def testParse(self):
    """Parses the test jump list and spot-checks three kinds of events.

    The fixture is a Windows 7 customDestinations-ms file; the parser emits
    shortcut (LNK) events, shell item events and distributed link tracking
    events from it. The total event count is pinned so that a regression
    that silently drops events fails here rather than being hidden by the
    spot checks that follow.
    """
    parser = custom_destinations.CustomDestinationsParser()
    storage_writer = self._ParseFile(
        [u'5afe4de1b92fc382.customDestinations-ms'], parser)

    self.assertEqual(storage_writer.number_of_events, 126)
    # NOTE(review): this version does not assert that the parser produced no
    # warnings/errors while walking the file; add that check if the storage
    # writer in use exposes a counter for it.

    events = list(storage_writer.GetEvents())

    # The shortcut contributes one event per timestamp; they are emitted
    # back to back, so check them as a group in emission order.
    shortcut_timestamps = (
        (121, definitions.TIME_DESCRIPTION_LAST_ACCESS,
         u'2009-07-13 23:55:56.248103'),
        (122, definitions.TIME_DESCRIPTION_CREATION,
         u'2009-07-13 23:55:56.248103'),
        (123, definitions.TIME_DESCRIPTION_MODIFICATION,
         u'2009-07-14 01:39:11.388000'))

    for event_index, timestamp_desc, time_string in shortcut_timestamps:
        shortcut_event = events[event_index]
        self.assertEqual(shortcut_event.timestamp_desc, timestamp_desc)
        self.assertEqual(
            shortcut_event.timestamp,
            timelib.Timestamp.CopyFromString(time_string))

    # The message strings are checked on the last modification event only;
    # all three shortcut events carry the same attributes.
    shortcut_event = events[123]
    expected_message = (
        u'[@%systemroot%\\system32\\oobefldr.dll,-1262] '
        u'File size: 11776 '
        u'File attribute flags: 0x00000020 '
        u'Drive type: 3 '
        u'Drive serial number: 0x24ba718b '
        u'Local path: C:\\Windows\\System32\\GettingStarted.exe '
        u'cmd arguments: {DE3895CB-077B-4C38-B6E3-F3DE1E0D84FC} '
        u'%systemroot%\\system32\\control.exe /name Microsoft.Display '
        u'env location: %SystemRoot%\\system32\\GettingStarted.exe '
        u'Icon location: %systemroot%\\system32\\display.dll '
        u'Link target: <My Computer> C:\\Windows\\System32\\GettingStarted.exe')
    expected_short_message = (
        u'[@%systemroot%\\system32\\oobefldr.dll,-1262] '
        u'C:\\Windows\\System32\\GettingStarte...')
    self._TestGetMessageStrings(
        shortcut_event, expected_message, expected_short_message)

    # A shell item event: the file entry the shortcut's ID list resolves to.
    shell_item_event = events[18]
    self.assertEqual(
        shell_item_event.timestamp,
        timelib.Timestamp.CopyFromString(u'2010-11-10 07:41:04'))

    expected_message = (
        u'Name: System32 '
        u'Long name: System32 '
        u'NTFS file reference: 2331-1 '
        u'Shell item path: <My Computer> C:\\Windows\\System32 '
        u'Origin: 5afe4de1b92fc382.customDestinations-ms')
    expected_short_message = (
        u'Name: System32 '
        u'NTFS file reference: 2331-1 '
        u'Origin: 5afe4de1b92fc382.customDes...')
    self._TestGetMessageStrings(
        shell_item_event, expected_message, expected_short_message)

    # A distributed link tracking event. The UUID is version 1, so it
    # embeds a timestamp and the MAC address of the originating host, which
    # is why both are exposed as separate attributes.
    tracking_event = events[12]
    self.assertEqual(
        tracking_event.timestamp,
        timelib.Timestamp.CopyFromString(u'2010-11-10 19:08:32.656259'))

    expected_message = (
        u'e9215b24-ecfd-11df-a81c-000c29031e1e '
        u'MAC address: 00:0c:29:03:1e:1e '
        u'Origin: 5afe4de1b92fc382.customDestinations-ms')
    expected_short_message = (
        u'e9215b24-ecfd-11df-a81c-000c29031e1e '
        u'Origin: 5afe4de1b92fc382.customDestinati...')
    self._TestGetMessageStrings(
        tracking_event, expected_message, expected_short_message)
def setUp(self):
    """Creates a fresh parser instance before each individual test."""
    parser = custom_destinations.CustomDestinationsParser()
    self._parser = parser
def testParse(self):
    """Parses the test jump list and checks a sample of the resulting events.

