示例#1
文件: ntfs.py 项目: bethlogic/plaso
    def testParseFile(self):
        """Tests the Parse function on a stand-alone $MFT file.

        Parses the 'MFT' test file via an OS path specification, checks the
        total number of extracted events and then inspects one distributed
        link tracking event (index 3684): its creation timestamp and its long
        and short message strings.
        """
        mft_parser = ntfs.NTFSMFTParser()

        mft_path = self._GetTestFilePath([u'MFT'])
        mft_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)

        consumer = self._ParseFileByPathSpec(mft_parser, mft_path_spec)
        events = self._GetEventObjectsFromQueue(consumer)

        # The exact count pins the parser's behaviour on the whole file; a
        # change here means records were dropped, duplicated or newly parsed.
        self.assertEqual(len(events), 126352)

        # A distributed link tracking event.
        link_tracking_event = events[3684]

        creation_timestamp = timelib.Timestamp.CopyFromString(
            u'2007-06-30 12:58:40.500004')
        self.assertEqual(
            link_tracking_event.timestamp_desc,
            eventdata.EventTimestamp.CREATION_TIME)
        self.assertEqual(link_tracking_event.timestamp, creation_timestamp)

        # Expected long and short message strings; the short form omits the
        # MAC address.
        long_message = (
            u'9fe44b69-2709-11dc-a06b-db3099beae3c '
            u'MAC address: db:30:99:be:ae:3c '
            u'Origin: $MFT: 462-1')
        short_message = (
            u'9fe44b69-2709-11dc-a06b-db3099beae3c '
            u'Origin: $MFT: 462-1')

        self._TestGetMessageStrings(
            link_tracking_event, long_message, short_message)
示例#2
    def testParseFile(self):
        """Tests the Parse function on a stand-alone $MFT file.

        Parses the 'MFT' test file via an OS path specification (skipping when
        the test data is absent), checks that no warnings were recorded and
        that the expected number of events was extracted, then inspects one
        distributed link tracking event (index 3684): its creation timestamp
        and its long and short message strings.
        """
        mft_parser = ntfs.NTFSMFTParser()

        mft_path = self._GetTestFilePath(['MFT'])
        self._SkipIfPathNotExists(mft_path)

        mft_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)

        writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

        # No warnings are expected; a warning would (presumably) point at
        # input the parser could not fully handle, which would also make the
        # event count below hard to interpret.
        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 126352)

        events = list(writer.GetEvents())

        # A distributed link tracking event.
        link_tracking_event = events[3684]

        self.CheckTimestamp(
            link_tracking_event.timestamp, '2007-06-30 12:58:40.500004')
        self.assertEqual(
            link_tracking_event.timestamp_desc,
            definitions.TIME_DESCRIPTION_CREATION)

        link_tracking_data = self._GetEventDataOfEvent(
            writer, link_tracking_event)

        # Expected long and short message strings; the short form omits the
        # MAC address.
        long_message = (
            '9fe44b69-2709-11dc-a06b-db3099beae3c '
            'MAC address: db:30:99:be:ae:3c '
            'Origin: $MFT: 462-1')
        short_message = (
            '9fe44b69-2709-11dc-a06b-db3099beae3c '
            'Origin: $MFT: 462-1')

        self._TestGetMessageStrings(
            link_tracking_data, long_message, short_message)
示例#3
    def testParseImage(self):
        """Tests the Parse function on a storage media image.

        Two images are exercised in sequence:

        * 'vsstest.qcow2', reached through an OS -> QCOW -> TSK path
          specification chain pointing at '/$MFT'. The first four events
          (creation, modification, last access and entry modification) and
          the $FILE_NAME creation event at index 4 are checked for timestamp,
          timestamp description and allocation status; indices 3 and 4 are
          also checked for their long and short message strings.
        * 'multi_partition_image.vmdk', a RAW (VMDK flat) image whose second
          partition is addressed through a TSK partition path specification;
          only the warning and event counts are checked.

        Each image is skipped when its test file is not present.
        """
        mft_parser = ntfs.NTFSMFTParser()

        image_path = self._GetTestFilePath(['vsstest.qcow2'])
        self._SkipIfPathNotExists(image_path)

        image_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
        qcow_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=image_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
            parent=qcow_spec)

        writer = self._ParseFileByPathSpec(mft_spec, mft_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 284)

        events = list(writer.GetEvents())

        def CheckAllocatedTimestamp(event_index, expected_desc):
            """Checks one event's timestamp, description and allocation.

