # Plain state: nothing is aborted, no analyzers are registered, and the
    # profilers and optional settings stay None until assigned elsewhere.
    self._abort = False
    self._analyzers = []
    self._analyzers_profiler = None
    self._hasher_file_size_limit = None
    self._process_archives = None
    self._process_compressed_streams = None
    self._processing_profiler = None

    # The expression is forwarded unchanged; no preset expansion or
    # validation happens in this constructor.
    event_extractor = extractors.EventExtractor(
        parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor
    self._path_spec_extractor = extractors.PathSpecExtractor()

    # Public status fields, starting out idle with no recorded activity.
    self.last_activity_timestamp = 0.0
    self.processing_status = definitions.STATUS_INDICATOR_IDLE
示例#3
    def testParseDataStream(self):
        """Tests ParseDataStream on the INFO2 test file.

        Runs an extractor limited to the recycle_bin_info2 parser and expects
        4 events with no extraction or recovery warnings.
        """
        info2_path = self._GetTestFilePath(['INFO2'])
        self._SkipIfPathNotExists(info2_path)

        extractor = extractors.EventExtractor(
            parser_filter_expression='recycle_bin_info2')

        os_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=info2_path)
        info2_entry = path_spec_resolver.Resolver.OpenFileEntry(os_path_spec)

        writer = self._CreateStorageWriter()
        mediator = self._CreateParserMediator(writer, file_entry=info2_entry)

        # The empty string is passed as the third ParseDataStream argument.
        extractor.ParseDataStream(mediator, info2_entry, '')

        # Attribute container type -> number of containers expected in the
        # storage writer after parsing; checked in this order.
        expected_counts = (
            ('event', 4),
            ('extraction_warning', 0),
            ('recovery_warning', 0),
        )
        for container_type, expected_number in expected_counts:
            actual_number = writer.GetNumberOfAttributeContainers(
                container_type)
            self.assertEqual(actual_number, expected_number)
示例#4
文件: worker.py 项目: bethlogic/plaso
  def InitializeParserObjects(self, parser_filter_expression=None):
    """Creates the event extractor and stores it on the worker.

    The extractor is built from the worker's resolver context and the given
    filter expression, which is forwarded unchanged.

    The parser_filter_expression is a comma separated value string naming
    the parsers to include and/or exclude. Each entry can be:

    * An exact match of a list of parsers, or a preset (see
      plaso/frontend/presets.py for a full list of available presets).
    * A name of a single parser (case insensitive), e.g. msiecf.
    * A glob name for a single parser, e.g. '*msie*' (case insensitive).

    Args:
      parser_filter_expression: optional string containing the parser filter
                                expression, where None represents all parsers
                                and plugins.
    """
    extractor_options = {
        'parser_filter_expression': parser_filter_expression}
    self._event_extractor = extractors.EventExtractor(
        self._resolver_context, **extractor_options)
示例#5
    def testParseDataStreamWithForceParser(self):
        """Tests ParseDataStream with force_parser on the UsnJrnl.raw file.

        The extractor is limited to the usnjrnl parser with force_parser set.
        The expected outcome is no events and exactly one extraction warning,
        so the unparsable input is reported rather than silently dropped.
        """
        usnjrnl_path = self._GetTestFilePath(['UsnJrnl.raw'])
        self._SkipIfPathNotExists(usnjrnl_path)

        extractor = extractors.EventExtractor(
            parser_filter_expression='usnjrnl', force_parser=True)

        os_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=usnjrnl_path)
        usnjrnl_entry = path_spec_resolver.Resolver.OpenFileEntry(
            os_path_spec)

        writer = self._CreateStorageWriter()
        mediator = self._CreateParserMediator(
            writer, file_entry=usnjrnl_entry)

        # The empty string is passed as the third ParseDataStream argument.
        extractor.ParseDataStream(mediator, usnjrnl_entry, '')

        # Counters are read from the storage writer one at a time, in the
        # order events, extraction warnings, recovery warnings.
        expected_counters = (
            ('number_of_events', 0),
            ('number_of_extraction_warnings', 1),
            ('number_of_recovery_warnings', 0),
        )
        for counter_name, expected_value in expected_counters:
            self.assertEqual(getattr(writer, counter_name), expected_value)
示例#6
文件: worker.py 项目: robeweber/plaso
  def __init__(
      self, resolver_context, parser_filter_expression=None,
      process_archives=False, process_compressed_streams=True):
    """Sets up the initial state of the event extraction worker object.

    Args:
      resolver_context (dfvfs.Context): resolver context, kept on the worker
          and also passed to the event extractor.
      parser_filter_expression (Optional[str]): parser filter expression.
          None represents all parsers and plugins.

          The expression is a comma separated value string naming the
          parsers to include and/or exclude. Each entry can be:

          * An exact match of a list of parsers, or a preset (see
            plaso/frontend/presets.py for a full list of available presets).
          * A name of a single parser (case insensitive), e.g. msiecf.
          * A glob name for a single parser, e.g. '*msie*' (case insensitive).

      process_archives (Optional[bool]): True if the worker should scan
          for file entries inside archive files. Off by default.
      process_compressed_streams (Optional[bool]): True if file content in
          compressed streams should be processed. On by default.
    """
    super(EventExtractionWorker, self).__init__()

    # Plain state: nothing is aborted, no analyzers or hashers are selected
    # and no profiler is attached.
    self._abort = False
    self._analyzers = []
    self._hasher_names = None
    self._processing_profiler = None

    # The filter expression is forwarded unchanged together with the
    # resolver context; no validation happens in this constructor.
    event_extractor = extractors.EventExtractor(
        resolver_context, parser_filter_expression=parser_filter_expression)
    self._event_extractor = event_extractor
    self._resolver_context = resolver_context

    # NOTE(review): these flags decide whether content nested inside
    # archives and compressed streams of the evidence gets processed; any
    # size or nesting limits are not visible in this constructor - confirm
    # where they are enforced.
    self._process_archives = process_archives
    self._process_compressed_streams = process_compressed_streams

    # Public status fields, starting out idle with no recorded activity.
    self.last_activity_timestamp = 0.0
    self.processing_status = definitions.PROCESSING_STATUS_IDLE