    Besides the spot checks, the event count and both warning counters are
    pinned: a parser change that drops events or starts skipping structures
    it cannot read should fail this test even if the sampled events are
    unaffected.
    """
    parser = custom_destinations.CustomDestinationsParser()
    storage_writer = self._ParseFile(
        ['5afe4de1b92fc382.customDestinations-ms'], parser)

    self.assertEqual(storage_writer.number_of_events, 126)
    self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
    self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

    events = list(storage_writer.GetEvents())

    # The three shortcut (LNK) events share one set of link attributes; the
    # full attribute set is only asserted on the last modification event.
    shortcut_link_values = {
        'command_line_arguments': (
            '{DE3895CB-077B-4C38-B6E3-F3DE1E0D84FC} %systemroot%\\system32\\'
            'control.exe /name Microsoft.Display'),
        'data_type': 'windows:lnk:link',
        'date_time': '2009-07-14 01:39:11.3880000',
        'description': '@%systemroot%\\system32\\oobefldr.dll,-1262',
        'drive_serial_number': 0x24ba718b,
        'drive_type': 3,
        'env_var_location': '%SystemRoot%\\system32\\GettingStarted.exe',
        'file_attribute_flags': 0x00000020,
        'file_size': 11776,
        'icon_location': '%systemroot%\\system32\\display.dll',
        'link_target': (
            '<My Computer> C:\\Windows\\System32\\GettingStarted.exe'),
        'local_path': 'C:\\Windows\\System32\\GettingStarted.exe',
        'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION}

    shortcut_checks = [
        # Last accessed and creation timestamps of the shortcut target.
        (121, {
            'data_type': 'windows:lnk:link',
            'date_time': '2009-07-13 23:55:56.2481035',
            'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_ACCESS}),
        (122, {
            'data_type': 'windows:lnk:link',
            'date_time': '2009-07-13 23:55:56.2481035',
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION}),
        # Last modification timestamp, with the complete attribute set.
        (123, shortcut_link_values)]

    for event_index, expected_event_values in shortcut_checks:
        self.CheckEventValues(
            storage_writer, events[event_index], expected_event_values)

    # A shell item event: the file entry the shortcut's ID list resolves to.
    expected_shell_item_values = {
        'data_type': 'windows:shell_item:file_entry',
        'date_time': '2010-11-10 07:41:04',
        'file_reference': '2331-1',
        'long_name': 'System32',
        'name': 'System32',
        'origin': '5afe4de1b92fc382.customDestinations-ms',
        'shell_item_path': '<My Computer> C:\\Windows\\System32'}
    self.CheckEventValues(
        storage_writer, events[18], expected_shell_item_values)

    # A distributed link tracking event. The tracking UUID is version 1 and
    # therefore carries the originating host's MAC address, which the parser
    # surfaces as its own attribute.
    expected_tracking_values = {
        'data_type': 'windows:distributed_link_tracking:creation',
        'date_time': '2010-11-10 19:08:32.6562596',
        'mac_address': '00:0c:29:03:1e:1e',
        'origin': '5afe4de1b92fc382.customDestinations-ms',
        'uuid': 'e9215b24-ecfd-11df-a81c-000c29031e1e'}
    self.CheckEventValues(
        storage_writer, events[12], expected_tracking_values)
def setUp(self):
    """Creates a fresh parser instance before each individual test."""
    parser = custom_destinations.CustomDestinationsParser()
    self._parser = parser
def testParse(self):
    """Parses the test jump list and spot-checks three kinds of events.