            All events checked here share the same date and time; only the
            timestamp description differs. Returns the event data so the
            caller can go on to check its message strings.
            """
            event = events[event_index]
            self.CheckTimestamp(event.timestamp, '2013-12-03 06:30:41.807908')
            self.assertEqual(event.timestamp_desc, expected_desc)

            event_data = self._GetEventDataOfEvent(writer, event)
            # Check that the allocation status is set correctly.
            self.assertIsInstance(event_data.is_allocated, bool)
            self.assertTrue(event_data.is_allocated)
            return event_data

        # The creation, last modification, last accessed and entry
        # modification timestamps (indices 0-3).
        CheckAllocatedTimestamp(0, definitions.TIME_DESCRIPTION_CREATION)
        CheckAllocatedTimestamp(1, definitions.TIME_DESCRIPTION_MODIFICATION)
        CheckAllocatedTimestamp(2, definitions.TIME_DESCRIPTION_LAST_ACCESS)
        entry_modification_data = CheckAllocatedTimestamp(
            3, definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION)

        # Message strings of the $STANDARD_INFORMATION event (index 3).
        self._TestGetMessageStrings(
            entry_modification_data,
            ('TSK:/$MFT '
             'File reference: 0-1 '
             'Attribute name: $STANDARD_INFORMATION'),
            '/$MFT 0-1 $STANDARD_INFORMATION')

        # The creation timestamp of the $FILE_NAME event (index 4) and its
        # message strings, which add the name and parent file reference.
        file_name_data = CheckAllocatedTimestamp(
            4, definitions.TIME_DESCRIPTION_CREATION)

        self._TestGetMessageStrings(
            file_name_data,
            ('TSK:/$MFT '
             'File reference: 0-1 '
             'Attribute name: $FILE_NAME '
             'Name: $MFT '
             'Parent file reference: 5-5'),
            '/$MFT 0-1 $FILE_NAME')

        # Note that the source file is a RAW (VMDK flat) image.
        vmdk_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
        self._SkipIfPathNotExists(vmdk_path)

        vmdk_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=vmdk_path)
        partition_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
            part_index=3, start_offset=0x00510000, parent=vmdk_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
            parent=partition_spec)

        writer = self._ParseFileByPathSpec(mft_spec, mft_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 184)
示例#4
文件: ntfs.py 项目: vonnopsled/plaso
 def setUp(self):
     """Makes preparations before running an individual test.

     Creates a fresh NTFS $MFT parser for every test method so that no
     parser state is shared between tests.
     """
     parser_class = ntfs.NTFSMFTParser
     self._parser = parser_class()
示例#5
 def setUp(self):
     """Sets up the needed objects used throughout the test.

     The only fixture is an NTFS $MFT parser instance, re-created before
     each test method.
     """
     mft_parser = ntfs.NTFSMFTParser()
     self._parser = mft_parser
示例#6
文件: ntfs.py 项目: cshanahan/plaso
  def testParseImage(self):
    """Tests the Parse function on a storage media image.

    Two images are exercised in sequence:

    * 'vsstest.qcow2', reached through an OS -> QCOW -> TSK path
      specification chain pointing at '/$MFT'. Selected events are checked
      for their attribute values (data type, date and time, attribute type,
      file references, name, path hints and allocation status).
    * 'multi_partition_image.vmdk', a RAW (VMDK flat) image whose second
      partition is addressed through a TSK partition path specification;
      only the event and warning counts are checked.

    Each image is skipped when its test file is not present.
    """
    mft_parser = ntfs.NTFSMFTParser()

    def CheckContainerCounts(writer, expected_number_of_events):
      """Asserts the event count and that no warning containers were stored.

      Both extraction and recovery warnings must be absent.
      """
      number_of_events = writer.GetNumberOfAttributeContainers('event')
      self.assertEqual(number_of_events, expected_number_of_events)

      for warning_container in ('extraction_warning', 'recovery_warning'):
        number_of_warnings = writer.GetNumberOfAttributeContainers(
            warning_container)
        self.assertEqual(number_of_warnings, 0)

    image_path = self._GetTestFilePath(['vsstest.qcow2'])
    self._SkipIfPathNotExists(image_path)

    image_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
    qcow_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=image_path_spec)
    mft_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
        parent=qcow_spec)

    storage_writer = self._ParseFileByPathSpec(mft_spec, mft_parser)
    CheckContainerCounts(storage_writer, 284)

    events = list(storage_writer.GetEvents())

