def testParseSystem(self): """Tests the Parse function on a SYSTEM file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['SYSTEM'], parser) parser_chains = self._GetParserChains(storage_writer) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ 'windows_usbstor_devices', 'windows_boot_execute', 'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._GetParserChainOfPlugin(plugin) self.assertIn(expected_parser_chain, parser_chains.keys()) # Check that the number of events produced by each plugin are correct. parser_chain = self._GetParserChainOfPlugin('windows_usbstor_devices') self.assertEqual(parser_chains.get(parser_chain, 0), 10) parser_chain = self._GetParserChainOfPlugin('windows_boot_execute') self.assertEqual(parser_chains.get(parser_chain, 0), 4) parser_chain = self._GetParserChainOfPlugin('windows_services') self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testExamineEventAndCompileReportOnSystemFile(self): """Tests the ExamineEvent and CompileReport functions on a SYSTEM file.""" # We could remove the non-Services plugins, but testing shows that the # performance gain is negligible. parser = winreg_parser.WinRegistryParser() plugin = windows_services.WindowsServicesAnalysisPlugin() storage_writer = self._ParseAndAnalyzeFile(['SYSTEM'], parser, plugin) self.assertEqual(storage_writer.number_of_events, 31438) self.assertEqual(len(storage_writer.analysis_reports), 1) analysis_report = storage_writer.analysis_reports[0] # We'll check that a few strings are in the report, like they're supposed # to be, rather than checking for the exact content of the string, # as that's dependent on the full path to the test files. test_strings = [ '1394ohci', 'WwanSvc', 'Sources:', 'ControlSet001', 'ControlSet002' ] for string in test_strings: self.assertIn(string, analysis_report.text)
def testExamineEventAndCompileReportOnSystemFileWithYAML(self): """Tests the ExamineEvent and CompileReport with YAML.""" # We could remove the non-Services plugins, but testing shows that the # performance gain is negligible. parser = winreg_parser.WinRegistryParser() plugin = windows_services.WindowsServicesAnalysisPlugin() plugin.SetOutputFormat('yaml') storage_writer = self._ParseAndAnalyzeFile(['SYSTEM'], parser, plugin) number_of_reports = storage_writer.GetNumberOfAttributeContainers( 'analysis_report') self.assertEqual(number_of_reports, 1) analysis_report = storage_writer.GetAttributeContainerByIndex( reports.AnalysisReport.CONTAINER_TYPE, 0) self.assertIsNotNone(analysis_report) # We'll check that a few strings are in the report, like they're supposed # to be, rather than checking for the exact content of the string, # as that's dependent on the full path to the test files. test_strings = [ windows_services.WindowsService.yaml_tag, '1394ohci', 'WwanSvc', 'ControlSet001', 'ControlSet002' ] for string in test_strings: self.assertIn(string, analysis_report.text)
def testParseNoRootKey(self): """Test the parse function on a Registry file with no root key.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['ntuser.dat.LOG'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 0)
def testParse(self): """Test the parse function on a Windows NT Registry file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['regf', '100_sub_keys.hiv'], parser) self.assertEqual(storage_writer.number_of_events, 101) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
def testParseCorruptionInSubKeyList(self): """Test the parse function on a corrupted Windows NT Registry file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['regf', 'corrupt_sub_key_list.hiv'], parser) self.assertEqual(storage_writer.number_of_events, 100) self.assertEqual(storage_writer.number_of_extraction_warnings, 1) self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
def testEnablePlugins(self): """Tests the EnablePlugins function.""" parser = winreg_parser.WinRegistryParser() parser.EnablePlugins(['appcompatcache']) self.assertIsNotNone(parser) self.assertIsNotNone(parser._default_plugin) self.assertNotEqual(parser._plugins, []) self.assertEqual(len(parser._plugins), 1)
def testParseNTUserDat(self): """Tests the Parse function on a NTUSER.DAT file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['NTUSER.DAT'], parser) parser_chains = self._GetParserChains(storage_writer) expected_parser_chain = self._GetParserChainOfPlugin('userassist') self.assertIn(expected_parser_chain, parser_chains.keys()) self.assertEqual(parser_chains[expected_parser_chain], 14)
def testParseNTUserDat(self): """Tests the Parse function on a NTUSER.DAT file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['NTUSER.DAT'], parser) events = list(storage_writer.GetEvents()) parser_chains = self._GetParserChains(events) expected_parser_chain = self._PluginNameToParserChain('userassist') self.assertTrue(expected_parser_chain in parser_chains) self.assertEqual(parser_chains[expected_parser_chain], 14)
def testEnablePlugins(self): """Tests the EnablePlugins function.""" parser = winreg_parser.WinRegistryParser() number_of_plugins = len(parser._plugin_classes) parser.EnablePlugins([]) self.assertEqual(len(parser._plugins), 0) parser.EnablePlugins(parser.ALL_PLUGINS) # Extract 1 for the default plugin. self.assertEqual(len(parser._plugins), number_of_plugins - 1) parser.EnablePlugins(['appcompatcache']) self.assertEqual(len(parser._plugins), 1)
def testParse(self): """Test the parse function on a Windows NT Registry file.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['regf', '100_sub_keys.hiv'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 101) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0)
def testParseNoRootKey(self): """Test the parse function on a Registry file with no root key.""" parser = winreg_parser.WinRegistryParser() storage_writer = self._ParseFile(['ntuser.dat.LOG'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0)
def testParseSystemWithArtifactFilters(self): """Tests the Parse function on a SYSTEM file with artifact filters.""" artifacts_path = self._GetTestFilePath(['artifacts']) self._SkipIfPathNotExists(artifacts_path) parser = winreg_parser.WinRegistryParser() knowledge_base = knowledge_base_engine.KnowledgeBase() artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue'] registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() registry.ReadFromDirectory(reader, artifacts_path) artifacts_filters_helper = ( artifact_filters.ArtifactDefinitionsFiltersHelper( registry, knowledge_base)) artifacts_filters_helper.BuildFindSpecs(artifact_filter_names, environment_variables=None) storage_writer = self._ParseFile( ['SYSTEM'], parser, collection_filters_helper=artifacts_filters_helper) parser_chains = self._GetParserChains(storage_writer) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ 'windows_usbstor_devices', 'windows_boot_execute', 'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._GetParserChainOfPlugin(plugin) self.assertIn(expected_parser_chain, parser_chains.keys()) # Check that the number of events produced by each plugin are correct. # There will be 10 usbstor chains for ControlSet001 and ControlSet002: # 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR' parser_chain = self._GetParserChainOfPlugin('windows_usbstor_devices') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 10) # There will be 4 Windows boot execute chains for key_value pairs: # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', # value: 'BootExecute'} # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager', # value: 'BootExecute'} parser_chain = self._GetParserChainOfPlugin('windows_boot_execute') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 4) # There will be 831 windows services chains for keys: # 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**' # 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**' parser_chain = self._GetParserChainOfPlugin('windows_services') number_of_parser_chains = parser_chains.get(parser_chain, 0) self.assertEqual(number_of_parser_chains, 831)