plaso-rubanetra/plaso/formatters/recycler.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Formatter for the Windows recycle files."""

from plaso.lib import errors
from plaso.formatters import interface


class WinRecyclerFormatter(interface.ConditionalEventFormatter):
  """Formatter for Windows recycle bin events."""

  DATA_TYPE = 'windows:metadata:deleted_item'

  DRIVE_LIST = {
      0x00: 'A',
      0x01: 'B',
      0x02: 'C',
      0x03: 'D',
      0x04: 'E',
      0x05: 'F',
      0x06: 'G',
      0x07: 'H',
      0x08: 'I',
      0x09: 'J',
      0x0A: 'K',
      0x0B: 'L',
      0x0C: 'M',
      0x0D: 'N',
      0x0E: 'O',
      0x0F: 'P',
      0x10: 'Q',
      0x11: 'R',
      0x12: 'S',
      0x13: 'T',
      0x14: 'U',
      0x15: 'V',
      0x16: 'W',
      0x17: 'X',
      0x18: 'Y',
      0x19: 'Z',
  }

  # The format string.
  FORMAT_STRING_PIECES = [
      u'DC{index} ->',
      u'{orig_filename}',
      u'[{orig_filename_legacy}]',
      u'(from drive {drive_letter})']

  FORMAT_STRING_SHORT_PIECES = [
      u'Deleted file: {orig_filename}']

  SOURCE_LONG = 'Recycle Bin'
  SOURCE_SHORT = 'RECBIN'

  def GetMessages(self, event_object):
    """Return the message strings."""
    if self.DATA_TYPE != event_object.data_type:
      raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
          event_object.data_type))

    if hasattr(event_object, 'drive_number'):
      event_object.drive_letter = self.DRIVE_LIST.get(
          event_object.drive_number, 'C?')

    return super(WinRecyclerFormatter, self).GetMessages(event_object)
Import from old repository 2020-04-06 18:48:34 +02:00			`#!/usr/bin/python`
			`# -- coding: utf-8 --`
			`#`
			`# Copyright 2013 The Plaso Project Authors.`
			`# Please see the AUTHORS file for details on individual authors.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`"""Formatter for the Windows recycle files."""`

			`from plaso.lib import errors`
			`from plaso.formatters import interface`


			`class WinRecyclerFormatter(interface.ConditionalEventFormatter):`
			`"""Formatter for Windows recycle bin events."""`

			`DATA_TYPE = 'windows:metadata:deleted_item'`

			`DRIVE_LIST = {`
			`0x00: 'A',`
			`0x01: 'B',`
			`0x02: 'C',`
			`0x03: 'D',`
			`0x04: 'E',`
			`0x05: 'F',`
			`0x06: 'G',`
			`0x07: 'H',`
			`0x08: 'I',`
			`0x09: 'J',`
			`0x0A: 'K',`
			`0x0B: 'L',`
			`0x0C: 'M',`
			`0x0D: 'N',`
			`0x0E: 'O',`
			`0x0F: 'P',`
			`0x10: 'Q',`
			`0x11: 'R',`
			`0x12: 'S',`
			`0x13: 'T',`
			`0x14: 'U',`
			`0x15: 'V',`
			`0x16: 'W',`
			`0x17: 'X',`
			`0x18: 'Y',`
			`0x19: 'Z',`
			`}`

			`# The format string.`
			`FORMAT_STRING_PIECES = [`
			`u'DC{index} ->',`
			`u'{orig_filename}',`
			`u'[{orig_filename_legacy}]',`
			`u'(from drive {drive_letter})']`

			`FORMAT_STRING_SHORT_PIECES = [`
			`u'Deleted file: {orig_filename}']`

			`SOURCE_LONG = 'Recycle Bin'`
			`SOURCE_SHORT = 'RECBIN'`

			`def GetMessages(self, event_object):`
			`"""Return the message strings."""`
			`if self.DATA_TYPE != event_object.data_type:`
			`raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(`
			`event_object.data_type))`

			`if hasattr(event_object, 'drive_number'):`
			`event_object.drive_letter = self.DRIVE_LIST.get(`
			`event_object.drive_number, 'C?')`

			`return super(WinRecyclerFormatter, self).GetMessages(event_object)`