    # The creation, last modification and last access timestamps (indices
    # 0-2) share one date and time and differ only in their description.
    shared_values = {
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:30:41.8079077',
        'is_allocated': True}

    for event_index, timestamp_desc in (
        (0, definitions.TIME_DESCRIPTION_CREATION),
        (1, definitions.TIME_DESCRIPTION_MODIFICATION),
        (2, definitions.TIME_DESCRIPTION_LAST_ACCESS)):
      expected_values = dict(shared_values, timestamp_desc=timestamp_desc)
      self.CheckEventValues(
          storage_writer, events[event_index], expected_values)

    # The entry modification timestamp, from the attribute of type 0x10
    # ($STANDARD_INFORMATION) of file reference 0-1.
    self.CheckEventValues(storage_writer, events[7], {
        'attribute_type': 0x00000010,
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:30:41.8079077',
        'display_name': 'TSK:/$MFT',
        'file_reference': 0x1000000000000,
        'is_allocated': True,
        'path_hints': ['\\$MFT'],
        'timestamp_desc': definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION})

    # The creation timestamp, this time with the attribute of type 0x30
    # ($FILE_NAME) fields: name and parent file reference.
    self.CheckEventValues(storage_writer, events[0], {
        'attribute_type': 0x00000030,
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:30:41.8079077',
        'file_reference': 0x1000000000000,
        'is_allocated': True,
        'name': '$MFT',
        'parent_file_reference': 0x5000000000005,
        'path_hints': ['\\$MFT'],
        'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})

    # Events of one entry below 'System Volume Information': index 251 is
    # its $STANDARD_INFORMATION event, indices 240 and 244 its two $FILE_NAME
    # events (the short name '{38088~1' and the full name).
    self.CheckEventValues(storage_writer, events[251], {
        'attribute_type': 0x00000010,
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:35:09.5179783',
        'display_name': 'TSK:/$MFT',
        'file_reference': 0x1000000000026,
        'path_hints': [
            '\\System Volume Information\\{3808876b-c176-4e48-b7ae-'
            '04046e6cc752}']})

    self.CheckEventValues(storage_writer, events[240], {
        'attribute_type': 0x00000030,
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:35:09.5023783',
        'display_name': 'TSK:/$MFT',
        'file_reference': 0x1000000000026,
        'name': '{38088~1',
        'parent_file_reference': 0x1000000000024,
        'path_hints': ['\\System Volume Information\\{38088~1']})

    self.CheckEventValues(storage_writer, events[244], {
        'attribute_type': 0x00000030,
        'data_type': 'fs:stat:ntfs',
        'date_time': '2013-12-03 06:35:09.5023783',
        'display_name': 'TSK:/$MFT',
        'file_reference': 0x1000000000026,
        'name': '{3808876b-c176-4e48-b7ae-04046e6cc752}',
        'parent_file_reference': 0x1000000000024,
        'path_hints': [
            '\\System Volume Information\\'
            '{3808876b-c176-4e48-b7ae-04046e6cc752}']})

    # Note that the source file is a RAW (VMDK flat) image.
    vmdk_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
    self._SkipIfPathNotExists(vmdk_path)

    vmdk_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=vmdk_path)
    partition_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
        part_index=3, start_offset=0x00510000, parent=vmdk_path_spec)
    mft_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
        parent=partition_spec)

    storage_writer = self._ParseFileByPathSpec(mft_spec, mft_parser)
    CheckContainerCounts(storage_writer, 184)
示例#7
文件: ntfs.py 项目: cshanahan/plaso
  def testParseFile(self):
    """Tests the Parse function on a stand-alone $MFT file.

    Parses the 'MFT' test file via an OS path specification, checks the
    event count and that no extraction or recovery warnings were stored,
    then verifies selected events: a distributed link tracking event and the
    path hints of a regular file, a deleted file and an orphaned file.
    """
    mft_parser = ntfs.NTFSMFTParser()

    mft_path = self._GetTestFilePath(['MFT'])
    self._SkipIfPathNotExists(mft_path)

    mft_path_spec = path_spec_factory.Factory.NewPathSpec(
        dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)

    writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

    self.assertEqual(writer.GetNumberOfAttributeContainers('event'), 126352)