    The warning count is asserted to be zero before anything else so that a
    parser that starts skipping structures it cannot read fails here, and
    the event count is pinned so that silently dropped events are noticed
    even when the sampled events are unaffected.
    """
    parser = custom_destinations.CustomDestinationsParser()
    storage_writer = self._ParseFile(
        ['5afe4de1b92fc382.customDestinations-ms'], parser)

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 126)

    events = list(storage_writer.GetEvents())

    # The shortcut contributes one event per timestamp, emitted back to back.
    shortcut_timestamps = (
        (121, definitions.TIME_DESCRIPTION_LAST_ACCESS,
         '2009-07-13 23:55:56.248104'),
        (122, definitions.TIME_DESCRIPTION_CREATION,
         '2009-07-13 23:55:56.248104'),
        (123, definitions.TIME_DESCRIPTION_MODIFICATION,
         '2009-07-14 01:39:11.388000'))

    for event_index, timestamp_desc, timestamp_string in shortcut_timestamps:
        self.CheckEventValues(storage_writer, events[event_index], {
            'timestamp': timestamp_string,
            'timestamp_desc': timestamp_desc})

    # The message strings are checked on the last modification event only;
    # all three shortcut events share the same event data.
    expected_message = (
        '[@%systemroot%\\system32\\oobefldr.dll,-1262] '
        'File size: 11776 '
        'File attribute flags: 0x00000020 '
        'Drive type: 3 '
        'Drive serial number: 0x24ba718b '
        'Local path: C:\\Windows\\System32\\GettingStarted.exe '
        'cmd arguments: {DE3895CB-077B-4C38-B6E3-F3DE1E0D84FC} '
        '%systemroot%\\system32\\control.exe /name Microsoft.Display '
        'env location: %SystemRoot%\\system32\\GettingStarted.exe '
        'Icon location: %systemroot%\\system32\\display.dll '
        'Link target: <My Computer> C:\\Windows\\System32\\GettingStarted.exe')
    expected_short_message = (
        '[@%systemroot%\\system32\\oobefldr.dll,-1262] '
        'C:\\Windows\\System32\\GettingStarte...')
    shortcut_event_data = self._GetEventDataOfEvent(storage_writer, events[123])
    self._TestGetMessageStrings(
        shortcut_event_data, expected_message, expected_short_message)

    # A shell item event: the file entry the shortcut's ID list resolves to.
    self.CheckEventValues(storage_writer, events[18], {
        'timestamp': '2010-11-10 07:41:04.000000'})

    expected_message = (
        'Name: System32 '
        'Long name: System32 '
        'NTFS file reference: 2331-1 '
        'Shell item path: <My Computer> C:\\Windows\\System32 '
        'Origin: 5afe4de1b92fc382.customDestinations-ms')
    expected_short_message = (
        'Name: System32 '
        'NTFS file reference: 2331-1 '
        'Origin: 5afe4de1b92fc382.customDes...')
    shell_item_event_data = self._GetEventDataOfEvent(
        storage_writer, events[18])
    self._TestGetMessageStrings(
        shell_item_event_data, expected_message, expected_short_message)

    # A distributed link tracking event. The UUID is version 1, so it embeds
    # the MAC address of the originating host alongside a timestamp.
    self.CheckEventValues(storage_writer, events[12], {
        'timestamp': '2010-11-10 19:08:32.656260'})

    expected_message = (
        'e9215b24-ecfd-11df-a81c-000c29031e1e '
        'MAC address: 00:0c:29:03:1e:1e '
        'Origin: 5afe4de1b92fc382.customDestinations-ms')
    expected_short_message = (
        'e9215b24-ecfd-11df-a81c-000c29031e1e '
        'Origin: 5afe4de1b92fc382.customDestinati...')
    tracking_event_data = self._GetEventDataOfEvent(storage_writer, events[12])
    self._TestGetMessageStrings(
        tracking_event_data, expected_message, expected_short_message)