Import from old repository

This commit is contained in:
Stefan
2020-04-06 18:48:34 +02:00
commit 0da6783a45
762 changed files with 103065 additions and 0 deletions
+17
@@ -0,0 +1,17 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
+92
@@ -0,0 +1,92 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file is the template for Plist events."""
from plaso.events import time_events
from plaso.lib import eventdata
class PlistEvent(time_events.PythonDatetimeEvent):
"""Convenience class for a plist events."""
DATA_TYPE = 'plist:key'
def __init__(self, root, key, timestamp, desc=None, host=None, user=None):
"""Template for creating a Plist EventObject for returning data to Plaso.
All events extracted from files get passed around Plaso internally as an
EventObject. PlistEvent is an EventObject with attributes specifically
relevant to data extracted from a Plist file. The attribute DATA_TYPE
'plist:key' allows the formatter used during output to identify
the appropriate formatter for converting these attributes to output.
Args:
root: A string representing the path from the root to this key.
key: A string representing the name of key.
timestamp: The date object (instance of datetime.datetime).
desc: An optional string intended for the user describing the event.
host: An optional host name if one is available within the log file.
user: An optional user name if one is available within the log file.
"""
super(PlistEvent, self).__init__(
timestamp, eventdata.EventTimestamp.WRITTEN_TIME)
self.root = root
self.key = key
if desc:
self.desc = desc
if host:
self.hostname = host
if user:
self.username = user
class PlistTimeEvent(time_events.TimestampEvent):
"""Convenience class for a plist event that does not use datetime objects."""
DATA_TYPE = 'plist:key'
def __init__(self, root, key, timestamp, desc=None, host=None, user=None):
"""Template for creating a Plist EventObject for returning data to Plaso.
All events extracted from files get passed around Plaso internally as an
EventObject. PlistEvent is an EventObject with attributes specifically
relevant to data extracted from a Plist file. The attribute DATA_TYPE
'plist:key' allows the formatter used during output to identify
the appropriate formatter for converting these attributes to output.
Args:
root: A string representing the path from the root to this key.
key: A string representing the name of key.
timestamp: The timestamp time value. The timestamp contains the
number of microseconds since Jan 1, 1970 00:00:00 UTC.
desc: An optional string intended for the user describing the event.
host: An optional host name if one is available within the log file.
user: An optional user name if one is available within the log file.
"""
super(PlistTimeEvent, self).__init__(
timestamp, eventdata.EventTimestamp.WRITTEN_TIME)
self.root = root
self.key = key
if desc:
self.desc = desc
if host:
self.hostname = host
if user:
self.username = user
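Review bot: The PlistTimeEvent docstring (the paragraph starting "All events extracted from files") is a copy of the PlistEvent docstring and still describes PlistEvent; the second sentence should read `PlistTimeEvent is an EventObject with attributes specifically` so generated docs do not conflate the two classes. In both constructors `desc`, `host` and `user` are only attached when truthy, so `desc`, `hostname` and `username` may be absent on an instance; a comment above the first `if desc:` such as `# Optional attributes are only set when present; consumers must read them with getattr and a default.` would make that contract explicit. Whether a falsy-but-meaningful value (an empty string) can reach these arguments is not visible here; if it can, `is not None` checks would be the safer test.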
+50
@@ -0,0 +1,50 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the shell item specific event object classes."""
from plaso.events import time_events
class ShellItemFileEntryEvent(time_events.FatDateTimeEvent):
"""Convenience class for a shell item file entry event."""
DATA_TYPE = 'windows:shell_item:file_entry'
def __init__(
self, fat_date_time, usage, name, long_name, localized_name,
file_reference, origin):
"""Initializes an event object.
Args:
fat_date_time: The FAT date time value.
usage: The description of the usage of the time value.
name: A string containing the name of the file entry shell item.
long_name: A string containing the long name of the file entry shell item.
localized_name: A string containing the localized name of the file entry
shell item.
file_reference: A string containing the NTFS file reference
(MTF entry - sequence number).
origin: A string containing the origin of the event (event source).
"""
super(ShellItemFileEntryEvent, self).__init__(fat_date_time, usage)
self.name = name
self.long_name = long_name
self.localized_name = localized_name
self.file_reference = file_reference
self.origin = origin
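Review bot: The `file_reference` Args entry says `(MTF entry - sequence number)`; the NTFS structure is the Master File Table, so the line should read `(MFT entry - sequence number)`, otherwise a reader cannot tell whether this is a typo or a distinct term. The `usage` argument is passed through to FatDateTimeEvent unchanged and ends up as `timestamp_desc` on the event (per the TimestampEvent constructor elsewhere in this commit); the docstring could say so, e.g. `usage: The description of the usage of the time value (stored as timestamp_desc).`.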
+48
@@ -0,0 +1,48 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the text format specific event object classes."""
from plaso.events import time_events
from plaso.lib import eventdata
class TextEvent(time_events.TimestampEvent):
"""Convenience class for a text format-based event."""
DATA_TYPE = 'text:entry'
def __init__(self, timestamp, offset, attributes):
"""Initializes a text event object.
Args:
timestamp: The timestamp time value. The timestamp contains the
number of microseconds since Jan 1, 1970 00:00:00 UTC.
offset: The offset of the attributes.
attributes: A dict that contains the events attributes.
"""
super(TextEvent, self).__init__(
timestamp, eventdata.EventTimestamp.WRITTEN_TIME)
self.offset = offset
for name, value in attributes.iteritems():
# TODO: Revisit this constraints and see if we can implement
# it using a more sane solution.
if isinstance(value, basestring) and not value:
continue
setattr(self, name, value)
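Review bot: The `setattr(self, name, value)` loop accepts any key of `attributes`, so a dict entry named `timestamp`, `timestamp_desc`, `data_type` or `offset` silently overwrites the values set a few lines above, and a key beginning with `_` can shadow internal attributes. If any parser builds this dict from field names that originate in the parsed file (the callers are not in this hunk), that is input-controlled attribute assignment on the event object; a guard such as `if name.startswith('_') or name in ('timestamp', 'timestamp_desc', 'data_type', 'offset'):` followed by `raise ValueError('Reserved attribute name: {0:s}'.format(name))` would turn the collision into an explicit error instead of a corrupted event. `iteritems()` and `basestring` are Python 2 only, consistent with the `#!/usr/bin/python` shebang, so this module will not import on Python 3 without change; a one-line comment stating that the module targets Python 2 would save the next maintainer a surprise.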
+157
@@ -0,0 +1,157 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the time-based event object classes."""
from plaso.lib import event
from plaso.lib import timelib
class TimestampEvent(event.EventObject):
"""Convenience class for a timestamp-based event."""
def __init__(self, timestamp, usage, data_type=None):
"""Initializes an event object.
Args:
timestamp: The timestamp value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(TimestampEvent, self).__init__()
self.timestamp = timestamp
self.timestamp_desc = usage
if data_type:
self.data_type = data_type
class CocoaTimeEvent(TimestampEvent):
"""Convenience class for a Cocoa time-based event."""
def __init__(self, cocoa_time, usage, data_type=None):
"""Initializes an event object.
Args:
cocoa_time: The Cocoa time value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(CocoaTimeEvent, self).__init__(
timelib.Timestamp.FromCocoaTime(cocoa_time), usage,
data_type=data_type)
class FatDateTimeEvent(TimestampEvent):
"""Convenience class for a FAT date time-based event."""
def __init__(self, fat_date_time, usage, data_type=None):
"""Initializes an event object.
Args:
fat_date_time: The FAT date time value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(FatDateTimeEvent, self).__init__(
timelib.Timestamp.FromFatDateTime(fat_date_time), usage,
data_type=data_type)
class FiletimeEvent(TimestampEvent):
"""Convenience class for a FILETIME timestamp-based event."""
def __init__(self, filetime, usage, data_type=None):
"""Initializes an event object.
Args:
filetime: The FILETIME timestamp value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(FiletimeEvent, self).__init__(
timelib.Timestamp.FromFiletime(filetime), usage, data_type=data_type)
class JavaTimeEvent(TimestampEvent):
"""Convenience class for a Java time-based event."""
def __init__(self, java_time, usage, data_type=None):
"""Initializes an event object.
Args:
java_time: The Java time value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(JavaTimeEvent, self).__init__(
timelib.Timestamp.FromJavaTime(java_time), usage, data_type=data_type)
class PosixTimeEvent(TimestampEvent):
"""Convenience class for a POSIX time-based event."""
def __init__(self, posix_time, usage, data_type=None):
"""Initializes an event object.
Args:
posix_time: The POSIX time value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(PosixTimeEvent, self).__init__(
timelib.Timestamp.FromPosixTime(posix_time), usage, data_type=data_type)
class PythonDatetimeEvent(TimestampEvent):
"""Convenience class for a Python DateTime time-based event."""
def __init__(self, datetime_time, usage, data_type=None):
"""Initializes an event object.
Args:
datetime_time: The datetime object (instance of datetime.datetime).
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(PythonDatetimeEvent, self).__init__(
timelib.Timestamp.FromPythonDatetime(datetime_time), usage,
data_type=data_type)
class WebKitTimeEvent(TimestampEvent):
"""Convenience class for a WebKit time-based event."""
def __init__(self, webkit_time, usage, data_type=None):
"""Initializes an event object.
Args:
webkit_time: The WebKit time value.
usage: The description of the usage of the time value.
data_type: Optional event data type. If not set data_type is
derived from the DATA_TYPE attribute.
"""
super(WebKitTimeEvent, self).__init__(
timelib.Timestamp.FromWebKitTime(webkit_time), usage,
data_type=data_type)
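Review bot: The `timestamp` Args entry in TimestampEvent says only "The timestamp value", while every subclass converts its native value through a `timelib.Timestamp.From*` helper and the TextEvent and WindowsRegistryEvent docstrings in this same commit describe the field as microseconds since Jan 1, 1970 00:00:00 UTC; the base docstring should state that unit, e.g. `timestamp: The timestamp value, in microseconds since Jan 1, 1970 00:00:00 UTC.`, since it is the contract all subclasses rely on. PythonDatetimeEvent does not say how a naive datetime (no tzinfo) is interpreted; that is decided by `timelib.Timestamp.FromPythonDatetime`, which is outside this diff, so a hedged note such as `# Timezone handling of naive datetimes is delegated to timelib.Timestamp.FromPythonDatetime.` would help readers. The `if data_type:` test also means an empty-string `data_type` falls back to the class attribute, which the docstring could mention.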
+95
@@ -0,0 +1,95 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains the Windows specific event object classes."""
from plaso.events import time_events
from plaso.lib import eventdata
class WindowsVolumeCreationEvent(time_events.FiletimeEvent):
"""Convenience class for a Windows volume creation event."""
DATA_TYPE = 'windows:volume:creation'
def __init__(self, filetime, device_path, serial_number, origin):
"""Initializes an event object.
Args:
filetime: The FILETIME timestamp value.
device_path: A string containing the volume device path.
serial_number: A string containing the volume serial number.
origin: A string containing the origin of the event (event source).
"""
super(WindowsVolumeCreationEvent, self).__init__(
filetime, eventdata.EventTimestamp.CREATION_TIME)
self.device_path = device_path
self.serial_number = serial_number
self.origin = origin
class WindowsRegistryEvent(time_events.TimestampEvent):
"""Convenience class for a Windows Registry-based event."""
DATA_TYPE = 'windows:registry:key_value'
def __init__(
self, timestamp, key_name, value_dict, usage=None, offset=None,
registry_type=None, urls=None, source_append=None):
"""Initializes a Windows registry event.
Args:
timestamp: The timestamp time value. The timestamp contains the
number of microseconds since Jan 1, 1970 00:00:00 UTC.
key_name: The name of the Registry key being parsed.
value_dict: The interpreted value of the key, stored as a dictionary.
usage: Optional description of the usage of the time value.
The default is None.
offset: Optional (data) offset of the Registry key or value.
The default is None.
registry_type: Optional Registry type string. The default is None.
urls: Optional list of URLs. The default is None.
source_append: Optional string to append to the source_long of the event.
The default is None.
"""
if usage is None:
usage = eventdata.EventTimestamp.WRITTEN_TIME
super(WindowsRegistryEvent, self).__init__(timestamp, usage)
if key_name:
self.keyname = key_name
self.regvalue = value_dict
if offset or type(offset) in [int, long]:
self.offset = offset
if registry_type:
self.registry_type = registry_type
if urls:
self.url = u' - '.join(urls)
if source_append:
self.source_append = source_append
class WindowsRegistryServiceEvent(WindowsRegistryEvent):
"""Convenience class for service entries retrieved from the registry."""
DATA_TYPE = 'windows:registry:service'