    # Both warning container types must be empty; either kind would
    # (presumably) indicate input the parser did not fully handle.
    for warning_container in ('extraction_warning', 'recovery_warning'):
      self.assertEqual(
          writer.GetNumberOfAttributeContainers(warning_container), 0)

    events = list(writer.GetEvents())

    # A distributed link tracking event.
    link_tracking_values = {
        'data_type': 'windows:distributed_link_tracking:creation',
        'date_time': '2007-06-30 12:58:40.5000041',
        'mac_address': 'db:30:99:be:ae:3c',
        'origin': '$MFT: 462-1',
        'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION,
        'uuid': '9fe44b69-2709-11dc-a06b-db3099beae3c'}
    self.CheckEventValues(writer, events[3680], link_tracking_values)

    # Test path hints of a regular file.
    regular_file_values = {
        'data_type': 'fs:stat:ntfs',
        'name': 'SAM',
        'path_hints': ['\\WINDOWS\\system32\\config\\SAM']}
    self.CheckEventValues(writer, events[28741], regular_file_values)

    # Test path hints of a deleted file: the entry is unallocated yet a full
    # path is still expected.
    deleted_file_values = {
        'data_type': 'fs:stat:ntfs',
        'date_time': '2009-01-14 03:38:58.5869993',
        'is_allocated': False,
        'name': 'CAJA1S19.js',
        'path_hints': [(
            '\\Documents and Settings\\Donald Blake\\Local Settings\\'
            'Temporary Internet Files\\Content.IE5\\9EUWFPZ1\\CAJA1S19.js')]}
    self.CheckEventValues(writer, events[120476], deleted_file_values)

    # Testing path hint of an orphaned file: the hint is rooted at '$Orphan'
    # (presumably because no parent directory could be resolved).
    orphaned_file_values = {
        'data_type': 'fs:stat:ntfs',
        'date_time': '2009-01-14 21:07:11.5721856',
        'name': 'menu.text.css',
        'path_hints': ['$Orphan\\session\\menu.text.css']}
    self.CheckEventValues(writer, events[125432], orphaned_file_values)
示例#8
    def testParseImage(self):
        """Tests the Parse function on a storage media image.

        Two images are exercised in sequence:

        * 'vsstest.qcow2', reached through an OS -> QCOW -> TSK path
          specification chain pointing at '/$MFT'. Selected events are
          checked for timestamp, timestamp description, allocation status,
          path hints and long and short message strings.
        * 'multi_partition_image.vmdk', a RAW (VMDK flat) image whose second
          partition is addressed through a TSK partition path specification;
          only the warning and event counts are checked.

        Each image is skipped when its test file is not present.
        """
        mft_parser = ntfs.NTFSMFTParser()

        image_path = self._GetTestFilePath(['vsstest.qcow2'])
        self._SkipIfPathNotExists(image_path)

        image_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
        qcow_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=image_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
            parent=qcow_spec)

        writer = self._ParseFileByPathSpec(mft_spec, mft_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 284)

        events = list(writer.GetEvents())

        def CheckAllocatedTimestamp(event_index, timestamp_desc):
            """Checks the shared timestamp, its description and allocation."""
            self.CheckEventValues(writer, events[event_index], {
                'is_allocated': True,
                'timestamp': '2013-12-03 06:30:41.807908',
                'timestamp_desc': timestamp_desc})

        def CheckMessages(event_index, long_message, short_message):
            """Checks the long and short message strings of one event."""
            event_data = self._GetEventDataOfEvent(writer, events[event_index])
            self._TestGetMessageStrings(
                event_data, long_message, short_message)

        # The creation, last modification, last accessed and entry
        # modification timestamps (indices 0, 1, 2 and 7).
        CheckAllocatedTimestamp(0, definitions.TIME_DESCRIPTION_CREATION)
        CheckAllocatedTimestamp(1, definitions.TIME_DESCRIPTION_MODIFICATION)
        CheckAllocatedTimestamp(2, definitions.TIME_DESCRIPTION_LAST_ACCESS)
        CheckAllocatedTimestamp(
            7, definitions.TIME_DESCRIPTION_ENTRY_MODIFICATION)

        CheckMessages(
            7,
            ('TSK:/$MFT '
             'File reference: 0-1 '
             'Attribute name: $STANDARD_INFORMATION '
             'Path hints: \\$MFT'),
            '/$MFT 0-1 $STANDARD_INFORMATION')

        # The creation timestamp again, now followed by the $FILE_NAME
        # message strings of the same event.
        CheckAllocatedTimestamp(0, definitions.TIME_DESCRIPTION_CREATION)

        CheckMessages(
            0,
            ('TSK:/$MFT '
             'File reference: 0-1 '
             'Attribute name: $FILE_NAME '
             'Name: $MFT '
             'Parent file reference: 5-5 '
             'Path hints: \\$MFT'),
            '/$MFT 0-1 $FILE_NAME')

        # Events of one entry below 'System Volume Information' (file
        # reference 38-1): index 251 is its $STANDARD_INFORMATION event,
        # indices 240 and 244 its two $FILE_NAME events (the short name
        # '{38088~1' and the full name).
        volume_info_path = (
            '\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752}')

        self.CheckEventValues(
            writer, events[251], {'path_hints': [volume_info_path]})

        CheckMessages(
            251,
            ('TSK:/$MFT '
             'File reference: 38-1 '
             'Attribute name: $STANDARD_INFORMATION '
             'Path hints: \\System Volume Information\\'
             '{3808876b-c176-4e48-b7ae-04046e6cc752}'),
            '/$MFT 38-1 $STANDARD_INFORMATION')

        self.CheckEventValues(
            writer, events[240],
            {'path_hints': ['\\System Volume Information\\{38088~1']})

        CheckMessages(
            240,
            ('TSK:/$MFT '
             'File reference: 38-1 '
             'Attribute name: $FILE_NAME '
             'Name: {38088~1 '
             'Parent file reference: 36-1 '
             'Path hints: \\System Volume Information\\{38088~1'),
            '/$MFT 38-1 $FILE_NAME')

        self.CheckEventValues(
            writer, events[244], {'path_hints': [volume_info_path]})

        CheckMessages(
            244,
            ('TSK:/$MFT '
             'File reference: 38-1 '
             'Attribute name: $FILE_NAME '
             'Name: {3808876b-c176-4e48-b7ae-04046e6cc752} '
             'Parent file reference: 36-1 '
             'Path hints: \\System Volume Information\\'
             '{3808876b-c176-4e48-b7ae-04046e6cc752}'),
            '/$MFT 38-1 $FILE_NAME')

        # Note that the source file is a RAW (VMDK flat) image.
        vmdk_path = self._GetTestFilePath(['multi_partition_image.vmdk'])
        self._SkipIfPathNotExists(vmdk_path)

        vmdk_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=vmdk_path)
        partition_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location='/p2',
            part_index=3, start_offset=0x00510000, parent=vmdk_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location='/$MFT',
            parent=partition_spec)

        writer = self._ParseFileByPathSpec(mft_spec, mft_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 184)
示例#9
    def testParseFile(self):
        """Tests the Parse function on a stand-alone $MFT file.

        Parses the 'MFT' test file via an OS path specification, checks that
        no warnings were recorded and that the expected number of events was
        extracted, then verifies selected events: a distributed link tracking
        event (timestamp and message strings) and the path hints of a regular
        file, a deleted file and an orphaned file.
        """
        mft_parser = ntfs.NTFSMFTParser()

        mft_path = self._GetTestFilePath(['MFT'])
        self._SkipIfPathNotExists(mft_path)

        mft_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=mft_path)

        writer = self._ParseFileByPathSpec(mft_path_spec, mft_parser)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 126352)

        events = list(writer.GetEvents())

        # A distributed link tracking event.
        link_tracking_event = events[3680]

        self.CheckEventValues(writer, link_tracking_event, {
            'timestamp': '2007-06-30 12:58:40.500004',
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION})

        # The short message omits the MAC address.
        link_tracking_data = self._GetEventDataOfEvent(
            writer, link_tracking_event)
        self._TestGetMessageStrings(
            link_tracking_data,
            ('9fe44b69-2709-11dc-a06b-db3099beae3c '
             'MAC address: db:30:99:be:ae:3c '
             'Origin: $MFT: 462-1'),
            ('9fe44b69-2709-11dc-a06b-db3099beae3c '
             'Origin: $MFT: 462-1'))

        # Test path hints of a regular file.
        self.CheckEventValues(writer, events[28741], {
            'name': 'SAM',
            'path_hints': ['\\WINDOWS\\system32\\config\\SAM']})

        # Test path hints of a deleted file: the entry is unallocated yet a
        # full path is still expected.
        self.CheckEventValues(writer, events[120476], {
            'is_allocated': False,
            'name': 'CAJA1S19.js',
            'path_hints': [(
                '\\Documents and Settings\\Donald Blake\\Local Settings\\'
                'Temporary Internet Files\\Content.IE5\\9EUWFPZ1\\CAJA1S19.js')]})

        # Testing path hint of an orphaned file: the hint is rooted at
        # '$Orphan' (presumably because no parent directory could be resolved).
        self.CheckEventValues(writer, events[125432], {
            'name': 'menu.text.css',
            'path_hints': ['$Orphan\\session\\menu.text.css']})
示例#10
文件: ntfs.py 项目: bethlogic/plaso
    def testParseImage(self):
        """Tests the Parse function on a storage media image.

        Two images are exercised in sequence:

        * 'vsstest.qcow2', reached through an OS -> QCOW -> TSK path
          specification chain pointing at '/$MFT'. The first four events
          (creation, modification, access and entry modification) and the
          $FILE_NAME creation event at index 4 are checked for allocation
          status, timestamp description and timestamp; indices 3 and 4 are
          also checked for their long and short message strings.
        * 'multi_partition_image.vmdk', a RAW (VMDK flat) image whose second
          partition is addressed through a TSK partition path specification;
          only the event count is checked.
        """
        mft_parser = ntfs.NTFSMFTParser()

        image_path = self._GetTestFilePath([u'vsstest.qcow2'])
        image_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=image_path)
        qcow_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_QCOW, parent=image_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location=u'/$MFT',
            parent=qcow_spec)

        consumer = self._ParseFileByPathSpec(mft_parser, mft_spec)
        events = self._GetEventObjectsFromQueue(consumer)

        self.assertEqual(len(events), 284)

        def CheckAllocatedTimestamp(event, expected_desc):
            """Checks one event's allocation status, description and timestamp.

            All events checked here share the same timestamp value; only the
            timestamp description differs.
            """
            # Check that the allocation status is set correctly.
            self.assertIsInstance(event.is_allocated, bool)
            self.assertTrue(event.is_allocated)

            expected_timestamp = timelib.Timestamp.CopyFromString(
                u'2013-12-03 06:30:41.807907')
            self.assertEqual(event.timestamp_desc, expected_desc)
            self.assertEqual(event.timestamp, expected_timestamp)

        # The creation, last modification, last accessed and entry
        # modification timestamps (indices 0-3).
        timestamp_checks = (
            (0, eventdata.EventTimestamp.CREATION_TIME),
            (1, eventdata.EventTimestamp.MODIFICATION_TIME),
            (2, eventdata.EventTimestamp.ACCESS_TIME),
            (3, eventdata.EventTimestamp.ENTRY_MODIFICATION_TIME))
        for event_index, expected_desc in timestamp_checks:
            CheckAllocatedTimestamp(events[event_index], expected_desc)

        # Message strings of the $STANDARD_INFORMATION event (index 3).
        self._TestGetMessageStrings(
            events[3],
            (u'TSK:/$MFT '
             u'File reference: 0-1 '
             u'Attribute name: $STANDARD_INFORMATION'),
            u'/$MFT 0-1 $STANDARD_INFORMATION')

        # The creation timestamp of the $FILE_NAME event (index 4) and its
        # message strings, which add the name and parent file reference.
        file_name_event = events[4]
        CheckAllocatedTimestamp(
            file_name_event, eventdata.EventTimestamp.CREATION_TIME)

        self._TestGetMessageStrings(
            file_name_event,
            (u'TSK:/$MFT '
             u'File reference: 0-1 '
             u'Attribute name: $FILE_NAME '
             u'Name: $MFT '
             u'Parent file reference: 5-5'),
            u'/$MFT 0-1 $FILE_NAME')

        # Note that the source file is a RAW (VMDK flat) image.
        vmdk_path = self._GetTestFilePath([u'multi_partition_image.vmdk'])
        vmdk_path_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_OS, location=vmdk_path)
        partition_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION, location=u'/p2',
            part_index=3, start_offset=0x00510000, parent=vmdk_path_spec)
        mft_spec = path_spec_factory.Factory.NewPathSpec(
            dfvfs_definitions.TYPE_INDICATOR_TSK, inode=0, location=u'/$MFT',
            parent=partition_spec)

        consumer = self._ParseFileByPathSpec(mft_parser, mft_spec)
        events = self._GetEventObjectsFromQueue(consumer)

        self.assertEqual(len(events), 184)